
[Question] How to setup wss with domain name #150

Closed
2 tasks done
VincentBehzad opened this issue Jan 21, 2023 · 14 comments

Comments

@VincentBehzad

VincentBehzad commented Jan 21, 2023

Hello again, hope you had a good day.

I am trying to use my WSTunnel (TLS enabled), which is encapsulating my openconnect/openvpn connection, by using a domain name.
I registered my domain with Cloudflare CDN and right now I am trying to connect over the reverse proxy/CDN.
The point is to be completely anonymous to the ISP and network watchers/censorship.

(network diagram screenshot not included)


VPN server agent is listening on 0.0.0.0:333


  • Server Side

./wstunnel --tlsCertificate=certificate.crt --tlsKey=private.key --server wss://0.0.0.0:443

P.S.: Port 443 HTTPS, HTTP and websocket traffic is allowed on the CDN, and the firewall rules are allowed on the remote host.


  • Client Side (windows)

wstunnel --localToRemote=127.0.0.1:2020:mydomain.name:333 wss://mydomain.name:443 --verbose

and I get this debug info:
(screenshot not included)

With this command:
wstunnel --localToRemote=127.0.0.1:2020:0.0.0.0:333 wss://mydomain.name:443 --verbose
or this one
wstunnel --localToRemote=127.0.0.1:2020:127.0.0.1:333 wss://mydomain.name:443 --verbose

I get this debug info:
(screenshot not included)

Thank you in advance for your help.

  • How can I solve this issue?
  • Do I have to use an NGINX reverse proxy? Does WSTunnel support an NGINX reverse proxy?
@VincentBehzad VincentBehzad changed the title How to setup with domain [Question] How to setup wss with domain name Jan 22, 2023
@erebe
Owner

erebe commented Jan 22, 2023

Hello,

This one is more likely to work:
wstunnel --localToRemote=127.0.0.1:2020:127.0.0.1:333 wss://mydomain.name:443 --verbose
Do not re-use the domain name you proxy with Cloudflare in localToRemote, or you are going to create a loop.

Regarding your issue, the 404 you see is Cloudflare not managing to contact your server.

As you are starting wstunnel with TLS enabled, be sure that you set TLS to full mode, because otherwise Cloudflare is going to proxy your requests in HTTP and not find wstunnel listening on the HTTPS port.
(screenshot not included)

@VincentBehzad
Author

Hi,
(diagram not included)
So in this case I was indeed using Flexible mode on the CDN, and according to my drawing, TLS data is being sent to the CDN, but because I am using "Flexible mode" the data gets decrypted in the cloud and HTTP data is pushed toward my server, which gets dropped because the server is actually listening for HTTPS WS data, not HTTP.

I will try your instructions and report the results.

@erebe
Owner

erebe commented Jan 22, 2023

Indeed,
but in your diagram it should be
"sending http -> server:80" and not "sending http -> server:443" when you are in flex mode.

@erebe
Owner

erebe commented Jan 22, 2023

By the way, when your setup is done, if you happen to write an article/blog post/page about it,
let me know; I would be pleased to link to it in the readme.

@VincentBehzad
Author

VincentBehzad commented Jan 22, 2023

I used the instructions you mentioned and I was able to bypass a firewall with the most strict rules.

Server Side
./wstunnel --tlsCertificate=certificate.crt --tlsKey=private.key --server wss://0.0.0.0:443

Client Side
./wstunnel --localToRemote=127.0.0.1:2020:127.0.0.1:333 wss://mydomain.name:443 --verbose

It is working with SSL/TLS FULL mode ("Encrypts end-to-end, using a self signed certificate on the server") in the Cloudflare settings. It means data encryption is applied only with my key/cert file located on my remote host.

(screenshot not included)


As you mentioned above, if I were to use FLEXIBLE mode ("Encrypts traffic between the browser and Cloudflare") I should use:

Server Side:
./wstunnel --server ws://0.0.0.0:80

Client Side
./wstunnel --localToRemote=127.0.0.1:2020:127.0.0.1:333 wss://mydomain.name:443 --verbose

which is not recommended, because we want end-to-end encryption even when data is being transferred from the reverse proxy/CDN (Cloudflare) to the remote host.

(screenshot not included)

I cannot thank you enough for the help and time you spent on this issue. :-D


There is one more thing: to make it 24/7 and make WSTunnel persistent, so there is no need for me to ssh into the remote host and run WSTunnel again whenever the process is killed or the host gets rebooted.

  • What is the best solution in this case?

@VincentBehzad
Author

When the setup is completely done I will make a post and refer to the wstunnel project with complete instructions on this "VPN over WSTunnel" concept.
I would be more than glad to be part of this project.

@erebe
Owner

erebe commented Jan 22, 2023

If the traffic you are tunneling is the one from OpenVPN, just doing the flex mode is enough,
so ./wstunnel --server ws://0.0.0.0:80 (Cloudflare sends non-encrypted traffic on port 80 and you can't change it).

The reasoning is that OpenVPN traffic is already secure by itself; you just need wstunnel to create a hole in your firewall to allow this secure traffic. So there is no need to add yet another layer by adding TLS on top of it. OpenVPN by itself is secure; the target is just the minimum overhead to punch a hole in the firewall. You can add TLS later if you don't manage to bypass your firewall anymore, but if it is OK without it, no need to worry.

Just to note also that "Encrypts end-to-end" is just marketing and is false. Cloudflare acts as a man in the middle: your traffic is decrypted before being sent to your server, so even in full/strict mode Cloudflare sees your traffic without TLS at some point!

client >>> data with cloudflare tls >>>>> [ cloudflare unwrapping its tls ] >>>>>> data with your server tls >>>>> your server unwrapping your tls

@VincentBehzad
Author

Hello,
sorry for my late response, I was sick.
That is right, because we are sending OVPN traffic which is already encrypted and safe, but if the data is plain text, let's say an HTTP proxy, then we will need encryption in FULL mode. I will aim to use TLS even with OVPN being safe, because network admins and the ISP can't see we are smuggling OVPN traffic through wstunnel, but I get the bigger picture of what is happening.

My work on this concept is almost done; just one more step is left, which is how to have WSTunnel run 24/7. Every time I log out of the remote host, the WSTunnel process gets killed after a few minutes.

I will create a post about this whole work after I regain my health in a few days.
Thank you for your help regarding this issue.
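The "run 24/7" question raised in this comment and in the earlier one about persistence is normally answered with a service manager rather than a shell session. The unit below is an added example, not from the wstunnel project or this thread; it wraps the "Server Side" command quoted above and assumes the binary lives at /usr/local/bin/wstunnel and the certificate and key at /etc/wstunnel/ (both assumed paths). It runs the tunnel as a throwaway unprivileged user, grants only the capability needed to bind port 443, and hands the private key in through systemd's credential mechanism so the key file itself can stay root-only (LoadCredential needs systemd 247 or newer).

```ini
# /etc/systemd/system/wstunnel.service  (added example; paths are assumptions)
[Unit]
Description=wstunnel server (wss on 443, fronted by Cloudflare)
After=network-online.target
Wants=network-online.target

[Service]
# Throwaway unprivileged user; binding :443 needs only CAP_NET_BIND_SERVICE.
DynamicUser=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Private key stays root-only on disk; systemd copies it into a directory
# readable only by this service and exports $CREDENTIALS_DIRECTORY.
LoadCredential=private.key:/etc/wstunnel/private.key
# Same server command as the "Server Side" line in this thread.
ExecStart=/usr/local/bin/wstunnel --tlsCertificate=/etc/wstunnel/certificate.crt --tlsKey=${CREDENTIALS_DIRECTORY}/private.key --server wss://0.0.0.0:443
# Come back after a crash and after reboot (via the [Install] section) without ssh.
Restart=always
RestartSec=5
# Read-only system, no home directories, private /tmp.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

Enable it with `systemctl enable --now wstunnel.service` and follow restarts with `journalctl -u wstunnel -f`; for the flex-mode variant discussed below, the ExecStart line becomes `--server ws://0.0.0.0:80` with no certificate or LoadCredential lines.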

@VincentBehzad
Author

I was tinkering with some stuff and trying it on some super restricted network, and I came across this issue: trying to connect directly to the remote host (without Cloudflare/CDN/...) I was unable to connect.

Server
(screenshot not included)

Client
(screenshot not included)

<socket: 484>: hGetBuf: invalid argument (Invalid argument)
Since there is no textbook for these errors I need to ask about it.

@erebe
Owner

erebe commented Jan 27, 2023

Like that I can't tell; the connection is just cut in the middle. Try to do a tcpdump/network capture on client and server to see.
Out of curiosity, what is your/this secure network?
Maybe there is something that forbids self-signed certificates. Try with just HTTP without TLS at the server side.

@VincentBehzad
Author

VincentBehzad commented Jan 30, 2023

Finally I discovered the solution, which is simply: don't use that ISP as your internet provider, because they are actively dropping all kinds of WS/WSS connections that they assume are not really web-intended connections. They are dropping the connection 5 seconds after the initial handshake/connection with the destination.
The only change I can make is to obfuscate the VPN traffic as good old regular HTTPS traffic, because they are dropping and resetting ws/wss connections.
About the network I am testing: it is Iran's super restricted internet, and one of my friends who lives there is helping me with testing and stuff. I know that if it works on that network it will work on any other network without an issue, because I know there is no other network as restricted as Iran's.
One more thing about the post/blog: I have almost regained my health and am finally finished with being sick, and soon I will write the post.

@erebe
Owner

erebe commented Jan 30, 2023

You should try to set up Cloudflare in strict mode, with the wstunnel server configured with a valid TLS certificate (you can use Let's Encrypt for that, or https://www.sslforfree.com/ or https://zerossl.com/).

When under true TLS, it is not possible to distinguish HTTP from websocket.

After that, maybe they just hard-cut connections that push data to the server after the initial payload. If it is that, there is no real solution.
You can try on a different port, e.g. the IMAP port, to see if they cut the connection based on the protocol, or if they apply the same behavior to everyone.

Thank you for the blog post :)

@VincentBehzad
Author

VincentBehzad commented Jan 31, 2023

I also have certificates from "zerossl" which are issued for my remote host IP address. I will try the instructions for Cloudflare strict mode and tinker around to see how it works.
The thing that makes me wonder is that somehow, on the same network where I have difficulty connecting with our WS/WSS, v2ray/xray is working very well, and it is using ws and tls (is it the same as the wstunnel I am using?)

Please take a look at these pictures:
(screenshot not included)
(screenshot not included)
As you can see this v2ray/xray client configuration is using ws+tls and obviously Cloudflare (port 2083 is one of Cloudflare's free ports), yet it has no problem connecting and punching a hole in the firewall. I am still curious whether the thing that differentiates my config from v2ray/xray is SNI, which I have to learn how to apply and implement in my configs.

@erebe
Owner

erebe commented Feb 1, 2023

It should be the same indeed. wstunnel, when used in secure mode server side (wss://), is just TLS + websocket.
If I am not mistaken (to be verified), with Cloudflare in the middle you can't change the SNI; I think they forbid connections that have an SNI different from the Host header.
