Comments
Use shadowsocks with WireGuard, or use TunSafe, which is a fork of WireGuard with an obfuscation feature available in it besides a few other things.
Which ISP does this?
My ISP does something similar, but with certain WG server IPs, not all: my machine can send packets to the server and the server gets them, but it can't receive/see packets from the server (no, I already tried port forwarding and even DMZ and turning off the firewall in the router).
https://www.lowendtalk.com/discussion/168620/wireguard-handshake-did-not-complete-after-5-seconds-on-home-network
Re: using TunSafe, WireGuard's creator warned against using other Windows clients before, and with the official Windows client available now, there is no point in using TunSafe even if it has extra features imo.
Thanks @akb for the tip.
https://lists.zx2c4.com/pipermail/wireguard/2019-January/003809.html
I did some experimentation in the past 2 months, with ntopng on the upstream, to see if the DPI engine would pick up the traffic and how it was seen by it.
The easiest and quickest way to hide your traffic is to run TunSafe (make sure it's the latest); the traffic will be seen as visiting any website because the client runs on port 443 and it does obfuscate and encrypt. You get to pick whether you want to pretend to be Chrome or Firefox in the TLS.
The quickest way to get up and running with TunSafe:
https://github.com/Freekers/ansible-tunsafe
The issues I found with TunSafe:
The first two issues were my main show stoppers, BUT it did obfuscate traffic well and you get up and running really quickly. If you don't have time to play around with option 2 below, go via TunSafe.
The second option I tried was udp2raw-tunnel:
https://github.com/wangyu-/udp2raw-tunnel
It was challenging to get it up and running at first. It wasn't until I forced MTU = 1300 on the WireGuard tunnel that I finally got this to work. Traffic was encrypted as TLS, and throughput was less than with TunSafe.
nDPI engines saw TunSafe traffic as web browser traffic; udp2raw traffic was seen as simply TLS, and it was obvious in the ntopng interface that this traffic was oddball compared to the rest.
fin
@cheap_box @Kassem where are you guys from? Just curious as to which countries' ISPs are so restrictive.
If you've got to do extra steps to mask your traffic as HTTPS, then what's the point of using WireGuard? Something else like ocserv uses the HTTPS protocol to begin with, and uses port 443 by default for its traffic.
Another option is Google/Jigsaw's Outline, which uses shadowsocks as a base and is very resistant to blocking. It's also the easiest self-hosted VPN to set up and use.
https://www.getoutline.org/
I tried outline and it seemed hard / complex to setup.
If you want a truly easy-peasy way of setting up shadowsocks or even OpenVPN: https://myvpn.run
Is Outline reliable?
Outline is as simple as it can get, provided you can read.
https://getoutline.org/get-started/#step-1
Beware of the risk associated with one-line scripts from third parties. Only use such a script if it is available on GitHub and has good reviews/reputation. Example: nyr.
Perhaps if you need to access resources on a WireGuard VPN and you don't control the choice of technology.
Or you do have control but are happy with WireGuard everywhere else (not used it myself yet, but I'm told it does perform rather well compared to many other options and is not a pain to configure) and are just having trouble with this one location. It may be worth having an HTTPS wrapper fall-back if you are a mobile remote worker anyway (a consultant regularly working on client sites, for instance): use pure WireGuard for simplicity/performance where you can, and bring up the extra transport layer if that seems to be blocked/throttled/mangled by your current network access route.
@stevewatson301
We had a blocked canal earlier this year.
+1 for Outline and you can also use it with https://github.com/shadowsocks/shadowsocks-windows if you don't want all traffic to use the VPN.
Outline is nice for just the purpose of setting up your own VPN; it's not yet blocked by ISPs in the country where the canal was blocked, but it can be easily blocked as the ports cannot be changed.
Also, Outline does not work for the purpose of remote access as it does not allow routing of private networks. For that I needed to apply a workaround to trick Outline (DNAT'ing a dummy public /24 network to a private one on the firewall, so it passes Outline as a public network but gets NAT'd to a private network afterwards; not sure why they removed that functionality).
Outline seems very nice. Is it compatible with all shadowsocks clients?
I use OpenConnect ocserv with my domain and Let's Encrypt; works everywhere, port 443.
What are you using WireGuard for? If you're just using it for web browsing, an HTTPS proxy would be easier. Or do you need to tunnel protocols other than HTTP?
If you do want to obfuscate a VPN connection, just keep in mind that TCP-based VPNs are significantly slower than UDP-based VPNs, due to the fact that you're tunneling a stateful protocol over another stateful protocol (TCP-over-TCP). TCP guarantees that all packets arrive in the same order and lost packets are resent, but you really don't need that overhead for a VPN, as the protocol being tunneled handles it.
Web browsing isn't just web browsing these days. Any random web site might start opening web sockets. At the very least, stick with a SOCKS proxy, which can handle any/every port. It could still be tunneled over SSL. You're basically re-inventing Tor, though.
Use port 2049 and maybe your ISP will assume it's an NFS mount and not a VPN? Or the SIP port and they'll think you do a lot of VoIP calling? Or the RTP port and it might look like DTLS-SRTP à la a WebRTC (e.g. Jitsi Meet) video conference?
Yeah, that's a good point that I didn't consider. Web sockets should work fine via an HTTP proxy using HTTP CONNECT, though? Connections to HTTPS sites via a proxy already need to use CONNECT, and I think websockets could use it too.
Any ISP that attempts to block VPNs for whatever reason will be using DPI to detect VPN protocols. That's why routing it via HTTP helps. WireGuard says that obfuscation is explicitly a non-goal for the protocol so the WireGuard protocol is likely to always be detectable by a firewall.
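As an added example (not code from anyone in this thread), the following Python shows what a DPI engine actually keys on: every WireGuard message begins with a one-byte type (1 to 4) and three reserved zero bytes, the three handshake message types have fixed lengths (148, 92 and 64 bytes), and transport packets are at least 32 bytes with an encrypted body that is a multiple of 16 bytes. The sample packets are constructed, not captured.

```python
"""Minimal WireGuard framing detector, as a DPI engine would see it.

Only the cleartext framing is inspected; no key material is needed, which is
why plain WireGuard is recognisable on the wire.  Sample payloads below are
constructed for illustration (the random-looking bodies are just filler).
"""
from typing import Optional, Dict, List

# Fixed total sizes of the three handshake messages (type -> length).
WG_HANDSHAKE_SIZES = {1: 148, 2: 92, 3: 64}
WG_LABELS = {1: "handshake_initiation", 2: "handshake_response",
             3: "cookie_reply", 4: "transport_data"}
WG_TRANSPORT_HEADER = 16   # type+reserved(4) + receiver index(4) + counter(8)
WG_MIN_TRANSPORT = 32      # header + empty plaintext + 16-byte Poly1305 tag


def looks_like_wireguard(payload: bytes) -> Optional[str]:
    """Return the WireGuard message label, or None if the framing doesn't fit."""
    if len(payload) < WG_MIN_TRANSPORT:
        return None
    msg_type = payload[0]
    if payload[1:4] != b"\x00\x00\x00":          # reserved bytes must be zero
        return None
    if msg_type in WG_HANDSHAKE_SIZES:
        return WG_LABELS[msg_type] if len(payload) == WG_HANDSHAKE_SIZES[msg_type] else None
    if msg_type == 4:
        body = len(payload) - WG_TRANSPORT_HEADER   # padded plaintext + 16-byte tag
        return WG_LABELS[4] if body % 16 == 0 else None
    return None


def classify_capture(packets: List[bytes]) -> Dict[str, int]:
    """Count message labels over a list of UDP payloads (non-WG -> 'other')."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        label = looks_like_wireguard(pkt) or "other"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed samples: WG initiation (148 B), WG keepalive (32 B), and a
# DNS query header that happens to start with non-zero reserved bytes.
SAMPLE_HS_INIT = b"\x01\x00\x00\x00" + b"\xaa" * 144
SAMPLE_KEEPALIVE = b"\x04\x00\x00\x00" + b"\x00" * 12 + b"\xbb" * 16
SAMPLE_DNS = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x03www" * 6
SAMPLE_CAPTURE = [SAMPLE_HS_INIT, SAMPLE_KEEPALIVE, SAMPLE_DNS]
```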
What about v2ray?
It's not WireGuard, but it's newer than Shadowsocks.
I usually use v2-ui + nginx and it's working fine for my friend (who is in GFW in China) and me on Windows and iPhone.
SoftEther is one of the best open source VPN applications in the area of obfuscating traffic. For simple TCP 443 cases it supports the built-in SSTP client in Windows, and for more complex cases it has options to VPN over ICMP packets or port 53 DNS packets.
If WireGuard does not have built-in obfuscation mechanisms, why not use the solutions that do have them? Maybe OpenVPN with tls-crypt will solve the problem?
Mullvad now offers WireGuard over TCP: https://mullvad.net/en/blog/2021/11/1/introducing-wireguard-over-tcp-and-ipv6/ and their repo https://github.com/mullvad/udp-over-tcp
Why don't you just use Tor?
Well, every Chinese ISP does, and this is the reason why Chinese people use shadowsocks or trojan to bypass GFW.
VPNs and WireGuard, which are designed with strong encryption, have distinguishable characteristics, yet obfuscation is never their priority.
So if someone loves the CCP, love its dog (Internet censorship, human and animal genocide, air-soil-water contamination, sharp power and wolf-warrior diplomacy, ...).
Ironically, it's mostly US companies (including Cisco) who helped establish the GFW, which acts against and insidiously infiltrates into the free world.
The Chinese legislature (the CCP itself) has been revising (or creating) the "law" year after year to prohibit bypassing the GFW and strengthen the punishment for citizens who seek free information.
Good luck, MJJs.
If we talk about getting over the wall too much, chairman xi will not be happy pooh.
Is the chairman actively cracking down on airport chickens?
I've had https://github.com/jpillora/chisel bookmarked to experiment with for a while, but not got round to trying it as my main need for it passed. The traffic will just look like normal HTTP(S) requests (as they will be normal HTTP requests, other than their content, which the ISP won't be able to read).
I doubt it'll perform particularly well due to common issues with tunnelling over TCP and breaking streams into multiple HTTP(S) requests, but it will circumvent port and protocol based blocks (even those that catch stunnel & friends).
You'll need to install the server end. Not a problem if you control the other end of the WireGuard VPN (just install it on the same machine/network), though you'll need somewhere to put it otherwise (a VPS somewhere, preferably topologically close to the WireGuard end-point to avoid even more extra latency).
Many, particularly in countries with rather control-fixated governments.
Also, I've come across a public WiFi AP that only allowed ports 53/80/443 (though it didn't check the protocol, so I was able to just make the other end listen on 443 as well, without extra jiggery-pokery in that case).