wsnic (or WebSocket-NIC) is a layer-2 proxy server that connects WebSocket clients to a shared virtual Linux bridge. Clients connected to wsnic can communicate with each other like in a physical network, and if enabled can also access external networks and the Internet.
There are two different ways to install wsnic, see
- Docker installation about installing wsnic with Docker, and
- Source installation about installing wsnic from this repository.
In either case, see section CLI options next about wsnic's command line interface for configuration options.
For WebSocket Secure support (wss://) see section WebSocket Secure support.
- exchanges unmodified IEEE 802.3 ethernet frames between a virtual Linux network and any number of WebSocket clients
- creates a single, shared virtual bridge and one TAP device per WebSocket client
- supports attaching the bridge to a physical network using NAT masquerading to grant Internet-access to WebSocket guests
- supports WebSocket Secure (wss://) connections with stunnel
- provides DHCP, DNS and iperf2 services to WebSocket guests using dnsmasq and iperf
- sends periodic PINGs to idle WebSocket clients, drops unresponsive clients after timeout
- written in Python3 with no external Python dependencies
- see section How it works for more details
First, follow the official Docker installation instructions to install the latest Docker release.
Then pull the latest wsnic container from Docker Hub and run it with Internet-access for clients enabled (by the -i command line option) using:
docker run --rm --interactive --tty \
    --cap-add=NET_ADMIN \
    --device /dev/net/tun:/dev/net/tun \
    -p 8086:8086 \
    chschnell86/wsnic -iTo instead run wsnic with WebSocket Secure (wss://) support use:
docker run --rm --interactive --tty \
    --cap-add=NET_ADMIN \
    --device /dev/net/tun:/dev/net/tun \
    -p 8086:8086 \
    -p 8087:8087 \
    -v ~/cert/cert.crt:/opt/wsnic/cert/cert.crt \
    -v ~/cert/cert.key:/opt/wsnic/cert/cert.key \
    chschnell86/wsnic -iBrief description for each of these Docker command line arguments, and why they're needed:
- --cap-add=NET_ADMIN
 Allow Docker application to modify internal Docker network, needed to add/remove network bridge and TAP devices.
- --device /dev/net/tun:/dev/net/tun
 Map host's TUN device file into Docker image, this device is needed to create TAP devices and otherwise not available in Docker images.
- -p 8086:8086
 Maps the WebSocket (ws://) port number<host-port>:<docker-port>to host port 8086, for example12345:8086would instead expose wsnic on the host's port 12345.
- -p 8087:8087
 Maps the WebSocket Secure (wss://) port number to host port 8087, only needed when wss is used.
- -v ~/cert/cert.crt:/opt/wsnic/cert/cert.crt (and similar)
 Maps the WebSocket Secure certificate file to~/cert/cert.crt.
 In order to pass files (wsnic.conf,cert.crtorcert.key) from the host into the Docker image they need to be volume mounted using Docker command line option-v. When running under Docker, upon startup wsnic checks for specific files at these fixed paths:- /opt/wsnic/wsnic.conffor the wsnic configuration file
- /opt/wsnic/cert/cert.crtfor the WebSocket Secure server certificate file
- /opt/wsnic/cert/cert.keyfor the WebSocket Secure private key file
 
For further information, see sections:
- CLI options about wsnic's command line interface (or use -h)
- WebSocket Secure support about WebSocket Secure support (wss://)
Tip
To build the Docker container locally, clone this repository and build it with (for example) tag name wsnic:local using:
git clone https://github.com/chschnell/wsnic.git
cd wsnic
docker buildx build -t wsnic:local .The Docker command line to run it is the same as described above, just replace chschnell86/wsnic with wsnic:local.
wsnic supports configuration through its Command Line Interface (CLI) and optionally by using a configuration file. Each setting in the configuration file has the same effect as a CLI option with a similar name, for example, CLI option --foo-bar has the same effect as configuration file setting foo_bar. Options specified on the command line take precedence over those in wsnic.conf.
Tip
Copy template file wsnic.conf.template to wsnic.conf for a quick-start if you want to use a configuration file.
Command line interface
usage: wsnic [-h] [-v] [-q] [-c CFGFILE] [-a ADDR] [--ws-port PORT]
             [--wss-port PORT] [-r CRTFILE] [-k KEYFILE] [-s SUBNET] [-i]
             [-f IFACE] [--disable-dhcp] [--dhcp-lease-file DBFILE]
             [-t SECONDS] [-n NAME] [-d IPLIST] [-p]
WebSocket to virtual network device proxy server.
options:
    -h, --help
          show this help message and exit
    -v    Output verbose log messages.
    -q    Output warning and error log messages only.
    -c CFGFILE
          Use configuration file CFGFILE, default: wsnic.conf (if
          exists).
    -a ADDR, --ws-address ADDR
          WebSocket server address.
          Use 127.0.0.1 if wsnic runs on the same machine as the
          WebSocket client (browser), or 0.0.0.0 to make wsnic
          available in the network.
          Default: 0.0.0.0 under Docker or 127.0.0.1.
    --ws-port PORT
          WebSocket server port (ws://), default: 8086.
    --wss-port PORT
          WebSocket Secure server port (wss://), default: 8087.
    -r CRTFILE, --wss-certificate CRTFILE
          Absolute path of a PEM formatted file containing either just
          the public server certificate or an entire certificate chain
          including public key, private key, and root certificates.
          Optional, default: "cert/cert.crt" (if exists).
    -k KEYFILE, --wss-private-key KEYFILE
          Absolute path of a PEM formatted file containing only the
          private key of the server certificate.
          Optional, default: "cert/cert.key" (if exists).
    -s SUBNET, --subnet SUBNET
          The wsnic subnet in CIDR notation, default: 192.168.86.0/24.
          The subnet's first and last IP addresses are reserved for
          network and broadcast addresses. The subnet's second IP is
          reserved for the bridge device (also gateway and DHCP server
          IP). The remaining IP addresses are used for the DHCP
          address pool.
          Example for the default subnet:
          - Network address: 192.168.86.0
          - Broadcast address: 192.168.86.255
          - Bridge/gateway/DHCPD address: 192.168.86.1
          - DHCP address pool: 192.168.86.2 ... 192.168.86.254
          The default subnet might conflict with your local network
          configuration and must then be changed accordingly.
    -i, --enable-inet
          Grant bridge access to the host's network (including
          Internet if available) using inet_iface.
    -f IFACE, ---inet-iface IFACE
          Interface name of a physical network device that provides
          access to the Internet (for example "eth0" or "enp0s3").
          wsnic will try to auto-detect this interface, this option is
          only needed to force an interface name in case detection
          fails. This option only takes effect if CLI option -i is
          also present.
          Optional, default (Docker only): "eth0".
    --disable-dhcp
          Disable DHCP/DNS service using dnsmasq.
    --dhcp-lease-file DBFILE
          DHCP lease database file path, default: undefined.
          If undefined, wsnic uses a temporary file which will be
          deleted on close.
    -t SECONDS, ---dhcp-lease-time SECONDS
          DHCP lease time in seconds, default: 86400 (24 hours).
    -n NAME, ---dhcp-domain-name NAME
          Domain Name of this subnet published in DHCP replies.
          Optional, default: undefined.
    -d IPLIST, --dhcp-nameserver IPLIST
          Comma-separated list of Domain Name Server (DNS) IP
          address(es) published in DHCP replies, for example:
              "8.8.8.8, 8.8.4.4"
          If undefined, the bridge's IP address is used as the DNS
          address (which gets handled by dnsmasq).
          Optional, default: undefined.
    -p, --enable-iperf
          Run an iperf server on bridge for clients.
WebSocket Secure (wss://) support is optional and enabled by passing a TLS server certificate file to wsnic (either by CLI option or in wsnic.conf), which means you need:
- a DNS record for the hostname of your wsnic server
- a TLS server certificate issued for that DNS hostname
If your wsnic server has a public DNS record for its hostname you should use a service like Let’s Encrypt to get a TLS certificate for it, otherwise you can create your own self-signed certificate as described in the next section.
Setting up a self-signed certificate involves two steps, after generating it you also have to configure your browser to accept it.
Note
The following instructions use localhost as the DNS hostname and /host/path as the directory where TLS certificate files are stored on the wsnic host, you need to replace both consistently according to your setup and network environment.
Tip
Make sure to use the same hostname for the DNS hostname in the server certificate, in browser URLs and in HTTP server's virtual host definitions. For example, if you plan to run the server on the same machine as your browser, use localhost in all cases.
To issue a basic self-signed TLS server certificate for DNS hostname localhost:
mkdir /host/path
cd /host/path
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
  -nodes -keyout cert.key -out cert.crt -subj "/CN=localhost"By default, modern browsers refuse to connect to HTTPS (and WebSocket Secure) servers that present a self-signed certificate. In order to get around that you have to manually grant permission in your browser.
Note
These instructions are for Mozilla Firefox. If you want to use Google Chrome, start chrome with command line options --disable-web-security --ignore-certificate-errors --allow-running-insecure-content --user-data-dir=/tmp/chrome-temp, and replace /tmp/chrome-temp with some directory for the session data.
Start wsnic and direct your browser to your wsnic server using a HTTPS URL like:
https://localhost:8087
You will get a security warning that you need to acknowledge once to grant permission permanently. After that you should see a reply page from wsnic that reads:
wsnic proxy server
HTTP request refused, missing or invalid WebSocket upgrade.
If this request's purpose is to test the TLS certificate: TLS test succeeded.
To use wsnic without Docker you can execute wsnic directly from its source code as described below. Instructions are tested with Debian 12 (Bookworm) netinst (without Desktop).
Warning
Unlike the Docker image this installation method will run directly on the host, meaning it is not isolated from the host as is the case with Docker. It is recommended to use this installation method only in a virtual machine dedicated for this purpose in order to avoid unwanted system modifications in case of a crash.
Having said that, wsnic attempts to restore all system state back as it was before starting, for example the host's network configuration and settings.
Note
stunnel is only required for wss:// support and otherwise not needed.
First, make sure that the packages required by wsnic are installed:
sudo apt install python3-venv iproute2 iptables dnsmasq stunnel iperfStop and disable the systemd dnsmasq service with (if you want to run it, make sure that it does not bind to newly created network devices):
sudo systemctl stop dnsmasq
sudo systemctl disable dnsmasqNext, clone a working copy of this repository:
git clone https://github.com/chschnell/wsnic.gitFinally, run wsnic using:
cd wsnic
sudo ./wsnic.sh [WSNIC-OPTIONS]See section CLI options for documentation on WSNIC-OPTIONS (or use -h).
The necessity for adjusting sysctl settings in the Linux host is not entirely clear, and the host's defaults of some sysctl settings are also not always known. For this reason wsnic does not modify these settings by itself, they can be changed from outside wsnic as described below.
sysctl (non-Docker)
To see relevant sysctl settings use:
sudo sysctl -a | grep forwardLook for net.ipv4.ip_forward and make sure it is set to 1, otherwise change it using:
sudo sysctl -w net.ipv4.ip_forward=1For some sysctl settings it is unclear whether they're even relevant, if there are still issues you might try:
sudo sysctl -w net.ipv4.conf.all.forwarding=1
sudo sysctl -w net.ipv4.conf.default.forwarding=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.default.forwarding=1sysctl (Docker)
To change sysctl settings from within the Docker image would require to run it with the --privileged flag which is otherwise not needed by wsnic and hence avoided.
Pass sysctl settings on the docker run command line like so:
docker run ... \
    --sysctl net.ipv4.ip_forward=1 \
    --sysctl net.ipv4.conf.all.forwarding=1 \
    --sysctl net.ipv4.conf.default.forwarding=1 \
    --sysctl net.ipv6.conf.all.forwarding=1 \
    --sysctl net.ipv6.conf.default.forwarding=1 ...Overview of wsnic and its network components:
 +-----+     +-----+         +-----+
 | ws0 |     | ws1 |   ...   | wsN |    (WebSocket clients)
 +--+--+     +--+--+         +--+--+
    |           |               |
+===+===========+===============+====+
|   :           :               :    |  (wsnic proxy server)
+===+===========+===============+====+
    |           |               |
+---+----+  +---+----+      +---+----+
| wstap0 |  | wstap1 |      | wstapN |  (TAP devices)
+---+----+  +---+----+      +---+----+
    |           |               |
+---+-----------+---------------+----+
|               wsbr0                |  (virtual bridge)
+-----------------+-------------+----+
                  |             |
          NAT (MASQUERADE)      |
                  |          [server]   (dnsmasq and iperf for DHCP/DNS/iperf)
               +--+---+
               | eth0 |                 (physical network)
               +--+---+
                  |
               Internet
Roughly, wsnic works like this:
- Upon startup, wsnic:
- creates virtual bridge wsbr0and assigns it the subnet's first available IP address,
- optionally attaches wsbr0to a physical network adapter named (for instance)eth0using NAT,
- optionally starts DHCP server dnsmasqand binds it to the IP address ofwsbr0, and
- optionally starts iperf server iperfand binds it to the IP address ofwsbr0, and
- starts operating as the WebSocket server, listening for WebSocket client connections
 
- creates virtual bridge 
- After completing the handshake with a newly accepted WebSocket client connection wsX, wsnic:- creates a TAP device wstapX,
- connects wstapXtowsbr0, and
- begins passing ethernet frames between wsXandwstapX
 
- creates a TAP device 
- If a WebSocket client disconnects, wsnic removes the associated TAP device from the bridge (and network)
- DHCP server dnsmasqassigns DHCP leases to WebSocket clients, it is also the default DNS server
wsnic avoids allocating and copying internal buffers by using a buffer pool where possible.
- v86, the browser-based x86 emulator which wsnic was developed for.
- websockproxy, the project that inspired wsnic.