💾 Archived View for jacksonchen666.com › posts › 2023-06-19 › 18-19-32 › index.gmi captured on 2024-08-31 at 11:51:07. Gemini links have been rewritten to link to archived content


The Most Ridiculous Censorship Circumvention Setup: WireGuard over TCP over Yggdrasil

2023-06-19 18:19:32Z (last updated 2023-10-16 08:55:03Z)

Today I figured out a setup that can circumvent censorship on a... certain network.

With full autonomy of my computer, I have figured out how to bypass censorship and also get good speeds at the same time.

The network situation

Here's the situation: There are 2 networks to connect to. One is for users, and one is for guests.

The users' network is *fast*, but also censored. The guest network however, is less censored, allowing use of my WireGuard VPN, but the guest network has its speed artificially capped.

(And yes, I actually use the VPN as intended: Accessing internal stuff not exposed to the internet. Censorship circumvention is also included in the use case but the intended use case exists.)

Yggdrasil network

The Yggdrasil network... needs introduction

It's basically an experimental mesh network thingy. I don't know how else to describe it.

Yggdrasil network website

It's relatively new: at the time of writing it was almost 5 and a half years on from its initial commit.

Initial commit of Yggdrasil

Now, why Yggdrasil? Well, just because.

WireGuard over Yggdrasil

Now, my idea was to run WireGuard over Yggdrasil.

However, there were a few problems:

UDP support for Yggdrasil

So... Now what?

WireGuard over TCP?

On the WireGuard website, there's a page about WireGuard over TCP.

WireGuard over TCP

It suggested 2 solutions: udp2raw or udptunnel.

udp2raw

udptunnel

udp2raw

I tried udp2raw, but I was unable to compile it exactly as intended (I had to run "cmake" on the server and "make mac" on my Mac), and the program would crash with a stack overflow whenever a connection came in. Fun.

Seeing the extreme complications that would come with udp2raw (including extremely confusing source/destination options and *a lot of hints of Chinglish*), I decided to settle on a different one: udptunnel.

Review of udp2raw: It's very complicated and sucked at explaining/being obvious.

udptunnel

udptunnel has no README, no real commit history, not much at all. It does have code, and compiling was just running "make" on both my server and my Mac. I didn't even have to install anything extra to make it work (beyond what I already had installed).

The help info printed by udptunnel explains pretty much everything you need to know, so I won't go into the details. Just run udptunnel on both the server and the Mac and it works.

Review of udptunnel: Lacks a README but has some examples. Also not super complicated. Good if you know what you're doing, otherwise... good luck.

Setting up WireGuard for udptunnel

Now the part I can't exactly show you: modifying my WireGuard configuration so that it doesn't also tunnel the tunnel itself, AKA making the Yggdrasil traffic bypass WireGuard.

This is the part where it gets complicated: I have to exclude some IP addresses from being tunneled by the WireGuard VPN, otherwise the packets carrying the tunnel would be routed back into the tunnel. It's complicated because WireGuard's AllowedIPs only supports including address ranges, not excluding them. So you must write out a list of included ranges that covers everything except the addresses you want excluded.

These are the IP addresses you'll need to exclude:

I used an online tool for this (it's also a blog post, so you can read on): WireGuard Allowed IPs calculator

WireGuard Allowed IPs calculator

Note: the form requires JavaScript and is not client-side, AKA the addresses you enter will be sent to their servers.
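The AllowedIPs computation described above, as an added example that is not code from the post or from the calculator it links: it carves the excluded prefixes out of the default routes locally with Python's ipaddress module, so nothing leaves your machine. The sample exclusions (203.0.113.10 standing in for the Yggdrasil peer's public address, 200::/7 as the Yggdrasil overlay range) are constructed assumptions, not values from the post.

```python
import ipaddress
from typing import Iterable, List

# WireGuard's AllowedIPs can only *include* prefixes, so the default routes
# (0.0.0.0/0 and ::/0) minus the addresses that must stay outside the tunnel
# have to be expanded into an explicit prefix list. Same job as the online
# calculator, done offline.

DEFAULT_BASES = ("0.0.0.0/0", "::/0")

def allowed_ips_excluding(excluded: Iterable[str],
                          bases: Iterable[str] = DEFAULT_BASES) -> List[str]:
    """Return `bases` minus `excluded` as a sorted, minimal list of CIDR strings."""
    remaining = [ipaddress.ip_network(b, strict=False) for b in bases]
    for ex in (ipaddress.ip_network(e, strict=False) for e in excluded):
        carved = []
        for net in remaining:
            if net.version != ex.version or not net.overlaps(ex):
                carved.append(net)                      # untouched by this exclusion
            elif ex.supernet_of(net):
                continue                                # fully excluded: drop it
            else:
                carved.extend(net.address_exclude(ex))  # punch the hole out of net
        remaining = carved
    # collapse_addresses merges adjacent prefixes; it must run per address family
    v4 = ipaddress.collapse_addresses(n for n in remaining if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in remaining if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]

def allowed_ips_line(excluded: Iterable[str],
                     bases: Iterable[str] = DEFAULT_BASES) -> str:
    """The AllowedIPs line to paste into the [Peer] section."""
    return "AllowedIPs = " + ", ".join(allowed_ips_excluding(excluded, bases))

def covered(prefixes: Iterable[str], address: str) -> bool:
    """True if `address` would be routed into the tunnel by `prefixes`."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

if __name__ == "__main__":
    # Constructed values, not from the post: 203.0.113.10 stands in for the
    # public address of the Yggdrasil peer reached over the physical network,
    # and 200::/7 is the Yggdrasil overlay range (so the server's Yggdrasil
    # address that udptunnel talks to is never sent back into WireGuard).
    keep_out = ["203.0.113.10/32", "200::/7"]
    print(allowed_ips_line(keep_out))
```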

WireGuard over TCP, prepared

So now that udptunnel has been prepared along with Yggdrasil and WireGuard, this is where the real connection part begins:

1. Run udptunnel on the server

2. Run udptunnel on the client, pointing it at your server over Yggdrasil (or not, if you'd rather skip Yggdrasil)

3. Point WireGuard's Endpoint at your client-side udptunnel if you haven't already

4. Turn on the WireGuard VPN

And it works! Well, at least for me. For you though, that's up to you to figure out if it works or not.

public inbox (comments and discussions)

public inbox archives

(mailing list etiquette for public inbox)