Iptables WireGuard obfuscation extension

Roman Mamedov rm at romanrm.net
Wed Sep 28 11:33:56 UTC 2022


On Sat, 10 Sep 2022 06:34:42 -0500
Wei Chen <weichen302 at zoho.com> wrote:

> Hi,
> 
> Jason once suggested use a netfilter module for obfuscation[1]. Here is one.
> 
> https://github.com/infinet/xt_wgobfs
> 
> It uses SipHash 1-2 to generate pseudo-random numbers in a reproducible way.
> Sender and receiver share a siphash secret key. Sender creates and receiver
> re-creates identical siphash output, if input is same. These siphash outputs
> are used for obfuscation.
> 
> - The first 16 bytes of WG message is obfuscated.
> - The mac2 field is also obfuscated if it is all zeros.
> - Padding WG message with random bytes, which also has random length. They are
>   from kernel get_random_bytes_wait() though.
> - Drop 80% of keepalive message at random. Again randomness is from kernel.
> - Change the Diffserv field to zero.
> 
> Tested working on Alpine linux kernel 5.15 and CentOS 7 kernel 3.10.
> 
> Performance test in two Alpine VMs running on same host. Each VM has 1 CPU and
> 256 MB RAM. Iperf3 results 1.1Gbits/s without,vs 860Mbits/s with obfuscation.

Hello,

Are you the author, so we can ask questions about it?

The "Usage" section speaks of "server" and "client". However in the WG world
there's not really a server or client per se, but all WG network members are
peers. As such, is it possible to propose an universal set of iptables rules
that would be fine to use on any network node?

As I understand, all INPUT packets to our local --dport need to be --unobfs,
and all OUTPUT packets from us to any other node need to be --obfs. Right?

-- 
With respect,
Roman


More information about the WireGuard mailing list