[WireGuard] Options to obfuscate WireGuard traffic?

Bruno Wolff III bruno at wolff.to
Sat Jul 9 17:49:47 CEST 2016


On Fri, Jul 08, 2016 at 21:13:02 +0200,
  Bin Jin <bjin at ctrl-d.org> wrote:
>> Actually there's already a PSK mode. I suppose it's possible to
>> leverage this to add an obfuscation layer. This is likely the most
>> robust way of doing things, in fact. I'll give this some more thought,
>> but it's kind of unlikely that I'll incorporate this into the
>> codebase.
>
>I see. It's a bit of a pity to learn that, but I understand it's kind of
>ugly and probably still not enough (due to fixed packet length for
>first two types). Thanks for explaining every detail.

I'm not sure it makes sense to combine the hiding of traffic with the 
secure tunneling of traffic. There are going to be different efficiency 
trades and there are going to be different traffic patterns available 
to try to blend into. So different people are going to want to use 
significantly different solutions to that problem. Given the design goals 
of WireGuard, I don't think it is something that would be particularly
good to combine with steganography.

I think for normal people this is more of a political problem than a
technical problem. We need real net neutrality, with ISPs not allowed
to block traffic based on content (e.g. being prohibited from charging
people extra to allow the use of VPNs). We need governments not passing
laws to make people compromise their own security (e.g. RIP in the UK),
nor should they prevent companies from providing applications or services
where the end user can guarantee their security (as some people are trying
to do in the US). Using strong unbreakable encryption when communicating
should be the norm, not something you need to hide.

