
[Feature Request] Add Support For WireGuard Over Shadowsocks (or other obfuscation protocols)

Open ProgressiveArchitect opened this issue 4 years ago • 18 comments

Currently, there is in-app support for Shadowsocks being used as multi-hop to connect to OpenVPN servers. I'd like to see the same support available when connecting to WireGuard servers.

ProgressiveArchitect avatar Aug 19 '19 10:08 ProgressiveArchitect

This is blocked on the fact that WireGuard currently can't operate over TCP and Shadowsocks can't really relay UDP. But yes, using bridges with WireGuard connections is surely a desired feature, so it's something we will work on when there is time.

faern avatar Aug 28 '19 14:08 faern

Let's keep the issue open. It's something we want to implement. If it's open other people might see it easier and not create duplicate issues.

faern avatar Aug 29 '19 08:08 faern

> This is blocked on the fact that WireGuard currently can't operate over TCP and Shadowsocks can't really relay UDP

According to the usage page, Shadowsocks does support relaying UDP, see -u (Enable UDP relay) and -U (Enable UDP relay and disable TCP relay).

Does this mean this could potentially be implemented now, or there is more to this?

maximbaz avatar Feb 22 '20 22:02 maximbaz

@faern Any comment on the apparent removal of this blocker? I've seen evidence of folks getting this working on their own single VPS instances. Someone just needs to code the backend now to glue it all together.

PacoBell avatar Apr 03 '20 11:04 PacoBell

@faern It looks like Shadowsocks can be routed over UDP now. So any updates for implementing this on WireGuard?

ProgressiveArchitect avatar Apr 03 '20 21:04 ProgressiveArchitect

Last time I checked it was not using purely UDP. Even if you enable the UDP relaying it was handshaking over TCP. But that might have changed. Please also note that we use the shadowsocks-rs Rust implementation in this VPN app, so it has to be supported there for us to use it. Changing which Shadowsocks implementation we use would be a bigger task.

faern avatar Apr 06 '20 07:04 faern

A year later, shadowsocks-rs has a "udp_only" mode and it's possible to relay WireGuard traffic through it.

So, any updates?

aveao avatar Mar 25 '21 23:03 aveao

We are currently looking at ways of tunneling WireGuard etc. But we are currently not looking at Shadowsocks. Thanks for the update on their UDP only support.

faern avatar Mar 26 '21 09:03 faern

It's been another year and WireGuard still has no Shadowsocks or other UDP tunneling. Just a reminder that this feature is still pretty much needed.

whywhah avatar Mar 11 '22 05:03 whywhah

This is being actively worked on. Good timing on your question as we will likely merge the initial support for WireGuard obfuscation very soon.

faern avatar Mar 14 '22 16:03 faern

@faern I've noticed your language shift from "shadowsocks" to "obfuscation". Does this mean that the Mullvad devs intend to utilize a different obfuscation protocol? If so, which protocol is being looked at as most likely to be implemented with UDP in mind?

ProgressiveArchitect avatar Mar 25 '22 08:03 ProgressiveArchitect

We shift the language because our obfuscation support is not only for Shadowsocks. We recently merged (#3431) a new "obfuscation engine" or whatever you want to call it, for our WireGuard connections. This is a framework in mullvad-daemon that allows it to connect WireGuard over any proxy implementation that can listen to a localhost UDP port and in some way send that obfuscated over the network.

Currently the only supported protocol is udp-over-tcp. This allows connecting to WireGuard servers using TCP. We supported this before the mentioned PR, but then we modeled it differently internally, now it's classified as an obfuscation protocol instead.

Shadowsocks is likely going to be the next protocol added to this new obfuscation framework of ours. But it's not 100% decided upon yet.

You configure what obfuscation WireGuard should use via the CLI command mullvad obfuscation. This has not been released yet, but if you build from the latest source code you can see this subcommand.

faern avatar Mar 25 '22 08:03 faern
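
The udp-over-tcp obfuscation described in the comment above has to keep datagram boundaries intact on a TCP byte stream. An added example (not code from mullvad-daemon or the udp-over-tcp project) of one way to do that, assuming a 2-byte big-endian length prefix; `encode_datagram` and `Deframer` are hypothetical names and the payloads are constructed.

```rust
// Added sketch: carry UDP datagrams over a TCP byte stream.
// Assumption: each datagram is prefixed with a 2-byte big-endian length.

/// Prefix one datagram with its length so the receiver can find where it ends.
fn encode_datagram(payload: &[u8]) -> Option<Vec<u8>> {
    if payload.len() > u16::MAX as usize {
        return None; // does not fit in the 2-byte header
    }
    let mut frame = Vec::with_capacity(2 + payload.len());
    frame.extend_from_slice(&(payload.len() as u16).to_be_bytes());
    frame.extend_from_slice(payload);
    Some(frame)
}

/// Reassembles datagrams from TCP reads that may be split at any byte.
#[derive(Default)]
struct Deframer {
    buf: Vec<u8>,
}

impl Deframer {
    /// Feed bytes as they arrive; returns every datagram completed so far.
    fn push(&mut self, chunk: &[u8]) -> Vec<Vec<u8>> {
        self.buf.extend_from_slice(chunk);
        let mut out = Vec::new();
        while self.buf.len() >= 2 {
            let len = u16::from_be_bytes([self.buf[0], self.buf[1]]) as usize;
            if self.buf.len() < 2 + len {
                break; // header seen, payload still incomplete
            }
            out.push(self.buf[2..2 + len].to_vec());
            self.buf.drain(..2 + len);
        }
        out
    }
}

fn main() {
    // Constructed payloads standing in for WireGuard packets.
    let stream = [
        encode_datagram(b"handshake-init").unwrap(),
        encode_datagram(b"data").unwrap(),
    ]
    .concat();
    let mut d = Deframer::default();
    // Deliver the stream split mid-header and mid-payload.
    let mut got = d.push(&stream[..1]);
    got.extend(d.push(&stream[1..9]));
    got.extend(d.push(&stream[9..]));
    println!("recovered {} datagrams", got.len());
}
```
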

Hi, any updates here?

I want to try Mullvad, but I live in a country where bridge mode is needed on my phone (I know that I can use Mullvad with a Shadowsocks app manually, but it will be more complex than other VPN solutions).

Bridge mode in the phone app will hugely facilitate many people like me and make Mullvad a better choice.

PragmaTwice avatar Dec 03 '22 17:12 PragmaTwice

Hi @PragmaTwice.

WireGuard over TCP has been in the desktop app for a while now. Not yet on mobile, it's in the backlog. We are also looking at enabling custom proxies for WireGuard for desktop. But nothing on using our own bridges yet. However, this is more at the idea stage than implementation stage so far sadly.

faern avatar Dec 16 '22 12:12 faern

Is there any news?

Pilaton avatar Jul 10 '23 18:07 Pilaton

Not really. What I can say is that it's being frequently discussed as an anti-censorship measure we want to add. But it's not currently at the top of the pile. So other anti-censorship measures will be implemented during Q3.

faern avatar Jul 11 '23 07:07 faern

Any news here?

Panuchi avatar Aug 16 '23 15:08 Panuchi

Hey, any updates? It's 2024 and I'm still wondering if there are ways to use WireGuard, let's say at a school or library that would otherwise block the VPN connection. I've used Shadowsocks before and I liked it, I just wasn't much of a fan of needing to use OpenVPN.

Cohenl19 avatar Feb 03 '24 05:02 Cohenl19