wireguard.lists.zx2c4.com archive mirror
 help / color / mirror / Atom feed
* Building DPI bypass systems on top of wireguard
@ 2019-06-19  0:41 Amir Omidi
  2019-07-17 20:01 ` Saeid Akbari
  0 siblings, 1 reply; 2+ messages in thread
From: Amir Omidi @ 2019-06-19  0:41 UTC (permalink / raw)
  To: wireguard


[-- Attachment #1.1: Type: text/plain, Size: 1454 bytes --]

Hi,

I've lived in countries under oppressive DPI systems and I want to see if
its possible to create a DPI bypass system using the wireguard protocol.
During my time under these DPI systems, I've seen them evolve and grow and
get stronger and better in detecting various bypass systems.

In Iran, when there's a lot of political news the government deploys a
traffic/endpoint ratio strategy. Essentially, instead of blocking specific
protocols, they block amount of traffic going to a specific IP (or
sometimes IP:PORT combination if they want to be less strict). This breaks
every single bypassing solution as they all rely on sending traffic to
another endpoint.

The strategy I had in mind was creating a microservice VPN that can be
deployed across thousands of endpoints with thousands of IPs and Ports. The
servers would be in contact with each other to "restructure" a packet that
has gone through to them, and send it off to the actual endpoint.

Essentially, the client can split a packet into many pieces, send it off to
a thousand systems, and then get a response back from several servers and
reconstruct the actual message itself. This would break the ratio based
detection system. Alongside general hiding techniques such as masquarding
as https/dns/QUIC traffic, this could be a pretty robust and unstoppable
system. Especially with IPv6 becoming a lot more popular and maintaining an
IP ban list much more expensive.

Thoughts?

Thanks!

[-- Attachment #1.2: Type: text/html, Size: 2634 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: Building DPI bypass systems on top of wireguard
  2019-06-19  0:41 Building DPI bypass systems on top of wireguard Amir Omidi
@ 2019-07-17 20:01 ` Saeid Akbari
  0 siblings, 0 replies; 2+ messages in thread
From: Saeid Akbari @ 2019-07-17 20:01 UTC (permalink / raw)
  To: wireguard; +Cc: Amir Omidi

On Wednesday, June 19, 2019 5:11:03 AM +0430 Amir Omidi wrote:
> Hi,
> 
> I've lived in countries under oppressive DPI systems and I want to see if
> its possible to create a DPI bypass system using the wireguard protocol.
> During my time under these DPI systems, I've seen them evolve and grow and
> get stronger and better in detecting various bypass systems.
> 
> In Iran, when there's a lot of political news the government deploys a
> traffic/endpoint ratio strategy. Essentially, instead of blocking specific
> protocols, they block amount of traffic going to a specific IP (or
> sometimes IP:PORT combination if they want to be less strict). This breaks
> every single bypassing solution as they all rely on sending traffic to
> another endpoint.
> 
> The strategy I had in mind was creating a microservice VPN that can be
> deployed across thousands of endpoints with thousands of IPs and Ports. The
> servers would be in contact with each other to "restructure" a packet that
> has gone through to them, and send it off to the actual endpoint.
> 
> Essentially, the client can split a packet into many pieces, send it off to
> a thousand systems, and then get a response back from several servers and
> reconstruct the actual message itself. This would break the ratio based
> detection system. Alongside general hiding techniques such as masquarding
> as https/dns/QUIC traffic, this could be a pretty robust and unstoppable
> system. Especially with IPv6 becoming a lot more popular and maintaining an
> IP ban list much more expensive.
> 
> Thoughts?
> 
> Thanks!

Hi,

I get you man, and I know exactly what you are talking about :)) Anyway, 
here's my two cents.

In theory, yes, but in practice, this is far from being even possible. For 
starters, the amount of overhead it incurs is just massive and unbearable by 
any network; there is some kind of packet re-ordering and assembling involved, 
which makes any slight difference in servers' latencies problematic (let alone 
the packet loss). Also, the communication between the servers is just 
unnecessary and detrimental to the packet throughput.

Even if the proposed solution doesn't sacrifice throughput for fault-tolerance, 
it definitely would be darn inefficient to the network as a whole; so I don't 
think any company or community really wants to implement such an 
infrastructure.

However, the closest thing I've encountered, is VTrunkD project which is not 
maintained anymore, and it's meant to be run on a single server and a single 
client, utilizing only multiple *network interfaces*, not servers and such.


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-07-18  7:31 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-19  0:41 Building DPI bypass systems on top of wireguard Amir Omidi
2019-07-17 20:01 ` Saeid Akbari

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).