net4people / bbs

Forum for discussing Internet censorship circumvention

Obfuscating Wireguard #223

Open antonw-25 opened 1 year ago

antonw-25 commented 1 year ago

Hi, to start off with, I don't know much about this and am relatively new. I was wondering if there is any way to obfuscate WireGuard (and doesn't mess up the speeds too much)? I have come across this - https://github.com/infinet/xt_wgobfs, however I don't think I set it up properly (not sure how to configure WGG clientside). I tried ss-libev and Outline, which I think uses ss go. libev didn't load websites and Outline only loaded google.com for some reason. I'm using a port which I know works because the WireGuard server I'm using right now works perfectly fine with it. I was looking into tunneling WireGuard with Shadowsocks, however I am not sure if I'm even doing it right - https://errande.com/2021/07/obfuscate-wireguard/ So if this is a good idea, if someone could give me a step by step setup it would be extremely helpful (thanks in advance). However, I am also not sure if this would be a massive bottleneck to wifi and if there's a better way to obfuscate. Please do tell about other obfuscation methods! By the way, I am running ansible-easy-vpn made by wolfgangschannel for simplicity, however I have a test server set up on just setting up WireGuard normally. Thanks!

cjhenck commented 1 year ago

I'm afraid I can't help on the wireguard front, but I am on the Outline team and was curious if you also had used the Outline server, or just the client? Were you able to do searches on Google or just the home page loaded? I'd like to make sure we are aware of any situations where it isn't performing as expected.

Thanks, and I hope you're able to get a setup working.

wkrp commented 1 year ago

Besides the xt_wgobfs you mentioned, a few other WireGuard obfuscation ideas have been discussed:

https://lists.zx2c4.com/pipermail/wireguard/2022-September/007835.html

In terms of obfuscation for the WireGuard protocol, here are some references:

Iptables WireGuard obfuscation extension https://lists.zx2c4.com/pipermail/wireguard/2022-September/007822.html https://github.com/infinet/xt_wgobfs

swgp-go (userspace obfuscation proxy) https://lists.zx2c4.com/pipermail/wireguard/2022-June/007638.html https://github.com/database64128/swgp-go https://github.com/net4people/bbs/issues/117

WireGuard with obfuscation support https://lists.zx2c4.com/pipermail/wireguard/2021-September/007142.html https://github.com/el3xyz/wireguard-linux-compat https://github.com/net4people/bbs/issues/88

WireGuard obfuscation using shadowsocks https://lists.zx2c4.com/pipermail/wireguard/2019-January/003809.html

Example config for swgp-go: https://github.com/net4people/bbs/issues/140#issuecomment-128241887

antonw-25 commented 1 year ago

@cjhenck Hi, I deployed the Outline server on DigitalOcean and when hosted on port 3478 it connected perfectly fine, however apart from loading Google searches I could not load anything else. I think pinging stuff in the CLI worked but I can't be 100% sure.

antonw-25 commented 1 year ago

@wkrp tysm, will have a look. However, I might need some help setting them up! Thanks!

antonw-25 commented 1 year ago

@wkrp I tried out some protocols including Trojan, trojan/grpc, vless/xtls, vmess/websocket and vless/grpc. They worked fine on my hotspot, which isn't restricted, however on the restricted wifi for some reason web pages aren't loading (server not found). I THINK I changed the port correctly, so I was wondering if there is another fix.

wkrp commented 1 year ago

@antonw-25 I'm afraid this is not the place to troubleshoot the connection. This forum is for research and development, not user support. You may be able to get help from the projects you mentioned. If you find out what's wrong, and you can attribute it to some action by a censor, you are welcome to share that technical information here.

Snawoot commented 10 months ago

Hello!

I would like to present a solution I developed to workaround blocking of Wireguard in Russia: https://github.com/Snawoot/dtlspipe

So far I already have reports about successful tests in real censorship conditions, but more feedback would be appreciated.

It uses well-known and fairly legit DTLS protocol to secure arbitrary UDP payload, which is suitable for Wireguard, UDP OpenVPN and many more other kinds of UDP traffic. Good luck!

0x391F commented 10 months ago

I wonder why not use a DTLS tunnel directly? It's as secure as OpenVPN/WireGuard and without additional complexity.

wkrp commented 10 months ago

It uses well-known and fairly legit DTLS protocol to secure arbitrary UDP payload

One thing to be aware of is possible DTLS fingerprinting. dtlspipe uses the same pion/dtls package as Snowflake, which has seen blocking of some DTLS handshake fingerprints in Russia.

Overview: https://github.com/turfed/snowflake-paper/blob/72cefe460f38a87150c46fa593eff53448bf1098/snowflake.tex#L2282

Something that would be nice to have, but doesn't exist yet, is something that does fingerprint camouflage for DTLS, the way uTLS does for TLS.

Snawoot commented 10 months ago

@wkrp Thanks! Added server option to skip Hello Verify Request and released v1.1.0. The rest seems already fine.

wkrp commented 6 months ago

At NTC there is a thread about AmneziaWG.

During the recent blocking of OpenVPN and WireGuard the Amnezia VPN team thought about creating their own protocol, which could help users to bypass the blocking without slowing down the speed (since OpenVPN over Cloak, which we recommended to install, was not very fast for obvious reasons).

Here is our implementation of the WireGuard protocol - AmneziaWG.

AmneziaWG (AmneziaWireGuard) is a fork of the WireGuard-Go with added features to bypass blocking and reduce the probability of protocol detection. One of the key features of AmneziaWG is backward compatibility with WireGuard. This means that when using AmneziaWG, unless specific parameters for protocol obfuscation are specified in the configuration, it will work like standard WireGuard.

What is the feature?

  • Before starting a session the client sends several packets with random data (the number of such packets Jc and their minimum and maximum size in bytes Jmin, Jmax is set in the config).
  • The header of the handshake packet (Initiator to Responder) and the response packet (Responder to Initiator) has been changed; these values are also set in the config (H1 and H2).
  • Handshake init packets additionally have garbage at the beginning of the data, the sizes are determined by S1 and S2 values. (by default, the handshake init packet has a fixed size (148 bytes), after adding garbage its size will be 148 + size of random bytes).
  • The header of data packets and special “Under Load” packets has been changed - H4 and H3 respectively.

More details about new customizable fields:

  1. Jc (Junk packet count) - number of packets with random data that are sent before the start of the session
  2. Jmin (Junk packet minimum size) - minimum packet size for Junk packet. That is, all randomly generated packets will have a size no smaller than Jmin.
  3. Jmax (Junk packet maximum size) - maximum size for Junk packets
  4. S1 (Init packet junk size) - the size of random data that will be added to the init packet, the size of which is initially fixed.
  5. S2 (Response packet junk size) - the size of random data that will be added to the response packet, the size of which is initially fixed.
  6. H1 (Init packet magic header) - the header of the first byte of the handshake
  7. H2 (Response packet magic header) - header of the first byte of the handshake response
  8. H4 (Transport packet magic header) - header of the packet of the data packet
  9. H3 (Underload packet magic header) - UnderLoad packet header.

As you can guess, the H1, H2, H3, H4 headers must be different. If you set Jc, S1 and S2 to zero, there will be no garbage.

There are 2 ways to test this protocol:

  1. Install Amnezia VPN on your server by downloading the client from the official website.
  2. Write to us by e-mail with a request to issue a config for testing this protocol (in the header of the e-mail you should specify “Testing AmneziaWG - NTC.PARTY”).

We ask everyone who is interested to test this protocol!

Any feedback on working/not working protocol and performance is welcome! Questions too.
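The packet changes listed above, as an added Python model written for this thread (not AmneziaWG's own code): it shows why a detector keyed to stock WireGuard's fixed type field and 148-byte init size stops matching once H1/S1 are set, and that with Jc, S1 and S2 at zero and H1..H4 at 1..4 the output is byte-identical to stock WireGuard. The exact layout (S1/S2 junk bytes placed before the 4-byte header) and the AmneziaParams class are assumptions; only the handshake init and response are modelled, and the 92-byte response size is the WireGuard protocol's, not from the post.

```python
import os
import random
import struct

# Stock WireGuard handshake sizes in bytes (148 is quoted in the post above; 92 is the
# handshake response size from the WireGuard protocol). The stock 4-byte little-endian
# message-type field is 1 (init) or 2 (response) followed by three zero bytes.
WG_INIT_LEN, WG_RESP_LEN = 148, 92

def wg_handshake_fingerprint(pkt: bytes):
    """Detector-side view: stock handshakes have a fixed type field and a fixed length."""
    if len(pkt) == WG_INIT_LEN and pkt[:4] == b"\x01\x00\x00\x00":
        return "handshake_init"
    if len(pkt) == WG_RESP_LEN and pkt[:4] == b"\x02\x00\x00\x00":
        return "handshake_response"
    return None

class AmneziaParams:
    """Hypothetical holder for the Jc/Jmin/Jmax/S1/S2/H1..H4 config values;
    the defaults reproduce stock WireGuard (no junk, stock headers 1..4)."""
    def __init__(self, jc=0, jmin=0, jmax=0, s1=0, s2=0, h1=1, h2=2, h3=3, h4=4):
        if len({h1, h2, h3, h4}) != 4 or jmin > jmax:
            raise ValueError("H1..H4 must be distinct and Jmin <= Jmax")
        self.jc, self.jmin, self.jmax, self.s1, self.s2 = jc, jmin, jmax, s1, s2
        self.h1, self.h2, self.h3, self.h4 = h1, h2, h3, h4

    def table(self):
        # stock type -> (magic header, junk size, stock packet length)
        return {1: (self.h1, self.s1, WG_INIT_LEN), 2: (self.h2, self.s2, WG_RESP_LEN)}

def junk_packets(p: AmneziaParams) -> list:
    """Jc packets of random bytes, each between Jmin and Jmax bytes long."""
    return [os.urandom(random.randint(p.jmin, p.jmax)) for _ in range(p.jc)]

def obfuscate(plain: bytes, p: AmneziaParams) -> bytes:
    """Assumed layout: S1/S2 random bytes, then H1/H2 in place of the stock
    type field, then the rest of the handshake packet unchanged."""
    magic, junk, stock_len = p.table().get(plain[0], (None, 0, -1))
    if plain[1:4] != b"\x00\x00\x00" or len(plain) != stock_len:
        raise ValueError("not a stock WireGuard handshake packet")
    return os.urandom(junk) + struct.pack("<I", magic) + plain[4:]

def deobfuscate(pkt: bytes, p: AmneziaParams) -> bytes:
    """Receiver side: match on total length, skip the junk, check the magic
    header and restore the stock type field."""
    for t, (magic, junk, stock_len) in p.table().items():
        if len(pkt) == stock_len + junk and struct.unpack_from("<I", pkt, junk)[0] == magic:
            return bytes([t, 0, 0, 0]) + pkt[junk + 4:]
    raise ValueError("no configured header/size matched")
```

The constructed sample handshakes are zero-filled after the type field, since only the header and length matter for this model.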