[Feature Request] Add Support For WireGuard Over Shadowsocks (or other obfuscation protocols)

[ProgressiveArchitect]

Currently, there is in-app support for Shadowsocks being used as multi-hop to connect to OpenVPN servers. I'd like to see the same support available when connecting to WireGuard servers.

[faern]

This is blocked on the fact that WireGuard currently can't operate over TCP and Shadowsocks can't really relay UDP. But yes, using bridges with WireGuard connections is surely a desired feature, so it's something we will work on when there is time.

[faern]

Let's keep the issue open. It's something we want to implement. If it's open other people might see it easier and not create duplicate issues.

[maximbaz]

This is blocked on the fact that WireGuard currently can't operate over TCP and Shadowsocks can't really relay UDP

According to the usage page, Shadowsocks does support relaying UDP, see -u (Enable UDP relay) and -U (Enable UDP relay and disable TCP relay).

Does this mean this could potentially be implemented now, or there is more to this?

[PacoBell]

@faern Any comment on the apparent removal of this blocker? I've seen evidence of folks getting this working on their own single VPS instances. Someone just needs to code the backend now to glue it all together.

[ProgressiveArchitect]

@faern It looks like ShadowSocks can be routed over UDP now. So any updates for implementing this on WireGuard?

[faern]

Last time I checked it was not using purely UDP. Even if you enable the UDP relaying it was handshaking over TCP. But that might have changed. Please also note that we use the shadowsocks-rs Rust implementation in this VPN app, so it has to be supported there for us to use it. Changing which Shadowsocks implementation we use would be a bigger task.

[aveao]

A year later, shadowsocks-rs has a "udp_only" mode and it's possible to relay wireguard traffic through it.

So, any updates?

[faern]

We are currently working looking at ways of tunneling WireGuard etc. But we are currently not looking at shadowsocks. Thanks for the update on their UDP only support.

[whywhah]

It's been another year and Wireguard still has no Shadowsocks or other UDP tunneling. Just a reminder that this feature is still pretty much needed.

[faern]

This is being actively worked on. Good timing on your question as we will likely merge the initial support for WireGuard obfuscation very soon.

[ProgressiveArchitect]

@faern I've noticed your language shift from "shadowsocks" to "obfuscation". Does this mean that the Mullvad devs intend to utilize a different obfuscation protocol? If so, which protocol is being looked at as most likely to be implemented with UDP in mind?

[faern]

We shift the language because our obfuscation support is not only for Shadowsocks. We recently merged (#3431) a new "obfuscation engine" or whatever you want to call it, for our WireGuard connections. This is a framework in mullvad-daemon that allows it to connect WireGuard over any proxy implementation that can listen to a localhost UDP port and in some way send that obfuscated over the network.

Currently the only supported protocol is udp-over-tcp. This allows connecting to WireGuard servers using TCP. We supported this before the mentioned PR, but then we modeled it differently internally, now it's classified as an obfuscation protocol instead.

Shadowsocks is likely going to be the next protocol added to this new obfuscation framework of ours. But it's not 100% decided upon yet.

You configure what obfuscation WireGuard should use via the CLI command mullvad obfuscation. This has not been released yet, but if you build from the latest source code you can see this subcommand.

[PragmaTwice]

Hi, any updates here?

I want to try mullvad but I am live in a country where bridge mode is needed in my phone (I know that I can use mullvad with shadowsocks app manually, but it will be more complex than other VPN solutions).

Bridge mode on phone app will hugely facilitate many people like me and make mallvad a more good choice.

[faern]

Hi @PragmaTwice.

WireGuard over TCP has been in the desktop app for a while now. Not yet on mobile, it's in the backlog.
We are also looking at enabling custom proxies for WireGuard for desktop. But nothing on using our own bridges yet. However, this is more at the idea stage than implementation stage so far sadly.

[Pilaton]

Is there any news?

[faern]

Not really. What I can say is that it's being frequently discussed as an anti-censorship measure we want to add. But it's not currently at the top of the pile. So other anti-censorship measures will be implemented during Q3.

[Panuchi]

Any news here?

[Cohenl19]

Hey any updates? It's 2024 and still wondering if there are ways to use Wireguard let's say at a school or library that would otherwise block the VPN connection. I've used shadowsocks before and I liked it, I just wasn't much of a fan of needing to use OpenVPN

[duxsco]

fyi, the release android/2024.5 features Wireguard over Shadowsocks, but doesn't mention whether UDP is used. At least, there are Shadowsocks bridges that run over UDP:

❯ curl -fsS https://api.mullvad.net/app/v1/relays | jq .bridge.shadowsocks
[
  {
    "protocol": "tcp",
    "port": 443,
    "cipher": "aes-256-gcm",
    "password": "mullvad"
  },
  {
    "protocol": "udp",
    "port": 1234,
    "cipher": "aes-256-cfb",
    "password": "mullvad"
  },
  {
    "protocol": "udp",
    "port": 1236,
    "cipher": "aes-256-gcm",
    "password": "mullvad"
  }
]

[duxsco]

Now, I use version 2024.6-beta2 on Linux, and Wireguard with obfuscation via Shadowsocks over UDP works.

[Serock3]

🎉 🥷 WireGuard over Shadowsocks has been released for desktop and Android 🥷 🎉

It's coming to iOS sometime later, I'll close this issue when that happens.