WireGuard Obfuscator – Enhancing Privacy By Concealing VPN Traffic

This is a simple obfuscator for WireGuard. It is designed to make it harder to detect WireGuard traffic by making it look like something else.

It does this by wrapping WireGuard packets in a layer of obfuscation using a simple XOR cipher. Usefull for bypassing DPI (Deep Packet Inspection) firewalls, e.g. if your ISP/government blocks WireGuard traffic.

How It Works

+----------------+
| WireGuard peer |
+----------------+
        ^
        |
        v
+----------------+
|   Obfuscator   |
+----------------+
        ^
        |
        v
+----------------+
|   Internet     |
+----------------+
        ^
        |
        v
+----------------+
|   Obfuscator   |
+----------------+
        ^
        |
        v
+----------------+
| WireGuard peer |
+----------------+

Since the obfuscator is a simple XOR cipher, it is totally simmetric. You need to install this application on the same network as the WireGuard peer you want to obfuscate, you need to do this on the other peer too.

The obfuscator will then obfuscate the WireGuard packets and send them to the Internet. On the other side the obfuscator will deobfuscate the packets and send them to the WireGuard peer.

It can be used even if one of the peers is behind a NAT or has a dynamic IP address. The obfuscator will keep track of the IP address of the peer after handshake and will send the packets to the correct IP address.

How To Use

You can pass parameters to the obfuscator using a configuration file or command line arguments. Available parameters are:

• source-if – source interface to listen on. Optional, default is 0.0.0.0, e.g. all interfaces. Can be used to listen only on a specific interface.
• source – source client address and port in address:port format. Optional. By default any address and port is accepted but server replies will be sent to the last successfully handshake address, so it can work over NAT. If specified, only packets from this address will be accepted and all server replies will be sent to this address, in such case target side cat initiate connections to the source side too.
• source-lport – source port to listen. Source client should connect to this port. Required.
• target-if – target interface to listen on. Optional, default is 0.0.0.0, e.g. all interfaces. Can be used to listen only on a specific interface.
• target – target address and port in address:port format. Obfuscated data will be sent to this address. Required.
• target-lport – target port to listen. Optional. Default is auto (assigned by the OS). If specified, target can initiate connections to the source side too.
• key – obfuscation key. Just string. Longer – better. Required.
• verbose – verbosity level, 0-4. Optional, default is 2.

You can use configuration file with those parameters in key=value format. For example:

# Port to listen for the source client (real client or client obfuscator)
source-lport = 13255

# Host and port of the target to forward to (server obfuscator or real server)
target = 10.13.1.100:13255

# Obfuscation key, must be the same on both sides
key = test

For more information click here.