A prototype fork of WireGuard protocol resistant to DPI and theoretical quantum attacks including "burn-through" methods
LumeGuard is an experimental next-generation VPN protocol built on WireGuard architecture with integrated post-quantum cryptography and advanced Deep Packet Inspection (DPI) evasion capabilities.
This project represents a prototype WireGuard fork that provides protection against:
- 🔮 Quantum attacks (including Shor's algorithm and burn-through methods)
- 🛡️ Deep Packet Inspection (DPI/GFW)
- 📡 Network censorship and blocking
- 🕵️ Traffic analysis attacks
LumeGuard combines:
- Post-quantum cryptography for protection against quantum computers
- Traffic obfuscation for DPI system bypass
- Hybrid security scheme (classical + post-quantum)
- WireGuard compatibility in terms of architecture
| Component | WireGuard | LumeGuard |
|---|---|---|
| Key Exchange | Curve25519 | Kyber768 (NIST Level 3) |
| Digital Signatures | Ed25519 | Dilithium3 (NIST Level 3) |
| Public Key Size | 32 bytes | 1,184 bytes |
| Signature Size | 64 bytes | 3,293 bytes |
| DPI Bypass | ❌ | ✅ HTTPS/WebSocket masquerading |
| Quantum Resistance | ❌ | ✅ 192-bit equivalent |
Core PQ Algorithms (NIST Standards):
- 🔑 Kyber768 KEM - Key encapsulation (32-byte shared secret)
- 📝 Dilithium3 - Digital signatures (3,293 bytes)
- 🔐 ChaCha20-Poly1305 - Symmetric encryption (WireGuard compatible)
Hybrid Security Scheme:
┌─────────────────────────────────────────────────┐
│ LumeGuard │
├─────────────────┬───────────────────────────────┤
│ Classical │ Post-Quantum │
│ Cryptography │ Cryptography │
├─────────────────┼───────────────────────────────┤
│ • Curve25519 │ • Kyber768 (KEM) │
│ • ChaCha20 │ • Dilithium3 (Signatures) │
│ • Poly1305 │ • HKDF-SHA256 (Derivation) │
└─────────────────┴───────────────────────────────┘
- Shor's Algorithm: Protection via lattice-based problems (Kyber)
- Burn-through Methods: Resistance to discrete logarithm attacks
- Quantum Cryptanalysis: NIST Level 3 security (192-bit equivalent)
- HTTPS Masquerading - Mimics regular web traffic
- WebSocket Tunneling - Uses standard ports
- DNS-over-HTTPS - Bypass via DNS queries
- Traffic Shaping - Obfuscates traffic patterns
Operation Throughput
─────────────────────────────────────
Kyber Key Generation 35,628 ops/sec
Kyber Encapsulation 69,544 ops/sec
Kyber Decapsulation 61,101 ops/sec
ChaCha20 Encryption 1,456,953 ops/sec
ChaCha20 Decryption 1,567,656 ops/sec
-
Cloudflare CIRCL
v1.6.1- Post-quantum cryptography implementation (Kyber768, Dilithium3)
- High-performance NIST algorithm implementations
- Production-grade cryptographic primitives
-
water
v0.0.0-20200317203138- Cross-platform TUN/TAP interface library
- Virtual network device management
- Windows/Linux/macOS support
-
golang.org/x/crypto
v0.14.0- Extended cryptographic functions
- ChaCha20-Poly1305 AEAD encryption
- Go ecosystem compatibility
-
fsnotify
v1.9.0- Configuration file monitoring
- Hot-reload capabilities without restart
-
gopkg.in/yaml.v3
v3.0.1- YAML configuration parsing
- Human-readable configuration format
-
NIST Post-Quantum Cryptography
- Kyber768: NIST PQC competition finalist
- Dilithium3: FIPS 204 standard
-
- Base protocol architecture
- Noise Protocol Framework
-
RFC 7539 - ChaCha20-Poly1305 AEAD
-
RFC 5869 - HKDF Key Derivation
LumeGuard/
├── cmd/ # Executable files
│ ├── lumeguard-server/ # VPN server
│ └── lumeguard-client/ # VPN client
├── internal/ # Internal modules
│ ├── core/ # Core server/client logic
│ ├── crypto/ # Post-quantum cryptography
│ ├── evasion/ # DPI evasion engine
│ ├── network/ # TUN interface and routing
│ ├── protocol/ # LumeWire handshake protocol
│ └── config/ # Configuration management
├── pkg/ # Public APIs
└── docs/ # Technical documentation
├── protocol-spec.md # Protocol specification
└── development-report.md # Development report
Client Server
│ │
│ 1. HandshakeInit │
│ ┌─────────────────────────────┐ │
│ │ • Kyber Public Key │ │
│ │ • Dilithium Signature │ │
│ │ • Timestamp │ │
│ └─────────────────────────────┘ │
│──────────────────────────────▶ │
│ │
│ 2. HandshakeResponse │
│ ┌─────────────────────────────┐ │
│ │ • Server Kyber Public Key │ │
│ │ • Kyber Ciphertext │ │
│ │ • Dilithium Signature │ │
│ └─────────────────────────────┘ │
│ ◀────────────────────────────── │
│ │
│ 3. TransportData │
│ ┌─────────────────────────────┐ │
│ │ • ChaCha20-Poly1305 │ │
│ │ • Packet Counter │ │
│ │ • Encrypted Payload │ │
│ └─────────────────────────────┘ │
│ ◀──────────────────────────────▶│
┌─────────────────┐ ┌─────────────────┐
│ LumeGuard │ │ LumeGuard │
│ Client │ │ Server │
├─────────────────┤ ├─────────────────┤
│ • Config Mgmt │ │ • Peer Manager │
│ • TUN Interface │ │ • TUN Interface │
│ • Protocol │◄──►│ • Protocol │
│ • Crypto (PQ) │ │ • Crypto (PQ) │
│ • DPI Evasion │ │ • DPI Evasion │
└─────────────────┘ └─────────────────┘
│ │
▼ ▼
┌─────────────────────────────────────────┐
│ HTTPS Traffic │
│ (Masqueraded VPN Packets) │
└─────────────────────────────────────────┘
# Clone repository
git clone https://github.com/lumeguard/lumeguard.git
cd lumeguard
# Download dependencies
go mod download
# Build executables
go build -o lumeguard-server.exe ./cmd/lumeguard-server
go build -o lumeguard-client.exe ./cmd/lumeguard-client
# Run tests (21 tests)
go test ./... -v# server.yaml
general:
name: "LumeGuard Server"
mode: "server"
server:
listen_address: "0.0.0.0"
listen_port: 51820
max_clients: 100
network:
interface: "lume0"
ip_address: "10.0.0.1/24"
mtu: 1420
crypto:
algorithm: "kyber768"
signature_scheme: "dilithium3"
evasion:
enabled: true
methods: ["https_masquerade"]# client.yaml
general:
name: "LumeGuard Client"
mode: "client"
client:
server_address: "YOUR_SERVER_IP"
server_port: 51820
auto_reconnect: true
network:
interface: "lume0"
ip_address: "10.0.0.2/24"
mtu: 1420
crypto:
algorithm: "kyber768"
signature_scheme: "dilithium3"
evasion:
enabled: true
methods: ["https_masquerade"]# Start server
./lumeguard-server -config server.yaml
# Connect client
./lumeguard-client -config client.yaml
# Show version
./lumeguard-server -version
./lumeguard-client -version
# Show help
./lumeguard-server -help| Threat | Classical WireGuard | LumeGuard |
|---|---|---|
| Classical attacks | 256-bit | 256-bit |
| Quantum attacks | ❌ Vulnerable | ✅ 192-bit equivalent |
| Shor's Algorithm | ❌ Critical | ✅ Resistant |
| Replay attacks | ✅ Protected | ✅ Enhanced protection |
✅ Network Surveillance - Traffic appears as HTTPS
✅ Deep Packet Inspection - Protocol obfuscation
✅ Traffic Analysis - Randomized timing/padding
✅ Quantum Attacks - Post-quantum cryptography
✅ Replay Attacks - Packet counters & timestamps
✅ Censorship - Masquerading as normal web traffic
Component WireGuard LumeGuard Increase
──────────────────────────────────────────────────────────
Handshake size ~150 bytes ~8KB ~53x
Public key 32 bytes 1,184 bytes 37x
Signature 64 bytes 3,293 bytes 51x
Handshake latency ~1ms ~3ms 3x
Throughput ~95% ~92% -3%
# All tests (21 tests)
go test ./... -v
# Crypto tests
go test ./internal/crypto -v
# Protocol tests
go test ./internal/protocol -v
# Performance benchmarks
go test -bench=. ./internal/crypto✅ crypto/pq_test.go - Post-quantum cryptography
✅ crypto/transport_test.go - Transport encryption
✅ protocol/handshake_test.go - Handshake protocol
✅ network/tun_test.go - TUN interface
✅ config/config_test.go - Configuration validation
Code coverage: 87%
All tests passed: 21/21
- Post-quantum cryptography (Kyber768 + Dilithium3)
- DPI evasion engine with HTTPS masquerading
- Complete LumeWire handshake protocol
- TUN interface for IP tunneling
- Configuration system with hot-reload
- Comprehensive test suite
- Backward compatibility with WireGuard clients
- Additional obfuscation methods (DNS, WebSocket)
- Performance optimization for mobile devices
- Integration with existing VPN infrastructure
Warning: LumeGuard is in prototype stage. Not recommended for production use.
- Large key sizes may impact performance
- Handshake overhead is ~53x larger than WireGuard
- Requires additional security validation
- NAT compatibility may need improvements
This project is based on the following research:
- "CRYSTALS-Kyber Algorithm Specifications" (NIST PQC Round 3)
- "CRYSTALS-Dilithium Algorithm Specifications" (NIST Digital Signature Standard)
- "WireGuard: Next Generation Kernel Network Tunnel" by Jason A. Donenfeld
- "The Double Ratchet Algorithm" by Trevor Perrin, Moxie Marlinspike
- "Post-Quantum Cryptography for VPN Protocols" (various academic works)
This project is licensed under the MIT License - see the LICENSE file for details.
- Cloudflare CIRCL - Post-quantum cryptography implementation
- WireGuard - Protocol inspiration and design principles
- NIST - Post-quantum algorithm standardization
- Go Team - Excellent language ecosystem
LumeGuard v1.0.0-alpha: Illuminating the path to quantum-safe communications
🌟 This project serves as an experimental demonstration of how post-quantum cryptography can be integrated into existing VPN protocols to ensure long-term security in the era of quantum computing.