Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Obfuscating WireGuard #223

Open
antonw-25 opened this issue Mar 8, 2023 · 13 comments
Open

Obfuscating WireGuard #223

antonw-25 opened this issue Mar 8, 2023 · 13 comments

Comments

@antonw-25
Copy link

antonw-25 commented Mar 8, 2023

Hi,
To start off with, I don't know much about this and am relatively new.
I was wondering if there is anyway to obfuscate wireguard (and doesn't mess up the speeds too much)?
I have come accross this - https://github.com/infinet/xt_wgobfs, however i don't think i set it up properly (not sure how to configure WGG clientside)
i tried ss-libev and outline which i tihnk uses ss go. libev didn't load websites and outline only loaded google.com for some reason.
im using a port which i know works because the wireguard server im using right now works perfectly fine with it.
I was looking into tunneling wireguard with shadowsocks, however I am not sure if im even doing it right - https://errande.com/2021/07/obfuscate-wireguard/ So if this is a good idea if someone could give me a step by step setup would be extremely helpful. (thanks in advance), however I am also not sure if this would be a massive bottleneck to wifi and fi theres a better way to obfuscate.
Please do tell about other obfuscation methods!
By the way, i am running ansible-easy-vpn made by wolfgangschannel for simplicity, however I have a test server setup on just setting up wireguard normally.
Thanks!

@cjhenck
Copy link

cjhenck commented Mar 8, 2023

I'm afraid I can't help on the wireguard front, but I am on the Outline team and was curious if you also had used the Outline server, or just the client? Were you able to do searches on Google or just the home page loaded? I'd like to make sure we are aware of any situations where it isn't performing as expected.

Thanks, and I hope you're able to get a setup working.

@wkrp
Copy link
Member

wkrp commented Mar 8, 2023

Besides the xt_wgobfs you mentioned, a few other WireGuard obfuscation ideas have been discussed:

https://lists.zx2c4.com/pipermail/wireguard/2022-September/007835.html

In terms of obfuscation for the WireGuard protocol, here are some references:

Iptables WireGuard obfuscation extension
https://lists.zx2c4.com/pipermail/wireguard/2022-September/007822.html
https://github.com/infinet/xt_wgobfs

swgp-go (userspace obfuscation proxy)
https://lists.zx2c4.com/pipermail/wireguard/2022-June/007638.html
https://github.com/database64128/swgp-go
#117

WireGuard with obfuscation support
https://lists.zx2c4.com/pipermail/wireguard/2021-September/007142.html
https://github.com/el3xyz/wireguard-linux-compat
#88

WireGuard obfuscation using shadowsocks
https://lists.zx2c4.com/pipermail/wireguard/2019-January/003809.html

Example config for swgp-go: #140 (comment)

@antonw-25
Copy link
Author

@cjhenck Hi, i deployed the outline server on digital ocean and when hosted on port 3478 connected perfectly fine, however apart from loading google searches I could not load anything else. I think pinging stuff in cli worked but i cant be 100% sure.

@antonw-25
Copy link
Author

@wkrp tysm, will have a look. however i might need some help setting them up! Thanks!

@antonw-25
Copy link
Author

@wkrp I tried out some protocols including - Trojan, trojan/grpc, vless/xtls, vmess/websocket, vless/grpc. They worked fine on my hotspot which isn't restricted, however on the restricted wifi for some reason web pages aren't loading (server not found). I THINK i changed the port corerctly, so I was wondering if there is another fix.

@wkrp
Copy link
Member

wkrp commented Mar 10, 2023

@antonw-25 I'm afraid this is not the place to troubleshoot the connection. This forum is for research and development, not user support. You may be able to get help from the projects you mentioned. If you find out what's wrong, and you can attribute it to some action by a censor, you are welcome to share that technical information here.

@Snawoot
Copy link

Snawoot commented Aug 29, 2023

Hello!

I would like to present a solution I developed to workaround blocking of Wireguard in Russia: https://github.com/Snawoot/dtlspipe

So far I already have reports about successful tests in real censorship conditions, but more feedback would be appreciated.

It uses well-known and fairly legit DTLS protocol to secure arbitrary UDP payload, which is suitable for Wireguard, UDP OpenVPN and many more other kinds of UDP traffic. Good luck!

@0x391F
Copy link

0x391F commented Aug 30, 2023

I wonder why not use DTLS tunnel directly? It's as security as OpenVPN/WireGuard and without additional complexity.

@wkrp
Copy link
Member

wkrp commented Aug 30, 2023

It uses well-known and fairly legit DTLS protocol to secure arbitrary UDP payload

One thing to be aware of is possible DTLS fingerprinting. dtlspipe uses the same pion/dtls package as Snowflake, which has seen blocking of some DTLS handshake fingerprints in Russia.

Overview:
https://github.com/turfed/snowflake-paper/blob/72cefe460f38a87150c46fa593eff53448bf1098/snowflake.tex#L2282

Something that would be nice to have, but doesn't exist yet, is something that does fingerprint camouflage for DTLS, the way uTLS does for TLS.

@Snawoot
Copy link

Snawoot commented Aug 30, 2023

@wkrp Thanks! Added server option to skip Hello Verify Request and released v1.1.0. The rest seems already fine.

@wkrp
Copy link
Member

wkrp commented Dec 30, 2023

At NTC there is a thread about AmneziaWG.

During the recent blocking of OpenVPN and WireGuard the Amnezia VPN team thought about creating their own protocol, which could help users to bypass the blocking without slowing down the speed (since OpenVPN over Cloak, which we recommended to install, was not very fast for obvious reasons).

Here is our implementation of the WireGuard protocol - AmneziaWG.

AmneziaWG (AmneziaWireGuard) is a fork of the WireGuard-Go with added features to bypass blocking and reduce the probability of protocol detection. One of the key features of AmneziaWG is backward compatibility with WireGuard. This means that when using AmneziaWG, unless specific parameters for protocol obfuscation are specified in the configuration, it will work like standard WireGuard.

What is the feature?

  • Before starting a session the client sends several packets with random data (the number of such packets Jc and their minimum and maximum size in bytes Jmin, Jmax is set in the config).
  • The header of handshake packet (Initiator to Responder) and response packet (Responder to Initiator) has been changed, these values are also set in config (H1 and H2).
  • Handshake init packets additionally have garbage at the beginning of the data, the sizes are determined by S1 and S2 values. (by default, the handshake init packet has a fixed size (148 bytes), after adding garbage its size will be 148 + size of random bytes).
  • The header of data packets and special “Under Load” packets has been changed - H4 and H3 respectively.

More details about new customizable fields:

  1. Jc (Junk packet count) - number of packets with random data that are sent before the start of the session
  2. Jmin (Junk packet minimum size) - minimum packet size for Junk packet. That is, all randomly generated packets will have a size no smaller than Jmin.
  3. Jmax (Junk packet maximum size) - maximum size for Junk packets
  4. S1 (Init packet junk size) - the size of random data that will be added to the init packet, the size of which is initially fixed.
  5. S2 (Response packet junk size) - the size of random data that will be added to the response packet, the size of which is initially fixed.
  6. H1 (Init packet magic header) - the header of the first byte of the handshake
  7. H2 (Response packet magic header) - header of the first byte of the handshake response
  8. H4 (Transport packet magic header) - header of the packet of the data packet
  9. H3 (Underload packet magic header) - UnderLoad packet header.

As you can guess, the H1, H2, H3, H4 headers must be different. If you set Jc, S1 and S2 to zero, there will be no garbage.

There are 2 ways to test this protocol:

  1. Install Amnezia VPN on your server by downloading the client from the official website.
  2. Write to us by e-mail with a request to issue a config for testing this protocol (in the header of the e-mail you should specify “Testing AmneziaWG - NTC.PARTY”).

We ask everyone who is interested to test this protocol!

Any feedback on working/not working protocol and performance is welcome! Questions too.

@wkrp
Copy link
Member

wkrp commented Oct 2, 2024

Mentioned at #400:

https://github.com/ClusterM/wg-obfuscator

This is a simple obfuscator for WireGuard. It is designed to make it harder to detect WireGuard traffic by making it look like something else. It does this by wrapping WireGuard packets in a layer of obfuscation using a simple XOR cipher. Usefull for bypassing DPI (Deep Packet Inspection) firewalls, e.g. if your ISP/government blocks WireGuard traffic.

Since the obfuscator is a simple XOR cipher, it is totally simmetric. You need to install this application on the same network as the WireGuard peer you want to obfuscate, you need to do this on the other peer too. The obfuscator will then obfuscate the WireGuard packets and send them to the Internet. On the other side the obfuscator will deobfuscate the packets and send them to the WireGuard peer.

@wkrp
Copy link
Member

wkrp commented Oct 2, 2024

Something that would be nice to have, but doesn't exist yet, is something that does fingerprint camouflage for DTLS, the way uTLS does for TLS.

@Snawoot Since we last wrote, there has appeared https://github.com/theodorsm/covert-dtls by @theodorsm. "covertDTLS is a library inspired by uTLS for offering fingerprint-resistance features to pion/dtls."

The development of and motivation behind covertDTLS is described in @thedorsm's master's thesis, "Reducing distinguishability of DTLS for usage in Snowflake".

We have seen that censors have been able to do so by fingerprinting the DTLS implementation that is produced by the Pion library used by Snowflake. The aim of this thesis is to reduce the distinguisability of said DTLS library. We developed a tool named, dfind for analyzing and finding passive field-based fingerprints of DTLS. This tool was validated using a data set with known fingerprints, and found that the extensions field was especially vulnerable for identification. To combat such fingerprints, we implemented covertDTLS, a Go library inspired by uTLS. Our module extends the Pion DTLS library with handshake hooking to offer mimicry and randomization features. To ensure that mimicking remains up-to-date, we developed a novel continuous delivery workflow for generating fresh DTLS-WebRTC handshakes from popular browsers.

More information:
https://lists.torproject.org/pipermail/anti-censorship-team/2024-August/000350.html

@wkrp wkrp changed the title Obfuscating Wireguard Obfuscating WireGuard Oct 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants