From: Nico Schottelius <nico.schottelius@ungleich.ch>
To: StarBrilliant <coder@poorlab.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: WireGuard with obfuscation support
Date: Tue, 28 Sep 2021 00:59:19 +0900 [thread overview]
Message-ID: <87tui6yozj.fsf@ungleich.ch> (raw)
In-Reply-To: <d071a9ed-a1cf-4b4c-85ba-8a918a6e331a@www.fastmail.com>
StarBrilliant <coder@poorlab.com> writes:
> On Mon, Sep 27, 2021, at 10:21, Bruno Wolff III wrote:
>> If your ISP is blocking your Wireguard traffic call them up and complain.
>
> All ISPs in China is blocking Wireguard traffic. If you call any of
> them up, you will end up in jail. There was a case where one user sued
> their ISP for blocking Google, and got prosecuted until disappear in
> public.
> [...]
Thanks a lot for the detailed explanation. While we have become a bit
off-topic (more of the why then the how) in regards to wireguard, I
think above explanation is important.
Wireguard's purpose is to be a secure VPN tunnel and I personally would
love if we can add "reliable" to its feature list. However that would
need more advanced support, like obfuscation is providing.
I'm not saying obfuscation is the only method, but compared to
a DPI with statistical analysis, I think we are pretty far away from
being reliable in hostile networks. Maybe extending wireguard with
obfuscation is out of scope of this project, but then it might be an
idea to wrap the wireguard traffic into other protocols.
I'm not sure how much wireguard depends on the IP/UDP layers, but
assuming it only uses it for payload, maybe it makes sense to
wrap wireguard into HTTP, HTTPS, SMTP (+TLS), IMAP(S) or even DNS
(slow). I am aware that there is a variety of tools out there that
handle some of the tunnel ideas.
Given that all of these approaches are actually rather trivial to
implement, is there any easy way to grab the outgoing wireguard packets
without the need of creating n artifical local UDP endpoints?
Best regards,
Nico
--
Sustainable and modern Infrastructures by ungleich.ch
next prev parent reply other threads:[~2021-09-27 16:14 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-26 12:09 el3xyz
2021-09-27 0:53 ` Nico Schottelius
2021-09-27 7:11 ` Bruno Wolff III
2021-09-27 7:34 ` Roman Mamedov
2021-09-27 9:14 ` Bruno Wolff III
2021-09-27 9:36 ` Roman Mamedov
2021-09-27 10:21 ` Bruno Wolff III
2021-09-27 13:01 ` Konstantin Ryabitsev
2021-09-27 13:48 ` Lonnie Abelbeck
2021-09-27 15:28 ` StarBrilliant
2021-09-27 15:59 ` Nico Schottelius [this message]
2021-09-27 16:37 ` StarBrilliant
2021-09-27 7:44 ` Nico Schottelius
2021-09-27 8:17 ` Fredrik Strömberg
2021-09-27 16:21 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87tui6yozj.fsf@ungleich.ch \
--to=nico.schottelius@ungleich.ch \
--cc=coder@poorlab.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).