Development discussion of WireGuard
From: David Fifield <david@bamsoftware.com>
To: wireguard@lists.zx2c4.com
Subject: WireGuard protocol blocking in China, swgp-go (userspace obfuscation proxy)
Date: Thu, 9 Jun 2022 16:05:22 -0600
Message-ID: <20220609220522.kwqa4uvuc3sijlka@bamsoftware.com>

I am forwarding some information about WireGuard blocking and
anti-blocking that was posted to a censorship circumvention forum.

swgp-go is a userspace obfuscation proxy that aims to hide WireGuard's
distinctive protocol fingerprint (message_type and reserved_zero fields,
fixed packet lengths). It super-encrypts part or all of WireGuard
packets using a preshared symmetric key, and optionally adds padding.
The security of the channel relies on the encryption and authentication
of the underlying WireGuard tunnel, which requires less overhead than a
general-purpose circumvention proxy would.

https://github.com/database64128/swgp-go
https://github.com/net4people/bbs/issues/117

There is a past discussion on this mailing list of something similar.
That one was in the kernel; this one is in userspace.
https://lists.zx2c4.com/pipermail/wireguard/2021-September/007142.html
https://github.com/net4people/bbs/issues/88

Separately, the swgp-go announcement post comments on the dynamics of
WireGuard blocking in China:

> The GFW will block the remote peer's UDP port for a few days after
> about a week's continuous usage.
> ...
> ... the GFW only started blocking WireGuard on IPv4 this February.

GFW = Great Firewall, the collective name for various censorship systems
used by the government of China. The pattern of "detect, then block for
a limited time, then unblock" is typical for the GFW, though the time
intervals are usually rather shorter. For example, when the GFW began to
block the use of the ESNI extension in TLS 1.3, it would block the
server endpoint for 120 or 180 seconds:
https://gfw.report/blog/gfw_esni_blocking/en/#residual-censorship

I have not confirmed the reported blocking behavior in China. It's worth
keeping in mind also that blocking in China can differ across networks
and geographic regions. I did find a Reddit post from 3 months ago, from
the Fuzhou region, saying that WireGuard is detected and blocked within
24 hours:
https://www.reddit.com/r/WireGuard/comments/t0bpy3/wireguard_detected_and_blocked_by_gfw/

A past message on this mailing list about temporary problems with the
WireGuard protocol in Russia last year:
https://lists.zx2c4.com/pipermail/wireguard/2021-September/007050.html
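
The fingerprint described in the message above (message_type byte, three reserved_zero bytes, fixed packet lengths), written out as a passive classifier. This is an added example, not part of the original message and not code from swgp-go or WireGuard; the function names and the sample payloads are constructed for illustration.

```go
package main

import "fmt"

// WireGuard message types (first byte of the UDP payload).
const (
	typeInitiation = 1 // always 148 bytes
	typeResponse   = 2 // always 92 bytes
	typeCookie     = 3 // always 64 bytes
	typeTransport  = 4 // 16-byte header + 16-byte tag + payload padded to 16
)

// classifyWireGuard returns the message kind if the UDP payload matches the
// plaintext header and length pattern, or "" if it does not.
func classifyWireGuard(p []byte) string {
	// message_type is followed by three reserved_zero bytes.
	if len(p) < 4 || p[1] != 0 || p[2] != 0 || p[3] != 0 {
		return ""
	}
	switch {
	case p[0] == typeInitiation && len(p) == 148:
		return "handshake-initiation"
	case p[0] == typeResponse && len(p) == 92:
		return "handshake-response"
	case p[0] == typeCookie && len(p) == 64:
		return "cookie-reply"
	case p[0] == typeTransport && len(p) >= 32 && len(p)%16 == 0:
		return "transport-data"
	}
	return ""
}

// sample builds a constructed payload: type byte, zero bytes, then filler.
func sample(msgType byte, size int) []byte {
	p := make([]byte, size)
	p[0] = msgType
	for i := 4; i < size; i++ {
		p[i] = byte(i*31 + 7) // filler standing in for ciphertext
	}
	return p
}

func main() {
	masked := sample(typeInitiation, 148+37) // constructed: padded length
	masked[0], masked[1] = 0x9c, 0x41        // constructed: header not in plaintext
	for _, p := range [][]byte{sample(1, 148), sample(2, 92), sample(4, 112), masked} {
		fmt.Printf("len=%3d first4=%x -> %q\n", len(p), p[:4], classifyWireGuard(p))
	}
}
```

The last sample shows why encrypting the header and adding padding, as the message describes, removes both signals the classifier relies on.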
