How to hide vpn

When my WireGuard client connects to the WireGuard server on my router, it’s still possible for my clients to detect that they’re connected via VPN. Could someone explain how to conceal or mask the VPN connection?

Could be because of the MTU or because the WireGuard server address is known; not sure if you can really suppress it.

This is a false positive! I just did a test on the same website WITHOUT a VPN and:

You cannot hide that you’re using a VPN unless you change the default ports and use your own custom server - not a known VPN provider.

I am using my own server

With default ports? And even if you change the default WireGuard ports, as I said, you cannot hide that you're using a VPN tunnel, because if you capture it in Wireshark/tcpdump you will see encrypted payloads in the network traffic - this indicates a generic or VPN tunnel.

Even your ISP knows that you are using a VPN of some sort, as the encrypted connection indicates this. This is why some people connect to OpenVPN on port 443 to simulate SSL/HTTPS browsing. At the end of the day someone capturing your traffic (i.e. ISP) knows that this is an encrypted connection but without being able to sneak on it.

Changing the default ports of VPN protocol is just a trick to avoid simple detection through the port numbers!

No default ports: port 88, 7777, 8888.

I am forwarding 7777 and 8888 UDP to 88 on the WG server IP.

I can try changing it to 443; I doubt it will make any difference.

It WON’T ! Please read carefully what I described.

Isn’t it possible to assume that VPN is used because the MTU is lower than standard?

Hmm, let me think if I understand this correctly.

Your clients are Windows and other devices configured with a VPN client to your router, which runs as the server?

^ If it is this, that's easily detected, because Android uses a VPN provider hook in its API; Windows probably does the same, and if not, it can be easily spotted by detecting the driver/interface.

There are also various other ways it can be detected:

  • They cross-check between the DNS origin and the VPN; if mismatched, their detection says proxy/VPN.

  • Not actually a typical detection I see Netflix doing, but ISPs do: deep packet inspection, where the packet's protocol gets mapped as WireGuard.

  • Some of them use known block lists for VPNs; others go a step further and take the RIPE/ASN blocks of all datacenters like OVH and Leaseweb and block them, because it's rather strange if a server watches Netflix :yum:

If you want to mask it for something like Netflix… my only thought would be using something like Shadowsocks or Trojan and letting the router do it; that means clients will be unaware it is a VPN, but your issue here is that they pretty well block IPs.

Sometimes I think they start to make it impossible :yum:. Best is to ask a friend in such a country to share it through an L2 tunnel via VPN → VXLAN or something and pretend you are literally part of their network.

If it's only to hide from the ISP… well, Trojan or Shadowsocks on port 443 is your best option. What I see a lot of people do is split-tunnel them for certain sites; that way an ISP sees no real difference and also no constant tunnel connection.
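The deep packet inspection point in the list above explains why moving WireGuard to port 7777 or 443 changes nothing for an inspecting network. The following is an added example, not code from any poster in this thread: a minimal classifier that matches UDP payloads against WireGuard's fixed message layout (a 1-byte type, 3 reserved zero bytes, and fixed handshake sizes), ignoring the port entirely. The function names and sample packets are constructed for illustration.

```python
# Fixed UDP payload sizes of WireGuard's handshake messages, keyed by type.
HANDSHAKE = {1: ("handshake_initiation", 148),
             2: ("handshake_response", 92),
             3: ("cookie_reply", 64)}
TRANSPORT_MIN = 32  # 16-byte header + 16-byte auth tag (empty keepalive)


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name a UDP payload matches, or None."""
    if len(payload) < 4:
        return None
    # 1-byte type followed by 3 reserved zero bytes == little-endian u32.
    msg_type = int.from_bytes(payload[:4], "little")
    if msg_type in HANDSHAKE:
        name, size = HANDSHAKE[msg_type]
        return name if len(payload) == size else None
    if msg_type == 4 and len(payload) >= TRANSPORT_MIN:
        return "transport_data"
    return None


def flag_flows(packets):
    """Map each UDP destination port to the WireGuard message types seen on it."""
    seen = {}
    for port, payload in packets:
        kind = classify_wireguard(payload)
        if kind:
            seen.setdefault(port, set()).add(kind)
    # A handshake message is a much stronger signal than transport_data alone.
    return {p: kinds for p, kinds in seen.items()
            if kinds & {"handshake_initiation", "handshake_response"}}


# Constructed sample traffic (port, UDP payload); filler bytes stand in for ciphertext.
SAMPLE = [
    (7777, b"\x01\x00\x00\x00" + b"\xaa" * 144),   # initiation on a non-default port
    (7777, b"\x02\x00\x00\x00" + b"\xbb" * 88),    # response
    (7777, b"\x04\x00\x00\x00" + b"\xcc" * 1448),  # full-size data packet
    (443,  b"\xc3\x00\x00\x00\x01" + b"\xdd" * 1195),  # QUIC-like long header
    (53,   b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 26),  # DNS-like query
]

if __name__ == "__main__":
    print(flag_flows(SAMPLE))
```

This is a heuristic: the transport-data check alone can match unrelated traffic, which is why `flag_flows` only reports a port once a handshake message has been seen on it.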

The VPN is between router and router; there is nothing (no VPN client) installed on the client(s). Using OpenVPN does not make any difference, changing the port also does not make any difference, and changing the MTU also does not make any difference.

You can use AdGuard on your PC (paid version), but it is not guaranteed to hide your IP… It is called stealth mode.

Sometimes a website still shows my IP (I entered a manual IP address in the AdGuard stealth mode settings).

Nah, none of these will work. It's just disabling some fingerprinting methods.

The website does show VPN usage because of some examples - guess we can’t figure it out.