Enhancing Cloudron's VPN application
-
We want to find ways to improve Cloudron's excellent VPN application.
WireGuard runs over UDP (typically port 51820) with a very distinctive packet structure and handshake. Deep Packet Inspection (DPI) by ISPs, firewalls, or governments can easily identify and block it. OpenVPN over TCP (especially port 443) is already stealthier because it can blend with HTTPS traffic.
Here are a few ideas. We hope they might be considered in future updates:
1. AmneziaWG (AWG) Support (Highest Priority Recommendation)
What it is: A WireGuard fork with built-in obfuscation (junk data injection, header manipulation) that makes traffic much harder for DPI to fingerprint while keeping WireGuard’s speed and simplicity.
Why it fits perfectly: Battle-tested in high-censorship countries. Clients use the free AmneziaVPN app (or compatible clients). Server-side is relatively lightweight.
Implementation ideas:
Toggle “Obfuscated WireGuard (AmneziaWG)” mode in the app settings.
Generate AmneziaWG-compatible configs (or QR codes/links).
Use existing community installers or Docker setups as a base.
There’s already community interest in Amnezia on Cloudron forums.
2. Advanced Obfuscated Proxy Protocols (sing-box / Xray / VLESS + Reality)
Add support for modern anti-censorship protocols alongside or instead of plain WireGuard.
Best options:
VLESS + Reality (or Trojan): Traffic looks like legitimate TLS connections to real websites (excellent fingerprint resistance).
Full sing-box or Xray core with multiple transports (Reality, gRPC, WebSocket + TLS, HTTP/2, etc.).
These are extremely effective against DPI and are widely used for censorship circumvention.
Cloudron could offer a “Stealth Proxy” mode that deploys a lightweight sing-box/Xray instance.
3. Hysteria2 Support
What it is: A modern QUIC-based protocol (UDP) with strong built-in obfuscation, speed optimization, and masquerading features. Very resistant to detection and great on unstable/mobile networks.
Excellent complement or alternative to WireGuard.
Easy to run alongside the existing VPN app.
4. WireGuard-Specific Obfuscation Layers
Integrate lightweight tools like:
wg-obfuscator (simple header scrambling/randomization).
Mullvad-style Lightweight WireGuard Obfuscation concepts (if open-sourced).
Or run WireGuard inside another obfuscated tunnel (e.g., via sing-box).
5. TCP + TLS Camouflage for Any Protocol
Make it trivial to run any VPN protocol over TCP port 443 with proper TLS.
Use Caddy/Nginx (already common in Cloudron) as a reverse proxy or TLS wrapper.
This makes traffic indistinguishable from normal HTTPS to basic DPI.
6. UI & Management Improvements
“Stealth / Obfuscation Mode” toggle in the app settings with recommended configurations.
Multi-protocol support in one app (WireGuard + AmneziaWG + Hysteria2 + VLESS+Reality).
One-click “Censorship-resistant setup” that configures ports, TLS, and generates client links/QR codes optimized for apps like Hiddify, Nekobox, or AmneziaVPN.
Support for connection links (not just .conf/QR) for modern clients.
Fallback mechanisms (multiple ports/protocols).
Better DNS options (DoH/DoT inside the tunnel).
7. Other Useful Additions
Integration with reverse proxies or Cloudflare Tunnel for extra layers.
Port knocking or dynamic port features (advanced).
Detailed logging/analytics of connection attempts (to detect blocking).
Documentation and templates for popular obfuscated clients.
-
Interesting aspect. The current VPN app is more like an overlay network. I think your request is about making it have some stealth mode and help work around deep packet introspection. As @robi said, might be worth trying to package those other VPNs and see if they help.
I also don't completely understand why running on port 443 somehow beats deep packet introspection. Maybe it beats some firewall which doesn't allow anything other than port 443 (are these still common?).
-
With the upcoming changes in Cloudron 10 (VPN-able apps), I like the idea of choosing which VPN: WireGuard (current) or AmneziaWG (for high security) assuming this can be added. Then people can decide how to route their traffic.
@crazybrad yes, that’s the gap for me
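Added example (not part of any post in this thread): a minimal payload classifier for unobfuscated WireGuard over UDP, illustrating the "distinctive packet structure" point from the first post and showing that such a check does not depend on the destination port. Message types and sizes follow the published WireGuard protocol; the function names and sample payloads are constructed for illustration.

```python
import struct
from typing import Optional

# Fixed-size WireGuard messages: type -> (name, exact UDP payload length).
FIXED = {1: ("handshake_initiation", 148),
         2: ("handshake_response", 92),
         3: ("cookie_reply", 64)}


def classify(payload: bytes) -> Optional[str]:
    """Name the WireGuard message a UDP payload looks like, or None."""
    if len(payload) < 4:
        return None
    # 1-byte type followed by 3 reserved zero bytes == little-endian u32.
    (msg_type,) = struct.unpack_from("<I", payload)
    if msg_type in FIXED:
        name, size = FIXED[msg_type]
        return name if len(payload) == size else None
    # Transport data: 16-byte header + padded ciphertext + 16-byte tag.
    if msg_type == 4 and len(payload) >= 32 and len(payload) % 16 == 0:
        return "transport_data"
    return None


def verdicts(flows):
    """Classify (dst_port, payload) pairs; the port is deliberately ignored."""
    return [(port, classify(payload)) for port, payload in flows]


# Constructed sample payloads (not captured traffic).
FILL = bytes(range(256))
INIT = b"\x01\x00\x00\x00" + FILL[:144]              # 148-byte initiation
KEEPALIVE = b"\x04\x00\x00\x00" + FILL[:28]          # 32-byte empty transport
QUIC_INITIAL = b"\xc3\x00\x00\x00\x01" + bytes(1195)  # QUIC v1 long header
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01" + bytes(6)
             + b"\x07example\x03com\x00\x00\x01\x00\x01")

SAMPLE_FLOWS = [(51820, INIT), (443, INIT), (443, KEEPALIVE),
                (443, QUIC_INITIAL), (53, DNS_QUERY)]

if __name__ == "__main__":
    for port, verdict in verdicts(SAMPLE_FLOWS):
        print(port, verdict)
```

The same handshake bytes are flagged on port 51820 and on port 443, while ordinary QUIC and DNS payloads are not.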