I live in a country where wireguard, openvpn and other vpn protocols have been blocked. Tailscale and Cloudflare Tunnels don’t wok either. I do have a public ip and my router supports DMZ and port forwarding. For security concerns I’m not willing to forward ports. Is there any other method to use my VPS to forward traffic to my home server?
Does ssh works? If yes, you can use
autossh
to create persistent ssh tunnel to your VPS.Yeah SSH still works. Thanks for the suggestion.
autossh
That’s what I’ve been doing for the last 7 months. Works perfectly !
I think your best bet is try to use OpenVPN via TCP over port 80 or 443. You could also try setting up an SSH VPN tunnel.
That used to work but it doesn’t anymore. Openvpn over cloak still works apparently. I’ll give it a try.
I’m surprised they block WireGuard, especially with a preshared key. That makes it essentially pure randomness over UDP. I’d assume they block popular VPN providers and tunneling services which makes it easier to block by blocking the setup process which is usually just HTTPS.
Have you tried a basic plain WireGuard between your home and your VPS, with a preshared key and using some other protocol’s port? Maybe like UDP on port 443 so it looks like QUIC?
I haven’t tried this. Will do. When wireguard still worked i used to use this script to set it up.
Quick glance at the script shows it does randomize the port (but in the upper end of the space), but does not do preshared keys.
The PSK can hide the protocol better by not looking like a key handshake. Although I’m not sure ISPs have quite reached that level yet.
If you’re in China, there’s been some recent research showing that they block things that looks encrypted based on the entropy of the bits in a packet. I couldn’t find the bypass software anymore but that might help you as well.
If you’re not in China something like the XRay/v2ray proxy or shadowsocks might help as well.
Although honestly, port forwarding with a firewall only allowing your VPS IP should honestly be fairly sufficient security-wise. You could also try inverting the WireGuard connection and have the VPS connect to your home through port forwarding, traffic analysis is usually on egress not ingress.
Wireguard is not meant to bypass detection of any kind of Deep Packet Inspection technology. It’s also stated by the project website, under the Known Limitations sections.
https://www.wireguard.com/known-limitations/
There are many characteristics (except the handshake) which can make it stand out as a P2P or VPN(-ish) traffic, and then get blocked.
Some time ago I’ve done a “public IP implementation” on my VPS when I was on mobile network (no public IP).
Basically set up IPSec/Wireguard on VPS and connect your router to it. Then setup EoIP over VPN between VPS and your router. Then add EoIP tunnel to your LAN’s bridge in your router.
Then setup all ports forwarding (using iptables) from your VPS to your router on LAN, so if you connect to your VPS using tcp80, it will be simply forwarded (NAT’ed) to your router. Except tcp22, for SSH to your VPS obviously…
And now you have yet another public IP lol.
This is not something you asked, but might give you some ideas.
So that setup effectively gives you an all-ports available connection (except 22) from your mobile device and anything that connects through it, like a laptop? The exit node would be the VPS.
Could I skip the home router and EoIP+VPN directly between mobile and VPS, for instance?
I am in a situation (restrictive firewall on ethernet/wifi, prefer personal mobile connection but it’s cgnat or something equally crap) this could be very useful for me.
Technically like this:
Anyone -tcp80-> vps -tcp80-> router -tcp80-> homeserver.
Exit of homeserver-originated traffic would be your router, not vps. Unless you specify custom routes in your router, then yeah, might be possible.
Also you don’t need EoIP tunnel at all, since it’s all in Layer4.
Might I suggest Fast Reverse Proxy ( https://github.com/fatedier/frp )
It’s a great solution if you don’t have a public IP or can’t/don’t want to open any ports.
I found it super easy to setup and configure. I put caddy in front of the server side for mine to ssl offload there. But you could also route everything down the tunnel it makes and use a local reverse proxy to handle SSL offloading
What is your ultimate goal? Are you trying to host stuff from your home though the VPS? Or are you trying to use the VPS as an internet connection? Or something else.
I would follow the other comments first try OpenVPN over 80 or 443 or SSL.
If your just interested is using the VPS’s internet at home you could look at a hosting an internet proxy from the VPS. I think that would be all HTTPs traffic so it would just look like normal web traffic to the outside world and be hard to detect. Although it would limit your traffic to just HTTP traffic.
If your just trying to access your network remotely though the VPS. Depending on what kind of access you need. You could look at something like hosting Meshcentral on your VPS. It is mostly for remote controlling computers so you could access your network via a local computer or you could look at a feature called meshcentral router.
You can install that on a laptop and then used that to remote port to a local port on your laptop.
My goal is to be able to access local services running in a NUC at home. Currently it’s Jellyfin and i plan to set up Immich too for backing up photos.
I currently use Xray/Shadowsocks on the same vos to bypass the censorship, but they are proxies not VPNs.
Never heard of meshcentral, will have a look at documentation. Thanks.
A ssh tunnel probably is your best option
I think so as well and it is sad that that the OP has to be in a place where internet is so heavily censored.
My country also block VPN.
The solution that always worked for me is using OpenVPN with static key configuration. https://openvpn.net/community-resources/static-key-mini-howto/
Never heard of this. Thanks.
Try harder.
But no actually try a different vpn on a port like https or something up like a Skype call port
It’s not about port numbers anymore. Their firewall even blocks normal https traffic when huge amount of data is being sent/received. They are getting smarter at guessing if the traffic is normal or it’s a vpn.
So they’re scanning destinations. If they look like a vpn then they squash you. Very ccp of them
I have no idea how to set it up but you’re looking for is v2ray and shadow socks
They are what I use but they’re proxies not VPNs. Not sure they work for tunneling traffic from vps to home.
If you live in a country with the regular vpn protocols being blocked, you will need to be more specific with a vpn that obfuscates the network connection. Something like Astril or expressvpn will both have tunnel obfuscation. At that point it’s less about hiding your activity, and more about gaining access to other sites because I wouldn’t vouch for the privacy on those two vpns.
ExpressVPN used to work but it got blocked too. I need a personal VPN solution to host on my own server. Currently we use Xray/V2ray to access restricted websites but they’re proxies, not proper VPNs.
Express has been shit since forever.
I’m assuming you’re in China? Astrill is using a proprietary vpn protocol and hardly ever has downtimes (use the stealth mode or install it on the router directly).
As godless has stated, and I was also using astril when I was in China. For a personal option, I am not aware of a personal vpn that also includes obfuscation and is not using blocked vpn technologies/techniques.
Maybe you can give Outline a try. It is based on shadowsocks a proxy tunnel with enough obfuscation to fly even under the radar of the GFW of Communist China.
SSH is an obvious thing to try, but I suppose it may get cut off by the same DPI.
Possibly, ShadowSocks or obfs4proxy might be of some help? E.g. you can wrap Wireguard traffic in ShadowSocks (AFAIK it supports UDP).
SSH still works but I need to learn to set up a persistent , resilient tunnel. Just found this guide in using Wireguard over shadowsocks: https://errande.com/2021/07/obfuscate-wireguard/
Using OpenVPN will force you to open ports and do NAT on your local network.
I would suggest to install Tailscale… And you will never use anything else.
Lot me know how it goes!
Please re-read the original post re: tailscale.
Yup, Tailscale is perfect for that…
Tailscale works on WireGuard. WireGuard is blocked in OP’s nation. Tailscale does not work in his country.