Hi everyone, this is a continuation of my previous post: https://lemmy.world/post/7542500

Tl;Dr: Do Suricata/snort/Security onion have mechanisms to perform DPI if one provides them with a valid certificate? Any other open source software I should be looking at that can do DPI?


Background:

I have been trying to find ways to masquerade Wireguard traffic as normal HTTPS traffic to circumvent blocks by networks which do not like such traffic. It is quite easy to identify Wireguard traffic with a default setup because their method of implementing SSL is different from normal HTTPS, and most packet analysers can pick up that Wireguard traffic is passing through.

With that said, I have come across 3 methods to alleviate this problem:

(before you implement these, make sure to convert Wireguard traffic into TCP using udp2raw or updtunnel and force operations on port 443)

  1. Use stunnel - seems to be a project that has been around for a while. Encrypts data using SSL, makes it look like HTTPS.
  2. Use obfsproxy - created by the TOR project, can be used alongside OpenVPN.
  3. Use wstunnel - refer to this tutorial.

The alternatives are mainly: use OpenVPN (which can use stunnel or obfsproxy) or Softether (which uses SSL for its VPN).


Question:

I would like to test said software in a comparison of their efficacy against firewalls employing DPI. Which is why I'm looking at FOSS which can do DPI. Does anyone do this for their network at home? This will be for private use only, I won't be allowing any external access on my network.

Thanks!


Edit: I realise that this might not be much of a problem for a lot of people, but regardless of whether one is facing this problem or not, I believe it is important to keep abreast of such technology and engage with it to improve one's digital privacy. There is no doubt that such networks exist, and whether one actively engages with them or not is up to the user. In fact, the question is about DPIs, so I'd like to know if anyone has any experience working with FOSS DPIs in their homelab/at work. Thanks!

  • MrPoopyButthole@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    Wireshark is the best FOSS for packet inspection, but you'll have to test the efficacy of your solution on enterprise hardware directly if you'd like to know which ones it works for. You can virtualize many of these FW on Azure cloud for an hour and it won't cost much, but you'd need to know what you're doing.

  • t0m5k1@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    I think you might get part of the way but may still find you get detected. Foss DPI projects will not be able to implement the methods used by say fortinet,sonicwall, f5, juniper, Cisco, a10, and others. This is because they all use proprietary DPI created in house. They're not going to use Foss DPI for obvious reasons, you'll be able to create workarounds for detection and implement that in a bad payload.

    • MigratingtoLemmy@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Thanks. Someone mentioned using a cloud service to rent such DPIs by the hour for some processing, which might be a good idea to start with. I could get a traffic capture of some inconsequential traffic using these protocols and then upload to said services maybe. Thanks again

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

    Fewer Letters More Letters
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    SSL Secure Sockets Layer, for transparent encryption
    UDP User Datagram Protocol, for real-time communications
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    5 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.

    [Thread #255 for this sub, first seen 31st Oct 2023, 20:00] [FAQ] [Full list] [Contact] [Source code]

    • MigratingtoLemmy@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thank you, I didn't know much about this project before. How does it compare to the usual IPSec, OpenVPN, Softether and Wireguard?

      • i_uuuh_what@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        To be honest, I'm also not that knowledgeable about it even though I do have it running on a VPS. And can't say I'm too knowledgeable about networking/VPNs either - I do use Wireguard which I also manage, but that's about it.

        So, some bulletpoints instead:

        • It's kinda a pain to set up
        • It's default server configuration logs all requests, so you might want to disable this
        • As far as I understand, it's more of a proxy than a VPN, so you won't be able to make connections from one client to another
        • It mimics standard HTTPS
        • When using the "reality" protocol it successfuly mimics any website of your choosing for any unauthenticated clients by forwarding HTTPS certificates and whatnot, which protects you from active probing
        • People use it to get around the Great Firewall of China
        • MigratingtoLemmy@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Thanks for the note. Good to know that it is more like a proxy which simulates SSL: makes it similar to stunnel. I will likely have to run a VPN protocol underneath with this on top.

          Funny, I heard obfsproxy is used to circumvent the Chinese firewall too. I'll have to take a look, thanks

          • i_uuuh_what@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Yeah, no problem.

            I did try wrapping Wireguard inside of xray, but didn't manage to make it work. Not sure if it's impossible, but yeah.

            xray clients can work as a system-wide VPN if you're worried about usability. Just no communication between different machines connected to the same server (probably).

          • moonpiedumplings@programming.dev
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            I heard obfsproxy

            Yeah, tor obs4 bridges.

            But somehow, my high school managed to block those. My high school was literally more locked down than the great firewall of China.

            I set up: https://github.com/cognetwork-dev/Metallic

            At first, then I eventually switched to https://github.com/v2ray/v2ray-core as metallic struggled on some things. Both v2ray and xray are built for the great firewall of China, and iirc, they use the same tech.

            It's not too fast though. That privacy comes at a price. This may be the slowest proxy/vpn out there (although it's speedy enough for normal web browsing), whereas wireguard is the fastest. Maybe you want something in between? It depends on your threat model.

            • MigratingtoLemmy@lemmy.worldOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Thank you for the links. I'm amazed at what your school has achieved.

              I will try out v2core and xray - I'll need to search if they have any whitepapers/documentation explaining exactly how these protocols work (at a high-level).

              Thanks again.

    • cybersandwich@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I'm found that airports, airline WiFi, and some hotels will block certain VPNs. But they mostly do it the lazy way by blocking certain ports. If you use a random port it usually works. Or they'll just straight block UDP.

    • MigratingtoLemmy@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Not necessarily my ISP, but I have come across networks which do not allow VPN traffic (OpenVPN, Wireguard, maybe even IPSec but I didn't try).