Home - krrr/wstan GitHub Wiki
Systemd config
location: /etc/systemd/system/wstan.service

```ini
[Unit]
Description=wstan server
After=network.target

[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/wstan -s ws://HOST:4000/ab KEY --x-forward

[Install]
WantedBy=multi-user.target
```
Caddy2 reverse proxy config
Matches wstan traffic by URL path (/path/*) and redirects everything else to HTTPS:

```caddyfile
http://example.com {
    @ws {
        not path /path/*
    }
    reverse_proxy /path/* localhost:4000
    redir @ws https://example.com{uri} 301
}
```
Problems
- TCP half-close is not supported
- can't prevent an attacker from modifying ciphertext (only the request frame has an HMAC; data frames have no sequence number)
- the client can't tell a fake server from the real one (won't fix?)
- the server may fail to tell a fake client (remembering reused nonces and timestamps is not enough)
- fails if the system clocks of client and server are out of sync (the worst situation: your OpenVZ VPS has the wrong time and you can't even change it)
- the exchange of the encryption nonce is complicated and badly designed
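A sketch, added here and not part of wstan, of the mitigation the second and fourth problems point at: each data frame carries a sequence number and an HMAC over the sequence number plus the ciphertext, so the receiver can reject modified, replayed and reordered frames. The frame layout, the key handling and the function names are assumptions for illustration, not wstan's actual wire format.

```python
import hashlib
import hmac
import struct

# Constructed demo of the mitigation for the "data frame has no HMAC / no sequence number"
# problem. The frame layout (8-byte big-endian sequence number || ciphertext || 16-byte
# truncated HMAC-SHA256 tag) is hypothetical and NOT wstan's real wire format.
SEQ_LEN = 8
TAG_LEN = 16


def _tag(key: bytes, header: bytes, body: bytes) -> bytes:
    # The tag covers the sequence number as well, so a valid ciphertext cannot be moved to
    # a different position in the stream without breaking the MAC.
    return hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]


def seal_frame(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Sender side: attach a sequence number and MAC to an already-encrypted payload."""
    header = struct.pack(">Q", seq)
    return header + ciphertext + _tag(key, header, ciphertext)


class FrameVerifier:
    """Receiver side: accepts each frame exactly once, in order, and only if unmodified.

    A real design would use a separate MAC key per direction so a frame cannot be
    reflected back to its sender; one shared key is used here only to keep the demo short.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0  # next sequence number the receiver is willing to accept

    def open_frame(self, frame: bytes):
        """Return (ciphertext, "ok") or (None, reason) for a rejected frame."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Verify the MAC before interpreting anything else; constant-time comparison.
        if not hmac.compare_digest(tag, _tag(self.key, header, body)):
            return None, "bad mac"  # ciphertext, tag or sequence number was altered
        seq = struct.unpack(">Q", header)[0]
        if seq != self.expected_seq:
            return None, "replay or reorder"  # old frame, or one delivered out of order
        self.expected_seq += 1
        return body, "ok"
```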
R.I.P. TCP Fast Open
It just doesn't work: https://squeeze.isobar.com/2019/04/11/the-sad-story-of-tcp-fast-open