ChatGPT led me to tunsafe however the project seems to be abandoned?

I’m trying to find ways to convert wireguard traffic into plain HTTPS so as to not trigger some advanced DPI. So far, I have come across udp2raw and updtunnel which convert the traffic to TCP, but AFAIK the SSL used in Wireguard triggers DPIs.

Does anyone have a workaround? Thanks!


Everyone, there seems to be a way go achieve this:

Wireguard (change port to 443) + udp2raw or udptunnel to convert packets to TCP + stunnel (configured on both client and server - used by OpenVPN to encapsulate traffic in TLS).

This is basically what OpenVPN does, and theoretically this should do OK. I haven’t tested it however, so if you have, please let us know!

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Keep in mind there’s another very easy method to mess with wg traffic: breaking the connection once every 30 seconds or so. This won’t affect the vast majority of real HTTPS connections but will ruin long lived connections like ssh or streaming.

          • Sauce@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            They are talking about how whoever or whatever you are trying to get around can still mess with your wg tunnels even if you are masking them as https

              • Sauce@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                They can break the session every 30 seconds, which would be fine for a normal web session but mess with your wg tunnel

                • MigratingtoLemmy@lemmy.worldOP
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Would breaking a TCP session every 30 seconds be OK for something like video streaming/content browsing?

                  I wonder if I can automate the breaking and forming of session on clients. Hopefully Android has something that will let me do this, I’m sure I can figure something out on Linux

    • MigratingtoLemmy@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I have found 3 different possible solutions to the problem but not sure if anyone in the community has done this yet. Thanks for the link.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    4
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    SSH Secure Shell for remote terminal access
    SSL Secure Sockets Layer, for transparent encryption
    TCP Transmission Control Protocol, most often over IP
    TLS Transport Layer Security, supersedes SSL
    UDP User Datagram Protocol, for real-time communications
    VPN Virtual Private Network

    7 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.

    [Thread #253 for this sub, first seen 30th Oct 2023, 16:40] [FAQ] [Full list] [Contact] [Source code]

    • MigratingtoLemmy@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      True, but I just figured that it is possible to run Wireguard with stunnel, the latter is used by OpenVPN to wrap packets in TLS and masquerade as HTTPS traffic. If I can do that, and convert UDP packets to TCP with the software I mentioned in the post (changing the port is trivial), then I could achieve what I want!

      • Jason2357@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I used stunnel years ago to tunnel both openVPN and SSH traffic and it worked flawlessly. Looks just like https web traffic to dpi software. Beware though, that long open connections can also set off flags, so don’t keep connection’s open permanently.

        • MigratingtoLemmy@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I see. Thanks, good to know. I’ll see if I can automate opening and closing connections. However, I do think that a lot of applications (especially chat/video applications) maintain fairly long connections these days: long livestreams on YT, discord client, lemmy, Instagram etc. Basically, if you’re consuming content online, there’s a good chance that your device might keep the connection going.

          With that said, it’s important to blend in: I wonder if I can automate the disconnect-connect process on Android

    • vzq@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I agree. It sounds like this Rube Goldberg contraption would basically sacrifice all advantages of WireGuard.

      At that point you might as well fall back to OpenVPN and at least get the reliability of a proven mature solution.

  • lungdart@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    15
    ·
    1 year ago

    Wireguard is e2e encrypted, no middleman can inspect the packets without the private keys.

    • MigratingtoLemmy@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      19
      ·
      1 year ago

      I’m aware that it is encrypted, however DPIs can pick out Wireguard traffic (due to the behaviour of SSL used in the protocol) and can identify/deny Wireguard traffic. I don’t want that to happen. OpenVPN has a way to mask its traffic, I’m trying to see if anyone has done anything of the sort with Wireguard

      • lungdart@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        8
        ·
        1 year ago

        You can try putting it on pretty 443 or another tls port. It’s not a perfect solution but it could help for your specific setup.

        • TCB13@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          3
          ·
          1 year ago

          Yes this is a good way to baypass a lot of commercial firewalls.

          • railsdev@programming.dev
            link
            fedilink
            English
            arrow-up
            5
            ·
            edit-2
            1 year ago

            That wouldn’t help with deep packet inspection but only those firewalls too lazy to check what’s actually being sent there. Even then I doubt it would work because WireGuard uses UDP, not TCP.

            • TCB13@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              3
              ·
              1 year ago

              I know it doesn’t do shit against DPI, but you would be amazed at the amount of firewalls in corporate networks, hotels and public places that’ll be able to bypass by just running WG on port 443 or 80.