Building DPI bypass systems on top of wireguard

Amir Omidi amir at
Wed Jun 19 02:41:16 CEST 2019


I've lived in countries under oppressive DPI systems and I want to see if
its possible to create a DPI bypass system using the wireguard protocol.
During my time under these DPI systems, I've seen them evolve and grow and
get stronger and better in detecting various bypass systems.

In Iran, when there's a lot of political news the government deploys a
traffic/endpoint ratio strategy. Essentially, instead of blocking specific
protocols, they block amount of traffic going to a specific IP (or
sometimes IP:PORT combination if they want to be less strict). This breaks
every single bypassing solution as they all rely on sending traffic to
another endpoint.

The strategy I had in mind was creating a microservice VPN that can be
deployed across thousands of endpoints with thousands of IPs and Ports. The
servers would be in contact with each other to "restructure" a packet that
has gone through to them, and send it off to the actual endpoint.

Essentially, the client can split a packet into many pieces, send it off to
a thousand systems, and then get a response back from several servers and
reconstruct the actual message itself. This would break the ratio based
detection system. Alongside general hiding techniques such as masquarding
as https/dns/QUIC traffic, this could be a pretty robust and unstoppable
system. Especially with IPv6 becoming a lot more popular and maintaining an
IP ban list much more expensive.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the WireGuard mailing list