Describe the bug
I built wstunnel 10.4.4 from source for Windows. When I start the connection, it gives this error:
2025-09-02T20:20:03.975290Z  INFO wstunnel::protocols::tcp::server: Opening TCP connection to x.x.x.x:443
2025-09-02T20:20:13.979463Z  WARN wstunnel::protocols::tcp::server: Cannot connect to tcp endpoint x.x.x.x:443 due to timeout of 10s elapsed
This is for a Wireguard connection. When I start the wg tunnel after wstunnel, it doesn't connect. When I stop the wg tunnel, wstunnel throws this error and quits:
2025-09-02T20:12:40.755262Z ERROR wstunnel::protocols::udp::server: Cannot read from UDP server. Closing server: An existing connection was forcibly closed by the remote host. (os error 10054)
2025-09-02T20:12:40.755957Z  INFO tunnel{id="01990c0e-c989-7080-b186-92207256f6c1" remote="localhost:60820"}: wstunnel::tunnel::transport::io: Closing local => remote tunnel
2025-09-02T20:12:40.756055Z  INFO tunnel{id="01990c0e-c989-7080-b186-92207256f6c1" remote="localhost:60820"}: wstunnel::tunnel::transport::io: Closing local <= remote tunnel
Meanwhile, this error shows up in the server when the wg tunnel stops:
2025-09-02T20:28:11.323572Z ERROR cnx{peer="x.x.x.x:49243"}:tunnel{id="01990c1d-80fa-7132-9351-c3b7a0b195bd" remote="localhost:60820"}: wstunnel::tunnel::transport::io: error while reading from tunnel rx peer closed connection without sending TLS close_notify: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof
The same connection works (albeit not 100%) on my Android (commands underneath).
To Reproduce
server:
/usr/local/bin/wstunnel server --restrict-http-upgrade-path-prefix <secret> --restrict-to localhost:60820 wss://0.0.0.0:443
client:
wstunnel client --http-upgrade-path-prefix <secret> -L "udp://60820:localhost:60820?timeout_sec=0" wss://x.x.x.x
wireguard:
[Interface]
PrivateKey = private
Address = 10.66.66.4/32
PostUp = route add x.x.x.x mask 255.255.255.255 10.66.66.1
PostDown = route delete x.x.x.x mask 255.255.255.255 10.66.66.1
[Peer]
PublicKey = public
AllowedIPs = 0.0.0.0/1
Endpoint = 127.0.0.1:60820
Your wstunnel setup
Paste your logs of wstunnel, started with --log-lvl=DEBUG, and with the command line used
server:
2025-09-02T20:37:44.496664Z  INFO wstunnel::embedded_certificate: Generating self-signed tls certificate
2025-09-02T20:37:44.497149Z  INFO wstunnel: Starting wstunnel server v10.4.4 with config WsServerConfig { socket_so_mark: SoMark { inner: None }, bind: 0.0.0.0:443, websocket_ping_frequency: Some(30s), timeout_connect: 10s, websocket_mask_frame: false, restriction_config: None, tls: true, remote_server_idle_timeout: 180s, mTLS: false }
2025-09-02T20:37:44.497683Z DEBUG wstunnel: Restriction rules: RestrictionsRules {
    restrictions: [
        RestrictionConfig {
            name: "Allow path prefix secret",
            match: [
                PathPrefix(
                    Regex(
                        "^secret$",
                    ),
                ),
            ],
            allow: [
                Tunnel(
                    AllowTunnelConfig {
                        protocol: [],
                        port: [
                            60820..=60820,
                        ],
                        host: Regex(
                            "^localhost$",
                        ),
                        cidr: [],
                    },
                ),
            ],
        },
    ],
}
2025-09-02T20:37:44.498705Z  INFO wstunnel::tunnel::server::server: Starting wstunnel server listening on 0.0.0.0:443
2025-09-02T20:38:17.649727Z  INFO cnx{peer="<client_ip>:61807"}: wstunnel::tunnel::server::server: Accepting connection
2025-09-02T20:38:17.649829Z  INFO cnx{peer="<client_ip>:61807"}: wstunnel::tunnel::server::server: Doing TLS handshake
2025-09-02T20:38:17.653513Z DEBUG cnx{peer="<client_ip>:61807"}: rustls::server::hs: decided upon suite TLS13_AES_256_GCM_SHA384
2025-09-02T20:38:17.653800Z DEBUG cnx{peer="<client_ip>:61807"}: rustls::server::hs: Chosen ALPN protocol ProtocolName(687474702f312e31)
2025-09-02T20:38:17.685304Z  INFO cnx{peer="<client_ip>:61807"}:tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::server::server: Tunnel accepted due to matched restriction: Allow path prefix secret
2025-09-02T20:38:17.685491Z  INFO cnx{peer="<client_ip>:61807"}:tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::protocols::udp::server: Opening UDP connection to localhost:60820
2025-09-02T20:38:17.685644Z DEBUG wstunnel::protocols::udp::server: connecting to [::1]:60820
2025-09-02T20:38:17.685758Z DEBUG cnx{peer="<client_ip>:61807"}:tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::protocols::udp::server: Connected to udp endpoint [::1]:60820, aborted all other connection attempts
2025-09-02T20:38:17.685887Z  INFO cnx{peer="<client_ip>:61807"}:tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::server::server: connected to Udp { timeout: None } localhost:60820
2025-09-02T20:38:17.739218Z ERROR cnx{peer="<client_ip>:61807"}:tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::transport::io: error while reading from tunnel rx peer closed connection without sending TLS close_notify: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof
2025-09-02T20:38:17.739386Z  INFO cnx{peer="<client_ip>:61807"}:tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::transport::io: Closing local <= remote tunnel
2025-09-02T20:38:17.739449Z  INFO cnx{peer="<client_ip>:61807"}:tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::transport::io: Closing local => remote tunnel
client
2025-09-02T20:38:00.106537Z  INFO wstunnel: Starting wstunnel client v10.4.4
2025-09-02T20:38:00.107037Z  INFO wstunnel::protocols::udp::server: Starting UDP server listening cnx on 127.0.0.1:60820 with cnx timeout of 0s
2025-09-02T20:38:13.533636Z  INFO wstunnel::protocols::udp::server: New UDP connection from 127.0.0.1:55715
2025-09-02T20:38:13.534409Z  INFO wstunnel::protocols::tcp::server: Opening TCP connection to <server_ip>:443
2025-09-02T20:38:13.534870Z DEBUG wstunnel::protocols::tcp::server: Connecting to <server_ip>:443
2025-09-02T20:38:17.824778Z DEBUG wstunnel::protocols::tcp::server: Cannot connect to tcp endpoint <server_ip>:443 reason An established connection was aborted by the software in your host machine. (os error 10053)
2025-09-02T20:38:18.234082Z  INFO wstunnel::protocols::tcp::server: Opening TCP connection to <server_ip>:443
2025-09-02T20:38:18.234958Z DEBUG wstunnel::protocols::tcp::server: Connecting to <server_ip>:443
2025-09-02T20:38:18.260375Z DEBUG wstunnel::protocols::tcp::server: Connected to tcp endpoint <server_ip>:443, aborted all other connection attempts
2025-09-02T20:38:18.260814Z  INFO wstunnel::protocols::tls::server: Doing TLS handshake using SNI IpAddress(V4(Ipv4Addr([107, 22, 66, 204]))) with the server <server_ip>:443
2025-09-02T20:38:18.261578Z DEBUG rustls::client::hs: No cached session for IpAddress(V4(Ipv4Addr([107, 22, 66, 204]))) 
2025-09-02T20:38:18.262007Z DEBUG rustls::client::hs: Not resuming any session
2025-09-02T20:38:18.290747Z DEBUG rustls::client::hs: Using ciphersuite TLS13_AES_256_GCM_SHA384
2025-09-02T20:38:18.291162Z DEBUG rustls::client::tls13: Not resuming
2025-09-02T20:38:18.292622Z DEBUG rustls::client::tls13: TLS1.3 encrypted extensions: ServerExtensions { selected_protocol: SingleProtocolName(ProtocolName(687474702f312e31)), unknown_extensions: {}, .. }
2025-09-02T20:38:18.292849Z DEBUG rustls::client::hs: ALPN protocol is Some(b"http/1.1")
2025-09-02T20:38:18.295128Z DEBUG tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::transport::websocket: with HTTP upgrade request Request { method: GET, uri: /<secret>/events, version: HTTP/1.1, headers: {"host": "<server_ip>", "upgrade": "websocket", "connection": "upgrade", "sec-websocket-key": "Ja2Ev4CX2wCxzMYo4rzHxw==", "sec-websocket-version": "13", "sec-websocket-protocol": "v1, authorization.bearer.eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjAxOTkwYzI2LWNkMWQtNzYyMC1hNjgxLTkyZGI3MGUxNWIyYyIsInAiOnsiVWRwIjp7InRpbWVvdXQiOm51bGx9fSwiciI6ImxvY2FsaG9zdCIsInJwIjo2MDgyMH0.mzqkc5qDUTPwvWM1_PV0rZTo2OpVYjK2XI8DL3X2F3w"}, body: Empty }
2025-09-02T20:38:18.321586Z DEBUG tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::client::client: Server response: Parts { status: 101, version: HTTP/1.1, headers: {"connection": "upgrade", "upgrade": "websocket", "sec-websocket-accept": "05kc/dcmQfhloeqBo0jZUGmxaiw=", "sec-websocket-protocol": "v1", "date": "Tue, 02 Sep 2025 20:38:17 GMT"} }
2025-09-02T20:38:18.348525Z ERROR wstunnel::protocols::udp::server: Cannot read from UDP server. Closing server: An existing connection was forcibly closed by the remote host. (os error 10054)
2025-09-02T20:38:18.349132Z  INFO tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::transport::io: Closing local <= remote tunnel
2025-09-02T20:38:18.349243Z  INFO tunnel{id="01990c26-cd1d-7620-a681-92db70e15b2c" remote="localhost:60820"}: wstunnel::tunnel::transport::io: Closing local => remote tunnel
Desktop (please complete the following information):
- OS: Windows 11
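
Added example, not part of the original report or of the wstunnel project: DEBUG output like the logs above carries the HTTP upgrade request (path prefix, `sec-websocket-key`, bearer token in `sec-websocket-protocol`) and peer addresses in two notations, so a log can be scrubbed before it is pasted into a public issue. The function names, placeholder strings and sample lines are constructed for illustration; the field formats are the ones visible in the log lines above.

```python
import re

# Field formats below mirror the wstunnel/rustls log lines shown in this report.
_BEARER = re.compile(
    r"(authorization\.bearer\.)[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+")
_URI = re.compile(r"(uri: /)[^/,\s]+(/events)")            # upgrade path prefix
_WS_KEY = re.compile(r'("sec-websocket-(?:key|accept)": ")[^"]+(")')
_IPV4_DEBUG = re.compile(r"Ipv4Addr\(\[\s*\d{1,3}(?:,\s*\d{1,3}){3}\s*\]\)")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")          # dotted-quad form
_KEEP = {"127.0.0.1", "0.0.0.0"}                            # not identifying


def redact_line(line: str) -> str:
    """Replace deployment-identifying values in one log line."""
    line = _BEARER.sub(r"\1<redacted-jwt>", line)
    line = _URI.sub(r"\1<redacted-prefix>\2", line)
    line = _WS_KEY.sub(r"\1<redacted>\2", line)
    # The SNI line prints the address as a Rust debug array, which a
    # dotted-quad search-and-replace does not catch.
    line = _IPV4_DEBUG.sub("Ipv4Addr([<redacted>])", line)
    return _IPV4.sub(
        lambda m: m.group(0) if m.group(0) in _KEEP else "<redacted-ip>", line)


def redact_log(text: str) -> str:
    """Redact every line of a pasted log, preserving line order."""
    return "\n".join(redact_line(l) for l in text.splitlines())


# Constructed sample lines (documentation addresses, made-up prefix and token).
SAMPLE = "\n".join([
    '2025-01-01T00:00:00.000000Z  INFO wstunnel::protocols::tls::server: '
    'Doing TLS handshake using SNI IpAddress(V4(Ipv4Addr([203, 0, 113, 10]))) '
    'with the server 203.0.113.10:443',
    '2025-01-01T00:00:00.100000Z DEBUG wstunnel::tunnel::transport::websocket: '
    'with HTTP upgrade request Request { method: GET, uri: /examplePrefix/events, '
    'version: HTTP/1.1, headers: {"host": "203.0.113.10", '
    '"sec-websocket-key": "Q09OU1RSVUNURUQ=", "sec-websocket-protocol": '
    '"v1, authorization.bearer.eyJhbGciOiJIUzI1NiJ9.Q09OU1RSVUNURUQ.U0lH"}, '
    'body: Empty }',
    '2025-01-01T00:00:00.200000Z  INFO wstunnel::protocols::udp::server: '
    'New UDP connection from 127.0.0.1:55715',
])

if __name__ == "__main__":
    print(redact_log(SAMPLE))
```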