this post was submitted on 13 Sep 2025
43 points (100.0% liked)

Privacy

2487 readers
541 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Ategon@programming.dev
danielintempesta@programming.dev
43
Introducing QUIC Obfuscation for WireGuard (mullvad.net)
submitted 3 days ago by Blaze@lemmy.zip to c/privacy@programming.dev
10 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] who@feddit.org 3 points 3 days ago (2 children)

The announcement explains the benefit, near the bottom of the page:

What we call QUIC obfuscation builds on the MASQUE protocol described by RFC 9298 - Proxying UDP in HTTP. As the title of the RFC implies, QUIC obfuscation works by tunneling UDP through an HTTP server acting as a proxy. For a censor looking at the traffic being sent between a client and server, the traffic will appear as web traffic. HTTP is generally not blocked by state-level censors, since much of the internet would be unreachable without it.

[–] doritoshave9sides@lemmy.world 2 points 1 day ago

Oh yea. I am sorry but I used reading mode with tts and it cut off the bottom half without me noticing. Thanks for the reply

[–] Nomad -1 points 3 days ago (1 children)

Sad to say, this is not a good solution. Any firewall can be taught to detect this if it's not using https. If it is, this usually requires state approved certificates, so any firewall can just man in the middle. I guess this targets the same gateway astorr bridges. Using big load balancers to shuttle traffic via an unblocked big IP like google toa an app in the google network that acts as a proxy. It works, butt not out of the box sadly.

[–] tenchiken@anarchist.nexus 3 points 2 days ago (1 children)

All the examples in the spec itself are https.

[–] Nomad 2 points 1 day ago (1 children)

I guess that's a magic bullet then... Just ensure you are using a certificate chain that's not issued by a authority inside the country.

[–] tenchiken@anarchist.nexus 2 points 1 day ago

Along that line, I'd be self signing and requiring a specific client cert to allow connection.

But yes absolutely good point