erebe/wstunnel

wstunnel + wireguard with reverse proxy setup

Open

#481 opened on Jan 12, 2026

help wanted

Description

Describe the goal

Goal is to make wstunnel work behind a reverse proxy.

Describe what does not work

The wireguard handshake packet is twisted. This worked in the past, but it was a long time ago. I added cloudflare recently but I don't think it changes the content of packets. Probably something changed in new versions.

The setup works until the wireguard packets are "decapsulated" from the wstunnel packet. The standard wireguard handshake initial packet has patterns, I'll list down what it should be and what I see. I will include 2 packets that are sent for handshake initiation. The 2nd packet is sent about 2s after the 1st packet.

| bytes | wireguard pattern | packet 1 | packet 2 |
|---|---|---|---|
| first 4 bytes | 01 00 00 00 | a5 e6 db 7f | 7d 51 dd c1 |
| last 4 bytes (mac2) | 00 00 00 00 | a4 e6 db 7f | 7c 51 dd c1 |

The payload length is correct, all payloads are 148 bytes long, which is the length of a handshake initiation payload. But the contents are obviously twisted. This looks like encryption but I don't know where this comes from.

Describe your wstunnel setup

I have a domain for my VPS and one subdomain is used for the wireguard connection. When the URI is for wireguard, Apache forwards everything to a predefined port on lo. Wstunnel listens on this port and does wstunnel stuff with it, then forwards it to the wireguard port on lo. Wireguard should pick up from there. The setup has custom certificates with certbot. TLS 1.3 is used.

Desktop:

client:

  • OS: Android
  • Version 16
  • Uses Termux

server:

  • OS: Linux
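An added diagnostic, not code from the issue or from the wstunnel project: the bytes quoted in the table are consistent with a repeating 4-byte XOR, the masking WebSocket applies to client-to-server frames (RFC 6455 §5.3). The script below assumes only the first and last 4 bytes of each 148-byte payload are known, recovers a candidate mask from the expected WireGuard header, and checks whether that same mask also turns the mac2 tail back into zeros; that this is the actual cause is an assumption the issue does not establish.

```python
# Added example: consistency check for a repeating 4-byte XOR mask over a
# WireGuard handshake initiation payload. Not part of the issue or of wstunnel.

WG_HANDSHAKE_INIT_LEN = 148              # size of a handshake initiation message
WG_HEADER = bytes.fromhex("01000000")    # type 1 + three reserved zero bytes
WG_MAC2_TAIL = bytes(4)                  # last 4 bytes of an all-zero mac2

# Constructed from the issue's table: (first 4 bytes, last 4 bytes) per packet.
OBSERVED = {
    "packet 1": (bytes.fromhex("a5e6db7f"), bytes.fromhex("a4e6db7f")),
    "packet 2": (bytes.fromhex("7d51ddc1"), bytes.fromhex("7c51ddc1")),
}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_mask(first4: bytes) -> bytes:
    """Candidate mask = observed header XOR the header WireGuard should send."""
    return xor_bytes(first4, WG_HEADER)


def tail_mask(mask: bytes, length: int = WG_HANDSHAKE_INIT_LEN) -> bytes:
    """Mask bytes that a repeating 4-byte key applies at offsets length-4..length-1."""
    return bytes(mask[(length - 4 + i) % 4] for i in range(4))


def consistent_with_xor_mask(first4: bytes, last4: bytes,
                             length: int = WG_HANDSHAKE_INIT_LEN) -> bool:
    """True if one repeating 4-byte mask explains both the header and the mac2 tail."""
    mask = recover_mask(first4)
    return xor_bytes(last4, tail_mask(mask, length)) == WG_MAC2_TAIL


def unmask(payload: bytes, mask: bytes) -> bytes:
    """Apply a repeating 4-byte mask to a whole payload (what a WebSocket server does)."""
    return bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def check_all(observed=OBSERVED) -> dict:
    return {name: consistent_with_xor_mask(f, l) for name, (f, l) in observed.items()}


if __name__ == "__main__":
    for name, (first4, _) in OBSERVED.items():
        print(name, "candidate mask:", recover_mask(first4).hex(), check_all()[name])
```

If every captured packet reports True, the "twisting" is explained by an un-removed WebSocket client mask rather than by TLS or WireGuard itself, which narrows the search to the hop between the reverse proxy and wstunnel.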
