WireGuard with obfuscation support

Roman Mamedov rm at romanrm.net
Mon Sep 27 09:36:28 UTC 2021

On Mon, 27 Sep 2021 04:14:35 -0500
Bruno Wolff III <bruno at wolff.to> wrote:

> This isn't a simple problem. The assumption is that someone is seeing 
> your network traffic and blocking it.

The assumption is that there's an appliance at the ISP which has a DROP rule
for UDP with 4 fixed bytes at a fixed offset. It has five hundreds other rules
to process as well, so it can't spend "too much" time on specifically WG.

> They are still going to see it  even if you disguise it.

With obfuscation there would be UDP packets of random junk, and it would be a
much harder job to come up with a rule to drop those without affecting
anything else.

> So you are going to need to disquise it as  something that whoever is
> watching isn't going to care about. That is going to vary a lot depending on
> who is watching. You may also need to hide who you are communicating with.
> In some cases that will be even more important.

You are going full-on "Enemy of the state" movie. The reality is most often a
lot simpler and more benign.

> There are going to be a number of ways to detect Wireguard traffic and 
> it is pretty unlikely that the bar for detection can be raised enough to 
> be relevant with a few simple changes to the protocol.

That's not a justification for not trying at all.

With respect,

More information about the WireGuard mailing list