Closed evangelme closed 3 days ago
Hello!
I understand in general terms what you want, but I don't understand why you would need it.
What exactly doesn't work for you if both sides use IPv4? Does dtlspipe work in your country at all?
What doesn't work if you use udptlspipe instead?
Thank you for your response. Let me clarify the issue I’m facing in my country.
Imagine I have a server with an IP address of 22.22.22.22, and I’m running a VPN protocol on it. After 2-3 days, my country’s filtering system blocks requests sent to this IP. To bypass this, I’ve been using a method similar to udptlspipe, where:
1. I have two IPv4 addresses (for example, "22.22.22.22" and "33.33.33.33") and an IPv6 address.
2. The client sends data to the server using "22.22.22.22" and receives data back from either "33.33.33.33" or the IPv6 address (which will be the public IP of the client).
This way, if the filtering system blocks "33.33.33.33" (the IP used for receiving data), my service remains unaffected because the initial data is still being sent to "22.22.22.22," which the filtering system doesn’t see, so it doesn’t get blocked.
The problem is that udptlspipe allows different IPs for sending and receiving, but it’s slower than dtlspipe. However, dtlspipe doesn’t support using separate IPs for sending and receiving data. I was wondering if it’s possible to implement something similar to udptlspipe in dtlspipe to allow different IPs?
I’ve tried implementing this in Go (I mean adding this to dtlspipe), but I haven’t been successful since I’m not very experienced with Go. Is there any way to add this feature?
Okay, now I see. I need to think about it a bit.
To me it looks like a big issue that the server is getting identified as a VPN in the first place.
Which options for udptlspipe do you use to achieve the desired behavior? Are we talking about https://github.com/ameshkov/udptlspipe? I just checked and I don't see such an option for separation of upstream and downstream traffic by different server addresses.
Here’s how I set it up on the server side:
I have two IPs on my server, and I designate one as the main IP. When a request is sent to the secondary IP, the server responds with the main IP. You ask, "I don't see such option for separation of upstream and downstream traffic by different server addresses," so I do this on the server side.
For example, in the scenario I described, I make "22.22.22.22" the secondary IP, and when the client requests data through it, the server receives the data on "33.33.33.33," the main IP.
For TLS over WireGuard, I primarily use wstunnel (https://github.com/erebe/wstunnel), but I’ve also checked with udptlspipe and it works as well.
To summarize: if dtlspipe on the server is set up with the same configuration (sending data through one IP and receiving on another), it will receive the data with one IP and send the data to the client with another IP. However, DTLS doesn’t accept this separation and it will give a client error.
If it helps, I can set up a Linux server now with DTLS and two IPv4 addresses, then give you SSH access to test and see what I mean. It would only take about 10 minutes to configure. This way, you can directly check the setup.
Thanks again for your time and consideration on this issue—I really appreciate it!
Could you please contact me on Telegram, my nickname is @Snawoot
?
Because in some countries they do not have IPv6 by themselves and DTLS should have the same IP for send and receive. How to implement this for the countries that do not have IPv6 by default? Can you implement something that does not give us an error when the IP of the receiver changes, like udptlspipe? Because in this way we send IPv4 to the server and receive IPv6 as a result, and the client IP will be IPv6. Thank you.