wireguard is not undetectable, even wireshark has a simple way to identify it, but there are more accurate ways
Comment on UK households could face VPN 'ban' after use skyrockets following Online Safety Bill
derpgon@programming.dev 2 days ago
I mean anyone can rent a server in Europe and install OpenVPN themselves. Hell, it doesn’t even need to be OpenVPN, Wireguard works just as well and is basically undetectable.
Eat shit, UK government, for real. Idiots think that by speaking the same language as US fascists they can have similarly dumb ideas.
WhyJiffie@sh.itjust.works 2 days ago
derpgon@programming.dev 2 days ago
Wouldn’t it be detected via initial connection only? WG does not send packets while connected, does it?
WhyJiffie@sh.itjust.works 1 day ago
Update: I think not only the handshake packets contain a recognizable pattern. Look at “Subsequent Messages: Exchange of Data Packets”,
especially if the receiver/sender_index and the counter are what I think they are.
also have a look at this page: www.wireguard.com/known-limitations/
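The point about the data packets can be checked directly against the packet layout. The following is an added example, not code from the thread or from the WireGuard project: a small classifier that applies the same structural test a protocol dissector uses, namely the 1-byte message type (1 to 4) followed by three reserved zero bytes, the fixed lengths of the three handshake-phase messages, and for type 4 the little-endian receiver_index and 64-bit counter followed by a 16-byte-aligned encrypted body. The sample packets are constructed, with zero-filled key and ciphertext fields, since only the plaintext header matters here; the index values are made up. A network monitor that sees the type-4 counter climbing on a fixed receiver_index is looking at one WireGuard session, and the counter is also the field the protocol itself uses to reject replayed packets.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Fixed on-the-wire sizes of the non-data messages (from the WireGuard paper).
MSG_FIXED_SIZES = {1: 148, 2: 92, 3: 64}
MSG_NAMES = {1: "handshake_initiation", 2: "handshake_response",
             3: "cookie_reply", 4: "transport_data"}


@dataclass
class WgHeader:
    msg_type: str
    sender_index: Optional[int]
    receiver_index: Optional[int]
    counter: Optional[int]


def classify_wireguard(payload: bytes) -> Optional[WgHeader]:
    """Return the parsed WireGuard header if the UDP payload has the
    protocol's structure, else None. Purely structural: no keys needed."""
    if len(payload) < 4:
        return None
    msg_type = payload[0]
    # Type byte must be 1..4 and the three reserved bytes must be zero.
    if msg_type not in MSG_NAMES or payload[1:4] != b"\x00\x00\x00":
        return None
    # Handshake and cookie messages have exact lengths.
    if msg_type in MSG_FIXED_SIZES and len(payload) != MSG_FIXED_SIZES[msg_type]:
        return None
    if msg_type == 1:
        (sender,) = struct.unpack_from("<I", payload, 4)
        return WgHeader(MSG_NAMES[1], sender, None, None)
    if msg_type == 2:
        sender, receiver = struct.unpack_from("<II", payload, 4)
        return WgHeader(MSG_NAMES[2], sender, receiver, None)
    if msg_type == 3:
        (receiver,) = struct.unpack_from("<I", payload, 4)
        return WgHeader(MSG_NAMES[3], None, receiver, None)
    # Type 4: 16-byte header, then ciphertext whose plaintext is padded to
    # a multiple of 16 and carries a 16-byte AEAD tag, so at least 32 bytes.
    if len(payload) < 32 or (len(payload) - 16) % 16 != 0:
        return None
    receiver, counter = struct.unpack_from("<IQ", payload, 4)
    return WgHeader(MSG_NAMES[4], None, receiver, counter)


def scan_flow(payloads) -> dict:
    """Summarise a list of UDP payloads from one 5-tuple: how many look like
    WireGuard, by type, and whether the data counters only ever increase."""
    summary = {"wireguard": 0, "other": 0, "by_type": {}, "counters_monotonic": True}
    last_counter = {}
    for p in payloads:
        hdr = classify_wireguard(p)
        if hdr is None:
            summary["other"] += 1
            continue
        summary["wireguard"] += 1
        summary["by_type"][hdr.msg_type] = summary["by_type"].get(hdr.msg_type, 0) + 1
        if hdr.msg_type == "transport_data":
            prev = last_counter.get(hdr.receiver_index)
            if prev is not None and hdr.counter <= prev:
                # A repeated or lower counter is exactly what a WireGuard
                # receiver discards as a replay.
                summary["counters_monotonic"] = False
            if prev is None or hdr.counter > prev:
                last_counter[hdr.receiver_index] = hdr.counter
    return summary


# Constructed sample traffic (indices are made up, crypto fields zero-filled).
INIT_INDEX, RESP_INDEX = 0x11223344, 0x55667788
SAMPLE_INIT = b"\x01\x00\x00\x00" + struct.pack("<I", INIT_INDEX) + b"\x00" * 140
SAMPLE_RESP = b"\x02\x00\x00\x00" + struct.pack("<II", RESP_INDEX, INIT_INDEX) + b"\x00" * 80


def sample_data(counter: int) -> bytes:
    return b"\x04\x00\x00\x00" + struct.pack("<IQ", RESP_INDEX, counter) + b"\x00" * 16


SAMPLE_FLOW = [SAMPLE_INIT, SAMPLE_RESP, sample_data(0), sample_data(1),
               b"GET / HTTP/1.1\r\n", sample_data(2)]
SAMPLE_FLOW_WITH_REPLAY = SAMPLE_FLOW + [sample_data(1)]

if __name__ == "__main__":
    print(scan_flow(SAMPLE_FLOW))
    print(scan_flow(SAMPLE_FLOW_WITH_REPLAY))
```

The checks are deliberately conservative: a packet that fails any structural test is reported as "other", so a stray UDP datagram whose first byte happens to be 4 but whose length is not 16 plus a multiple of 16 is not counted. Running the script on the constructed flow reports five WireGuard packets (one initiation, one response, three data) and one non-WireGuard payload; appending the replayed counter-1 packet flips counters_monotonic to False.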
WhyJiffie@sh.itjust.works 1 day ago
now that you say, I think I remember reading something like this earlier
jabjoe@feddit.uk 2 days ago
To be honest, I’ve found WireGuard’s performance is harmed more by replay attacks than OpenVPN. At least that is what I put it down to when I tried them both from a VPN provider that offered both.
derpgon@programming.dev 2 days ago
How is WG vulnerable to replay attacks? They already address that in their documentation.
jabjoe@feddit.uk 2 days ago
It doesn’t fall over, it just slows down. Or appears to much more than OpenVPN. There could be something else going on, but for whatever the problem was, OpenVPN was coping better and just spitting out errors about a possible replay attack and continuing like nothing was wrong. I’ve not looked again as OpenVPN is working fine. For everything else, I’m using WireGuard.
xthexder@l.sw0.com 2 days ago
What’s a reply attack? Do you have people actively MITM-ing your connection? Personally I’ve found Wireguard performance to be significantly better, especially on spotty mobile Internet.
jabjoe@feddit.uk 2 days ago
Man in the middle can be part of it. It’s just basically recording and sending stuff back. Generally I use WireGuard, but on unhygienic networks, where OpenVPN is warning about possible replay attacks, WireGuard doesn’t work as well. Could be something else of course, but I’ve got one end. It’s not constant or always.
xthexder@l.sw0.com 2 days ago
Oh replay attacks, that makes a bit more sense. Honestly I’ve never been on such a poor network to run into that. I don’t know your situation, but I’d be doing anything I could to get away from that ISP if they’re actively manipulating your traffic
MehBlah@lemmy.world 2 days ago
It would have been my go-to. But they can detect OpenVPN and other protocols. I would just use an SSH tunnel with a Squid proxy. The Squid won’t cache SSH traffic unless you run your own cert and set up the Squid that way. It will however seamlessly allow you to connect through an SSH tunnel with one port forward.
tal@lemmy.today 2 days ago
I’ve certainly happily used SSH tunnels — on Linux it’s great in that it’s readily available wherever you already have OpenSSH installed — but one downside of OpenSSH as a general-purpose tool for tunneling is that it is intrinsically TCP and thus forces packet ordering across multiple tunneled connections, which may not be necessary for whatever you’re doing and can have performance impact. Part of the reason mosh exists is to deal with that (not for the SSH-as-a-tunneling-protocol case, but rather for the “SSH-as-a-remote-shell” case).
Wireguard is UDP, and OpenVPN can use either TCP or UDP, depending upon how it’s configured.
If we were going to move the world to a single “tunneling” protocol, SSH wouldn’t be my first choice, even though it’s awfully handy as a quick-and-dirty way to tunnel data.
MehBlah@lemmy.world 2 days ago
I used PuTTY for tunnels on Windows machines. As for mosh, I forgot it exists. I use WireGuard now. But if they ban VPNs it will be harder for them to prove the SSH is being used for the purpose of evading their stupid law. The high bandwidth usage could be a lot of things… right?
While in the hospital ten years ago I did get a visit from the IT dept. They didn’t have any QoS on SSH and I was moving a lot of data through it. They just asked me to limit my high usage to late night.
tal@lemmy.today 2 days ago
Fair enough, and come to think of it, I think I have too. Just was pointing out that not all SSH implementations have tunnelling functionality.
Yeah, that’s true.