I'm currently traveling in Uzbekistan and am surprised that WireGuard as a protocol is just blocked. I use WireGuard with my own server, because usually governments just block well-known VPN providers and a small individual server is fine.
It's the first time I've encountered a case where the entire protocol is just blocked. Worth checking what is blocked and how before deciding which VPN provider to use.
Well, think about it - almost every other interaction you can have with an individual in another country is mediated by government. Physical interaction? You need to get through a border and customs. Phone call? Going through their exchanges, could be blocked, easy to spy on with wiretaps. Letter mail? Many cases historically of all letters being opened before being forwarded along.
We lived through the golden age of the Internet where anyone was allowed to open a raw socket connection to anyone else, anywhere. That age is fading now, and a time may come where even sending an email to someone in Russia or China will be fraught with difficulty. Certainly encryption will be blocked.
We're going to need steganographic tech that uses AI-hallucinated content as a carrier, or something.
On the contrary, it shows that they know very well what they're doing. Their goal is censorship. If that disrupts connectivity for some niche but valid use cases, so be it. The vast majority of people have never used a WireGuard tunnel, so they are unimpacted. Some corporate use cases that even that government would approve of are disrupted, but they can either live with that or have a whitelist. Most non-corporate use of this and other similar protocols is not something the government would allow.
So, given their nefarious goal, they are doing a great job by blocking WireGuard (and similar protocols, presumably).
A year ago I was traveling through Uzbekistan while also partly working remotely. IKEv2 VPN was blocked, but thankfully I was able to switch to SSL VPN, which worked fine. I didn't expect that; everything else (people, culture) in the country seemed quite open.
Cloak + WireGuard should work fine on the server side. The problem is that I didn't find any clients for Android and I doubt there are clients for iOS that can (a) open a Cloak tunnel and then (b) allow WireGuard to connect to localhost...
Is it the protocol that's blocked as a result of DPI, or just the default 51820 UDP port that's blocked? If the latter, just changing your WireGuard server's port might work.
I think the hardware doesn't keep up. Uzbekistan has the worst internet compared to Kazakhstan and Kyrgyzstan whilst the infrastructure in general is much better (in my fairly uneducated opinion). I expected to have the best internet until I got around to trying to use it.
It's UDP, not TCP (like TLS) and has a distinguishable handshake. WireGuard is not designed as a censorship prevention tool, it's purely a networking solution.
The tunnel itself is encrypted, but the tunnel creation and existence is not obfuscated.
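Added example, not part of any post in this thread: a minimal sketch of how a DPI box can recognise the handshake from the cleartext header and fixed message sizes alone, which is why moving off port 51820 does not hide it. The message types and sizes are those of the WireGuard protocol description; the function names, addresses and sample packets are constructed for illustration.

```python
import os

# Cleartext header facts from the WireGuard protocol description:
# byte 0 is the message type, bytes 1-3 are reserved zeros, and the
# three handshake-phase messages have fixed UDP payload sizes.
FIXED = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
}
TRANSPORT_TYPE, TRANSPORT_MIN = 4, 32  # 16-byte header + 16-byte auth tag

def classify(payload: bytes) -> str:
    """Label one UDP payload from header and length alone; the port is never consulted."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return "other"
    msg_type = payload[0]
    if msg_type in FIXED:
        name, size = FIXED[msg_type]
        return name if len(payload) == size else "other"
    # Transport data is padded to 16 bytes before the 16-byte tag is appended.
    if msg_type == TRANSPORT_TYPE and len(payload) >= TRANSPORT_MIN and len(payload) % 16 == 0:
        return "transport_data"
    return "other"

def wireguard_flows(packets):
    """Return (initiator, responder) pairs where an initiation was answered by a response."""
    pending, flagged = set(), set()
    for src, dst, payload in packets:
        kind = classify(payload)
        if kind == "handshake_initiation":
            pending.add((src, dst))
        elif kind == "handshake_response" and (dst, src) in pending:
            flagged.add((dst, src))
    return flagged

# Constructed sample traffic: documentation addresses, random stand-in ciphertext,
# and a server listening on UDP 443 instead of the default 51820.
CLIENT, SERVER, RESOLVER = ("192.0.2.10", 40000), ("198.51.100.7", 443), ("203.0.113.53", 53)
INITIATION = b"\x01\x00\x00\x00" + os.urandom(144)
RESPONSE = b"\x02\x00\x00\x00" + os.urandom(88)
DNS_QUERY = bytes.fromhex("123401000001000000000000076578616d706c6503636f6d0000010001")
QUIC_LIKE = b"\xc3\x00\x00\x00\x01" + os.urandom(1195)  # long header, version 1
SAMPLE = [(CLIENT, RESOLVER, DNS_QUERY), (CLIENT, SERVER, INITIATION),
          (SERVER, CLIENT, RESPONSE), (CLIENT, SERVER, QUIC_LIKE)]

if __name__ == "__main__":
    print(wireguard_flows(SAMPLE))
```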