
Websocket Proxy

The websocket proxy feature helps nodes in restricted network environments (restrictive firewalls, blocked ports, or protocol whitelisting) connect to other nodes. The native VpnCloud UDP protocol would usually be blocked in these environments, but HTTP is normally allowed everywhere.

How it works

The websocket protocol uses HTTP connections to encapsulate raw data streams. VpnCloud supports a websocket proxy setup in which a proxy server application is the HTTP server and a VpnCloud node is the HTTP client. The client tunnels all its communication through the websocket connection to the proxy, and the proxy forwards it to the destination given by the client node. Other VpnCloud nodes see the proxy as the sender of the messages that the client sends and therefore send their replies to the proxy instead of the client. The proxy then sends each reply back to the client through the websocket tunnel. This way, the websocket proxy acts as a kind of remote UDP port.

The websocket proxy does not act as a VpnCloud node and does not actually understand the payload it forwards. Also the proxy will not decrypt or encrypt the messages, so the VpnCloud nodes still encrypt and decrypt the messages end-to-end.

When a node uses a websocket proxy, it will not try to enable port forwarding, and it will use the IP address and port given by the proxy (dynamically allocated on the proxy, not the proxy URL) as its own address.
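The address behaviour described above can be reproduced on loopback with plain UDP sockets. This is an added example, not VpnCloud code: UdpRelay and run_demo are hypothetical names, the payload is constructed, and the websocket leg between client and proxy is replaced by direct method calls because the page does not describe its framing.

```python
import socket

def udp_socket():
    """Loopback UDP socket on a port chosen by the OS."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(2.0)
    return s

class UdpRelay:
    """Hypothetical stand-in for the proxy's UDP side (one port per client)."""
    def __init__(self):
        self.sock = udp_socket()
        # Dynamically allocated address that the client adopts as its own.
        self.public_addr = self.sock.getsockname()

    def send_for_client(self, dest, payload):
        # Forwarded unchanged: the relay never parses or decrypts the payload.
        self.sock.sendto(payload, dest)

    def recv_for_client(self):
        # A reply that would be pushed back to the client through the tunnel.
        payload, src = self.sock.recvfrom(65535)
        return src, payload

def run_demo():
    peer, relay = udp_socket(), UdpRelay()
    try:
        # Constructed bytes standing in for an end-to-end encrypted message.
        ciphertext = bytes.fromhex("8f02a1") + b"constructed-opaque-payload"
        relay.send_for_client(peer.getsockname(), ciphertext)
        received, seen_src = peer.recvfrom(65535)
        peer.sendto(b"reply", seen_src)  # the peer answers the address it saw
        reply_src, reply = relay.recv_for_client()
        return {
            "relay_addr": relay.public_addr,
            "peer_saw_source": seen_src,
            "payload_unchanged": received == ciphertext,
            "reply": reply,
            "reply_from_peer": reply_src == peer.getsockname(),
        }
    finally:
        peer.close()
        relay.sock.close()

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The peer only ever learns the relay's address, which is why firewall rules and logs on other nodes will show the proxy host rather than the client's real network location.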

Using the proxy

Setup on the proxy server

On the proxy server, the websocket proxy can be run using the ws-proxy subcommand. With the optional --listen parameter you can select the HTTP port (default is 3210).

The most common ports for HTTP and therefore the most likely to pass through firewalls are 80, 8080, 8008 and 8000 (note that port 80 is often already used and requires root permissions to use).

$proxy> sudo vpncloud ws-proxy --listen 80

Setup on the node

The node has to be configured normally (see the beginner tutorial) but the listen setting has to be modified. It has to start with ws:// and contain the URL of the websocket proxy server.

Here is an example config:

listen: 'ws://websocket.proxy.provider.com:80'  # <- here is the websocket setting
ip: 10.67.89.1
crypto:
  password: mysecretpassword
peers:
  - mynode.dyndns.provider.com
  - 12.34.56.78

Deploy proxy on AWS

If you just want to quickly deploy a VpnCloud websocket proxy ready to be used whenever you need it and throw it away when you don't need it, cloud providers like AWS are perfect for this.

To simplify the setup, I created a template that automatically deploys a websocket proxy within seconds and shows the URL to use as --listen as an output.

All you need is a free AWS account (costs are charged for the resources being used, see below). Just fill out the form below.

On the AWS page, just click on "create stack", wait until it has been fully deployed (a few seconds) and then find the URL in the output tab.

To shut down the proxy, just delete the stack (you can always find it under CloudFormation).

AWS costs

When the websocket proxy is running, you pay for the resources you use. The template uses one EC2 t4g.nano spot instance (the cheapest VM on AWS). Also the instance uses 8 GB of EBS storage.

The following prices are as of 2021-02-06 for the region eu-central-1 (other regions have different prices, some are even cheaper).

According to the EC2 spot price table and the EBS price table the current prices are $0.0014 per hour for the EC2 instance and $0.059 per GB per month for the storage.

Also you pay for the traffic that the proxy sends (incoming traffic is free, so you only pay once). The current traffic price is $0.09 per GB.

AWS resource          Price
Proxy VM, 1 hour      $0.002
Proxy VM, 1 day       $0.05
Proxy VM, 1 month     $1.48
Traffic, 1 GB         $0.09