-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Obfuscating WireGuard #223
Comments
I'm afraid I can't help on the wireguard front, but I am on the Outline team and was curious if you also had used the Outline server, or just the client? Were you able to do searches on Google or just the home page loaded? I'd like to make sure we are aware of any situations where it isn't performing as expected. Thanks, and I hope you're able to get a setup working. |
Besides the xt_wgobfs you mentioned, a few other WireGuard obfuscation ideas have been discussed: https://lists.zx2c4.com/pipermail/wireguard/2022-September/007835.html
Example config for swgp-go: #140 (comment) |
@cjhenck Hi, i deployed the outline server on digital ocean and when hosted on port 3478 connected perfectly fine, however apart from loading google searches I could not load anything else. I think pinging stuff in cli worked but i cant be 100% sure. |
@wkrp tysm, will have a look. however i might need some help setting them up! Thanks! |
@wkrp I tried out some protocols including - Trojan, trojan/grpc, vless/xtls, vmess/websocket, vless/grpc. They worked fine on my hotspot which isn't restricted, however on the restricted wifi for some reason web pages aren't loading (server not found). I THINK i changed the port corerctly, so I was wondering if there is another fix. |
@antonw-25 I'm afraid this is not the place to troubleshoot the connection. This forum is for research and development, not user support. You may be able to get help from the projects you mentioned. If you find out what's wrong, and you can attribute it to some action by a censor, you are welcome to share that technical information here. |
Hello! I would like to present a solution I developed to workaround blocking of Wireguard in Russia: https://github.com/Snawoot/dtlspipe So far I already have reports about successful tests in real censorship conditions, but more feedback would be appreciated. It uses well-known and fairly legit DTLS protocol to secure arbitrary UDP payload, which is suitable for Wireguard, UDP OpenVPN and many more other kinds of UDP traffic. Good luck! |
I wonder why not use DTLS tunnel directly? It's as security as OpenVPN/WireGuard and without additional complexity. |
One thing to be aware of is possible DTLS fingerprinting. dtlspipe uses the same pion/dtls package as Snowflake, which has seen blocking of some DTLS handshake fingerprints in Russia.
Something that would be nice to have, but doesn't exist yet, is something that does fingerprint camouflage for DTLS, the way uTLS does for TLS. |
At NTC there is a thread about AmneziaWG.
|
Mentioned at #400: https://github.com/ClusterM/wg-obfuscator
|
@Snawoot Since we last wrote, there has appeared https://github.com/theodorsm/covert-dtls by @theodorsm. "covertDTLS is a library inspired by uTLS for offering fingerprint-resistance features to pion/dtls." The development of and motivation behind covertDTLS is described in @thedorsm's master's thesis, "Reducing distinguishability of DTLS for usage in Snowflake".
More information: |
Hi,
To start off with, I don't know much about this and am relatively new.
I was wondering if there is anyway to obfuscate wireguard (and doesn't mess up the speeds too much)?
I have come accross this - https://github.com/infinet/xt_wgobfs, however i don't think i set it up properly (not sure how to configure WGG clientside)
i tried ss-libev and outline which i tihnk uses ss go. libev didn't load websites and outline only loaded google.com for some reason.
im using a port which i know works because the wireguard server im using right now works perfectly fine with it.
I was looking into tunneling wireguard with shadowsocks, however I am not sure if im even doing it right - https://errande.com/2021/07/obfuscate-wireguard/ So if this is a good idea if someone could give me a step by step setup would be extremely helpful. (thanks in advance), however I am also not sure if this would be a massive bottleneck to wifi and fi theres a better way to obfuscate.
Please do tell about other obfuscation methods!
By the way, i am running ansible-easy-vpn made by wolfgangschannel for simplicity, however I have a test server setup on just setting up wireguard normally.
Thanks!
The text was updated successfully, but these errors were encountered: