Install udp2raw on GL-AXT1800 to obfuscate WG

Hi!

I would like to install udp2raw on the router where it will act as a client to obfuscate WireGuard traffic. I have used shadowsocks to obfuscate and unfortunately the obfuscation it offers is not enough and the WireGuard’s UDP traffic gets dropped/blocked, which I believe is because it doesn’t obfuscate headers. I have 21.02-SNAPSHOT openwrt on my router but I can’t find an exact build as I have for cross compilation of udp2raw:

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='21.02-SNAPSHOT'
DISTRIB_REVISION='r16399+159-c67509efd7'
DISTRIB_TARGET='ipq807x/ipq60xx'
DISTRIB_ARCH='arm_cortex-a7'
DISTRIB_DESCRIPTION='OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7'
DISTRIB_TAINTS='no-all busybox override'
DISTRIB_TIP='OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7 / TIP-devel-d303bd39'
DISTRIB_TIP_VERSION='devel'

If it is not possible to install udp2raw, can you provide other alternative Wireguard obfuscation methods that are supported on the router?

@bring.fringe18 Special privacy treatment required :sunglasses:
No, for real. He is the user who can help you with this, I would say.


Unfortunately I’ve never compiled anything for OWRT. I’m not seeing that package in the default GL feeds for Flint’s 4.46.6-r1 underlying OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7 either.

I think I’d quite like to experiment with it as well. @hansome , is there a chance of getting udp2raw compiled & dropped into the repos for OP?

Thanks @bring.fringe18

For more info, I am tunneling WireGuard VPN traffic over a shadowsocks client on my router to a shadowsocks (and WireGuard) server located outside the country I am currently in. Every 1-2 days the WireGuard VPN is unable to connect and keeps restarting as the traffic is dropped/blocked. I am not sure if it is the shadowsocks itself or the WireGuard traffic that is detected. The current workaround I have is to just change the shadowsocks server port and reconnect. I have tried UDP ports below 1000 as well. From what I understand the ISP does some sort of DPI every couple of days and drops/blocks outgoing traffic on that port. I am afraid I can’t keep doing this as it may raise more flags.

It’s probably related to WG leaking somehow; IIRC shadowsocks is/has been pretty successful breaching the CPC’s Great Firewall. I could be confusing the VPN tech, though; I’ve not used it.

FYI: WG is a ‘stateless’ protocol (which is why PersistentKeepalive = 25 within the [Peer] is so helpful) so if it’s randomly disconnecting I’d also be leaning toward ISP(s) DPI.

It’s probably related to WG leaking somehow

Yes, I think so too. When I came to this country initially, WG worked without any proxy for a couple of days until it was blocked and I had to find a solution with shadowsocks. Between my last message and this one I found out the traffic now gets blocked much quicker, within a couple of minutes rather than the days seen earlier. So changing ports is almost futile now.

Congratulations, my guy; you’re (probably) on someone’s watchlist.

It might be time to consider encrypting your files &/or deep wiping (‘secure erase’) your drives. AES256 & ChaCha20+Poly1305 are purported to be post-quantum crypto ready.

https://archive.kernel.org/oldwiki/ata.wiki.kernel.org/index.php/ATA_Secure_Erase.html

@hansome

It seems someone has OWRT/LEDE source(s)… and precompiled binaries ready to go:


Where did you see precompiled binaries for OWRT?
The sources repo doesn’t seem to have any releases/downloads and the main repo downloads only have amd/arm/mips/x86 variants.

Thanks for that info.
These binaries do work.

Here to download: @shadowsocks


That works @hansome and I am able to establish a connection. I have a question about the “PreUp”/“PostDown” directives as present in the guide here. If I add them to the [Interface] section they do not get saved from the router UI config - it appears those keys are not supported, hence the configuration discards them. Is there any way I can add them at the start/close of the WG VPN connection?

If that’s the case you should start a new thread with that [BUG].

(… & be sure to list the device, firmware.)


wg-quick script is not installed on the router by default. I doubt it can work.

You can run the commands manually to start the udp2raw program; doing it either before or after enabling WireGuard will work.

  • WireGuard server (445 is the TCP listen port that accepts the remote connection, 51820 is the WireGuard server listen port):
sudo -g nonevpn ./udp2raw_arm -s -l 192.168.10.160:445 -r 127.0.0.1:51820 -k "W0ee0z6/rcwql8ZNRLP1GQQiYDOxRHzSIIkp+xLhcyY="
  • WireGuard client (51820 is listened on by udp2raw to accept the connection from the WireGuard client, 445 is the remote TCP server):
sudo -g nonevpn ./udp2raw_arm -c -l 127.0.0.1:51820 -r 192.168.10.160:445 -k "W0ee0z6/rcwql8ZNRLP1GQQiYDOxRHzSIIkp+xLhcyY="

The wireguard client config is like this.
Only Endpoint option is modified to adapt udp2raw usage.

[Interface]
Address = 10.0.0.2/24
PrivateKey = uO9HGgNOl/pS57VPQkD/A8ng41ttrT3wnjHDK/pZ9Ew=
DNS = 64.6.64.6
MTU = 1200

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 25
PublicKey = WGhD4/sMyr1c932GdA+mmDjO/Tr9BArkGoY9txLE71Q=

Notes of the command:

  1. Adding “sudo -g nonevpn” marks the udp2raw traffic to not use the VPN, in order to avoid a route loop.
  2. I removed the original -a parameter from the guide, because I found it adds a DROP iptables rule, which should be a bug.
    WireGuard Over TCP | Pro Custodibus

So manually opening port 445 at the server firewall is necessary.
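The post above gives the WireGuard client config that pairs with the udp2raw client (Endpoint pointed at the local udp2raw listener, MTU lowered), and an earlier reply found that PreUp/PostDown lines are silently dropped because wg-quick is not on the router. The following is an added example, not code from the thread or from the udp2raw project: a small checker that parses a wg config and reports the mismatches that would break the udp2raw layout. The sample config is constructed from the one posted above plus a PreUp line like the one the router UI discarded; the `udp2raw_listen` default of `127.0.0.1:51820` and the 1420 fallback MTU (wg-quick's default when MTU is unset) are assumptions of this example.

```python
# Added example: validate a WireGuard client config for use behind a local udp2raw client.

# Constructed sample: hansome's posted client config plus a PreUp hook that the router UI drops.
SAMPLE_WG_CONF = """\
[Interface]
Address = 10.0.0.2/24
PrivateKey = uO9HGgNOl/pS57VPQkD/A8ng41ttrT3wnjHDK/pZ9Ew=
DNS = 64.6.64.6
MTU = 1200
PreUp = ./udp2raw_arm -c -l 127.0.0.1:51820 -r 192.168.10.160:445 -k secret

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 25
PublicKey = WGhD4/sMyr1c932GdA+mmDjO/Tr9BArkGoY9txLE71Q=
"""

# Hook keys interpreted only by the wg-quick script; without wg-quick they are discarded.
WG_QUICK_HOOKS = ("preup", "postup", "predown", "postdown")
DEFAULT_MTU = 1420  # assumed wg-quick default used when MTU is not set


def parse_wg_conf(text):
    """Return [(section_name, {key: value}), ...] in file order, keys lower-cased.

    Written by hand rather than with configparser so that repeated [Peer]
    sections and '#' trailing comments (as in the thread's configs) are handled.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1].lower(), current))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # base64 keys end in '=', so split once
            current[key.strip().lower()] = value.strip()
    return sections


def check_udp2raw_client_conf(text, udp2raw_listen="127.0.0.1:51820"):
    """Return a list of findings; an empty list means the config fits the udp2raw client layout."""
    findings = []
    for name, kv in parse_wg_conf(text):
        if name == "interface":
            for hook in WG_QUICK_HOOKS:
                if hook in kv:
                    findings.append(f"{hook} is a wg-quick hook; it is dropped without wg-quick")
            if int(kv.get("mtu", DEFAULT_MTU)) >= DEFAULT_MTU:
                findings.append("MTU not lowered; udp2raw adds its own encapsulation headers")
        elif name == "peer":
            if kv.get("endpoint") != udp2raw_listen:
                findings.append(f"Endpoint must point at the local udp2raw listener {udp2raw_listen}")
            if int(kv.get("persistentkeepalive", "0")) == 0:
                findings.append("PersistentKeepalive unset or 0; set it so the path stays open")
    return findings


if __name__ == "__main__":
    for finding in check_udp2raw_client_conf(SAMPLE_WG_CONF):
        print("finding:", finding)
```

Run against the sample, the only finding is the PreUp hook; remove that line and the checker returns an empty list, which is the shape the posted config already has.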

Thanks a lot for detailed instructions here. I managed to get limited success, I think my issue is about a route loop

root@GL-SFT1200:~# sudo -g nonevpn ./udp2raw_mips24kc_le_asm_aes -c -l 127.0.0.1:51819 -r <my-server-ip>:51819 -k "secret-pass" --raw-mode udp
[2024-12-11 03:11:13][INFO]argc=10 ./udp2raw_mips24kc_le_asm_aes -c -l 127.0.0.1:51819 -r <my-server-ip>:51819 -k secret-pass --raw-mode udp 
[2024-12-11 03:11:13][INFO]parsing address: 127.0.0.1:51819
[2024-12-11 03:11:13][INFO]its an ipv4 adress
[2024-12-11 03:11:13][INFO]ip_address is {127.0.0.1}, port is {51819}
[2024-12-11 03:11:13][INFO]parsing address: <my-server-ip>:51819
[2024-12-11 03:11:13][INFO]its an ipv4 adress
[2024-12-11 03:11:13][INFO]ip_address is {<my-server-ip>}, port is {51819}
[2024-12-11 03:11:13][INFO]important variables: log_level=4:INFO raw_mode=udp cipher_mode=aes128cbc auth_mode=md5 key=passwd12 local_addr=127.0.0.1:51819 remote_addr=<my-server-ip>:51819 socket_buf_size=1048576 
[2024-12-11 03:11:13][WARN]you can run udp2raw with non-root account for better security. check README.md in repo for more info.
[2024-12-11 03:11:13][INFO]remote_ip=[<my-server-ip>], make sure this is a vaild IP address
[2024-12-11 03:11:13][INFO]const_id:9a2ca3af
[2024-12-11 03:11:13][WARN] -a has not been set, make sure you have added the needed iptables rules manually
[2024-12-11 03:11:13][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:13][INFO]using port 54372
[2024-12-11 03:11:13][INFO]state changed from client_idle to client_pre_handshake
[2024-12-11 03:11:13][INFO](re)sent handshake1
[2024-12-11 03:11:13][INFO]new packet from 127.0.0.1:47222,conv_id=2e1566ed
[2024-12-11 03:11:13][INFO]changed state from to client_handshake1 to client_handshake2,my_id is 63a8520d,oppsite id is a2b9a440
[2024-12-11 03:11:13][INFO](re)sent handshake2
[2024-12-11 03:11:14][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:26][INFO]state back to client_idle from  client_ready bc of client-->server direction timeout
[2024-12-11 03:11:26][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:26][INFO]using port 60323
[2024-12-11 03:11:26][INFO]state changed from client_idle to client_pre_handshake
[2024-12-11 03:11:26][INFO](re)sent handshake1
[2024-12-11 03:11:26][INFO]changed state from to client_handshake1 to client_handshake2,my_id is 88988e50,oppsite id is 6294ddc0
[2024-12-11 03:11:26][INFO](re)sent handshake2
[2024-12-11 03:11:27][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:39][INFO]state back to client_idle from  client_ready bc of client-->server direction timeout
[2024-12-11 03:11:39][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:39][INFO]using port 52390
[2024-12-11 03:11:39][INFO]state changed from client_idle to client_pre_handshake
[2024-12-11 03:11:39][INFO](re)sent handshake1
[2024-12-11 03:11:40][INFO]changed state from to client_handshake1 to client_handshake2,my_id is 10807d83,oppsite id is 2dadee85
[2024-12-11 03:11:40][INFO](re)sent handshake2
[2024-12-11 03:11:40][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:52][INFO]state back to client_idle from  client_ready bc of client-->server direction timeout
[2024-12-11 03:11:53][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:53][INFO]using port 21994

It seems like every time my WireGuard connects the source addr changes. Do you have any suggestions on how we can fix this? I used the nonevpn option but maybe this has changed.

I tested this setup in another way by putting the udp2raw on a different host and then changed the vpn

Wireguard config


[Peer]
PublicKey = <super-secret>
PresharedKey = <secret>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = 192.168.8.149:51819 #ip addr of the host that is running udp2raw

this works ^

But if I run udp2raw locally it goes into that source change loop.

EDIT:

I managed to make it work on the GL.iNet router too; however, I need to do this every time.

ip route add <my-server-ip> via <the gateway you want to use to reach it>

Is there a more elegant way to do this?
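The log pasted above shows the route-loop symptom in the raw udp2raw output: the client reaches `client_ready`, times out in the client-->server direction about twelve seconds later, then rebinds from the same `10.17.0.4` source address on a new port, over and over. That source address is inside the tunnel, so udp2raw's packets are being routed into the very WireGuard interface they are supposed to carry, which is what the `ip route add` host route fixes. The following is an added example, not code from the thread or from udp2raw: a parser for those log lines that flags the loop automatically. The sample log is a constructed, trimmed copy of the output above, the healthy log is constructed for contrast, and the tunnel subnet `10.17.0.0/24` is an assumption (take it from the `Address` line of your own WireGuard config).

```python
# Added example: detect the udp2raw route loop from its client log output.
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed from the udp2raw output pasted in the thread.
SAMPLE_LOG = """\
[2024-12-11 03:11:13][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:13][INFO]using port 54372
[2024-12-11 03:11:13][INFO]state changed from client_idle to client_pre_handshake
[2024-12-11 03:11:14][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:26][INFO]state back to client_idle from  client_ready bc of client-->server direction timeout
[2024-12-11 03:11:26][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:26][INFO]using port 60323
[2024-12-11 03:11:27][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:39][INFO]state back to client_idle from  client_ready bc of client-->server direction timeout
[2024-12-11 03:11:39][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:39][INFO]using port 52390
[2024-12-11 03:11:40][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:52][INFO]state back to client_idle from  client_ready bc of client-->server direction timeout
"""

# Constructed healthy run for contrast: one bind from a WAN address, stays ready.
HEALTHY_LOG = """\
[2024-12-11 03:20:00][INFO]source_addr is now 192.0.2.10
[2024-12-11 03:20:00][INFO]using port 41000
[2024-12-11 03:20:01][INFO]changed state from to client_handshake2 to client_ready
"""

SOURCE_RE = re.compile(r"\[INFO\]source_addr is now (\S+)")
PORT_RE = re.compile(r"\[INFO\]using port (\d+)")
READY_RE = re.compile(r"client_handshake2 to client_ready")
TIMEOUT_RE = re.compile(r"state back to client_idle from\s+client_ready bc of (\S+) direction timeout")


@dataclass
class Diagnosis:
    source_addrs: list = field(default_factory=list)  # every address udp2raw bound to, in order
    ports: list = field(default_factory=list)         # ephemeral port chosen at each rebind
    ready_count: int = 0                               # handshakes that reached client_ready
    timeout_count: int = 0                             # ready sessions lost to a direction timeout
    inside_tunnel: bool = False                        # a source address lies in the WG subnet
    verdict: str = "ok"


def diagnose(log_text: str, tunnel_cidr: str) -> Diagnosis:
    """Parse udp2raw client output and decide whether it is looping through the tunnel it carries.

    tunnel_cidr is the WireGuard [Interface] Address of this client (assumed by the caller).
    """
    net = ipaddress.ip_network(tunnel_cidr, strict=False)
    d = Diagnosis()
    for line in log_text.splitlines():
        if m := SOURCE_RE.search(line):
            d.source_addrs.append(m.group(1))
        elif m := PORT_RE.search(line):
            d.ports.append(int(m.group(1)))
        elif READY_RE.search(line):
            d.ready_count += 1
        elif TIMEOUT_RE.search(line):
            d.timeout_count += 1
    for addr in d.source_addrs:
        try:
            if ipaddress.ip_address(addr) in net:
                d.inside_tunnel = True
        except ValueError:
            continue  # skip redacted placeholders such as <my-server-ip>
    if d.inside_tunnel:
        d.verdict = "route loop: udp2raw source address is inside the WireGuard subnet"
    elif d.timeout_count >= 2 and d.ready_count >= 2:
        d.verdict = "flapping: repeated ready->idle timeouts, check the path to the server"
    return d


if __name__ == "__main__":
    for label, log in (("router", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        r = diagnose(log, "10.17.0.0/24")
        print(f"{label}: {r.verdict} (ready={r.ready_count}, timeouts={r.timeout_count}, ports={r.ports})")
```

The `inside_tunnel` test is the decisive one: a source address that belongs to the WireGuard subnet means the udp2raw socket was bound through the tunnel, and the rebinds with fresh ports follow from that. If the source address is the WAN address and the session still flaps, the problem is on the path rather than in local routing.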