
Iptables WireGuard obfuscation extension. Windows/Mac/BSDs see the fully compatible cross-platform CLI rs-wgobfs.

infinet/xt_wgobfs


Iptables WireGuard obfuscation extension

The sender and receiver share a secret key. ChaCha8, keyed with that secret, turns the same input into identical pseudo-random numbers on both sides, and those pseudo-random numbers drive the obfuscation:

  • The first 16 bytes of each WG message are obfuscated.
  • The mac2 field is also obfuscated if it is all zeros.
  • The WG message is padded with a random number of random bytes.
  • Keepalive messages are dropped with 80% probability.
  • The DiffServ field is set to zero.

ChaCha8 is used here since the goal is obfuscation rather than encryption.

Tested working on Alpine Linux with kernel 5.15 and CentOS 7 with kernel 3.10.

Build dependencies

  • Alpine: alpine-sdk, iptables-dev, linux-lts-dev or linux-virt-dev
  • CentOS 7: iptables-devel, kernel-devel
  • Debian: iptables-dev, linux-headers

Build and install

Run make in kernel/ to build the kernel module. sudo make install installs it; alternatively, copy xt_WGOBFS.ko to /lib/modules/yourkernelversion/kernel/net/netfilter/ manually, then run depmod -a && modprobe xt_WGOBFS.

Run make in xtables/ to build the iptables extension. Copy libxt_WGOBFS.so to the xtables directory:

  • Alpine: /usr/lib/xtables/
  • CentOS 7: /usr/lib64/xtables
  • Debian: /usr/lib/x86_64-linux-gnu/xtables

Usage

This extension takes two parameters:

--key sets the shared secret between client and server. If the key is longer than 32 characters it is cut at 32; if it is shorter, it is repeated until it reaches 32 characters. This 32-character string is the key used by the ChaCha8 hash.

--obfs or --unobfs selects the operation mode.

Before bringing up wg, insert two iptables rules on the client:

iptables -t mangle -I INPUT -p udp -m udp --sport 6789 -j WGOBFS --key mysecretkey --unobfs
iptables -t mangle -I OUTPUT -p udp -m udp --dport 6789 -j WGOBFS --key mysecretkey --obfs

The above rules assume the remote server is listening on UDP port 6789. On the server, do the opposite:

iptables -t mangle -I INPUT -p udp -m udp --dport 6789 -j WGOBFS --key mysecretkey --unobfs
iptables -t mangle -I OUTPUT -p udp -m udp --sport 6789 -j WGOBFS --key mysecretkey --obfs

The mangle FORWARD chain should also work.
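The following Python model is an added illustration of the behaviour described in the overview and in the --key paragraph above; it is not the module's own code and does not reproduce its wire format. The --key normalization (cut at 32, repeat to 32) and the ChaCha8 block function (the standard ChaCha construction with 8 rounds, RFC 7539 state layout) follow the README; everything else is an assumption made so the model runs end to end: "characters" are treated as bytes, a 12-byte per-packet nonce and an XOR-masked pad-length byte are carried in the random trailer, the first 16 bytes (and an all-zero mac2 on handshake messages) are XORed with keystream from that nonce, and keepalives are recognised as 32-byte type-4 messages. The receiver needs only the shared key to undo the transformation, which is the symmetry the README relies on.

```python
import os
import struct

KEY_LEN = 32    # --key is cut or repeated to exactly 32 bytes (README)
OBFS_LEN = 16   # the first 16 bytes of the WG message are obfuscated (README)
NONCE_LEN = 12  # assumption: a per-packet nonce travels in the appended trailer
MAC2_LEN = 16   # mac2 is the last 16 bytes of a WG handshake message
HANDSHAKE_LENS = {1: 148, 2: 92}  # WG handshake initiation / response sizes

# Constructed sample: a 148-byte handshake-initiation-shaped message with zero mac2.
SAMPLE_INIT = b"\x01\x00\x00\x00" + bytes(range(1, 129)) + bytes(MAC2_LEN)


def normalize_key(key: str) -> bytes:
    """--key handling as the README states: cut at 32, or repeat up to 32."""
    raw = key.encode("utf-8")  # assumption: "characters" means bytes
    if not raw:
        raise ValueError("key must not be empty")
    if len(raw) >= KEY_LEN:
        return raw[:KEY_LEN]
    return (raw * (KEY_LEN // len(raw) + 1))[:KEY_LEN]


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha8_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha block with 8 rounds (RFC 7539 state layout)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter & 0xFFFFFFFF] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(4):  # 4 double rounds = 8 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & 0xFFFFFFFF for i in range(16)))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac2_slot(msg: bytes):
    """(start, end) of mac2 if msg looks like a handshake message, else None."""
    if msg and HANDSHAKE_LENS.get(msg[0]) == len(msg):
        return len(msg) - MAC2_LEN, len(msg)
    return None


def obfuscate(msg: bytes, key: bytes, rng=os.urandom) -> bytes:
    """Assumed layout: obfs(head16) | rest | pad | nonce12 | pad_len ^ keystream."""
    if len(msg) < OBFS_LEN:
        raise ValueError("message too short")
    pad_len = 1 + rng(1)[0] % 31  # assumption: 1..31 random padding bytes
    padding, nonce = rng(pad_len), rng(NONCE_LEN)
    ks = chacha8_block(key, 0, nonce)
    out = bytearray(msg)
    out[:OBFS_LEN] = _xor(msg[:OBFS_LEN], ks[:OBFS_LEN])
    slot = _mac2_slot(msg)
    if slot and msg[slot[0]:slot[1]] == bytes(MAC2_LEN):  # all-zero mac2 only
        out[slot[0]:slot[1]] = _xor(msg[slot[0]:slot[1]], ks[OBFS_LEN:OBFS_LEN + MAC2_LEN])
    return bytes(out) + padding + nonce + bytes([pad_len ^ ks[OBFS_LEN + MAC2_LEN]])


def unobfuscate(pkt: bytes, key: bytes) -> bytes:
    """Inverse of obfuscate; the receiver needs only the shared key."""
    if len(pkt) < OBFS_LEN + NONCE_LEN + 1:
        raise ValueError("packet too short")
    nonce = pkt[-NONCE_LEN - 1:-1]
    ks = chacha8_block(key, 0, nonce)
    pad_len = pkt[-1] ^ ks[OBFS_LEN + MAC2_LEN]
    end = len(pkt) - pad_len - NONCE_LEN - 1
    if end < OBFS_LEN:
        raise ValueError("bad padding length (wrong key?)")
    body = bytearray(pkt[:end])
    body[:OBFS_LEN] = _xor(body[:OBFS_LEN], ks[:OBFS_LEN])
    slot = _mac2_slot(bytes(body))
    if slot:
        cand = _xor(body[slot[0]:slot[1]], ks[OBFS_LEN:OBFS_LEN + MAC2_LEN])
        if cand == bytes(MAC2_LEN):  # it was an obfuscated all-zero mac2
            body[slot[0]:slot[1]] = cand
    return bytes(body)


def should_drop_keepalive(msg: bytes, rng=os.urandom) -> bool:
    """Keepalive = 32-byte type-4 data message (empty payload); drop with p ~ 0.8."""
    return len(msg) == 32 and msg[0] == 4 and rng(1)[0] < 205  # 205/256 ~ 0.80
```

Two points the model makes visible: a genuine non-zero mac2 is left untouched, so the receiver distinguishes the two cases by checking whether XOR with the keystream yields all zeros; and because the keystream is a deterministic function of the shared key, a wrong key on either side produces a garbled pad length or head rather than an error, which is why the module can only tell peers apart by port and rule direction, not by key.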

Performance

Tested in two Alpine Linux VMs on the same host, each with 1 CPU and 256M RAM. iperf3 over wg reports 1.1 Gbits/sec without obfuscation and 950 Mbits/sec with obfuscation.

License

GPL v2
