
Cloudron Forum


Enhancing Cloudron's VPN application

Tags: vpn, censorship, amneziawg, sing-box, hysteria2
  • LoudLemur wrote (#1):

    We want to find ways to improve Cloudron's excellent VPN application.

    WireGuard runs over UDP (typically port 51820) with a very distinctive packet structure and handshake. Deep Packet Inspection (DPI) by ISPs, firewalls, or governments can easily identify and block it. OpenVPN over TCP (especially port 443) is already stealthier because it can blend with HTTPS traffic.

    Here are a few ideas. We hope they might be considered in future updates:

    1. AmneziaWG (AWG) Support (Highest Priority Recommendation)

    What it is: A WireGuard fork with built-in obfuscation (junk data injection, header manipulation) that makes traffic much harder for DPI to fingerprint while keeping WireGuard’s speed and simplicity.
    Why it fits perfectly: Battle-tested in high-censorship countries. Clients use the free AmneziaVPN app (or compatible clients). Server-side is relatively lightweight.
    Implementation ideas:
    Toggle “Obfuscated WireGuard (AmneziaWG)” mode in the app settings.
    Generate AmneziaWG-compatible configs (or QR codes/links).
    Use existing community installers or Docker setups as a base.

    There’s already community interest in Amnezia on Cloudron forums.

    2. Advanced Obfuscated Proxy Protocols (sing-box / Xray / VLESS + Reality)

    Add support for modern anti-censorship protocols alongside or instead of plain WireGuard.
    Best options:
    VLESS + Reality (or Trojan): Traffic looks like legitimate TLS connections to real websites (excellent fingerprint resistance).
    Full sing-box or Xray core with multiple transports (Reality, gRPC, WebSocket + TLS, HTTP/2, etc.).

    These are extremely effective against DPI and are widely used for censorship circumvention.
    Cloudron could offer a “Stealth Proxy” mode that deploys a lightweight sing-box/Xray instance.

    3. Hysteria2 Support

    What it is: A modern QUIC-based protocol (UDP) with strong built-in obfuscation, speed optimization, and masquerading features. Very resistant to detection and great on unstable/mobile networks.
    Excellent complement or alternative to WireGuard.
    Easy to run alongside the existing VPN app.

    4. WireGuard-Specific Obfuscation Layers

    Integrate lightweight tools like:
    wg-obfuscator (simple header scrambling/randomization).
    Mullvad-style Lightweight WireGuard Obfuscation concepts (if open-sourced).

    Or run WireGuard inside another obfuscated tunnel (e.g., via sing-box).

    5. TCP + TLS Camouflage for Any Protocol

    Make it trivial to run any VPN protocol over TCP port 443 with proper TLS.
    Use Caddy/Nginx (already common in Cloudron) as a reverse proxy or TLS wrapper.
    This makes traffic indistinguishable from normal HTTPS to basic DPI.

    6. UI & Management Improvements

    “Stealth / Obfuscation Mode” toggle in the app settings with recommended configurations.
    Multi-protocol support in one app (WireGuard + AmneziaWG + Hysteria2 + VLESS+Reality).
    One-click “Censorship-resistant setup” that configures ports, TLS, and generates client links/QR codes optimized for apps like Hiddify, Nekobox, or AmneziaVPN.
    Support for connection links (not just .conf/QR) for modern clients.
    Fallback mechanisms (multiple ports/protocols).
    Better DNS options (DoH/DoT inside the tunnel).

    7. Other Useful Additions

    Integration with reverse proxies or Cloudflare Tunnel for extra layers.
    Port knocking or dynamic port features (advanced).
    Detailed logging/analytics of connection attempts (to detect blocking).
    Documentation and templates for popular obfuscated clients.

    1 Reply Last reply
    7
    • robi wrote (#2):

      Wire it up into a custom app based on the existing app

      Conscious tech

      1 Reply Last reply
      3
      • girish (Staff) wrote (#3):

        Interesting aspect. The current VPN app is more like an overlay network. I think your request is about making it have some stealth mode and help work around deep packet introspection. As @robi said, it might be worth trying to package those other VPNs and see if they help.

        I also don't completely understand why running on port 443 somehow beats deep packet introspection. Maybe it beats some firewall which doesn't allow anything other than port 443 (are these still common?).

        1 Reply Last reply
        1
        • crazybrad wrote (#4):

          With the upcoming changes in Cloudron 10 (VPN-able apps), I like the idea of choosing which VPN: WireGuard (current) or AmneziaWG (for high security) assuming this can be added. Then people can decide how to route their traffic.

          1 Reply Last reply
          6
          • timconsidine (App Dev) wrote (#5):

            @crazybrad yes, that’s the gap for me

            Indie app dev, huge fan of Cloudron PaaS, scratching my itches : communityapps.appx.uk

            1 Reply Last reply
            1
            • rbzvr wrote (#6):

              It would be very cool!
              I would like to see AmneziaWG 2.0.
              You could take the amnezia app itself, which supports a large number of VPN protocols, and add your awesome web UI to it.


              AmneziaWG is a fork of WireGuard-Go, inheriting the architectural simplicity and high performance of the original implementation, but eliminating the identifiable network signatures that make WireGuard easily detectable by Deep Packet Inspection (DPI) systems.

              Version 1.5 took obfuscation to the next level: traffic can now be disguised as common UDP protocols (such as QUIC, DNS, etc.).

              Version 2.0 extends this approach to full "mimicry": traffic becomes even less recognizable to DPI not only at connection time but also during data transmission, thanks to constantly changing headers and packet sizes. This reduces the likelihood of VPN traffic being identified by characteristic patterns and complicates heuristic analysis.

              1 Reply Last reply
              0
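Added example (not part of the thread, and not Cloudron's or AmneziaWG's code): a minimal, port-independent classifier for the fixed WireGuard header and message lengths that the first post and the AmneziaWG description above call its identifiable signature. The sample payloads are constructed, zero-filled bytes, and the non-standard header value is an arbitrary constructed one, not a real AmneziaWG capture.

```python
import struct
from typing import List, Optional

# WireGuard message types with a fixed on-wire size (from the protocol spec).
FIXED = {1: ("handshake_initiation", 148),
         2: ("handshake_response", 92),
         3: ("cookie_reply", 64)}
TRANSPORT = 4
TRANSPORT_HEADER = 16  # type(1) + reserved(3) + receiver index(4) + counter(8)
AEAD_TAG = 16          # Poly1305 tag on every transport payload


def classify_wireguard(payload: bytes) -> Optional[str]:
    """Name the WireGuard message a UDP payload matches, or None.

    The check never looks at the port number, only at the bytes on the wire.
    """
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # the three reserved bytes after the type are always zero
    msg_type = payload[0]
    if msg_type in FIXED:
        name, size = FIXED[msg_type]
        return name if len(payload) == size else None
    if msg_type == TRANSPORT:
        body = len(payload) - TRANSPORT_HEADER - AEAD_TAG
        # Plaintext is padded to 16-byte multiples; a keepalive has body == 0.
        if body >= 0 and body % 16 == 0:
            return "transport_data"
    return None


def flow_opens_with_handshake(payloads: List[bytes]) -> bool:
    """True if the first two payloads of a flow are initiation then response."""
    kinds = [classify_wireguard(p) for p in payloads[:2]]
    return kinds == ["handshake_initiation", "handshake_response"]


def sample(header: int, total_len: int) -> bytes:
    """Constructed test payload: 4-byte little-endian header, zero-filled body."""
    return struct.pack("<I", header) + bytes(total_len - 4)


if __name__ == "__main__":
    print(flow_opens_with_handshake([sample(1, 148), sample(2, 92)]))  # stock header
    print(classify_wireguard(sample(0x5A3C1F07, 148)))  # constructed non-standard header
```

A fixed-byte signature like this matches on any port and stops matching as soon as the header value or packet length differs, so monitoring that has to account for modified forks cannot rely on it alone.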
