Hi,

I have a server in my basement running Proxmox as a hypervisor, which provides me with various services.
On that host I have several LXC containers configured as exit nodes running WireGuard for other services.

I'm using Tailscale on my phone when I'm on cellular to be able to access these services, and one WireGuard container is configured to serve as an exit node for Tailscale. So if I'm connected to Tailscale on cellular, all my traffic is routed through the VPN. (Not sure about the security aspect of this setup?)

I'm looking into how to obfuscate my WireGuard traffic from my ISP, and avoid being flagged for using a VPN by potential Deep Packet Inspection. I've come across https://github.com/ClusterM/wg-obfuscator, but this needs to be installed on the same network as both peers. Obviously I have no access to the network of the peer I'm connecting to, as it is a commercial VPN service.

Is anyone aware of a way I can obfuscate my WireGuard traffic in the use case mentioned above, and willing to point me in the right direction?

    r134a By creating excessive noise... that's the only logical thing I know of... even though I know you were hoping for something better.

    If you have a lot of noisy devices sending and receiving data and packets through a gateway, you can obfuscate your actions by adding extra traffic at the cost of bandwidth. Idk, that's what came to mind for me: https://en.m.wikipedia.org/wiki/Radio_noise

      nullable
      Thanks for your suggestion and reply!

      I don't think this option would do anything in this case, as my actions are already 'obfuscated' from my ISP, i.e. all data that passes through my ISP is encrypted while using a VPN tunnel.

      I want to obfuscate the fact that I'm actually using a VPN, as with my current WireGuard implementation, if my ISP were to use deep packet inspection, they could see from the headers that I'm using a VPN, though not the traffic itself.

      Therefore, I'm not sure generating random data would avoid deep packet inspection in any way.

      r134a You can't obfuscate WireGuard without modifying the underlying protocol. You'd need to patch the fixed cookie message length, the zero bytes in MAC2, etc. Current obfuscation efforts only partially cover this issue and are easy to detect with a smart DPI.
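To make the point above concrete, here is an added example (not from this thread or from any project it mentions) of the structural checks a DPI engine can run on a bare UDP payload to recognise WireGuard without any key material: the fixed 148/92/64-byte handshake message lengths, the three always-zero reserved bytes, and an all-zero MAC2. The sample packets are constructed filler with correct framing only; the field layouts follow the public WireGuard protocol description.

```python
from typing import Optional

# WireGuard message type bytes and the fixed on-the-wire size of each
# handshake-phase message (type + 3 reserved bytes + fields + mac1 + mac2).
HANDSHAKE_INIT, HANDSHAKE_RESP, COOKIE_REPLY, TRANSPORT = 1, 2, 3, 4
FIXED_LENGTH = {HANDSHAKE_INIT: 148, HANDSHAKE_RESP: 92, COOKIE_REPLY: 64}
LABEL = {HANDSHAKE_INIT: "handshake_initiation",
         HANDSHAKE_RESP: "handshake_response", COOKIE_REPLY: "cookie_reply"}

def classify_udp_payload(payload: bytes) -> Optional[str]:
    """Label a UDP payload shaped like a WireGuard message, else return None.
    These are structural checks a DPI box can make with no key material."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # every WireGuard message carries 3 zero reserved bytes
    msg_type = payload[0]
    if msg_type in FIXED_LENGTH:
        if len(payload) != FIXED_LENGTH[msg_type]:
            return None
        label = LABEL[msg_type]
        # mac2 (last 16 bytes of init/response) is all zero unless the
        # responder is under load and has handed the initiator a cookie.
        if msg_type != COOKIE_REPLY and payload[-16:] == bytes(16):
            label += "+mac2_zero"
        return label
    if msg_type == TRANSPORT:
        # 16-byte header + ciphertext (plaintext padded to 16n, plus 16-byte tag):
        # total >= 32 and (total - 32) % 16 == 0. Weak alone, so a real monitor
        # would only trust it once a handshake has been seen on the same flow.
        if len(payload) >= 32 and (len(payload) - 32) % 16 == 0:
            return "transport_data" if len(payload) > 32 else "keepalive"
    return None

def constructed_wg_packet(msg_type: int, total_len: int) -> bytes:
    """CONSTRUCTED sample with correct framing; the crypto fields are filler."""
    pkt = bytes([msg_type, 0, 0, 0]) + bytes(range(1, 256))[: total_len - 4]
    if msg_type in (HANDSHAKE_INIT, HANDSHAKE_RESP):
        pkt = pkt[:-16] + bytes(16)  # zero mac2, as on an unloaded responder
    return pkt

# Constructed samples: two handshakes, a keepalive and a DNS header (no match).
SAMPLES = {
    "wg_init": constructed_wg_packet(HANDSHAKE_INIT, 148),
    "wg_resp": constructed_wg_packet(HANDSHAKE_RESP, 92),
    "wg_keepalive": bytes([TRANSPORT, 0, 0, 0]) + bytes(12) + bytes(16),
    "dns_query": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} {len(pkt):4d} bytes -> {classify_udp_payload(pkt)}")
```

Padding the handshake or randomising the reserved bytes defeats these particular checks, but only if the remote peer is also patched to accept the altered framing, which is exactly the constraint with an unmodified commercial endpoint.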

        words
        Is obfuscation with OpenVPN possible, or does roughly the same apply?

          r134a OpenVPN was hard to detect on outdated DPI systems, but it's easily detectable nowadays.

          Why would you need to circumvent DPI if you're not living under an oppressive government anyway? WireGuard encrypts your traffic perfectly fine, and if you want to reduce the probability of time/disconnect attacks, use a dedicated server somewhere to keep your connections alive. If you're not a criminal doing bad things, you don't need to worry about the DPI.

            Another method is to simply encapsulate your WireGuard traffic in a DPI-resistant protocol. Do note that the classical definition of DPI isn't the only method of detecting VPN usage. In China, they measure the ratio of outbound/inbound connections and block suspicious yet unidentifiable traffic. They don't block suspicious traffic all the time, since it disrupts legitimate technical startups, but they know it's suspicious since it doesn't look like a normal connection. You also can't verify the effectiveness of anti-DPI measures in the EU since they don't prohibit VPN usage yet. This topic is very complex and, truth be told, there's no real solution against time correlation/DPI related attacks.

              words I've read into it before posting, admittedly only on a surface level.

              To my current understanding, there are solutions, as you mentioned, like encapsulating the packets in another protocol, like HTTPS. But for these solutions the encapsulation needs to be reverted before reaching the receiving peer, as far as I understand. Those are not an option currently with my commercial VPN service.

              The more I read into this, the more I agree this topic is very complex. And there's probably no 'solution' in my specific use case.

              There's currently no need to accomplish this, but I like to learn and try new things, hence this attempt. I've asked my VPN provider as well now and they suggested OpenVPN over TCP on port 4443.

              I will dig deeper into this matter, thanks for responding.

              WireGuard and its variants are under heavy QoS from my ISP along with other UDP-based VPNs. People use udp2raw to initially bypass it.

              words If you're not a criminal doing bad things - you don't need to worry

              But that's the mindset you shouldn't have. Who decides if you're a criminal doing bad things?