WireGuard and AmneziaWG
WireGuard
WireGuard is the encrypted routing protocol known for its efficiency, slim code case, and low data overhead. NymVPN has chosen it for its Fast Mode to optimize decentralized routing more efficiently than alternatives like OpenVPN or IPSec. Check out Nym’s deep dive into WireGuard to learn what makes it such an optimal protocol.
AmneziaWG
AmneziaWG is a fork of wireguard-go, the official user-space implementation of WireGuard, designed specifically to protect against VPN blocking via Deep Packet Inspection.
By incorporating additional obfuscation techniques to disguise VPN traffic, AmneziaWG allows VPN traffic to blend into the background of internet traffic. AmneziaWG’s ability to mask its VPN traffic provides an additional layer of protection for users who need reliable access to unrestricted internet content without the risk of their VPN connection being blocked or throttled. Importantly, this is all accomplished while retaining WireGuard’s simplified architecture and high performance, ensuring that users continue to benefit from the same speed and efficiency for which WireGuard is well known.
So how do censorship technologies identify and block VPNs, and how does Amnezia help bypass this?
How are VPNs blocked?
Just as metadata is the fodder of online surveillance, it is also what countries and ISPs use to block the use of VPNs to enforce censorship restrictions. Even when the content of our online traffic is encrypted, there is a lot of data that is legible about it: the IP addresses of sender and recipient, timing signatures, connection durations, etc. This metadata can be compiled to track our communications, activities, and personal information over time. IP addresses are also what internet censors use to block access to specific domains.
The same is true when using a VPN: while our personal IP might be hidden behind the VPN proxy server, the public IP address of the VPN company is visibly attached to our traffic. This means that countries or ISPs enforcing censorship measures can identify when people are using known VPN services. Many VPN services are now blacklisted in countries like China, Russia, and India, significantly limiting the tools available for people to access needed information.
Now imagine that you’ve turned to a decentralized VPN like NymVPN for a proxy service that is less easily blocked by surveillance or censorship. Compared to the servers of larger, centralized VPN companies, Nym’s network of independent operators makes it harder to identify the IPs of node operators as part of a VPN network. However, even a decentralized VPN can still be identified through other surveillance techniques beyond blacklisting the IP of the VPN server or censored website. One of these techniques is Deep Packet Inspection.
What is Deep Packet Inspection (DPI)?
DPI is a technique for analyzing network traffic by inspecting data packets as they move through a network. On open or ISP-controlled networks, unencrypted traffic can be read, while VPNs encrypt data to protect it. However, DPI can still recognize VPN protocols by detecting unique packet patterns or “signatures” in the encryption format. This allows networks with strict censorship or filtering policies to identify and block VPN traffic, thus restricting access to these services.
While the WireGuard protocol is renowned for its speed and efficiency, its distinct packet signature can make it vulnerable to such detection and blocking. This is where AmneziaWG comes in.
How does AmneziaWG resist DPI?
As we’ve seen, DPI works by analyzing the metadata of routed traffic to identify the unique signatures of the protocols like WireGuard or OpenVPN used by VPN apps. AmneziaWG implements several techniques to further obscure VPN traffic and avoid detection. Each concerns a piece of metadata in WireGuard traffic that can make it stand out to censorship surveillance.
By strategically modifying packet characteristics during the connection process, AmneziaWG helps mask identifiable signatures, reducing the risk of detection and blocking.
Packet sizes
The first way for DPI surveillance to identify the WireGuard protocol is through the unique sizes of data packets used in the handshake initiation. In encrypted routing, a handshake is simply the step in which parties in an encrypted exchange establish a secure connection in order to exchange encryption keys.
With AmneziaWG, decoy or “junk” packets can be sent before the handshake initiation, with both the number and length of these packets configurable. Additionally, decoy bytes can be prepended to both the handshake initiation and response messages, making the connection harder to identify.
The second way to identify WireGuard via DPI is through the unique header type of encrypted packets. By default, WireGuard data packets share the same header format, meaning the encrypted traffic of different users can be identified as using the same encryption protocol.
With AmneziaWG, the four header-type values can also be remapped to alternative values to add further complexity. Effectively, this means that different AmneziaWG have different header values, making it extremely difficult to associate them based on a universal header structure.
While adding decoy packets requires only a client-side change, the remapping of header type values and modifications to the handshake messages require both the client and server to run AmneziaWG with matching configuration settings.
AmneziaWG implementation on NymVPN
For NymVPN, we’ve opted for a client-side implementation of AmneziaWG, which effectively enhances privacy without the need for server-side configuration, offering a streamlined and efficient solution that still provides enhanced protection against detection. This means that with NymVPN, decoy packets are introduced prior to the handshake initiation, however headers are not modified.
How to benefit from AmneziaWG on NymVPN?
It’s simple: download NymVPN, get an anonymous access code, and turn on Fast Mode. AmneziaWG is now the default encrypted routing protocol for all traffic on this mode. So no matter where you are in the world or what you’re looking for, NymVPN makes it so your traffic won’t be easily targeted by censorship technologies.
What’s next for censorship resistance with NymVPN?
AmneziaWG is just the beginning of an extensive research and development project at Nym to provide the most state-of-the-art censorship resistance VPN technology available. Nym will continuously add more features to make connections through NymVPN more secure and resilient against blocking.
