Hello everyone, I'm running an OPNsense setup and looking for a way to make my WireGuard server accessible via port 443 (HTTPS), especially for use in restricted networks that block UDP/51820 or use DPI.
My current setup:
- OPNsense as firewall with built-in WireGuard server
- Port 51820/UDP is forwarded and works fine under normal conditions
- Using HAProxy with a frontend on port 443 (HTTPS) to reverse proxy internal services (all domains proxied via Cloudflare)
- Using the built-in ACME client to generate SSL certificates from Let's Encrypt
The problem: On some restrictive networks (corporate, public WiFi, mobile data), UDP/51820 is blocked or filtered. This causes the WireGuard handshake to fail, and I cannot connect at all.
Since port 443 is usually open in most networks, I want to:
- Expose WireGuard via TCP/443 (or some TLS-wrapped variant)
- Still keep my HTTPS HAProxy frontend on port 443 for websites
- Retain SSL support using ACME + Cloudflare (proxied mode)
Challenges:
- HAProxy cannot bind both HTTPS (TCP) and raw TCP (or UDP) on the same port 443
- WireGuard itself doesn't support TCP, and Cloudflare proxy doesn't support UDP
- I'd prefer to avoid breaking my HTTPS websites behind HAProxy
Ideas I've considered:
- sslh (https://github.com/yrutschle/sslh) – for multiplexing HTTPS and WireGuard on the same port
- stunnel (https://www.stunnel.org/) – to wrap WireGuard in TLS
- shadowsocks (https://github.com/shadowsocks/shadowsocks) – custom tunneling with obfuscation
- Using a separate public server as a TCP relay to my OPNsense WG server
But I couldn't find a clear guide that works cleanly with:
- OPNsense + HAProxy
- Cloudflare (proxied mode)
- ACME/Let's Encrypt certs
My questions:
- Is it possible to expose WireGuard on port 443 while still using HAProxy for HTTPS on the same port?
- Can sslh, stunnel, or another tool help in this case? Has anyone done this?
- What would a working setup look like with Cloudflare in front?
Thanks in advance for any advice, working configs, or alternative ideas!
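To make the sslh idea from the post concrete, here is an added example (not from the original post or from the sslh, HAProxy or OPNsense projects) of what a single-port TCP demultiplexer does: it reads the first bytes of an incoming connection, decides whether they are a TLS ClientHello, extracts the SNI name, and forwards the connection to an upstream chosen by that name. It only splits TCP connections; getting WireGuard's UDP packets into a TLS stream is a separate step (the stunnel idea above). The hostnames, ports and the `build_client_hello` sample input are constructed for the example.

```python
import asyncio
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    sni_body = (len(name) + 3).to_bytes(2, "big") + b"\x00" + len(name).to_bytes(2, "big") + name
    ext = b"\x00\x00" + len(sni_body).to_bytes(2, "big") + sni_body      # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)                     # client_version, random
        + b"\x00"                                   # session_id length 0
        + b"\x00\x02\x13\x01"                       # one cipher suite
        + b"\x01\x00"                               # one compression method (null)
        + len(ext).to_bytes(2, "big") + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake   # record type 0x16 = handshake


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls' if the bytes start with a TLS handshake record holding a ClientHello, else 'other'."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "other"


def extract_sni(data: bytes) -> Optional[str]:
    """Parse the server_name extension out of a ClientHello; None if absent or malformed."""
    if classify_first_bytes(data) != "tls":
        return None
    try:
        record_len = int.from_bytes(data[3:5], "big")
        hello = data[5:5 + record_len]
        pos = 4                                       # skip handshake type (1) + length (3)
        pos += 2 + 32                                 # client_version + random
        pos += 1 + hello[pos]                         # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(hello[pos:pos + 2], "big")
            ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
            body = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == 0:                         # ServerNameList: list_len(2) type(1) name_len(2) name
                name_len = int.from_bytes(body[3:5], "big")
                return body[5:5 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def route_for(first: bytes, routes: dict, default: tuple) -> tuple:
    """Pick the upstream (host, port): by SNI for TLS, '*' for TLS without a known name, default otherwise."""
    if classify_first_bytes(first) != "tls":
        return default
    return routes.get(extract_sni(first), routes.get("*", default))


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(creader, cwriter, routes: dict, default: tuple) -> None:
    # One read is enough for a normal ClientHello; a production demultiplexer would buffer
    # until the full record has arrived before deciding.
    first = await creader.read(4096)
    host, port = route_for(first, routes, default)
    ureader, uwriter = await asyncio.open_connection(host, port)
    uwriter.write(first)                              # replay the bytes already consumed
    await uwriter.drain()
    await asyncio.gather(_pipe(creader, uwriter), _pipe(ureader, cwriter))


async def main() -> None:
    # Hypothetical layout: HAProxy listens on 8443, a TLS wrapper for the VPN on 4443,
    # and anything that is not TLS goes to a local SSH daemon.
    routes = {"vpn.example.com": ("127.0.0.1", 4443), "*": ("127.0.0.1", 8443)}
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, routes, ("127.0.0.1", 22)), "0.0.0.0", 443)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The decision is made on the very first record, so the demultiplexer never needs the private key: it forwards the still-encrypted stream untouched, which is also why the certificate from ACME stays on the HTTPS backend. Note that a Cloudflare-proxied hostname never reaches this listener directly, so the VPN name would have to be a DNS-only (unproxied) record.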
WireGuard is UDP by design, so you cannot wrap it into TCP with a proxy in between.
If you need TCP 443, use OpenVPN instead for multiplexing.
You can do many multiplexing use-cases in caddy:
https://docs.opnsense.org/manual/how-tos/caddy.html#layer-7-matchers