|  | 2 years ago | |
|---|---|---|
| client | 2 years ago | |
| cmd | 2 years ago | |
| keystore | 2 years ago | |
| server | 2 years ago | |
| util | 2 years ago | |
| .gitignore | 2 years ago | |
| LICENSE | 2 years ago | |
| Makefile | 2 years ago | |
| README.md | 2 years ago | |
| go.mod | 2 years ago | |
| go.sum | 2 years ago | 
Generic DTLS wrapper for UDP sessions. Like stunnel, but for UDP. Suitable for wrapping Wireguard or UDP OpenVPN or any other connection-oriented UDP sessions.
"Client" receives plaintest UDP traffic and forwards it to "Server" via encrypted DTLS connection. "Server" listens UDP port and accepts encrypted DTLS sessions, forwarding messages from each session as a separate UDP connection to plaintext UDP port.
Pre-built binaries are available here.
Alternatively, you may install dtlspipe from source. Run the following command within the source directory:
make install
Let's assume you have following setup: you have server with public IP address 203.0.113.11, running some UDP service on port 514. You want to access this service securely and have UDP datagrams between you and this service encrypted and authenticated.
dtlspipe genpskdtlspipe -psk xxxxxxxxxxxx server 0.0.0.0:2815 127.0.0.1:514dtlspipe -psk xxxxxxxxxxxx client 127.0.0.1:2816 203.0.113.11:2815127.0.0.1:2816 instead of 203.0.113.11:514 for communication with the service.Few notes:
127.0.0.1 for port bind is optional too and used in example to restrict port access from localhost only. Use 0.0.0.0 to allow network access from outside.DTLSPIPE_PSK environment variable.dtlspipe setup can be done using example for generic case, but dtlspipe server should point to the wireguard port.
But you also need to make following adjustments to wireguard client config:
AllowedIPs in the wireguard client config. This calculator may help you. Example for server address 203.0.113.11:Use smaller MTU for wireguard tunnel, add MTU = 1280 to the [Peer] section of wireguard client tunnel config.
AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/5, 200.0.0.0/7, 202.0.0.0/8, 203.0.0.0/18, 203.0.64.0/19, 203.0.96.0/20, 203.0.112.0/24, 203.0.113.0/29, 203.0.113.8/31, 203.0.113.10/32, 203.0.113.12/30, 203.0.113.16/28, 203.0.113.32/27, 203.0.113.64/26, 203.0.113.128/25, 203.0.114.0/23, 203.0.116.0/22, 203.0.120.0/21, 203.0.128.0/17, 203.1.0.0/16, 203.2.0.0/15, 203.4.0.0/14, 203.8.0.0/13, 203.16.0.0/12, 203.32.0.0/11, 203.64.0.0/10, 203.128.0.0/9, 204.0.0.0/6, 208.0.0.0/4, 224.0.0.0/3, ::/0
$ dtlspipe -h
Usage:
dtlspipe [OPTION]... server <BIND ADDRESS> <REMOTE ADDRESS>
dtlspipe [OPTION]... client <BIND ADDRESS> <REMOTE ADDRESS>
dtlspipe [OPTION]... genpsk
dtlspipe version
Options:
  -cpuprofile string
    	write cpu profile to file
  -identity string
    	client identity sent to server
  -idle-time duration
    	max idle time for UDP session (default 1m30s)
  -key-length uint
    	generate key with specified length (default 16)
  -mtu int
    	MTU used for DTLS fragments (default 1400)
  -psk string
    	hex-encoded pre-shared key. Can be generated with genpsk subcommand
  -timeout duration
    	network operation timeout (default 10s)