computerscot.github.io

WireGuard + obfuscated UDP using udp2raw

September 17, 2023

This tutorial shows you how to obfuscate WireGuard UDP packets with udp2raw.

Linux server

The examples assume that you are using Ubuntu 22.04 and that you logged in as the root user.

1. Choose a port on which the server will accept input. Choose something other than 51820.

echo $(($RANDOM + 10000))

Our example will be 30199.

2. Open this port (udp/30199 in our example) for UDP input in your server firewall. To keep your server hidden, the WireGuard default port (udp/51820) should be kept closed.

3. Update your server.

apt update && apt upgrade -y

4. Open a browser. Visit https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator. Use the calculator to compute an Allowed IPs list that covers all traffic except your server's public IP address: the udp2raw client's own packets to the server travel outside the tunnel and must not be routed into it.

5. Install WireGuard. When you are asked for the IP address, enter the public IP address of your server. When you are asked for a port number, use 51820. When you are asked for Allowed IPs, enter the line you calculated in step 4. When you are asked for a name for the first client, enter (for example) windows.

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh

6. Visit https://github.com/wangyu-/udp2raw/releases to determine the latest release of udp2raw.

7. Install the latest release of udp2raw:

wget https://github.com/wangyu-/udp2raw/releases/download/20230206.0/udp2raw_binaries.tar.gz
tar -xf udp2raw_binaries.tar.gz
cp udp2raw_amd64 /usr/local/bin/udp2raw

8. Generate a preshared secret for udp2raw:

< /dev/urandom tr -dc 'a-z0-9' | head -c 16; echo

Example:

056y9ohbg6ms0m2t

9. Configure WireGuard to use udp2raw. Edit /etc/wireguard/wg0.conf and add the following settings to its [Interface] section (the -k value is the preshared secret from step 8, and -l uses the port chosen in step 1):

MTU = 1300
PreUp = udp2raw -s --raw-mode udp -l 0.0.0.0:30199 -r 127.0.0.1:51820 -k "056y9ohbg6ms0m2t" -a >/var/log/udp2raw.log 2>&1 &
PostDown = killall udp2raw || true

10. Restart WireGuard with the revised configuration:

systemctl restart wg-quick@wg0

11. This is the end of the server work for now. udp2raw is listening on udp/30199. Behind udp2raw, WireGuard is listening on udp/51820 (which need not be open in your server firewall). Exit your SSH session with the server:

exit

Windows client

Our client in this tutorial runs Windows.

1. Install the WireGuard for Windows client from https://www.wireguard.com/install. For Windows you get an installer named wireguard-installer.exe, which you must run to install the Windows WireGuard GUI client. Initially no tunnels are defined in the GUI client.

2. Download the WireGuard client configuration file that you generated on the server. Open PowerShell. Replace YOUR.SERVER.IP.ADDRESS by your server IP address:

scp root@YOUR.SERVER.IP.ADDRESS:wg0-client-windows.conf Downloads

3. Visit https://github.com/wangyu-/udp2raw-multiplatform/releases to determine the latest release of udp2raw. Download the most recent udp2raw_mp_binaries.tar.gz. Use 7-Zip to extract udp2raw_mp_binaries.tar. Extract the folder udp2raw_mp_binaries. To make it easier to find, copy udp2raw_mp.exe up to your main Downloads folder.

4. Open a new Command Prompt window. Issue the commands below, using the same preshared secret as on the server, and leave the window open: the udp2raw client must keep running for as long as the tunnel is in use.

cd Downloads
.\udp2raw_mp.exe -c --raw-mode udp -l 127.0.0.1:51820 -r YOUR.SERVER.IP.ADDRESS:30199 -k "056y9ohbg6ms0m2t"

5. Make some final changes to the downloaded client configuration (wg0-client-windows.conf). In the [Peer] section, change the Endpoint line so that the WireGuard client talks to localhost, which is where the udp2raw client is listening:

Endpoint = 127.0.0.1:51820

6. Also add a line to the [Interface] section:

MTU = 1300
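As an added example (not part of the original tutorial), the following Python script applies the client-side edits of steps 5 and 6 to the downloaded configuration and also checks the AllowedIPs line from step 4: if the server's own address is still covered, the udp2raw client's packets to the server would be routed into the tunnel and the tunnel could never come up. The sample configuration, its placeholder keys and the address 203.0.113.10 are constructed; the real file is wg0-client-windows.conf in Downloads.

```python
import ipaddress

# Constructed sample of a generated client config (placeholder keys, not real ones).
SAMPLE_CLIENT_CONF = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.66.66.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""


def rewrite_client_conf(conf, server_ip, local_port=51820, mtu=1300):
    """Point the client at the local udp2raw listener and set the MTU.

    Returns (new_conf, warnings). A warning is added when AllowedIPs still
    covers server_ip, because udp2raw's own traffic to the server would then
    be sent into the tunnel (a routing loop).
    """
    out, warnings, section = [], [], None
    server = ipaddress.ip_address(server_ip)
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            out.append(line)
            if section == "Interface":
                out.append(f"MTU = {mtu}")  # inserted right under the header
            continue
        if "=" in stripped and not stripped.startswith("#"):
            key, value = (part.strip() for part in stripped.split("=", 1))
            if section == "Interface" and key == "MTU":
                continue  # drop any pre-existing MTU so only ours remains
            if section == "Peer" and key == "Endpoint":
                out.append(f"Endpoint = 127.0.0.1:{local_port}")
                continue
            if section == "Peer" and key == "AllowedIPs":
                for cidr in value.split(","):
                    if server in ipaddress.ip_network(cidr.strip(), strict=False):
                        warnings.append(f"AllowedIPs {cidr.strip()} covers {server_ip}")
        out.append(line)
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    text, problems = rewrite_client_conf(SAMPLE_CLIENT_CONF, "203.0.113.10")
    print(text)
    for problem in problems:
        print("WARNING:", problem)
```

Running the script a second time over its own output leaves the file unchanged, so it is safe to re-run after editing.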

7. Now import the amended tunnel configuration into your WireGuard GUI client.

8. Press Edit and manually uncheck the box that blocks untunneled traffic (kill-switch). With that box checked, Windows would drop the udp2raw client's packets to the server, which must travel outside the tunnel.

9. In the WireGuard GUI client, activate the tunnel.

10. Open a browser and test your connection.