WireGuard with obfuscation support
Roman Mamedov
rm at romanrm.net
Mon Sep 27 09:36:28 UTC 2021
On Mon, 27 Sep 2021 04:14:35 -0500
Bruno Wolff III <bruno at wolff.to> wrote:
> This isn't a simple problem. The assumption is that someone is seeing
> your network traffic and blocking it.
The assumption is that there's an appliance at the ISP which has a DROP rule
for UDP with 4 fixed bytes at a fixed offset. It has five hundred other rules
to process as well, so it can't spend "too much" time on specifically WG.
> They are still going to see it even if you disguise it.
With obfuscation there would be UDP packets of random junk, and it would be a
much harder job to come up with a rule to drop those without affecting
anything else.
> So you are going to need to disguise it as something that whoever is
> watching isn't going to care about. That is going to vary a lot depending on
> who is watching. You may also need to hide who you are communicating with.
> In some cases that will be even more important.
You are going full-on "Enemy of the state" movie. The reality is most often a
lot simpler and more benign.
> There are going to be a number of ways to detect Wireguard traffic and
> it is pretty unlikely that the bar for detection can be raised enough to
> be relevant with a few simple changes to the protocol.
That's not a justification for not trying at all.
--
With respect,
Roman
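
Added example, not part of the original message and not WireGuard project code: a model of the fixed-header match discussed above, showing what such a rule hits and misses. It goes beyond the single rule in the message by covering all four message types and a per-type length check; the type values and sizes are taken from the public WireGuard protocol description, and every sample payload is constructed.

```python
# Added example: models a fixed-header DPI match on UDP payloads.
# All names here are hypothetical; all sample payloads are constructed.

HEADER_TYPES = {1: "handshake_initiation", 2: "handshake_response",
                3: "cookie_reply", 4: "transport_data"}
FIXED_SIZES = {1: 148, 2: 92, 3: 64}   # bytes; type 4 is variable-length
MIN_TRANSPORT = 32                      # 16-byte header + 16-byte auth tag


def header_match(payload: bytes) -> bool:
    """The cheap rule: type byte 1..4 followed by three zero bytes."""
    return (len(payload) >= 4 and payload[0] in HEADER_TYPES
            and payload[1:4] == b"\x00\x00\x00")


def classify(payload: bytes) -> str:
    """Header match tightened with the per-type length check."""
    if not header_match(payload):
        return "no_match"
    msg_type = payload[0]
    if msg_type in FIXED_SIZES:
        ok = len(payload) == FIXED_SIZES[msg_type]
    else:
        ok = len(payload) >= MIN_TRANSPORT
    return HEADER_TYPES[msg_type] if ok else "header_only"


def random_hit_probability() -> float:
    """Chance that uniformly random leading bytes satisfy header_match()."""
    return len(HEADER_TYPES) / 2 ** 32


SAMPLES = {  # constructed payloads, zero-filled where content is irrelevant
    "wg_initiation": b"\x01\x00\x00\x00" + bytes(144),
    "wg_keepalive": b"\x04\x00\x00\x00" + bytes(28),
    "dns_query": bytes.fromhex("123401000001000000000000")
                 + b"\x07example\x03com\x00\x00\x01\x00\x01",
    "random_looking": bytes.fromhex("9f3ca107") + bytes(144),
    "other_proto_le_u32": b"\x01\x00\x00\x00" + b"hello",
}


def run() -> dict:
    return {name: (header_match(p), classify(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hit, label) in run().items():
        print(f"{name:20s} header_match={hit!s:5s} classify={label}")
    print(f"random 4-byte hit probability: {random_hit_probability():.2e}")
```

The last sample shows the collateral cost of the header-only rule: an unrelated protocol that happens to start with a little-endian 1 is matched too, and only the length check tells it apart.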