This has bamboozled me for about a year. I have set up Wireguard on my server and it works beautifully. However, when I first did that, my intention was to bypass school filters as well as other things. To my surprise, the scumbags use DPI and block any attempts to use a VPN. I confirmed it was DPI through research and then using Psiphon 3 (a VPN/proxy combo) to test it and it worked. But Psiphon 3 is very slow so I wanted to have my own setup.
My plan was to use Wireguard (I set it up with pivpn) for encryption but have a proxy be the middle man for interactions between Wireguard clients; that way the use of a VPN cannot be detected via DPI and I can circumvent filters.
For whatever reason, nothing related to proxies ever works. Meaning that I could never connect. I have tried:
Wireguard with Stunnel
Shadowsocks
Wireguard with Tor or whatever the heck it is called.
Now I graduated school a while ago… but I still want to figure out how to do this.
I disabled firewalls, opened all ports, hosted on a VPS instead of personal rigs and still they would never work.
I just want help hosting a VPN (Wireguard or OpenVPN) that can be obfuscated to circumvent DPI.
I prefer Wireguard. All help is appreciated. Sorry if I do not have enough info to help figure out what went wrong but I don’t need to figure out what went wrong. I just want to do it now.
Another interesting thing is that the network does not allow mobile devices by default. However, if you randomize your MAC address and use the proxy/VPN then it would grant you internet access. Not a single person was caught since the software has been distributed.
I’m not at all familiar with VPNs, but I do routinely use SSH tunneling to create proxies. If they don’t block SSH, then you can either use the SOCKS5 proxy directly, or use some sort of setup to route all your traffic through that proxy.
I currently have something set up with redsocks to route local network traffic of specific subnets to the proxy corresponding to that subnet, so I can easily access my local network from anywhere without having to switch on and off a VPN.
If SSH is blocked, I assume there’s a way to set up a SOCKS5 password-protected proxy, then at that point it’s just HTTPS traffic.
I see you have Shadowsocks now working but you don’t say what you have used as obfuscation and that’s really the key here. I can recommend xray (also backwardly compatible with v2ray traffic) and/or Cloak. Routing this via a CDN like Cloudflare will also help as their IP ranges get a lot of traffic anyway so it’s not as big a red flag as all your traffic going to a single residential IP or VPS provider…
An alternative which is less likely to get into trouble with network admins - as it isn’t really bypassing their firewall per se - is to simply stand up a webtop or a web-based remote desktop connection like MeshCentral and browse on ‘that’ desktop inside your browser session. Not only is this normally less looked down upon than deliberately breaking free of network restrictions you may have agreed to in TOS, but it protects the client you’re using from malware etc should you be on a school device. GL.
I got it to work successfully. Ditched Wireguard and successfully launched Shadowsocks. Shadow already supports AES256 so all goods.
A few things, I’m in Australia and the term “scumbag” is actually used pretty playfully, when I say it I do not mean that I actually think those people are bad. Especially since I now work in an IT company and getting my CCNA later this year.
To address your claim of it always being blocked. So far it cannot be, using the same technology as people in China who want to circumvent surveillance and internet censorship. If the CCP cannot block it then I doubt anyone else can. Especially when combining a VPN and obfuscated proxies since they strip the headers that could be used to identify VPN traffic.
P.S School is in a 4G deadzone
P.S.S School found out about the issue since I distributed software that circumvents their blocks, they attempted to block that but were unsuccessful and instead resorted to threatening suspension or worse if they caught students using it. Proxy obfuscation was so effective because it appeared as regular HTTPS traffic and even users who use their own school email and password to get wifi access were never caught cos that web traffic never looked suspicious.
P.S.S.S However, you do seem confident. Maybe set up a Shadowsocks proxy in your own lab environment and see if you can get equipment to flag the traffic as suspicious. Keep in mind that there would be 1000 users connected and all including the few Shadowsocks users will be connecting to either port 80 or 443.
Yes, using a proxy with SSH as the tool to encrypt should work really well assuming that you SSH over the HTTP/S ports. I just got Shadowsocks working which is a proxy that supports encryption and I set it up to use port 443.
Thanks, that’s great advice. Shadowsocks works but I will be experimenting with your recommendations. I don’t think RDP is good since most of the time the RDP port is blocked.
Fair enough but if I am a minor then I cannot even agree to legal documentation or enter into any legal agreement and I don’t think parents or guardians can do that type of argument for me. Or am I missing something?
Crazy what we’re willing to do just to watch YouTube on any wifi network we want