How am I bypassing school wifi restrictions

I was struggling to connect to my WireGuard VPN server while on the university's Wi-Fi.

I am able to bypass the restrictions on my university's Wi-Fi network by connecting my laptop to my phone's hotspot first, then connecting to a WireGuard VPN, and finally connecting to the school's Wi-Fi and disconnecting from my phone's hotspot. This method has been working for me and I'm curious to know why.

Does anyone have any insights or ideas about why this method might be effective in bypassing the restrictions on my university's Wi-Fi network?

Put your WireGuard server on port 53.

Connect your phone/laptop to your server through this port.

As 53 is usually used by DNS, and it's UDP, it should work. It worked for me at my school (until I told a professor about it… he betrayed me…).

Your uni is blocking the WireGuard handshake process using deep packet inspection. That's how most orgs block WireGuard: it can't discern what kind of traffic is happening after the handshake, so it doesn't block that, but your uni's firewall can certainly tell what a WireGuard handshake is. You're bypassing DPI by handshaking on a different network; it still works after you join the uni network because the handshake is still valid.

This is usually done using libraries of different network behaviours, and WireGuard is lumped in by default because it's included in one of those libraries.
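To make the DPI explanation above concrete, here is an added example written from the detection side; it is not code from the thread, from WireGuard, or from any firewall product. Every WireGuard message starts with a one-byte type followed by three reserved zero bytes, and the three handshake-related messages have fixed sizes (initiation 148 bytes, response 92, cookie reply 64), so a firewall can recognise a handshake from shape alone and drop it before any key exchange completes. Transport data messages carry only a 16-byte header plus AEAD ciphertext padded to a multiple of 16, which is a much weaker signal, and that asymmetry is what the reply describes. The function and packet names below are my own, and the payloads are constructed zero-filled samples (real ones carry keys, MACs and ciphertext).

```python
"""Classify UDP payloads by WireGuard message shape and simulate a firewall rule
that drops only handshake initiations. Added illustration, not code from the thread."""

# Message types and fixed sizes from the WireGuard protocol specification.
HANDSHAKE_INITIATION = 1  # always 148 bytes
HANDSHAKE_RESPONSE = 2    # always 92 bytes
COOKIE_REPLY = 3          # always 64 bytes
TRANSPORT_DATA = 4        # 16-byte header + AEAD ciphertext; total >= 32 and a multiple of 16

FIXED_SIZES = {
    HANDSHAKE_INITIATION: (148, "handshake_initiation"),
    HANDSHAKE_RESPONSE: (92, "handshake_response"),
    COOKIE_REPLY: (64, "cookie_reply"),
}

# Timers from the spec: a session is re-keyed after 120 s and refused after 180 s,
# so initiation messages recur roughly every two minutes for the life of a tunnel.
REKEY_AFTER_TIME = 120
REJECT_AFTER_TIME = 180


def classify(payload: bytes):
    """Return the WireGuard message name this UDP payload matches, or None.

    All four message types start with a one-byte type and three reserved zero
    bytes; the three handshake-related types additionally have fixed lengths.
    """
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_SIZES:
        size, name = FIXED_SIZES[msg_type]
        return name if len(payload) == size else None
    if msg_type == TRANSPORT_DATA and len(payload) >= 32 and len(payload) % 16 == 0:
        return "transport_data"
    return None


def apply_handshake_block(packets):
    """Simulate a firewall rule that drops outbound handshake initiations only.

    `packets` is a list of (direction, payload) tuples; the result is a list of
    (direction, label, verdict). Everything that is not an outbound initiation
    passes, which is why a session negotiated elsewhere keeps flowing here.
    """
    verdicts = []
    for direction, payload in packets:
        label = classify(payload)
        if direction == "out" and label == "handshake_initiation":
            verdicts.append((direction, label, "drop"))
        else:
            verdicts.append((direction, label or "unknown", "pass"))
    return verdicts


def build_sample_packets():
    """Constructed sample payloads (zero-filled bodies; real ones carry keys and MACs)."""
    initiation = bytes([HANDSHAKE_INITIATION, 0, 0, 0]) + bytes(144)  # 148 bytes
    response = bytes([HANDSHAKE_RESPONSE, 0, 0, 0]) + bytes(88)       # 92 bytes
    keepalive = bytes([TRANSPORT_DATA, 0, 0, 0]) + bytes(28)          # empty payload, 32 bytes
    data = bytes([TRANSPORT_DATA, 0, 0, 0]) + bytes(1420)             # 1424 bytes, multiple of 16
    # A constructed DNS query for example.com: type byte 0x12 matches nothing.
    dns_query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                 b"\x07example\x03com\x00\x00\x01\x00\x01")
    return [
        ("out", initiation),
        ("in", response),
        ("out", keepalive),
        ("in", data),
        ("out", dns_query),
    ]


if __name__ == "__main__":
    for direction, label, verdict in apply_handshake_block(build_sample_packets()):
        print(f"{direction:>3} {label:<22} {verdict}")
```

Running the block prints one verdict per sample packet: only the outbound initiation is dropped. Two things a defender should keep in mind: because the spec re-keys after REKEY_AFTER_TIME (120 s) and refuses a session older than REJECT_AFTER_TIME (180 s), the initiation shape recurs throughout a tunnel's life and should show up repeatedly in firewall logs; and because shape matching alone can misfire on an unrelated 148-byte UDP payload that happens to begin with 0x01000000, a production rule normally corroborates the match with flow context rather than dropping on this check alone.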

A simpler answer is that they’re blocking the DNS but you’ve already resolved that via the hotspot connection.

I'll try and give it a shot:

A lot of uni or school networks deny UDP traffic, therefore you cannot establish a direct connection.

The rule is limited to initiating a connection, but does not apply to "active" or established connections.

Since your wg interface has the state established/waiting and not initializing, the switch of networks is just an interruption or packet loss. It just sends the next keepalive from a new (external) IP and the server back home acknowledges and adapts to it.

So you bypass the restriction on initializing by switching networks…

Maybe, maybe not, but I think it could be plausible.

I'm doing something similar in my favorite bakery chain. I also think they are blocking UDP, and also TCP except on 443, 80 and 56.

I am having unrelated issues with my WireGuard setup so I can’t test it just yet, but my best bet so far seems to be to use a program called udp2raw to mimic TCP on port 443.

I also tried two different programs called udptunnel, but their network implementation conflicted with WireGuard's, and performance tunneling over real TCP is appalling.

How can I bypass my work Wi-Fi?

Apologies for a basic question - but is it possible to activate the phone’s wifi hotspot as it is connected to a wifi network?

Simply use v2ray for that.

Any updates on this? My school just updated their filters and I can no longer use OpenVPN on 443 (TCP). I've installed WireGuard and have the same problem with the initial connection. If I use cellular data to connect and then turn on Wi-Fi, it keeps my VPN connection alive, but I can't initiate WireGuard on the Wi-Fi.

I have a perfect solution, if anyone was wondering: it's just a click in the Windows settings for the Wi-Fi of your choice, in your case the school Wi-Fi. While you have access to the network, resetting the Wi-Fi dropdown menu (by turning Wi-Fi on and off) lets you effectively walk through the barrier!

What the hell, your professor snitched? Boo!

Employees are usually ethically (and sometimes legally) obligated to report it to the CISO.

Doesn’t Wireguard re-handshake quite frequently? Wouldn’t those later handshakes be blocked as well?

So finding the IP address and then hardcoding that would probably work too.

It's standard practice to block WireGuard: block the initial handshake packet. Someone already posted that here.
Here is a link for more details: link

The laptop is running Linux Mint and the phone is just running stock Android.

wg0.conf file in the docker container:

```
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = *redacted*
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer4
PublicKey = *redacted*
PresharedKey = *redacted*
AllowedIPs = 10.13.13.5/32
```

wg0.conf file on the Linux Mint laptop:

```
[Interface]
# key must be spelled "Address"; wg-quick rejects "Adress"
Address = 10.13.13.5
PrivateKey = *redacted*
ListenPort = 51820
DNS = 8.8.8.8

[Peer]
PublicKey = *redacted*
PresharedKey = *redacted*
Endpoint = notthedomain.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
```

It worked!

Server config. This is a VPS under my control somewhere on the Internet.

33.33.33.33 represents the public IP address of that server. 12345 represents the WireGuard listen port on the server. 6789 represents the local tunnel listen port on my laptop. 443 is the UDP tunnel listen port on the server; this is probably the one most likely to be successful, but you can change it.

```
# /etc/wireguard/wg.conf
[Interface]
Address = 10.0.0.1/24
SaveConfig = false
ListenPort = 12345
PrivateKey = my/server/private/key

[Peer]
PublicKey = my/client/public/key
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
```

```
# /etc/systemd/system/udp2raw.service
[Unit]
Description=udp2raw
After=syslog.target network.target

[Service]
Type=simple
User=root
ExecStart=udp2raw_amd64_hw_aes -s -l 33.33.33.33:443 -r 127.0.0.1:12345 -k "my-chosen-udp2raw-password" --raw-mode faketcp -a
Restart=always

[Install]
WantedBy=multi-user.target
```

Client config. This is my laptop, behind the restrictive firewall.

```
[Interface]
# PublicKey EpyiSn2pYFTvE8AyIeRtdj4BW1oRcRr36WdAatSE028=
PrivateKey = my/laptop/private/key
Address = 10.0.0.2/24
SaveConfig = false
MTU = 1300

[Peer]
# the server's public key (not its private key) goes here
PublicKey = my/server/public/key
# points at the local udp2raw client listener, not at the server directly
Endpoint = 127.0.0.1:6789

# calculated here https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/, enter all except 33.33.33.33
AllowedIPs = long.list.of.addresses.from.calculator.above

PersistentKeepalive = 25
```

```
# /etc/systemd/system/udp2raw.service
[Unit]
Description=udp2raw
After=syslog.target network.target

[Service]
Type=simple
User=root
# -k must match the password configured on the server side
ExecStart=udp2raw_amd64_hw_aes -c -l 127.0.0.1:6789 -r 33.33.33.33:443 -k "my-chosen-udp2raw-password" --raw-mode faketcp -a
Restart=always

[Install]
WantedBy=multi-user.target
```

Debugging: get output by running these on the client and on the server:

```
# monitor udp2raw output
journalctl -u udp2raw -f

# enable wireguard debug output
echo "module wireguard +p" | sudo tee /sys/kernel/debug/dynamic_debug/control

# monitor wireguard debug output
sudo dmesg -wT
```

After debugging:

```
# disable wireguard debug output
echo "module wireguard -p" | sudo tee /sys/kernel/debug/dynamic_debug/control
```

I was connected to my phone's hotspot via Bluetooth while connecting to the uni's Wi-Fi.

I suspect DNS resolution. My organization will often resolve suspicious domains to an IP address of a “blocked for your safety” page.