Skip to content

Add support for UDP proxying#187

Open
VastBlast wants to merge 3 commits intowhyvl:masterfrom
VastBlast:add-udp-support
Open

Add support for UDP proxying#187
VastBlast wants to merge 3 commits intowhyvl:masterfrom
VastBlast:add-udp-support

Conversation

@VastBlast
Copy link

@VastBlast VastBlast commented Nov 23, 2025

Reopening #154 as it was auto closed after restructuring my fork.

This PR adds support for a proxying a UDP server through WireGuard. It can listen on IPv4 while tunneling to an IPv6 address or vice versa.

When sending, it goes through BindAddress -> Wireguard -> Target and the opposite when receiving.

For example, if you wanted to proxy Cloudflare's DNS server, an example config would be:

[Interface]
...

[Peer]
...

[UDPProxyTunnel]
BindAddress = 127.0.0.1:53

#Target = [2606:4700:4700::1111]:53
Target = 1.1.1.1:53

# If its set to 0, it will never timeout
InactivityTimeout = 30

@shihiro09
Copy link

shihiro09 commented Dec 17, 2025

Love the DNS use-case. cc @whyvl

Just a thought: would this enable nested wireguard tunnels with two wireproxy daemons? e.g.

outer.conf:

[Peer]
Endpoint = [outer-tunnel]:51280
PublicKey = [outer-key]

[UDPProxyTunnel]
BindAddress = 127.0.0.1:1234
Target = [inner-tunnel]:51280

inner.conf:

[Peer]
Endpoint = 127.0.0.1:1234 # inner proxy
PublicKey = [inner-key]

@VastBlast
Copy link
Author

VastBlast commented Dec 17, 2025

Love the DNS use-case. cc @whyvl

Just a thought: would this enable nested wireguard tunnels with two wireproxy daemons? e.g.

outer.conf:

[Peer]
Endpoint = [outer-tunnel]:51280
PublicKey = [outer-key]

[UDPProxyTunnel]
BindAddress = 127.0.0.1:1234
Target = [inner-tunnel]:51280

inner.conf:

[Peer]
Endpoint = 127.0.0.1:1234 # inner proxy
PublicKey = [inner-key]

Yes, it would. Might need more testing, but it should.

@penyuan
Copy link

penyuan commented Jan 11, 2026

Reopening #154 as it was auto closed after restructuring my fork.

This PR adds support for a proxying a UDP server through WireGuard. It can listen on IPv4 while tunneling to an IPv6 address or vice versa.

When sending, it goes through BindAddress -> Wireguard -> Target and the opposite when receiving.

For example, if you wanted to proxy Cloudflare's DNS server, an example config would be:

[Interface]
...

[Peer]
...

[UDPProxyTunnel]
BindAddress = 127.0.0.1:53

#Target = [2606:4700:4700::1111]:53
Target = 1.1.1.1:53

# If its set to 0, it will never timeout
InactivityTimeout = 30

@VastBlast Thanks!
Does your solution allow UDP traffic through Wireproxy's SOCKS or HTTP proxies? If so, how should it be configured in the .conf file? If not, could this capability be implemented?

@actualben
Copy link

actualben commented Feb 14, 2026
edited
Loading

I have a public docker build of wireproxy with this patch applied in case anyone wants to help test this PR. There are some UDP-related bugs in go-socks5 that will cause panics until they are resolved - I've sent PRs and patched those in my build as well.

https://hub.docker.com/r/backplane/wireproxy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@VastBlast @shihiro09 @penyuan @actualben