
Internet speed divided by 9 #371

Open
Yaya48 opened this issue Oct 23, 2024 · 5 comments

Comments

Yaya48 commented Oct 23, 2024

Describe the goal

Running wireguard behind wstunnel + traefik

Describe what does not work

I'm using wireguard + wstunnel + traefik in order to bypass a pretty restrictive Stormshield; the Stormshield is set to do transparent SSL MITM and blocks pretty much every port. Although by using wstunnel/websocket with mTLS I got it to work, the only issue is that I have 180 Mbps when not using it and it downgrades to 20 Mbps when using it. Is there anything I can do to increase it, at least to 50-60 Mbps?

Describe your wstunnel setup

Server: traefik + wstunnel
Client: wireguard + wstunnel

Desktop (please complete the following information):

  • OS: Windows 11
erebe (Owner) commented Oct 25, 2024

Hello,

Like that it is hard to tell. In my tests I didn't have such a difference between my raw bandwidth and when using wstunnel.
It is the CPU that would be the bottleneck, either on your client or on your server, so you can check for that to see if it is the case.

But my guess is that as you are using mTLS and bypass the transparent TLS stripping, you are hitting the slow path of your fortinet/firewall and being throttled due to a middle box. If this is the case, there is not much you can do.

Does your Fortinet appliance block traffic without mTLS? Would you mind describing a bit more the security setup/context where you are using wstunnel?

Yaya48 (Author) commented Oct 25, 2024

Hi, yeah, due to SSL MITM it's not possible to run it without mTLS, else it'll just decrypt the tunnel and drop it. Guess I'll need to check for other potential protocols, because 5-13 Mbps is not really usable.

I'm using it on a school internal network that uses a Stormshield firewall.

erebe (Owner) commented Oct 25, 2024

If you haven't tried it yet, you can give it a shot to use http2 instead of the default websocket as the transport protocol.

https://github.com/erebe/wstunnel?tab=readme-ov-file#http2

Also you can try to play with tls-sni to avoid the Stormshield TLS strip. It is illegal to strip TLS of certain websites (i.e. in France bank accounts should be whitelisted). So you can try to spoof the SNI of a bank site to see if it evades the restriction.

Yaya48 (Author) commented Oct 26, 2024

Yeah, I didn't try http2, I'll try next time. Also I didn't know MITMing certain sites was illegal, I mean it's obvious but eh x)

Yaya48 (Author) commented Nov 12, 2024

So I've tried to use SNIs that are whitelisted; it doesn't change anything, it still randomly disconnects and doesn't go faster. Same for http2.
