OK, so I’ve been using WireGuard with my pfSense box for about a year now. Things worked great. I did have an issue early on where a place I worked straight up blocked the connect port, but I would just hotspot for the handshake and then switch over to the Wi-Fi. That changed about a month ago.
I’ve currently encountered several places that seem to be using DPI. In my searching I discovered that a lot of people use Shadowsocks to obfuscate the WireGuard packets. Should I just switch to only Shadowsocks? If not, can someone walk me through how I get both working on my pfSense box? I think I would have to use libdev, but I’m not sure.
You’re asking a pretty deep question.
Obfuscating network traffic to evade DPI is neither simple nor a one-click/turnkey proposition while maintaining ownership.
Simplest way is static IP from home and disguising 8080 traffic as HTTPS, but this reveals your destination, and long-lived VPN/VNC traffic is uniquely unique on charts.
I have one that uses 4+ TB/month and is super simple to find by any sysadmin reviewing logs.
A DDNS only sidesteps the initial handshake if you have a dynamic WAN IP; the traffic itself remains.
Be sure to configure HTTPS for your initial handshake and share keys, as the default is HTTP for most implementations of SOCKS5/Shadowsocks, which, if your adversary is running DPI, will deauth and block you from the network on both sides.
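
Added example, not part of the thread or any poster's code: one way an inspection device can recognise unobfuscated WireGuard on any port is the protocol's fixed message header (a type byte, three zero reserved bytes, and fixed handshake sizes of 148, 92 and 64 bytes). The function names, the flow keys and the sample packets below are constructed for illustration.

```python
# Added example: classify UDP payloads by the fixed WireGuard message header.
# Function names and all sample packets are constructed for illustration.

# Message type -> (label, exact length in bytes) for the fixed-size messages.
FIXED = {
    1: ("handshake-initiation", 148),
    2: ("handshake-response", 92),
    3: ("cookie-reply", 64),
}
TRANSPORT_TYPE = 4
TRANSPORT_MIN = 32  # 16-byte header + 16-byte auth tag (an empty keepalive)


def classify_udp_payload(payload: bytes):
    """Return a WireGuard message label, or None if the layout does not match."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # byte 0 is the type, bytes 1-3 are reserved and zero
    msg_type = payload[0]
    if msg_type in FIXED:
        label, size = FIXED[msg_type]
        return label if len(payload) == size else None
    if msg_type == TRANSPORT_TYPE and len(payload) >= TRANSPORT_MIN:
        return "transport-data"
    return None


def flows_with_handshake(packets):
    """packets: (bidirectional flow key, payload) pairs. Return flows with init + response."""
    seen = {}
    for flow_id, payload in packets:
        label = classify_udp_payload(payload)
        if label:
            seen.setdefault(flow_id, set()).add(label)
    return sorted(f for f, labels in seen.items()
                  if {"handshake-initiation", "handshake-response"} <= labels)


# Constructed sample traffic (not a real capture).
SAMPLE = [
    ("10.0.0.5:51000->203.0.113.7:51820", b"\x01\x00\x00\x00" + b"\xaa" * 144),
    ("10.0.0.5:51000->203.0.113.7:51820", b"\x02\x00\x00\x00" + b"\xbb" * 88),
    ("10.0.0.5:51000->203.0.113.7:51820", b"\x04\x00\x00\x00" + b"\xcc" * 28),
    ("10.0.0.9:40000->198.51.100.2:53", b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 20),
    ("10.0.0.9:40001->198.51.100.3:443", b"\x01\x00\x00\x00" + b"\xdd" * 60),
]

if __name__ == "__main__":
    for flow in flows_with_handshake(SAMPLE):
        print("WireGuard handshake seen on", flow)
```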