[Vadim Smirnov]

I will add a proxy option. This can be really useful.

Wiresock VPN Client is standalone, you don’t need the official Wireguard client to make it work.

WireSock VPN Gateway needs an official Wireguard client and allows it to act as a WireGuard server.

 

[Vadim Smirnov]

The problem was parsing a configuration that expected the Address parameter to have a specified netmask, e.g. Address = 10.10.0.4/32, 2001:dc8:a260::4/128 while in your configuration the Address parameter looked like Address = 10.10.0.4 , 2001:dc8:a260::4.

I have fixed the configuration parser in 1.2.8. Please give it a try.

[Vadim Smirnov]

Please check if you have received my reply email.

[Vadim Smirnov]

Problems with -lac options are caused by insufficient user privileges, please note that Wiresock should be run as administrator.

You can email PCAP files directly to support@ntkernel.com. We can continue to review the issue privately, after which I will post the final solution here. Unfortunately, without anti-spam, I would have to delete too many users/spam daily…

[Vadim Smirnov]

Hello, could you please provide the generated PCAP files in addition to the application log? Also, could you check if using-lac makes a difference? With the latter option, Wiresock works closer to the stock client. One more question, do you have DNS specified in the config file (‘server not found’ points to DNS problem)?

Currently, only the process name is checked, the path is ignored. It’s easy to change the check to a fully qualified pathname, but in the current implementation with a config file, this can lead to unwanted collisions. I plan to add an advanced configuration that will allow this.

You definitely read in my mind! I really was considering adding a proxy (as a dedicated process) that would be connected and intercepted by Wiresock. I implemented a similar thing for one side project.

[Vadim Smirnov]

I’m afraid something is wrong with your Dante server configuration. Unfortunately, it is difficult to guess and advise.

[Vadim Smirnov]

Check if you allowed configured UDP port range on Dante server machine, e.g. for 40000-45000 range it can be done by the command below:

iptables -I INPUT -p udp --dport 40000:45000 -j ACCEPT

[Vadim Smirnov]

According to the wiresock log, the authentication and UDP ASSOCIATE commands succeeded, but the handshake packet did not reach its destination. Most likely, it was blocked by the firewall (iptables or VPS provider). Please check this post for configuration details. They are specific to the Oracle cloud, but should be close to any other VPS.

[Vadim Smirnov]

Unfortunately, the SOCKS5 proxy provided by the SSH client does not support UDP and you cannot use it to forward the handshake. You need to set up a SOCKS5 UDP-enabled proxy (Dante) on the remote machine to use this option.

[Vadim Smirnov]

Hmm, the main question is when and how this client ID is assigned. If this is agreed before the start of the Wireguard session and already presented in the handshake packet, then this would require reverse engineering of the protocol used by Warp to authenticate and assign a client ID.

[Vadim Smirnov]

I think it’s doable, it just needs a little research. If you have already done this, could you share the details?

[Vadim Smirnov]

Your system can use more than one network adapter at the same time. However, to determine the default Internet interface, you can use GetBestInterface and specify some well-known IP address as a parameter, such as 1.1.1.1.

[Vadim Smirnov]

As I mentioned above, I once re-implemented NAT as a C++/CLI class library having the interface below. However, it’s a little complicated for the sample and I also need to preserve some sugar cubes for the customers.

// natcl.h

#pragma once

using namespace System;
using namespace Collections::Generic;
using namespace Threading;
using namespace msclr::interop;

namespace nat_managed_lib
{
public ref class managed_network_adapter_info sealed
{
String^ adapter_name_;
String^ friendly_name_;
List<String^>^ ip_addresses_;

public:
property String^ AdapterName
{
String^ get() { return adapter_name_; }
void set(String^ value) { adapter_name_ = value; }
}

property String^ FriendlyName
{
String^ get() { return friendly_name_; }
void set(String^ value) { friendly_name_ = value; }
}

property List<String^>^ IpAddresses
{
List<String^>^ get() { return ip_addresses_; }
void set(List<String^>^ value) { ip_addresses_ = value; }
}
};

public ref class nat_wrapper sealed
{
public:
event EventHandler^ AdaptersListChangeEvent;

private:
ManualResetEvent^ adapters_list_change_notify_event_;
Thread^ adapter_list_change_notify_thread_;
volatile bool is_adapter_list_change_thread_active_ = true;

bool set_adapter_list_change_event();
void adapter_list_change_thread();

native::nat_unmanaged* native_nat_provider_;

public:
explicit nat_wrapper(String^ device_name);
!nat_wrapper();
~nat_wrapper();

List<managed_network_adapter_info^>^ get_network_adapters();

Boolean set_nat_parameters(
// provider interface name
String^ provider,
// client interface name
String^ client,
// provider IP address to be used for NAT (adapter may have multiply IP addresses)
String^ nat_ip,
// DNS IP address for DNS forwarding
String^ dns_ip,
// Enable DNS forwarding (redirect DNS requests to the IP above). Otherwise client provided IP is used for DNS.
Boolean dns_forwarding
);

Boolean start_nat();
Boolean stop_nat();
Boolean is_started();

Boolean is_ip_routing_dynamic_success();

void re_initialize();

Boolean block_client_ip_address(String^ ip_address);
Boolean block_client_mac_address(String^ mac_address);
};
}

[Vadim Smirnov]

Unfortunately, no. Personally, I prefer C/C++ for protocol header manipulation, and when I had a need for NAT in a C# project, I implemented it as a C++/CLI class library.

[Vadim Smirnov]

I would start with port forwarding on your router and firewall configuration on the server. It looks like the handshake packet can’t get through.

[Author]

Posts