Tunnel.pyjam.as – HTTP tunnels without custom software thanks to WireGuard (opens in new tab)

(tunnel.pyjam.as)

144 pointskofoednielsen3y ago27 comments

27 comments

It's important to note that if you're not self hosting this, you're giving unlimited internal network access to this service (unless you properly firewall of course). It's not specific to the single port/address that is used when downloading the config.

Disclaimer: I wrote a similar tool that is self-hosted and uses SSH as the tunneling service. Does HTTP(S) with TLS termination, TCP, TLS (via SNI), and internal tunneling (unexposed tunnels that are authenticated using SSH) [0].

[0] https://github.com/antoniomika/sish

tarasglek3y ago

Author should include an iptables line to limit traffic from wireguard interface to only that port. Pre/Post commands in configuration will work for this

zekica3y ago

Not exactly true. It gives access to the computer you are running the tunnel on. Your computer still has to forward packets to others (if you can compromise another service on another computer without any two-way communication) and others still have to know how to route packets back to 10.101.0.1 that this service uses.

antoniomika3y ago

Sorry, meant internal network access related to the computer you set the tunnel up on. I usually refer to local network when speaking about the LAN :)

For reference though, all that is needed are some poorly written POSTROUTING rules and ip forwarding enabled on the client to allow access to the local network. More people have these set than you think!

anderspitman3y ago

I maintain a list of solutions to this problem:

https://github.com/anderspitman/awesome-tunneling

Great to see more WireGuard implementations popping up. Most of the "no install" options are based on SSH tunnels, which are great, but WireGuard should have much better performance under certain conditions.

Abishek_Muthian3y ago

I appreciate that you included a short personal description of the tools along with the stars(Which is often missing from such lists).

P.S. I've added your list to my curated list of startup tools - https://startuptoolchain.com/#software-testing as tunneling is quite essential for software development.

number63y ago

Oh that's you?! Thanks for this resource, it is really helpful

varenc3y ago

It's impressive how simple the code is: https://gitlab.com/pyjam.as/tunnel/-/blob/main/tunnel.py

All the heavy lifting and reverse proxying is done by Wireguard and Caddy! Very slick.

Though of course all traffic will be ran through pyjam.as. As this isn't a company with an income stream, I fear if its gets too popular it'll be infeasible for the author to keep it up and available for free long term.

kofoednielsenOP3y ago

We encourage self-hosting for privacy and my wallet reasons.

tarasglek3y ago

Simplicity and elegancy is incredible here! Thank you.

anderspitman3y ago

Unfortunately a bigger concern than cost is abuse for things like phishing attacks.

dugite-code3y ago

I wont lie I was confused as to the purpose at first, but the more I think about this the more impressed I get. What wasn't clear at first glance was the port isn't fixed and it generates a "one-time" link. i.e. curling `https://tunnel.example.tld/<whateverport>` generates a neat proxy link `https://<code>.tunnel.example.tld/`.

It would be very handy for say a website designer to quickly bring up and share a demo website running on their development laptop no matter where they happen to be (home, work, the client's office or Starbucks) and everyone involved can "just access" everything through a web browser.

8organicbits3y ago

Similar to https://ngrok.com/ except this uses wireguard, and doesn't require any custom software.

With ngrok you need to trust their binary, with this I suppose you need to trust the generated config file.

gigatexal3y ago

It’s also self hostable.

woleium3y ago

repo readme makes more sense than site: "tunnel.pyjam.as can be used as an ephemeral reverse proxy for your local services. This may be useful, for instance when you need to show your friend something cool you've built. tunnel.pyjam.as works without installing any software on your machine, thanks to the magic of Wireguard."

tptacek3y ago

Neat! You could do this without even having WireGuard installed with wireguard-go and Netstack.

anderspitman3y ago

Do you have link to an example of how this would be done?

jjoergensen3y ago

Perhaps this could serve as inspiration https://git.zx2c4.com/wireguard-go/tree/tun/netstack

Fly.io version using it https://github.com/superfly/flyctl/tree/master/pkg/wg

net.Dialer using gVisor https://git.zx2c4.com/wireguard-go/tree/tun/netstack/tun.go#...

1 more reply

tptacek3y ago

Google "user mode WireGuard".

hhh3y ago

This is absolutely spectacular. I have written up details for an internal service that we were to start a sprint on next week, that has the exact same bits of software. We're looking to build a Teleport alternative as the enterprise pricing is far greater than the value we'd gain. Will definitely be exploring this. Cheers!

bonkabonka3y ago

I wish some clever person would make a sort of modern-day kali.net where you could easily route game traffic over Wireguard so your self-hosted Minecraft of Valheim servers don't have to be accessible on the public internet.

carlbordum3y ago

I haven't used kali.net, but it sounds like https://tailscale.com/ might be for you :)

nurettin3y ago

Why should I bind to 0.0.0.0? It should be able to tunnel any port on any interface.

antoniomika3y ago

You need to bind to at least the wireguard interface/address in order for this to work. The service reverse proxies over the tunnel, and your kernel won’t be looking to handle those connections unless you’re listening on the correct tunnel interface.

LoveGracePeace3y ago

I tunnel traffice using Wireguard, why would I want something on top of it?

anderspitman3y ago

This provides a Caddy reverse proxy, which gives you an HTTPS URL with auto TLS certs that tunnels to a port on your local machine. It's also hosted so you don't have to manage a VPS yourself if you don't want to.

j / k navigate · click thread line to collapse

27 comments

antoniomika3y ago

[0] https://github.com/antoniomika/sish

tarasglek3y ago

Author should include an iptables line to limit traffic from wireguard interface to only that port. Pre/Post commands in configuration will work for this

zekica3y ago

antoniomika3y ago

Sorry, meant internal network access related to the computer you set the tunnel up on. I usually refer to local network when speaking about the LAN :)

anderspitman3y ago

I maintain a list of solutions to this problem:

https://github.com/anderspitman/awesome-tunneling

Abishek_Muthian3y ago

I appreciate that you included a short personal description of the tools along with the stars(Which is often missing from such lists).

P.S. I've added your list to my curated list of startup tools - https://startuptoolchain.com/#software-testing as tunneling is quite essential for software development.

number63y ago

Oh that's you?! Thanks for this resource, it is really helpful

varenc3y ago

It's impressive how simple the code is: https://gitlab.com/pyjam.as/tunnel/-/blob/main/tunnel.py

All the heavy lifting and reverse proxying is done by Wireguard and Caddy! Very slick.

kofoednielsenOP3y ago

We encourage self-hosting for privacy and my wallet reasons.

tarasglek3y ago

Simplicity and elegancy is incredible here! Thank you.

anderspitman3y ago

Unfortunately a bigger concern than cost is abuse for things like phishing attacks.

dugite-code3y ago

8organicbits3y ago

Similar to https://ngrok.com/ except this uses wireguard, and doesn't require any custom software.

With ngrok you need to trust their binary, with this I suppose you need to trust the generated config file.

gigatexal3y ago

It’s also self hostable.

woleium3y ago

tptacek3y ago

Neat! You could do this without even having WireGuard installed with wireguard-go and Netstack.

anderspitman3y ago

Do you have link to an example of how this would be done?

jjoergensen3y ago

Perhaps this could serve as inspiration https://git.zx2c4.com/wireguard-go/tree/tun/netstack

Fly.io version using it https://github.com/superfly/flyctl/tree/master/pkg/wg

net.Dialer using gVisor https://git.zx2c4.com/wireguard-go/tree/tun/netstack/tun.go#...

1 more reply

tptacek3y ago

Google "user mode WireGuard".

hhh3y ago

bonkabonka3y ago

carlbordum3y ago

I haven't used kali.net, but it sounds like https://tailscale.com/ might be for you :)

nurettin3y ago

Why should I bind to 0.0.0.0? It should be able to tunnel any port on any interface.

antoniomika3y ago

LoveGracePeace3y ago

I tunnel traffice using Wireguard, why would I want something on top of it?

anderspitman3y ago

j / k navigate · click thread line to collapse