<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Tue, Sep 25, 2018 at 12:06 PM KeXianbin(<a href="http://diyism.com">http://diyism.com</a>) <<a href="mailto:kexianbin@diyism.com">kexianbin@diyism.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Thanks for the info. </div><div class="gmail_extra"><br><div class="gmail_quote">On Sep 25, 2018 23:53, "StarBrilliant" <<a href="mailto:coder@poorlab.com" target="_blank">coder@poorlab.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Sep 25, 2018 at 1:17 PM KeXianbin(<a href="http://diyism.com" rel="noreferrer" target="_blank">http://diyism.com</a>)<br>
<<a href="mailto:kexianbin@diyism.com" target="_blank">kexianbin@diyism.com</a>> wrote:<br>
><br>
> Currently, I'm using udp2raw-tunnel to transform wireguard udp traffic into raw tcp (config files as follows),<br>
> It's very stable on my home network than using wireguard alone,<br>
> But if we can integrate RAW TCP feature into wireguard, it would significantly improve performance and stability for end users.<br>
><br>
><br>
> from: <a href="https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145" rel="noreferrer" target="_blank">https://gist.github.com/diyism/1b80903a83776675031c73ae499438d8#file-wireguard_config-txt-L145</a><br>
><br>
> $wget <a href="https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz" rel="noreferrer" target="_blank">https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz</a><br>
> $tar xzvf udp2raw_binaries.tar.gz<br>
> $sudo cp udp2raw_amd64 /usr/bin/<br>
> $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a<br>
> $cat /etc/wireguard/wg0.conf<br>
> [Interface]<br>
> PrivateKey = <client privkey><br>
> Address = <a href="http://10.0.0.3/32" rel="noreferrer" target="_blank">10.0.0.3/32</a><br>
> ListenPort = 24447<br>
> MTU = 1300<br>
> PostUp = ip route add <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> dev wg0 && wg set wg0 peer <server pubkey> allowed-ips <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
> PostDown = ip route del <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a><br>
><br>
> [Peer]<br>
> #10.0.0.1<br>
> PublicKey = <server pubkey><br>
> Endpoint = <a href="http://127.0.0.2:24448" rel="noreferrer" target="_blank">127.0.0.2:24448</a><br>
> #AllowedIPs = <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
><br>
> $sudo wg-quick down wg0 ; sudo wg-quick up wg0<br>
> $ping 10.0.0.1<br>
> 64 bytes from <a href="http://10.0.0.1" rel="noreferrer" target="_blank">10.0.0.1</a>: icmp_seq=2113 ttl=64 time=183 ms<br>
> $sudo ip route add <a href="http://104.24.0.0/16" rel="noreferrer" target="_blank">104.24.0.0/16</a> dev wg0<br>
> $ping <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a><br>
> PING <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">myip.ipip.net</a> (104.24.20.50) 56(84) bytes of data.<br>
> 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms<br>
> $curl <a href="http://myip.ipip.net" rel="noreferrer" target="_blank">http://myip.ipip.net</a><br>
> IP:<server ip><br>
><br>
> #take care, "MTU = 1300" in wg0.conf is needed when wireguard over udp2raw, or else most https requests will be blocked because of mtu problem.<br>
<br>
<br>
Hello Kexianbin,<br>
<br>
This is an UNOFFICIAL response to your question. (But I think the<br>
official developers may have similar answers.)<br>
<br>
Wireguard probably will not accept an official integration to udp2raw.<br>
The reasons are:<br>
<br>
1) Wireguard wants to keep their kernel part code minimized, therefore<br>
easy for security auditing, and less bugs.The UDP protocol is actually<br>
very simple and straightforward. (By the way, if you intended to use<br>
Wireguard in China, be informed that this is a protocol that is very<br>
easy to block by the ISP.)<br>
<br>
2) I have read the source code of udp2raw. To be frank, the code is of<br>
very low quality. For this reason, I don't think udp2raw would be<br>
integrated into Wireguard unless it's rewritten.<br>
<br>
3) Udp2raw is not suitable for everyone or for every country. For<br>
example udp2raw may have problems passing middleboxes, which is common<br>
among satellite ISPs in Oceania. Middleboxes break and resemble TCP<br>
segments thus make udp2raw literally unusable. Also it is not<br>
congestion friendly (by design), so a massive deployment may affect<br>
the global Internet ecology.<br></blockquote></div></div></blockquote><div><br></div><div>Let me also add (unofficially of course) that stealth against active scanning is also an important goal achieved by Wireguard's usage of UDP, and switching to TCP would break this. If TCP is required, then integration options with third party tools such as udp2raw-tunnel will always be there. Wireguard should not have to directly support those options, and rather should stick to its current compelling design.</div><div><br></div><div>--Mike</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
However the good news is, Wireguard provides an open control interface<br>
(see <a href="https://www.wireguard.com/xplatform/" rel="noreferrer" target="_blank">https://www.wireguard.com/xplatform/</a> ). By utilizing this<br>
interface, we can develop an alternate frontend application other than<br>
the official command "wg", that automatically sets up the kernel<br>
Wireguard kernel part and a userland udp2raw part, packaged as one<br>
application.<br>
<br>
<br>
My words for Wireguard developers:<br>
<br>
1) In case you may not know the udp2raw protocol, here is a<br>
description. Some ISPs in certain countries have strange QoS strategy<br>
that deprioritize UDP packets during network congestion, resulting a<br>
50% loss rate or more for UDP. The udp2raw protocol simulates a<br>
three-way TCP handshake and add TCP header to UDP packets so they will<br>
not be dropped. This protocol does not do congestion control or rate<br>
control, neither does it understand any TCP semantics. It's a dirty<br>
hack for dirty ISP, not suitable for everyone, but overwhelmingly<br>
useful in certain countries.<br>
<br>
2) Wireguard currently does not support binding to localhost. This is<br>
required for any third-party plugins upon Wireguard to work. We might<br>
need to consider binding to localhost an important feature to go in<br>
the near future.<br>
<br>
<br>
Best regards,<br>
StarBrilliant<br>
</blockquote></div></div>
_______________________________________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/wireguard</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Michael Rash | Founder<br><a href="http://www.cipherdyne.org/" target="_blank">http://www.cipherdyne.org/</a><br>Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F<br></div></div></div>