Forum Replies Created
It’s feasible to adjust the initial settings for the network driver, a setup that would halt all inbound and outbound network traffic until the VPN client becomes active. This strategy, however, could have extensive repercussions on the overall system functionality, possibly obstructing even DHCP operations.
In light of this, I am considering developing a buddy Windows Service as an alternative. This service would be programmed to initialize with the system startup and manage network traffic in a more selective manner, permitting only certain types of traffic based on a pre-established rule set (e.g. allow DHCP/DNS or/and allow all for selected network interfaces).
Without explicit approval from this service, any other traffic would be strictly denied unless it’s funneled through the VPN client. There, the traffic would be processed according to the configuration settings of the Wireguard VPN, ensuring secure and efficient handling of network operations.
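Added example (not part of the original post and not WireSock code): a minimal C model of the default-deny rule set described above, showing that a block-all policy drops DHCP while the selective one passes it. All struct, field and function names are hypothetical, and the `via_vpn_client` flag is assumed to be set by whatever component captures the packets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum { PROTO_TCP = 6, PROTO_UDP = 17 };

/* Packet metadata handed to the policy; filled in by the (assumed) capture layer. */
struct pkt {
    uint32_t if_index;        /* interface the packet was seen on */
    uint8_t  proto;           /* IP protocol number */
    uint16_t src_port, dst_port;
    bool     via_vpn_client;  /* assumption: traffic already handled by the VPN client */
};

/* Rule set loaded when the service starts. */
struct policy {
    bool allow_dhcp;
    bool allow_dns;
    const uint32_t *trusted_ifs;  /* interfaces configured as "allow all" */
    size_t n_trusted;
};

static bool is_dhcp(const struct pkt *p) {
    /* DHCPv4 runs over UDP between client port 68 and server port 67 */
    return p->proto == PROTO_UDP &&
           ((p->src_port == 68 && p->dst_port == 67) ||
            (p->src_port == 67 && p->dst_port == 68));
}

static bool is_dns(const struct pkt *p) {
    return (p->proto == PROTO_UDP || p->proto == PROTO_TCP) &&
           (p->src_port == 53 || p->dst_port == 53);
}

/* Returns true to pass the packet, false to drop it. Anything unmatched is denied. */
bool policy_allows(const struct policy *pol, const struct pkt *p) {
    if (p->via_vpn_client) return true;
    for (size_t i = 0; i < pol->n_trusted; i++)
        if (pol->trusted_ifs[i] == p->if_index) return true;
    if (pol->allow_dhcp && is_dhcp(p)) return true;
    if (pol->allow_dns && is_dns(p)) return true;
    return false;
}
```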
The most effective strategy to tackle this issue requires reproducing it under the examination of a debugger. I’m committed to attempting to replicate the situation this coming weekend. Could you please describe your typical use scenario with the VPN?
Thank you for the update. While I can’t state with certainty, it’s highly probable that the issue was related to MTU. I would recommend upgrading to version v1.2.26, as v1.2.25 has a known issue with the process context resolution feature for IPv6.
Is this a limitation by WireSock itself? Or is it only the UI? Is there a fix for this?
Thank you for your kind words. Currently, Wiresock does not support multiple tunnels. Nevertheless, this is not a fundamental constraint, and I am contemplating the inclusion of this feature in the future. Please understand that due to my limited capacity to dedicate time to this project, I’m unable to offer a precise timeline for this enhancement.
Thank you for bringing this matter to our attention. Unfortunately, the process of identifying and resolving issues of this nature can prove to be challenging, particularly when their replication is inconsistent. Regardless, I assure you that I will try allocating time to investigate and address this issue.
There could potentially be an issue related to address conflict. Could you please provide the subnets for both your Local Area Network (LAN) and Wireguard?
I sincerely apologize for not being able to take on this task sooner. Due to a considerable workload in the past few weeks, I was primarily focused on resolving bugs. However, I’m optimistic about finding time this upcoming weekend to address this matter. Thank you for your understanding and patience.
Interesting, I was not aware that a Shadowsocks client is available for Keenetic. This is certainly an interesting option for users. I also prefer Keenetic routers for home use, so it is quite possible that a setup like this may come in handy for me someday.
The only drawback I see in this setup is that all traffic sent over Wireguard passes through Shadowsocks. This may well have a negative effect on the overall performance and speed that are usually associated with using Wireguard.
The key part is below:
WixQuietExec64: Trying to install nt_ndiswgc ...
WixQuietExec64:
WixQuietExec64: ... C:\Program Files\WireSock VPN Client\drivers\ndiswgc_lwf.inf was copied to C:\WINDOWS\INF\oem142.inf.
WixQuietExec64:
WixQuietExec64: ... failed. Error code: 0x80070005.
WixQuietExec64:
WixQuietExec64: Error 0x80070005: Command line returned an error.
WixQuietExec64: Error 0x80070005: QuietExec64 Failed
WixQuietExec64: Error 0x80070005: Failed in ExecCommon method
It appears you may not have the necessary permissions to install the driver.
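Added example (not part of the original post): a small C helper that pulls the HRESULT out of a log line like the ones above and splits it into its standard severity, facility and code fields. For 0x80070005 this gives facility 7 (Win32) and code 5, which is ERROR_ACCESS_DENIED. Function and struct names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The three standard HRESULT fields used here. */
struct hresult {
    int      failed;    /* bit 31: 1 = failure */
    unsigned facility;  /* bits 16..26 */
    unsigned code;      /* bits 0..15 */
};

struct hresult decode_hresult(uint32_t hr) {
    struct hresult r;
    r.failed   = (int)((hr >> 31) & 1u);
    r.facility = (hr >> 16) & 0x7FFu;
    r.code     = hr & 0xFFFFu;
    return r;
}

/* Scan a log line for the first "0x" followed by exactly 8 hex digits.
 * Returns 1 and stores the value in *out, or 0 if none is found. */
int find_hresult(const char *line, uint32_t *out) {
    const char *p = strstr(line, "0x");
    while (p) {
        char *end;
        unsigned long v = strtoul(p, &end, 16);  /* base 16 accepts the 0x prefix */
        if (end - p == 10) {
            *out = (uint32_t)v;
            return 1;
        }
        p = strstr(p + 2, "0x");
    }
    return 0;
}

/* Short description for the cases relevant to the log above. */
const char *describe(struct hresult h) {
    if (!h.failed) return "success";
    if (h.facility == 7 && h.code == 5) return "Win32 ERROR_ACCESS_DENIED";
    if (h.facility == 7) return "Win32 error (see code)";
    return "other facility";
}
```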
Moreover, on the VPS I see both incoming and outgoing packets.
It looks like it is specifically the handshake response that is being blocked.
So my question is: is it possible to somehow configure the Keenetic so that it connects to wireguard through a proxy? Or to configure the wireguard server so that requests to it go through this proxy?
It seems to me that using the Keenetic may cause certain difficulties and will probably require modifying the Wireguard implementation. Unfortunately, it is also not possible to limit the solution to the VPS side only. In this situation I see one strategy: insert an intermediate link between the Keenetic and the Internet that can intercept and process the Wireguard handshake. I believe that such a solution could be developed without much effort on the basis of a Windows host with two network interfaces and WinpkFilter.
Could you please collect the MSI log? Here’s a step-by-step guide to enable logging for an MSI installation:
1. Open a command prompt. This can be done by searching for cmd in the Windows search bar and selecting “Command Prompt”.
2. In the command prompt, navigate to the directory where the MSI file is located using the cd command. For example, if your MSI file is in the Downloads folder, you could type cd Downloads.
3. Once you’re in the correct directory, enter the following command to start the installation and simultaneously enable logging:
msiexec /i NameOfYourInstaller.msi /l*v MyLog.txt
Replace NameOfYourInstaller.msi with the name of your MSI file, and MyLog.txt with the name you want for your log file.
4. Press Enter to run the command. The installation will proceed and a log of the installation will be created in the same directory under the name you specified.
The /l*v option in the command enables verbose logging. This records all actions that are taken during the installation, making it easier to identify any issues that may arise.
Please remember that the generated logs might contain sensitive information, so handle and share them carefully.
If you have any alternative suggestions or unique insights regarding the implementation, we’d greatly appreciate your input. Please feel free to share.
Indeed, this topic is currently a subject of active discussion. To provide some context, here’s an excerpt from one of the most recent emails I’ve received regarding the matter:
In my suggestion/vision, I appreciate the options that Tunsafe provided, such that all traffic is blocked if the VPN goes down, but there is an option to allow local traffic if the VPN goes down.
Also, I appreciate the ‘service mode’ and run-at-boot features that attempt traffic-blocking at startup, also implemented in Tunsafe.
KILLSWITCH DESIRED BEHAVIOR >>>
DISCONNECTED:
My hope is that WireSock disallows all network traffic while disconnected, with the option to allow local traffic (DHCP/DNS mainly). Advanced : Fine-tuned options to allow/disallow specific traffic types while disconnected.
WHILE CONNECTING:
My hope is that WireSock only allows the minimal amount of Internet Traffic (dhcp/dns/tcp/udp) while connecting, and mainly through its processes.
CONNECTED:
Once connected, my hope is that WireSock allows all traffic to occur through all processes, but only through the VPN’s IP (with options to allow local traffic as described above). Additional process filters can occur with an ALG firewall, such as Simplewall/etc.
Advanced Features / Not Suggested:
(1) A feature that some VPN Clients have implemented is to allow certain applications to bypass the VPN. This allows a mixed-mode operation that some people want because of IP-discrimination (their email server blocks all VPN IP addresses, or a website does endless captcha challenges for all VPN IP addresses, etc). This feature would be very difficult to implement and I am not suggesting it, but wanted to include it because it seems related.
(2) There are a few more theoretical features that could be implemented, but most seem beyond the scope of “KILLSWITCH”.
Hello,
I’m glad you’re finding the Wiresock VPN Client user-friendly and easy to navigate.
To answer your question, the Wiresock VPN Client itself does not have the functionality to expose itself as a local proxy server. However, you can certainly achieve your goal by setting up a local proxy server (either SOCKS or HTTP) on your device.
Once you’ve set up the local proxy server, you can add the process name of this proxy server to the “AllowedApps” list in the Wiresock VPN Client. This way, all the connections initiated through the local proxy will be tunneled via the Wireguard tunnel, while other connections will proceed as usual.
For example, if you want certain websites to automatically use the VPN in Firefox, you can set the proxy for different containers to point to the local proxy server that you have set up and added to the “AllowedApps” list.
This should enable you to use some websites via the VPN while others use a direct connection, as you mentioned in your example.
I hope this helps! If you have any more questions, feel free to ask.
While SOCKS5 is utilized solely for the Wireguard handshake, it may induce a slight delay for it. However, this should not impact the rest of your traffic, which is directed straight to your Wireguard server.