Objective
I was looking for a solution that will allow me to hide Wireguard traffic inside another tunnel - to make Wireguard work in the networks where output UDP traffic on high ports is banned. All the solutions I found were either too complicated - OpenVPN that possibly could replace Wireguard(but configuration is too difficult) - or only x64 compatible - Wstunnel - so won’t work on OpenWRT devices.
Solution
… it was right in front of me. Lately, I discovered not-so-popular functionality of OpenSSH server(and client). Besides well known port forwarding(L4 Tunneling), It can perform tunneling on L3 or even at L2.
Server
On the OpenSSH server, inside sshd_config following rule enables tunneling PermitTunnel yes. Besides that, access to /dev/net/tun should be provided for vpn user, and for each user - interface tun should be created sudo ip tuntap add mode tun user sshclientusernameonserver name tun101 , then IP should be assigned sudo ip addr add 10.242.10.1 dev "tun101, and then finally, interface should be brought upsudo ip link set tun101 up
Client
On the OpenSSH client, we should also create interface, assign IP to it(the other than on the server), and use the following command to establishe SSH L3 tunnel ssh username@ip_server -w 24:101. Where 24 is number of local tun interface, and 101 is number of tun interface on server side.
Advantages
- It can be run on OpenWRT, as OpenSSH client can be installed on those devices!
- long-time-support
- simplicity
Docker project
I created a project of docker image, with an example of deployment.It’s available here