Iptables WireGuard obfuscation extension
Wei Chen
weichen302 at zoho.com
Sat Sep 10 11:34:52 UTC 2022
Hi,
Jason once suggested use a netfilter module for obfuscation[1]. Here is one.
https://github.com/infinet/xt_wgobfs
It uses SipHash 1-2 to generate pseudo-random numbers in a reproducible way.
Sender and receiver share a siphash secret key. Sender creates and receiver
re-creates identical siphash output, if input is same. These siphash outputs
are used for obfuscation.
- The first 16 bytes of WG message is obfuscated.
- The mac2 field is also obfuscated if it is all zeros.
- Padding WG message with random bytes, which also has random length. They are
from kernel get_random_bytes_wait() though.
- Drop 80% of keepalive message at random. Again randomness is from kernel.
- Change the Diffserv field to zero.
Tested working on Alpine linux kernel 5.15 and CentOS 7 kernel 3.10.
Performance test in two Alpine VMs running on same host. Each VM has 1 CPU and
256 MB RAM. Iperf3 results 1.1Gbits/s without,vs 860Mbits/s with obfuscation.
Wei
1. https://lists.zx2c4.com/pipermail/wireguard/2021-September/007155.html
More information about the WireGuard
mailing list