Obfuscating Wireguard or just switch to Shadowsocks?

Ok so I’ve been using Wireguard with my pfsense box for about a year now. Things worked great. I did have an issue early on where a place I worked straight up blocked the connect port, but I would just hotspot for the handshake and then switch over to the wifi. That changed about a month ago.

I’ve currently encountered several places that seem to be using DPI. In my searching i discovered that a lot of people use shadowsocks to obfuscate the wireguard packets. Should I just switch to only shadowsocks? If not can someone walk me through how I get both working on my pfsense box? I think I would have to use libdev, but I’m not sure.

You’re asking a pretty deep question

Obfuscating network traffic to evade DPI is neither simple, nor a one click/turn key proposition while maintaining ownership.

Simplest way is static IP from home and disguising 8080 traffic as https, but this reveals your destination and long lived VPN/VNC traffic is uniquely unique on charts.

I have one that uses 4+ TB/month and is super simple to find by any sysadmin reviewing logs.

A DDNS only side steps the initial handshake if you have a dynamic WAN IP, the traffic itself remains.

Be sure to configure HTTPS for your initial handshake and share keys as the default is HTTP for most implementations of SOCKS5/Shadowsocks which if your adversary is running DPI will deauth and block you from the network on both sides.