Skip to content

Add support for UDP proxying#187

Merged
windtf merged 3 commits intowindtf:masterfrom
VastBlast:add-udp-support
Mar 5, 2026
Merged

Add support for UDP proxying#187
windtf merged 3 commits intowindtf:masterfrom
VastBlast:add-udp-support

Conversation

@VastBlast
Copy link
Copy Markdown
Contributor

@VastBlast VastBlast commented Nov 23, 2025

Reopening #154 as it was auto closed after restructuring my fork.

This PR adds support for a proxying a UDP server through WireGuard. It can listen on IPv4 while tunneling to an IPv6 address or vice versa.

When sending, it goes through BindAddress -> Wireguard -> Target and the opposite when receiving.

For example, if you wanted to proxy Cloudflare's DNS server, an example config would be:

[Interface]
...

[Peer]
...

[UDPProxyTunnel]
BindAddress = 127.0.0.1:53

#Target = [2606:4700:4700::1111]:53
Target = 1.1.1.1:53

# If its set to 0, it will never timeout
InactivityTimeout = 30

@shihiro09
Copy link
Copy Markdown

shihiro09 commented Dec 17, 2025

Love the DNS use-case. cc @whyvl

Just a thought: would this enable nested wireguard tunnels with two wireproxy daemons? e.g.

outer.conf:

[Peer]
Endpoint = [outer-tunnel]:51280
PublicKey = [outer-key]

[UDPProxyTunnel]
BindAddress = 127.0.0.1:1234
Target = [inner-tunnel]:51280

inner.conf:

[Peer]
Endpoint = 127.0.0.1:1234 # inner proxy
PublicKey = [inner-key]

@VastBlast
Copy link
Copy Markdown
Contributor Author

VastBlast commented Dec 17, 2025

Love the DNS use-case. cc @whyvl

Just a thought: would this enable nested wireguard tunnels with two wireproxy daemons? e.g.

outer.conf:

[Peer]
Endpoint = [outer-tunnel]:51280
PublicKey = [outer-key]

[UDPProxyTunnel]
BindAddress = 127.0.0.1:1234
Target = [inner-tunnel]:51280

inner.conf:

[Peer]
Endpoint = 127.0.0.1:1234 # inner proxy
PublicKey = [inner-key]

Yes, it would. Might need more testing, but it should.

@penyuan
Copy link
Copy Markdown

penyuan commented Jan 11, 2026

Reopening #154 as it was auto closed after restructuring my fork.

This PR adds support for a proxying a UDP server through WireGuard. It can listen on IPv4 while tunneling to an IPv6 address or vice versa.

When sending, it goes through BindAddress -> Wireguard -> Target and the opposite when receiving.

For example, if you wanted to proxy Cloudflare's DNS server, an example config would be:

[Interface]
...

[Peer]
...

[UDPProxyTunnel]
BindAddress = 127.0.0.1:53

#Target = [2606:4700:4700::1111]:53
Target = 1.1.1.1:53

# If its set to 0, it will never timeout
InactivityTimeout = 30

@VastBlast Thanks!
Does your solution allow UDP traffic through Wireproxy's SOCKS or HTTP proxies? If so, how should it be configured in the .conf file? If not, could this capability be implemented?

@actualben
Copy link
Copy Markdown

actualben commented Feb 14, 2026
edited
Loading

I have a public docker build of wireproxy with this patch applied in case anyone wants to help test this PR. There are some UDP-related bugs in go-socks5 that will cause panics until they are resolved - I've sent PRs and patched those in my build as well.

https://hub.docker.com/r/backplane/wireproxy

@windtf windtf merged commit 1c6a10d into windtf:master Mar 5, 2026
@windtf windtf mentioned this pull request Mar 5, 2026
Closed
@shihiro09
Copy link
Copy Markdown

shihiro09 commented Mar 15, 2026

I've confirmed that nested tunnels work with this change. Good work. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@VastBlast @shihiro09 @penyuan @actualben @windtf