
Add TLS Support to bypass UDP blockings #63

Open
amirhmoradi opened this issue Dec 12, 2024 · 10 comments

Comments

@amirhmoradi

Hi, thanks for the great work on this project. I have been searching for quite some time to find the best combination of amnezia+ui+tor.

Context:

In highly censored countries, UDP traffic is either blocked totally or heavily impacted (ex: 50% of packets are dropped or long delays injected to break handshakes).

Suggestion:

Add a tunnel support like https://github.com/ameshkov/udptlspipe to pass the wireguard udp (even amneziawg is udp...) connection inside the tunnel (important to support the Probing protection config from the udptlspipe project too to avoid the wg server endpoint being blocked)

@NOXCIS
Owner

NOXCIS commented Dec 12, 2024

@amirhmoradi I'll look into it

@amirhmoradi
Author

@NOXCIS thanks for looking into this.
I was doing some tests and came to the conclusion: We need to have the possibility for clients to either connect directly through udp (as it works currently) or use the tls/tcp tunnel.
This way, for users (and mainly nodes in a site-to-site setup) who are not in those censored countries, there would be no impact (in terms of speed and complexity of connecting).
thanks.

@NOXCIS
Owner

NOXCIS commented Dec 13, 2024

@amirhmoradi does the tls tunnel need to work on the client side as well or am I confused?

@amirhmoradi
Author

The client side is the responsibility of the client; we just need to explain the feature clearly in the documentation.

The wiregate stack shall expose the tunnel server and configure it to connect to the wireguard server -> details and specific important wireguard details

Then (outside of scope), the client shall install udptlspipe on their local machine and configure their wireguard clients to connect to the local udptlspipe process with correct mtu settings.

The important part would be:

  • exclude udptlspipe server IP from AllowedIPs in the WireGuard client configuration
  • expose both normal wg (or amneziawg) and the tunnel at the same time

Also, udptlspipe is one of multiple ways to manage the use case; maybe other projects are also good.
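The client-side checks this comment describes (Endpoint pointing at the local udptlspipe process, the udptlspipe server IP carved out of AllowedIPs so the outer TLS connection is not routed back into the tunnel it carries, and an explicit MTU), written up as an added Python example. This is not code from this thread, from WireGate, or from udptlspipe; the sample config, the server address 203.0.113.10 and the loopback port are constructed, and the AllowedIPs rewrite uses the standard library's `ipaddress.address_exclude` rather than any project tooling.

```python
import ipaddress

# Constructed sample: a WireGuard client config whose Endpoint points at a
# udptlspipe client running on the same machine (address and port assumed).
SAMPLE_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32
MTU = 1280

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 25
"""

# Constructed public address of the udptlspipe server (RFC 5737 documentation range).
TUNNEL_SERVER_IP = "203.0.113.10"


def parse_wg_conf(text):
    """Parse an INI-style wg-quick config into {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def endpoint_host(endpoint):
    """Return the host part of 'host:port' or '[v6addr]:port'."""
    host = endpoint.rsplit(":", 1)[0]
    return host[1:-1] if host.startswith("[") and host.endswith("]") else host


def is_covered(allowed_ips, ip):
    """True if any AllowedIPs prefix contains the given address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a.strip(), strict=False) for a in allowed_ips)


def exclude_host(allowed_ips, host):
    """Rewrite AllowedIPs so that `host` is no longer covered.

    Each prefix containing the host is replaced by the largest blocks that
    cover it minus the host's /32 (or /128); that is the carve-out that keeps
    the outer TLS/TCP connection from being routed into the tunnel it carries.
    """
    host_net = ipaddress.ip_network(host)
    result = []
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        if net.version == host_net.version and host_net.subnet_of(net):
            result.extend(net.address_exclude(host_net))  # yields nothing if net == host_net
        else:
            result.append(net)
    return [str(n) for n in sorted(result, key=lambda n: (n.version, n))]


def check_client_config(text, tunnel_server_ip):
    """Return a list of problems a client config would have behind udptlspipe."""
    conf = parse_wg_conf(text)
    iface = conf.get("Interface", {})
    peer = conf.get("Peer", {})
    issues = []

    # 1. WireGuard must talk to the local udptlspipe listener, not the public server.
    endpoint = peer.get("Endpoint", "")
    try:
        local = ipaddress.ip_address(endpoint_host(endpoint)).is_loopback
    except ValueError:
        local = endpoint_host(endpoint) == "localhost"
    if not local:
        issues.append("Endpoint should be the local udptlspipe listener, not the public server")

    # 2. The tunnel server's own address must not be inside AllowedIPs.
    allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    if is_covered(allowed, tunnel_server_ip):
        fixed = ", ".join(exclude_host(allowed, tunnel_server_ip))
        issues.append(f"routing loop: AllowedIPs cover tunnel server {tunnel_server_ip}; "
                      f"use AllowedIPs = {fixed}")

    # 3. The outer TCP/TLS framing reduces the usable payload, so MTU should be set
    #    deliberately (the right value is deployment-specific; assumed to need tuning).
    if "MTU" not in iface:
        issues.append("MTU not set explicitly; tune it for the extra TCP/TLS overhead")
    return issues


if __name__ == "__main__":
    for problem in check_client_config(SAMPLE_CONF, TUNNEL_SERVER_IP):
        print("-", problem)
```

The rewrite of `0.0.0.0/0` minus one `/32` produces 32 prefixes, one per bit of the excluded address; that is the same shape of AllowedIPs list a full-tunnel client needs whenever the outer transport's server must stay reachable outside the tunnel.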

@NOXCIS
Owner

NOXCIS commented Dec 14, 2024

@amirhmoradi setting default exclusionary rules is easy.
Same goes for port exposure. I could integrate udptls container or build it into the WireGate container. As long as I maintain backwards compatibility.

@amirhmoradi
Author

@NOXCIS I would vote for using their container for easier set up, clarity and maintenance.

@NOXCIS
Owner

NOXCIS commented Dec 15, 2024

@amirhmoradi Should it be to the quick installer defaults, or should it be always on?

@amirhmoradi
Author

@NOXCIS I am not sure if I understood correctly... The use case of using udptlspipe being quite limited to cases where users are based in heavily censored countries, I would not turn it on by default, but rather leave it to the admin to decide and inform the users.

@amirhmoradi
Author

@NOXCIS hi, is there anything I can do to help this issue move forward, please?

@NOXCIS
Owner

NOXCIS commented Jan 8, 2025

@amirhmoradi PR?
