Wiretap is a transparent, VPN-like proxy server that tunnels network traffic via WireGuard without requiring special privileges to run.
Wiretap enables users to securely route traffic through a WireGuard-based proxy server, allowing clients to access remote network resources as if they were on the same local network. It is ideal for network administrators and security professionals who need to create flexible, multi-hop VPN-like connections without complex privilege requirements or infrastructure changes.
The Wiretap Server runs without special privileges, but the Client needs privileged access (typically root or admin rights) to configure WireGuard interfaces. The Server must allow bidirectional UDP communication on a single port; by default, the Server initiates the handshake. UDP is preferred; TCP tunneling is available experimentally but is not recommended for production. Proper firewall configuration is essential to ensure connectivity. Wiretap supports chaining multiple Servers to extend network reach, and Clients can reconfigure the network dynamically.
Download Wiretap binaries from the GitHub releases page for your Client and Server OS/architecture.
Copy the Wiretap binary onto the Server machine.
Ensure WireGuard is installed on the Client machine.
Verify the Client has privileged access to configure WireGuard interfaces (usually root/admin).
Run Wiretap commands on Client and Server as needed.
./wiretap configure --endpoint <IP>:<port> --routes <CIDRs>
Configure the Client with the Server endpoint and routing CIDRs.
./wiretap serve
Run the Wiretap Server to receive and relay network traffic.
./wiretap status
Check the current status of the Wiretap network and connections.
./wiretap add-server
Add an additional Wiretap Server to the network (optional).
./wiretap add-client
Add a new Client to the Wiretap network (optional).
./wiretap expose <port>
Set up port forwarding to expose services through the Wiretap network.
./wiretap expose list
List active port forwarding rules.
./wiretap expose remove <port>
Remove a port forwarding rule.