Tunnel.pyjam.as – HTTP tunnels without custom software thanks to WireGuard
tunnel.pyjam.as
It's important to note that if you're not self hosting this, you're giving unlimited internal network access to this service (unless you properly firewall of course). It's not specific to the single port/address that is used when downloading the config.
Disclaimer: I wrote a similar tool that is self-hosted and uses SSH as the tunneling service. Does HTTP(S) with TLS termination, TCP, TLS (via SNI), and internal tunneling (unexposed tunnels that are authenticated using SSH) [0].
Author should include an iptables line to limit traffic from the WireGuard interface to only that port. Pre/Post commands in the configuration will work for this.
Not exactly true. It gives access to the computer you are running the tunnel on. Your computer still has to forward packets to others (if you can compromise another service on another computer without any two-way communication) and others still have to know how to route packets back to 10.101.0.1 that this service uses.
Sorry, meant internal network access related to the computer you set the tunnel up on. I usually refer to local network when speaking about the LAN :)
For reference though, all that is needed are some poorly written POSTROUTING rules and ip forwarding enabled on the client to allow access to the local network. More people have these set than you think!
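The restriction suggested in the comments above (only the tunnelled port reachable from the WireGuard interface, nothing forwarded onward), as an added example that is not part of the thread or the project's code: a shell function that adds wg-quick `PostUp`/`PreDown` hooks to a downloaded config. The sample config, its placeholder keys, the client address, the endpoint port and port 8000 are constructed, and the rules cover IPv4 only.

```shell
#!/bin/sh
# Added example (not from the thread): add wg-quick PostUp/PreDown hooks that
# limit what the tunnel peer can reach to one local TCP port. IPv4 only.

harden_wg_conf() {
  # $1 = local TCP port to expose; the wg-quick config is read from stdin.
  port=$1
  case $port in
    ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
  esac
  if [ "${#port}" -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range" >&2; return 1
  fi
  awk -v p="$port" '
    { print }
    /^\[Interface\]/ && !seen {
      seen = 1
      # "-I <chain> 1" inserts at the top, so the rules are emitted in reverse
      # of their final order: ESTABLISHED accept, port accept, then DROP.
      # wg-quick expands %i to the interface name.
      print "PostUp = iptables -I FORWARD 1 -i %i -j DROP"
      print "PostUp = iptables -I INPUT 1 -i %i -j DROP"
      print "PostUp = iptables -I INPUT 1 -i %i -p tcp --dport " p " -j ACCEPT"
      print "PostUp = iptables -I INPUT 1 -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
      print "PreDown = iptables -D INPUT -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
      print "PreDown = iptables -D INPUT -i %i -p tcp --dport " p " -j ACCEPT"
      print "PreDown = iptables -D INPUT -i %i -j DROP"
      print "PreDown = iptables -D FORWARD -i %i -j DROP"
    }
    END { exit (seen ? 0 : 1) }   # fail if there was no [Interface] section
  '
}

# Constructed sample config: keys are placeholders, addresses are illustrative.
sample_conf() {
  cat <<'EOF'
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.101.0.2/32

[Peer]
PublicKey = <placeholder-public-key>
Endpoint = tunnel.example.tld:51820
AllowedIPs = 10.101.0.1/32
EOF
}

sample_conf | harden_wg_conf 8000
```

Bring the tunnel up with the rewritten file rather than the unmodified download; `iptables -S INPUT` lists the inserted rules while the interface is up.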
I maintain a list of solutions to this problem:
https://github.com/anderspitman/awesome-tunneling
Great to see more WireGuard implementations popping up. Most of the "no install" options are based on SSH tunnels, which are great, but WireGuard should have much better performance under certain conditions.
I appreciate that you included a short personal description of the tools along with the stars (which is often missing from such lists).
P.S. I've added your list to my curated list of startup tools - https://startuptoolchain.com/#software-testing as tunneling is quite essential for software development.
Oh that's you?! Thanks for this resource, it is really helpful
It's impressive how simple the code is: https://gitlab.com/pyjam.as/tunnel/-/blob/main/tunnel.py
All the heavy lifting and reverse proxying is done by Wireguard and Caddy! Very slick.
Though of course all traffic will be run through pyjam.as. As this isn't a company with an income stream, I fear if it gets too popular it'll be infeasible for the author to keep it up and available for free long term.
We encourage self-hosting for privacy and my wallet reasons.
Simplicity and elegancy is incredible here! Thank you.
Unfortunately a bigger concern than cost is abuse for things like phishing attacks.
I won't lie, I was confused as to the purpose at first, but the more I think about this the more impressed I get. What wasn't clear at first glance was the port isn't fixed and it generates a "one-time" link. i.e. curling `https://tunnel.example.tld/<whateverport>` generates a neat proxy link `https://<code>.tunnel.example.tld/`.
It would be very handy for say a website designer to quickly bring up and share a demo website running on their development laptop no matter where they happen to be (home, work, the client's office or Starbucks) and everyone involved can "just access" everything through a web browser.
Similar to https://ngrok.com/ except this uses wireguard, and doesn't require any custom software.
With ngrok you need to trust their binary, with this I suppose you need to trust the generated config file.
It’s also self hostable.
repo readme makes more sense than site: "tunnel.pyjam.as can be used as an ephemeral reverse proxy for your local services. This may be useful, for instance when you need to show your friend something cool you've built. tunnel.pyjam.as works without installing any software on your machine, thanks to the magic of Wireguard."
Neat! You could do this without even having WireGuard installed with wireguard-go and Netstack.
Do you have link to an example of how this would be done?
Perhaps this could serve as inspiration https://git.zx2c4.com/wireguard-go/tree/tun/netstack
Fly.io version using it https://github.com/superfly/flyctl/tree/master/pkg/wg
net.Dialer using gVisor https://git.zx2c4.com/wireguard-go/tree/tun/netstack/tun.go#...
Thanks!
Google "user mode WireGuard".
This is absolutely spectacular. I have written up details for an internal service that we were to start a sprint on next week, that has the exact same bits of software. We're looking to build a Teleport alternative as the enterprise pricing is far greater than the value we'd gain. Will definitely be exploring this. Cheers!
I wish some clever person would make a sort of modern-day kali.net where you could easily route game traffic over WireGuard so your self-hosted Minecraft or Valheim servers don't have to be accessible on the public internet.
I haven't used kali.net, but it sounds like https://tailscale.com/ might be for you :)
Why should I bind to 0.0.0.0? It should be able to tunnel any port on any interface.
You need to bind to at least the wireguard interface/address in order for this to work. The service reverse proxies over the tunnel, and your kernel won’t be looking to handle those connections unless you’re listening on the correct tunnel interface.
I tunnel traffic using WireGuard, why would I want something on top of it?
This provides a Caddy reverse proxy, which gives you an HTTPS URL with auto TLS certs that tunnels to a port on your local machine. It's also hosted so you don't have to manage a VPS yourself if you don't want to.