{
	"id": "d9ce0018-75bf-4eb3-9c55-60376a67448c",
	"created_at": "2026-04-06T00:22:23.792096Z",
	"updated_at": "2026-04-10T03:20:06.124444Z",
	"deleted_at": null,
	"sha1_hash": "24f552e3c097304c1fbc1a5658a52e3a07e9d03e",
	"title": "GitHub - erebe/wstunnel: Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2692570,
	"plain_text": "GitHub - erebe/wstunnel: Tunnel all your traffic over Websocket or\r\nHTTP2 - Bypass firewalls/DPI - Static binary available\r\nBy erebe\r\nArchived: 2026-04-05 13:02:44 UTC\r\nSummary\r\nDescription\r\nhttps://github.com/erebe/wstunnel\r\nPage 1 of 16\n\nDemo server\r\nCommand line\r\nExamples\r\nRelease\r\nNote\r\nBenchmark\r\nHow to build\r\nDescription\r\nMost of the time when you are using a public network, you are behind some kind of firewall or proxy. One of their\r\npurpose is to constrain you to only use certain kind of protocols and consult only a subset of the web. Nowadays,\r\nthe most widespread protocol is http and is de facto allowed by third party equipment.\r\nWstunnel uses the websocket protocol which is compatible with http in order to bypass firewalls and proxies.\r\nWstunnel allows you to tunnel whatever traffic you want and access whatever resources/site you need.\r\nMy inspiration came from this project but as I don't want to install npm and nodejs to use this tool, I remade it in\r\nHaskell Rust and improved it.\r\nWhat to expect:\r\nEasy to use\r\nGood error messages and debug information\r\nStatic forward (reverse) tunneling (TCP, UDP, Unix socket, Stdio)\r\nDynamic (reverse) tunneling (Socks5 proxy, HTTP proxy and Transparent Proxy)\r\nSupport for using http proxy (when behind one) as gateway\r\nSupport of proxy protocol\r\nSupport for tls/https server with certificates auto-reload (with embedded self-signed certificate, or your\r\nown)\r\nSupport of mTLS with certificates auto-reload - documentation here\r\nSupport IPv6\r\nSupport for Websocket and HTTP2 as transport protocol (websocket is more performant)\r\nStandalone binaries (so just cp it where you want) here\r\nSponsors\r\nPart of Wstunnel development has been sponsored by\r\nhttps://github.com/erebe/wstunnel\r\nPage 2 of 16\n\nNote\r\nv7.0.0 is a complete rewrite of wstunnel in Rust and is not compatible with previous version. Previous code in\r\nHaskell can be found on branch https://github.com/erebe/wstunnel/tree/haskell\r\nWhat to expect from previous version:\r\nMore throughput and less jitter due to Haskell GC. Most of you will not care, as it was performant enough\r\nalready. But you can now saturate a gigabit ethernet card with a single connection\r\nCommand line is more homogeneous/has better UX. All tunnel can be specified multiple times\r\nTunnel protocol tries to look like normal traffic, to avoid being flagged\r\nSupport of reverse tunneling\r\nNew bug, it is a rewrite (╯'□')╯︵ ┻━┻ ¯\\(ツ)/¯\r\nMainly for me to ease the maintenance of the project. I don't do a lot of haskell nowadays and it was harder\r\nfor me to keep maintening the project over time, as I get lost in touch of the Haskell ecosystem and new\r\nrelease.\r\nArmv7 build (aka raspberry pi), as new version of GHC (Haskell compiler) dropped its support\r\nDemo server\r\nIf you just want to try out that you can bypass your proxy/firewall. You can give it a try with wstunnel demo\r\nserver.\r\n# In a terminal start wstunnel client\r\n# You can set as tls-sni-override whatever domain you want. The tunnel is the only one that is going\r\nwstunnel client -L 'tcp://4443:localhost:444?proxy_protocol' -P demo --tls-sni-override=google.fr wss\r\n# on another terminal, run curl and it should return you this greetings\r\ncurl -k https://localhost:4443\r\n\u003e Memento mori !\r\nCommand line\r\nUsage: wstunnel client [OPTIONS] \u003cws[s]|http[s]://wstunnel.server.com[:port]\u003e\r\nArguments:\r\n \u003cws[s]|http[s]://wstunnel.server.com[:port]\u003e\r\n Address of the wstunnel server\r\n You can either use websocket or http2 as transport protocol. Use websocket if you are unsure.\r\n Example: For websocket with TLS wss://wstunnel.example.com or without ws://wstunnel.example.com\r\n For http2 with TLS https://wstunnel.example.com or without http://wstunnel.example.com\r\n \r\n *WARNING* HTTP2 as transport protocol is harder to make it works because:\r\n - If you are behind a (reverse) proxy/CDN they are going to buffer the whole request before forwardi\r\nhttps://github.com/erebe/wstunnel\r\nPage 3 of 16\n\nObviously, this is not going to work for tunneling traffic\r\n - if you have wstunnel behind a reverse proxy, most of them (i.e: nginx) are going to turn http2 req\r\n This is not going to work, because http1 does not support streaming naturally\r\n The only way to make it works with http2 is to have wstunnel directly exposed to the internet without\r\nOptions:\r\n -L, --local-to-remote \u003c{tcp,udp,socks5,stdio,unix}://[BIND:]PORT:HOST:PORT\u003e\r\n Listen on local and forwards traffic from remote. Can be specified multiple times\r\n examples:\r\n 'tcp://1212:google.com:443' =\u003e listen locally on tcp on port 1212 and forward to google.com\r\n 'tcp://2:n.lan:4?proxy_protocol' =\u003e listen locally on tcp on port 2 and forward to n.lan on port\r\n Send a proxy protocol header v2 when establishing connection\r\n \r\n 'udp://1212:1.1.1.1:53' =\u003e listen locally on udp on port 1212 and forward to cloudflare\r\n 'udp://1212:1.1.1.1:53?timeout_sec=10' timeout_sec on udp force close the tunnel after 10sec. Set i\r\n \r\n 'socks5://[::1]:1212' =\u003e listen locally with socks5 on port 1212 and forward dynamica\r\n 'socks5://[::1]:1212?login=admin\u0026password=admin' =\u003e listen locally with socks5 on port 1212 and only a\r\n \r\n 'http://[::1]:1212' =\u003e start a http proxy on port 1212 and forward dynamically requ\r\n 'http://[::1]:1212?login=admin\u0026password=admin' =\u003e start a http proxy on port 1212 and only accept conn\r\n 'tproxy+tcp://[::1]:1212' =\u003e listen locally on tcp on port 1212 as a *transparent proxy*\r\n 'tproxy+udp://[::1]:1212?timeout_sec=10' listen locally on udp on port 1212 as a *transparent proxy*\r\n linux only and requires sudo/CAP_NET_ADMIN\r\n \r\n 'stdio://google.com:443' =\u003e listen for data from stdio, mainly for `ssh -o ProxyCommand=\r\n \r\n 'unix:///tmp/wstunnel.sock:g.com:443' =\u003e listen for data from unix socket of path /tmp/wstunnel.sock\r\n -R, --remote-to-local \u003c{tcp,udp,socks5,unix}://[BIND:]PORT:HOST:PORT\u003e\r\n Listen on remote and forwards traffic from local. Can be specified multiple times. Only tcp is support\r\n examples:\r\n 'tcp://1212:google.com:443' =\u003e listen on server for incoming tcp cnx on port 1212 and forward\r\n 'udp://1212:1.1.1.1:53' =\u003e listen on server for incoming udp on port 1212 and forward to\r\n 'socks5://[::1]:1212' =\u003e listen on server for incoming socks5 request on port 1212 and\r\n 'http://[::1]:1212' =\u003e listen on server for incoming http proxy request on port 1212\r\n 'unix://wstunnel.sock:g.com:443' =\u003e listen on server for incoming data from unix socket of path ws\r\n --no-color \u003cNO_COLOR\u003e\r\n Disable color output in logs\r\n \r\n [env: NO_COLOR=]\r\n --socket-so-mark \u003cINT\u003e\r\n (linux only) Mark network packet with SO_MARK sockoption with the specified value.\r\n You need to use {root, sudo, capabilities} to run wstunnel when using this option\r\nhttps://github.com/erebe/wstunnel\r\nPage 4 of 16\n\n-c, --connection-min-idle \u003cINT\u003e\r\n Client will maintain a pool of open connection to the server, in order to speed up the connection proc\r\n This option set the maximum number of connection that will be kept open.\r\n This is useful if you plan to create/destroy a lot of tunnel (i.e: with socks5 to navigate with a brow\r\n It will avoid the latency of doing tcp + tls handshake with the server\r\n \r\n [default: 0]\r\n --nb-worker-threads \u003cINT\u003e\r\n *WARNING* The flag does nothing, you need to set the env variable *WARNING*\r\n Control the number of threads that will be used.\r\n By default, it is equal the number of cpus\r\n \r\n [env: TOKIO_WORKER_THREADS=]\r\n --log-lvl \u003cLOG_LEVEL\u003e\r\n Control the log verbosity. i.e: TRACE, DEBUG, INFO, WARN, ERROR, OFF\r\n for more details: https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter\r\n \r\n [env: RUST_LOG=]\r\n [default: INFO]\r\n --tls-sni-override \u003cDOMAIN_NAME\u003e\r\n Domain name that will be used as SNI during TLS handshake\r\n Warning: If you are behind a CDN (i.e: Cloudflare) you must set this domain also in the http HOST head\r\n or it will be flagged as fishy and your request rejected\r\n --tls-sni-disable\r\n Disable sending SNI during TLS handshake\r\n Warning: Most reverse proxies rely on it\r\n --tls-ech-enable\r\n Enable ECH (encrypted sni) during TLS handshake to wstunnel server.\r\n Warning: Ech DNS config is not refreshed over time. It is retrieved only once at startup of the progra\r\n --tls-verify-certificate\r\n Enable TLS certificate verification.\r\n Disabled by default. The client will happily connect to any server with self-signed certificate.\r\n -p, --http-proxy \u003cUSER:PASS@HOST:PORT\u003e\r\n If set, will use this http proxy to connect to the server\r\n \r\n [env: HTTP_PROXY=]\r\n --http-proxy-login \u003cLOGIN\u003e\r\n If set, will use this login to connect to the http proxy. Override the one from --http-proxy\r\nhttps://github.com/erebe/wstunnel\r\nPage 5 of 16\n\n[env: WSTUNNEL_HTTP_PROXY_LOGIN=]\r\n --http-proxy-password \u003cPASSWORD\u003e\r\n If set, will use this password to connect to the http proxy. Override the one from --http-proxy\r\n \r\n [env: WSTUNNEL_HTTP_PROXY_PASSWORD=]\r\n -P, --http-upgrade-path-prefix \u003cHTTP_UPGRADE_PATH_PREFIX\u003e\r\n Use a specific prefix that will show up in the http path during the upgrade request.\r\n Useful if you need to route requests server side but don't have vhosts\r\n \r\n [env: WSTUNNEL_HTTP_UPGRADE_PATH_PREFIX=]\r\n [default: v1]\r\n --http-upgrade-credentials \u003cUSER[:PASS]\u003e\r\n Pass authorization header with basic auth credentials during the upgrade request.\r\n If you need more customization, you can use the http_headers option.\r\n --websocket-ping-frequency-sec \u003cseconds\u003e\r\n Frequency at which the client will send websocket ping to the server.\r\n \r\n [default: 30]\r\n --websocket-mask-frame\r\n Enable the masking of websocket frames. Default is false\r\n Enable this option only if you use unsecure (non TLS) websocket server, and you see some issues. Other\r\n -H, --http-headers \u003cHEADER_NAME: HEADER_VALUE\u003e\r\n Send custom headers in the upgrade request\r\n Can be specified multiple time\r\n --http-headers-file \u003cFILE_PATH\u003e\r\n Send custom headers in the upgrade request reading them from a file.\r\n It overrides http_headers specified from command line.\r\n File is read everytime and file format must contain lines with `HEADER_NAME: HEADER_VALUE`\r\n --tls-certificate \u003cFILE_PATH\u003e\r\n [Optional] Certificate (pem) to present to the server when connecting over TLS (HTTPS).\r\n Used when the server requires clients to authenticate themselves with a certificate (i.e. mTLS).\r\n The certificate will be automatically reloaded if it changes\r\n --tls-private-key \u003cFILE_PATH\u003e\r\n [Optional] The private key for the corresponding certificate used with mTLS.\r\n The certificate will be automatically reloaded if it changes\r\n --dns-resolver \u003cDNS_RESOLVER\u003e\r\nhttps://github.com/erebe/wstunnel\r\nPage 6 of 16\n\nDns resolver to use to lookup ips of domain name. Can be specified multiple time\r\n Example:\r\n dns://1.1.1.1 for using udp\r\n dns+https://1.1.1.1?sni=cloudflare-dns.com for using dns over HTTPS\r\n dns+tls://8.8.8.8?sni=dns.google for using dns over TLS\r\n For Dns over HTTPS/TLS if an HTTP proxy is configured, it will be used also\r\n To use libc resolver, use\r\n system://0.0.0.0\r\n **WARN** On windows you may want to specify explicitly the DNS resolver to avoid excessive DNS queries\r\nSERVER\r\nUsage: wstunnel server [OPTIONS] \u003cws[s]://0.0.0.0[:port]\u003e\r\nArguments:\r\n \u003cws[s]://0.0.0.0[:port]\u003e\r\n Address of the wstunnel server to bind to\r\n Example: With TLS wss://0.0.0.0:8080 or without ws://[::]:8080\r\n \r\n The server is capable of detecting by itself if the request is websocket or http2. So you don't need t\r\nOptions:\r\n --socket-so-mark \u003cINT\u003e\r\n (linux only) Mark network packet with SO_MARK sockoption with the specified value.\r\n You need to use {root, sudo, capabilities} to run wstunnel when using this option\r\n --websocket-ping-frequency-sec \u003cseconds\u003e\r\n Frequency at which the server will send websocket ping to client.\r\n --no-color \u003cNO_COLOR\u003e\r\n Disable color output in logs\r\n \r\n [env: NO_COLOR=]\r\n --websocket-mask-frame\r\n Enable the masking of websocket frames. Default is false\r\n Enable this option only if you use unsecure (non TLS) websocket server, and you see some issues. Other\r\n --nb-worker-threads \u003cINT\u003e\r\n *WARNING* The flag does nothing, you need to set the env variable *WARNING*\r\n Control the number of threads that will be used.\r\n By default, it is equal the number of cpus\r\n \r\n [env: TOKIO_WORKER_THREADS=]\r\n --restrict-to \u003cDEST:PORT\u003e\r\nhttps://github.com/erebe/wstunnel\r\nPage 7 of 16\n\nServer will only accept connection from the specified tunnel information.\r\n Can be specified multiple time\r\n Example: --restrict-to \"google.com:443\" --restrict-to \"localhost:22\"\r\n --dns-resolver \u003cDNS_RESOLVER\u003e\r\n Dns resolver to use to lookup ips of domain name\r\n This option is not going to work if you use transparent proxy\r\n Can be specified multiple time\r\n Example:\r\n dns://1.1.1.1 for using udp\r\n dns+https://1.1.1.1?sni=loudflare-dns.com for using dns over HTTPS\r\n dns+tls://8.8.8.8?sni=dns.google for using dns over TLS\r\n To use libc resolver, use\r\n system://0.0.0.0\r\n --log-lvl \u003cLOG_LEVEL\u003e\r\n Control the log verbosity. i.e: TRACE, DEBUG, INFO, WARN, ERROR, OFF\r\n for more details: https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter\r\n \r\n [env: RUST_LOG=]\r\n [default: INFO]\r\n -r, --restrict-http-upgrade-path-prefix \u003cRESTRICT_HTTP_UPGRADE_PATH_PREFIX\u003e\r\n Server will only accept connection from if this specific path prefix is used during websocket upgrade.\r\n Useful if you specify in the client a custom path prefix, and you want the server to only allow this o\r\n The path prefix act as a secret to authenticate clients\r\n Disabled by default. Accept all path prefix. Can be specified multiple time\r\n \r\n [env: WSTUNNEL_RESTRICT_HTTP_UPGRADE_PATH_PREFIX=]\r\n --restrict-config \u003cRESTRICT_CONFIG\u003e\r\n Path to the location of the restriction yaml config file.\r\n Restriction file is automatically reloaded if it changes\r\n --tls-certificate \u003cFILE_PATH\u003e\r\n [Optional] Use custom certificate (pem) instead of the default embedded self-signed certificate.\r\n The certificate will be automatically reloaded if it changes\r\n --tls-private-key \u003cFILE_PATH\u003e\r\n [Optional] Use a custom tls key (pem, ec, rsa) that the server will use instead of the default embedde\r\n The private key will be automatically reloaded if it changes\r\n --tls-client-ca-certs \u003cFILE_PATH\u003e\r\n [Optional] Enables mTLS (client authentication with certificate). Argument must be PEM file\r\n containing one or more certificates of CA's of which the certificate of clients needs to be signed wit\r\n The ca will be automatically reloaded if it changes\r\n \r\nhttps://github.com/erebe/wstunnel\r\nPage 8 of 16\n\n-p, --http-proxy \u003cUSER:PASS@HOST:PORT\u003e\r\n If set, will use this http proxy to connect to the client\r\n [env: HTTP_PROXY=]\r\n --http-proxy-login \u003cLOGIN\u003e\r\n If set, will use this login to connect to the http proxy. Override the one from --http-proxy\r\n [env: WSTUNNEL_HTTP_PROXY_LOGIN=]\r\n --http-proxy-password \u003cPASSWORD\u003e\r\n If set, will use this password to connect to the http proxy. Override the one from --http-proxy\r\n [env: WSTUNNEL_HTTP_PROXY_PASSWORD=]\r\nRelease\r\nStatic binaries are available in release section\r\ndocker image are available at https://github.com/erebe/wstunnel/pkgs/container/wstunnel\r\ndocker pull ghcr.io/erebe/wstunnel:latest\r\nExamples\r\nUnderstand command line syntax\r\nSimplest one with socks5 - Good for browsing internet\r\nProxy SSH\r\nBypass a corporate proxy\r\nProxy Wireguard traffic\r\nAndroid\r\nProxy easily any traffic with transparent proxy (linux only)\r\nReverse tunneling\r\nHow to secure access of your wstunnel server\r\nUse HTTP2 instead of websocket for transport protocol\r\nMaximize your stealthiness/Make your traffic discrete\r\nUnderstand command line syntax\r\nWstunnel command line mimic ssh tunnel syntax. You can take reference to this article, or this diagram to\r\nunderstand\r\nhttps://github.com/erebe/wstunnel\r\nPage 9 of 16\n\nSimplest one\r\nOn your remote host, start the wstunnel's server by typing this command in your terminal\r\nwstunnel server wss://[::]:8080\r\nThis will create a websocket server listening on any interface on port 8080. On the client side use this command to\r\nforward traffic through the websocket tunnel\r\nwstunnel client -L socks5://127.0.0.1:8888 --connection-min-idle 5 wss://myRemoteHost:8080\r\nThis command will create a socks5 server listening on port 8888 of the loopback interface and will forward traffic\r\ndynamically. connection-min-idle 10 is going an optimization to create a pool of 10 connection connected to\r\nthe server, to speed-up the establishement of new tunnels.\r\nWith firefox you can setup a proxy using this tunnel, by setting in networking preferences 127.0.0.1:8888 and\r\nselecting socks5 proxy. Be sure to check the option Proxy DNS when using SOCKS v5 for the server to resolve\r\nDNS name and not your local machine.\r\nor with curl\r\ncurl -x socks5h://127.0.0.1:8888 http://google.com/\r\nhttps://github.com/erebe/wstunnel\r\nPage 10 of 16\n\n#Please note h after the 5, it is to avoid curl resolving DNS name locally\r\nAs proxy command for SSH\r\nYou can specify stdio as source port on the client side if you wish to use wstunnel as part of a proxy command\r\nfor ssh\r\nssh -o ProxyCommand=\"wstunnel client --log-lvl=off -L stdio://%h:%p ws://myRemoteHost:8080\" my-serve\r\nWhen behind a corporate proxy\r\nAn other useful example is when you want to bypass an http proxy (a corporate proxy for example) The most\r\nreliable way to do it is to use wstunnel as described below\r\nStart your wstunnel server with tls activated\r\nwstunnel server wss://[::]:443 --restrict-to 127.0.0.1:22\r\nThe server will listen on any interface using port 443 (https) and restrict traffic to be forwarded only to the ssh\r\ndaemon.\r\nBe aware that the server will use self signed certificate with weak cryptographic algorithm. It was made in\r\norder to add the least possible overhead while still being compliant with tls.\r\nDo not rely on wstunnel to protect your privacy, if it is one of your concerns, you should only forwards\r\ntraffic that is already secure by design (ie: https or vpn traffic)\r\nNow on the client side start the client with\r\nwstunnel client -L tcp://9999:127.0.0.1:22 -p http://mycorporateproxy:8080 wss://myRemoteHost:443\r\nIt will start a tcp server on port 9999 that will contact the corporate proxy, negotiate a tls connection with the\r\nremote host and forward traffic to the ssh daemon on the remote host.\r\nYou may now access your server from your local machine on ssh by using\r\nssh -p 9999 login@127.0.0.1\r\nWireguard and wstunnel\r\nYou can find a full tutorial that explain how to setup wstunnel and wireguard at here\r\nhttps://github.com/erebe/wstunnel\r\nPage 11 of 16\n\nFor a quick explanation see below.\r\nYou have a working wireguard client configuration called wg0.conf . Let's say\r\n[Interface]\r\nAddress = 10.200.0.2/32, fd00:cafe::2/128\r\nPrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=\r\n[Peer]\r\nPublicKey = 9iicV7Stdl/U0RH1BNf3VvlVjaa4Eus6QPEfEz6cR0c=\r\nAllowedIPs = 0.0.0.0/0, ::/0\r\nEndpoint = my.server.com:51820\r\nStart wstunnel server on my.server.com like this\r\nwstunnel server --restrict-to localhost:51820 wss://[::]:443\r\non your local machine start the client like this\r\nwstunnel client -L 'udp://51820:localhost:51820?timeout_sec=0' wss://my.server.com:443\r\nchange your wireguard client config to something\r\n[Interface]\r\nAddress = 10.200.0.2/32, fd00:cafe::2/128\r\nPrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=\r\n# Replace by a dns your server has access to\r\ndns = 8.8.8.8\r\n# https://github.com/nitred/nr-wg-mtu-finder to find best mtu for you\r\nMTU = 1400\r\n[Peer]\r\nPublicKey = 9iicV7Stdl/U0RH1BNf3VvlVjaa4Eus6QPEfEz6cR0c=\r\nAllowedIPs = 0.0.0.0/0, ::/0\r\n# Should target port where wstunnel client is listenning to\r\nEndpoint = localhost:51820\r\n# Should not be necessary if you enable wstunnel client websocket ping\r\nPersistentKeepalive = 20\r\nAdd a default route to your server, as your AllowedIps are catch-all, it is to avoid the traffic looping.\r\nsudo ip route add ip.of.my.server.com dev eth0 via 192.168.0.1\r\n# replace eth0 (interface) and 192.168.0.1 (router gateway) by the one given by `ip route get ip.of.m\r\nhttps://github.com/erebe/wstunnel\r\nPage 12 of 16\n\nstart your wireguard, and it should be working\r\nsudo wg-quick up wg0\r\nping 10.200.0.1 # ping another ip of your vpn network\r\nFAQ\r\nDisable default udp tunnel timeout that will auto-close it after 30sec. i.e: udp://1212:127.0.0.1:5201?\r\ntimeout_sec=0\r\nIf you see some throughput issue, be sure to lower the MTU of your wireguard interface (you can do it via\r\nconfig file) to something like 1300 or you will endup fragmenting udp packet (due to overhead of other\r\nlayer) which is always causing issues\r\nIf wstunnel cannot connect to server while wireguard is on, be sure you have added a static route via your\r\nmain gateway for the ip of wstunnel server. Else if you forward all the traffic without putting a static route,\r\nyou will endup looping your traffic wireguard interface -\u003e wstunnel client -\u003e wireguard interface\r\nIf you have trouble making it works on windows, please check this issue #252\r\nAndroid\r\nYou can use the android binary and use termux to run it on your phone.\r\nIf you want a guide regarding how to use wstunnel on Android, you can follow this guide\r\nTransparent proxy (linux only)\r\nTransparent proxy allows to easily proxy any program. Start wstunnel with\r\nsudo wstunnel client -L 'tproxy+tcp://1080' -L 'tproxy+udp://1080' wss://my.server.com:443\r\nuse this project to route traffic seamlessly https://github.com/NOBLES5E/cproxy. It works with any program\r\ncproxy --port 1080 --mode tproxy -- curl https://google.com\r\nYou can even start a new shell, were all your commands will be proxyfied\r\ncproxy --port 1080 --mode tproxy -- bash\r\nReverse tunneling\r\nStart wstunnel with\r\nhttps://github.com/erebe/wstunnel\r\nPage 13 of 16\n\nsudo wstunnel client -R 'tcp://[::]:8000:localhost:8000' wss://my.server.com:443\r\nIn another terminal, start a simple webserver on your local machine\r\nFrom your my.server.com machine/network you can now do\r\ncurl http://localhost:8000\r\nHow to secure the access of your wstunnel server\r\nGenerate a secret, let's say h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd\r\nNow start you server with the following command\r\nwstunnel server --restrict-http-upgrade-path-prefix h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd wss://[::]\r\nAnd start your client with\r\nwstunnel client --http-upgrade-path-prefix h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd ... wss://myRemoteHos\r\nNow your wstunnel server, will only accept connection if the client specify the correct path prefix during the\r\nupgrade request.\r\nIf you need more customization, you can use a config file to specify specific rules with --restrict-config . You\r\ncan find examples of restriction rules there\r\nUse HTTP2 instead of websocket for the transport protocol\r\nUse this only if websocket is blocked by your firewall/proxy. Otherwise, it is less performant than websocket.\r\nStart your wstunnel server as usual with\r\nwstunnel server wss://[::]:8080\r\nOn the client the only difference is to specify https:// instead of wss://\r\nwstunnel client -L socks5://127.0.0.1:8888 https://myRemoteHost:8080\r\nWARNING HTTP2 as transport protocol is harder to make it works because:\r\nIf you are behind a (reverse) proxy/CDN they may buffer the whole request before forwarding it to the\r\nserver. Cloudflare is doing that, and obviously, this is not going to work for tunneling traffic\r\nhttps://github.com/erebe/wstunnel\r\nPage 14 of 16\n\nif you have wstunnel behind a reverse proxy, most of them (i.e: nginx) are going to turn http2 request into\r\nhttp1 This is not going to work, because http1 does not support streaming naturally\r\nThe only way to make it works with HTTP2 is to have wstunnel server directly exposed to the internet without\r\nany reverse proxy in front of it\r\nIn addition, you may also want to play with the request headers (i.e: content-length and content-type) to make it\r\nlooks like normal traffic to bypass your firewall/proxy. Some firewall may not like to see request with content-length not set, or with content-type set to application/octet-stream\r\nMaximize your stealthiness/Make your traffic discrete\r\nUse wstunnel with TLS activated (wss://) and use your own certificate\r\nEmbedded certificate is self-signed and are the same for everyone, so can be easily\r\nfingerprinted/flagged\r\nUse valid certificate (i.e: with Let's Encrypt), self-signed certificate are suspicious\r\nUse a custom http path prefix (see --http-upgrade-path-prefix option)\r\nTo avoid having the same url than every other wstunnel user\r\nChange your tls-sni-override to a domain is known to be allowed (i.e: google.com, baidu.com, etc...)\r\nthis will not work if your wstunnel server is behind a reverse proxy (i.e: Nginx, Cloudflare,\r\nHAProxy, ...)\r\nBenchmark\r\nHow to Build\r\nInstall the Rust https://www.rust-lang.org/tools/install or if you are a believer\r\nhttps://github.com/erebe/wstunnel\r\nPage 15 of 16\n\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\r\nand run those commands at the root of the project\r\ncargo build --package wstunnel-cli\r\ntarget/debug/wstunnel ...\r\nSource: https://github.com/erebe/wstunnel\r\nhttps://github.com/erebe/wstunnel\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/erebe/wstunnel"
	],
	"report_names": [
		"wstunnel"
	],
	"threat_actors": [],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24f552e3c097304c1fbc1a5658a52e3a07e9d03e.pdf",
		"text": "https://archive.orkl.eu/24f552e3c097304c1fbc1a5658a52e3a07e9d03e.txt",
		"img": "https://archive.orkl.eu/24f552e3c097304c1fbc1a5658a52e3a07e9d03e.jpg"
	}
}