Erquint 0 Posted ... (edited)

I just signed up for a year plan of AirVPN and gave Eddie a try. It isn't able to connect to AirVPN servers for me. And in the protocols tab of Eddie settings — all I found were just a bunch of OpenVPN ports and a few WireGuard ones. I don't need to say ports aren't protocols.

I knew AmneziaWG client would work with AirVPN, but was hoping I could find use for Eddie, especially if split-tunnel routing could be set up more intelligently than the barebones AmneziaWG offers in that department. To give you an idea of routing hoops I was trying to avoid jumping: I'm having to use a self-written script for automatic CIDR-set inversion and input the result into the configs manually… it's a whole chore.

I'm able to connect to AirVPN WireGuard servers using AmneziaWG client by manually enriching the configs generated with the `i1` parameter set to a binary string I had to find myself — one that slips under the DPI radar. Here's a page about AmneziaVPN, but which illustrates how a suitable binary string may be acquired: https://docs.amnezia.org/documentation/instructions/new-amneziawg-selfhosted/

I'm in Russia on Windows and Android. A poweruser and a coder when it comes to PC. Know my way around GNU/Linux and WSL when needed too.

AmneziaWG 1.5 protocol extends WireGuard with CPS among other client-side obfuscation methods and presents a necessary technique of VPN connection restriction circumvention in Russia. Basic feature documentation here: https://docs.amnezia.org/documentation/amnezia-wg/#how-it-works

CPS is fully compatible with any ol' WireGuard server due to inherent noise filtering WG is built on and basically only concerns establishment of a persistent connection. The DPI systems deployed over here are only capable of interrogating and filtering traffic of establishing connections to decide whether the outbound port opening by ISP will be permitted.
My ISP already won't let through connections to WireGuard endpoints that are performed without CPS and I'm sure many other ISPs block them as well, judging by rapid CPS adoption observed being reported on Russian Internet censorship circumvention forums. Used to be that `j` parameters would be enough to get around DPI packet filtering. Now pretty much nothing aside from the `i` parameter helps in AmneziaWG client.

To be clear before I proceed, I'd like to call attention to the following all being distinct entities not to be confused with each other, despite overlapping titling convention:

- AmneziaWG protocol extending WireGuard protocol mainly to inject junk that bedazzles active DPI systems in the middle. This is the topic here.
- AmneziaWG software forked openly from WireGuard client sources, implementing the above with its own version numbers not shared with the upstream or either protocol.
- AmneziaVPN service hosted commercially.
- AmneziaVPN software sorta implementing both but mainly geared as a client to the service.

Now here's the pickle… Technical protocol specification documentation for AmneziaWG 1.5, including CPS, is somewhat scant. No committee, just scrambling for the arms race. It's probably better to check reference implementations.

IIRC, this commit implements `i#` parameters, where `#` is a digit: https://github.com/amnezia-vpn/amneziawg-go/commit/c20789848019fb494dbe9d280eb246f29b95ab85

WG Tunnel is an independent FOSS Android implementation of AmneziaWG 1.5 CPS in a config-compatible manner to AmneziaWG client: https://github.com/wgtunnel/wgtunnel

I'm also aware of another implementation in a commercial WireGuard client titled WireSock Secure Connect Beta that derives those binaries procedurally, which makes it not directly config-compatible, but that is off topic at the moment.

With everything above in mind, it does not seem like Eddie is going to be usable in Russia until AmneziaWG 1.5 CPS is implemented.
So here's me asking if Eddie could support AmneziaWG 1.5 CPS client extension to the WireGuard protocol.

And to be thorough in avoiding confusion, in case my initial statement is lost in the post, I want to repeat… No modifications are needed to AirVPN's WireGuard servers in order to implement this — CPS is client-side handshake obfuscation that WireGuard's built-in noise filtering inherently ignores.
Staff 10398 Posted ...

10 hours ago, Erquint said:

> With everything above in mind, it does not seem like Eddie is going to be usable in Russia until AmneziaWG 1.5 CPS is implemented. So here's me asking if Eddie could support AmneziaWG 1.5 CPS client extension to the WireGuard protocol.

Hello!

We're glad to inform you that AmneziaWG support has been implemented in Eddie Android edition 4.0.0 beta 1 and it will be progressively implemented in all the other AirVPN software. https://airvpn.org/forums/topic/77633-eddie-android-edition-400-preview-available/

Eddie Android edition public beta testing is going very well and the development team is optimistic about a near future release.

10 hours ago, Erquint said:

> No modifications are needed to AirVPN's WireGuard servers in order to implement this — CPS is client-side handshake obfuscation that WireGuard's built-in noise filtering inherently ignores.

This is only partially true. When you use CPS on your side and you connect to a WireGuard based server, demultiplexers will identify the traffic according to the CPS settings (QUIC, DNS...) only initially. They will soon be able to detect the traffic as WireGuard traffic. With DNS mimicking this happens just after the handshake, while with QUIC the inspection tools need much more time. We can confirm the above after several experimental tests we repeatedly performed with deep packet inspection.

Anyway, QUIC mimicking is effective and actually it can nowadays bypass in about 100% of the cases the blocks in both Russia and China. But we have planned to support Amnezia on the server side too, because the current method is anyway not so strong in the long run. When we have Amnezia on the server side too, no tool is able to ever identify the traffic as WireGuard traffic: it remains indefinitely identified as QUIC. Currently we are still in a testing phase, but the outcome so far is very promising.

Stay tuned!

Kind regards
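The behaviour Staff describes, where a flow is first labelled by its decoy packet and later re-identified as WireGuard, sketched as an added example (not code from AirVPN, Amnezia or either poster). It assumes that with an unmodified server the packets after the decoy keep stock WireGuard framing; the labels, `wg_threshold` and the zero-filled sample flow are hypothetical and constructed here.

```python
import struct

# WireGuard framing: 1-byte type + 3 reserved zero bytes, i.e. a little-endian
# u32 in 1..4. Types 1-3 have one exact datagram length each.
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}   # initiation, response, cookie reply
WG_NAMES = {1: "wg-initiation", 2: "wg-response", 3: "wg-cookie", 4: "wg-data"}


def classify_datagram(payload: bytes) -> str:
    """Label one UDP payload by its framing alone (no decryption involved)."""
    if len(payload) >= 32:
        (msg_type,) = struct.unpack_from("<I", payload)
        if WG_FIXED_LEN.get(msg_type) == len(payload):
            return WG_NAMES[msg_type]
        # Transport data: 16-byte header + padded ciphertext + 16-byte tag.
        if msg_type == 4 and len(payload) % 16 == 0:
            return WG_NAMES[4]
    # QUIC v1 long header: form bit and fixed bit set, then version 0x00000001.
    if len(payload) >= 5 and payload[0] & 0xC0 == 0xC0 and payload[1:5] == b"\x00\x00\x00\x01":
        return "quic-like"
    return "other"


def flow_verdicts(datagrams, wg_threshold=2):
    """Running verdict per datagram: the first packet's label sticks until
    wg_threshold datagrams with WireGuard framing have been seen."""
    verdicts, wg_hits, first_label = [], 0, None
    for payload in datagrams:
        label = classify_datagram(payload)
        if first_label is None:
            first_label = label
        if label.startswith("wg-"):
            wg_hits += 1
        verdicts.append("wireguard" if wg_hits >= wg_threshold else first_label)
    return verdicts


def sample_flow():
    """Constructed flow (zero-filled bodies, not captured traffic): one decoy
    shaped like a QUIC Initial, then WireGuard messages with stock framing."""
    decoy = b"\xc3\x00\x00\x00\x01" + bytes(1195)
    initiation = struct.pack("<I", 1) + bytes(144)
    response = struct.pack("<I", 2) + bytes(88)
    keepalive = struct.pack("<I", 4) + bytes(28)
    data = struct.pack("<I", 4) + bytes(92)
    return [decoy, initiation, response, keepalive, data]


if __name__ == "__main__":
    for payload, verdict in zip(sample_flow(), flow_verdicts(sample_flow())):
        print(f"{len(payload):5d} bytes  {classify_datagram(payload):14s} -> {verdict}")
```

The verdict changes on the third datagram because the type field and message lengths after the decoy are unchanged, which is the part that server-side support would be needed to alter.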