WireSock VPN Client

WireSock VPN Client is a lightweight command line WireGuard VPN client for Windows that has advanced features not available in the official WireGuard for Windows such as selective application tunneling and disallowed IP addresses. WireSock VPN Client is easy to set up and is free*.

WireSock VPN Client combines the power of Windows Packet Filter and BoringTun (user space WireGuard implementation in Rust) to provide exceptional performance, security and scalability.

Key Features

  • Transparent mode. Unlike most VPN software, WireSock VPN Client supports two modes of operation. The former (enabled with the -lac command line switch) works through the virtual network adapter associated with the VPN connection, while the latter (default mode) does not change your network settings and is completely transparent.
  • Tunneling only certain applications. “AllowedApps” and “DisallowedApps” are WireSock extension options that allow only selected applications to be tunneled. For example, the Chrome browser can be configured to go through a VPN tunnel, while Firefox will connect directly through your normal internet connection.
  • Ability to exclude subnets from ‘AllowedIPs‘. ‘DisallowedIPs’ is a WireSock extension parameter which allows exclusion of specified subnets or individual IP addresses from AllowedIPs without complex calculations.
  • High performance. WireSock VPN Client is much faster than user-space WinTun based implementation in Go and competes with kernel mode WireGuardNT (though normally has slightly higher CPU impact due to user-space nature). Below are comparison throughput (upload/download) test results using a nine-year-old Intel® NUC DC3217IYE (Core i3-3217u) on the client side. In each test, iperf3 has been using 4 TCP sessions (one per vCPU). The topmost results were taken from a series of 10 sequential tests.
 iperf3 -c 10.66.66.1 -P 4
(upload)		iperf3 -c 10.66.66.1 -R -P 4
(download)
WireSock VPN Client v1.0.46879 Mbits/sec892 Mbits/sec
WireGuard for Windows
(kernel driver) v0.5		892 Mbits/sec719 Mbits/sec
WireGuard for Windows
(WinTun) v0.4.1		288 Mbit/sec325 Mbits/sec
TunSafe v1.4435 Mbits/sec284 Mbits/sec

Core i3-3217u, Windows 10 x64 1809, 1Gbps wired connection

  • Lightweight. WireSock VPN Client binaries take approximately 1.5 MB storage on disk, and runtime RAM footprint is under 10 MB.
  • Double VPN (with nested tunnels). WireSock VPN Client is compatible and can be used with official WireGuard for Windows to organize nested WireGuard tunnels completely on the client side. In such configuration, the official client organizes the external tunnel (to the first WireGuard Server instance) and WireSock VPN Client the internal one (to the second WireGuard Server instance). You only need to remember to adjust MTU parameter for the internal tunnel accordingly to avoid fragmentation and throughput degradation.
  • Windows 10 Mobile hotspot support. When WireSock VPN Client is active, Mobile hotspot connected devices are also forwarded over the WireGuard tunnel. This functionality is not available in the official WireGuard for Windows.
  • SOCKS5 for WireGuard handshake. The easiest way to block WireGuard VPN is based on identifying handshake and handshake response packets (both fixed length and known format). This feature allows these packets to be passed through a SOCKS5 proxy, making identification more difficult. Note that only the handshake and handshake response packets go through the SOCKS5 proxy, all other tunnel packets are sent directly.
  • Fallback WireGuard configuration. Allows you to add another WireGuard configuration that will be used if the main tunnel is down (unavailable).

Quick Start Guide

Download and install the appropriate WireSock VPN Client installer for your target platform:

If you’re planning to use the WireSock VPN Client in application mode*, there are two options available to you for managing the client more easily:

  • TunnlTo: A Rust project that starts wiresock-vpn-client.exe in the background and provides it with configuration options.
  • EpexGUI: A C# project that functions similarly to TunnlTo. However, I have created a fork that includes significant modifications, such as directly calling wgbooster.dll instead of wiresock-vpn-client.exe and adding a Wiresock Client installer for x86 platforms. This fork also includes support for transparent (NAT) mode, which can simplify the user experience. While it’s uncertain whether the original author will accept these changes, you can download the latest release of this fork here.

    Both options offer several convenient features, such as importing and editing Wireguard configurations and switching between tunnels, which can greatly simplify the user experience when using the WireSock VPN Client.

    Usage

    WireSock VPN Client can be started from the command line as a Windows console application (wiresock-client.exe) or run in the background as a Windows service. Running wiresock-client.exe from the command line without parameters shows the following output:

    WireSock LightWeight WireGuard VPN Client

Parameters:

 install [-start-type <2..4> -account <account-name> -password <account-password> -config <wireguard-client-config-full-pathname> [-fallback-config <wireguard-fallback-client-config-full-pathname>] -log-level <none | info | debug | all>]
  - to install the service.
    service start types are:
     2 - service started automatically by the service control manager during system startup.
     3 - service started manually or by calling StartService function from another process.
     4 - service installed in the "disabled" state, and cannot be started until enabled.
 run [-config <wireguard-client-config-full-pathname> [-fallback-config <wireguard-fallback-client-config-full-pathname>] -log-level <none | info | debug | all>]
  - to start as a regular process (not a service)
 uninstall
  - to remove the service.

    If you already have the WireGuard configuration file, you can run WireSock VPN Client as an application using the command line below:

    wiresock-client.exe run -config [config_full_path_name] -log-level none

    To start WireSock VPN Client in virtual network interface mode you can use the command below:

    wiresock-client.exe run -config [config_full_path_name] -log-level none -lac

    Please note to use -log-level none unless you need to debug the application because it affects the performance.

    To install as auto-starting Windows Service, use the following:

    wiresock-client.exe install -start-type 2 -config [config_full_path_name] -log-level none

    OR (to install in virtual network adapter mode)

    wiresock-client.exe install -start-type 2 -config [config_full_path_name] -log-level none -lac

    Wiresock VPN Client Service can be started/stopped using the Services applet (services.msc) or commands below (requires Administrator privilege):

    sc start wiresock-client-service
sc stop wiresock-client-service

    The service can be uninstalled (remember to stop the service first) using:

    wiresock-client.exe uninstall

    OR

    sc delete wiresock-client-service

    Application vs Service mode

    As you have already noticed, you can use Wiresock VPN Client as a Windows service or as a normal application. It is worth mentioning one limitation of running it as a normal application. When a Wiresock VPN client is started in this way, it can only split tunnel processes that are accessible (e.g., started) by the current user (others will be labeled as SYSTEM).

    Extended configuration parameters

    In addition to WireGuard standard configuration parameters, WireSock VPN Client supports the following (parameters below should be specified in the Peer section of the configuration file):

    • AllowedApps – specifies comma separated list of application names (or partial names) to forward over VPN tunnel. This parameter narrows AllowedIPs, so the traffic to be tunneled should match both AllowedIPs and AllowedApps. For example, ‘AllowedApps = chrome’ and ‘AllowedIPs = 0.0.0.0/0’ will result in forwarding only Chrome browser over the VPN connection, everything else will bypass the tunnel.
    • DisallowedApps – specifies comma separated list of application names (or partial names) to be excluded from the tunneling. This parameter is the opposite of AllowedApps. Please note that AllowedApps takes precedence, and if both are specified, then AllowedApps is matched first.
    • DisallowedIPs – specifies comma separated list of IP subnets to be excluded from the tunneling. For example, AllowedIps = 0.0.0.0/0 and DisallowedIPs = 192.168.0.1/24 will exclude 192.168.0.1/24 from the tunneling.
    • WireGuard handshake over SOCKS5 proxy parameters:
      • Socks5Proxy – specifies SOCKS5 proxy endpoint, e.g. Socks5Proxy = socks5.sshvpn.me:1080 or Socks5Proxy = 13.134.12.31:1080
      • Socks5ProxyUsername – specifies SOCKS5 username (optional)
      • Socks5ProxyPassword – specifies SOCKS5 password (optional)

    In the example configuration below, the WireSock VPN Client will tunnel only Google Chrome browser for all destination IP addresses except LAN (192.168.1.0/24 ):

    [Interface]
PrivateKey = AD9GaupPbRlfjPTfhLm1/lm5qtgwvFcB1rGpKOZkXXE=
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 94.140.14.14, 94.140.15.15
MTU = 1420

[Peer]
PublicKey = tRb3/FxzJBhinaVPY/tyoX40PS7EY1mmzFyrL/dAnwY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ora.sshvpn.me:51820
AllowedApps = chrome
DisallowedIPs = 192.168.1.0/24

    Troubleshooting

    If you experience any problems, then first try starting the application/service with ‘-log-level all‘ command line parameter. If you run it as an application, then it dumps the debug log directly on the console, while service will save the log into the file located in C:\ProgramData\NT Kernel Resources\WireSock VPN Client. In both cases, all processed network packets will be stored in PCAP files (can be opened and analyzed in Wireshark) in the C:\ProgramData\NT Kernel Resources\WireSock VPN Client.

    Please note that ‘-log-level all‘ exists for debug purposes only and significantly affects the application performance.

    License

    WireSock VPN Client is free for personal (non-commercial), or educational (including non-profit organization) use.

    Support

    Please ask questions in our support forum.