Support for BoringTun over TCP

Open floating-cat opened this issue 6 years ago • 3 comments

There was a similar feature request in the WireGuard mailing list [1], and TunSafe (another implementation of the WireGuard protocol in userspace) already supports this feature in their beta version.

Though the WireGuard kernel version may not want to support this feature for various reasons, I think it is a good idea to support this feature in the userspace WireGuard implementation.

Various ISP providers and corporations drop/block UDP packets, so it is useful to have this feature in these situations. Also, most VPN traffic obfuscation techniques require a TCP connection instead of UDP. VPN traffic obfuscation is useful in countries where Internet censorship is applied (quote from [2]). Though the performance of BoringTun over TCP can be much worse than the UDP-based one, I think these users can also accept this fact.

So I want to propose for BoringTun:

  1. Support for BoringTun over TCP.
  2. Support for masquerading TCP connections as HTTPS traffic.
  3. Support for encrypted SNI and also letting users customize the SNI URLs (unencrypted) in the above HTTPS traffic obfuscation mode.

TunSafe has documentation for their TCP implementation [3]; I think this is a good reference. It would be a good thing if BoringTun could collaborate with the TunSafe author to improve this spec. You can see TunSafe's TCP support details in their changelog [4] (TunSafe v1.5-rc2).

Thanks.

floating-cat, Mar 28 '19 14:03

This would be awesome. UDP gets blocked in many countries easily. I don't understand why no one has done this already. I'm not a Rust or Go programmer; if I were, I would have done it myself.

saleh-old, Mar 28 '20 09:03

+1 for adding support for traffic obfuscation.

I use TunSafe with obfuscation, but that project seems to have been abandoned. BoringTun looks promising and possibly a better/faster implementation to replace it, but unfortunately BoringTun doesn't evade deep packet inspection at this time. It would be great to add this obfuscation layer.

TheLinuxGuy, Jan 23 '21 21:01