Many authoritarian states try to censor free speech. To do this, they block access to web sites, commercial VPNs and VPN protocols, and in some cases they even cut off internet access completely. In this post I will explain how to bypass protocol blocking for Wireguard.
To bypass the blocking, you need to encapsulate Wireguard's UDP packets in a tunnel that looks like a TCP stream on the wire (udp2raw's faketcp mode, set up below), hiding them from the state's firewall appliances. For minimum overhead, maximum performance and the least stress on your servers, you can do this with a simple xor obfuscation. Since Wireguard traffic is already encrypted with a strong cipher, the xor layer is only used to hide the protocol; it adds no weakness to the security, but it also provides no cryptographic protection of its own. As most censors block the protocol on all UDP ports, trying different ports while running Wireguard without any hiding mechanism will be futile.
For this solution to work, you'll need to have your own Wireguard routers on both the server side and the client side. If you don't have a router on your client side, you can get a cheap Raspberry Pi 4 and install Wireguard on it. From this point on, this post assumes that you have correctly configured Wireguard installations on both the client and server sides, running on a distribution with systemd (Debian/Ubuntu etc.). NOTE: If you will be routing all your traffic over Wireguard, you need PostUp and PostDown configurations (in particular a route that keeps traffic to your server's public IP out of the tunnel, since udp2raw has to reach the server directly), which are not discussed here. But you can find a sample configuration on this page.
- Download the udp2raw binary archive from this link. When you extract the tar.gz file, you'll see that there are different binaries for different computer architectures. Select the correct binary for each of your client and server architectures (a Raspberry Pi 4 is ARM, so it will usually need a different binary than an x86-64 server), make it executable, and copy or link it under /usr/local/bin/ as udp2raw.
- On your server, create the file /etc/udp2raw.conf and enter the following configuration into it. You'll need to change the following according to your own configuration: TCP_PORT, an unused port on your server to listen on; WIREGUARD_PORT, the port that your Wireguard instance on the server currently listens on; and PASSWORD, an alphanumeric password that you will create now. The file holds this password in clear text, so make it readable by root only (chmod 600 /etc/udp2raw.conf). If the server has a firewall, allow inbound TCP on TCP_PORT. The -a option makes udp2raw add (and remove on exit) the iptables rule that stops the kernel from answering the fake TCP packets with RSTs, so iptables must be available on the host.
-s
# Local: listen for the fake TCP stream on all interfaces
-l 0.0.0.0:TCP_PORT
# Remote: hand the decapsulated UDP to Wireguard on loopback
-r 127.0.0.1:WIREGUARD_PORT
# Key: must be identical on server and client
-k PASSWORD
--auth-mode hmac_sha1
--raw-mode faketcp
# auto-add the iptables rule that suppresses kernel RSTs on TCP_PORT
-a
--fix-gro
# xor only obfuscates; Wireguard's own encryption provides the security
--cipher-mode xor
- On your client, again create the file /etc/udp2raw.conf and enter the following configuration into it. Again, you'll need to change the following according to your own configuration: LOCAL_PORT, a UDP port on your router that udp2raw will listen on (it binds to all interfaces, so other devices on the LAN can use it too); SERVER_IP, the IP address of your server; SERVER_TCP_PORT, the TCP port that you just entered on your server above; and PASSWORD, the same alphanumeric password you created above. The auth mode, raw mode and cipher mode must also be the same on both ends, otherwise the two sides will not talk to each other. Restrict this file to root as well (chmod 600).
-c
# Local
-l 0.0.0.0:LOCAL_PORT
# Remote
-r SERVER_IP:SERVER_TCP_PORT
# Key
-k PASSWORD
--auth-mode hmac_sha1
--raw-mode faketcp
-a
--fix-gro
--cipher-mode xor
- On both the server and client, create the file /etc/systemd/system/udp2raw.service and enter the following into it:
[Unit]
Description=udp2raw service
ConditionFileIsExecutable=/usr/local/bin/udp2raw
ConditionPathExists=/etc/udp2raw.conf
After=network.target

[Service]
Type=simple
User=root
Group=root
#LimitNOFILE=32768
# raw sockets and the iptables rule added by -a need these capabilities
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
ExecStart=/usr/local/bin/udp2raw --conf-file /etc/udp2raw.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target
- On both devices, run the following commands:
systemctl enable udp2raw.service
systemctl start udp2raw.service
- If you have used the correct binaries, your udp2raw tunnel should now be up and running (check with systemctl status udp2raw.service and journalctl -u udp2raw.service if it is not). The only thing left to do is to change the Wireguard configuration on your client router so that the server peer's Endpoint points at the local udp2raw listener, using the LOCAL_PORT from the client's udp2raw configuration, and to set MTU to 1280 so that the encapsulated packets fit inside the outer packets. You'll need to add something like below, MTU under [Interface] and Endpoint under the server's [Peer]:
MTU = 1280
Endpoint = 127.0.0.1:LOCAL_PORT
Keep in mind that udp2raw itself must still reach SERVER_IP outside the tunnel; if your AllowedIPs send all traffic through Wireguard, the PostUp/PostDown route exception mentioned in the note above is what prevents udp2raw's own packets from being routed into the tunnel.
Also, if you use Wireguard on iOS or Android, you can change their Endpoint to your client-side router's LAN IP and its udp2raw LOCAL_PORT and have them use the same TCP tunnel. This will only work when they are on the same network as the client-side router, though, so it will not work on cellular.
When you have made all these changes, you'll be able to reach your Wireguard server with very little performance penalty.
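As a sanity check before starting the services, here is a bash script, added as an example for this write-up and not part of the original post or of udp2raw itself, that parses a server/client pair of udp2raw conf files and reports the mismatches that most often make the pair fail silently: a different password, auth mode, cipher mode or raw mode on the two ends, a client -r port that is not the server's -l port, a non-alphanumeric password, or a server -r that does not point at Wireguard on loopback. It also installs a conf file with the root-only permissions the password requires. The sample pair it writes is constructed for this example; 443, 4096, 51820, 203.0.113.10 and Example123 are placeholders, not real values.

```shell
#!/bin/bash
# Added example: consistency check for a udp2raw server/client conf pair.
# Not from the original post; all hosts, ports and the password below are placeholders.
set -u

# conf_get FILE OPTION -> prints the value of OPTION (e.g. "-k", "--cipher-mode").
# Lines starting with '#' are comments in udp2raw conf files and are skipped.
conf_get() {
    awk -v opt="$2" '
        /^[[:space:]]*#/ { next }
        $1 == opt { print $2; exit }
    ' "$1"
}

# conf_has FILE FLAG -> succeeds if the bare flag (e.g. "-s", "-c", "-a") is present.
conf_has() {
    awk -v opt="$2" '
        /^[[:space:]]*#/ { next }
        $1 == opt { found = 1 }
        END { exit !found }
    ' "$1"
}

# port_of "host:port" -> port
port_of() { printf '%s\n' "${1##*:}"; }

# install_conf SRC DEST -> copies the conf into place readable by root only (it holds the password).
install_conf() { (umask 077 && cp "$1" "$2") && chmod 600 "$2"; }

# udp2raw_pair_check SERVER_CONF CLIENT_CONF
# Prints every problem found; the return value is the number of problems (0 = consistent).
udp2raw_pair_check() {
    local srv="$1" cli="$2" problems=0 opt
    conf_has "$srv" -s || { echo "server conf: missing -s"; problems=$((problems+1)); }
    conf_has "$cli" -c || { echo "client conf: missing -c"; problems=$((problems+1)); }
    # Password, auth mode, cipher mode and raw mode must be identical on both ends.
    for opt in -k --auth-mode --cipher-mode --raw-mode; do
        if [ "$(conf_get "$srv" "$opt")" != "$(conf_get "$cli" "$opt")" ]; then
            echo "mismatch: $opt differs between server and client"
            problems=$((problems+1))
        fi
    done
    # The post asks for an alphanumeric password; catch empty or odd ones.
    case "$(conf_get "$srv" -k)" in
        "" | *[!A-Za-z0-9]*) echo "password: empty or not alphanumeric"; problems=$((problems+1)) ;;
    esac
    # The client's remote port (-r SERVER_IP:PORT) must be the server's listen port (-l 0.0.0.0:PORT).
    if [ "$(port_of "$(conf_get "$cli" -r)")" != "$(port_of "$(conf_get "$srv" -l)")" ]; then
        echo "mismatch: client -r port is not the server -l port"
        problems=$((problems+1))
    fi
    # The server must forward to Wireguard on loopback.
    case "$(conf_get "$srv" -r)" in
        127.0.0.1:*) ;;
        *) echo "server -r should be 127.0.0.1:WIREGUARD_PORT"; problems=$((problems+1)) ;;
    esac
    return "$problems"
}

# write_samples DIR -> writes a constructed, consistent server/client pair into DIR.
write_samples() {
    local dir="$1"
    cat > "$dir/server.conf" <<'EOF'
-s
-l 0.0.0.0:443
-r 127.0.0.1:51820
-k Example123
--auth-mode hmac_sha1
--raw-mode faketcp
-a
--fix-gro
--cipher-mode xor
EOF
    cat > "$dir/client.conf" <<'EOF'
-c
-l 0.0.0.0:4096
-r 203.0.113.10:443
-k Example123
--auth-mode hmac_sha1
--raw-mode faketcp
-a
--fix-gro
--cipher-mode xor
EOF
}

# Usage: ./udp2raw_pair_check.sh /path/to/server.conf /path/to/client.conf
if [ "$#" -eq 2 ]; then
    udp2raw_pair_check "$1" "$2" && echo "udp2raw pair looks consistent"
fi
```

Run it with the server's and the client's /etc/udp2raw.conf copied side by side; a non-zero exit code tells you how many mismatches were found, and the messages say which option to fix before you chase the binary or the ciphers.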
Hi,
not working for me,
but when I run it from the CLI it works fine.
The binary may be incompatible with your system. Or try other ciphers.
Just a quick question: is this like a feature that astrorelay offers? Because they have this feature that turns a UDP connection into a TCP connection.
Never used Astrorelay but it looks similar according to your description.
Hello Mr. Kerem,
I am Gokhan Dogan from DizaynVip, Mercedes-Benz van partner. I would like to arrange a meeting with you about a project of ours. My contact number is 0532 237 97 29