this post was submitted on 31 Oct 2023
32 points (97.1% liked)

Selfhosted

40427 readers
569 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
32
submitted 1 year ago* (last edited 1 year ago) by MigratingtoLemmy to c/selfhosted
 

Hi everyone, this is a continuation of my previous post: https://lemmy.world/post/7542500

Tl;Dr: Do Suricata/snort/Security onion have mechanisms to perform DPI if one provides them with a valid certificate? Any other open source software I should be looking at that can do DPI?


Background:

I have been trying to find ways to masquerade Wireguard traffic as normal HTTPS traffic to circumvent blocks by networks which do not like such traffic. It is quite easy to identify Wireguard traffic with a default setup because their method of implementing SSL is different from normal HTTPS, and most packet analysers can pick up that Wireguard traffic is passing through.

With that said, I have come across 3 methods to alleviate this problem:

(before you implement these, make sure to convert Wireguard traffic into TCP using udp2raw or updtunnel and force operations on port 443)

  1. Use stunnel - seems to be a project that has been around for a while. Encrypts data using SSL, makes it look like HTTPS.
  2. Use obfsproxy - created by the TOR project, can be used alongside OpenVPN.
  3. Use wstunnel - refer to this tutorial.

The alternatives are mainly: use OpenVPN (which can use stunnel or obfsproxy) or Softether (which uses SSL for its VPN).


Question:

I would like to test said software in a comparison of their efficacy against firewalls employing DPI. Which is why I'm looking at FOSS which can do DPI. Does anyone do this for their network at home? This will be for private use only, I won't be allowing any external access on my network.

Thanks!


Edit: I realise that this might not be much of a problem for a lot of people, but regardless of whether one is facing this problem or not, I believe it is important to keep abreast of such technology and engage with it to improve one's digital privacy. There is no doubt that such networks exist, and whether one actively engages with them or not is up to the user. In fact, the question is about DPIs, so I'd like to know if anyone has any experience working with FOSS DPIs in their homelab/at work. Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] MigratingtoLemmy 1 points 1 year ago (6 children)

Thank you, I didn't know much about this project before. How does it compare to the usual IPSec, OpenVPN, Softether and Wireguard?

[–] i_uuuh_what 3 points 1 year ago (5 children)

To be honest, I'm also not that knowledgeable about it even though I do have it running on a VPS. And can't say I'm too knowledgeable about networking/VPNs either - I do use Wireguard which I also manage, but that's about it.

So, some bulletpoints instead:

  • It's kinda a pain to set up
  • It's default server configuration logs all requests, so you might want to disable this
  • As far as I understand, it's more of a proxy than a VPN, so you won't be able to make connections from one client to another
  • It mimics standard HTTPS
  • When using the "reality" protocol it successfuly mimics any website of your choosing for any unauthenticated clients by forwarding HTTPS certificates and whatnot, which protects you from active probing
  • People use it to get around the Great Firewall of China
[–] MigratingtoLemmy 1 points 1 year ago (4 children)

Thanks for the note. Good to know that it is more like a proxy which simulates SSL: makes it similar to stunnel. I will likely have to run a VPN protocol underneath with this on top.

Funny, I heard obfsproxy is used to circumvent the Chinese firewall too. I'll have to take a look, thanks

[–] i_uuuh_what 2 points 1 year ago (1 children)

Yeah, no problem.

I did try wrapping Wireguard inside of xray, but didn't manage to make it work. Not sure if it's impossible, but yeah.

xray clients can work as a system-wide VPN if you're worried about usability. Just no communication between different machines connected to the same server (probably).

[–] MigratingtoLemmy 1 points 1 year ago

Thanks, I'll take a look

load more comments (2 replies)
load more comments (2 replies)
load more comments (2 replies)