Beware of udp2raw-tunnel (was: [HACK] UDP tunneling over TCP for WireGuard)

tomli at tomli at
Thu May 24 03:20:04 CEST 2018

>> You can use this:
>> instead of socat to avoid TCP over TCP effect.
> This is interesting . I'll give it a shot in the next few days and see how it 
> fares (and report back).

This is a great project, but the last time I've looked into the code, showed some
serious problems, including hardcoding "iptables" commands and execute them as
root[0]. It also comes with an "encryption" scheme "authenticated" by plain MD5
in a MAC-then-encrypt basis, and never used HMAC[1], but still claims the encryption
provided a certain level of security... If the only purpose is traffic obfuscation,
why bother to have AES in the first place? But at least random number generation
has been done correctly, but instead of calling getrandom() or getentropy(), it
opens /dev/urandom with O_RDONLY, and read() some bytes[2]...

So, better compile the whole program with CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all
--param ssp-buffer-size=1 -fPIE" to get some protections. At least don't run the
program at root, it may break your system, set CAP_NET_RAW instead.

This much being said, I'm not blaming the developers, considering the fact that
the program probably involved from a weekend project and they did understand the
existence of problems[3].

If anyone is interested in this project, a refactoring or a re-implementation
is appreciated.


Tom Li
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 851 bytes
Desc: Digital signature
URL: <>

More information about the WireGuard mailing list