Obfuscating WireGuard

[antonw-25]

Hi,
To start off with, I don't know much about this and am relatively new.
I was wondering if there is anyway to obfuscate wireguard (and doesn't mess up the speeds too much)?
I have come accross this - https://github.com/infinet/xt_wgobfs, however i don't think i set it up properly (not sure how to configure WGG clientside)
i tried ss-libev and outline which i tihnk uses ss go. libev didn't load websites and outline only loaded google.com for some reason.
im using a port which i know works because the wireguard server im using right now works perfectly fine with it.
I was looking into tunneling wireguard with shadowsocks, however I am not sure if im even doing it right - https://errande.com/2021/07/obfuscate-wireguard/ So if this is a good idea if someone could give me a step by step setup would be extremely helpful. (thanks in advance), however I am also not sure if this would be a massive bottleneck to wifi and fi theres a better way to obfuscate.
Please do tell about other obfuscation methods!
By the way, i am running ansible-easy-vpn made by wolfgangschannel for simplicity, however I have a test server setup on just setting up wireguard normally.
Thanks!

[cjhenck]

I'm afraid I can't help on the wireguard front, but I am on the Outline team and was curious if you also had used the Outline server, or just the client? Were you able to do searches on Google or just the home page loaded? I'd like to make sure we are aware of any situations where it isn't performing as expected.

Thanks, and I hope you're able to get a setup working.

[wkrp]

Besides the xt_wgobfs you mentioned, a few other WireGuard obfuscation ideas have been discussed:

https://lists.zx2c4.com/pipermail/wireguard/2022-September/007835.html

In terms of obfuscation for the WireGuard protocol, here are some references:

Iptables WireGuard obfuscation extension
https://lists.zx2c4.com/pipermail/wireguard/2022-September/007822.html
https://github.com/infinet/xt_wgobfs

swgp-go (userspace obfuscation proxy)
https://lists.zx2c4.com/pipermail/wireguard/2022-June/007638.html
https://github.com/database64128/swgp-go
#117

WireGuard with obfuscation support
https://lists.zx2c4.com/pipermail/wireguard/2021-September/007142.html
https://github.com/el3xyz/wireguard-linux-compat
#88

WireGuard obfuscation using shadowsocks
https://lists.zx2c4.com/pipermail/wireguard/2019-January/003809.html

Example config for swgp-go: #140 (comment)

[antonw-25]

@cjhenck Hi, i deployed the outline server on digital ocean and when hosted on port 3478 connected perfectly fine, however apart from loading google searches I could not load anything else. I think pinging stuff in cli worked but i cant be 100% sure.

[antonw-25]

@wkrp tysm, will have a look. however i might need some help setting them up! Thanks!

[antonw-25]

@wkrp I tried out some protocols including - Trojan, trojan/grpc, vless/xtls, vmess/websocket, vless/grpc. They worked fine on my hotspot which isn't restricted, however on the restricted wifi for some reason web pages aren't loading (server not found). I THINK i changed the port corerctly, so I was wondering if there is another fix.

[wkrp]

@antonw-25 I'm afraid this is not the place to troubleshoot the connection. This forum is for research and development, not user support. You may be able to get help from the projects you mentioned. If you find out what's wrong, and you can attribute it to some action by a censor, you are welcome to share that technical information here.

[Snawoot]

Hello!

I would like to present a solution I developed to workaround blocking of Wireguard in Russia: https://github.com/Snawoot/dtlspipe

So far I already have reports about successful tests in real censorship conditions, but more feedback would be appreciated.

It uses well-known and fairly legit DTLS protocol to secure arbitrary UDP payload, which is suitable for Wireguard, UDP OpenVPN and many more other kinds of UDP traffic. Good luck!

[0x391F]

I wonder why not use DTLS tunnel directly? It's as security as OpenVPN/WireGuard and without additional complexity.

[wkrp]

It uses well-known and fairly legit DTLS protocol to secure arbitrary UDP payload

One thing to be aware of is possible DTLS fingerprinting. dtlspipe uses the same pion/dtls package as Snowflake, which has seen blocking of some DTLS handshake fingerprints in Russia.

Overview:
https://github.com/turfed/snowflake-paper/blob/72cefe460f38a87150c46fa593eff53448bf1098/snowflake.tex#L2282

• 2021-12-01: Presence of a supported_groups extension in Server Hello.
  This one got fixed on 2021-12-14 and 2021-12-20
• 2022-05: Contents of supported_groups in Client Hello
  The fingerprint blocking was confirmed, but it didn't seem to affect Snowflake. It seemed to go away by 2022-07.
• 2022-07: Presence of Hello Verify Request message
  This one was worked around by patching pion/dtls not to send Hello Verify Request. Mitigation released on 2023-02-15.

Something that would be nice to have, but doesn't exist yet, is something that does fingerprint camouflage for DTLS, the way uTLS does for TLS.

[Snawoot]

@wkrp Thanks! Added server option to skip Hello Verify Request and released v1.1.0. The rest seems already fine.

[wkrp]

At NTC there is a thread about AmneziaWG.

• Call the testers: AmneziaWG protocol

During the recent blocking of OpenVPN and WireGuard the Amnezia VPN team thought about creating their own protocol, which could help users to bypass the blocking without slowing down the speed (since OpenVPN over Cloak, which we recommended to install, was not very fast for obvious reasons).

Here is our implementation of the WireGuard protocol - AmneziaWG.

AmneziaWG (AmneziaWireGuard) is a fork of the WireGuard-Go with added features to bypass blocking and reduce the probability of protocol detection. One of the key features of AmneziaWG is backward compatibility with WireGuard. This means that when using AmneziaWG, unless specific parameters for protocol obfuscation are specified in the configuration, it will work like standard WireGuard.

What is the feature?

• Before starting a session the client sends several packets with random data (the number of such packets Jc and their minimum and maximum size in bytes Jmin, Jmax is set in the config).
• The header of handshake packet (Initiator to Responder) and response packet (Responder to Initiator) has been changed, these values are also set in config (H1 and H2).
• Handshake init packets additionally have garbage at the beginning of the data, the sizes are determined by S1 and S2 values. (by default, the handshake init packet has a fixed size (148 bytes), after adding garbage its size will be 148 + size of random bytes).
• The header of data packets and special “Under Load” packets has been changed - H4 and H3 respectively.

More details about new customizable fields:

1. Jc (Junk packet count) - number of packets with random data that are sent before the start of the session
2. Jmin (Junk packet minimum size) - minimum packet size for Junk packet. That is, all randomly generated packets will have a size no smaller than Jmin.
3. Jmax (Junk packet maximum size) - maximum size for Junk packets
4. S1 (Init packet junk size) - the size of random data that will be added to the init packet, the size of which is initially fixed.
5. S2 (Response packet junk size) - the size of random data that will be added to the response packet, the size of which is initially fixed.
6. H1 (Init packet magic header) - the header of the first byte of the handshake
7. H2 (Response packet magic header) - header of the first byte of the handshake response
8. H4 (Transport packet magic header) - header of the packet of the data packet
9. H3 (Underload packet magic header) - UnderLoad packet header.

As you can guess, the H1, H2, H3, H4 headers must be different. If you set Jc, S1 and S2 to zero, there will be no garbage.

There are 2 ways to test this protocol:

1. Install Amnezia VPN on your server by downloading the client from the official website.
2. Write to us by e-mail with a request to issue a config for testing this protocol (in the header of the e-mail you should specify “Testing AmneziaWG - NTC.PARTY”).

We ask everyone who is interested to test this protocol!

Any feedback on working/not working protocol and performance is welcome! Questions too.

[wkrp]

Mentioned at #400:

https://github.com/ClusterM/wg-obfuscator

This is a simple obfuscator for WireGuard. It is designed to make it harder to detect WireGuard traffic by making it look like something else. It does this by wrapping WireGuard packets in a layer of obfuscation using a simple XOR cipher. Usefull for bypassing DPI (Deep Packet Inspection) firewalls, e.g. if your ISP/government blocks WireGuard traffic.

Since the obfuscator is a simple XOR cipher, it is totally simmetric. You need to install this application on the same network as the WireGuard peer you want to obfuscate, you need to do this on the other peer too. The obfuscator will then obfuscate the WireGuard packets and send them to the Internet. On the other side the obfuscator will deobfuscate the packets and send them to the WireGuard peer.

[wkrp]

Something that would be nice to have, but doesn't exist yet, is something that does fingerprint camouflage for DTLS, the way uTLS does for TLS.

@Snawoot Since we last wrote, there has appeared https://github.com/theodorsm/covert-dtls by @theodorsm. "covertDTLS is a library inspired by uTLS for offering fingerprint-resistance features to pion/dtls."

The development of and motivation behind covertDTLS is described in @thedorsm's master's thesis, "Reducing distinguishability of DTLS for usage in Snowflake".

We have seen that censors have been able to do so by fingerprinting the DTLS implementation that is produced by the Pion library used by Snowflake. The aim of this thesis is to reduce the distinguisability of said DTLS library. We developed a tool named, dfind for analyzing and finding passive field-based fingerprints of DTLS. This tool was validated using a data set with known fingerprints, and found that the extensions field was especially vulnerable for identification. To combat such fingerprints, we implemented covertDTLS, a Go library inspired by uTLS. Our module extends the Pion DTLS library with handshake hooking to offer mimicry and randomization features. To ensure that mimicking remains up-to-date, we developed a novel continuous delivery workflow for generating fresh DTLS-WebRTC handshakes from popular browsers.

More information:
https://lists.torproject.org/pipermail/anti-censorship-team/2024-August/000350.html