Enhancing Cloudron's VPN application
-
We want to find ways to improve Cloudron's excellent VPN application.
WireGuard runs over UDP (typically port 51820) with a very distinctive packet structure and handshake. Deep Packet Inspection (DPI) by ISPs, firewalls, or governments can easily identify and block it. OpenVPN over TCP (especially port 443) is already stealthier because it can blend with HTTPS traffic.
Here are a few ideas. We hope they might be considered in future updates:
1. AmneziaWG (AWG) Support (Highest Priority Recommendation)
What it is: A WireGuard fork with built-in obfuscation (junk data injection, header manipulation) that makes traffic much harder for DPI to fingerprint while keeping WireGuard’s speed and simplicity.
Why it fits perfectly: Battle-tested in high-censorship countries. Clients use the free AmneziaVPN app (or compatible clients). Server-side is relatively lightweight.
Implementation ideas:Toggle “Obfuscated WireGuard (AmneziaWG)” mode in the app settings.
Generate AmneziaWG-compatible configs (or QR codes/links).
Use existing community installers or Docker setups as a base.There’s already community interest in Amnezia on Cloudron forums.
2. Advanced Obfuscated Proxy Protocols (sing-box / Xray / VLESS + Reality)
Add support for modern anti-censorship protocols alongside or instead of plain WireGuard.
Best options:VLESS + Reality (or Trojan): Traffic looks like legitimate TLS connections to real websites (excellent fingerprint resistance).
Full sing-box or Xray core with multiple transports (Reality, gRPC, WebSocket + TLS, HTTP/2, etc.).These are extremely effective against DPI and are widely used for censorship circumvention.
Cloudron could offer a “Stealth Proxy” mode that deploys a lightweight sing-box/Xray instance.3. Hysteria2 Support
What it is: A modern QUIC-based protocol (UDP) with strong built-in obfuscation, speed optimization, and masquerading features. Very resistant to detection and great on unstable/mobile networks.
Excellent complement or alternative to WireGuard.
Easy to run alongside the existing VPN app.4. WireGuard-Specific Obfuscation
LayersIntegrate lightweight tools like:wg-obfuscator (simple header scrambling/randomization).
Mullvad-style Lightweight WireGuard Obfuscation concepts (if open-sourced).Or run WireGuard inside another obfuscated tunnel (e.g., via sing-box).
5. TCP + TLS Camouflage
for Any ProtocolMake it trivial to run any VPN protocol over TCP port 443 with proper TLS.
Use Caddy/Nginx (already common in Cloudron) as a reverse proxy or TLS wrapper.
This makes traffic indistinguishable from normal HTTPS to basic DPI.6. UI & Management Improvements
“Stealth / Obfuscation Mode” toggle in the app settings with recommended configurations.
Multi-protocol support in one app (WireGuard + AmneziaWG + Hysteria2 + VLESS+Reality).
One-click “Censorship-resistant setup” that configures ports, TLS, and generates client links/QR codes optimized for apps like Hiddify, Nekobox, or AmneziaVPN.
Support for connection links (not just .conf/QR) for modern clients.
Fallback mechanisms (multiple ports/protocols).
Better DNS options (DoH/DoT inside the tunnel).7. Other Useful Additions
Integration with reverse proxies or Cloudflare Tunnel for extra layers.
Port knocking or dynamic port features (advanced).
Detailed logging/analytics of connection attempts (to detect blocking).
Documentation and templates for popular obfuscated clients. -
Interesting aspect. The current VPN app is more like an overlay network. I think your request is about making it have some stealth mode and help work around deep packet introspection . As @robi said might be worth trying to package those other VPNs and see if they help .
I also don't completely understand why running on port 443 somehow beats deep packet introspection . Maybe it beats some firewall which doesn't allow anything other than port 443 (are these still common?).
-
With the upcoming changes in Cloudron 10 (VPN-able apps), I like the idea of choosing which VPN: WireGuard (current) or AmneziaWG (for high security) assuming this can be added. Then people can decide how to route their traffic.
@crazybrad yes, that’s the gap for me
-
It would be very cool!
I would like to see AmneziaWG 2.0.
You could take the amnezia app itself, which supports a large number of VPN protocols, and add your awesome web ui to it
AmneziaWG is a fork of WireGuard-Go, inheriting the architectural simplicity and high performance of the original implementation, but eliminating the identifiable network signatures that make WireGuard easily detectable by Deep Packet Inspection (DPI) systems.
Version 1.5 took obfuscation to the next level: traffic can now be disguised as common UDP protocols (such as QUIC, DNS, etc.).
Version 2.0 extends this approach to full "mimicry": traffic becomes even less recognizable to DPI not only at connection time but also during data transmission, thanks to constantly changing headers and packet sizes. This reduces the likelihood of VPN traffic being identified by characteristic patterns and complicates heuristic analysis.
-
Interesting aspect. The current VPN app is more like an overlay network. I think your request is about making it have some stealth mode and help work around deep packet introspection . As @robi said might be worth trying to package those other VPNs and see if they help .
I also don't completely understand why running on port 443 somehow beats deep packet introspection . Maybe it beats some firewall which doesn't allow anything other than port 443 (are these still common?).
Running a VPN on port 443 helps circumvent censorship for two main reasons: it bypasses simple port-based blocking (extremely common) and makes the traffic much harder for Deep Packet Inspection (DPI) to flag without causing massive collateral damage.
1. It defeats basic port-based firewalls (the most common form of blocking)
Many networks: corporate firewalls, hotel/airport Wi-Fi, university networks, and even some national censors, don't allow arbitrary outbound ports. They only permit port 80 (HTTP) and port 443 (HTTPS) because those are required for normal web browsing.
- Standard VPN ports get blocked instantly:
- OpenVPN UDP: 1194
- WireGuard: 51820
- IKEv2: 500/4500
- Port 443 is untouchable for practical purposes. Blocking it would break online banking, shopping, video calls, government services, etc. Censors and network admins almost never do this.
This alone explains why "just change the port to 443" works in many restrictive environments (hotels, offices, schools, etc.).
2. It helps against Deep Packet Inspection (DPI) but not magically by itself
DPI goes beyond ports and looks inside the packets for protocol signatures, handshake patterns, traffic shapes, entropy, etc.
Why port 443 still helps here:
- Legitimate HTTPS traffic on port 443 is encrypted and highly variable. DPI systems have to be very careful when analyzing it, because false positives would break real websites.
- Blanket-blocking or aggressively throttling port 443 is politically and technically expensive for censors.
- When your VPN runs on 443 and starts with a TLS handshake, it at least looks like normal web traffic at first glance. This forces the DPI system to do deeper (more expensive) analysis on a huge volume of traffic.
However, plain OpenVPN or WireGuard on TCP/UDP 443 is often still detectable by modern DPI. The TLS handshake and subsequent traffic patterns differ from real browser HTTPS traffic (missing ALPN extensions, different JA3 fingerprints, packet timing/size distributions, etc.).
3. Real stealth comes from combining port 443 + proper obfuscation
This is where modern censorship circumvention shines:
Technique How it works on port 443 DPI resistance Notes Plain OpenVPN TCP 443 TLS handshake on 443 Weak–Medium Better than other ports but detectable OpenVPN + obfsproxy/stunnel Wraps traffic to look more like HTTPS Medium Classic but dated Trojan Real TLS + behaves like a real web server Very High Excellent — returns fake website on probe VLESS + REALITY / XTLS Borrows real domain TLS fingerprint Very High Current state-of-the-art Shadowsocks + obfs Simple + obfuscation layer High Lightweight and effective Hysteria2 / TUIC (QUIC) UDP 443 mimicking HTTP/3 High Fast + good obfuscation SSTP or proprietary Stealth Built-in TLS wrapping Medium–High Easy for commercial VPNs Trojan is particularly elegant: it performs a real TLS handshake on port 443. If the client doesn't present the correct password hash, the server just serves a normal web page (or 404). To DPI and active probing, it looks like a legitimate HTTPS website.
Summary: Why 443 is special
- Port blocking → Defeated almost completely.
- Basic/moderate DPI → Significantly harder (especially with obfuscation).
- Advanced DPI (e.g. China's GFW with ML) → Not sufficient alone, but still the best starting port. You need good obfuscation/protocol on top of it.
This is why almost every serious censorship-circumvention tool (commercial "Stealth"/"Obfuscated" servers, Outline, V2Ray/Xray configs, Trojan setups, etc.) defaults to or strongly recommends port 443.
Bottom line:
Port 443 doesn't "beat" advanced DPI by magic — but it is one of the most important ingredients in any stealth strategy because it avoids easy blocks and forces censors into expensive, imperfect analysis of traffic that looks like normal web browsing. For real-world reliability against strong DPI, combine it with a proper obfuscated protocol (Trojan, REALITY, etc.).If you're building or evaluating a specific VPN app, the winning pattern in 2026 is usually: TLS-based stealth protocol on port 443 (or QUIC on 443) with good fingerprint resistance.
- Standard VPN ports get blocked instantly:
-
Running a VPN on port 443 helps circumvent censorship for two main reasons: it bypasses simple port-based blocking (extremely common) and makes the traffic much harder for Deep Packet Inspection (DPI) to flag without causing massive collateral damage.
1. It defeats basic port-based firewalls (the most common form of blocking)
Many networks: corporate firewalls, hotel/airport Wi-Fi, university networks, and even some national censors, don't allow arbitrary outbound ports. They only permit port 80 (HTTP) and port 443 (HTTPS) because those are required for normal web browsing.
- Standard VPN ports get blocked instantly:
- OpenVPN UDP: 1194
- WireGuard: 51820
- IKEv2: 500/4500
- Port 443 is untouchable for practical purposes. Blocking it would break online banking, shopping, video calls, government services, etc. Censors and network admins almost never do this.
This alone explains why "just change the port to 443" works in many restrictive environments (hotels, offices, schools, etc.).
2. It helps against Deep Packet Inspection (DPI) but not magically by itself
DPI goes beyond ports and looks inside the packets for protocol signatures, handshake patterns, traffic shapes, entropy, etc.
Why port 443 still helps here:
- Legitimate HTTPS traffic on port 443 is encrypted and highly variable. DPI systems have to be very careful when analyzing it, because false positives would break real websites.
- Blanket-blocking or aggressively throttling port 443 is politically and technically expensive for censors.
- When your VPN runs on 443 and starts with a TLS handshake, it at least looks like normal web traffic at first glance. This forces the DPI system to do deeper (more expensive) analysis on a huge volume of traffic.
However, plain OpenVPN or WireGuard on TCP/UDP 443 is often still detectable by modern DPI. The TLS handshake and subsequent traffic patterns differ from real browser HTTPS traffic (missing ALPN extensions, different JA3 fingerprints, packet timing/size distributions, etc.).
3. Real stealth comes from combining port 443 + proper obfuscation
This is where modern censorship circumvention shines:
Technique How it works on port 443 DPI resistance Notes Plain OpenVPN TCP 443 TLS handshake on 443 Weak–Medium Better than other ports but detectable OpenVPN + obfsproxy/stunnel Wraps traffic to look more like HTTPS Medium Classic but dated Trojan Real TLS + behaves like a real web server Very High Excellent — returns fake website on probe VLESS + REALITY / XTLS Borrows real domain TLS fingerprint Very High Current state-of-the-art Shadowsocks + obfs Simple + obfuscation layer High Lightweight and effective Hysteria2 / TUIC (QUIC) UDP 443 mimicking HTTP/3 High Fast + good obfuscation SSTP or proprietary Stealth Built-in TLS wrapping Medium–High Easy for commercial VPNs Trojan is particularly elegant: it performs a real TLS handshake on port 443. If the client doesn't present the correct password hash, the server just serves a normal web page (or 404). To DPI and active probing, it looks like a legitimate HTTPS website.
Summary: Why 443 is special
- Port blocking → Defeated almost completely.
- Basic/moderate DPI → Significantly harder (especially with obfuscation).
- Advanced DPI (e.g. China's GFW with ML) → Not sufficient alone, but still the best starting port. You need good obfuscation/protocol on top of it.
This is why almost every serious censorship-circumvention tool (commercial "Stealth"/"Obfuscated" servers, Outline, V2Ray/Xray configs, Trojan setups, etc.) defaults to or strongly recommends port 443.
Bottom line:
Port 443 doesn't "beat" advanced DPI by magic — but it is one of the most important ingredients in any stealth strategy because it avoids easy blocks and forces censors into expensive, imperfect analysis of traffic that looks like normal web browsing. For real-world reliability against strong DPI, combine it with a proper obfuscated protocol (Trojan, REALITY, etc.).If you're building or evaluating a specific VPN app, the winning pattern in 2026 is usually: TLS-based stealth protocol on port 443 (or QUIC on 443) with good fingerprint resistance.
@LoudLemur based on your message, which was written to you by AI . You are not suitable for openvpn and wireguard , which are exactly VPN connections. But suitable VLESS , Shadowsocks and Hysteria , which are proxies . For them you can in a couple of clicks to raise a single server with web ui -for example 3xui .
- Standard VPN ports get blocked instantly:
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login