-- Leo's gemini proxy
-- Connecting to jacksonchen666.com:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini;lang=en
2023-06-19 18:19:32Z (last updated 2023-10-16 08:55:03Z)
Today I figured out a setup that can circumvent censorship on a... certain network.
With full autonomy of my computer, I have figured out how to bypass censorship and also get good speeds at the same time.
Here's the situation: There are 2 networks to connect to. One is for users, and one is for guests.
The users' network is *fast*, but also censored. The guest network however, is less censored, allowing use of my WireGuard VPN, but the guest network has its speed artificially capped.
(And yes, I actually use the VPN as intended: Accessing internal stuff not exposed to the internet. Censorship circumvention is also included in the use case but the intended use case exists.)
The Yggdrasil network... needs introduction
It's basically an experimental mesh network thingy. I don't know how else to describe it.
It's relatively new, being almost 5 and a half years old since its initial commit
Now, why Yggdrasil? Well, just because.
Now, my ideas was to run WireGuard over Yggdrasil.
However, there were a few problems:
There is no UDP support on Yggdrasil anymore, only TCP
WireGuard does not run over TCP, only UDP
So... Now what?
On the WireGuard website, there's a page about WireGuard over TCP.
It suggested 2 solutions: udp2raw or udptunnel.
I tried udp2raw, but I was unable to exactly compile as intended (I had to do "cmake" on server and "make mac" on my Mac) and the program would crash with a stack overflow when a connection happens. Fun.
Seeing the extreme complications that would come with udp2raw (including extremely confusing source destinations whatever and *a lot of hints of Chinglish*), I decided to settle with a different one: udptunnel.
Review of udp2raw: It's very complicated and sucked at explaining/being obvious.
With udptunnel, it has no README, no real commit history, not much. It does have code, and compiling was just running "make" on both my server and my Mac. I didn't even have to install anything to make it work (except for whatever I already had installed).
The help info printed by udptunnel explains pretty much everything you need to know, so I won't go into the details. Just run udptunnel on both the server and the Mac and it works.
Review of udptunnel: Lacks a README but has some examples. Also not super complicated. Good if you know what you're doing, otherwise... good luck.
Now the part I can't exactly show you: Modifying my WireGuard configuration to not also tunnel the tunnel AKA bypassing WireGuard for Yggdrasil.
This is the part where it gets complicated: I have to exclude some IP addresses from being tunneled by the WireGuard VPN. It's complicated because WireGuard doesn't support excluding, only including. So you must make inclusions without the exclusions.
These are the IP address you'll need to exclude are:
All peers specified in your yggdrasil config
The destination IP address in yggdrasil AKA the server you're connecting to
Your IP address in yggdrasil
I used an online tool for this (It's also a blog post so you can read on): WireGuard Allowed IPs calculator
Note: Form requires JavaScript, not client-sided AKA your data will be sent to the servers.
So now that udptunnel has been prepared along with Yggdrasil and WireGuard, this is where the real connection part begins:
1. Run udptunnel on the server
2. Run udptunnel on the client to point to your server over Yggdrasil (or not)
3. Point WireGuard to your client udptunnel if you haven't already
4. Turn on the WireGuard VPN
And it works! Well, at least for me. For you though, that's up to you to figure out if it works or not.
-- Response ended
-- Page fetched on Fri May 10 01:52:50 2024