Rohde & Schwarz Adds Emerging WireGuard VPN Protocol to its Deep Packet Inspection (DPI) Software Library, R&S(R) PACE 2

Fredrik Strömberg stromberg at
Thu Jan 24 12:01:54 CET 2019

Deep Packet Inspection is the term used to describe detailed
inspection of network traffic.

A firewall might allow, block, or log traffic based on source or
destination IP address. Or it might do so by looking at TCP and UDP
headers inside the IP packet frame. Or, the firewall will even look at
the payload inside a TCP or UDP packet frame, and that is called Deep
Packet Inspection.

WireGuard uses UDP, and by looking at the payload of those UDP packets
it is trivial to distinguish from other protocols. An experienced
network sysadmin could write you a firewall rule that blocks WireGuard
in a few minutes. Obfuscation is not a goal of WireGuard, so this not
a problem for WireGuard, the project.

It will however be a problem for those blocked by this equipment. Like
all technology, this DPI equipment is a double-edged sword. Will it be
sold to a government so they can block privacy-seeking dissidents from
using WireGuard, or will it be sold to an organization that has a more
legitimate need to block WireGuard traffic?

The solution is to use an obfuscation protocol that encapsulates
WireGuard, just like Tor users in censored countries do.


More information about the WireGuard mailing list