WireGuard obfuscation

Hey,

What is the best way to obfuscate WireGuard over port 443 (TCP) as HTTP(S) traffic?

Is this possible using something like Nginx?

Thanks in advance.

What is the reason for the obfuscation?

I want to add that, usually, you can't find obfuscated WG as HTTP(S) on mobile.

If you need both obfuscation and encryption, I suggest other tools over WireGuard.

TCP Mode
WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP. Rather, transforming WireGuard’s UDP packets into TCP is the job of an upper layer of obfuscation (see previous point), and can be accomplished by projects like udptunnel and udp2raw.

Source: Known Limitations - WireGuard

Additional option: https://github.com/wangyu-/udp2raw

Would be helpful if OP stated the goal instead of the assumed technical answer.

Ehh, would be useful if it was built-in in the official GUI client. I could do all those steps myself and start vpn like this every time, but my dad won’t be able to do that -_- Amnezia has it built-in, but they have issues with DNS

Force UDP as TCP. Because WireGuard only supports UDP, you need to apply another layer that converts it for you. This is helpful for some IPTV users, as a couple of ISPs throttle the traffic as a countermeasure against using a VPN for that purpose.

Firewall restrictions aka Russian internet

UDP to UDP is useful, too. Some captive portal Wi-Fi systems use deep packet inspection that allows HTTP to specific servers as well as limited UDP traffic, but they'll block WireGuard frames because they're easy to identify. You might be able to get DNS out to a remote server, and systems that allow UDP address roaming (such as mosh) might be able to start on cellular and then continue on the captive portal, but new connections are cut short.

wstunnel and stunnel only help in that case if you control the whitelisted server. But a lightweight UDP wrapper that uses an extremely weak encryption could be enough to prevent the WireGuard frames from being identified.
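Why inspection equipment can pick out WireGuard frames, as the post above says: an added example, not code from any poster or from the WireGuard project. It classifies UDP payloads by WireGuard's fixed header and message sizes; the function names, the sample payloads and the one-byte XOR `weak_wrap` (standing in for the "extremely weak encryption" wrapper) are constructed for illustration.

```python
# WireGuard wire format: 1-byte message type, 3 reserved zero bytes, then the body.
# Types 1-3 have fixed total sizes; type 4 (transport data) is a 16-byte header
# plus ciphertext padded to 16 bytes plus a 16-byte tag.
FIXED_SIZES = {1: ("handshake_initiation", 148),
               2: ("handshake_response", 92),
               3: ("cookie_reply", 64)}
TRANSPORT_MIN = 32  # header + tag with an empty body (keepalive)


def classify_wg(payload: bytes):
    """Return the WireGuard message name a UDP payload matches, or None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_SIZES:
        name, size = FIXED_SIZES[msg_type]
        return name if len(payload) == size else None
    if msg_type == 4 and len(payload) >= TRANSPORT_MIN and len(payload) % 16 == 0:
        return "transport_data"
    return None


def handshake_sizes_seen(lengths):
    """Header-independent check: a 148-byte payload followed by a 92-byte one."""
    return any(a == 148 and b == 92 for a, b in zip(lengths, lengths[1:]))


def weak_wrap(payload: bytes, key: int = 0x5A) -> bytes:
    """Hypothetical stand-in for the weak wrapper in the post: 1-byte XOR."""
    return bytes(b ^ key for b in payload)


# Constructed sample payloads (bodies are zero filler, not real handshake data).
INIT = b"\x01\x00\x00\x00" + bytes(144)
RESP = b"\x02\x00\x00\x00" + bytes(88)
KEEPALIVE = b"\x04\x00\x00\x00" + bytes(28)
DNS_LIKE = b"\x12\x34\x01\x00\x00\x01" + bytes(26)

if __name__ == "__main__":
    samples = [("init", INIT), ("resp", RESP), ("keepalive", KEEPALIVE),
               ("dns-like", DNS_LIKE), ("wrapped init", weak_wrap(INIT))]
    for name, pkt in samples:
        print(f"{name:13} len={len(pkt):3} -> {classify_wg(pkt)}")
    wrapped = [len(weak_wrap(INIT)), len(weak_wrap(RESP))]
    print("148/92 size pair after wrapping:", handshake_sizes_seen(wrapped))
```

The header signature stops matching once the payload bytes are transformed, while the size-pair check still fires because this wrapper preserves length.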

Yup, it’s worthwhile to test something like that out as well, as long as you know how.