Sometimes no Wireguard handshake through wstunnel + nginx reverse proxy

[agevlakh]

Describe the goal

I want always completing handshake when use wstunnel + nginx stream proxy.
My scheme: Wireguard client -> server (nginx udp reverse proxy -> stunnel client) -> server (wstunnel server -> Wireguard server) -> network

Describe what does not work

Sometimes, in one out of three cases, the handshake between the client and the wireguard server fails. Nginx, which is located in front of the wstunnel client, returns a connection refused error ([error] 4879#4879: *933 recv() failed (111: Connection refused) while proxying and reading from upstream, udp client). No error logs on wstunnel when nginx connection refused

Describe your wstunnel setup

wstunnel server --restrict-http-upgrade-path-prefix "password" --restrict-to localhost:wg server port wss://0.0.0.0:443

wstunnel client --http-upgrade-path-prefix "password" -L 'udp://wstunnel port:localhost:Wireguard server port?timeout_sec=60' https://DNS name wg server:443

Nginx stream proxy config:
upstream wstunnel {
least_conn;
server localhost:wstunnel port;
}

server {
listen nginx port udp reuseport;
proxy_pass wstunnel;
}

Desktop (please complete the following information):

• OS: [Android]

• Version [12]

• OS: [Desktop]

• Version: [Windows 10]

[agevlakh]

I solve my problem. I commented ::1 string in /etc/hosts. Also you may delete it. Now handshake always completed with wstunnel