VPN

WireGuard Obfuscator – Enhancing Privacy By Concealing VPN Traffic

This is a simple obfuscator for WireGuard. It is designed to make it harder to detect WireGuard traffic by making it look like something else.

It does this by wrapping WireGuard packets in a layer of obfuscation using a simple XOR cipher. Usefull for bypassing DPI (Deep Packet Inspection) firewalls, e.g. if your ISP/government blocks WireGuard traffic.

How It Works

+----------------+
| WireGuard peer |
+----------------+
        ^
        |
        v
+----------------+
|   Obfuscator   |
+----------------+
        ^
        |
        v
+----------------+
|   Internet     |
+----------------+
        ^
        |
        v
+----------------+
|   Obfuscator   |
+----------------+
        ^
        |
        v
+----------------+
| WireGuard peer |
+----------------+

Since the obfuscator is a simple XOR cipher, it is totally simmetric. You need to install this application on the same network as the WireGuard peer you want to obfuscate, you need to do this on the other peer too.

The obfuscator will then obfuscate the WireGuard packets and send them to the Internet. On the other side the obfuscator will deobfuscate the packets and send them to the WireGuard peer.

It can be used even if one of the peers is behind a NAT or has a dynamic IP address. The obfuscator will keep track of the IP address of the peer after handshake and will send the packets to the correct IP address.

How To Use

You can pass parameters to the obfuscator using a configuration file or command line arguments. Available parameters are:

source-if – source interface to listen on. Optional, default is 0.0.0.0, e.g. all interfaces. Can be used to listen only on a specific interface.
source – source client address and port in address:port format. Optional. By default any address and port is accepted but server replies will be sent to the last successfully handshake address, so it can work over NAT. If specified, only packets from this address will be accepted and all server replies will be sent to this address, in such case target side cat initiate connections to the source side too.
source-lport – source port to listen. Source client should connect to this port. Required.
target-if – target interface to listen on. Optional, default is 0.0.0.0, e.g. all interfaces. Can be used to listen only on a specific interface.
target – target address and port in address:port format. Obfuscated data will be sent to this address. Required.
target-lport – target port to listen. Optional. Default is auto (assigned by the OS). If specified, target can initiate connections to the source side too.
key – obfuscation key. Just string. Longer – better. Required.
verbose – verbosity level, 0-4. Optional, default is 2.

You can use configuration file with those parameters in key=value format. For example:

# Port to listen for the source client (real client or client obfuscator)
source-lport = 13255

# Host and port of the target to forward to (server obfuscator or real server)
target = 10.13.1.100:13255

# Obfuscation key, must be the same on both sides
key = test

For more information click here.

WireGuard Brings The Evolution of VPNs

March 16, 2020

In "Cyber security"

AWS Pen-Testing Laboratory : Pentesting Lab With A Kali Linux Instance Accessible Via Ssh And Wireguard VPN And With Vulnerable Instances In A Private Subnet

July 7, 2021

In "Kali Linux"

OpenBSD – Dynamic IP, WireGuard VPN, And Encrypted DNS

March 6, 2024

In "Cyber security"

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.