Expose WireGuard over port 443 (HTTPS) with HAProxy, Cloudflare, and SSL certs?

Started by peterkal, April 15, 2025, 03:04:58 PM

Hello everyone,

I'm running an OPNsense setup and looking for a way to make my WireGuard server accessible via port 443 (HTTPS), especially for use in restricted networks that block UDP/51820 or use DPI.

My current setup:
  • OPNsense as firewall with built-in WireGuard server
  • Port 51820/UDP is forwarded and works fine under normal conditions
  • Using HAProxy with a frontend on port 443 (HTTPS) to reverse proxy internal services (all domains proxied via Cloudflare)
  • Using the built-in ACME client to generate SSL certificates from Let's Encrypt

The problem: On some restrictive networks (corporate, public WiFi, mobile data), UDP/51820 is blocked or filtered. This causes the WireGuard handshake to fail, and I cannot connect at all.

Since port 443 is usually open in most networks, I want to:
  • Expose WireGuard via TCP/443 (or some TLS-wrapped variant)
  • Still keep my HTTPS HAProxy frontend on port 443 for websites
  • Retain SSL support using ACME + Cloudflare (proxied mode)

Challenges:
  • HAProxy cannot bind both HTTPS (TCP) and raw TCP (or UDP) on the same port 443
  • WireGuard itself doesn't support TCP, and Cloudflare proxy doesn't support UDP
  • I'd prefer to avoid breaking my HTTPS websites behind HAProxy

Ideas I've considered:
  • sslh – for multiplexing HTTPS and WireGuard on the same port
  • stunnel – to wrap WireGuard in TLS
  • shadowsocks – custom tunneling with obfuscation
  • Using a separate public server as a TCP relay to my OPNsense WG server

But I couldn't find a clear guide that works cleanly with:
  • OPNsense + HAProxy
  • Cloudflare (proxied mode)
  • ACME/Let's Encrypt certs

My questions:
  • Is it possible to expose WireGuard on port 443 while still using HAProxy for HTTPS on the same port?
  • Can sslh, stunnel, or another tool help in this case? Has anyone done this?
  • What would a working setup look like with Cloudflare in front?

Thanks in advance for any advice, working configs, or alternative ideas!
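The "separate public server as a TCP relay" idea from the post above needs one piece that none of the listed tools supplies on its own: stunnel and an HAProxy/Caddy TCP frontend carry byte streams, while WireGuard speaks in datagrams, so something has to preserve packet boundaries across the stream. The following is an added example, not code from the original post, from OPNsense or from the WireGuard project. It is a small UDP-in-TCP shim written against Python's standard library (3.9+): the client side listens on 127.0.0.1:51820/udp for the local WireGuard client and forwards each packet over one TCP connection with a 2-byte length prefix; the server side accepts those connections and hands the packets to WireGuard over a fresh UDP socket per client. The hostnames and ports are assumptions for illustration; TLS is deliberately left to the wrapper in front of it.

```python
"""UDP-in-TCP shim so a WireGuard client can reach its server over a TCP port.

Assumed layout (illustrative, not from the original post):
  wg client -> 127.0.0.1:51820/udp -> [client shim] --tcp--> [TLS wrapper such as
  stunnel or an HAProxy tcp-mode frontend on 443] --tcp--> [server shim]
  -> 127.0.0.1:51820/udp -> WireGuard on OPNsense
TCP is a byte stream, so every datagram is prefixed with its length; without
that the receiver cannot tell where one WireGuard packet ends and the next begins.
"""
import asyncio
import struct

HEADER = struct.Struct("!H")   # 2-byte big-endian length prefix
MAX_DATAGRAM = 65535           # largest length the prefix can express


def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its length so it survives transit over a byte stream."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large for 16-bit length prefix")
    return HEADER.pack(len(datagram)) + datagram


class FrameParser:
    """Reassembles length-prefixed datagrams from arbitrary TCP read chunks."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list[bytes]:
        """Append a chunk and return every complete datagram now available."""
        self._buf += chunk
        out: list[bytes] = []
        while len(self._buf) >= HEADER.size:
            (length,) = HEADER.unpack_from(self._buf)
            end = HEADER.size + length
            if len(self._buf) < end:
                break                       # wait for the rest of this packet
            out.append(bytes(self._buf[HEADER.size:end]))
            del self._buf[:end]
        return out


class _UdpEndpoint(asyncio.DatagramProtocol):
    """Queues datagrams from a UDP socket and remembers the last peer address."""

    def __init__(self) -> None:
        self.queue: asyncio.Queue[bytes] = asyncio.Queue()
        self.peer = None

    def datagram_received(self, data: bytes, addr) -> None:
        self.peer = addr
        self.queue.put_nowait(data)


async def _pump(reader, writer, udp_transport, udp_proto, fixed_peer) -> None:
    """Relay TCP<->UDP in both directions until either side goes away."""
    parser = FrameParser()

    async def tcp_to_udp() -> None:
        while chunk := await reader.read(65536):
            for dgram in parser.feed(chunk):
                dest = fixed_peer or udp_proto.peer   # client side learns its peer from traffic
                if dest is not None:
                    udp_transport.sendto(dgram, dest)

    async def udp_to_tcp() -> None:
        while True:
            writer.write(frame(await udp_proto.queue.get()))
            await writer.drain()

    tasks = {asyncio.create_task(tcp_to_udp()), asyncio.create_task(udp_to_tcp())}
    _, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
    for task in pending:
        task.cancel()
    writer.close()
    udp_transport.close()


async def run_client(local_port: int, relay_host: str, relay_port: int) -> None:
    """Client side: the local WireGuard peer points its Endpoint at 127.0.0.1:local_port."""
    loop = asyncio.get_running_loop()
    transport, proto = await loop.create_datagram_endpoint(
        _UdpEndpoint, local_addr=("127.0.0.1", local_port))
    reader, writer = await asyncio.open_connection(relay_host, relay_port)
    await _pump(reader, writer, transport, proto, None)


async def run_server(listen_port: int, wg_host: str, wg_port: int) -> None:
    """Server side: one UDP socket per TCP client, so WireGuard sees distinct source ports."""
    async def handle(reader, writer) -> None:
        loop = asyncio.get_running_loop()
        transport, proto = await loop.create_datagram_endpoint(
            _UdpEndpoint, remote_addr=(wg_host, wg_port))
        await _pump(reader, writer, transport, proto, (wg_host, wg_port))

    server = await asyncio.start_server(handle, "127.0.0.1", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    import sys
    # Assumed usage: "client <relay_host> <relay_port>" on the laptop,
    # "server <listen_port>" next to WireGuard (port numbers are illustrative).
    if sys.argv[1:2] == ["client"]:
        asyncio.run(run_client(51820, sys.argv[2], int(sys.argv[3])))
    elif sys.argv[1:2] == ["server"]:
        asyncio.run(run_server(int(sys.argv[2]), "127.0.0.1", 51820))
```

Two caveats a practitioner should plan for. First, the shim only listens on loopback, so the public side still needs a TLS wrapper: stunnel on both ends, or an HAProxy frontend in `mode tcp` on 443 that uses `tcp-request inspect-delay` and `req.ssl_sni` to send one hostname to this shim and every other hostname to the existing HTTPS frontend moved to a loopback port. Second, Cloudflare's proxied (orange-cloud) mode only forwards HTTP(S) and WebSocket traffic, so the VPN hostname needs a DNS-only (grey-cloud) record, and an ACME certificate for it can still be issued via the DNS-01 challenge. Running WireGuard's encrypted UDP inside a TCP stream also reintroduces head-of-line blocking and TCP-over-TCP retransmission stacking, so treat this as a fallback for networks that block UDP/51820, not as the default path.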

WireGuard is UDP by design, so you cannot wrap it into TCP with a proxy in between.

If you need TCP 443, rather use OpenVPN for multiplexing.

You can do many multiplexing use cases in Caddy:

https://docs.opnsense.org/manual/how-tos/caddy.html#layer-7-matchers
Hardware: DEC740