
Custom WireGuard Exit Nodes

Configure your Root Server to send all traffic via an Exit Node

Use either SERVER-MODE or CLIENT-MODE — but not both.

A new network interface (wgExit) will magically appear on your Root Server: Traffic from your Root Server will now appear as if originating from the Exit Node.

The Exit Node can be behind a Firewall or NAT-Gateway (e.g. you can use your workstation as an Exit Node). Superuser privileges or root access is not needed.

Connect from an EXIT NODE to SEGFAULT

Typical use case:

  1. You want to mass-scan from your Root Server.
  2. You have shell access to the Exit Node and want all traffic from your Root Server to leave via this Exit Node.
  3. The Exit Node is not reachable from the Internet or is behind NAT/Firewall.
  4. You want to connect from your Root Server to workstations on a remote firewalled/private LAN (e.g. use nmap, metasploit, smbscan, etc. on your Root Server to scan a private LAN behind the Exit Node).

Step #1 - On your Root Server

Create and activate an Exit Node configuration:

curl http://sf/net/up


Your Root Server is now ready to accept an Exit Node.

Step #2 - On the Exit Node

Cut & paste the output from above into the shell on your Exit Node.

» All traffic from your Root Server will now leave via the Exit Node «

Connect from SEGFAULT to an EXIT NODE

Typical use case:

  1. The Exit Node is on the public Internet (ProtonVPN, Mullvad, NordVPN, …)
  2. You want to access an AWS VPC/Private-Subnet

On your Root Server

This example uses Proton’s Free VPN as an Exit Node. After registration, scroll down to “WireGuard Configuration”, select “GNU/Linux” and click “Create”.

A window containing Proton’s WireGuard configuration similar to this one will show:


Use this information on your Root Server:

curl sf/wg/up -d name=ProtonFree \
              -d PrivateKey=aBvvSus/nNdGxzep/gnC1j0EqSHVKgxSM7VyBsXwD1s= \
              -d Address= \
              -d PublicKey=TH87YVmOQBoo1Mir13INlDzvTOlvsi9dWmAp+IF3bRg= \
              -d Endpoint=

» All traffic from your Root Server will now leave via Proton’s Free VPN «
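The client-mode command above puts the WireGuard private key on the curl command line, where it lands in shell history and the process list. As an added example (not part of the original page or of Segfault itself), the function below reads the four fields from a provider config and prints the same POST body for piping into curl. The names `sample_conf` and `wg_conf_to_body` are hypothetical, and the sample Address and Endpoint are constructed placeholders.

```shell
#!/bin/sh
# Added example: build the POST body for `curl sf/wg/up` from a WireGuard config.
# Constructed sample input. Keys are the example values shown on the page;
# Address and Endpoint are made-up placeholders.
sample_conf() {
cat <<'EOF'
[Interface]
# constructed comment line
PrivateKey = aBvvSus/nNdGxzep/gnC1j0EqSHVKgxSM7VyBsXwD1s=
Address = 10.2.0.2/32
DNS = 10.2.0.1
[Peer]
PublicKey = TH87YVmOQBoo1Mir13INlDzvTOlvsi9dWmAp+IF3bRg=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
EOF
}

# wg_conf_to_body NAME < config
# Prints name=..&PrivateKey=..&Address=..&PublicKey=..&Endpoint=.. or exits 1.
wg_conf_to_body() {
    awk -v name="$1" '
        function die(msg) { print "wg_conf_to_body: " msg | "cat 1>&2"; exit 1 }
        { sub(/[ \t]*#.*/, "") }                      # drop comments
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        {
            i = index($0, "=")                        # split on the first "=" only:
            if (i == 0) next                          # base64 keys end in "=" padding
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t\r]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (sec == "interface" && (k == "PrivateKey" || k == "Address")) val[k] = v
            if (sec == "peer" && (k == "PublicKey" || k == "Endpoint")) val[k] = v
        }
        END {
            n = split("PrivateKey Address PublicKey Endpoint", want, " ")
            for (j = 1; j <= n; j++) if (val[want[j]] == "") die("missing " want[j])
            # A WireGuard key is 32 bytes: 43 base64 characters plus one "=".
            for (j = 1; j <= n; j += 2) {
                v = val[want[j]]
                if (length(v) != 44 || v !~ "^[A-Za-z0-9+/]+=$") die("bad " want[j])
            }
            printf "name=%s", name
            for (j = 1; j <= n; j++) printf "&%s=%s", want[j], val[want[j]]
            print ""
        }'
}
# Usage (body read from stdin): wg_conf_to_body ProtonFree < proton.conf | curl sf/wg/up -d @-
sample_conf | wg_conf_to_body ProtonFree
```

curl joins repeated `-d` options with `&`, so the body read from stdin with `-d @-` is the same one the multi-`-d` form sends.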

More Shenanigans

Each command is executed on the Root Server (after the Exit Node has connected).

Check Exit Node

curl sf/net/show  # Server Mode
curl sf/wg/show   # Client Mode

Masscan the Internet

### Simple
masscan -e wgExit -p 22,80,443 --range
### With banner grabbing:
masscan -e wgExit -p 22,80,443 --range --banners --adapter-ip --adapter-port 1024-33791

Ping an IPv6 host

ping6 2606:4700:4700::64

Scan the remote private LAN

nmap -n -Pn -sV -F -T5 --min-rate 10000 --open

Crackmapexec the LAN

cme smb

Find Windows shares on the LAN


SNMP dump


Log in to a workstation (Remote Desktop/RDP) on the LAN

remmina -c rdp://username@server

Poke the lion and appear as if originating from the LAN

amass enum -d


Cut & Paste the YELLOW strings into an Admin Powershell (Right-Click on Powershell -> Run as Administrator) or else Defender’s heuristic will block Wiretap.

Similar services

  1. WireGuard over Cloudflared
  2. Anything over Cloudflared Free
  3. Tailscale
  4. Gsocket