Prepare an X.509 keypair for both the server and the client, with a CA
certificate able to authenticate both peers. For example, with zeasypki
(http://www.git.stargrave.org/?p=zeasypki.git;a=blob;f=README):

    $ zeasypki ca eddsa udpobfs-ca
    $ zeasypki new ee/eddsa/udpobfs-ca/server-name
    $ zeasypki new ee/eddsa/udpobfs-ca/client
    $ zeasypki keypair ee/eddsa/udpobfs-ca/server-name > server.pem
    $ zeasypki keypair ee/eddsa/udpobfs-ca/client > client.pem
    $ cp ca/eddsa/udpobfs-ca/cer.pem ca.pem
    $ zeasypki dane ee/eddsa/udpobfs-ca/server-name > server.hash

Assume that WireGuard is running and peered with [2001:db8::dc]:1194.
Run udpobfs instances to obfuscate the traffic between the peers:

    wg0# wg set endpoint [::1]:4911
    wg0# udpobfs-init -bind [::1]:4911 -dst [2001:db8::ac]:1194 \
        -ca ca.pem -keypair client.pem -name server-name -hash `cat server.hash`

    wg1# wg set listen-port 21194
    wg1# udpobfs-resp -bind [2001:db8::ac]:1194 -dst [::1]:21194 \
        -ca ca.pem -keypair server.pem