Jason once suggested use a netfilter module for obfuscation[1]. Here is one.


It uses SipHash 1-2 to generate pseudo-random numbers in a reproducible way.
Sender and receiver share a siphash secret key. Sender creates and receiver
re-creates identical siphash output, if input is same. These siphash outputs
are used for obfuscation.

- The first 16 bytes of WG message is obfuscated.
- The mac2 field is also obfuscated if it is all zeros.
- Padding WG message with random bytes, which also has random length. They are
  from kernel get_random_bytes_wait() though.
- Drop 80% of keepalive message at random. Again randomness is from kernel.
- Change the Diffserv field to zero.

Tested working on Alpine linux kernel 5.15 and CentOS 7 kernel 3.10.

Performance test in two Alpine VMs running on same host. Each VM has 1 CPU and
256 MB RAM. Iperf3 results 1.1Gbits/s without,vs 860Mbits/s with obfuscation.


1. https://lists.zx2c4.com/pipermail/wireguard/2021-September/007155.html

Reply via email to