xt_wgobfs's Issues

Ubuntu 22.04 Compile error

Hello, I'm trying to compile xt_wgobfs module on Ubuntu 22.04 but have this output after make:

root@vps:/xt_wgobfs# make
make -C /lib/modules/5.15.0-1032-realtime/build M=/xt_wgobfs/src modules
make[1]: Entering directory '/usr/lib/modules/5.15.0-1032-realtime/build'
make[1]: *** No rule to make target 'modules'.  Stop.
make[1]: Leaving directory '/usr/lib/modules/5.15.0-1032-realtime/build'
make: *** [Makefile:735: modules] Error 2
root@vps:/xt_wgobfs# uname -r
5.15.0-1032-realtime

Output from ./autogen.sh

root@vps:/xt_wgobfs# ./autogen.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:11: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
configure.ac:11: You should run autoupdate.
m4/libtool.m4:99: AC_PROG_LIBTOOL is expanded from...
configure.ac:11: the top level
configure.ac:7: installing 'build-aux/compile'
configure.ac:6: installing 'build-aux/missing'
Makefile.am:37: warning: ':='-style assignments are not portable
Makefile.am:37: warning: shell mktemp -dtu: non-POSIX variable name
Makefile.am:37: (probably a GNU make extension)
Makefile.am:13: warning: user target 'install' defined here ...
/usr/share/automake-1.16/am/install.am: ... overrides Automake target 'install' defined here
Makefile.am:15: warning: user target 'clean' defined here ...
automake: ... overrides Automake target 'clean' defined here
Makefile.am:15: consider using clean-local instead of clean

Output from ./configure

root@vps:/xt_wgobfs# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... none
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for linux/netfilter/x_tables.h... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for xtables >= 1.4.21... yes
checking Xtables module directory... /usr/lib/x86_64-linux-gnu/xtables
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating Makefile.libxt
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands

Bandwidth limited to below 10Mbps

Hello

I have successfully managed to use the extension, but my connection is now always below 10 Mbps. The server running the latest Debian is 100 Mbps and the client running Arch Linux ARM is 70 Mbps on v0.4.2.

Below is an iperf3 log from testing:

$ iperf3 -c 10.0.0.30 -n 20M
Connecting to host 10.0.0.30, port 5201
[  5] local 10.0.0.1 port 39378 connected to 10.0.0.30 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  2.88 MBytes  24.1 Mbits/sec  585    102 KBytes       
[  5]   1.00-2.00   sec  1.97 MBytes  16.5 Mbits/sec  303    112 KBytes       
[  5]   2.00-3.00   sec   879 KBytes  7.20 Mbits/sec   43   73.5 KBytes       
[  5]   3.00-4.00   sec   879 KBytes  7.20 Mbits/sec    0   80.2 KBytes       
[  5]   4.00-5.00   sec   879 KBytes  7.20 Mbits/sec    0   89.5 KBytes       
[  5]   5.00-6.00   sec  1.72 MBytes  14.4 Mbits/sec   24   46.8 KBytes       
[  5]   6.00-7.00   sec  0.00 Bytes  0.00 bits/sec    0   41.4 KBytes       
[  5]   7.00-8.00   sec   879 KBytes  7.20 Mbits/sec    0   50.8 KBytes       
[  5]   8.00-9.00   sec   879 KBytes  7.20 Mbits/sec    0   60.1 KBytes       
[  5]   9.00-10.00  sec   879 KBytes  7.20 Mbits/sec    0   69.5 KBytes       
[  5]  10.00-11.00  sec   879 KBytes  7.20 Mbits/sec   23   54.8 KBytes       
[  5]  11.00-12.00  sec   879 KBytes  7.20 Mbits/sec   22   48.1 KBytes       
[  5]  12.00-13.00  sec  0.00 Bytes  0.00 bits/sec    0   56.1 KBytes       
[  5]  13.00-14.00  sec   879 KBytes  7.20 Mbits/sec    0   65.5 KBytes       
[  5]  14.00-15.00  sec   879 KBytes  7.20 Mbits/sec    0   74.8 KBytes       
[  5]  15.00-16.00  sec  1.72 MBytes  14.4 Mbits/sec    0   85.5 KBytes       
[  5]  16.00-17.00  sec   879 KBytes  7.20 Mbits/sec    0   94.9 KBytes       
[  5]  17.00-18.00  sec   942 KBytes  7.71 Mbits/sec   56   52.1 KBytes       
[  5]  18.00-19.00  sec   879 KBytes  7.20 Mbits/sec    0   58.8 KBytes       
[  5]  19.00-19.85  sec   516 KBytes  4.94 Mbits/sec    0   66.8 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-19.85  sec  20.0 MBytes  8.45 Mbits/sec  1056             sender
[  5]   0.00-19.93  sec  17.9 MBytes  7.52 Mbits/sec                  receiver

iperf Done.

What would be the cause of having such performance loss? I don't think the overhead should be this much.

Thanks for the great extension that helps with Internet censorship.

openwrt snapshot issue

Hi, just installed a fresh openwrt snapshot

OpenWrt SNAPSHOT r22217-dc0de05e10 / LuCI Master git-23.039.28596-41e9b8d

Linux WRT32X 5.15.98 #0 SMP Sat Mar 4 20:27:30 2023 armv7l GNU/Linux

After compiling and installing the ipk, I issued a command and got an error:

root@WRT32X:~# iptables -t mangle -I INPUT -p udp -m udp --sport 6789 -j WGOBFS --key mysecretkey --unobfs
iptables v1.8.8 (nf_tables): unknown option "--key"
Try `iptables -h' or 'iptables --help' for more information.

I don't know why; the patch works very well on OpenWrt 22.03.

Cannot build it on Manjaro

Hi.

Thanks for your work. I managed to install it on Ubuntu server, but am facing an issue while trying to build it on Manjaro (Archlinux-based distro).

Long story short here's the issue:

...
checking for linux/netfilter/x_tables.h... yes
./configure: line 12766: syntax error near unexpected token `libxtables,'
./configure: line 12766: `PKG_CHECK_MODULES(libxtables, xtables >= 1.4.21)'

Here's the full log:

[varnie@heimdal xt_wgobfs]$ ./autogen.sh 
aclocal: warning: couldn't open directory 'm4': No such file or directory
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:11: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
configure.ac:11: You should run autoupdate.
m4/libtool.m4:100: AC_PROG_LIBTOOL is expanded from...
configure.ac:11: the top level
configure.ac:9: installing 'build-aux/ar-lib'
configure.ac:7: installing 'build-aux/compile'
configure.ac:11: installing 'build-aux/config.guess'
configure.ac:11: installing 'build-aux/config.sub'
configure.ac:5: installing 'build-aux/install-sh'
configure.ac:6: installing 'build-aux/missing'
Makefile.am:37: warning: ':='-style assignments are not portable
Makefile.am:37: warning: shell mktemp -dtu: non-POSIX variable name
Makefile.am:37: (probably a GNU make extension)
Makefile.am:13: warning: user target 'install' defined here ...
/usr/share/automake-1.16/am/install.am: ... overrides Automake target 'install' defined here
Makefile.am:15: warning: user target 'clean' defined here ...
automake: ... overrides Automake target 'clean' defined here
Makefile.am:15: consider using clean-local instead of clean

and then:

[varnie@heimdal xt_wgobfs]$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... no
checking whether make supports nested variables... no
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... no
checking dependency style of gcc... none
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for file... file
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for linux/netfilter/x_tables.h... yes
./configure: line 12766: syntax error near unexpected token `libxtables,'
./configure: line 12766: `PKG_CHECK_MODULES(libxtables, xtables >= 1.4.21)'

One thing I noticed is that there's no such package as libxtables-dev nor iptables-dev.
Interestingly, it looks like libxtables is installed according to the output below:

[varnie@heimdal xt_wgobfs]$ ldconfig -v |grep table
ldconfig: Path `/usr/lib64' given more than once
(from <builtin>:0 and <builtin>:0)
ldconfig: Can't stat /usr/libx32: No such file or directory
	libxtables.so.12 -> libxtables.so.12.6.0
	libnftables.so.1 -> libnftables.so.1.1.0

Any help? Thank you.

Create a transparent relay for obfs?

Can I create a relay so that I can use wireguard directly to connect to the obfs relay server?

Client ---> Obfs Relay Server ---> Real wg server

MTU is not taken into consideration when adding random padding

When adding random padding, it would be nice to watch the MTU so as not to exceed the maximum UDP packet length and to avoid fragmentation. If the packet is already as large as possible, then add nothing at all.

Let's say we have an interface with MTU 1500. Then the maximum UDP payload will be 1472.

  1. If payload is 1472 then we cannot add random padding (we cannot add the padding length either since it would require extra 1 byte that we don't have room for). This case will be tricky for the receiving side to detect. Any suggestions?
  2. If payload is <1472 then the maximum padding length will be 1471-len (plus 1 byte padding length). This fix requires a change on the sender side only, without losing backward compatibility.

If you don't want to deal with getting MTU of the outgoing interface, it would be safe to turn the padding off completely somewhere after ~1200 bytes.

Sender:

  1. if len>=1200 then don't add padding
  2. if len<1199 then pad the packet up to maximum 1199 bytes

Receiver:

  1. if len>=1200 consider we have no padding and no padding length byte
  2. if len<1200 consider we do have the padding length byte

PS. This issue was likely affected by this problem:
#3
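
The sender and receiver rules proposed in this issue, modelled in C as an added example (not code from xt_wgobfs or from the issue author). The layout payload, padding, then one length byte, the fixed filler byte and all function names are assumptions; the model also shows that a 1199-byte payload is covered by neither sender rule and cannot be carried unambiguously.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_THRESHOLD 1200u /* cut-off proposed in the issue */
#define BUF_CAP 2048u

/* Sender: buf holds len payload bytes and has BUF_CAP bytes of storage.
 * Returns the wire length, or -1 for the length the rules leave uncovered. */
static long sender_pad(uint8_t *buf, size_t len, size_t want_pad)
{
    size_t room, pad;

    if (len >= PAD_THRESHOLD)
        return (long)len;           /* sender rule 1: no padding, no length byte */
    if (len + 1 >= PAD_THRESHOLD)
        return -1;                  /* len == 1199: raw or framed, both misparse */
    room = PAD_THRESHOLD - 2 - len; /* keeps the wire length at or below 1199 */
    if (room > 255)
        room = 255;                 /* the length travels in a single byte */
    pad = want_pad < room ? want_pad : room;
    memset(buf + len, 0xAA, pad);   /* fixed filler; a real sender would use random bytes */
    buf[len + pad] = (uint8_t)pad;  /* assumed position of the length byte */
    return (long)(len + pad + 1);
}

/* Receiver: returns the payload length, or -1 if the length byte is bogus. */
static long receiver_strip(const uint8_t *wire, size_t wire_len)
{
    size_t pad;

    if (wire_len >= PAD_THRESHOLD)
        return (long)wire_len;      /* receiver rule 1: nothing to strip */
    if (wire_len == 0)
        return -1;
    pad = wire[wire_len - 1];
    if (pad + 1 > wire_len)
        return -1;                  /* claims more padding than was received */
    return (long)(wire_len - 1 - pad);
}

/* Constructed payload bytes, so the results are reproducible. */
static void fill(uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] = (uint8_t)(i * 7 + 1);
}

/* Wire length the sender produces for a payload of len bytes. */
long wire_length(size_t len, size_t want_pad)
{
    uint8_t buf[BUF_CAP];
    if (len > BUF_CAP)
        return -1;
    fill(buf, len);
    return sender_pad(buf, len, want_pad);
}

/* Pad, then strip; returns the recovered length, or -1 on any mismatch. */
long roundtrip(size_t len, size_t want_pad)
{
    uint8_t buf[BUF_CAP], ref[BUF_CAP];
    long wire, got;

    if (len > BUF_CAP)
        return -1;
    fill(buf, len);
    fill(ref, len);
    wire = sender_pad(buf, len, want_pad);
    if (wire < 0)
        return -1;
    got = receiver_strip(buf, (size_t)wire);
    if (got != (long)len || memcmp(buf, ref, len) != 0)
        return -1;
    return got;
}

/* What the receiver makes of a payload that was sent without framing. */
long strip_unframed(size_t len)
{
    uint8_t buf[BUF_CAP];
    if (len > BUF_CAP)
        return -1;
    fill(buf, len);
    return receiver_strip(buf, len);
}

int main(void)
{
    printf("148-byte payload, 40 bytes of padding: wire %ld\n", wire_length(148, 40));
    printf("1199-byte payload sent raw parses as %ld bytes\n", strip_unframed(1199));
    return 0;
}
```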

Different Keys For Tx/Rx

Is it possible to use different secrets for send and receive traffic and is there any benefit in doing so?

Example:

Client:
iptables -t mangle -I INPUT -p udp -m udp --sport 6789 -j WGOBFS --key secretforserverTx --unobfs
iptables -t mangle -I OUTPUT -p udp -m udp --dport 6789 -j WGOBFS --key secretforserverRx --obfs
Server:
iptables -t mangle -I INPUT -p udp -m udp --dport 6789 -j WGOBFS --key secretforserverRx --unobfs
iptables -t mangle -I OUTPUT -p udp -m udp --sport 6789 -j WGOBFS --key secretforserverTx --obfs

iptables unknown option "-J"

sudo iptables -t mangle -I INPUT -p udp -m udp --sport 52925 -J WGOBFS --key mysecretkey --unobfs
iptables v1.8.7 (nf_tables): unknown option "-J"
Try `iptables -h' or 'iptables --help' for more information.

OS: Debian 11 (fresh install)

OpenWRT compiling issue

WARNING: Makefile 'package/feeds/packages/xtables-wgobfs/Makefile' has a dependency on 'kmod-ipt-core', which does not exist

How to fix it?

Can't compile v4 for openwrt.

I can't compile for OpenWrt anymore. make V=s stops with a strange "Error 2" without explanation because of missing autogen results.

make[3]: Entering directory '/tmp/wrt/openwrt/feeds/packages/net/xt_wgobfs'
checking for library containing putmsg... SHELL= flock /tmp/wrt/openwrt/tmp/.xt_wgobfs-0.4.tar.xz.flock -c ' /tmp/wrt/openwrt/scripts/download.pl "/tmp/wrt/openwrt/dl" "xt_wgobfs-0.4.tar.xz" "59e89d904035bb51d9c2efc96957f13bb95a75fc532a20e059d916aa2d4d56da" "" "https://github.com/infinet/xt_wgobfs/releases/download/v0.4/" '
rm -f /tmp/wrt/openwrt/build_dir/target-mips_24kc_musl/xt_wgobfs-0.4/.built
touch /tmp/wrt/openwrt/build_dir/target-mips_24kc_musl/xt_wgobfs-0.4/.built_check
make --jobserver-auth=3,4 -C /tmp/wrt/openwrt/build_dir/target-mips_24kc_musl/xt_wgobfs-0.4 ARCH="mips" CROSS_COMPILE="mips-openwrt-linux-musl-" DESTDIR="/tmp/wrt/openwrt/build_dir/target-mips_24kc_musl/xt_wgobfs-0.4/ipkg-install" DEPMOD="/bin/true" all
make[4]: Entering directory '/tmp/wrt/openwrt/build_dir/target-mips_24kc_musl/xt_wgobfs-0.4'
make[4]: Leaving directory '/tmp/wrt/openwrt/build_dir/target-mips_24kc_musl/xt_wgobfs-0.4'
make[3]: *** [Makefile:91: /tmp/wrt/openwrt/build_dir/target-mips_24kc_musl/xt_wgobfs-0.4/.built] Error 2
make[3]: Leaving directory '/tmp/wrt/openwrt/feeds/packages/net/xt_wgobfs'
time: package/feeds/packages/xt_wgobfs/compile#0.19#0.04#1.44
make[2]: *** [package/Makefile:113: package/feeds/packages/xt_wgobfs/compile] Error 2

There are many files missing in v4 compared to v3. v4 is just a repo.
Also, the tarball contains the old openwrt/Makefile.

tar tvf xt_wgobfs-0.4.tar.xz
drwxr-xr-x wei/wei 0 2023-03-01 16:57 xt_wgobfs-0.4/
drwxr-xr-x wei/wei 0 2023-03-01 16:57 xt_wgobfs-0.4/openwrt/
drwxr-xr-x wei/wei 0 2023-03-01 16:57 xt_wgobfs-0.4/openwrt/package/
-rw-r--r-- wei/wei 2314 2023-03-01 16:57 xt_wgobfs-0.4/openwrt/package/Makefile
-rw-r--r-- wei/wei 862 2023-03-01 16:57 xt_wgobfs-0.4/openwrt/package/README.md
-rw-r--r-- wei/wei 1536 2023-03-01 16:57 xt_wgobfs-0.4/configure.ac
-rw-r--r-- wei/wei 1197 2023-03-01 16:57 xt_wgobfs-0.4/Makefile.am
drwxr-xr-x wei/wei 0 2023-03-01 16:57 xt_wgobfs-0.4/src/
-rw-r--r-- wei/wei 13577 2023-03-01 16:57 xt_wgobfs-0.4/src/xt_WGOBFS_main.c
-rw-r--r-- wei/wei 741 2023-03-01 16:57 xt_wgobfs-0.4/src/chacha8.h
-rw-r--r-- wei/wei 2851 2023-03-01 16:57 xt_wgobfs-0.4/src/wg.h
-rw-r--r-- wei/wei 67 2023-03-01 16:57 xt_wgobfs-0.4/src/Kbuild
-rw-r--r-- wei/wei 4308 2023-03-01 16:57 xt_wgobfs-0.4/src/libxt_WGOBFS.c
-rw-r--r-- wei/wei 2814 2023-03-01 16:57 xt_wgobfs-0.4/src/chacha8.c
-rw-r--r-- wei/wei 337 2023-03-01 16:57 xt_wgobfs-0.4/src/xt_WGOBFS.h
-rwxr-xr-x wei/wei 53 2023-03-01 16:57 xt_wgobfs-0.4/autogen.sh
-rw-r--r-- wei/wei 18092 2023-03-01 16:57 xt_wgobfs-0.4/LICENSE
-rw-r--r-- wei/wei 2485 2023-03-01 16:57 xt_wgobfs-0.4/README.md
-rw-r--r-- wei/wei 777 2023-03-01 16:57 xt_wgobfs-0.4/Makefile.libxt.in

tar tvf 1/xt_wgobfs-0.3.tar.xz
drwxr-xr-x root/root 0 2022-11-24 14:01 xt_wgobfs-0.3/
-rw-r--r-- root/root 18092 2022-11-24 13:58 xt_wgobfs-0.3/LICENSE
-rw-r--r-- root/root 1197 2022-11-24 13:58 xt_wgobfs-0.3/Makefile.am
-rw-r--r-- root/root 777 2022-11-24 13:58 xt_wgobfs-0.3/Makefile.libxt.in
-rw-r--r-- root/root 2118 2022-11-24 13:58 xt_wgobfs-0.3/README.md
-rwxr-xr-x root/root 53 2022-11-24 13:58 xt_wgobfs-0.3/autogen.sh
-rw-r--r-- root/root 1535 2022-11-24 13:58 xt_wgobfs-0.3/configure.ac
drwxr-xr-x root/root 0 2022-11-24 13:58 xt_wgobfs-0.3/src/
-rw-r--r-- root/root 67 2022-11-24 13:58 xt_wgobfs-0.3/src/Kbuild
-rw-r--r-- root/root 2734 2022-11-24 13:58 xt_wgobfs-0.3/src/chacha8.c
-rw-r--r-- root/root 741 2022-11-24 13:58 xt_wgobfs-0.3/src/chacha8.h
-rw-r--r-- root/root 4308 2022-11-24 13:58 xt_wgobfs-0.3/src/libxt_WGOBFS.c
-rw-r--r-- root/root 2851 2022-11-24 13:58 xt_wgobfs-0.3/src/wg.h
-rw-r--r-- root/root 337 2022-11-24 13:58 xt_wgobfs-0.3/src/xt_WGOBFS.h
-rw-r--r-- root/root 13577 2022-11-24 13:58 xt_wgobfs-0.3/src/xt_WGOBFS_main.c
drwxr-xr-x root/root 0 2022-11-24 14:01 xt_wgobfs-0.3/build-aux/
-rw-r--r-- root/root 327114 2022-11-24 14:01 xt_wgobfs-0.3/build-aux/ltmain.sh
-rwxr-xr-x root/root 5827 2022-11-24 14:01 xt_wgobfs-0.3/build-aux/ar-lib
-rwxr-xr-x root/root 7383 2022-11-24 14:01 xt_wgobfs-0.3/build-aux/compile
-rwxr-xr-x root/root 44283 2022-11-24 14:01 xt_wgobfs-0.3/build-aux/config.guess
-rwxr-xr-x root/root 36136 2022-11-24 14:01 xt_wgobfs-0.3/build-aux/config.sub
-rwxr-xr-x root/root 15368 2022-11-24 14:01 xt_wgobfs-0.3/build-aux/install-sh
-rwxr-xr-x root/root 6878 2022-11-24 14:01 xt_wgobfs-0.3/build-aux/missing
drwxr-xr-x root/root 0 2022-11-24 14:01 xt_wgobfs-0.3/m4/
-rw-r--r-- root/root 306432 2022-11-24 14:01 xt_wgobfs-0.3/m4/libtool.m4
-rw-r--r-- root/root 14514 2022-11-24 14:01 xt_wgobfs-0.3/m4/ltoptions.m4
-rw-r--r-- root/root 4384 2022-11-24 14:01 xt_wgobfs-0.3/m4/ltsugar.m4
-rw-r--r-- root/root 699 2022-11-24 14:01 xt_wgobfs-0.3/m4/ltversion.m4
-rw-r--r-- root/root 6140 2022-11-24 14:01 xt_wgobfs-0.3/m4/lt~obsolete.m4
-rw-r--r-- root/root 54272 2022-11-24 14:01 xt_wgobfs-0.3/aclocal.m4
-rwxr-xr-x root/root 442848 2022-11-24 14:01 xt_wgobfs-0.3/configure
-rw-r--r-- root/root 1727 2022-11-24 14:01 xt_wgobfs-0.3/config.h.in
-rw-r--r-- root/root 22954 2022-11-24 14:01 xt_wgobfs-0.3/Makefile.in

nftables

It would be useful to have an example for nftables, as it's a default packet filter for OpenWRT (and not only).

Kernel panic, when use relay

Could anyone help me? I'm trying to install a relay server. These are my rules for iptables:

1.1.1.1 = IP of WAN (VDS)
2.2.2.2 = IP of WG server

iptables -t nat -A PREROUTING -p udp -d 1.1.1.1 --dport 5555 -j DNAT --to-destination 2.2.2.2:5555
iptables -t nat -A POSTROUTING -p udp -d 2.2.2.2 --dport 5555 -j MASQUERADE

iptables -t mangle -A FORWARD -p udp -d 2.2.2.2 --dport 5555 -j WGOBFS --key mysecretkey --obfs
iptables -t mangle -A FORWARD -p udp -s 2.2.2.2 --sport 5555 -j WGOBFS --key mysecretkey --unobfs

But I have a kernel panic when a packet comes in to mangle for obfs.

I've tried:

Debian 10/11/12, Centos 7 - unsuccessful
Different kernel versions - unsuccessful
Build version 0.4.0 and 0.4.1 - still unsuccessful((

Can someone try to test relay option?

It seems tunnel MTU is affected

I had my tunnel MTU at 1440 before using this obfuscation method and it was working without any issue. After obfuscation the tunnel would come up, handshakes were OK and could ping the other side however the tunnel acted weird and could not get my services running properly on it, another weird symptom was having nearly equal transfer amount on both receive and send in output of wg command. Lowering MTU to 1420 resolved the issue. Just putting it here for anyone who might have this issue.

IPv6 support

It seems that it doesn't work with IPv6:

ip6tables -t mangle -I INPUT ... -j WGOBFS --key "xxx" --unobfs
ip6tables v1.8.9 (nf_tables): unknown option "--key"

unable to install module on Manjaro Kernel 6.1.55-1-MANJARO x86_64

Recently, I've discovered that I'm no longer able to 'make install' it properly. I suspect it may be related to the latest Linux update. I'm running on Kernel: 6.1.55-1-MANJARO x86_64.

Logs:

[varnie@heimdal xt_wgobfs]$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... none
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for file... file
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for linux/netfilter/x_tables.h... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libxtables... yes
checking Xtables module directory... /usr/lib/xtables
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating Makefile.libxt
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
[varnie@heimdal xt_wgobfs]$ make
make -C /lib/modules/6.1.55-1-MANJARO/build M=/home/varnie/thrash/xt_wgobfs/src modules
  CC [M]  /home/varnie/thrash/xt_wgobfs/src/xt_WGOBFS_main.o
  CC [M]  /home/varnie/thrash/xt_wgobfs/src/chacha.o
  LD [M]  /home/varnie/thrash/xt_wgobfs/src/xt_WGOBFS.o
  MODPOST /home/varnie/thrash/xt_wgobfs/src/Module.symvers
  CC [M]  /home/varnie/thrash/xt_wgobfs/src/xt_WGOBFS.mod.o
  LD [M]  /home/varnie/thrash/xt_wgobfs/src/xt_WGOBFS.ko
  BTF [M] /home/varnie/thrash/xt_wgobfs/src/xt_WGOBFS.ko
make -C /home/varnie/thrash/xt_wgobfs/src -f ./../Makefile.libxt all
make[1]: Entering directory '/home/varnie/thrash/xt_wgobfs/src'
gcc -Wp,-MMD,./.libxt_WGOBFS.oo.d,-MT,libxt_WGOBFS.oo   -DPIC -fPIC  -g -O2 -o libxt_WGOBFS.oo -c libxt_WGOBFS.c 
gcc  -shared  -o libxt_WGOBFS.so libxt_WGOBFS.oo -lxtables  
make[1]: Leaving directory '/home/varnie/thrash/xt_wgobfs/src'
make  all-am
make[1]: Entering directory '/home/varnie/thrash/xt_wgobfs'
make[1]: Leaving directory '/home/varnie/thrash/xt_wgobfs'
[varnie@heimdal xt_wgobfs]$ sudo make install
[sudo] password for varnie: 
make -C /lib/modules/6.1.55-1-MANJARO/build M=/home/varnie/thrash/xt_wgobfs/src INSTALL_MOD_PATH= ext-mod-dir='${INSTALL_MOD_DIR}' modules_install
  INSTALL /lib/modules/6.1.55-1-MANJARO/extra/xt_WGOBFS.ko
  SIGN    /lib/modules/6.1.55-1-MANJARO/extra/xt_WGOBFS.ko
At main.c:167:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: crypto/bio/bss_file.c:75
sign-file: ./certs/signing_key.pem
  ZSTD    /lib/modules/6.1.55-1-MANJARO/extra/xt_WGOBFS.ko.zst
  DEPMOD  /lib/modules/6.1.55-1-MANJARO
make -C /home/varnie/thrash/xt_wgobfs/src -f ./../Makefile.libxt install
make[1]: Entering directory '/home/varnie/thrash/xt_wgobfs/src'
install -pm0755 libxt_WGOBFS.so "//usr/lib/xtables"
make[1]: Leaving directory '/home/varnie/thrash/xt_wgobfs/src'
[varnie@heimdal xt_wgobfs]$ 

Let me know if you need any details and I will be happy to provide them. Thank you.

Multiple clients with different circumvention levels

Hi,

If you have 2 clients, client A is behind the firewall and needs to use xt_wgobfs to connect to the server, and client B connects from a location where the wireguard connection from client to server is not blocked.

What should the iptables configuration on the server be, to selectively apply obfs and unobfs only to traffic from client A?
Is there any smart iptables rule that can do this, assuming the client IP address is not static?

If the server has iptables configured as described in the readme, but client B does not use xt_wgobfs, will the traffic be dropped?

thanks and regards

Make failed - ./tools/objtool/objtool: not found

I have struggled with make a Docker container.
I've mounted /lib/modules:/lib/modules and /usr/src:/usr/src for accessing the host kernel when running the container, but the compile process failed with objtool: not found, which actually exists in said directory on the Docker host.

Dockerfile
FROM alpine:latest
RUN apk update && \
    apk add curl unzip iptables-dev alpine-sdk linux-lts-dev autoconf automake libtool; \
    #
    mkdir /tmp && cd /tmp; \
    curl -sSL -o archive.zip https://github.com/infinet/xt_wgobfs/archive/refs/heads/main.zip; \
    unzip archive.zip; \
    cd xt_wgobfs-main; \
    #
    ./autogen.sh; \
    ./configure;

WORKDIR /tmp/xt_wgobfs-main
CMD make

make -C /lib/modules/5.19.0-26-generic/build M=/tmp/xt_wgobfs-main/src modules
make[1]: Entering directory '/usr/src/linux-headers-5.19.0-26-generic'
warning: the compiler differs from the one used to build the kernel
  The kernel was built by: x86_64-linux-gnu-gcc-12 (Ubuntu 12.2.0-3ubuntu1) 12.2.0
  You are using:           gcc (Alpine 12.2.1_git20220924-r4) 12.2.1 20220924
  CC [M]  /tmp/xt_wgobfs-main/src/xt_WGOBFS_main.o
/bin/sh: ./tools/objtool/objtool: not found
make[2]: *** [scripts/Makefile.build:257: /tmp/xt_wgobfs-main/src/xt_WGOBFS_main.o] Error 127
make[2]: *** Deleting file '/tmp/xt_wgobfs-main/src/xt_WGOBFS_main.o'
make[1]: *** [Makefile:1851: /tmp/xt_wgobfs-main/src] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-5.19.0-26-generic'
make: *** [Makefile:736: modules] Error 2
