udpobfs -- simple point-to-point UDP obfuscation proxy
This is trivial UDP proxy, that obfuscates UDP traffic between two UDP
-ports. It does no handshaking, no key agreement, no peer authentication,
-weak replay protection. Key setup/renew must be made for example through
-OpenSSH, TLS or similar channels. udpobfs's purpose is to obfuscate UDP
-traffic between two WireGuard peers with minimal CPU and traffic overhead.
+ports. Aimed to generate fully pseudorandom traffic indistinguishable
+from the noise from the point of the third party observer.
-Assume that WG was running peered with [2001:db8::dc]:1194.
-You can run two udpobfs instances to obfuscate traffic between them:
+It initiates TLS 1.3 connection between the peers to mutually
+authenticate them and agree on shared keying material. After that it
+passes traffic on the same port numbers for UDP. There could be multiple
+simultaneous sessions alive.
- # udpobfs -keygen > key.txt
-
- wg0# wg set endpoint [::1]:4911
- wg0# udpobfs -bind [::1]:4911 -dst [2001:db8::ac]:1194 < key.txt
-
- wg1# wg set listen-port 21194
- wg1# udpobfs -bind [2001:db8::ac]:1194 -dst [::1]:21194 -responder < key.txt
-
-One of the instances is responder -- it awaits when initiator starts
-talking. If UDP binded connection is lost, daemon exits. So it is
-advisable to run it under process supervisor.
-
-udpobfs continuously reads Base32-encoded 256-bit keys from stdin -- you
-can renew them without restarting the daemons. Of course there is some
-time window when key knowledge differs on both peers and they will loose
-the traffic. Not a big deal.
+It assures that at least single packet is passed on ten second
+intervals. If no (real) traffic is passed for two minutes, then
+connections (both TCP and UDP) are closed. Every minute ping/pong
+occurs over the TLS channel to keep it alive.
Obfuscated packet is 8 bytes longer, so you have to slightly lower your
MTU in VPN tunnel.
+
+udpobfs is free software: see the file COPYING for copying conditions.