WireGuard with obfuscation support

StarBrilliant coder at poorlab.com
Mon Sep 27 15:28:52 UTC 2021

On Mon, Sep 27, 2021, at 10:21, Bruno Wolff III wrote:
> If your ISP is blocking your Wireguard traffic call them up and complain.

All ISPs in China is blocking Wireguard traffic. If you call any of them up, you will end up in jail. There was a case where one user sued their ISP for blocking Google, and got prosecuted until disappear in public.

I believe the original poster is located in China rather than other countries, because the word “Shadowsocks” was mentioned, which is the only operable proxy software there -- its obfuscation is strong, but is slow and never cryptographically proved safe.

I would highly recommend you to test Wireguard on a virtual host in China to experience how the DPI is carried out, or to run a VPN service for Chinese users. The DPI system tries to create evidences to fool the user into believing it to be a network congestion, rather than an interference. The traffic will get interrupted after a few days, with increased packet loss rate each day. After a certain number of days, all packets will get dropped.

For any of you who is curious: The DPI system uses a statistical model, which means you get a higher chance of blocking if the source ASN is from a data center rather ran residential Internet; or if your size / timing / number of packets also match the characteristics of web browsing in addition to the usual Wireguard pattern. The sensitivity can even be tuned so the interference becomes stronger during June, August, and October.

It is so unfortunate this situation affects 1/5 of the world population. The Chinese users used to be too optimistic about Wireguard. Developing an obfuscation plugin framework is not sufficient to fight against it, but there aren't too much that one can do.

More information about the WireGuard mailing list