StarBrilliant <co...@poorlab.com> writes:
> On Mon, Sep 27, 2021, at 10:21, Bruno Wolff III wrote:
>> If your ISP is blocking your Wireguard traffic call them up and complain.
>
> All ISPs in China are blocking WireGuard traffic. If you call any of
> them up, you will end up in jail. There was a case where one user sued
> their ISP for blocking Google, and got prosecuted until they disappeared
> from public view.
> [...]

Thanks a lot for the detailed explanation.

While we have become a bit off-topic (more of the why than the how) in regards to WireGuard, I think the above explanation is important.

WireGuard's purpose is to be a secure VPN tunnel, and I personally would love it if we could add "reliable" to its feature list. However, that would need more advanced support, like what obfuscation provides. I'm not saying obfuscation is the only method, but compared to a DPI with statistical analysis, I think we are pretty far away from being reliable in hostile networks.

Maybe extending WireGuard with obfuscation is out of scope for this project, but then it might be an idea to wrap the WireGuard traffic into other protocols. I'm not sure how much WireGuard depends on the IP/UDP layers, but assuming it only uses them for payload, maybe it makes sense to wrap WireGuard into HTTP, HTTPS, SMTP (+TLS), IMAP(S) or even DNS (slow).

I am aware that there is a variety of tools out there that handle some of the tunnel ideas. Given that all of these approaches are actually rather trivial to implement, is there any easy way to grab the outgoing WireGuard packets without the need of creating n artificial local UDP endpoints?

Best regards,

Nico

--
Sustainable and modern Infrastructures by ungleich.ch