Show HN: Wiretap – Transparent WireGuard proxy server without root(github.com)
github.com
Show HN: Wiretap – Transparent WireGuard proxy server without root
https://github.com/sandialabs/wiretap
18 comments
Hilarious name for an open source project released by a government lab.
Reminds me of Moloch, the packet capture and indexing software[0]. I wonder why it was renamed and moved out of the AOL github org...
[0]: https://news.ycombinator.com/item?id=22949604
[0]: https://news.ycombinator.com/item?id=22949604
Based on the name initially I thought Wiretap was a MITM proxy for Wireguard.
Wireproxy can do similar stuff: https://github.com/octeep/wireproxy
(Disclaimer: I am a contributor to Wireproxy)
(Disclaimer: I am a contributor to Wireproxy)
Thanks for the link! IIUIC, wireproxy is not similar, but complementary: you can run wiretap on the server-side and wireproxy on the client and have a complete user-space solution.
Much better name. Initially I thought Wiretap was a MITM proxy for Wireguard.
The focus here is on the fact that it runs in userspace. Tailscale in userspace does something similar where it receives packet "meta-data" and then just creates the packet that came through the tunnel and sends it out the lan interface. Is this what happens here? I do like the docker option ;)
mitmproxy just gained this feature in 9.0.0 too: https://mitmproxy.org/posts/wireguard-mode/
I’m not sure to understand what makes it different from WireGuard. Could someone eli5 ?
Vanilla WireGuard doesn't provide a way to run a peer in userspace that can proxy traffic between another peer and an endpoint such as a web server because you need to be privileged to do things like work with raw packets. However, https://github.com/WireGuard/wireguard-go is a userspace implementation of WireGuard and has recently incorporated Google's userspace networking stack. This project uses these two userspace tools to "fake" a privileged WireGuard peer that proxies TCP, UDP, and (a small subset of) ICMP. It was written as a pentesting/red team utility for my team but it can also serve as a general makeshift VPN when you don't have privileges on a box you want to proxy through.
Edit: typo
Edit: typo
Userspace capability. Especially when running inside containers.
Kernel networking interfaces already work pretty well in containers (using network namespaces). You can eg run openvpn or some fancier SDN inside a container to tunnel its traffic with the default non-privileged permission set that
If you are running an old kernel from before Wireguard was merged to the mainline kernel, or want the extra safery from a memory safe language wireguard implementation this can be useful.
If you are running an old kernel from before Wireguard was merged to the mainline kernel, or want the extra safery from a memory safe language wireguard implementation this can be useful.
this replaces WG + some iptables config in a single user-space solution (no root required)
Cool project, but AV are gonna flag the shit out of it.
ssf and other tunneling techno are already abused by a lot of threat actors ...
ssf and other tunneling techno are already abused by a lot of threat actors ...
[deleted]
Wire this to Lightning and profit.