Obfuscate Wireguard

Hello,

My question may sound dumb; however, I'm very new to this topic.

I bought 2 routers from GLinet.

Router A was set up as a server at my house in the USA for use with WireGuard.

Router B was set up as a client for me to use while traveling.

However, my company found out I'm using a VPN service. I installed and ran Wireshark; however, under the HTTP protocol I see a GET request whose info contains "wireguard", and you can also see the handshake initiation.

My question is, how can I wrap my WireGuard connection within some sort of TLS tunnel or obfuscation method?

More importantly, how would I do this on the router itself? I have LuCI/OpenWrt installed, but other than that I'm not sure how to run code on the router.

What are my best options?

Should I just utilize a computer to host a server at home?

Can I use the routers I currently have?

Let's assume that:

  • you have a wireguard server at your home (not your work)
  • you use the VPN tunnel so to others including your work it looks like you are home
  • you connect to your work from a work laptop via the vpn?

Then what you are asking doesn't make sense: why would you want to obfuscate the WireGuard tunnel itself, as it doesn't touch your work network or your work laptop at all?

Instead, your work probably detected the use of a VPN in one of the following ways:

  • MTU mismatch - your home network has an MTU of 1500 bytes while your WireGuard tunnel has 1420
    • this is easy to "fix" but will make the tunnel slower - just increase the inner tunnel MTU to 1500
    • this will then cause the outer packets to be fragmented, which is not good for performance, but will probably work
  • Your work laptop has remote management software that scans local Wi-Fi networks and locates you abroad while your IP says that you are at home. The only thing to do then is to disable Wi-Fi completely and use a cable (while still changing the MTU)
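
The MTU numbers above, worked through. This is an added example and not code from the thread or from either router's firmware: the header sizes are fixed by the IPv4/IPv6, UDP, TCP and WireGuard formats, the 1500-byte path MTU is the assumption the post makes, and the tunnel MTUs fed to it are constructed inputs. It shows why the default tunnel MTU is 1420, what TCP MSS a server on the far side sees for each MTU (the discrepancy a server-side check could notice), and how many outer fragments a full-size packet needs once the inner MTU is raised to 1500:

```python
"""WireGuard encapsulation arithmetic: tunnel MTU, the TCP MSS a remote
server sees, and outer-packet fragmentation when the inner MTU is raised.

Added example, not from the thread. Header sizes are fixed by the protocols;
PATH_MTU = 1500 (plain Ethernet) is the assumption made in the post.
"""

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
TCP_HDR = 20
# WireGuard transport data message: type(1) + reserved(3) + receiver(4)
# + counter(8) + Poly1305 tag(16); the encrypted inner packet sits between
# the counter and the tag.
WG_DATA_OVERHEAD = 32
WG_PAD_MULTIPLE = 16          # plaintext is padded to a 16-byte multiple
PATH_MTU = 1500               # assumed path MTU between the two routers


def wg_overhead(outer_family: int) -> int:
    """Bytes added per packet by IP + UDP + WireGuard framing."""
    ip_hdr = IPV4_HDR if outer_family == 4 else IPV6_HDR
    return ip_hdr + UDP_HDR + WG_DATA_OVERHEAD       # 60 (IPv4) or 80 (IPv6)


def max_inner_mtu(path_mtu: int, outer_family: int) -> int:
    """Largest inner MTU that never fragments the outer packet.
    1500 - 80 = 1420 is WireGuard's default: it fits even an IPv6 outer path."""
    return path_mtu - wg_overhead(outer_family)


def tcp_mss(mtu: int, inner_family: int = 4) -> int:
    """MSS a host advertises in its SYN for a given interface MTU."""
    ip_hdr = IPV4_HDR if inner_family == 4 else IPV6_HDR
    return mtu - ip_hdr - TCP_HDR


def mtu_implied_by_mss(mss: int, inner_family: int = 4) -> int:
    """What a remote server can infer from the MSS in the client's SYN.
    A direct 1500-byte link gives 1460; 1380 means 'there is an 80-byte tunnel'."""
    ip_hdr = IPV4_HDR if inner_family == 4 else IPV6_HDR
    return mss + ip_hdr + TCP_HDR


def looks_like_direct_link(mss: int, link_mtu: int = PATH_MTU) -> bool:
    """The fingerprint a server-side check could apply: does the MSS match
    a client plugged straight into a link of link_mtu?"""
    return mtu_implied_by_mss(mss) == link_mtu


def outer_packet_size(inner_len: int, inner_mtu: int, outer_family: int) -> int:
    """Total length of the encapsulated packet on the wire. WireGuard pads the
    plaintext up to a multiple of 16 but never beyond the interface MTU."""
    assert inner_len <= inner_mtu, "inner packet larger than the tunnel MTU"
    padded = min(inner_mtu, -(-inner_len // WG_PAD_MULTIPLE) * WG_PAD_MULTIPLE)
    return padded + wg_overhead(outer_family)


def ipv4_fragments(total_len: int, path_mtu: int) -> int:
    """How many IPv4 fragments an outer packet of total_len needs on the path.
    Non-final fragments carry a payload that is a multiple of 8 bytes."""
    if total_len <= path_mtu:
        return 1
    payload = total_len - IPV4_HDR
    per_fragment = (path_mtu - IPV4_HDR) // 8 * 8
    return -(-payload // per_fragment)


def report(inner_mtu: int, outer_family: int = 4, path_mtu: int = PATH_MTU) -> dict:
    """Summarise one tunnel configuration: the MSS fingerprint it leaks and
    the fragmentation a full-size inner packet causes (IPv4 outer path only)."""
    full = outer_packet_size(inner_mtu, inner_mtu, outer_family)
    return {
        "inner_mtu": inner_mtu,
        "mss_seen_by_server": tcp_mss(inner_mtu),
        "looks_direct": looks_like_direct_link(tcp_mss(inner_mtu), path_mtu),
        "outer_bytes_for_full_packet": full,
        "outer_fragments": ipv4_fragments(full, path_mtu) if outer_family == 4 else None,
    }


if __name__ == "__main__":
    for mtu in (1420, 1440, 1500):
        print(report(mtu))
```

With the default 1420, every TCP SYN that leaves the tunnel advertises MSS 1380, which implies a 1420-byte path; a host on a plain 1500-byte link advertises 1460. Raising the inner MTU to 1500 restores the 1460 and, exactly as the post says, turns every full-size packet into two outer fragments. Whether the MSS is what the employer looks at is the post's hypothesis; the arithmetic only shows that it is observable. On OpenWrt the firewall zone's `mtu_fix` option clamps the MSS to the outgoing interface MTU, which for the tunnel interface is the same 1380, so clamping alone does not hide it.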

Thanks for your response,

However, how can I hide the fact that I'm using my WireGuard setup from deep packet inspection?

What was your employer's objection to your use of your own VPN tunnel?

The reason I ask is because my day job is in I.T. security. It's possible that there might be a non-technical solution to your problem.

Every company has its own policies, but my own $employer does not have an opinion about private VPN usage. If an employee knows enough to set up his or her own VPN from scratch on privately-owned equipment, then we have no issue with it. In fact, we would usually take the time to have a chat with the employee about his or her thoughts regarding security, with a view to potentially bringing someone else into the team. There's always a demand for capable people who demonstrate a knack for creative thinking.

We would, however, have an issue with any employee trying to circumvent the corporate VPN. But that's a different story.

Depending on your employer's policies and application of those policies, you might find it's worth having a chat with someone to identify the reason for any objection as well as discuss possible approaches to ease your employer's concerns. We're not all ogres in Security, you know.

lleachii, thanks for your suggestion. However, I read through the forum and I'm not sure the solutions are applicable to my situation.

I have a GL.iNet router; I have OpenWrt LuCI installed. However, normally I utilize the GL.iNet GUI.

If you're not familiar, I can show you a video of what I did exactly.

Use Home IP Address While Traveling with GL.iNet AX Slate, Opal, and WireGuard® VPN - YouTube

This is my current setup to a T.

Then you're not using any official OpenWrt release, and whatever we suggest to you might be completely bonkers.

Install proper OpenWrt, or ask at GL.iNet.


Hello,

Alright, so there is more to the story. I work for a major corporation; we have remote work all around the world. The only policy that would be something to look out for is attempting to work in a country that is on a restricted list (gray, yellow, red). China and Russia are on the red list; I'm attempting to work from a country that is not even on any list of restrictions. I have never been pinged for utilizing my WireGuard setup (6 months).

However, my wife has a work-from-home job that utilizes my personal laptop and connects to a virtual system. She was the one that got pinged via an email about 2 months after starting work. I am assuming there was DPI, and perhaps she was flagged.

So after reading more about WireGuard and DPI, I installed Wireshark to see if WireGuard would show up as a protocol, which it doesn't; it just shows up as HTTP. However, the info states get/..../wireguard.

So I'm concerned with 2 things:

  1. Does my company see the same but not care that I use a VPN at home?

  2. Does her company care only because they strictly don't allow out-of-country work?

I know obfuscation is a hot topic for newbies and an old topic for subject matter experts. However, remember I'm using GL.iNet routers (server and client); I don't install any programs onto the routers via the command line.

I'm considering buying a desktop for home to set up a server and implement a WireGuard-over-TLS tunnelling solution.

Hey Frollic,

I can access LuCI.

You can use the GL.iNet web interface to re-flash your device with OpenWrt (Upgrade > Local Upgrade). You can also access LuCI (the normal OpenWrt web interface) and from there you can upload and install a new OpenWrt firmware as normal.

As long as you have the GL.iNet web UI, you're still running their version of OpenWrt; it doesn't matter if you find LuCI or Jimmy Hoffa underneath it.

That's funny (find LuCI).

OK, it seems to your eyes GL.iNet is not enough to do what I need.

Not what I said.

GL.iNet's firmware is a black box to us; whatever we tell you to do might be wrong or not work, because of the (possible or probable, pick one) differences between their and "our" OpenWrt.


No idea. But you could ask your employer. It's always possible.

No idea. But she could ask her employer. It's always possible.

I will not suggest that either one of you breaches your respective companies' policies, but there's (usually) no harm in having a conversation. There's a difference between "we detected the presence of a VPN; care to explain?" and "we prohibit the use of VPNs; care to explain?"

Anyway, this is straying away from your original query. Encapsulation is certainly possible (tunnelling one VPN through another VPN), but it carries its own challenges. Every time you encapsulate one protocol inside another protocol, you eat away at the available space for payloads, so each successively-encapsulated packet carries less and less information.

This is a grossly over-simplified and not-to-scale shoddy diagram (see my profile for an excellent tool for shoddy diagrams) showing the concept:

In each encapsulated packet the header has to remain the same size, which is why the payload shrinks. (And yes, I know that the header sections in my diagram are not all the same size; my artistic skills are poor.)

So while it might be possible to obfuscate the use of WireGuard by the use of encapsulation, you might face the possibility of a performance / throughput hit by doing so.

This is a great illustration!

I am more than willing to deal with the hit on performance.

Not sure if you saw this link, but it's literally what I utilized to set up my "setup". Again, a very basic setup.

Would you know of a way for me to utilize LuCI to install obfsproxy or something equivalent?

Not offhand, as I haven't played with multi-protocol encapsulation in a while, and certainly not on OpenWrt. It's possible another forum member may be able to suggest which - if any - package(s) to install and what configuration to apply.

As an aside, that still image first shown when loading the YouTube page pretty much illustrates what I thought you were describing (and also my own setup; wanting a tiny, device-independent VPN back to home is what prompted me to buy a Vocore 2).

Like I originally said, your employer's DPI cannot detect the WireGuard tunnel running between your two locations, as these packets don't go through your employer's network.

The way they probably detect it is:

  • MTU discrepancy - and the solution to that issue is to set it to 1500 inside the tunnel. This will cause the outer packets to be fragmented between your current location and your home and will hurt performance, as fragmented packets cannot be offloaded to NIC hardware to fill in missing details.
  • Agent software your employer installed running on your local machine that either scans for other Wi-Fi networks and detects your location, or something similar. The only solution there is to use wired networking and not have Wi-Fi turned on at all.

Now thinking about it:

  • Are you sure you are not leaking your location by using IPv6? If you have an IPv4 tunnel but have IPv6 connectivity, and your employer has IPv6 set up for the VPN endpoint, they will see your IPv6 address, as that doesn't go through the tunnel at all.

In any case, why do you want to obfuscate wireguard unless you are in China or another country where VPNs are forbidden?
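
A check for the IPv6 leak described above. This is an added example, not code from the thread: it parses the text of `ip -4 route` and `ip -6 route` as run on the client router (or the laptop behind it) and reports whether the effective default route of each address family bypasses the tunnel. The tunnel interface name wg0 and the two route tables embedded below are assumptions and constructed sample output; on a GL.iNet build the interface may be named differently, so pass the real name.

```python
"""Spot an IPv6 (or IPv4) default route that bypasses the WireGuard tunnel.

Added example, not from the thread. Feed it the text of `ip -6 route` and
`ip -4 route` from the *client* side. The tunnel interface name wg0 is an
assumption; GL.iNet/OpenWrt builds may use a different name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PREFIXES = {"default", "::/0", "0.0.0.0/0"}


@dataclass
class Route:
    prefix: str
    dev: str
    metric: int
    table: str


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route` / `ip -6 route` output, one route per line."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dev = re.search(r"\bdev (\S+)", line)
        metric = re.search(r"\bmetric (\d+)", line)
        table = re.search(r"\btable (\S+)", line)
        routes.append(Route(
            prefix=line.split()[0],
            dev=dev.group(1) if dev else "",
            metric=int(metric.group(1)) if metric else 0,   # absent metric = 0
            table=table.group(1) if table else "main",
        ))
    return routes


def effective_default(routes: List[Route]) -> Optional[Route]:
    """The default route the kernel will actually use: lowest metric among
    the defaults in the main table (policy-routing tables are ignored)."""
    candidates = [r for r in routes
                  if r.prefix in DEFAULT_PREFIXES and r.table == "main"]
    return min(candidates, key=lambda r: r.metric) if candidates else None


def bypasses_tunnel(routes: List[Route], tunnel_dev: str = "wg0") -> bool:
    """True when traffic with no more specific route leaves via a non-tunnel
    device, i.e. the remote end sees the local ISP address, not the home one.
    No default route at all means no connectivity for that family: no leak."""
    best = effective_default(routes)
    return best is not None and best.dev != tunnel_dev


def leak_report(v4_text: str, v6_text: str, tunnel_dev: str = "wg0") -> dict:
    return {
        "ipv4_bypasses_tunnel": bypasses_tunnel(parse_ip_route(v4_text), tunnel_dev),
        "ipv6_bypasses_tunnel": bypasses_tunnel(parse_ip_route(v6_text), tunnel_dev),
    }


# Constructed sample output, modelled on a client router whose WireGuard
# peer has AllowedIPs = 0.0.0.0/0 only, while the WAN side accepted a
# router advertisement carrying a global IPv6 prefix and an IPv6 gateway.
SAMPLE_V4 = """\
default dev wg0 scope link
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2
192.168.8.0/24 dev eth0 proto kernel scope link src 192.168.8.2
default via 192.168.8.1 dev eth0 metric 10
"""
SAMPLE_V6 = """\
2001:db8:1234::/64 dev eth0 proto kernel metric 256 expires 86399sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wg0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1799sec pref medium
"""

if __name__ == "__main__":
    print(leak_report(SAMPLE_V4, SAMPLE_V6))
    # -> {'ipv4_bypasses_tunnel': False, 'ipv6_bypasses_tunnel': True}
```

The sample shows exactly the situation the post describes: IPv4 defaults to wg0, but a router advertisement on the WAN installed a global IPv6 prefix and an IPv6 default via eth0, so anything the work laptop does over IPv6 reveals the local ISP address. The two fixes consistent with the thread are disabling IPv6 on the client side entirely, or adding `::/0` to the peer's AllowedIPs (with an IPv6 address on the tunnel interface) so IPv6 rides the tunnel too. The check only looks at the main table, so it will not see a default that wg-quick style policy routing placed in a separate table; run it against the table the kernel actually consults for that host.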

Hey Zekica,

Hmm, interesting lesson; my work laptop connects to my VPN. Currently I do not have IPv6 enabled on the client router.

I just wanted to add greater encryption to my existing WG setup.

Your explanation may indicate the reason why my employer doesn't bother me, since I'm connecting my work laptop to my router only via LAN.

I've had this setup for 6 months hassle-free. However, I'm not sure whether that means I'm clear or whether my company, being so large, doesn't have the policies or procedures in place.

However, my wife uses our personal laptop; they made her install a version of OpenVPN, and she then logs into a virtual machine. For two months nothing was noticed, until recently. An email was generated stating she may be using a VPN or be working outside of the country. Which, to be fair, yes. However, I can't determine why they found out, or at least suspect. Since their OpenVPN system is installed directly onto my personal laptop, I assume they have easier ways to determine my location.

Unless she accidentally left the Wi-Fi on while connected to LAN as well, and for some reason her job decided to use her Wi-Fi to determine location.

I will double check my IPv6 setting.

My goal is to minimize the risk.

However, Google and Edge make it so much harder, due to saving geolocation when pages are accessed to get a more precise location.

The obvious approach is to ask them. If they do have a genuine issue with it then it's better to know what that issue is and how you can mitigate it. Attempting to obfuscate the issue could have worse consequences down the line.
