WireGuard
The agent exposes a virtual WireGuard interface, allowing TCP, UDP, and ICMP (ping) traffic without relying on a SOCKS proxy.
The virtual WireGuard interface uses the gVisor network stack (https://github.com/google/gvisor/tree/go).
The implementation works as follows:
- The agent exposes a WireGuard server port on the host.
- The agent forwards the WireGuard port to the server using UDP-over-TCP encapsulation to traverse the existing agent tunnel.
- The client forwards the WireGuard port exposed on the server to the local machine.
- The client decapsulates the UDP-over-TCP traffic to expose the WireGuard port.
- The WireGuard client on the operator machine connects to the agent’s virtual WireGuard interface.
Because the UDP-over-TCP stream itself rides the agent's existing TCP tunnel, this design amounts to TCP-over-TCP encapsulation, which reduces performance. However, this architecture was chosen deliberately: the server does not expose a single WireGuard endpoint shared by all connected agents, which could otherwise allow unauthorized access between agents.
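The core of steps 2 and 4 above is carrying UDP datagrams across a TCP byte stream without losing their boundaries. The following Go program is an added example, not code from the project described on this page: it frames each datagram with a 2-byte big-endian length prefix (a framing format assumed here for illustration, not the project's actual wire format) and shows the decapsulation side handling the two failure modes that matter, partial reads when TCP splits a frame across segments and a stream that ends in the middle of a frame. The sample datagrams standing in for WireGuard packets are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxDatagram is the largest UDP payload this framing accepts. WireGuard
// packets fit comfortably within it; anything larger is rejected rather than
// silently truncated. (Constructed limit for this example, not the project's.)
const maxDatagram = 65535

// WriteDatagram writes one UDP datagram onto the TCP stream as
// [2-byte big-endian length][payload]. The length prefix preserves datagram
// boundaries, which a raw TCP byte stream does not.
func WriteDatagram(w io.Writer, payload []byte) error {
	if len(payload) > maxDatagram {
		return fmt.Errorf("datagram of %d bytes exceeds %d", len(payload), maxDatagram)
	}
	// Header and payload go out in a single Write so that a concurrent
	// writer on the same stream cannot interleave its own frame between them.
	buf := make([]byte, 0, 2+len(payload))
	var hdr [2]byte
	binary.BigEndian.PutUint16(hdr[:], uint16(len(payload)))
	buf = append(buf, hdr[:]...)
	buf = append(buf, payload...)
	_, err := w.Write(buf)
	return err
}

// ReadDatagram reads exactly one framed datagram from the TCP stream.
// io.ReadFull absorbs the partial reads TCP delivers when a frame is split
// across segments; a stream that ends mid-frame yields io.ErrUnexpectedEOF
// rather than a short datagram being passed on as if it were complete.
func ReadDatagram(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err // plain io.EOF only when the stream ended between frames
	}
	n := int(binary.BigEndian.Uint16(hdr[:]))
	payload := make([]byte, n)
	if _, err := io.ReadFull(r, payload); err != nil {
		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
			return nil, io.ErrUnexpectedEOF
		}
		return nil, err
	}
	return payload, nil
}

// Encapsulate frames a sequence of datagrams into one byte stream, as the
// agent side would before sending them through the TCP tunnel.
func Encapsulate(datagrams [][]byte) ([]byte, error) {
	var stream bytes.Buffer
	for _, d := range datagrams {
		if err := WriteDatagram(&stream, d); err != nil {
			return nil, err
		}
	}
	return stream.Bytes(), nil
}

// Decapsulate recovers every datagram from a framed stream, as the client
// side would before handing them to the local WireGuard UDP port. Datagrams
// recovered before an error are returned alongside it.
func Decapsulate(stream []byte) ([][]byte, error) {
	r := bytes.NewReader(stream)
	var out [][]byte
	for {
		d, err := ReadDatagram(r)
		if errors.Is(err, io.EOF) {
			return out, nil // clean end of stream on a frame boundary
		}
		if err != nil {
			return out, err
		}
		out = append(out, d)
	}
}

func main() {
	// Constructed sample datagrams standing in for WireGuard UDP packets;
	// the empty one checks that zero-length datagrams survive framing.
	in := [][]byte{[]byte("handshake-initiation"), []byte(""), []byte("transport-data")}
	stream, _ := Encapsulate(in)
	out, err := Decapsulate(stream)
	fmt.Printf("framed %d bytes, recovered %d datagrams, err=%v\n", len(stream), len(out), err)
	// A stream cut mid-frame is reported, not delivered as a truncated datagram.
	_, err = Decapsulate(stream[:len(stream)-3])
	fmt.Println("truncated stream:", err)
}
```

The length-prefix check and the single combined Write are what keep one peer's malformed or oversized frame from desynchronizing the whole stream; once a decapsulator loses frame alignment every later datagram is garbage, so rejecting early is the safer behaviour.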
The agent runs without privileges. Consequently, it cannot forward raw packets (such as ICMP packets or Nmap SYN scans).
nmap must be run with --unprivileged or -PE.
Flags
The virtual WireGuard interface is not enabled by default.
--wg: Enable the WireGuard interface
See client/WireGuard