WireGuard obfuscation

I am surprised how easily WireGuard can be blocked by firewalls. Changing the port does not help, as they might be using some kind of deep packet inspection.

Is there any solution for this on OpenWrt? I saw a project named udp2raw, but it looks like it is not available in the OpenWrt repository.

What/which firewall?


Yeah, I was surprised, too. The "easier" option for this particular location for me is to use OpenVPN on 443/TCP.

The original author provides binary downloads on his github repository, but I've never tried them.

Try Shadowsocks. I had a case where OpenVPN was blocked by deep packet inspection and Shadowsocks was able to pass through.


Shadowsocks could help, but you might want to experiment first to see whether you can use WireGuard without such a solution, as things like Shadowsocks and udp2raw add overhead. It would help if you could give us more details about what difficulty you're up against exactly.

Some things you can try:

If you are dealing with a firewall or NAT that is aggressive about releasing the port bind, try setting WireGuard's persistent_keepalive to a lower value. The default is 25 seconds, but some CGNATs can release the bind in as little as 10 seconds. Also, it is possible to bypass a NAT if you can use IPv6.

If you are dealing with some corporate firewall that doesn't like UDP applications, you could try using UDP port 53. As long as the firewall doesn't check the payload for a well-formed DNS message or restrict the destination IP, there's a good chance you can get through. Other UDP ports you can try are 123 (NTP) and 443 (QUIC).

If you are dealing with government censorship such as the Great Firewall of China, which tries to prevent the smuggling of counter-revolutionary propaganda over UDP, then something like Shadowsocks or udp2raw is probably what you will have to use.
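The post above hinges on whether the middlebox looks only at the UDP port or also at the payload. The following is an added example (not code from the thread or from the WireGuard project) showing how cheaply a DPI engine can tell WireGuard from DNS on port 53: every WireGuard message starts with a type byte (1 to 4) followed by three reserved zero bytes, the three handshake messages have fixed lengths (148, 92 and 64 bytes), and transport-data messages are a 16-byte header plus a 16-byte-aligned encrypted body. A DNS message, by contrast, has a 12-byte header with a sane opcode and record counts and a parseable question name. All sample packets are constructed inline, not captured traffic; the function names are this example's own.

```python
"""Toy DPI classifier: WireGuard wire-format fingerprint vs. plausible DNS.

Added example for the thread, not code from the original post or from
WireGuard/OpenWrt. Sample packets below are constructed, not captured.
"""
import struct
from typing import Optional

# WireGuard message types and fixed sizes, from the protocol specification
WG_HANDSHAKE_INIT, WG_HANDSHAKE_RESP, WG_COOKIE, WG_DATA = 1, 2, 3, 4
WG_FIXED_LEN = {WG_HANDSHAKE_INIT: 148, WG_HANDSHAKE_RESP: 92, WG_COOKIE: 64}
WG_NAMES = {WG_HANDSHAKE_INIT: "handshake-initiation",
            WG_HANDSHAKE_RESP: "handshake-response",
            WG_COOKIE: "cookie-reply"}
WG_DATA_HEADER_LEN = 16   # type(1) + reserved(3) + receiver index(4) + counter(8)
POLY1305_TAG_LEN = 16


def looks_like_wireguard(payload: bytes) -> Optional[str]:
    """Return the WireGuard message name if the payload matches the wire format."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None                      # reserved bytes must be zero
    mtype = payload[0]
    if mtype in WG_FIXED_LEN:
        return WG_NAMES[mtype] if len(payload) == WG_FIXED_LEN[mtype] else None
    if mtype == WG_DATA:
        body = len(payload) - WG_DATA_HEADER_LEN
        # inner packet is padded to a multiple of 16 bytes, then a 16-byte tag is appended
        if body >= POLY1305_TAG_LEN and body % 16 == 0:
            return "transport-data"
    return None


def looks_like_dns(payload: bytes) -> bool:
    """Cheap sanity check: 12-byte header, exactly one question, parseable QNAME."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or qd != 1 or (qd + an + ns + ar) > 64:
        return False
    pos = 12                              # walk the labels of the first question
    while True:
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0 or length > 63:  # no compression pointers inside a question name
            return False
        pos += 1 + length
    return pos + 4 <= len(payload)        # QTYPE and QCLASS must fit


def classify(payload: bytes) -> str:
    """What a simple application-aware filter would label this UDP payload."""
    wg = looks_like_wireguard(payload)
    if wg:
        return "wireguard:" + wg
    if looks_like_dns(payload):
        return "dns"
    return "unknown"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A query; used only to produce sample input."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# --- constructed sample packets (not real captures) ---
SAMPLE_WG_INIT = b"\x01\x00\x00\x00" + bytes(range(144))            # 148 bytes, type 1
SAMPLE_WG_DATA = b"\x04\x00\x00\x00" + b"\x00" * 12 + b"\xaa" * 48   # 16-byte header + 48
SAMPLE_DNS = build_dns_query("openwrt.org")
SAMPLE_JUNK = b"\x01\x00\x00\x00" + b"\x00" * 10                    # right type byte, wrong length

if __name__ == "__main__":
    for label, pkt in [("wg-init", SAMPLE_WG_INIT), ("wg-data", SAMPLE_WG_DATA),
                       ("dns", SAMPLE_DNS), ("junk", SAMPLE_JUNK)]:
        print(f"{label:8s} -> {classify(pkt)}")
```

The practical takeaway: a port-only filter sees nothing here, but a filter that applies checks like these (which is what "application control" products do) will flag WireGuard on 53, 123 or 443 in the first handshake packet. Tools like udp2raw or Shadowsocks exist precisely to hide this fixed structure; the cost is extra per-packet overhead.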

Too bad. Shadowsocks is in Fortinet's application filter list. It is useless now.