Can't access to cf proxied wstunnel server

[kalcao]

Describe the goal

My friend's school doesn't allow access to major websites. But they allows cloudflare proxied websites. So I've checked that my friend can access to my cf proxied website. So I've configured to wstunnel > cf > my friend, but he's getting No route to host when he could access to my cf proxied website.

Describe what does not work

My friend can't get to establish tunnel. But with this same setup below, I was able to use the proxy.

Describe your wstunnel setup

server: ./wstunnel server --restrict-http-upgrade-path-prefix h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd http://0.0.0.0:8888
client: .\wstunnel client --log-lvl=debug -L 'socks5://127.0.0.1:4443' --http-upgrade-path-prefix h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd --tls-sni-override=mydomain.com https://prx1.mydomain.com

2025-09-21T08:58:02.909059Z  INFO wstunnel: Starting wstunnel client v10.4.4
2025-09-21T08:58:02.909661Z  INFO wstunnel::protocols::socks5::tcp_server: Starting SOCKS5 server listening cnx on 127.0.0.1:4443 with credentials None
2025-09-21T08:58:14.750171Z DEBUG fast_socks5::server: incoming connection from peer 127.0.0.1:54946 @ 127.0.0.1:4443    
2025-09-21T08:58:14.751549Z DEBUG fast_socks5::server: Handshake headers: [version: 5, methods len: 1]    
2025-09-21T08:58:14.751565Z DEBUG fast_socks5::server: methods supported sent by the client: [0]    
2025-09-21T08:58:14.751704Z DEBUG fast_socks5::server: Reply with method AuthenticationMethod::None (0)    
2025-09-21T08:58:14.752239Z DEBUG fast_socks5::server: Request: [version: 5, command: 1, rev: 0, address_type: 3]    
2025-09-21T08:58:14.752246Z DEBUG fast_socks5::util::target_addr: Address type `domain`    
2025-09-21T08:58:14.752345Z DEBUG fast_socks5::server: Request target is www.google.com:443    
2025-09-21T08:58:14.752350Z DEBUG fast_socks5::server: Domain won't be resolved because `dns_resolve`'s config has been turned off.    
2025-09-21T08:58:14.756659Z  INFO wstunnel::protocols::tcp::server: Opening TCP connection to prx1.mydomain.com:80    
2025-09-21T08:58:14.759249Z DEBUG hickory_proto::xfer::dns_handle: querying: prx1.mydomain.com. A
2025-09-21T08:58:14.759882Z DEBUG hickory_resolver::name_server::name_server_pool: sending request: [Query { name: Name("prx1.mydomain.com."), query_type: A, query_class: IN }]
2025-09-21T08:58:14.760840Z DEBUG hickory_resolver::name_server::name_server: reconnecting: NameServerConfig { socket_addr: 10.1.1.18:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
2025-09-21T08:58:14.761822Z DEBUG hickory_proto::xfer: enqueueing message:QUERY:[Query { name: Name("prx1.mydomain.com."), query_type: A, query_class: IN }]
2025-09-21T08:58:14.762216Z DEBUG hickory_resolver::name_server::name_server: reconnecting: NameServerConfig { socket_addr: 10.1.1.16:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
2025-09-21T08:58:14.762256Z DEBUG hickory_proto::xfer: enqueueing message:QUERY:[Query { name: Name("prx1.mydomain.com."), query_type: A, query_class: IN }]
2025-09-21T08:58:14.762276Z DEBUG hickory_proto::xfer::dns_handle: querying: prx1.mydomain.com. AAAA
2025-09-21T08:58:14.762291Z DEBUG hickory_resolver::name_server::name_server_pool: sending request: [Query { name: Name("prx1.mydomain.com."), query_type: AAAA, query_class: IN }]
2025-09-21T08:58:14.762304Z DEBUG hickory_resolver::name_server::name_server: existing connection: NameServerConfig { socket_addr: 10.1.1.18:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
2025-09-21T08:58:14.762387Z DEBUG hickory_proto::xfer: enqueueing message:QUERY:[Query { name: Name("prx1.mydomain.com."), query_type: AAAA, query_class: IN }]
2025-09-21T08:58:14.762391Z DEBUG hickory_resolver::name_server::name_server: existing connection: NameServerConfig { socket_addr: 10.1.1.16:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
2025-09-21T08:58:14.762394Z DEBUG hickory_proto::xfer: enqueueing message:QUERY:[Query { name: Name("prx1.mydomain.com."), query_type: AAAA, query_class: IN }]
2025-09-21T08:58:14.764011Z DEBUG hickory_proto::udp::udp_client_stream: final message: ; header 21227:QUERY:RD:NoError:QUERY:0/0/0
; query
;; prx1.mydomain.com. IN A

2025-09-21T08:58:14.763999Z DEBUG hickory_proto::udp::udp_client_stream: final message: ; header 37330:QUERY:RD:NoError:QUERY:0/0/0
; query
;; prx1.mydomain.com. IN A

2025-09-21T08:58:14.764206Z DEBUG hickory_proto::udp::udp_client_stream: final message: ; header 474:QUERY:RD:NoError:QUERY:0/0/0
; query
;; prx1.mydomain.com. IN AAAA

2025-09-21T08:58:14.764247Z DEBUG hickory_proto::udp::udp_client_stream: final message: ; header 14152:QUERY:RD:NoError:QUERY:0/0/0
; query
;; prx1.mydomain.com. IN AAAA

2025-09-21T08:58:14.764707Z DEBUG hickory_proto::udp::udp_stream: created socket successfully
2025-09-21T08:58:14.765145Z DEBUG hickory_proto::udp::udp_stream: created socket successfully
2025-09-21T08:58:14.765180Z DEBUG hickory_proto::udp::udp_stream: created socket successfully
2025-09-21T08:58:14.765206Z DEBUG hickory_proto::udp::udp_stream: created socket successfully
2025-09-21T08:58:14.815249Z DEBUG hickory_proto::udp::udp_client_stream: received message id: 21227
2025-09-21T08:58:14.815969Z DEBUG hickory_proto::error: response: ; header 21227:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; prx1.mydomain.com. IN A
; answers 2
prx1.mydomain.com. 300 IN A 172.67.204.5
prx1.mydomain.com. 300 IN A 104.21.77.37
; nameservers 0
; additionals 0

2025-09-21T08:58:14.816813Z DEBUG hickory_proto::error: response: ; header 21227:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; prx1.mydomain.com. IN A
; answers 2
prx1.mydomain.com. 300 IN A 172.67.204.5
prx1.mydomain.com. 300 IN A 104.21.77.37
; nameservers 0
; additionals 0

2025-09-21T08:58:14.819378Z DEBUG hickory_proto::udp::udp_client_stream: received message id: 474
2025-09-21T08:58:14.819393Z DEBUG hickory_proto::error: response: ; header 474:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; prx1.mydomain.com. IN AAAA
; answers 2
prx1.mydomain.com. 300 IN AAAA 2606:4700:3034::6815:4d25
prx1.mydomain.com. 300 IN AAAA 2606:4700:3034::ac43:cc05
; nameservers 0
; additionals 0

2025-09-21T08:58:14.819964Z DEBUG hickory_proto::error: response: ; header 474:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; prx1.mydomain.com. IN AAAA
; answers 2
prx1.mydomain.com. 300 IN AAAA 2606:4700:3034::6815:4d25
prx1.mydomain.com. 300 IN AAAA 2606:4700:3034::ac43:cc05
; nameservers 0
; additionals 0

2025-09-21T08:58:14.821651Z DEBUG wstunnel::protocols::tcp::server: Connecting to [2606:4700:3034::6815:4d25]:80
2025-09-21T08:58:14.822647Z DEBUG wstunnel::protocols::tcp::server: Cannot connect to tcp endpoint [2606:4700:3034::6815:4d25]:80 reason No route to host (os error 65)
2025-09-21T08:58:15.072760Z DEBUG wstunnel::protocols::tcp::server: Connecting to 172.67.204.5:80
2025-09-21T08:58:15.076658Z DEBUG wstunnel::protocols::tcp::server: Connected to tcp endpoint 172.67.204.5:80, aborted all other connection attempts
2025-09-21T08:58:15.083293Z DEBUG tunnel{id="01996b7e-c761-73f3-b351-53fad24b4f84" remote="www.google.com:443"}: wstunnel::tunnel::transport::websocket: with HTTP upgrade request Request { method: GET, uri: /h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd/events, version: HTTP/1.1, headers: {"host": "prx1.mydomain.com", "upgrade": "websocket", "connection": "upgrade", "sec-websocket-key": "7aYyKDoD7fC1Q6eyI7hGVA==", "sec-websocket-version": "13", "sec-websocket-protocol": "v1, authorization.bearer.eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjAxOTk2YjdlLWM3NjEtNzNmMy1iMzUxLTUzZmFkMjRiNGY4NCIsInAiOnsiVGNwIjp7InByb3h5X3Byb3RvY29sIjpmYWxzZX19LCJyIjoid3d3Lmdvb2dsZS5jb20iLCJycCI6NDQzfQ.E1AZbcOshkCP91sLgr8fpuHHxXz4sgPLNWtyC0C_KWQ"}, body: Empty }    
2025-09-21T08:58:15.768900Z ERROR tunnel{id="01996b7e-c761-73f3-b351-53fad24b4f84" remote="www.google.com:443"}: wstunnel::tunnel::client::client: failed to do websocket handshake with the server ws://prx1.mydomain.com:80

Caused by:
    Invalid status code: 400
2025-09-21T08:58:41.839965Z DEBUG fast_socks5::server: incoming connection from peer 127.0.0.1:54985 @ 127.0.0.1:4443    
2025-09-21T08:58:41.840019Z DEBUG fast_socks5::server: Handshake headers: [version: 5, methods len: 1]    
2025-09-21T08:58:41.840028Z DEBUG fast_socks5::server: methods supported sent by the client: [0]    
2025-09-21T08:58:41.840033Z DEBUG fast_socks5::server: Reply with method AuthenticationMethod::None (0)    
2025-09-21T08:58:41.840554Z DEBUG fast_socks5::server: Request: [version: 5, command: 1, rev: 0, address_type: 3]    
2025-09-21T08:58:41.840560Z DEBUG fast_socks5::util::target_addr: Address type `domain`    
2025-09-21T08:58:41.840573Z DEBUG fast_socks5::server: Request target is www.google.com:443    
2025-09-21T08:58:41.840577Z DEBUG fast_socks5::server: Domain won't be resolved because `dns_resolve`'s config has been turned off.    
2025-09-21T08:58:41.840735Z  INFO wstunnel::protocols::tcp::server: Opening TCP connection to prx1.mydomain.com:80    
2025-09-21T08:58:41.842527Z DEBUG wstunnel::protocols::tcp::server: Connecting to [2606:4700:3034::6815:4d25]:80
2025-09-21T08:58:41.842583Z DEBUG wstunnel::protocols::tcp::server: Cannot connect to tcp endpoint [2606:4700:3034::6815:4d25]:80 reason No route to host (os error 65)
2025-09-21T08:58:42.095186Z DEBUG wstunnel::protocols::tcp::server: Connecting to 172.67.204.5:80
2025-09-21T08:58:42.099138Z DEBUG wstunnel::protocols::tcp::server: Connected to tcp endpoint 172.67.204.5:80, aborted all other connection attempts
2025-09-21T08:58:42.099532Z DEBUG tunnel{id="01996b7f-3130-7541-a2a0-af1fe631ac97" remote="www.google.com:443"}: wstunnel::tunnel::transport::websocket: with HTTP upgrade request Request { method: GET, uri: /h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd/events, version: HTTP/1.1, headers: {"host": "prx1.mydomain.com", "upgrade": "websocket", "connection": "upgrade", "sec-websocket-key": "fQDdpzhiE7A0kPDBhBNXCQ==", "sec-websocket-version": "13", "sec-websocket-protocol": "v1, authorization.bearer.eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjAxOTk2YjdmLTMxMzAtNzU0MS1hMmEwLWFmMWZlNjMxYWM5NyIsInAiOnsiVGNwIjp7InByb3h5X3Byb3RvY29sIjpmYWxzZX19LCJyIjoid3d3Lmdvb2dsZS5jb20iLCJycCI6NDQzfQ.6ETSDTiJn_tLiZXNVNJm5G4-7qOxA7U1kyclYefJaL0"}, body: Empty }    
2025-09-21T08:58:42.436595Z ERROR tunnel{id="01996b7f-3130-7541-a2a0-af1fe631ac97" remote="www.google.com:443"}: wstunnel::tunnel::client::client: failed to do websocket handshake with the server ws://prx1.mydomain.com:80

Caused by:
    Invalid status code: 400
2025-09-21T08:58:54.875029Z DEBUG fast_socks5::server: incoming connection from peer 127.0.0.1:55011 @ 127.0.0.1:4443    
2025-09-21T08:58:54.875085Z DEBUG fast_socks5::server: Handshake headers: [version: 5, methods len: 1]    
2025-09-21T08:58:54.875094Z DEBUG fast_socks5::server: methods supported sent by the client: [0]    
2025-09-21T08:58:54.875096Z DEBUG fast_socks5::server: Reply with method AuthenticationMethod::None (0)    
2025-09-21T08:58:54.875189Z DEBUG fast_socks5::server: Request: [version: 5, command: 1, rev: 0, address_type: 3]    
2025-09-21T08:58:54.875199Z DEBUG fast_socks5::util::target_addr: Address type `domain`    
2025-09-21T08:58:54.875211Z DEBUG fast_socks5::server: Request target is www.google.com:443    
2025-09-21T08:58:54.875214Z DEBUG fast_socks5::server: Domain won't be resolved because `dns_resolve`'s config has been turned off.    
2025-09-21T08:58:54.875409Z  INFO wstunnel::protocols::tcp::server: Opening TCP connection to prx1.mydomain.com:80    
2025-09-21T08:58:54.875897Z DEBUG wstunnel::protocols::tcp::server: Connecting to [2606:4700:3034::6815:4d25]:80
2025-09-21T08:58:54.875964Z DEBUG wstunnel::protocols::tcp::server: Cannot connect to tcp endpoint [2606:4700:3034::6815:4d25]:80 reason No route to host (os error 65)
2025-09-21T08:58:55.127307Z DEBUG wstunnel::protocols::tcp::server: Connecting to 172.67.204.5:80
2025-09-21T08:58:55.132303Z DEBUG wstunnel::protocols::tcp::server: Connected to tcp endpoint 172.67.204.5:80, aborted all other connection attempts
2025-09-21T08:58:55.133023Z DEBUG tunnel{id="01996b7f-641b-7023-ba09-e63719c60513" remote="www.google.com:443"}: wstunnel::tunnel::transport::websocket: with HTTP upgrade request Request { method: GET, uri: /h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd/events, version: HTTP/1.1, headers: {"host": "prx1.mydomain.com", "upgrade": "websocket", "connection": "upgrade", "sec-websocket-key": "mFqSLsELKd9X8UbUYgxPAQ==", "sec-websocket-version": "13", "sec-websocket-protocol": "v1, authorization.bearer.eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjAxOTk2YjdmLTY0MWItNzAyMy1iYTA5LWU2MzcxOWM2MDUxMyIsInAiOnsiVGNwIjp7InByb3h5X3Byb3RvY29sIjpmYWxzZX19LCJyIjoid3d3Lmdvb2dsZS5jb20iLCJycCI6NDQzfQ.oxkXiRBe8S1KptKj9Tui-rUTJaQgOl9bFCghrBJNGuc"}, body: Empty }    
2025-09-21T08:58:55.734555Z ERROR tunnel{id="01996b7f-641b-7023-ba09-e63719c60513" remote="www.google.com:443"}: wstunnel::tunnel::client::client: failed to do websocket handshake with the server ws://prx1.mydomain.com:80

Caused by:
    Invalid status code: 400

Desktop (please complete the following information):

• OS: macOS
• version: 10.4.4

[erebe]

Hello,

If you use tls-sni-override, your http host header must match the sni domain or cloudflare reject those requests.

      --tls-sni-override <DOMAIN_NAME>
          Domain name that will be used as SNI during TLS handshake
          Warning: If you are behind a CDN (i.e: Cloudflare) you must set this domain also in the http HOST header.
                   or it will be flagged as fishy and your request rejected

In your case your request contains prx1.domain.com

Request { method: GET, uri: /h3GywpDrP6gJEdZ6xbJbZZVFmvFZDCa4KcRd/events, version: HTTP/1.1, headers: {"host": "prx1.mydomain.com", "upgrade": "websocket",

try starting the client by adding this options --http-headers='host: mydomain.com'