Hi FW peeps. I’m living in a region where we soon may see an extensive government firewall. Obviously, a VPN would be the tool of choice to circumvent it, but OpenVPN and WireGuard seem pretty easy to block, so I was wondering whether it is possible to have ALL Firewalla traffic sent over an HTTPS proxy, masked as SSL traffic, first, including the VPN traffic, to bypass the restrictions.
Does anyone have experience doing this, or can anyone give me pointers on how to set this up?
Thanks a lot!
You might also consider Tor over a proxy. There are people who run Snowflake proxies to serve people in your situation.
It might suit your requirements, but have you looked at Tailscale?
I believe if the UDP direct-connect NAT traversal is blocked, it will use HTTPS via a DERP relay on TCP 443.
I use it to link with remote networks and run the Tailscale agent directly on my Firewalla Gold. It works like a treat.
I believe you can probably configure it to do what I think you need.
All the Tailscale plans are free for up to 3 users, and in theory you probably don’t need the zero-trust aspect for multiple users.
Alternatively, you might be able to rent a small VPS somewhere else (OVH has unlimited-bandwidth options) and set up a WireGuard server listening on port 443. Then configure the Firewalla as a WireGuard client (third-party site-to-site VPN).
Thanks, but I’m looking to hide VPN traffic for all devices and all traffic. My Firewalla makes the VPN connection for all traffic, so all VPN traffic has to go over the proxy.
Maybe I should ask u/firewalla to add a proxy option and allow all VPN traffic over the proxy to achieve this.
Otherwise, I guess I would need to map the iptables?
Thanks, will look into these, but it is my understanding that VPN traffic, and especially WireGuard traffic, is very, very easy to recognise no matter the port used, and this can be blocked.
This is why people ‘hide VPN’ by using a proxy to make it look as if it is HTTPS traffic and not VPN traffic. However, based on u/Firewalla’s answer in this thread, I think it may be even more difficult, unfortunately.
But will look into the vps option, that sounds interesting.
What you need is to hide VPN traffic within the HTTPS protocol and elude detection … This is both an art and a science. Before the pandemic, another startup offered to license their code to us, but the price was too high and not many of our customers need it, so we passed.
Thanks for your answer. So the trick is different from simply sending all traffic (including VPN traffic) over an HTTPS SOCKS5 proxy? I realise that the shadowsocks project on GitHub used to be very popular in some regions where extensive internet blocking exists. Or would deep packet inspection still reveal that the traffic is really VPN?
In areas with extensive internet filtering, one can access all the global websites when going to American-originating hotels, where there seem to be no blocks, presumably because they proxy to their own servers. You can use a VPN as well and it works. Hence my thought to use OpenVPN over SOCKS5.
I do have a VPN service that can do it on a single device (KeepSolid VPN Unlimited, a Ukrainian company) using a protocol called Wise, which runs OpenVPN over TCP 443, hiding VPN traffic as HTTPS traffic. But sadly I can’t use this for all devices by implementing it on Firewalla.
Appreciate your thoughts
The solution is likely something shadowsocks has been doing … the startup that approached us had a ‘better’ way. They wanted a per-box license, and we can’t afford it.
Any chance u/firewalla would consider implementing shadowsocks by default on the device, with a choice of which traffic to route over it?
There should be a feature request already here somewhere: https://help.firewalla.com/hc/en-us/community/topics/115000356994-Feature-Requests-
So far, only select / regional users need this, so interest is very low. But if people are willing to pay for it, we can contact that startup again (I think they are still there) and see if they want to do something with us … but likely it won’t happen, since the user base needing this is still too small for them to spend time on it.
Sorry for the belated reply. I added shadowsocks as a feature request.
I was reading into the options, and shadowsocks seems to be the open-source option available. I guess the company offering another solution may be using SSH tunnelling?
Shadowsocks should do the trick though, and is likely cheaper to implement. Users would still need to pay a fee for their own shadowsocks server, or set one up at a friend’s house.
Thanks again!