Description
Motivation
WireGuard, while being one of the most popular VPN solutions, is unfortunately heavily restricted and censored in countries with oppressive regimes. For a long time the best method to circumvent the restrictions was to wrap the WireGuard traffic in an obfuscator like udp2raw. Vopono is a nice utility, and I personally use it and recommend it to others, but the Internet is not becoming any less censored, so protocols like WireGuard, OpenVPN and others are becoming barely usable in the third world. So there must be a way to use vopono with udp2raw, and that's what this issue is about.
Example
Let's try to open the Discord app with vopono and udp2raw.
Prerequisites
There must be a working end server with a udp2raw-to-WireGuard setup hosted, to which the udp2raw client in vopono is going to try to connect.
Wireguard config
To start vopono with a custom WireGuard provider we need to create a WireGuard config for vopono to work with. Here is an example:
# ~/example/wg0.conf
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = X.X.X.X/X
DNS = 8.8.8.8
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 127.0.0.1:43891
PersistentKeepalive = 30
In this config the endpoint is the local udp2raw client. The udp2raw guides suggest launching the client with a PreUp hook, which unfortunately is not supported in vopono and is ignored if explicitly stated. The trick is to start the udp2raw client inside a script which will be the target script for vopono, as described in the user guide:
To run extra commands inside the network namespace you can wrap your target application with a bash script and provide that script as the target to vopono.
Launch script
The launch script must meet the following requirements:
- Make a workaround for udp2raw to tunnel all traffic.
Since your VPN traffic goes through udp2raw, if your VPN hijacks udp2raw's traffic then there will be a traffic loop and udp2raw will lose its connection.
- Set the MTU to a lower value for udp2raw to work.
Udp2raw won't work to tunnel packets over the Internet with a data payload of 1375 bytes or larger, so we need to lower the MTU (Maximum Transmission Unit) on the WireGuard interface.
Providing the desired MTU value inside the WireGuard config won't work, as it is not supported in vopono and is ignored if explicitly stated.
- Start the udp2raw client.
- Start the desired program (Discord in this example).
With those goals in mind I came up with this:
#!/bin/bash
# ~/example/discord.sh
# workaround: route the udp2raw server address via the namespace gateway
# so the VPN does not capture its own carrier traffic
DROUTE=$(ip route | grep default | awk '{print $3}')
# the censored part is the end server IP address where udp2raw itself is hosted
sudo ip route add X.X.X.X via "$DROUTE"
# change MTU (the device name is the vopono custom namespace name)
sudo ip link set dev disvop2raw mtu 1300
# start udp2raw in the background; the censored parts are the end server
# ip address:udp2raw server listen port and udp2raw secret key respectively
sudo udp2raw -c -a -l 127.0.0.1:43891 -r X.X.X.X:X -k XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --raw-mode faketcp --log-level 0 &
# target program
discord
In this example udp2raw listens on 127.0.0.1:43891, but it is possible to change the listen port to any other value as long as it still listens on the localhost IP. It's critical to put the changed port in the Endpoint field of the [Peer] section of the WireGuard config.
Final command
With the WireGuard config and target script ready, it's time to pass them to vopono and see the magic. After endless trial and error, the working command I discovered turned out to be this:
vopono exec --no-killswitch --custom-netns-name disvop2raw --protocol wireguard --custom ~/example/wg0.conf "~/example/discord.sh"
In this example the custom namespace name is disvop2raw, but it is possible to change it to any other name. It's critical to use the changed namespace name in the launch script in the MTU section. The important parts here are the --no-killswitch and --custom-netns-name flags, which are not described in the user guide and are only mentioned in the issues. The --no-killswitch flag is the most important one; without it the setup breaks.
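As an added example that is not part of this issue or of vopono itself, here is a hardened variant of the launch script above, meant to be given to vopono as "~/example/launch.sh discord" (the script name, the argument convention, the helper function names and the placeholder server values are all assumptions). It checks the two couplings the text calls critical before doing anything: that the Endpoint in the WireGuard config equals the udp2raw listen address, and that the MTU stays below the udp2raw payload limit. It then waits until udp2raw is actually listening before starting the target program, and stops udp2raw when the target exits instead of leaving it running in the namespace.

```shell
#!/bin/bash
# ~/example/launch.sh (hypothetical name): hardened variant of discord.sh,
# used as the vopono target as "~/example/launch.sh discord".
# Values below are placeholders or assumptions, not taken from vopono.
set -eu

NETNS=disvop2raw                     # must equal vopono's --custom-netns-name
WG_CONF="${HOME:-.}/example/wg0.conf" # the config passed to vopono --custom
LISTEN=127.0.0.1:43891               # udp2raw -l; must equal Endpoint in WG_CONF
SERVER_IP=X.X.X.X                    # placeholder: udp2raw server address
SERVER_PORT=X                        # placeholder: udp2raw server port
KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # placeholder: udp2raw secret key
MTU=1300

die() { echo "launch: $*" >&2; exit 1; }

# Print the gateway of the namespace's default route, read from `ip route`
# output on stdin. Matches only "default via <gw> ..." lines, unlike the
# looser `grep default | awk '{print $3}'`. Fails if there is none.
default_gateway() {
  awk '$1 == "default" && $2 == "via" { print $3; found = 1; exit }
       END { exit !found }'
}

# udp2raw cannot carry a payload of 1375 bytes or more, so the WireGuard
# interface MTU must stay strictly below that (simple sanity bound).
udp2raw_mtu_ok() {
  [ "$1" -lt 1375 ]
}

# Print the Endpoint value from a WireGuard config (first occurrence).
config_endpoint() {
  awk -F= '/^[[:space:]]*Endpoint[[:space:]]*=/ {
             gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Return 0 when the config's Endpoint equals the udp2raw listen address;
# a mismatch is exactly the failure the issue warns about when the port
# is changed in one place but not the other.
endpoint_matches() {
  [ "$(config_endpoint "$1")" = "$2" ]
}

# Poll `ss` until a UDP socket is bound to $1, so the target program is
# not started before udp2raw is listening. Gives up after $2 seconds.
wait_for_udp_listener() {
  tries=${2:-10}
  while [ "$tries" -gt 0 ]; do
    ss -lun 2>/dev/null | grep -qF "$1" && return 0
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

launch() {
  target=$1
  endpoint_matches "$WG_CONF" "$LISTEN" \
    || die "Endpoint in $WG_CONF is not $LISTEN"
  udp2raw_mtu_ok "$MTU" || die "MTU $MTU is too large for udp2raw"
  # Pin the udp2raw server behind the namespace gateway so the VPN cannot
  # capture its own carrier traffic (the traffic loop described above).
  gw=$(ip route | default_gateway) || die "no default route in namespace"
  sudo ip route add "$SERVER_IP" via "$gw" || die "route add failed"
  sudo ip link set dev "$NETNS" mtu "$MTU" || die "mtu change failed"
  sudo udp2raw -c -a -l "$LISTEN" -r "$SERVER_IP:$SERVER_PORT" -k "$KEY" \
    --raw-mode faketcp --log-level 0 &
  udp2raw_pid=$!
  # Stop udp2raw when the target exits instead of leaving it behind.
  trap 'sudo kill "$udp2raw_pid" 2>/dev/null || true' EXIT
  wait_for_udp_listener "$LISTEN" || die "udp2raw did not start listening"
  "$target"
}

# Only act when given a target program; running the file without
# arguments just defines the functions above.
if [ "$#" -gt 0 ]; then
  launch "$@"
fi
```

The checks run before any sudo command, so a stale port or an MTU typo fails fast with a message on stderr rather than with a silently hanging tunnel; the trap is what keeps a second run from colliding with a udp2raw left over from the first.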
Conclusion
This issue is created to raise awareness of Internet censorship and to highlight the obstacles and rough edges of vopono itself. Are there any ways to make it more straightforward and less obscure? Any feedback is welcome.