Use WsTunnel in Android - VPN (Wireguard)

[vincent1890]

Not BUG !!!!
WsTunnel is a really great project really top 😍

But how to use wstunnel_9.6.2_android_arm64.tar.gz in Android ?
is there an app on Google Play because I can’t find anything functional ?
What are prerequis, etc ... plz ?

• OS: Android > v10
• Version 9.6.2

[ikhwanperwira]

I can help you with, this is supported for non-root phone:

Prerequisites:
Termux (fdroid) -> To run the binary and start local socks5 listener. (Convert traffic between L7 (ws) to L4 (socks5)
V2rayNG (playstore) -> To convert traffic between L4 (socks5) and L2 (VPN).

Concept:
Wstunnel act as socks5 server in Termux, while V2rayNG act as socks5 client and run the VPN service.

Therefore, the command you should use in Termux:

wstunnel client -L socks5://127.0.0.1:10808 ws://<ip>:<port>

While in V2rayNG you should specify the Host and Port.

Here are some screenshots:

[vincent1890]

I can help you with, this is supported for non-root phone:

Prerequisites: Termux (fdroid) -> To run the binary and start local socks5 listener. (Convert traffic between L7 (ws) to L4 (socks5) V2rayNG (playstore) -> To convert traffic between L4 (socks5) and L2 (VPN).

Concept: Wstunnel act as socks5 server in Termux, while V2rayNG act as socks5 client and run the VPN service.

Therefore, the command you should use in Termux:

wstunnel client -L socks5://127.0.0.1:10808 ws://<ip>:<port>

While in V2rayNG you should specify the Host and Port.

Here are some screenshots:

Hello @ikhwanperwira

Thanks for answering you, I test this next week because I would be in constrained environment so the perfect time for that.

Thanks for that

[FT1142558190]

有帮助

[vincent1890]

I can help you with, this is supported for non-root phone:

Prerequisites: Termux (fdroid) -> To run the binary and start local socks5 listener. (Convert traffic between L7 (ws) to L4 (socks5) V2rayNG (playstore) -> To convert traffic between L4 (socks5) and L2 (VPN).

Concept: Wstunnel act as socks5 server in Termux, while V2rayNG act as socks5 client and run the VPN service.

Therefore, the command you should use in Termux:

wstunnel client -L socks5://127.0.0.1:10808 ws://<ip>:<port>

While in V2rayNG you should specify the Host and Port.

Here are some screenshots:

Error when I use the same command that still works on computer but not on android in Termux

Help me plz !

[ikhwanperwira]

I can help you with, this is supported for non-root phone:

Prerequisites: Termux (fdroid) -> To run the binary and start local socks5 listener. (Convert traffic between L7 (ws) to L4 (socks5) V2rayNG (playstore) -> To convert traffic between L4 (socks5) and L2 (VPN).

Concept: Wstunnel act as socks5 server in Termux, while V2rayNG act as socks5 client and run the VPN service.

Therefore, the command you should use in Termux:

wstunnel client -L socks5://127.0.0.1:10808 ws://<ip>:<port>

While in V2rayNG you should specify the Host and Port.

Here are some screenshots:

Error when I use the same command that still works on computer but not on android in Termux

Help me plz !

Based on the command with flag -L, it seems you are listening on UDP instead of Socks5.

You need addition relay for UDP packet so it can be converted to Socks5 packet since V2rayNG accept Socks5 traffic.

Or try to change listener to socks5

-L socks5://10808:localhost:51820?timeout_sec?=51820

Or don't follow your PC command specifically -L flag, just follow socks5 command that I mentioned earlier

-L socks5://127.0.0.1:10808

[ginnort]

Hi, I love this project, it runs fast and smooth on pc.
But how to run the binary on a non-root phone exactly? I google and try, can't figure it out.
When wstunnel in the internal storage, "chmod + x" doesn't work, even with adb root shell, it changes nothing.
When copy wstunnel to termux home directory, "chmod +x" works, but have to run wstunnel with root.
Would you please give some tips to run this binary. Thank you very much.

os: lineageos 20, android 13

[ginnort]

Hi, I love this project, it runs fast and smooth on pc. But how to run the binary on a non-root phone exactly? I google and try, can't figure it out. When wstunnel in the internal storage, "chmod + x" doesn't work, even with adb root shell, it changes nothing. When copy wstunnel to termux home directory, "chmod +x" works, but have to run wstunnel with root. Would you please give some tips to run this binary. Thank you very much.

os: lineageos 20, android 13

I change the user and group, still permission denied.

[vincent1890]

I can help you with, this is supported for non-root phone:
Prerequisites: Termux (fdroid) -> To run the binary and start local socks5 listener. (Convert traffic between L7 (ws) to L4 (socks5) V2rayNG (playstore) -> To convert traffic between L4 (socks5) and L2 (VPN).
Concept: Wstunnel act as socks5 server in Termux, while V2rayNG act as socks5 client and run the VPN service.
Therefore, the command you should use in Termux:

wstunnel client -L socks5://127.0.0.1:10808 ws://<ip>:<port>

While in V2rayNG you should specify the Host and Port.
Here are some screenshots:

Error when I use the same command that still works on computer but not on android in Termux


Help me plz !

Based on the command with flag -L, it seems you are listening on UDP instead of Socks5.

You need addition relay for UDP packet so it can be converted to Socks5 packet since V2rayNG accept Socks5 traffic.

Or try to change listener to socks5

-L socks5://10808:localhost:51820?timeout_sec?=51820

Or don't follow your PC command specifically -L flag, just follow socks5 command that I mentioned earlier

-L socks5://127.0.0.1:10808

Hello thank !

I don’t understand why you have to use v2rayNG in addition to wstunnel why wstunnel is not enough as on linux or windows?

Currently my config:
.\wstunnel client -c 10 -L 'udp://51820:localhost:51820?timeout_sec=0' wss://vpn.server.com:443 --tls-sni-override vpn.server.com

[(Windows/Linux) App_(file/chrome/other) -> Wireguard (UDP 51820) -> (IN - UDP 51820 )Wstunnel(Out - TCP 443) -> Internet World -> (In - TCP 443)Docker-RevProxy(Out - TCP 9442) -> (In - TCP 9442)Docker-WsTunnel(Out - UDP 51820) -> (In UDP 51820)_Wireguard-Server-VPN -> (Enterprise)Private-Lan] this works well

But on android how to add this component v2rayNG (in addition to termux) and why I do not understand and therefore can not operate the whole surely because the does not understand the path and the needs?

Should it be like this in Termux with v2rayNG ?
./wstunnel client -c 10 -L 'socks5://10808:localhost:51820?timeout_sec=0' wss://vpn.server.com:443 --tls-sni-override vpn.server.com

[(Android) App_(file/chrome/other) -> v2rayNG(Out - UDP 10808) -> I don’t understand the link here or if "Wireguard" and "v2rayNG" are reversed in my schema? -> Wireguard (Out - UDP 51820) -> (In - UDP 51820 )Wstunnel_In-TERMUX(Out - TCP 443) -> Internet World -> (In - TCP 443)Docker-RevProxy(Out - TCP 9442) -> (In - TCP 9442)Docker-WsTunnel(Out - UDP 51820) -> (Out - UDP 51820)_Wireguard-VPN -> (Enterprise)Private-Lan]

[vincent1890]

Hi, I love this project, it runs fast and smooth on pc. But how to run the binary on a non-root phone exactly? I google and try, can't figure it out. When wstunnel in the internal storage, "chmod + x" doesn't work, even with adb root shell, it changes nothing. When copy wstunnel to termux home directory, "chmod +x" works, but have to run wstunnel with root. Would you please give some tips to run this binary. Thank you very much.
os: lineageos 20, android 13

I change the user and group, still permission denied.

check the permissions of the app termux in android

[ikhwanperwira]

I can help you with, this is supported for non-root phone:
Prerequisites: Termux (fdroid) -> To run the binary and start local socks5 listener. (Convert traffic between L7 (ws) to L4 (socks5) V2rayNG (playstore) -> To convert traffic between L4 (socks5) and L2 (VPN).
Concept: Wstunnel act as socks5 server in Termux, while V2rayNG act as socks5 client and run the VPN service.
Therefore, the command you should use in Termux:

wstunnel client -L socks5://127.0.0.1:10808 ws://<ip>:<port>

While in V2rayNG you should specify the Host and Port.
Here are some screenshots:

Error when I use the same command that still works on computer but not on android in Termux


Help me plz !

Based on the command with flag -L, it seems you are listening on UDP instead of Socks5.
You need addition relay for UDP packet so it can be converted to Socks5 packet since V2rayNG accept Socks5 traffic.
Or try to change listener to socks5
-L socks5://10808:localhost:51820?timeout_sec?=51820
Or don't follow your PC command specifically -L flag, just follow socks5 command that I mentioned earlier
-L socks5://127.0.0.1:10808

Hello thank !

I don’t understand why you have to use v2rayNG in addition to wstunnel why wstunnel is not enough as on linux or windows?

Currently my config: .\wstunnel client -c 10 -L 'udp://51820:localhost:51820?timeout_sec=0' wss://vpn.server.com:443 --tls-sni-override vpn.server.com

[(Windows/Linux) App_(file/chrome/other) -> Wireguard (UDP 51820) -> (IN - UDP 51820 )Wstunnel(Out - TCP 443) -> Internet World -> (In - TCP 443)Docker-RevProxy(Out - TCP 9442) -> (In - TCP 9442)Docker-WsTunnel(Out - UDP 51820) -> (In UDP 51820)_Wireguard-Server-VPN -> (Enterprise)Private-Lan] this works well

But on android how to add this component v2rayNG (in addition to termux) and why I do not understand and therefore can not operate the whole surely because the does not understand the path and the needs?

Should it be like this in Termux with v2rayNG ? ./wstunnel client -c 10 -L 'socks5://10808:localhost:51820?timeout_sec=0' wss://vpn.server.com:443 --tls-sni-override vpn.server.com

[(Android) App_(file/chrome/other) -> v2rayNG(Out - UDP 10808) -> I don’t understand the link here or if "Wireguard" and "v2rayNG" are reversed in my schema? -> Wireguard (Out - UDP 51820) -> (In - UDP 51820 )Wstunnel_In-TERMUX(Out - TCP 443) -> Internet World -> (In - TCP 443)Docker-RevProxy(Out - TCP 9442) -> (In - TCP 9442)Docker-WsTunnel(Out - UDP 51820) -> (Out - UDP 51820)_Wireguard-VPN -> (Enterprise)Private-Lan]

I think you can just ommit wireguard (udp) in client side (nothing changes in server side, you can keep wireguard in server side) because it replaced by socks5 client app (socks5)

Actually you don't have to use V2rayNG, you can just use another socks5 client such as Tun2Socks in playstore.

Try this, there is no need URL query param I think:

./wstunnel client -c 10 -L 'socks5://127.0.0.1:10808' wss://vpn.server.com:443 --tls-sni-override vpn.server.com

V2ray doesn't work on UDP, generally all socks5 client doesn't work on UDP.

Here is:
[(Android) App_(file/chrome/other) -> v2rayNG(Out - Socks5 10808) ->Wstunnel_In-TERMUX(Out - TCP 443) -> Internet World -> (In - TCP 443)Docker-RevProxy(Out - TCP 9442) -> (In - TCP 9442)Docker-WsTunnel(Out - UDP 51820) -> (Out - UDP 51820)_Wireguard-VPN -> (Enterprise)Private-Lan]

Another important to consider, you need to EXCLUDE termux internet traffic from consumed by V2rayNG. This means Termux app will not be processed by V2rayNG, which mean termux will use normal traffic instead of tunneled traffic (because termux is supposed to be tunneler, not consumed by tunneler). You can setting this in V2rayNG app setting with specifying app (Termux) to exclude.

[deyloTT]

I can help you with, this is supported for non-root phone:
Prerequisites: Termux (fdroid) -> To run the binary and start local socks5 listener. (Convert traffic between L7 (ws) to L4 (socks5) V2rayNG (playstore) -> To convert traffic between L4 (socks5) and L2 (VPN).
Concept: Wstunnel act as socks5 server in Termux, while V2rayNG act as socks5 client and run the VPN service.
Therefore, the command you should use in Termux:

wstunnel client -L socks5://127.0.0.1:10808 ws://<ip>:<port>

While in V2rayNG you should specify the Host and Port.
Here are some screenshots:

Error when I use the same command that still works on computer but not on android in Termux


Help me plz !

Based on the command with flag -L, it seems you are listening on UDP instead of Socks5.
You need addition relay for UDP packet so it can be converted to Socks5 packet since V2rayNG accept Socks5 traffic.
Or try to change listener to socks5
-L socks5://10808:localhost:51820?timeout_sec?=51820
Or don't follow your PC command specifically -L flag, just follow socks5 command that I mentioned earlier
-L socks5://127.0.0.1:10808

Hello thank !

I don’t understand why you have to use v2rayNG in addition to wstunnel why wstunnel is not enough as on linux or windows?

Currently my config: .\wstunnel client -c 10 -L 'udp://51820:localhost:51820?timeout_sec=0' wss://vpn.server.com:443 --tls-sni-override vpn.server.com

[(Windows/Linux) App_(file/chrome/other) -> Wireguard (UDP 51820) -> (IN - UDP 51820 )Wstunnel(Out - TCP 443) -> Internet World -> (In - TCP 443)Docker-RevProxy(Out - TCP 9442) -> (In - TCP 9442)Docker-WsTunnel(Out - UDP 51820) -> (In UDP 51820)_Wireguard-Server-VPN -> (Enterprise)Private-Lan] this works well

But on android how to add this component v2rayNG (in addition to termux) and why I do not understand and therefore can not operate the whole surely because the does not understand the path and the needs?

Should it be like this in Termux with v2rayNG ? ./wstunnel client -c 10 -L 'socks5://10808:localhost:51820?timeout_sec=0' wss://vpn.server.com:443 --tls-sni-override vpn.server.com

[(Android) App_(file/chrome/other) -> v2rayNG(Out - UDP 10808) -> I don’t understand the link here or if "Wireguard" and "v2rayNG" are reversed in my schema? -> Wireguard (Out - UDP 51820) -> (In - UDP 51820 )Wstunnel_In-TERMUX(Out - TCP 443) -> Internet World -> (In - TCP 443)Docker-RevProxy(Out - TCP 9442) -> (In - TCP 9442)Docker-WsTunnel(Out - UDP 51820) -> (Out - UDP 51820)_Wireguard-VPN -> (Enterprise)Private-Lan]

Hey, so you run this command in termux and then connect via wireguard?
Does the server side require anything special? What command do you execute on the server?

[simpz]

Not sure if still fighting this, but here is what I have:

On Android:
I created a /data/lcl/wstunnel and in here have a wstunnel_start with:

#!/system_ext/bin/bash

cd /data/lcl/wstunnel
/data/lcl/wstunnel client \
   --tls-certificate ./certs/wstunnel-client-2.cert.pem \
   --tls-private-key ./private/wstunnel-client-2.pem \
   -L 'udp://1212:[::1]:51820?timeout_sec=0' \
  wss://w.x.y.z:443 &

And a simple wsunnel_stop script:

#!/system_ext/bin/bash

killall wstunnel

This is LineageOS so I doubt standard Android come with that so replace /system_ext/bin/bash with whatever the path to your shell is on your android. echo $SHELL from the command line will probably help with this ( I just use JuiceSSH to get a local shell on my phone).

I setup cert authentication but it's by no means essential but I like the extra protection against remote poking, generating these is documented on this wstunnel site.

w.x.y.z is the public IP of my router.

On my router I have:

./wstunnel server --tls-certificate ./certs/wstunnel-server.cert.pem \
   --tls-private-key ./private/wstunnel-server.pem \
   --tls-client-ca-certs ./certs/ca.cert.pem \
   --restrict-to '[::1]:51820' \
wss://[::]:443

Then on the Android wireguard client I configure to connect to localhost:1212

The only other wrinkle is the routes you want to send through wireguard. If you want to send all traffic through this you need to exclude wstunnel from the wireguard, and as wstunnel is not a GUI this is a little tricky (as the app won't be listed in the GUI). I solved this by removing my wstunnel endpoint (my router) from the wireguard AllowedIP's. The lazy way to do this esp is to use is to use this site which will convert a DisallowedIP list into a AllowedIPs list:

https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator

So I just get a shell on my phone and launch wstunnel_start and then connect wireguard.

I hope this helps someone....

[maytom2016]

I have create a android gui for wstunnel.Incase of someone need.
https://github.com/maytom2016/Wstunnela/releases/download/v1.0.0/app-release-signed.apk
It works on my phone running android 11.
It can work with wireguard. And you don't need to root your phone to use it.
I don't guarantee that it will work well everywhere.

[deyloTT]

I have create a android gui for wstunnel.Incase of someone need. https://github.com/maytom2016/Wstunnela/releases/download/v1.0.0/app-release-signed.apk It works on my phone running android 11. It can work with wireguard. And you don't need to root your phone to use it. I don't guarantee that it will work well everywhere.

Nice. Seems interesting. I just installed it. Will i be able to use a bughost/sni on the client side? I was looking for a way to contact you but didnt see any telegram ID, etc because i dont want to crowd up these comments with any unnecessary messages?

[maytom2016]

Nice. Seems interesting. I just installed it. Will i be able to use a bughost/sni on the client side? I was looking for a way to contact you but didnt see any telegram ID, etc because i dont want to crowd up these comments with any unnecessary messages?

It also a github repositories.if you will have found any bugs or good ideas.you could be discussing this here.
https://github.com/maytom2016/Wstunnela/issues