Running mullvad wireguard UDP over shadowsocks UDP (!) to a obfuscation server one hosts themselves (works now, may be used by advanced users as-is, may serve as base for future official obfuscation tricks)
#5010
Closed
LindaFerum opened this issue
Aug 12, 2023
· 2 comments
Operating system: Debian 10 and 11, "lifehack" and possible feature suggestion
App version: boringtun-cli with wireguard config from mullvad website
Issue description
Not exactly an issue but a trick / lifehack description
I'm operating in a hostile environment and all mullvad bridges and servers are not reachable from here.
BUT Amazon is.
So I decided to host an obfuscator.
BUT of course running a good VPN connection over TCP is unpleasant for a number of famous issues.
Turns out that problem is solvable.
Modern shadowsocks-rust has a "tun device" feature (needs to be built from source) and that allows one to run a wireguard connection to mullvad using vanilla mullvad configs from the site, over UDP (yay!) with about 108 bytes of overhead (kind of boo, I guess, but can't be helped and could be worse).
The technique amounts to following Wireguard's own config page with a very slight tweak - an additional ip rule to direct traffic to shadowsocks's tun device.
My relevant routing tables and rules can be seen here
My mullvad config required only very subtle modification to make it work:
```ini
[Interface]
# Device: some animal name
PrivateKey = not posting it :-)
Address = 10.68.92.182/32,fc00:bbbb:bbbb:bb01::5:5cb5/128
DNS = 10.64.0.1
FwMark = 0x1e59
[Peer]
PublicKey = also removed just in case
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 185.213.154.66:4000
```
Additional tweaks:
```ini
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4,::0/0
```
for LAN access and stuff like that (also might want to add a rule `sudo ip rule add table main suppress_prefixlength 0 priority 1` for that).
For those who can't use wg-quick for some reason, wg-quick-strip can be used to produce a config compatible with the vanilla wg binary.
Some additional setup will be needed for the interface then; for the benefit of readers it looks about like this:
```sh
sudo /home/user/wg setconf wg0 /home/user/mulstrip.conf && sleep 1 && sudo ifconfig wg0 10.68.92.182/32 mtu 1392 && sleep 1 && sudo ifconfig wg0 inet6 add fc00:bbbb:bbbb:bb01::5:5cb5/128
```
One more free trick: if you run your obfuscation server on something like AWS, you can regularly change its IP to avoid it getting blacklisted (AWS has that feature).
I realize it's a long road till anything like that will be in the Mullvad app (shadowsocks-rust is pretty mature though, and the tun feature works very reliably for me even though it's considered "experimental"), so I would appreciate it if this got added to the Mullvad instructions so people in heavily censored areas may get themselves a connection with only a very modest amount of elbow grease.
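A way to check (and regenerate) the split-tunnel AllowedIPs line above, added here as an example and not code from the issue: it carves the prefixes that list leaves out (the three RFC 1918 ranges and 224.0.0.0/3, as read off the list itself) from 0.0.0.0/0 with Python's ipaddress module, and tells you whether a given destination would be routed into the tunnel.

```python
import ipaddress

# Prefixes the issue's AllowedIPs line keeps OUT of the tunnel, read off that
# line: the three RFC 1918 ranges (LAN access) and 224.0.0.0/3 (multicast and
# reserved space). This set is constructed for the example.
EXCLUDED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")

# The IPv4 part of the AllowedIPs line from the issue, as a list of prefixes.
PAGE_ALLOWED_IPS_V4 = [p.strip() for p in (
    "0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, "
    "64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, "
    "172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, "
    "176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, "
    "192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, "
    "194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4").split(",")]


def allowed_ips(excluded=EXCLUDED, reinclude=(), base="0.0.0.0/0"):
    """Minimal CIDR list for `base` minus `excluded`, plus any `reinclude` prefixes.

    Each exclusion is carved out of every network that still contains it;
    collapse_addresses then merges the pieces into the smallest sorted set.
    """
    remaining = [ipaddress.ip_network(base)]
    for ex in map(ipaddress.ip_network, excluded):
        carved = []
        for net in remaining:
            if net == ex or net.subnet_of(ex):
                continue                                # wholly excluded: drop it
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # split around the hole
            else:
                carved.append(net)
        remaining = carved
    remaining.extend(map(ipaddress.ip_network, reinclude))
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def routed_through_tunnel(ip, prefixes=None):
    """True if `ip` falls inside any AllowedIPs prefix (i.e. is sent via wg0)."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in (prefixes or PAGE_ALLOWED_IPS_V4)]
    return any(addr in n for n in nets)


if __name__ == "__main__":
    print("generated list matches the issue's list:", allowed_ips() == PAGE_ALLOWED_IPS_V4)
    for ip in ("8.8.8.8", "192.168.1.10", "10.64.0.1"):
        print(ip, "tunnelled" if routed_through_tunnel(ip) else "bypasses tunnel")
```

One caveat this makes visible: the config's `DNS = 10.64.0.1` sits inside the excluded 10.0.0.0/8, so with the tweaked AllowedIPs line it is not routed through the tunnel unless 10.64.0.1/32 is added back (the `reinclude` argument does that).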
Cool trick. Hope it can help some users. We actually have in the backlog to enable running WireGuard over Shadowsocks. But it's not scheduled yet, can't give you an ETA.
I'm going to close this since the issue itself is not really tracking any feature request in that sense.
Okay, just as a little sidenote: one major benefit of this trick is that, unlike every other obfuscation tool / trick I know of, this one runs on UDP, thus avoiding various TCP-in-TCP gnarliness. Running brilliantly for me so far.