Proxy UDP over WebSocket - useful to use WireGuard in restricted networks.

helsinki-systems/zia

This branch is 3 commits ahead of, 10 commits behind MarcelCoding/zia:main.

Latest commit

a8becb3 · Oct 25, 2024

Zia

Proxy UDP over WebSocket - useful to use WireGuard in restricted networks.

Basic example:

graph LR
    WC[Wireguard Client] ---|UDP| B[Zia Client]
    B ---|Websocket| C[Zia Server]
    C ---|UDP| D[Wireguard Server]

The benefit is that WebSocket uses HTTP. If you are on a restricted network where you can only access external services using a provided HTTP proxy, you can proxy your WireGuard UDP traffic over WebSocket through that proxy.

graph LR
    WC[Wireguard Client] ---|UDP| B[Zia Client]
    B ---|Websocket| C[Http Proxy]
    C ---|Websocket| D[Zia Server]
    D ---|UDP| E[Wireguard Server]

Mode

| Name | Description |
|------|-------------|
| WebSocket | The UDP datagrams are wrapped inside WebSocket frames. These frames are then transmitted to the server, where they are unwrapped. |
| TCP | Each UDP datagram is prefixed with its length as a 16-bit value and then transmitted to the server over TCP. At the server, the datagrams are unwrapped and forwarded to the actual UDP upstream. |
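
The TCP-mode framing from the table above, as an added Rust example that is not code from the zia project: it frames datagrams and reassembles them when TCP reads split or merge frames. The big-endian byte order and the names `encode_frame` and `FrameDecoder` are assumptions; the page only states a 16-bit length prefix.

```rust
// Added example, not zia's own code.
// ASSUMPTION: the 16-bit length prefix is big-endian; the page does not say.

/// Prefix one UDP datagram with its 16-bit length.
/// Returns None when the datagram is too large for the prefix to describe.
fn encode_frame(datagram: &[u8]) -> Option<Vec<u8>> {
    if datagram.len() > u16::MAX as usize {
        return None; // silently truncating the length would desync the stream
    }
    let mut out = Vec::with_capacity(2 + datagram.len());
    out.extend_from_slice(&(datagram.len() as u16).to_be_bytes());
    out.extend_from_slice(datagram);
    Some(out)
}

/// Rebuilds datagrams from a TCP byte stream, whatever the read boundaries.
#[derive(Default)]
struct FrameDecoder {
    buf: Vec<u8>, // bytes received but not yet part of a complete frame
}

impl FrameDecoder {
    /// Feed the bytes of one TCP read; returns every datagram now complete.
    fn push(&mut self, chunk: &[u8]) -> Vec<Vec<u8>> {
        self.buf.extend_from_slice(chunk);
        let mut out = Vec::new();
        let mut pos = 0;
        while self.buf.len() - pos >= 2 {
            let len = u16::from_be_bytes([self.buf[pos], self.buf[pos + 1]]) as usize;
            if self.buf.len() - pos - 2 < len {
                break; // body incomplete: keep the bytes and wait for the next read
            }
            out.push(self.buf[pos + 2..pos + 2 + len].to_vec());
            pos += 2 + len;
        }
        self.buf.drain(..pos); // drop only the frames that were fully consumed
        out
    }
}

fn main() {
    // Constructed sample: two datagrams sent back to back, read in 7-byte chunks.
    let stream = [encode_frame(b"handshake-init").unwrap(), encode_frame(&[0xAB; 300]).unwrap()].concat();
    let mut dec = FrameDecoder::default();
    let mut sizes = Vec::new();
    for chunk in stream.chunks(7) {
        sizes.extend(dec.push(chunk).iter().map(Vec::len));
    }
    println!("recovered datagram sizes: {:?}", sizes);
}
```
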

The client is capable of doing a TLSv2 or TLSv3 handshake; the server isn't able to handle TLS requests. If end-to-end (zia-client <-> zia-server) TLS encryption is required, you have to proxy the traffic for the server through a reverse proxy.

Client

Just download the appropriate binary from the latest release, or use the Docker image:

ghcr.io/marcelcoding/zia-client

Environment variables:

ZIA_LISTEN_ADDR=127.0.0.1:8080 # local udp listener
ZIA_UPSTREAM=ws://domain.tld:1234 # your zia server instance (ws(s) or tcp(s))
# ZIA_PROXY=http://user:<password>@<proxy-host>:8080 # optional http(s) proxy

If you are using the binary, use --help to see all available options.

Server

Just download the appropriate binary from the latest release, or use the Docker image:

ghcr.io/marcelcoding/zia-server

Environment variables:

ZIA_LISTEN_ADDR=0.0.0.0:1234 # public websocket listener (client -> ZIA_UPSTREAM)
ZIA_UPSTREAM=domain.tld:9999 # your actual udp service e.g. wireguard listener
ZIA_MODE=WS # WS or TCP see client -> ZIA_UPSTREAM

If you are using the binary, use --help to see all available options.
