Obfuscation UDP-over-TCP option

[SkynetMDX]

Was obfuscating UDP-over-TCP explored as an option to bypass public network restrictions, any plans to implement it?

[teon]

@SkynetMDX Yes, it’s planned but it’s a large feature. We need a solution that:

1. Enables client-side implementations in Rust (Desktop), Swift (iOS), and Kotlin (Android). No existing solution meets this requirement.

2. Works on the server side not as a standalone tool, but as a library we can embed into our gateways (Linux, FreeBSD, OPNsense, etc.).

This means we will most likely need to implement it from scratch.

We also expect to support not only UDP→TCP transport, but additional obfuscation methods (similar to Mullvad VPN:
https://mullvad.net/en/help/connecting-to-mullvad-vpn-from-restrictive-locations#connecting).

This is actually necessary to ensure reliability in restrictive environments (e.g., airports, some hotels with Deep Packet Inspection), where simple UDP-to-TCP transformation is insufficient.

At the moment, we’re in the middle of a major architectural update for the upcoming 2.0 release (more details on our Blog). These changes are essential to make Defguard significantly easier to deploy, but they are temporarily slowing feature development.

On the positive side, 2.0 will also introduce a completely new UI/UX, which in my opinion will make Defguard the most polished and professional tool on the market. We’re aiming to launch this in February, after which we’ll plan further feature development, including this one.

I hope this clarifies things and is helpful.