Russia starts blocking VPN at the protocol (WireGuard, OpenVPN) level

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Xray-core

    Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.

  • I have been researching VPN protocols that work in China and found that Xray [0] is the most recommended route to escape the GFW. An ideal VPN setup is one where packets appear as normal https traffic. Some VPN setups take it a step further and proxy the traffic through Cloudflare. Setting all this up is nowhere as easy as Wireguard. Coincidentally, I came across this project on Github earlier today which is an obfuscation proxy for Wireguard [1], but I haven't found any information about how well it works.

    [0] https://github.com/XTLS/Xray-core

    [1] https://github.com/database64128/swgp-go

  • swgp-go

    šŸ‰ Simple WireGuard proxy with minimal overhead for WireGuard traffic.


  • wstunnel

    Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

    While working in an environment where VPN connections were pretty much all blocked⁰ a friend of mine had success using https://guacamole.apache.org/ to access a remote machine¹. Not quite the same as a direct VPN connection but worth a try if nothing else functions, it looks enough like normal HTTPS traffic that he got away with it.

    To keep your wireguard setup more as-is, you could try https://kirill888.github.io/notes/wireguard-via-websocket/ to tunnel that via a web server. In fact https://github.com/erebe/wstunnel which that uses could be used just as well with any other UDP based VPN.

    I once tinkered with https://github.com/yarrick/iodine and successfully connected to resources over the wireless on a train, bypassing its traffic capture and sign-up requirement, so that might be an option, though I think fully blocking external DNS is more common now so this is less likely to work²³.

    --

    [0] practically only HTTP(S) permitted, not even SSH, DPI in use that detected just using SSH or OpenVPN over port 443

    [1] NOTE: be careful breaching restrictions like this, you are at risk of an insta-sacking if discovered, or worse if operating in some security environments!

    [2] and the latency when it does work is significant!

    [3] and that much traffic over port 53 might get noticed by the heuristics of data exfiltration scanner, encouraging sysadmins to notice and implement a way to block it

  • iodine

    Official git repo for iodine dns tunnel


  • Wireshark

    Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. ⚠️ GitHub won't let us disable pull requests. ⚠️ THEY WILL BE IGNORED HERE ⚠️ Upload them at GitLab instead.

  • They even have a nice comment explaining the heuristic: https://github.com/wireshark/wireshark/blob/ef9c79ae81b00a63...

         * Heuristics to detect the WireGuard protocol:

  • browsh

    A fully-modern text-based browser, rendering to TTY and browsers

  • > If you are using a JS based browser, you don't deserve security in first place.

    In some cases, that is true, but not all, and I suggest not even most. In many cases, I think people are just as liable for being unwilling to use Whonix.

    > If I had time I could set up a tutorial not to use SSH as a proxy, but as a client to a remote VPS/tilde to use the offpunk client there to browse web/gemini and gopher sites anonymously.

    https://github.com/browsh-org/browsh can be pretty decent, too. It's a shame that it's not common practice to provide resource gleanings in the form of such access to random others from one's VPS. Easily reproduced NixOS tool in VM with locked down containers proxying through a local tor would scale up alright and significantly limit risks for the donor. I find very few people take up the offer to even use another's VPS though.
