Hi, Jason once suggested use a netfilter module for obfuscation. Here is one.
https://github.com/infinet/xt_wgobfs It uses SipHash 1-2 to generate pseudo-random numbers in a reproducible way. Sender and receiver share a siphash secret key. Sender creates and receiver re-creates identical siphash output, if input is same. These siphash outputs are used for obfuscation. - The first 16 bytes of WG message is obfuscated. - The mac2 field is also obfuscated if it is all zeros. - Padding WG message with random bytes, which also has random length. They are from kernel get_random_bytes_wait() though. - Drop 80% of keepalive message at random. Again randomness is from kernel. - Change the Diffserv field to zero. Tested working on Alpine linux kernel 5.15 and CentOS 7 kernel 3.10. Performance test in two Alpine VMs running on same host. Each VM has 1 CPU and 256 MB RAM. Iperf3 results 1.1Gbits/s without,vs 860Mbits/s with obfuscation. Wei 1. https://lists.zx2c4.com/pipermail/wireguard/2021-September/007155.html