this post was submitted on 30 Oct 2023
53 points (96.5% liked)

Selfhosted

39435 readers
5 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

ChatGPT led me to tunsafe however the project seems to be abandoned?

I'm trying to find ways to convert wireguard traffic into plain HTTPS so as to not trigger some advanced DPI. So far, I have come across udp2raw and updtunnel which convert the traffic to TCP, but AFAIK the SSL used in Wireguard triggers DPIs.

Does anyone have a workaround? Thanks!


Everyone, there seems to be a way go achieve this:

Wireguard (change port to 443) + udp2raw or udptunnel to convert packets to TCP + stunnel (configured on both client and server - used by OpenVPN to encapsulate traffic in TLS).

This is basically what OpenVPN does, and theoretically this should do OK. I haven't tested it however, so if you have, please let us know!

all 29 comments
sorted by: hot top controversial new old
[–] [email protected] 15 points 1 year ago (1 children)

I have heard of shadowsocks for this purpose. I have not tried it myself but I recall having read it being used to hide VPN traffic behind the great firewall. A brief intro to it here:

https://errande.com/obfuscate-wireguard/

[–] [email protected] 2 points 1 year ago (1 children)

Thank you. It's between this and SoftEther now

[–] [email protected] 1 points 1 year ago (1 children)

Keep in mind there's another very easy method to mess with wg traffic: breaking the connection once every 30 seconds or so. This won't affect the vast majority of real HTTPS connections but will ruin long lived connections like ssh or streaming.

[–] [email protected] 1 points 1 year ago (1 children)

Hi, is there a point to doing this? My ISP/any advanced DPI will still know that I'm using Wireguard

[–] [email protected] 3 points 1 year ago (1 children)

They are talking about how whoever or whatever you are trying to get around can still mess with your wg tunnels even if you are masking them as https

[–] [email protected] 1 points 1 year ago (1 children)

How can someone else mess with the timeout of my wg tunnel if I mask them as HTTPS traffic?

[–] [email protected] 2 points 1 year ago (1 children)

They can break the session every 30 seconds, which would be fine for a normal web session but mess with your wg tunnel

[–] [email protected] 1 points 1 year ago

Would breaking a TCP session every 30 seconds be OK for something like video streaming/content browsing?

I wonder if I can automate the breaking and forming of session on clients. Hopefully Android has something that will let me do this, I'm sure I can figure something out on Linux

[–] [email protected] 8 points 1 year ago (1 children)

Please update the post if you found solution to this. Also check this out.

[–] [email protected] 2 points 1 year ago

I have found 3 different possible solutions to the problem but not sure if anyone in the community has done this yet. Thanks for the link.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TCP Transmission Control Protocol, most often over IP
TLS Transport Layer Security, supersedes SSL
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network

7 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.

[Thread #253 for this sub, first seen 30th Oct 2023, 16:40] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 1 year ago
[–] [email protected] -1 points 1 year ago (2 children)

OpenVPN? You can literally set it to run on port 443 tcp

[–] [email protected] 3 points 1 year ago (1 children)

True, but I just figured that it is possible to run Wireguard with stunnel, the latter is used by OpenVPN to wrap packets in TLS and masquerade as HTTPS traffic. If I can do that, and convert UDP packets to TCP with the software I mentioned in the post (changing the port is trivial), then I could achieve what I want!

[–] [email protected] 2 points 1 year ago (2 children)

I used stunnel years ago to tunnel both openVPN and SSH traffic and it worked flawlessly. Looks just like https web traffic to dpi software. Beware though, that long open connections can also set off flags, so don't keep connection's open permanently.

[–] [email protected] 1 points 1 year ago

I see. Thanks, good to know. I'll see if I can automate opening and closing connections. However, I do think that a lot of applications (especially chat/video applications) maintain fairly long connections these days: long livestreams on YT, discord client, lemmy, Instagram etc. Basically, if you're consuming content online, there's a good chance that your device might keep the connection going.

With that said, it's important to blend in: I wonder if I can automate the disconnect-connect process on Android

[–] [email protected] 1 points 1 year ago

Hey, can I ask which DPI software were you using, and how did you get access to it?

[–] [email protected] 3 points 1 year ago

I agree. It sounds like this Rube Goldberg contraption would basically sacrifice all advantages of WireGuard.

At that point you might as well fall back to OpenVPN and at least get the reliability of a proven mature solution.