AmneziaWG plugin library request #15

Open
wiresock opened this issue Sep 7, 2024 · 6 comments

@wiresock

wiresock commented Sep 7, 2024

Could there be a possibility to have the AmneziaWG WireGuard obfuscation method available as a C/C++/Rust library? Some of my users are interested in AmneziaWG support for the WireSock VPN Client, and having such a library would simplify integration and allow for future enhancements.

@osiris-plus

There are forks of WireGuard repos with AWG support:

https://github.com/amnezia-vpn/amneziawg-windows-client
https://github.com/amnezia-vpn/amneziawg-go

btw why not open source wiresock? :)

@wiresock
Author

> https://github.com/amnezia-vpn/amneziawg-windows-client
>
> https://github.com/amnezia-vpn/amneziawg-go

It would be significantly more convenient to have a reference implementation in the form of a library rather than extracting the relevant functions from the WireGuard source code.

> btw why not open source wiresock? :)

Major parts of the WireSock implementation are already open source—such as ndisapi (excluding the driver), boringtun, and shared utility C++ classes, which are also available in ProxiFyre. I don’t believe that fully open-sourcing WireSock would offer any substantial benefits to the project. When ProxiFyre was made open source, it didn’t notably accelerate the project’s development, and some parts were even reused commercially without contributing back. Given that WireSock is a much more complex system, the potential downsides—such as the risk of its components being exploited commercially without reciprocal benefits—raise serious questions about how open-sourcing it would truly aid its progress.

@Phleesty

I used WireSock before the protocol was blocked in Russia. It worked just perfectly. Oh, how I wish there was at least some way to use AmneziaWG with normal application tunneling. And ideally with good routing and the ability to add domains.

@wiresock
Author

Could you please provide more details on what you mean by “ability to add domains”?

@Phleesty

It is possible to add the AllowedIPs parameter in the WireGuard config. WireSock adds the ability to add AllowedApps to the WireGuard config. In my fantasies it would be cool to be able to use AllowedDomains to bypass blocking individual sites by their domain respectively.
The thing is that I tried to use known IP lists for YouTube or Discord, for example from here https://iplist.opencck.org/ with the same AmneziaVPN or v2ray, and in the end it opens many unnecessary sites through the VPN connection. And I'm talking about thousands of exact IPv4 addresses, not about CIDR.
But as far as I understand, the WireGuard protocol itself works only with IPs, and if it is possible, it will be a huge job.

@wiresock
Author

Since many domains on CDNs share the same IP, filtering by domain at the IP level becomes impractical. This shared infrastructure means that the decision to route traffic via VPN has to happen as soon as the initial TCP SYN packet is sent, which is before the TLS handshake reveals the SNI (Server Name Indication) and, by extension, the domain. Without SNI data, accurately routing by domain becomes nearly impossible.

Implementing domain-based filtering would require an additional DNS-aware layer, essentially watching DNS traffic and tracking which domains resolve to which IPs. This layer could attempt to “guess” the destination domain when a connection targets an IP that a recent DNS query resolved to. However, this approach has limitations: IPs change frequently, CDNs dynamically assign them, and multiple domains often share the same IP at different times.
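The DNS-aware layer described in the comment above, as an added sketch that is not part of the thread and not WireSock or AmneziaWG code: it parses DNS responses, records which queried name each IPv4 address was returned for, and reports every unexpired candidate for a destination IP. The names `DnsTracker`, `a_records`, `read_name` and `build_response` are hypothetical, and the responses it is exercised with are constructed samples using documentation addresses.

```python
import struct

def read_name(msg, off):
    """Decode a DNS name at off, following compression pointers."""
    labels, end, hops = [], None, 0
    while msg[off]:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = end or off + 2
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    return ".".join(labels), end or off + 1

def a_records(msg):
    """Return (queried_name, ipv4, ttl) for each A record in a DNS response."""
    _, flags, qd, an = struct.unpack_from("!HHHH", msg, 0)
    if not flags & 0x8000 or qd != 1:       # not a response / unusual question count
        return []
    qname, off = read_name(msg, 12)
    off += 4                                # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:       # A record; key it by the name the client asked for
            out.append((qname, ".".join(map(str, msg[off:off + 4])), ttl))
        off += rdlen
    return out

class DnsTracker:
    def __init__(self):
        self.seen = {}                      # ip -> {domain: expiry time}
    def observe(self, msg, now):
        for name, ip, ttl in a_records(msg):
            self.seen.setdefault(ip, {})[name] = now + ttl
    def candidates(self, ip, now):
        """Unexpired domains that resolved to ip; more than one means the guess is ambiguous."""
        return {d for d, exp in self.seen.get(ip, {}).items() if exp > now}

def build_response(name, ips, ttl):         # constructed sample DNS response, not captured traffic
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0) + q + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return msg
```

Feed `observe` each DNS response seen on the wire and call `candidates` with the destination IP when a SYN appears. An empty set (no recent lookup, or the TTL lapsed) and a set with several names (shared CDN address) are the two cases where DNS data alone cannot settle the routing decision.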
