I would like to install udp2raw on the router where it will act as a client to obfuscate WireGuard traffic. I have used shadowsocks to obfuscate and unfortunately the obfuscation it offers is not enough and the WireGuard’s UDP traffic gets dropped/blocked, which I believe is because it doesn’t obfuscate headers. I have 21.02-SNAPSHOT openwrt on my router but I can’t find an exact build as I have for cross compilation of udp2raw:
Unfortunately I’ve never compiled anything for OWRT. I’m not seeing that package in the default GL feeds for Flint’s 4.46.6-r1 underlying OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7 either.
I think I’d quite like to experiment with it as well. @hansome , is there a chance of getting udp2raw complied & dropped into the repos for OP?
For more info, I am tunneling WireGuard VPN traffic over shadowsocks client on my router to a shadowsocks (and WireGuard) server located outside the country I am in currently. Every 1-2 days the WireGuard VPN is unable to connect and keep restarting as the traffic is dropped/blocked. I am not sure if it is the shadowsocks itself or WireGuard traffic that is detected. The current workaround I have is to just change shadowsocks server port and reconnect. I have tried UDP ports below 1000 as well. From what I understand the ISP does some sort of DPI every couple of days and drops/blocks outgoing traffic on that port. I am afraid I can’t keep doing this as it may raise more flags.
It’s probably related to WG leaking somehow; IIRC shadowsocks is/has been pretty successful breaching the CPC’s Great Firewall. I could be confusing the VPN tech, though; I’ve not used it.
FYI: WG is a ‘stateless’ protocol (which is why PersistentKeepalive = 25 within the [Peer] is so helpful) so if it’s randomly disconnecting I’d also be leaning toward ISP(s) DPI.
Yes I think so too. When I came to this country initially the WG worked without any proxy for a couple of days until it was blocked and I had to find a solution with shadowsocks. Between my last message and this I found out the traffic gets blocked more quicker in a couple minutes than days as was seen earlier. So changing ports is almost futile now.
Congratulations, my guy; you’re (probably) on someone’s watchlist.
It might be time to consider encrypting your files &/or deep wiping (‘secure erase’) your drives. AES256 & ChaCha20+Poly1305 are purported to be post-quantum crypto ready.
Where did you see precompiled binaries for OWRT?
The sources repo doesn’t seem to have any releases/downloads and the main repo downloads only have amd/arm/mips/x86 variants.
That works @hansome and I am able to establish a connection. I have a question about “PreUp”/“PostDown” directives as present in the guide here. If I add them to [Interface] section they do not get saved from the router UI config - it appears those keys are not supported hence the configuration discards them. Is there any way I can add them at the start/close of WG VPN cnxn?
Thanks a lot for detailed instructions here. I managed to get limited success, I think my issue is about a route loop
root@GL-SFT1200:~# sudo -g nonevpn ./udp2raw_mips24kc_le_asm_aes -c -l 127.0.0.1:51819 -r <my-server-ip>:51819 -k "secret-pass" --raw-mode udp
[2024-12-11 03:11:13][INFO]argc=10 ./udp2raw_mips24kc_le_asm_aes -c -l 127.0.0.1:51819 -r <my-server-ip>:51819 -k secret-pass --raw-mode udp
[2024-12-11 03:11:13][INFO]parsing address: 127.0.0.1:51819
[2024-12-11 03:11:13][INFO]its an ipv4 adress
[2024-12-11 03:11:13][INFO]ip_address is {127.0.0.1}, port is {51819}
[2024-12-11 03:11:13][INFO]parsing address: <my-server-ip>:51819
[2024-12-11 03:11:13][INFO]its an ipv4 adress
[2024-12-11 03:11:13][INFO]ip_address is {<my-server-ip>}, port is {51819}
[2024-12-11 03:11:13][INFO]important variables: log_level=4:INFO raw_mode=udp cipher_mode=aes128cbc auth_mode=md5 key=passwd12 local_addr=127.0.0.1:51819 remote_addr=<my-server-ip>:51819 socket_buf_size=1048576
[2024-12-11 03:11:13][WARN]you can run udp2raw with non-root account for better security. check README.md in repo for more info.
[2024-12-11 03:11:13][INFO]remote_ip=[<my-server-ip>], make sure this is a vaild IP address
[2024-12-11 03:11:13][INFO]const_id:9a2ca3af
[2024-12-11 03:11:13][WARN] -a has not been set, make sure you have added the needed iptables rules manually
[2024-12-11 03:11:13][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:13][INFO]using port 54372
[2024-12-11 03:11:13][INFO]state changed from client_idle to client_pre_handshake
[2024-12-11 03:11:13][INFO](re)sent handshake1
[2024-12-11 03:11:13][INFO]new packet from 127.0.0.1:47222,conv_id=2e1566ed
[2024-12-11 03:11:13][INFO]changed state from to client_handshake1 to client_handshake2,my_id is 63a8520d,oppsite id is a2b9a440
[2024-12-11 03:11:13][INFO](re)sent handshake2
[2024-12-11 03:11:14][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:26][INFO]state back to client_idle from client_ready bc of client-->server direction timeout
[2024-12-11 03:11:26][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:26][INFO]using port 60323
[2024-12-11 03:11:26][INFO]state changed from client_idle to client_pre_handshake
[2024-12-11 03:11:26][INFO](re)sent handshake1
[2024-12-11 03:11:26][INFO]changed state from to client_handshake1 to client_handshake2,my_id is 88988e50,oppsite id is 6294ddc0
[2024-12-11 03:11:26][INFO](re)sent handshake2
[2024-12-11 03:11:27][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:39][INFO]state back to client_idle from client_ready bc of client-->server direction timeout
[2024-12-11 03:11:39][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:39][INFO]using port 52390
[2024-12-11 03:11:39][INFO]state changed from client_idle to client_pre_handshake
[2024-12-11 03:11:39][INFO](re)sent handshake1
[2024-12-11 03:11:40][INFO]changed state from to client_handshake1 to client_handshake2,my_id is 10807d83,oppsite id is 2dadee85
[2024-12-11 03:11:40][INFO](re)sent handshake2
[2024-12-11 03:11:40][INFO]changed state from to client_handshake2 to client_ready
[2024-12-11 03:11:52][INFO]state back to client_idle from client_ready bc of client-->server direction timeout
[2024-12-11 03:11:53][INFO]source_addr is now 10.17.0.4
[2024-12-11 03:11:53][INFO]using port 21994
it seems like everytime my wireguard connects the source addr changes. Do you have any suggestions on how can we fix this? I used the nonevpn option but maybe this has changed.
I tested this setup in another way by putting the udp2raw on a different host and then changed the vpn
Wireguard config
[Peer]
PublicKey = <super-secret>
PresharedKey = <secret>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = 192.168.8.149:51819 #ip addr of the host that is running udp2raw
this works ^
but if i run the udp2raw on local it goes into that source change loop.
EDIT:
I managed to make it work on glinet router too, however i need to do this everytime.
ip route add <my-server-ip> via <the gateway you want to use to reach it>
I have an opal router (v4.3.25) as wireguard client. wireguard works to remote server fine. Udp2raw can connect to remote server and pass info, however, I can't get wireguard to connect to udp2raw locally to connect to remote wiregard server.
When I use wireguard GUI i get message about can't open '/tmp/run/wg_resolved_ip': No such file or directory. It doesn't like 127.0.0.1 I edited the /lib/netifd/proto/wireguard.sh to create wg_resolved_ip manually and this error goes away but wireguard still won't connect. Tcpdump does not see any connection attempt from wireguard to the listening port (i used 51830) on any interface. Tcpdump does show socat udp test and ping.
I haven't added route command mentioned, because I believe the problem is with wiregard to connect to 127.0.0.1 locally. I also tried manually bringing up wireguard with ip commands.
If relevant, I did try to install wireguard tools in hope to get wg-quick to work, but it didn't not.
Can one of you tell me how you got this work and if it still works on latest firmeware version?
