Show HN: Wiretap – Transparent WireGuard proxy server without root
github.com
Hilarious name for an open source project released by a government lab.
Reminds me of Moloch, the packet capture and indexing software[0]. I wonder why it was renamed and moved out of the AOL github org...
Based on the name initially I thought Wiretap was a MITM proxy for Wireguard.
Wireproxy can do similar stuff: https://github.com/octeep/wireproxy
(Disclaimer: I am a contributor to Wireproxy)
Thanks for the link! IIUIC, wireproxy is not similar, but complementary: you can run wiretap on the server-side and wireproxy on the client and have a complete user-space solution.
Much better name. Initially I thought Wiretap was a MITM proxy for Wireguard.
The focus here is on the fact that it runs in userspace. Tailscale in userspace does something similar where it receives packet "meta-data" and then just creates the packet that came through the tunnel and sends it out the LAN interface. Is this what happens here? I do like the docker option ;)
Yes! It’s very similar to what Tailscale does in userspace mode, written as more of a standalone utility
Thanks! That's pretty cool. I will definitely have to try that. I could think of some sweet applications. Especially in a secured Kubernetes cluster.
mitmproxy just gained this feature in 9.0.0 too: https://mitmproxy.org/posts/wireguard-mode/
I'm not sure I understand what makes it different from WireGuard. Could someone ELI5?
Vanilla WireGuard doesn't provide a way to run a peer in userspace that can proxy traffic between another peer and an endpoint such as a web server because you need to be privileged to do things like work with raw packets. However, https://github.com/WireGuard/wireguard-go is a userspace implementation of WireGuard and has recently incorporated Google's userspace networking stack. This project uses these two userspace tools to "fake" a privileged WireGuard peer that proxies TCP, UDP, and (a small subset of) ICMP. It was written as a pentesting/red team utility for my team but it can also serve as a general makeshift VPN when you don't have privileges on a box you want to proxy through.
Edit: typo
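The mechanism described in the reply above (wireguard-go plus gVisor's netstack standing in for a privileged WireGuard peer), as an added example that is not part of the original thread and is not wiretap's or wireguard-go's code. It shows the two pieces that are plain Go: building the UAPI configuration string that wireguard-go's `device.IpcSet` accepts (hex keys, `allowed_ip`, `endpoint`), and the bidirectional TCP relay that forwards a connection accepted inside the tunnel to the real target. The netstack wiring itself appears only as a commented sketch, because those packages are outside the standard library; the addresses, port and target (192.168.0.2, 51820, 10.0.0.5:80) and the 25-second keepalive are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"io"
	"net"
	"net/netip"
	"strings"
	"sync"
)

// Added example, not wiretap's or wireguard-go's code: the plain-Go halves of a
// userspace WireGuard proxy peer, UAPI config plus tunnel-to-target TCP relay.

// wgKeyHex turns a base64 key (wg(8) form) into the hex the UAPI protocol wants.
func wgKeyHex(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("key is not base64: %w", err)
	}
	if len(raw) != 32 {
		return "", fmt.Errorf("key is %d bytes, want 32", len(raw))
	}
	return hex.EncodeToString(raw), nil
}

// uapiConfig builds the "key=value\n" document device.IpcSet consumes, for our
// key plus one remote peer. allowedIPs are the source prefixes accepted from that
// peer (for a proxy peer, the client's tunnel address), parsed as CIDRs so a typo
// fails here, not inside the device. listenPort 0 lets the device pick a port.
func uapiConfig(privB64 string, listenPort int, peerPubB64 string, allowedIPs []string, endpoint string) (string, error) {
	priv, err := wgKeyHex(privB64)
	if err != nil {
		return "", fmt.Errorf("private key: %w", err)
	}
	pub, err := wgKeyHex(peerPubB64)
	if err != nil {
		return "", fmt.Errorf("peer public key: %w", err)
	}
	var b strings.Builder
	fmt.Fprintf(&b, "private_key=%s\nlisten_port=%d\nreplace_peers=true\n", priv, listenPort)
	fmt.Fprintf(&b, "public_key=%s\n", pub)
	for _, cidr := range allowedIPs {
		p, err := netip.ParsePrefix(cidr)
		if err != nil {
			return "", fmt.Errorf("allowed_ip %q: %w", cidr, err)
		}
		fmt.Fprintf(&b, "allowed_ip=%s\n", p.Masked())
	}
	if endpoint != "" { // "" when the client always dials us first
		fmt.Fprintf(&b, "endpoint=%s\n", endpoint)
	}
	b.WriteString("persistent_keepalive_interval=25\n")
	return b.String(), nil
}

// Wiring sketch for the real peer (needs golang.zx2c4.com/wireguard and its
// tun/netstack package; assumed API, comments only, not compiled here):
//   tun, tnet, _ := netstack.CreateNetTUN([]netip.Addr{proxyAddr}, nil, 1420)
//   dev := device.NewDevice(tun, conn.NewDefaultBind(), device.NewLogger(device.LogLevelError, ""))
//   dev.IpcSet(cfg); dev.Up()
//   ln, _ := tnet.ListenTCP(&net.TCPAddr{IP: proxyAddr.AsSlice(), Port: 8080})
//   for { c, _ := ln.Accept(); t, _ := net.Dial("tcp", "10.0.0.5:80"); go relay(c, t) }
//
// relay pumps bytes both ways between a connection accepted inside the tunnel
// and the target connection, half-closing each direction at EOF so the other
// side can still deliver its reply. It returns the bytes moved each way.
func relay(tunnel, target net.Conn) (toTarget, fromTarget int64) {
	var wg sync.WaitGroup
	wg.Add(2)
	go func() {
		defer wg.Done()
		toTarget, _ = io.Copy(target, tunnel)
		halfClose(target)
	}()
	go func() {
		defer wg.Done()
		fromTarget, _ = io.Copy(tunnel, target)
		halfClose(tunnel)
	}()
	wg.Wait()
	return toTarget, fromTarget
}

// halfClose half-closes TCP (peer sees EOF, can still reply); closes anything else.
func halfClose(c net.Conn) {
	if tc, ok := c.(*net.TCPConn); ok {
		tc.CloseWrite()
		return
	}
	c.Close()
}

// main only exercises uapiConfig with an all-zero placeholder key (never a real one).
func main() {
	zero := strings.Repeat("A", 43) + "="
	cfg, err := uapiConfig(zero, 51820, zero, []string{"192.168.0.2/32"}, "")
	fmt.Println(cfg, err)
}
```

One check worth keeping in mind when setting this up: the proxy peer's `allowed_ip` must cover the client's tunnel address, while the client's own AllowedIPs must cover the subnet reached through the proxy; if the two are swapped, WireGuard's cryptokey routing drops the packets silently and nothing ever reaches the relay.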
Userspace capability. Especially when running inside containers.
Kernel networking interfaces already work pretty well in containers (using network namespaces). You can eg run openvpn or some fancier SDN inside a container to tunnel its traffic with the default non-privileged permission set that
If you are running an old kernel from before WireGuard was merged into the mainline kernel, or want the extra safety of a memory-safe language WireGuard implementation, this can be useful.
this replaces WG + some iptables config in a single user-space solution (no root required)
Cool project, but AV are gonna flag the shit out of it.
ssf and other tunneling tech are already abused by a lot of threat actors ...
Wire this to Lightning and profit.