I work IT… how exactly are they blocking WireGuard?
Edit: Okay, I did the search, and as I guessed, they do not. Users seem to report UDP blocking and throttling in general, not WireGuard (I’m not sure that would be possible). It’s not even particularly confirmed though.
They do block WireGuard. They use DPI (Deep Packet Inspection) at the national level (it’s as expensive as it sounds). They filter and monitor all traffic. Once you have something as invasive as DPI in place, WireGuard becomes rather easy to detect, because it doesn’t hide the fact that you’re establishing a tunnel (its purpose is just to obscure the data being tunneled).
According to the specification, a specific sequence of bytes (Handshake Initiation packet) is sent by the “client” to negotiate a connection, and a Handshake Response is sent back by the “server”. The handshake packets used to negotiate a connection are basically a recognizable signature of the WireGuard protocol, so if you are able to analyze all outgoing and incoming packets (which DPI enables you to do), you can monitor for these signature packets and block the connection attempt.
There are variants of the WireGuard protocol that can circumvent this method of censorship (Amnezia WireGuard is one example), but they only work as long as they stay under the radar and don’t see mass adoption. Their own “signatures” would also just get blocked in that case.
Ultimately, bypassing this level of censorship just isn’t something WireGuard was created for. WireGuard assumes you are only concerned with obscuring your traffic, not hiding the fact that you’re using a VPN. There are better tools for this job, like this: https://www.v2fly.org/en_US/
Edit: Better link with the language set to English
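The detection the comment above describes, as an added example (not code from the thread or from any real DPI product): WireGuard handshake messages carry a fixed type byte, three reserved zero bytes and a fixed total length (148 bytes for a Handshake Initiation, 92 for a Handshake Response, 64 for a Cookie Reply), so a middlebox that sees raw UDP payloads can flag them without any keys. The packet builder, addresses and flow tracker are constructed for the example; it also shows why a payload that breaks the fixed framing slips past this kind of check.

```python
"""DPI-style WireGuard handshake detector (constructed example)."""
from typing import Optional, Tuple

# (expected total length, label) keyed by the message type byte,
# per the WireGuard protocol's fixed message layouts
HANDSHAKE_SIGNATURES = {
    1: (148, "handshake_initiation"),
    2: (92, "handshake_response"),
    3: (64, "cookie_reply"),
}

Endpoint = Tuple[str, int]


def classify_wireguard(payload: bytes) -> Optional[str]:
    """Return the WireGuard message kind a UDP payload looks like, or None."""
    if len(payload) < 32:               # nothing in WireGuard is shorter
        return None
    if payload[1:4] != b"\x00\x00\x00":  # reserved bytes must be zero
        return None
    msg_type = payload[0]
    if msg_type in HANDSHAKE_SIGNATURES:
        expected_len, label = HANDSHAKE_SIGNATURES[msg_type]
        return label if len(payload) == expected_len else None
    if msg_type == 4:
        # transport data: 16-byte header + ciphertext padded to a multiple
        # of 16 + 16-byte auth tag, so the whole payload is a multiple of 16
        return "transport_data" if len(payload) % 16 == 0 else None
    return None


class TunnelDetector:
    """Track UDP flows and block a pair once an initiation gets a response."""

    def __init__(self) -> None:
        self._pending = set()   # (client, server) flows that sent type 1
        self.blocked = set()    # (client, server) pairs to drop from now on

    def observe(self, src: Endpoint, dst: Endpoint, payload: bytes) -> Optional[str]:
        kind = classify_wireguard(payload)
        if kind == "handshake_initiation":
            self._pending.add((src, dst))
        elif kind == "handshake_response" and (dst, src) in self._pending:
            self.blocked.add((dst, src))   # the reverse flow started it
        return kind

    def should_drop(self, src: Endpoint, dst: Endpoint) -> bool:
        return (src, dst) in self.blocked or (dst, src) in self.blocked


def fake_packet(msg_type: int, length: int) -> bytes:
    """Constructed payload: correct type/reserved bytes, filler body."""
    return bytes([msg_type, 0, 0, 0]) + b"\xaa" * (length - 4)


def run_demo() -> TunnelDetector:
    """Replay a constructed client/server handshake through the detector."""
    client: Endpoint = ("10.0.0.5", 51820)
    server: Endpoint = ("203.0.113.7", 51820)
    det = TunnelDetector()
    det.observe(client, server, fake_packet(1, 148))   # Handshake Initiation
    det.observe(server, client, fake_packet(2, 92))    # Handshake Response
    return det


if __name__ == "__main__":
    d = run_demo()
    print("tunnel flagged:", d.should_drop(("10.0.0.5", 51820), ("203.0.113.7", 51820)))
    # a payload whose framing no longer matches the fixed layout is ignored,
    # which is the gap signature-evading variants rely on
    print("junk-padded initiation classified as:", classify_wireguard(fake_packet(1, 160)))
```

The check is purely structural: no key material is needed, only the first four bytes and the length. That is also its weakness, which is the point of the comment's remark about obfuscated variants: change the framing and this particular signature no longer fires, until the censor writes a new one for the variant.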
Heh they block VPNs, Tor and that type of stuff in Saudi. They block WireGuard in Jordan, at least according to my friend there lol
Thanks for the excellent and thorough explanation!
I have no idea, that is what he told me :shrug:
That’s… uh… my condolences.