https://github.com/snawoot/wg-decoy
Decoy handshake for Wireguard
dpi dpi-bypassing wireguard wireguard-vpn
Last synced: 16 days ago
- Host: GitHub
- URL: https://github.com/snawoot/wg-decoy
- Owner: Snawoot
- License: mit
- Created: 2023-08-20T11:16:42.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2023-08-27T15:40:21.000Z (over 1 year ago)
- Last Synced: 2025-03-27T13:51:22.905Z (about 1 month ago)
- Topics: dpi, dpi-bypassing, wireguard, wireguard-vpn
- Language: Go
- Homepage:
- Size: 16.6 KB
- Stars: 37
- Watchers: 5
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# wg-decoy
Decoy handshake for WireGuard. Allows some initial exchange between the WireGuard server and client in order to derail DPI filtering.
## Installation
### Binaries
Pre-built binaries are available [here](https://github.com/Snawoot/wg-decoy/releases/latest).
### Build from source
Run in the source directory:
```
make
```
The binary will be available in the `bin` directory.
Alternatively, you may invoke Go directly:
```
go build -o bin/wg-decoy ./cmd/wg-decoy
```
## Running application
### Server (Linux only)
Add an iptables rule to capture small packets destined for the WireGuard port:
```sh
iptables -t mangle -A PREROUTING -i eth0 -p udp -m udp --dport 51820 -m addrtype --dst-type LOCAL -m length --length 0:44 -j TPROXY --on-port 1820 --on-ip 127.0.0.1
```
Replace `eth0` with your actual public interface and port `51820` with your actual WireGuard server port.
Then run the server:
```
wg-decoy server
```
### Client
Make sure you use some random but fixed port in your wireguard config like this:
```
ListenPort = 56218
```
and then, right before starting the connection, run the command:
```
wg-decoy client SERVER_ADDRESS:SERVER_PORT LOCAL_PORT
```
where `SERVER_ADDRESS:SERVER_PORT` is the WG server endpoint and `LOCAL_PORT` is the `ListenPort` value in your client config.
If you use `wg-quick`, it may be convenient to add the wg-decoy invocation as a `PreUp` command in your client config.
## Synopsis
```
$ wg-decoy -h
Usage:

wg-decoy [OPTION]... server
wg-decoy [OPTION]... client
wg-decoy version

Options:
  -attempts uint
        number of client request attempts (default 10)
  -bind-address string
        server bind address (default "127.0.0.1:1820")
  -break-early
        return as soon as minimal number of responses acquired (default true)
  -client-req string
        client request (default "PING")
  -min-responses uint
        minimal number of responses to collect (default 5)
  -server-resp string
        server response (default "PONG")
  -timeout duration
        network operation timeout (default 5s)
```
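The exchange these options control, as an added Go sketch run on loopback (this is not wg-decoy's own code): the client sends the request from the port WireGuard will later bind and counts matching replies. `serveDecoy` and `runClient` are hypothetical names, the matching logic is assumed from the option descriptions, and the server side's TPROXY handling is left out.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// serveDecoy answers each datagram equal to req with resp until conn is closed.
func serveDecoy(conn net.PacketConn, req, resp string) {
	buf := make([]byte, 64)
	for {
		n, addr, err := conn.ReadFrom(buf)
		if err != nil {
			return // socket closed
		}
		if string(buf[:n]) == req {
			conn.WriteTo([]byte(resp), addr)
		}
	}
}

// runClient sends req from localPort (the WireGuard ListenPort; 0 = any free port)
// and returns how many matching replies arrived, stopping early at minResp.
func runClient(server string, localPort int, req, resp string, attempts, minResp int, timeout time.Duration) (int, error) {
	d := net.Dialer{LocalAddr: &net.UDPAddr{Port: localPort}}
	conn, err := d.Dial("udp", server)
	if err != nil {
		return 0, err
	}
	defer conn.Close() // release the port so WireGuard can bind it afterwards
	got, buf := 0, make([]byte, 64)
	for i := 0; i < attempts && got < minResp; i++ {
		conn.Write([]byte(req)) // a failed send just counts as a missed attempt
		conn.SetReadDeadline(time.Now().Add(timeout))
		if n, err := conn.Read(buf); err == nil && string(buf[:n]) == resp {
			got++
		}
	}
	return got, nil // caller compares the count with minResp
}

func main() {
	srv, err := net.ListenPacket("udp", "127.0.0.1:0") // constructed loopback server
	if err != nil {
		panic(err)
	}
	go serveDecoy(srv, "PING", "PONG")
	fmt.Println(runClient(srv.LocalAddr().String(), 0, "PING", "PONG", 10, 5, 5*time.Second))
}
```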