Support direct MASQUE VPN (without WireGuard layer)

[kolon0]

I have checked if others have suggested this already

• I have checked this issue tracker to see if others have reported similar issues.

Feature description

First of all, I am not an expert, so maybe I have a misunderstanding.
But it seems like you have implemented WireGuard over MASQUE.

Why not MASQUE itself (with CONNECT-IP)?
Wouldn't WireGuard over MASQUE lead to significant performance decrease and resource comsumption?
Or was this decision made to make MASQUE work with DAITA, since DAITA is integrated in WireGuard (I saw it here: https://github.com/mullvad/wireguard-go)?

Thank you, and respect for your hard work!

Alternative solutions

If it doesn't lead to unnecessary implementation complexity, maybe use MASQUE directly when DAITA is not enabled?

Type of feature

• Better privacy/anonymity
• Better at circumventing censorship
• Easier to use
• Other

Operating System

• Android
• iOS
• Windows
• macOS
• Linux

[artiwl]

Have the same doubt. Speeds dropped a lot when QUIC was enabled.

[strykenKN]

Speed with QUIC is an absolute disaster and can hardly be used! Pages almost don't open, streams barely work, or pages don't open at all!. Mullvad has once again installed something that is completely half-baked, the main thing is something new that doesn't work again! And absolutely unusable with the Mullvad Proxy Addon, because absolutely no page opens anymore!

[kolon0]

Speed with QUIC is an absolute disaster and can hardly be used! Pages almost don't open, streams barely work, or pages don't open at all!. Mullvad has once again installed something that is completely half-baked, the main thing is something new that doesn't work again! And absolutely unusable with the Mullvad Proxy Addon, because absolutely no page opens anymore!

Maybe your ISP is throttling? Have you tried Cloudflare WARP with MASQUE? If it works perfectly there, then the issue might be with Mullvad, their servers could be too far from you, or it could be a Windows-specific issue. It works fine for me on Linux, and I haven’t experienced problems like pages not opening at all.

[strykenKN]

Speed with QUIC is an absolute disaster and can hardly be used! Pages almost don't open, streams barely work, or pages don't open at all!. Mullvad has once again installed something that is completely half-baked, the main thing is something new that doesn't work again! And absolutely unusable with the Mullvad Proxy Addon, because absolutely no page opens anymore!

Maybe your ISP is throttling? Have you tried Cloudflare WARP with MASQUE? If it works perfectly there, then the issue might be with Mullvad, their servers could be too far from you, or it could be a Windows-specific issue. It works fine for me on Linux, and I haven’t experienced problems like pages not opening at all.

Hello Kolon,

thanks for your info. So I have a gigbite line at the municipal utilities. Without Mullvad I can get a full 1 GB down and up 250 Mbit without any ifs and buts, at any time, around the clock (I can prove everything.!). Once Mullvad is turned on, everything just goes down to 90 Mbit and up to 2 Mbit. And when QUIC is activated, almost nothing works anymore. Everyone I know who uses Mullvad has exactly the same problems and complains about them.

The problem is Mullvad himself, that's a fact, they don't admit it and blame everything on the user and the ISP. This makes it very easy for yourself and then you don't have to worry about the problems you have. I've already tested a few VPNs, but when it comes to speed, Mullvad is the worst! But Mullvad doesn't care that the problem lies with them themselves. If you complain to Mullvad by email or within the app, Mullvad is not the problem, they always blame it on the ISP or yourself. I can always prove the opposite, but Mullvad ignores it. Unfortunately, I've already had some negative experiences with this.

[buggmagnet]

Hi @strykenKN

Consider this your only warning

I notice that you've been commenting recently on multiple issues on our github page pointing out issues you're encountering with our service, notably QUIC, and expressing your discontent.

I understand that you're upset, and not satisfied (I will come to this shortly) with the service provided, but commenting everywhere to bring everything about your problems is a surefire way to get you banned. I would kindly ask you to refrain from doing this, and to stay civil in your comments.

We will not tolerate any form of harassment, and your indignified comments are definitely not a good way to get our attention, or your problems solved.

Now onto the problem you're facing.

It seems you are having many issues with QUIC, and I would kindly ask you to open a separate issue on our tracker about your troubles with QUIC so we can give it a proper place to discuss. I would also invite you to contact [email protected] in case you need help with the configuration you are using with Mullvad.

Hello @kolon0 Just a quick clarification, we have implemented Wireguard over QUIC. MASQUE is built on top of QUIC.

We are aware about MASQUE, and I cannot comment on whether we will support it one day or not, but to give you a short answer, it's not an insignificant effort to add support for new protocols that are not some form of wrapper around Wireguard.

We can keep this issue open however to gauge interest in MASQUE.

See my answer below

[paperclip-dayo]

Speed with QUIC is an absolute disaster and can hardly be used! Pages almost don't open, streams barely work, or pages don't open at all!. Mullvad has once again installed something that is completely half-baked, the main thing is something new that doesn't work again! And absolutely unusable with the Mullvad Proxy Addon, because absolutely no page opens anymore!

Sounds like a you issue really, QUIC works fine over here. If "pages don't open" you may have MTU issues.
Main issue with QUIC at the moment is that there's only a few servers that support QUIC and half of them are M247 which often get blacklisted. Hopefully it won't take ages for QUIC to be rolled out to all relays.

[buggmagnet]

Another clarification.

To quote our official announcement:

What we call QUIC obfuscation builds on the MASQUE protocol described by RFC 9298 - Proxying UDP in HTTP.

I'm editing my previous comment which was not entirely correct about MASQUE. We do use a subset of what MASQUE is capable of, it does more than just proxying UDP traffic, it can also tunnel TCP traffic for instance, which our implementation does not support.
You are right in pointing out @kolon0 that we could simply tunnel the packets without the Wireguard layer.

And we can keep this issue open to track that interest.

[strykenKN]

I notice that you've been commenting recently on multiple issues on our github page pointing out issues you're encountering with our service, notably QUIC, and expressing your discontent.

I understand that you're upset, and not satisfied (I will come to this shortly) with the service provided, but commenting everywhere to bring everything about your problems is a surefire way to get you banned. I would kindly ask you to refrain from doing this, and to stay civil in your comments.

We will not tolerate any form of harassment, and your indignified comments are definitely not a good way to get our attention, or your problems solved.

Now onto the problem you're facing.

Hallo buggmagnet,

first of all, thank you for understanding me, that I "had" a lot of problems and that's why I was angry. Because I had just spent hours trying to somehow find the error. And then I just let my anger out of here. That wasn't right, I have to apologize for that.

So now I've found out the error, it's clearly due to the Realtek LAN driver. I have the latest one from Gigabyte.

I did the following. I uninstalled Mullvad cleanly, then restarted the LAN driver, restarted the computer and first installed the LAN driver, restarted the computer and then reinstalled Mullvad. Then it worked and became much faster. But there is still a problem when I build a new page such as winfuture.de, x.com, chip.de etc. etc. It takes a few seconds for the page to load.

I suspect that the Realtek driver is causing problems. Maybe you can take a look there.

[strykenKN]

Now I have another suggestion regarding MASQUE.

Some VPN providers offer "AmneziaWG" in conjunction with Wireguard Go to improve security. And that in connection with Quic. And multihoop as some do, double tunnel, i.e. a tunnel in the tunnel to keep the attack surface even lower.

I think you should include that in my opinion and offer it. I don't think Quic alone will be enough. Wireguard's problem is that it does not offer standalone protection, does not offer protection against deep packet inspection (DPI), and thus does not provide obfuscation. Some people then don't use Wireguard, but Wireguard Go with AmneziaWG and protect it with Sphinx protocol, for example (such as NymVPN or other dVPN providers and with Multihoop that tunnels, another tunnel over it.

Wouldn't that be something?

[hulthe]

The obfuscation methods that amneziawg uses are indeed interesting, thanks for the tip

[User00123]

Hi, there is a Mullvad AmneziaWG Configuration Example in https://github.com/yoloshii/privacy-first-network/blob/main/openwrt/amneziawg/mullvad-awg0.conf.example

[strykenKN]

The obfuscation methods that amneziawg uses are indeed interesting, thanks for the tip

I don't think the idea is bad either. I came up with it because, for example, NymVPN and others that offer decentralized VPN`s use it and tunnel the VPN tunnel again.

A battle between NymVPN and Mullvad is currently going on on the Internet or in the forums. NymVPN decentralized and Mullvad centralized (in my opinion should switch to decentralized as this will be the future, see Snowden etc. and will be much safer. Above all, the Mixet servers, which are spread all over the world). Mullvad is very, very good and almost unbeatable. But decentralized VPNs will be the future and far more secure NymVPN is leading the way. Mullvad has to decide for the future how they will proceed. Decentralized VPNs will replace decentralized ones. Unfortunately, that is a fact. And NymVPN now seems to be/will be the pioneer. This isn't an advertisement for NymVPN, but Mullvad can't close his eyes to the future and has to think about what else they want to do. VPN`s that run centrally will be completely replaced by decentralization in the long term. And unfortunately that will happen faster than we all would like.

What do you think about that? is Mullvad already thinking about this or is something slowly being set in motion?

NymVPN wrote something else about Obscura and Mullvad and their security when it comes to multihoop and if that's true, Mullvad clearly needs to change something when it comes to security, I quote:

Regarding the independent operators model with Obscura: I think it is a very nice step towards decentralisation that Mullvad partnered with Obscura, as otherwise Mullvad’s 2-hop mode wasn’t really decentralised because they control all the nodes. Pairing with Obscura adds a bit of decentralisation indeed, as in theory you’re routing traffic through 1 node controlled by Obscura and 1 controlled by Mullvad.
Hence, the claim here is that ObscuraVPN cannot decrypt your traffic, and Mullvad’s servers cannot see your original IP address - and cannot correlate your IP with your activities. This is true under the assumption that the two services do not collude—which, of course at this point, is based on a pinky promise as those two companies already collaborate :slight_smile:
Also, worth noting is that since the Obscura app encrypts traffic using WireGuard for the Mullvad exit server before sending it over QUIC to the Obscura entry node, there is no separate WireGuard tunnel between the Obscura app and the Obscura entry server (at least that’s my understanding of their design). This setup requires the client to be aware of both ObscuraVPN and Mullvad’s servers. Specifically, my device must know the public WireGuard key and endpoint of the Mullvad exit server before it can establish a connection. Because my WireGuard session is end-to-end encrypted between my device and Mullvad’s exit node, Mullvad does see my WireGuard public key. If I reuse the same key across multiple sessions, Mullvad could track my activity by associating different connections with the same key. I’m not sure they rotate the long-term public-private WireGuard key pairs between sessions.>

and to Daita:

I think Mullvad is doing some great work towards advancing the privacy for their users! As for DAITA - we looked at it when they announced it. Looking at the code, they implemented the addition of cover traffic with the Maybenot framework. Doing a bit of a deeper dive back then showed that they used four different state machines, but in all cases, the cover traffic patterns were quite predictable and could be easily filtered out with simple traffic analysis. I haven’t checked recently, so I can’t say whether they’ve improved it, but back then, it was doing very little to hinder traffic analysis. And also it wasn’t by default - you have to enable it in

settings.

Link to this from: https://discuss.privacyguides.net/t/nym-and-nymvpn-next-gen-privacy-with-mixnet-and-vpn-service/25072/28

This is not intended to be an advertisement for NymVPN, absolutely not, but this matter is discussed and highlighted in many forums. And I'm watching these two sides; NymVPN and Mullvad because these two are being compared.

Maybe Mullvad can say something about the claim himself. Because it worries me a little bit.

[buggmagnet]

Hi @strykenKN

I'm glad that your problems were solved!

We are very well aware of what NymVPN is doing. And I personally think it's good that there are multiple solutions available to users to find a solution that serves their needs the best.

I'm not going to comment on most of the things you wrote because this is an issue tracker, not a forum, and because I'm only an employee, I do not represent Mullvad's stance in an official capacity.

Some VPN providers offer "AmneziaWG" in conjunction with Wireguard Go to improve security. And that in connection with Quic. And multihoop as some do, double tunnel, i.e. a tunnel in the tunnel to keep the attack surface even lower.
I think you should include that in my opinion and offer it. I don't think Quic alone will be enough.

It looks like you are confused about some of the functionality we provide.
We do offer a multihop functionality in our app on all platforms. We also offer QUIC obfuscation on all platforms now as well.
You keep saying you are worried, but what are you worried about exactly ?

Wireguard's problem is that it does not offer standalone protection, does not offer protection against deep packet inspection (DPI), and thus does not provide obfuscation.

Wireguard offering no protection against DPI does not mean it's insecure. Your connection is still fully undecipherable and no one but you and the wireguard server you are connected to can ever know the content of your traffic.
It just means someone probing your network can see that you are using Wireguard, but they won't be able to decrypt the connection.

To give you a more concrete example, let's say you do a search on DuckDuckGo, and that you are connected to a WireGuard server.

Someone observing the traffic between you and the wireguard server will just see encrypted data. They cannot see that you are trying to reach DuckDuckGo.

DuckDuckGo's server will only see that a random server is sending them traffic. They cannot see your IP address, and they cannot know that this server sending them traffic is running a WireGuard endpoint.

Someone observing the traffic between DuckDuckGo and the wireguard server cannot infer that you are the one sending the traffic.

I hope that clarifies some things you are worried about. Please feel free to reach [email protected] if you have technical questions, or worries about what we do.
We are open source, so you can verify everything I'm saying as well, don't just take my words for it.