{"id":43217040,"url":"https://github.com/infinet/xt_wgobfs","last_synced_at":"2026-02-01T08:11:04.622Z","repository":{"id":68761670,"uuid":"534979483","full_name":"infinet/xt_wgobfs","owner":"infinet","description":"Iptables WireGuard obfuscation extension. Windows/Mac/BSDs see the fully compatible cross-platform CLI rs-wgobfs.","archived":false,"fork":false,"pushed_at":"2026-01-31T14:20:37.000Z","size":59,"stargazers_count":300,"open_issues_count":4,"forks_count":32,"subscribers_count":14,"default_branch":"main","last_synced_at":"2026-02-01T01:17:43.453Z","etag":null,"topics":["kernel-module","linux-kernel","obfuscation","wireguard"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/infinet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-09-10T11:38:01.000Z","updated_at":"2026-01-29T13:25:33.000Z","dependencies_parsed_at":"2025-01-01T13:33:24.466Z","dependency_job_id":"6810ddd1-077d-45cd-a130-27d06837dde2","html_url":"https://github.com/infinet/xt_wgobfs","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/infinet/xt_wgobfs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infinet%2Fxt_wgobfs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infinet%2Fxt_wgobfs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infinet%2Fxt_wgobfs
/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infinet%2Fxt_wgobfs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/infinet","download_url":"https://codeload.github.com/infinet/xt_wgobfs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infinet%2Fxt_wgobfs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28973300,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T06:46:42.625Z","status":"ssl_error","status_checked_at":"2026-02-01T06:44:56.173Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kernel-module","linux-kernel","obfuscation","wireguard"],"created_at":"2026-02-01T08:11:04.063Z","updated_at":"2026-02-01T08:11:04.614Z","avatar_url":"https://github.com/infinet.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Iptables WireGuard obfuscation extension\n\nThis is a Linux kernel module that runs on Linux. Users on Windows, Mac, BSD,\nand pfSense can use the fully compatible cross-platform CLI\n[rs-wgobfs](https://github.com/infinet/rs-wgobfs).\n\n\n### How it works\n\nThe sender and receiver share a secret key, which is used by `chacha6` to hash\nthe same input into identical pseudo-random numbers. 
These pseudo-random\nnumbers are used in obfuscation.\n\n- Obfuscate the first 16 bytes of the WG message.\n- Obfuscate the mac2 field as well, if it is all zeros.\n- Pad the WG message with a random-length run of random bytes.\n- Drop keepalive messages with 80% probability.\n- Change the Diffserv field to zero.\n\n`Chacha6` is chosen for its speed, as the goal is not encryption.\n\nTested working on Alpine Linux kernel 5.15, CentOS 7, Debian 10 to 13 and\nopenSUSE 15.5.\n\n\n### Build dependencies\n\n- Alpine: alpine-sdk iptables-dev linux-lts-dev or linux-virt-dev\n- CentOS 7: iptables-devel kernel-devel\n- Debian 10 to 13: autoconf libtool libxtables-dev linux-headers pkg-config\n- openSUSE 15: autoconf automake gcc kernel-default-devel libtool libxtables-devel make\n\n\n### Build and install\n\nBuild:\n\n```shell\n./autogen.sh\n./configure\nmake\n```\n\nInstall:\n\n```shell\nsudo make install\n```\n\nOne may need to run `depmod -a \u0026\u0026 modprobe xt_WGOBFS` to load the kernel module.\n\nBy default, openSUSE does not allow unsupported kernel modules. To override,\ncreate or modify `/etc/modprobe.d/10-unsupported-modules.conf` and add the\nfollowing line:\n\n```shell\nallow_unsupported_modules 1\n```\n\n\n### DKMS\n\nTo use DKMS, first generate a source tarball, then install it as superuser:\n\n```shell\n./autogen.sh\n./configure\nmake tarball\nsudo make dkms-install\n```\n\n\n### Usage\n\nThis extension takes two parameters.\n\n`--key` for a shared secret between client and server. If a key is a long\nstring, it will be cut at 32 characters; if a key is short, then it will be\nrepeated until it reaches 32 characters. 
This 32-character string is the key\nused by the `chacha6` hash.\n\n`--obfs` or `--unobfs` to indicate the operation mode.\n\n**Before** bringing up wg, insert two iptables rules on the client:\n\n```shell\niptables -t mangle -I INPUT -p udp -m udp --sport 6789 -j WGOBFS --key mysecretkey --unobfs\niptables -t mangle -I OUTPUT -p udp -m udp --dport 6789 -j WGOBFS --key mysecretkey --obfs\n```\n\nThe above rules assume the remote server is listening on port 6789. On the server, do\nthe opposite:\n\n```shell\niptables -t mangle -I INPUT -p udp -m udp --dport 6789 -j WGOBFS --key mysecretkey --unobfs\niptables -t mangle -I OUTPUT -p udp -m udp --sport 6789 -j WGOBFS --key mysecretkey --obfs\n```\n\n### As a relay\n\nSince this is a Linux kernel module, users on Windows, Mac, or mobile devices\nwill not be able to use it directly. However, a possible workaround is to use it\nthrough a relay.\n\nTo set it up on a relay server (assuming the default policy for the FORWARD chain is\nACCEPT):\n\n```shell\niptables -t nat -A PREROUTING -p udp -d RELAY_WAN_IP --dport 6789 -j DNAT --to-destination real_wg_server_ip:6789\niptables -t nat -A POSTROUTING -p udp -d real_wg_server_ip --dport 6789 -j MASQUERADE\n\niptables -t mangle -A FORWARD -p udp -d real_wg_server_ip --dport 6789 -j WGOBFS --key mysecretkey --obfs\niptables -t mangle -A FORWARD -p udp -s real_wg_server_ip --sport 6789 -j WGOBFS --key mysecretkey --unobfs\n```\n\nWindows, Mac or mobile clients then use the IP and port of the relay as the WG\nserver endpoint. The setup for the remote WG server is the same as in the previous\nsection.\n\n\n### IPv6\n\nFor IPv6, replace `iptables` with `ip6tables` in the rules. It is also necessary to\nreduce the MTU of the WireGuard interface, for example, set the MTU to 1280.\n\n\n### TCP MSS fix\n\nIt is necessary to clamp TCP MSS on TCP traffic over the tunnel. 
Symptoms of TCP\nMSS problems include HTTP not working on some websites, or ssh working while scp\ndoes not.\n\n```shell\niptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n```\n\n\n### Performance\n\nTested in two Alpine Linux VMs on the same host. Each VM has 1 CPU and 256M RAM.\nIperf3 over wg reports 1.1Gbits/sec without obfuscation, 950Mbits/sec with\nobfuscation.\n\n\n### OpenWrt\n\nSee [openwrt/package/README.md](/openwrt/package/README.md)\n\n\n### License\n\nGPL v2\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfinet%2Fxt_wgobfs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfinet%2Fxt_wgobfs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfinet%2Fxt_wgobfs/lists"}