WireGuard with obfuscation support

el3xyz el3xyz at protonmail.com
Sun Sep 26 12:09:18 UTC 2021

Hey all,

I guess this topic is, at the very least, not new, but there is still no solution. In the country where I live, internet censorship increases year after year and more network operators start blocking WG. With that being done, I'm stuck with ShadowSocks, which is slower and less secure on desktops than WG. That said, I decided to implement obfuscation for WG, at least for my own use, and am kindly asking for code review and possible improvements:


To my understanding, there are several ways WG is detected by DPI:
* Port 51820 (easily fixed)
* 4-byte message tag
* Fixed message lengths
* MAC2, which is all zeroes unless a cookie message is received (high load scenario)

To make detection more difficult, two things are being done:
* Handshake initiation, response and cookie messages are padded with random-sized garbage
* Up to 192 bytes of each message are encrypted with an obfuscation key derived from the peer public key (different keys are used in different directions).

I have tools and Linux driver working already so anyone interested can try this out.
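
The fingerprints listed in the message above, written out as checks on a UDP payload. This is an added example, not part of the original post and not the poster's code; the function name, signal labels and sample payloads are assumptions made here, and the message sizes are those of the standard WireGuard wire format.

```python
import hashlib
import struct

# Fixed sizes in bytes from the WireGuard wire format, keyed by message type.
FIXED_LEN = {1: 148, 2: 92, 3: 64}  # initiation, response, cookie reply
NAMES = {1: "initiation", 2: "response", 3: "cookie", 4: "transport"}
MAC2_LEN = 16

def wg_signals(payload, dport=0):
    """Return which fingerprints from the list above a UDP payload matches."""
    signals = ["default-port"] if dport == 51820 else []
    if len(payload) < 4:
        return signals
    # The tag is a type byte plus three reserved zero bytes: a little-endian u32.
    (tag,) = struct.unpack_from("<I", payload)
    if tag not in NAMES:
        return signals
    signals.append("tag:" + NAMES[tag])
    if tag in FIXED_LEN:
        if len(payload) == FIXED_LEN[tag]:
            signals.append("fixed-length")
            # MAC2 is the last 16 bytes of initiation and response messages.
            if tag in (1, 2) and payload[-MAC2_LEN:] == bytes(MAC2_LEN):
                signals.append("zero-mac2")
    elif len(payload) >= 32 and len(payload) % 16 == 0:
        # Transport data: 16-byte header, padded ciphertext, 16-byte auth tag.
        signals.append("transport-length")
    return signals

def _filler(n):
    """Deterministic stand-in bytes for key material and ciphertext (constructed)."""
    return hashlib.shake_256(b"constructed sample").digest(n)

# Constructed sample payloads, not captured traffic.
SAMPLE_INIT = struct.pack("<I", 1) + _filler(148 - 4 - MAC2_LEN) + bytes(MAC2_LEN)
SAMPLE_RESP = struct.pack("<I", 2) + _filler(92 - 4 - MAC2_LEN) + bytes(MAC2_LEN)
SAMPLE_KEEPALIVE = struct.pack("<I", 4) + _filler(28)
# What a padded message with a masked header might look like (arbitrary bytes).
SAMPLE_MASKED = bytes([0xA7, 0x3C, 0x91, 0x5E]) + _filler(148 + 37 - 4)

if __name__ == "__main__":
    for name in ("SAMPLE_INIT", "SAMPLE_RESP", "SAMPLE_KEEPALIVE", "SAMPLE_MASKED"):
        print(name, wg_signals(globals()[name], dport=51820))
```

Padding alone removes the `fixed-length` and `zero-mac2` matches but leaves the tag visible, which is why the post pairs it with encrypting the start of each message.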
