Install udp2raw on GL-AXT1800 to obfuscate WG

Hi!

I would like to install udp2raw on the router where it will act as a client to obfuscate WireGuard traffic. I have used shadowsocks to obfuscate and unfortunately the obfuscation it offers is not enough and WireGuard’s UDP traffic gets dropped/blocked, which I believe is because it doesn’t obfuscate headers. I have 21.02-SNAPSHOT OpenWrt on my router but I can’t find an exact build as I have for cross compilation of udp2raw:

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='21.02-SNAPSHOT'
DISTRIB_REVISION='r16399+159-c67509efd7'
DISTRIB_TARGET='ipq807x/ipq60xx'
DISTRIB_ARCH='arm_cortex-a7'
DISTRIB_DESCRIPTION='OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7'
DISTRIB_TAINTS='no-all busybox override'
DISTRIB_TIP='OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7 / TIP-devel-d303bd39'
DISTRIB_TIP_VERSION='devel'

If it is not possible to install udp2raw, can you provide other alternative Wireguard obfuscation methods that are supported on the router?

@bring.fringe18 Special privacy treatment required :sunglasses:
No, for real. He is the user who can help you with this, I would say.


Unfortunately I’ve never compiled anything for OWRT. I’m not seeing that package in the default GL feeds for Flint’s 4.46.6-r1 underlying OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7 either.

I think I’d quite like to experiment with it as well. @hansome, is there a chance of getting udp2raw compiled & dropped into the repos for OP?

Thanks @bring.fringe18

For more info, I am tunneling WireGuard VPN traffic over a shadowsocks client on my router to a shadowsocks (and WireGuard) server located outside the country I am currently in. Every 1-2 days the WireGuard VPN is unable to connect and keeps restarting as the traffic is dropped/blocked. I am not sure if it is the shadowsocks itself or the WireGuard traffic that is detected. The current workaround I have is to just change the shadowsocks server port and reconnect. I have tried UDP ports below 1000 as well. From what I understand the ISP does some sort of DPI every couple of days and drops/blocks outgoing traffic on that port. I am afraid I can’t keep doing this as it may raise more flags.

It’s probably related to WG leaking somehow; IIRC shadowsocks is/has been pretty successful breaching the CPC’s Great Firewall. I could be confusing the VPN tech, though; I’ve not used it.

FYI: WG is a ‘stateless’ protocol (which is why PersistentKeepalive = 25 within the [Peer] is so helpful) so if it’s randomly disconnecting I’d also be leaning toward ISP(s) DPI.

It’s probably related to WG leaking somehow

Yes, I think so too. When I came to this country initially the WG worked without any proxy for a couple of days until it was blocked and I had to find a solution with shadowsocks. Between my last message and this one I found out the traffic gets blocked much quicker, in a couple of minutes rather than the days seen earlier. So changing ports is almost futile now.

Congratulations, my guy; you’re (probably) on someone’s watchlist.

It might be time to consider encrypting your files &/or deep wiping (‘secure erase’) your drives. AES256 & ChaCha20+Poly1305 are purported to be post-quantum crypto ready.

https://archive.kernel.org/oldwiki/ata.wiki.kernel.org/index.php/ATA_Secure_Erase.html

@hansome

It seems someone has OWRT/LEDE source(s)… and precompiled binaries ready to go:


Where did you see precompiled binaries for OWRT?
The sources repo doesn’t seem to have any releases/downloads and the main repo downloads only have amd/arm/mips/x86 variants.

Thanks for that info.
These binaries do work.

Here to download: @shadowsocks


That works @hansome and I am able to establish a connection. I have a question about the “PreUp”/“PostDown” directives as present in the guide here. If I add them to the [Interface] section they do not get saved from the router UI config - it appears those keys are not supported, hence the configuration discards them. Is there any way I can add them at the start/close of the WG VPN connection?

If that’s the case you should start a new thread with that [BUG].

(… & be sure to list the device, firmware.)


The wg-quick script is not installed on the router by default. I doubt it can work.

You can run commands manually to start the udp2raw program; doing so before or after enabling WireGuard will work.

  • WireGuard server (445 is the TCP listen port to accept the remote connection, 51820 is the WireGuard server listen port):
sudo -g nonevpn ./udp2raw_arm -s -l 192.168.10.160:445 -r 127.0.0.1:51820 -k "W0ee0z6/rcwql8ZNRLP1GQQiYDOxRHzSIIkp+xLhcyY="
  • WireGuard client (51820 is listened on by udp2raw to accept the connection from the WireGuard client, 445 is the remote TCP server):
sudo -g nonevpn ./udp2raw_arm -c -l 127.0.0.1:51820 -r 192.168.10.160:445 -k "W0ee0z6/rcwql8ZNRLP1GQQiYDOxRHzSIIkp+xLhcyY="

The WireGuard client config is like this.
Only the Endpoint option is modified to adapt to udp2raw usage.

[Interface]
Address = 10.0.0.2/24
PrivateKey = uO9HGgNOl/pS57VPQkD/A8ng41ttrT3wnjHDK/pZ9Ew=
DNS = 64.6.64.6
MTU = 1200

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 25
PublicKey = WGhD4/sMyr1c932GdA+mmDjO/Tr9BArkGoY9txLE71Q=

Notes on the commands:

  1. Adding “sudo -g nonevpn” marks the udp2raw traffic so it does not use the VPN, in order to avoid a route loop.
  2. I removed the original -a parameter from the guide, because I found it adds a drop iptables rule, which should be a bug.
    WireGuard Over TCP | Pro Custodibus

So manually opening port 445 at the server firewall is necessary.
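A start/stop wrapper for the manual sequence above, added here as an example and not taken from the thread or from udp2raw: it stands in for the PreUp/PostDown hooks the router UI discards by launching the udp2raw client before the WireGuard interface comes up and killing it after the interface goes down. The binary path, pid file and OpenWrt interface name are assumptions; the sudo -g nonevpn marking is the one described in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from udp2raw: a start/stop wrapper that
# replaces the PreUp/PostDown hooks the router UI discards. It launches the
# udp2raw client before the WireGuard interface comes up and kills it after the
# interface goes down. Binary path, pid file and interface name are assumptions.
UDP2RAW_BIN="${UDP2RAW_BIN:-/root/udp2raw_arm}"   # assumed location of the binary
PIDFILE="${PIDFILE:-/var/run/udp2raw-wg.pid}"     # assumed pid file
WG_IFACE="${WG_IFACE:-wg0}"                       # assumed OpenWrt interface name
LOCAL_LISTEN="127.0.0.1:51820"                    # what Endpoint= in the WG config points at

# Reject a missing key or an endpoint that is not host:port before touching anything.
validate_args() {
    case "$1" in *:[0-9]*) ;; *) return 1 ;; esac
    [ -n "$2" ]
}

# Compose the udp2raw client command line; echoed so it can be logged or inspected.
udp2raw_client_cmd() {
    printf '%s -c -l %s -r %s -k %s\n' "$UDP2RAW_BIN" "$LOCAL_LISTEN" "$1" "$2"
}

# Rewrite Endpoint= in a WireGuard config read on stdin to the local udp2raw
# listener, which is the only change the post makes to the client config.
rewrite_endpoint() {
    sed "s|^Endpoint *=.*|Endpoint = $LOCAL_LISTEN|"
}

start() {
    validate_args "$1" "$2" || { echo "usage: $0 start <server:port> <key>" >&2; return 2; }
    # sudo -g nonevpn marks udp2raw's own packets to bypass the VPN (from the post);
    # without it the obfuscated traffic would be routed back into the tunnel.
    sudo -g nonevpn "$UDP2RAW_BIN" -c -l "$LOCAL_LISTEN" -r "$1" -k "$2" &
    echo $! > "$PIDFILE"                 # pid of sudo, which relays signals to udp2raw
    sleep 1                              # give udp2raw a moment to open the listener
    kill -0 "$(cat "$PIDFILE")" 2>/dev/null || { echo "udp2raw exited early" >&2; return 1; }
    ifup "$WG_IFACE"                     # bring the WireGuard interface up (OpenWrt)
}

stop() {
    ifdown "$WG_IFACE"
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start) start "$2" "$3" ;;
    stop)  stop ;;
esac
```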