Development discussion of WireGuard
From: el3xyz <el3xyz@protonmail.com>
To: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: WireGuard with obfuscation support
Date: Sun, 26 Sep 2021 12:09:18 +0000
Message-ID: <XhEJRjPvvlk57PFUWApI0RPX2-dCuDbQ9RYxw9Y5GxzMs8YEpwVc4U-fR3avC-NT1X2UlBNQerMkOxgqrue_EEOtyZR18V329KuKev_i3aE=@protonmail.com>

Hey all,

I guess this topic is, at the very least, not new, but there is still no solution. In the country where I live, internet censorship increases year after year and more network operators start blocking WG. With that being done, I'm stuck with ShadowSocks, which is slower and less secure on desktops than WG. That said, I decided to implement obfuscation for WG, at least for my own use, and am kindly asking for code review and possible improvements:

https://github.com/el3xyz/wireguard-linux-compat

To my understanding there are several ways WG is detected by DPI
* Port 51820 (easily fixed)
* 4-byte message tag
* Fixed message lengths
* MAC2 which is all zeroes, unless cookie message is received (high load scenario)


To make detection more difficult two things are being done
* handshake initiation, response and cookie messages are padded with random sized garbage
* Up to 192 bytes of each message are encrypted with an obfuscation key derived from the peer public key (different keys are used in different directions).

I have tools and Linux driver working already so anyone interested can try this out.
Cheers
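The four DPI indicators listed in the post, written out as a classifier so the fingerprint can be checked against real UDP payloads. This is an added example and not code from the post or from the linked repository; it relies only on the standard WireGuard wire formats (type byte plus three reserved zero bytes, 148-byte initiation, 92-byte response, 64-byte cookie reply, transport packets of 32 bytes or more with a 16-byte-aligned length, MAC2 in the last 16 bytes of initiation and response). The sample packets are constructed inline, and `pad_with_garbage` is a hypothetical stand-in for the "random sized garbage" step described above, used only to show which indicators padding alone removes and which it leaves in place.

```python
"""Fingerprint WireGuard UDP payloads the way a DPI box could, and show
what random trailing padding does and does not hide.

Added example; not part of the original post or the linked repository.
Wire-format constants follow the WireGuard protocol specification."""
import os
import random

MSG_HANDSHAKE_INITIATION = 1
MSG_HANDSHAKE_RESPONSE = 2
MSG_COOKIE_REPLY = 3
MSG_TRANSPORT_DATA = 4

# Fixed lengths of the three handshake-phase message types.
EXPECTED_LEN = {
    MSG_HANDSHAKE_INITIATION: 148,
    MSG_HANDSHAKE_RESPONSE: 92,
    MSG_COOKIE_REPLY: 64,
}
# Offset of the 16-byte MAC2 field (last field) in initiation/response.
MAC2_OFFSET = {MSG_HANDSHAKE_INITIATION: 132, MSG_HANDSHAKE_RESPONSE: 76}


def wireguard_fingerprint(payload: bytes) -> list[str]:
    """Return the list of DPI indicators a payload matches, in order.

    An empty list means "does not look like WireGuard" to this heuristic.
    """
    hits: list[str] = []
    if len(payload) < 4:
        return hits
    msg_type = payload[0]
    # Indicator 1: 4-byte tag = known type byte followed by three zero bytes.
    if payload[1:4] != b"\x00\x00\x00" or msg_type not in (1, 2, 3, 4):
        return hits
    hits.append(f"type-tag:{msg_type}")

    if msg_type in EXPECTED_LEN:
        # Indicator 2: handshake messages have exactly one legal length.
        if len(payload) == EXPECTED_LEN[msg_type]:
            hits.append("fixed-length")
            # Indicator 3: MAC2 is all zeroes unless a cookie was received.
            off = MAC2_OFFSET.get(msg_type)
            if off is not None and payload[off:off + 16] == bytes(16):
                hits.append("mac2-zero")
    elif len(payload) >= 32 and len(payload) % 16 == 0:
        # Transport data: 16-byte header + 8-byte counter + padded
        # ciphertext + 16-byte tag, so total length is a multiple of 16.
        hits.append("transport-length-mod16")
    return hits


def pad_with_garbage(payload: bytes, rng: random.Random) -> bytes:
    """Hypothetical obfuscation step: append 1..64 random trailing bytes.

    Stand-in for the padding described in the post, not its actual code.
    """
    return payload + rng.randbytes(rng.randint(1, 64))


def build_initiation(mac2: bytes = bytes(16)) -> bytes:
    """Constructed 148-byte handshake initiation with random field contents."""
    return (bytes([MSG_HANDSHAKE_INITIATION, 0, 0, 0])
            + os.urandom(4)      # sender index
            + os.urandom(32)     # unencrypted ephemeral
            + os.urandom(48)     # encrypted static (32 + 16 tag)
            + os.urandom(28)     # encrypted timestamp (12 + 16 tag)
            + os.urandom(16)     # mac1
            + mac2)              # mac2, all zero unless under load


# Constructed sample inputs.
SAMPLE_INITIATION = build_initiation()
SAMPLE_KEEPALIVE = bytes([MSG_TRANSPORT_DATA, 0, 0, 0]) + os.urandom(28)
SAMPLE_TLS_LIKE = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + os.urandom(40)
PADDED_INITIATION = pad_with_garbage(SAMPLE_INITIATION, random.Random(7))


def padding_removes_length_indicators() -> bool:
    """Padding alone defeats the length and MAC2 checks but not the tag."""
    before = wireguard_fingerprint(SAMPLE_INITIATION)
    after = wireguard_fingerprint(PADDED_INITIATION)
    return ("fixed-length" in before and "mac2-zero" in before
            and "fixed-length" not in after and "mac2-zero" not in after
            and "type-tag:1" in after)


if __name__ == "__main__":
    for name, pkt in [("initiation", SAMPLE_INITIATION),
                      ("padded initiation", PADDED_INITIATION),
                      ("keepalive", SAMPLE_KEEPALIVE),
                      ("tls-like", SAMPLE_TLS_LIKE)]:
        print(f"{name:18} {len(pkt):4d} bytes -> {wireguard_fingerprint(pkt)}")
```

Running it shows why the post needs both steps: padding knocks out the fixed-length and zero-MAC2 indicators, but the `type-tag` hit survives until the leading bytes are also encrypted.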


Thread overview: 15+ messages
2021-09-26 12:09 el3xyz [this message]
2021-09-27  0:53 ` Nico Schottelius
2021-09-27  7:11   ` Bruno Wolff III
2021-09-27  7:34     ` Roman Mamedov
2021-09-27  9:14       ` Bruno Wolff III
2021-09-27  9:36         ` Roman Mamedov
2021-09-27 10:21           ` Bruno Wolff III
2021-09-27 13:01             ` Konstantin Ryabitsev
2021-09-27 13:48               ` Lonnie Abelbeck
2021-09-27 15:28             ` StarBrilliant
2021-09-27 15:59               ` Nico Schottelius
2021-09-27 16:37                 ` StarBrilliant
2021-09-27  7:44     ` Nico Schottelius
2021-09-27  8:17       ` Fredrik Strömberg
2021-09-27 16:21 ` Jason A. Donenfeld
