
Custom WireGuard Exit Nodes

Configure your Root Server to send all traffic via an Exit Node


Use either SERVER-MODE or CLIENT-MODE — but not both.

A new network interface (wgExit) will magically appear on your Root Server: Traffic from your Root Server will now appear as if originating from the Exit Node.

The Exit Node can be behind a Firewall or NAT-Gateway (e.g. you can use your workstation as an Exit Node). Superuser privileges or root access are not needed on the Exit Node.


Server-Mode
Connect from an EXIT NODE to SEGFAULT

Typical use cases:

  1. You want to mass-scan from your Root Server.
  2. You have shell access to the Exit Node and want all traffic from your Root Server to leave via this Exit Node.
  3. The Exit Node is not reachable from the Internet or is behind NAT/Firewall.
  4. You want to connect from your Root Server to workstations on a remote firewalled/private LAN (e.g. use nmap, metasploit, smbscan, etc. on your Root Server to scan a private LAN behind the Exit Node).

Step #1 - On your Root Server

Create and activate an Exit Node configuration:

curl http://sf/net/up

[screenshot: login screen]

Your Root Server is now ready to accept an Exit Node.

Step #2 - On the Exit Node

Cut & paste the output from above into the shell on your Exit Node:

[screenshot: login screen]

» All traffic from your Root Server will now leave via the Exit Node «


Client-Mode
Connect from SEGFAULT to an EXIT NODE

Typical use cases:

  1. The Exit Node is on the public Internet (ProtonVPN, Mullvad, NordVPN, …)
  2. You want to access an AWS VPC/Private-Subnet

On your Root Server

This example uses Proton’s Free VPN as an Exit Node. After registration, scroll down to “WireGuard Configuration”, select “GNU/Linux” and click “Create”.

A window containing Proton’s WireGuard configuration similar to this one will show:

[screenshot: Proton WireGuard configuration window]

Use this information on your Root Server:

curl sf/wg/up -d name=ProtonFree \
              -d PrivateKey=aBvvSus/nNdGxzep/gnC1j0EqSHVKgxSM7VyBsXwD1s= \
              -d Address=10.2.0.2/32 \
              -d PublicKey=TH87YVmOQBoo1Mir13INlDzvTOlvsi9dWmAp+IF3bRg= \
              -d Endpoint=149.34.244.169:51820
### THESE KEYS WILL NOT WORK. YOU MUST REQUEST YOUR OWN KEYS FROM PROTON AS EXPLAINED ABOVE.

» All traffic from your Root Server will now leave via Proton’s Free VPN «
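Proton’s configuration window holds more lines than the four values the command above needs, and the keys are long enough to mistype. The following shell script is an added example, not code from the Segfault page or from THC: it pulls PrivateKey, Address, PublicKey and Endpoint out of a wg-quick style file and prints the matching curl sf/wg/up command for review before anything is sent. It assumes the usual “Key = value” layout with one [Peer] section; the sample file it writes reuses the page’s own non-working placeholder keys.

```shell
#!/bin/sh
# Added example (not from the Segfault page or from THC): read the wg-quick
# style configuration that Proton hands out and print the matching
# "curl sf/wg/up" command, so the four values never have to be retyped.
# Assumptions: "Key = value" lines under [Interface] and [Peer] and a single
# peer section; nothing here talks to sf, it only prints the command.

# wg_field FILE SECTION KEY -> prints the value of KEY inside [SECTION]
wg_field() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*\[/ {                                # section header, e.g. [Peer]
            sec = $0; gsub(/[^A-Za-z0-9_]/, "", sec); next
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        sec == want_sec {
            eq = index($0, "="); if (eq == 0) next   # first "=" splits key from value
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key == want_key) {
                val = substr($0, eq + 1)             # keeps the trailing "=" of base64 keys
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# wg_to_curl FILE NAME -> prints the curl command; fails instead of emitting
# a half-filled command when one of the required fields is absent
wg_to_curl() {
    wg_pk=$(wg_field "$1" Interface PrivateKey)
    wg_addr=$(wg_field "$1" Interface Address)
    wg_peer=$(wg_field "$1" Peer PublicKey)
    wg_ep=$(wg_field "$1" Peer Endpoint)
    for v in "$wg_pk" "$wg_addr" "$wg_peer" "$wg_ep"; do
        [ -n "$v" ] || { echo "wg_to_curl: $1 lacks PrivateKey/Address/PublicKey/Endpoint" >&2; return 1; }
    done
    printf 'curl sf/wg/up -d name=%s -d PrivateKey=%s -d Address=%s -d PublicKey=%s -d Endpoint=%s\n' \
        "$2" "$wg_pk" "$wg_addr" "$wg_peer" "$wg_ep"
}

# Constructed sample in Proton's layout; the keys are the page's own
# non-working placeholders, not real credentials.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
# Key for segfault
PrivateKey = aBvvSus/nNdGxzep/gnC1j0EqSHVKgxSM7VyBsXwD1s=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# NL-FREE#1
PublicKey = TH87YVmOQBoo1Mir13INlDzvTOlvsi9dWmAp+IF3bRg=
AllowedIPs = 0.0.0.0/0
Endpoint = 149.34.244.169:51820
EOF

# Print the command for review; pipe it into "sh" only once the values look right.
wg_to_curl "$SAMPLE_CONF" ProtonFree
```

The script deliberately prints rather than executes: a typo in the endpoint or a swapped key is far easier to spot on the screen than in a failed handshake later.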


More Shenanigans

Each command is executed on the Root Server (after the Exit Node has connected).

Check Exit Node

curl sf/net/show  # Server Mode
curl sf/wg/show   # Client Mode
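curl sf/net/show and curl sf/wg/show report what Segfault knows about the tunnel. The script below is an added example, not part of the page or of Segfault itself, of checking the same thing from the Root Server’s own view: it reads wg show wgExit dump to see whether the peer has handshaked recently and ip route get to see whether outbound packets really leave through wgExit. It assumes root on the Root Server, the interface name wgExit from this page, and a 180-second handshake freshness limit; the sample output embedded in it is constructed with fake keys.

```shell
#!/bin/sh
# Added example (not from the Segfault page or from THC): confirm that the
# wgExit tunnel is alive and actually carries the Root Server's outbound
# traffic, using the output of "wg show wgExit dump" and "ip route get".
# Assumptions: the interface is named wgExit as the page says, both commands
# are run as root on the Root Server, and a peer whose last handshake is
# older than REKEY_LIMIT seconds is treated as gone (WireGuard re-handshakes
# roughly every two minutes while traffic flows).
REKEY_LIMIT=180

# exit_handshake_age DUMP NOW -> seconds since the newest peer handshake, or
# "never" when no peer has completed one. DUMP is the text of "wg show wgExit dump".
exit_handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" '
        BEGIN { best = 0 }
        NR == 1 { next }                               # line 1 describes the interface, not a peer
        NF >= 5 && $5 + 0 > best { best = $5 + 0 }     # column 5 = latest_handshake (epoch seconds)
        END { if (best > 0) print now - best; else print "never" }'
}

# exit_route_ok ROUTE -> succeeds when "ip route get <addr>" says the packet
# leaves through wgExit rather than the server's ordinary uplink
exit_route_ok() {
    printf '%s\n' "$1" | grep -q -E '(^| )dev wgExit( |$)'
}

# exit_status DUMP ROUTE NOW -> prints "up", "stale" (routed into wgExit but no
# fresh handshake: the Exit Node went away and packets are being dropped) or
# "down" (traffic is not routed through wgExit at all); exit code 0 only for "up"
exit_status() {
    if ! exit_route_ok "$2"; then echo down; return 1; fi
    age=$(exit_handshake_age "$1" "$3")
    if [ "$age" = never ] || [ "$age" -gt "$REKEY_LIMIT" ]; then echo stale; return 1; fi
    echo up
}

# Constructed sample output (fake keys, documentation addresses). Real "wg show
# dump" output is tab-separated; awk's default field splitting accepts both.
SAMPLE_DUMP='FAKE_PRIVATE_KEY= FAKE_ROOT_SERVER_PUBKEY= 51820 off
FAKE_EXIT_NODE_PUBKEY= (none) 203.0.113.5:51820 0.0.0.0/0,::/0 1700000250 123456 654321 25'
SAMPLE_ROUTE='1.1.1.1 dev wgExit src 172.16.0.3 uid 0'
UPLINK_ROUTE='1.1.1.1 via 10.11.0.1 dev eth0 src 10.11.0.2 uid 0'

# Against live output on the Root Server it would be called as:
#   exit_status "$(wg show wgExit dump)" "$(ip route get 1.1.1.1)" "$(date +%s)"
exit_status "$SAMPLE_DUMP" "$SAMPLE_ROUTE" 1700000300     # prints "up"
```

Telling “stale” apart from “down” is the useful part: when the Exit Node disappears, the route through wgExit stays in place, so traffic is not leaking out through the uplink, it is being silently dropped, and a scan started in that state simply produces no results.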

Masscan the Internet

### Simple
masscan -e wgExit -p 22,80,443 --rate 10000 --range 1.0.0.0-8.255.255.255
### With banner grabbing:
masscan -e wgExit -p 22,80,443 --rate 10000  --range 1.0.0.0-8.255.255.255 --banners --adapter-ip 172.16.0.3-172.16.128.2 --adapter-port 1024-33791

Note: Setting --rate 40000 will consume 40000 * (40 + 60 + 40) * 2 * 8 == 85.45 Mbit of bandwidth on the Exit Node.

Ping an IPv6 host

ping6 2606:4700:4700::64

Scan the remote private LAN

nmap -n -Pn -sV -F -T5 --min-rate 10000 --open 192.168.123.0/24

Crackmapexec the LAN

cme smb 192.168.123.0/24

Find Windows shares on the LAN

nbtscan 192.168.123.0/24

SNMP dump

snmp-check 192.168.123.250

Log in to a workstation (Remote Desktop/RDP) on the LAN

startxweb
remmina -c rdp://username@server

Poke the lion and appear as if originating from the LAN

amass enum -d nsa.gov

Windows

Cut & paste the YELLOW strings into an Admin PowerShell (right-click on PowerShell -> Run as Administrator); otherwise Defender’s heuristics will block Wiretap.

Similar services

  1. WireGuard over Cloudflared
  2. Anything over Cloudflared Free
  3. Tailscale
  4. Gsocket

Contact

X.com: https://x.com/hackerschoice
Mastodon: @thc@infosec.exchange
Telegram: https://t.me/thcorg
Web: https://www.thc.org
Medium: https://medium.com/@hackerschoice
Hashnode: https://iq.thc.org/
Abuse: https://thc.org/abuse
E-Mail: members@proton.thc.org