My %^# ISP blocked all VPN protocols; both WireGuard and OpenVPN can't connect. But the good news is I'm able to connect with OpenVPN when I force OpenVPN to connect through my SSH tunnel (I bought a VPS and created a SOCKS5 proxy for that). My question is: how can I force WireGuard to make a connection through the SSH tunnel to its server?
What port are you running WireGuard on?
I’m running WireGuard on UDP port 123 (TimeServer) or 53 (NameServer) and this isn’t blocked in most networks.
As mentioned, change the port - the traffic is UDP and should look arbitrary at best. Default port usage is what gives it away to the ISP (or anyone else) that you’re using XYZ application and what that application’s use case is typically for. 123 and 53 are good ones as /u/Simplixt mentioned, since those are sorta fundamental in function and blocking them would cause issues. Otherwise you could find a popular video game that uses a few ports; Minecraft's 25565, for instance, would most likely be an easy one to get through.
Of course this isn’t ideal but another option is to use OpenVPN which is quite a bit heavier but it would just be TLS traffic which wouldn’t look any different from an HTTPS website.
Another option is to change ISP.
How can they block wireguard? It’s encrypted UDP.
Have you tried changing the port?
I’m running my WireGuard instance behind a reverse proxy (specifically https://github.com/fatedier/frp) on a VPS. That also has the advantage of not needing DDNS on non-static IPs.
Are you sure your ISP is actually blocking these ports and that it’s not just CGNAT?
If a simple port number change doesn’t do it… then you’ll need to couple it with something else. (like udp2raw)
If it’s a block-list entry, you need to make your traffic unique enough to get around it.
If it’s a white-list entry, you need to make your traffic look like something else to get around it.
Client or server? If you are running a WireGuard home server, make sure you are opening/forwarding NAT ports in your router.
A tunnel in a tunnel/wrapper/proxy is just going to slow down the connection. If you’re already using an SSH tunnel there is no need to use WireGuard inside it; the performance is still limited by the SSH tunnel regardless, despite WireGuard itself being much faster than SSH.
So if the ssh tunnel itself already performs well enough just use that. But if it’s not fast enough you’d get more speed using a tunnel software that is already using obfuscation built in instead of doing what you’re doing: passing the obfuscation off to an extra layer.
Time for a new provider.
In this #$% country all ISPs are the same.
You can do some pattern matching on the handshake packets, and filter them out.
Damn OP that sounds tough. I hope you find a solution. Do update us with what you end up doing.
I wanna know what country is that lol
I see. I’m surprised it doesn’t have a simple XOR mask of your choosing built in. Maybe one of these will be useful to you:
https://github.com/net4people/bbs/issues/88
https://www.starvpn.com/obfuscate-wireguard-vpn-with-shadowsocks/
https://vpncentral.com/can-wireguard-be-obfuscated-how-to-do-it-step-by-step/
My guess: You are close (regarding the topic, not the geographic location), and it is Iran.