My need: access to my private network over public networks that block VPN traffic
Hello, I frequent public wifi spots that occasionally have DPI and block VPN traffic. WG is obviously blocked, and even running OpenVPN as TCP over port 443 gets blocked shortly after opening, presumably due to the unique handshake.
I see some people use shadowsocks as an alternative for bypassing restrictions due to converting traffic to pure HTTPS, however from what I understand that is more of a proxy and thus not a VPN where I’d have access to my home network (and thus all the services on my home network).
How can I go about obfuscating my wireguard/OpenVPN traffic such that it hides its VPN signature and I can maintain access to my home network and server?
I have Cloudflare-fronted Shadowsocks with V2Ray and Shadowsocks with Cloak as my fallbacks for if WireGuard is blocked.
Worrying about the somewhat technical differentiation between VPN and proxy is moot generally. If you’re using an SS client which opens a VPN connection on your phone when you connect to your server then to all intents and purposes you’re using it as a VPN.
In my day-to-day use it makes no odds if I use my phone to connect to my home setup via WG or Shadowsocks.
I have had good luck with SoftEther VPN using TCP on port 443. You can limit the time of each TCP stream, and run multiple TCP streams, so your traffic looks more like web SSL traffic, and it improves throughput. Check out https://www.softether.org
SoftEther is really good for this, it can create an SSL/TLS vpn that runs on port 443. This is super handy to get around pretty much any firewall that is blocking access to your VPN. Just make sure you have your SSL certs correct.
I personally use SSTP that comes built into my Synology router. It accomplishes the same thing in the end as SoftEther. VPN running on port 443 and uses SSL/TLS so firewalls and packet inspection can’t block it.
Oh I see, so you’re saying connecting to my network via shadowsocks will allow me to see and thus access my local network devices?
Also, side note, I’ve done a bit of reading on V2Ray; almost everything I’ve seen is in Chinese (understandably, given their use case). From what I understand it’s a framework for network protocols. What specifically does it offer to shadowsocks?
This is what I’ll be trying today! And I’m still learning, to be clear: by having my SSL certs correct, do you mean having all of my services have active SSL certs? For example, currently the web UIs for my Nextcloud and Ubiquiti are not HTTPS, but it’s never been an issue since when using them over WG/OpenVPN the traffic is encrypted anyway. So you are saying that to use SoftEther I will need those services to have active SSL certificates?
Well, this wouldn’t actually change the visible traffic, no? It doesn’t make a difference whether I use a VPS or not since the traffic is still visible VPN traffic.
Yeah, the Shadowsocks app (certainly on Android) opens a normal phone VPN connection so barring edge-cases it’ll act like any other VPN connection such as WireGuard if you set it up right.
Most of the V2Ray info is in Chinese as it was originally designed as an obfuscation protocol so that Shadowsocks traffic could traverse China’s Great Firewall (which is why it is so adept at bypassing DPI filters). That answers your last question too - it obfuscates the Shadowsocks traffic so it bypasses DPI. Shadowsocks alone is easy to fingerprint (by design - it’s only a proxy after all).
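To make concrete what “unique handshake” in the original question and “easy to fingerprint” in the reply above mean, here is an added example (not code from the thread or from any of the projects named in it): a toy first-packet classifier of the kind a captive network could run on the first client payload of each flow. OpenVPN over TCP and WireGuard both start with fixed protocol headers, so they are recognisable from a handful of bytes; a bare Shadowsocks AEAD stream has no header at all, which is itself a tell, and the “fully encrypted” heuristic below is a simplified version of one reported in public research on the Great Firewall and is an assumption here, not a description of any specific DPI product; a flow that begins with a genuine TLS ClientHello (SoftEther, SSTP, or Shadowsocks behind v2ray-plugin or Cloak in TLS mode) gets the same verdict as ordinary HTTPS. All sample packets are constructed by hand from the public byte layouts, not captured traffic.

```python
"""Toy first-packet DPI classifier (added example, assumptions noted inline)."""
import hashlib


def is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x0301..0x0303,
    # 2-byte length, then a handshake header whose first byte 0x01 = ClientHello.
    return (len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03
            and p[2] in (0x01, 0x02, 0x03) and p[5] == 0x01)


def is_openvpn_tcp_reset(p: bytes) -> bool:
    # OpenVPN over TCP prefixes every packet with a 2-byte big-endian length.
    # The first client packet is P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7),
    # encoded as (opcode << 3) | key_id, i.e. 0x38 for key id 0, followed by an
    # 8-byte session id, a zero ack-array length and a 4-byte packet id.
    if len(p) < 3:
        return False
    declared = int.from_bytes(p[:2], "big")
    return declared == len(p) - 2 and (p[2] >> 3) == 7


def is_wireguard_initiation(p: bytes) -> bool:
    # WireGuard handshake initiation (UDP): message type 1, three reserved
    # zero bytes, and the message is always exactly 148 bytes long.
    return len(p) == 148 and p[:4] == b"\x01\x00\x00\x00"


def looks_fully_encrypted(p: bytes) -> bool:
    # Assumed, simplified heuristic: no recognisable framing, well under half
    # of the bytes printable ASCII, and set bits close to 50% of all bits.
    # Random-looking first packets are what Shadowsocks AEAD emits.
    if len(p) < 32:
        return False
    printable = sum(1 for b in p if 0x20 <= b <= 0x7E) / len(p)
    ones = sum(bin(b).count("1") for b in p) / (8 * len(p))
    return printable < 0.5 and 0.4 <= ones <= 0.6


def classify(payload: bytes, transport: str) -> str:
    """Label the first client payload of a flow; transport is 'tcp' or 'udp'."""
    if transport == "udp" and is_wireguard_initiation(payload):
        return "wireguard"
    if transport == "tcp":
        if is_tls_client_hello(payload):
            return "tls"
        if is_openvpn_tcp_reset(payload):
            return "openvpn"
        if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
            return "http"
    if looks_fully_encrypted(payload):
        return "fully-encrypted"
    return "unknown"


def verdict(label: str) -> str:
    # A hotspot that only wants "web" traffic lets TLS and HTTP through and
    # drops everything it recognises as a tunnel or cannot recognise at all.
    return "allow" if label in ("tls", "http") else "block"


# ---- constructed samples (hand-built, not captured traffic) -----------------
_hello_body = (b"\x03\x03" + bytes(32)        # client version, 32-byte random
               + b"\x00"                      # session id length 0
               + b"\x00\x02\x13\x01"          # one cipher suite (TLS_AES_128_GCM_SHA256)
               + b"\x01\x00"                  # one compression method (null)
               + b"\x00\x00")                 # no extensions
_handshake = b"\x01" + len(_hello_body).to_bytes(3, "big") + _hello_body
SAMPLE_TLS = b"\x16\x03\x01" + len(_handshake).to_bytes(2, "big") + _handshake

_ovpn_body = (b"\x38"                         # opcode 7 << 3 | key id 0
              + b"\x11\x22\x33\x44\x55\x66\x77\x88"  # client session id
              + b"\x00"                       # ack array length 0
              + b"\x00\x00\x00\x00")          # packet id 0
SAMPLE_OPENVPN_TCP = len(_ovpn_body).to_bytes(2, "big") + _ovpn_body   # 16 bytes

SAMPLE_WIREGUARD = b"\x01\x00\x00\x00" + bytes(range(144))               # 148 bytes

# Stand-in for a Shadowsocks AEAD first packet: deterministic pseudo-random bytes.
SAMPLE_SHADOWSOCKS = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))

SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def demo():
    """Return {name: (label, verdict)} for every constructed sample."""
    flows = {
        "https":          (SAMPLE_TLS, "tcp"),
        "openvpn-tcp443": (SAMPLE_OPENVPN_TCP, "tcp"),
        "wireguard":      (SAMPLE_WIREGUARD, "udp"),
        "shadowsocks":    (SAMPLE_SHADOWSOCKS, "tcp"),
        "plain-http":     (SAMPLE_HTTP, "tcp"),
    }
    out = {}
    for name, (payload, transport) in flows.items():
        label = classify(payload, transport)
        out[name] = (label, verdict(label))
    return out


if __name__ == "__main__":
    for name, (label, action) in demo().items():
        print(f"{name:16s} {label:16s} {action}")
```

The point of the table this prints is the last column: OpenVPN on 443 and WireGuard are blocked by their own headers, the bare Shadowsocks stream is blocked for having no header, and only the flows that start with real TLS or HTTP survive, which is exactly what wrapping the tunnel in TLS (SoftEther, SSTP, v2ray-plugin/Cloak) buys you against a check like this.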
So I now have a basic shadowsocks setup going on an Ubuntu VM. Based on my IP checks it looks like I’m successfully accessing sites from my host machine, however I’m unable to connect to/see any LAN devices. I can’t even SSH into the VM that’s running the shadowsocks server. Is this normal, or is there something I’m missing?
Again, unless the traffic is not encrypted, it can’t be snooped. A port is just a port. I have a VPN myself setup on port 443 for when I’m on public internet at the hospital that blocks all but 25, 465, 587, 80, 443.
I’ve never had an issue getting on the VPN on port 443 (wireguard now, was openvpn initially).
If your traffic is being filtered based on content, the provider would likely not allow any encryption at all, making it all a moot point.
Edit: forgot to mention, it needs to be TCP. UDP is likely blocked on port 443.