This is a simple obfuscator for WireGuard. It is designed to make it harder to detect WireGuard traffic by making it look like something else.
It does this by wrapping WireGuard packets in a layer of obfuscation using a simple XOR cipher. Usefull for bypassing DPI (Deep Packet Inspection) firewalls, e.g. if your ISP/government blocks WireGuard traffic.
+----------------+
| WireGuard peer |
+----------------+
^
|
v
+----------------+
| Obfuscator |
+----------------+
^
|
v
+----------------+
| Internet |
+----------------+
^
|
v
+----------------+
| Obfuscator |
+----------------+
^
|
v
+----------------+
| WireGuard peer |
+----------------+
Since the obfuscator is a simple XOR cipher, it is totally simmetric. You need to install this application on the same network as the WireGuard peer you want to obfuscate, you need to do this on the other peer too.
The obfuscator will then obfuscate the WireGuard packets and send them to the Internet. On the other side the obfuscator will deobfuscate the packets and send them to the WireGuard peer.
It can be used even if one of the peers is behind a NAT or has a dynamic IP address. The obfuscator will keep track of the IP address of the peer after handshake and will send the packets to the correct IP address.
You can pass parameters to the obfuscator using a configuration file or command line arguments. Available parameters are:
source-if
– source interface to listen on. Optional, default is 0.0.0.0
, e.g. all interfaces. Can be used to listen only on a specific interface.source
– source client address and port in address:port
format. Optional. By default any address and port is accepted but server replies will be sent to the last successfully handshake address, so it can work over NAT. If specified, only packets from this address will be accepted and all server replies will be sent to this address, in such case target side cat initiate connections to the source side too.source-lport
– source port to listen. Source client should connect to this port. Required.target-if
– target interface to listen on. Optional, default is 0.0.0.0
, e.g. all interfaces. Can be used to listen only on a specific interface.target
– target address and port in address:port
format. Obfuscated data will be sent to this address. Required.target-lport
– target port to listen. Optional. Default is auto (assigned by the OS). If specified, target can initiate connections to the source side too.key
– obfuscation key. Just string. Longer – better. Required.verbose
– verbosity level, 0-4. Optional, default is 2.You can use configuration file with those parameters in key=value
format. For example:
# Port to listen for the source client (real client or client obfuscator)
source-lport = 13255
# Host and port of the target to forward to (server obfuscator or real server)
target = 10.13.1.100:13255
# Obfuscation key, must be the same on both sides
key = test
For more information click here.
This Python script for Linux can analyze Microsoft Windows *.msi Installer files and point out…
Bear C2 is a compilation of C2 scripts, payloads, and stagers used in simulated attacks…
Discover your application security risks and vulnerabilities in only a few minutes. In this guide…
The idea behind waymore is to find even more links from the Wayback Machine than…
The Pycript extension for Burp Suite is a valuable tool for penetration testing and security…
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and…