I keep reading that Wireguard over Tor is either impossible, ill-advised, or both. For future people coming to search, I don’t want this to be the final word, so here is my solution which works very very well.
There are actually a few ways to do the udp-over-tcp part, which is the hangup most people cite. The method I outline below I use because it works very well with the Debian VPS server I wanted to put invisibly on my OpenWrt-hosted WireGuard home network.
The broad strokes are:
- A Tor hidden service on the remote VPS that points to the machine's ssh port
- Create a TUN adapter on the VPS and give it an IP
- Use `socat` or BSD netcat to create a raw SOCKS5 connection from the local machine to the VPS.
- Use the above inside ssh to form an ssh connection to the VPS
- Use ssh's `-w` switch to engage tuntap tunneling (a little-known feature of OpenSSH) that creates a TUN adapter on the local machine and links it to the TUN adapter on the VPS.
- This gives a TUN (complete layer 3) tunnel from the client to the remote VPS which will work to reliably send UDP over the underlying TCP ssh connection. Once established, WireGuard will simply work.
With a Linux server on the remote end and an OpenWrt router on your end, about 90% of the setup can be automated with an /etc/network/interfaces.d/tun0 config file on the remote side, and a few clicks setting up the route, interface, and WireGuard on the local side. About the only "manual" (scripted) part is the actual ssh command.
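That ssh command, scripted for the local side as an added example (not the poster's own script): it dials the hidden service through tor's SOCKS port, brings up the `-w` TUN link, addresses it and points the already-configured WireGuard peer at the VPS end of the tunnel. The .onion name, tunnel addresses, WireGuard interface and peer key are placeholders, and the VPS sshd is assumed to allow tunnelling.

```shell
#!/bin/sh
# Added example (not the poster's script): bring up the ssh -w TUN link over Tor
# from the local (OpenWrt) side so WireGuard can run across it. The .onion
# name, addresses, ports and key below are placeholders you must replace.
set -eu

ONION="replace-with-your-vps.onion"   # hidden service fronting the VPS sshd
TOR_SOCKS="127.0.0.1:9050"            # tor's SOCKS5 listener on this machine
SSH_USER="root"                       # -w needs netadmin rights on both ends
LOCAL_TUN=0; REMOTE_TUN=0             # -w LOCAL:REMOTE -> tun0 on each side
LOCAL_IP="10.99.0.1"; REMOTE_IP="10.99.0.2"   # /30 for the point-to-point link
WG_IF="wg0"; WG_PORT=51820            # WireGuard listens on the VPS tun address
VPS_WG_PUBKEY="REPLACE_WITH_VPS_PUBKEY"   # placeholder, already a peer of wg0

# ProxyCommand: OpenBSD netcat speaks SOCKS5 to tor, and tor resolves the
# .onion itself, so no DNS query for it ever leaves the box.
# (socat equivalent: socat - SOCKS4A:127.0.0.1:%h:%p,socksport=9050)
proxy_cmd() { printf 'nc -X 5 -x %s %%h %%p' "$TOR_SOCKS"; }

tun_ifname() { printf 'tun%s' "$LOCAL_TUN"; }

# Endpoint WireGuard will dial: the VPS end of the ssh tunnel, not a public IP.
wg_endpoint() { printf '%s:%s' "$REMOTE_IP" "$WG_PORT"; }

start_tunnel() {
    # -w: layer-3 tuntap forwarding; -N: no remote shell. The VPS sshd needs
    # "PermitTunnel point-to-point" (or yes) in sshd_config for this to work.
    ssh -N -w "$LOCAL_TUN:$REMOTE_TUN" -o Tunnel=point-to-point \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -o ProxyCommand="$(proxy_cmd)" "$SSH_USER@$ONION" &
    ssh_pid=$!
    # ssh creates the local tun only once the session is up; wait for it.
    i=0
    until ip link show "$(tun_ifname)" >/dev/null 2>&1; do
        i=$((i + 1)); [ "$i" -le 60 ] || { kill "$ssh_pid"; return 1; }; sleep 1
    done
    # Address the link (the Debian side does this with an ifupdown stanza in
    # /etc/network/interfaces.d/tun0) and steer the WireGuard peer through it.
    ip addr add "$LOCAL_IP/30" dev "$(tun_ifname)"
    ip link set "$(tun_ifname)" up
    wg set "$WG_IF" peer "$VPS_WG_PUBKEY" endpoint "$(wg_endpoint)"
    wait "$ssh_pid"
}

# Only act when asked, so the file can also be sourced for its helper functions.
if [ "${1:-}" = "up" ]; then start_tunnel; fi
```

Run it as root with `up`; WireGuard handshakes start flowing as soon as the peer endpoint points at the tunnel address.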
The same basic method can be used with an underlying ssh connection and pppd on each side providing the layer 3 solution. I personally like the `ssh -w` method myself as on the initiating side it automatically creates the TUN adapter and this works well on my OpenWrt device.
In either case, you have a full layer 3 tunnel over an underlying ssh connection over Tor reliably giving WireGuard.
If this is of interest to the community, I’d be happy to make a complete howto.