WireGuard obfuscation

I am surprised how easily WireGuard can be blocked by firewalls. Changing the port does not help, as they might be using some kind of deep packet inspection.

Is there any solution for this on OpenWrt? I saw a project named udp2raw, but it looks like it is not available in the OpenWrt repository.

What/which firewall?


Yeah, I was surprised, too. The "easier" option for this particular location for me is to use OpenVPN on 443/TCP.

The original author provides binary downloads on his github repository, but I've never tried them.

Try Shadowsocks. I had a case where OpenVPN was blocked by deep packet inspection and Shadowsocks was able to pass through.

Shadowsocks could help, but you might want to experiment first to see if you can use WireGuard without such a solution, as things like Shadowsocks and udp2raw add overhead. It would help if you could give us more details about what difficulty you're up against exactly.

Some things you can try:

If you are dealing with a firewall or NAT that is aggressive about releasing the port binding, try setting WireGuard's persistent_keepalive to a lower value. The default is 25 seconds, but some CGNATs can release the binding in as little as 10 seconds. Also, it is possible to bypass a NAT if you can use IPv6.

If you are dealing with some corporate firewall that doesn't like UDP applications, you could try using UDP port 53. As long as the firewall doesn't check the payload for a well-formed DNS message or restrict the destination IP, there's a good chance you can get through. Other UDP ports you can try are 123 (NTP) and 443 (QUIC).

If you are dealing with government censorship such as the Great Firewall of China, which tries to prevent the smuggling of counter-revolutionary propaganda over UDP, then something like Shadowsocks or udp2raw is probably what you will have to use.
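The port and keepalive experiment from the post above, written out as an added example (not code from the thread or from any poster). It repoints an existing WireGuard peer at each candidate UDP port with `wg set`, lowers the keepalive to 10 seconds, and then decides whether the tunnel came up by parsing `wg show <iface> latest-handshakes` (one line per peer, public key and Unix timestamp separated by a tab, 0 if no handshake has ever completed). The interface name, peer public key, server hostname, port list and wait time are placeholders you must replace; the live sweep needs root and wg(8), while the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: sweep alternative UDP ports for a
# WireGuard peer and detect whether a handshake completes.
# Placeholders (assumptions): interface wg0, PEER_PUB, SERVER, PORTS, WAIT.

IFACE="${IFACE:-wg0}"                                # placeholder
PEER_PUB="${PEER_PUB:-REPLACE_WITH_PEER_PUBLIC_KEY}" # placeholder
SERVER="${SERVER:-vpn.example.net}"                  # placeholder
PORTS="${PORTS:-53 123 443}"   # DNS, NTP, QUIC: the ports the post suggests trying
KEEPALIVE="${KEEPALIVE:-10}"   # below the 25 s default; some CGNATs drop bindings after ~10 s
WAIT="${WAIT:-15}"             # seconds to give the handshake before judging the port

# handshake_age PUBKEY NOW WG_OUTPUT
# Parse the output of `wg show IFACE latest-handshakes` ("<pubkey>\t<epoch>" per peer)
# and print the age in seconds of PUBKEY's last handshake; prints -1 and fails
# if the peer is absent or has never completed a handshake (timestamp 0).
handshake_age() {
    pub="$1"; now="$2"; out="$3"
    ts=$(printf '%s\n' "$out" | awk -v p="$pub" '$1 == p { print $2 }')
    if [ -z "$ts" ] || [ "$ts" -eq 0 ]; then
        printf '%s\n' "-1"
        return 1
    fi
    echo $((now - ts))
}

# tunnel_up PUBKEY NOW WG_OUTPUT MAX_AGE
# Succeeds only if a handshake completed within the last MAX_AGE seconds.
tunnel_up() {
    age=$(handshake_age "$1" "$2" "$3") || return 1
    [ "$age" -ge 0 ] && [ "$age" -le "$4" ]
}

# try_port PORT: repoint the peer at SERVER:PORT with the shorter keepalive,
# wait, then look for a fresh handshake.  Needs root and wg(8).
try_port() {
    port="$1"
    wg set "$IFACE" peer "$PEER_PUB" endpoint "$SERVER:$port" persistent-keepalive "$KEEPALIVE"
    sleep "$WAIT"
    tunnel_up "$PEER_PUB" "$(date +%s)" "$(wg show "$IFACE" latest-handshakes)" "$WAIT"
}

# sweep_ports: walk the candidate list, stop at the first port that handshakes.
sweep_ports() {
    for p in $PORTS; do
        if try_port "$p"; then
            echo "handshake OK via UDP/$p"
            return 0
        fi
        echo "no handshake via UDP/$p"
    done
    echo "no candidate port worked; the filter is probably matching the WireGuard payload, not the port" >&2
    return 1
}

# Run the live sweep only when invoked as "sh thisfile sweep", so the file can
# also be sourced for its helper functions.
if [ "${1:-}" = "sweep" ]; then
    sweep_ports
fi
```

The server side must of course listen on the same alternative port (ListenPort in its WireGuard config) and allow it through its own firewall. If every port fails while a handshake on the original port works from an unfiltered network, the blocking is payload based, which is the case the later posts address with obfuscation.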

Too bad. Shadowsocks is in the list of Fortinet's application filter. It is useless now.

Is it possible to have it support fw4?

what is fw4?

Firewall4 that was introduced officially with 22.03 release. The biggest difference between FW3 and FW4 was the change from iptables to nftables.


I don't have a 22.03 OpenWrt, so I tested it on Alpine Linux with nftables. The same iptables rules work.

With nftables, iptables is a symbolic link to an nft variant, xtables-nft-multi. It looks like it has no problem recognizing legacy iptables rules. The kernel code also works regardless of whether the userland is legacy iptables or nftables.


Maintainer: @infinet
Compile tested: (ramips-mt7620 19.07.9 and 22.03.2, x86_64 19.07.9)
Run tested: (x86_64 19.07.9)

  • You may want to clarify this statement then.
  • Is there a reason you were unable to test?
  • So it works in fw4 or no?
  • If yes, how to setup?
  • What is the equivalent OpenWrt package?
  • How do we get your software to work on fw4-based OpenWrt versions?

You may wish to develop for current OpenWrt next time. BTW, thank you for this module!

I look forward to its inclusion in the OpenWrt repository soon!


Do you think it would be possible to implement this for Android too? From what I understand, both ends of the connection need to use this module.

Wonder if it could be implemented in the main wireguard code.


You asked and I answered what FW4 is.


Back then I built it for 22.03 ramips, but didn't have a 22.03 device to test. I built and tested it on a 19.07 device though.

Anyway, I downloaded the 22.03.3 x86_64 SDK and got a VM to test. It builds OK and runs OK. Pre 22.03 there was /etc/firewall.user to run a custom firewall script. With fw4, /etc/firewall.user is gone; however, the legacy iptables command is still there with the default 22.03.3 installation. To use it, ssh into OpenWrt and manually execute two iptables commands to add two rules to the mangle table, as described in the xt_wgobfs README.

  • What legacy command (my default doesn't have iptables)? That's why I asked
  • Execute what 2 iptables commands?
  • Add what 2 rules?
  • How does the module get added?

I really think you may wanna finish getting this officially added. It's really hard to guess what steps you intend version 22.03.x users to perform to make it work.

It is in the x86_64 version of 22.03.3, or installing the two ipk packages pulled in iptables as a dependency. The kernel module is automatically loaded during my test. And yes, use these two iptables commands as in https://github.com/infinet/xt_wgobfs#usage.

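To make the "two iptables commands" concrete, here is an added example (not code from the thread, the poster, or the xt_wgobfs project) that builds and optionally applies the pair of mangle-table rules on either end of the tunnel. The rule shape (INPUT rule with `--unobfs`, OUTPUT rule with `--obfs`, both using the WGOBFS target and a shared `--key`) follows the usage section of the README linked above; check the option spellings against the README for the version you install. The port and key are placeholders, and the backend check reflects the earlier observation that on fw4 the `iptables` command is the xtables-nft shim.

```shell
#!/bin/sh
# Added example, not from the thread or the xt_wgobfs project: generate and
# optionally apply the two mangle-table WGOBFS rules for a WireGuard port.
# PORT and KEY are placeholders; target/option names are taken from the
# project README (verify against your installed version).
#
# Server: obfuscated packets arrive on --dport PORT (INPUT) and leave from
# --sport PORT (OUTPUT).  Client: the same port is the remote side's, so it
# appears as --sport on INPUT and --dport on OUTPUT.

PORT="${PORT:-6789}"                        # placeholder: WireGuard UDP port
KEY="${KEY:-replace-with-shared-obfs-key}"  # placeholder: must match on both ends

# obfs_rules ROLE PORT KEY -> prints the two iptables commands for ROLE (server|client)
obfs_rules() {
    role="$1"; port="$2"; key="$3"
    case "$role" in
        server) in_match="--dport"; out_match="--sport" ;;
        client) in_match="--sport"; out_match="--dport" ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac
    printf "iptables -t mangle -I INPUT -p udp -m udp %s %s -j WGOBFS --key '%s' --unobfs\n" "$in_match" "$port" "$key"
    printf "iptables -t mangle -I OUTPUT -p udp -m udp %s %s -j WGOBFS --key '%s' --obfs\n" "$out_match" "$port" "$key"
}

# iptables_backend VERSION_STRING -> nft | legacy | unknown
# On fw4 (22.03+) `iptables -V` reports "(nf_tables)": the xtables-nft shim
# that translates these rules into nftables for the kernel.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# apply_obfs ROLE: load the module, confirm an iptables frontend exists, apply
# the rules.  Needs root plus the kmod and iptables packages; not run by default.
apply_obfs() {
    role="$1"
    if ! lsmod | grep -q '^xt_wgobfs'; then
        modprobe xt_wgobfs || { echo "xt_wgobfs module not available" >&2; return 1; }
    fi
    backend=$(iptables_backend "$(iptables -V 2>/dev/null)")
    [ "$backend" = unknown ] && { echo "no iptables frontend found" >&2; return 1; }
    echo "iptables backend: $backend"
    obfs_rules "$role" "$PORT" "$KEY" | while read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

# Usage: sh thisfile show [server|client]   or   sh thisfile apply [server|client]
case "${1:-}" in
    show)  obfs_rules "${2:-server}" "$PORT" "$KEY" ;;
    apply) apply_obfs "${2:-server}" ;;
esac
```

Because /etc/firewall.user no longer exists on fw4, nothing re-creates these rules after a reboot; calling the apply step from /etc/rc.local (or a hotplug script for the WireGuard interface) is the usual workaround until the rules are expressed natively for fw4. The key should contain no shell metacharacters, since the generated command is evaluated by the shell.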

I had to setup a connection for someone on low end Broadcom equipment and he needed the speed of WireGuard vs OpenVPN.
WireGuard was blocked by the ISP.

I used DDWRT to set this up, as DDWRT has the ability to use obfuscation out of the box via the GUI.

But it must be possible to use it also for OpenWRT

Yes it is, you must have missed the rest of the thread:

  • the developer only makes it available for OpenWrt for x86_64
  • The developer of the software you linked is one of the posters and responders in this thread
  • Developer says they did indeed compile, test, etc. on OpenWrt
  • Developer explains how
  • Developer has not further explained if they want to make it compatible with a default user experience or simple install/setup methods of OpenWrt's package repository, etc.