Wireguard over DNSTT

Hi all,

Is it possible to make DNSTT support UDP as well? I am trying to build the following so my mobile phone can bypass firewall restrictions. However, Wireguard only runs on UDP.

Wireguard client <—> DNSTT client <—> DNSTT server <—> Wireguard server

I am very new to this and sorry if I asked a n00b question.


Why do you want WireGuard? OpenVPN can operate over TCP.
OpenVPN is available on any platform.

I’ll give OpenVPN a try. Thanks!

I have not gotten OpenVPN to work yet, but I do have another question.

In my region, Internet access might not be the most stable and there could be network disconnection. Is there a way to make dnstt-client auto reconnect when that happens? When there is a disconnect, the ncat client can no longer get through to the server side unless I restart the dnstt-client.

dnstt itself is built on the assumption of providing a reliable stream interface to user-space applications.

You can think of dnstt as a combination of two things: a specific way of encoding chunks of data into DNS queries and responses, as well as a KCP/smux session and reliability layer. The KCP/smux layer is the “tt” (turbo tunnel) part of the name.

If you want to use DNS like a VPN (kernel space not user space), you don’t need the session and reliability part. That’s because the kernel already has its own mechanisms for sessions and reliability. You only need a way to encode IP datagrams as DNS queries/responses.

The software doesn’t support it at this point, but conceptually it would be possible to use dnstt’s encodings on raw IP datagrams, and remove the KCP/smux layer to get a VPN-like interface that works with WireGuard and UDP. You would need a virtual network interface with the MTU set small enough (around 120 bytes) to fit into a DNS query. This is how TUNS works, for example.

One option for you to try is tun2socks. You can set dnstt up to be a SOCKS proxy; then tun2socks can provide a network interface over the top of it.

It is likely also possible to implement a DNS encoding specifically for WireGuard. Here are some examples of how obfuscations have been implemented for WireGuard specifically:

I see what you’re saying. I don’t think there’s an automatic way to do this now. I’m planning a change (after this thread) that might make the situation better. It will have the side effect of starting a new session if all connected clients have disconnected.

Another possible reference for you is DNS tunnel that can do DoH and DoT · Issue #30 · net4people/bbs · GitHub.