This is an automated archive.
The original was posted on /r/wireguard by /u/Electronic_Pumpkin90 on 2024-01-05 14:39:56+00:00.
Hello!
I need help in bypassing a DPI of my ISP which blocks connections to NordVPN Wireguard servers. So far, I found the following:
- The DPI won’t block a connection if it is initiated from an Ubiquiti ER-12 router. The router doesn’t have a Wireguard package installed by default, so I am using this one: The connection works perfectly and I can transfer traffic through the established tunnel.
- Any other connection (made from the NordVPN Linux app, from a Linux PC, from a Windows PC) with the same parameters (keys, server address, keepalive value, etc.) will trigger the DPI and will be blocked. Usually, it happens like this: the client initiates a connection and sends a “Handshake Initiation” packet, the server responds with a “Handshake Response” packet, after which the “wg show” command starts to show some bytes transferred and received. But all other “Handshake Response” packets will be dropped by the DPI. “wg show” will show more bytes sent, but none received. It looks like the DPI “remembers” the parameters of the first handshake and will block responses afterwards.
- It looks like the DPI doesn’t recognize ER-12 handshakes as a Wireguard connection. And all I need is to modify the handshake UDP packet in the same way the ER-12 generates it.
I know that there exist a lot of threads regarding Wireguard obfuscation. Most of them recommend obfuscating packets on the client, deobfuscating them on an intermediate server and sending them on to the Wireguard server. I do not want to do this because I don’t want to buy a VPS and because the ER-12 doesn’t need any additional server.
I have captured handshake packets using tcpdump from the ER-12 and from a Linux machine, but that’s where my knowledge ends: I don’t know how to find what exact differences exist between these packets and how to modify a UDP handshake packet to make it look like the ER-12 one.
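One way to start on the packet comparison asked for in the post above. This is an added example, not code from the original post, from NordVPN or from any WireGuard project. It takes the byte layout of the Handshake Initiation message from the WireGuard protocol description (https://www.wireguard.com/protocol/), splits two captured initiations into named fields, and reports which fields differ. The two packets it runs on are constructed stand-ins built by `build_sample`, with arbitrary TTL/ToS/DF/source-port values chosen for the demo; they are not the poster's captures. The security-relevant point it encodes: only `message_type`, the three reserved bytes and (normally) `mac2` are fixed in an initiation, while the sender index, ephemeral key, both ciphertexts and `mac1` are fresh on every handshake, so a raw byte diff of the WireGuard payload mostly reports randomness, and whatever two hosts consistently differ in has to be looked for in the IP/UDP headers (or in timing and lengths, which a single packet does not show).

```python
import random
import struct

# Wire layout of a WireGuard Handshake Initiation (message type 1), 148 bytes
# in total, as given in the protocol description at https://www.wireguard.com/protocol/
INITIATION_FIELDS = [
    ("message_type", 1),
    ("reserved_zero", 3),
    ("sender_index", 4),
    ("unencrypted_ephemeral", 32),
    ("encrypted_static", 48),     # 32-byte static public key + 16-byte AEAD tag
    ("encrypted_timestamp", 28),  # 12-byte TAI64N timestamp + 16-byte AEAD tag
    ("mac1", 16),
    ("mac2", 16),                 # all zero unless the responder demanded a cookie
]
INITIATION_LEN = sum(size for _, size in INITIATION_FIELDS)  # 148

# These fields differ between any two valid initiations, even from the same
# client, because every handshake uses fresh randomness; a diff there is noise.
EXPECTED_TO_VARY = {"sender_index", "unencrypted_ephemeral", "encrypted_static",
                    "encrypted_timestamp", "mac1"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the hex lines of `tcpdump -x` ('0x0000:  4500 00b0 ...') back into bytes.
    The packet summary line (which does not start with 0x) is skipped."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue
        out += bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
    return bytes(out)


def ip_udp_info(packet: bytes) -> dict:
    """Extract the IPv4/UDP header fields that vary per host or OS and that a
    middlebox sees in the clear, plus the UDP payload."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("only IPv4/UDP packets are handled here")
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return {
        "tos": packet[1],
        "ip_id": struct.unpack("!H", packet[4:6])[0],
        "df": bool(flags_frag & 0x4000),
        "ttl": packet[8],
        "src_port": sport,
        "dst_port": dport,
        "udp_payload_len": udp_len - 8,
        "payload": packet[ihl + 8:ihl + udp_len],
    }


def parse_initiation(payload: bytes) -> dict:
    """Split a handshake initiation into its named fields (values as bytes)."""
    if len(payload) != INITIATION_LEN:
        raise ValueError(f"expected {INITIATION_LEN}-byte initiation, got {len(payload)}")
    if payload[0] != 1:
        raise ValueError(f"message type {payload[0]} is not a handshake initiation")
    fields, offset = {}, 0
    for name, size in INITIATION_FIELDS:
        fields[name] = payload[offset:offset + size]
        offset += size
    return fields


def compare_packets(pkt_a: bytes, pkt_b: bytes) -> dict:
    """Diff two captured initiations. Header differences are reported as-is;
    WireGuard-level differences are split into fixed fields (a real deviation)
    and per-handshake fields (expected to differ every time)."""
    ha, hb = ip_udp_info(pkt_a), ip_udp_info(pkt_b)
    header = {k: (ha[k], hb[k]) for k in ha if k != "payload" and ha[k] != hb[k]}
    fa, fb = parse_initiation(ha["payload"]), parse_initiation(hb["payload"])
    wg = {n: (fa[n].hex(), fb[n].hex()) for n, _ in INITIATION_FIELDS if fa[n] != fb[n]}
    return {
        "header": header,
        "wg_fixed_fields": {n: v for n, v in wg.items() if n not in EXPECTED_TO_VARY},
        "wg_per_handshake": sorted(n for n in wg if n in EXPECTED_TO_VARY),
    }


def build_sample(seed: int, ttl: int, tos: int, df: bool, sport: int) -> bytes:
    """Constructed IPv4+UDP+initiation packet for offline testing; the key and
    ciphertext fields are seeded filler, not a real handshake."""
    rng = random.Random(seed)
    body = bytearray(b"\x01\x00\x00\x00") + struct.pack("<I", seed) + rng.randbytes(INITIATION_LEN - 8)
    body[-16:] = b"\x00" * 16  # mac2 stays zero: no cookie reply involved
    udp = struct.pack("!HHHH", sport, 51820, 8 + len(body), 0) + bytes(body)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), rng.randrange(65536),
                     0x4000 if df else 0, ttl, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return ip + udp


# Stand-ins for the router capture and the Linux PC capture (arbitrary header
# values chosen for the demo, not measured ones).
ROUTER_PKT = build_sample(seed=1, ttl=64, tos=0x00, df=True, sport=51820)
LINUX_PKT = build_sample(seed=2, ttl=64, tos=0x88, df=False, sport=41821)

if __name__ == "__main__":
    import pprint
    pprint.pprint(compare_packets(ROUTER_PKT, LINUX_PKT))
```

To use it on real captures, run `tcpdump -n -x udp port <server port>` on each machine (`-x` prints from the IP header, which is what `ip_udp_info` expects; with `-xx` you would have to strip the link-layer header first), paste the hex lines of one initiation from each capture into `hexdump_to_bytes`, and hand the two results to `compare_packets`. A non-empty `wg_fixed_fields` would mean one side is emitting something that is not a standard initiation; otherwise the `header` part is where a consistent per-host difference would show up.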