technical

Geographic Labyrinth

A build log on a homelab project: chain six WireGuard hops across Docker containers on a single box, with each middle hop SNAT'd to a real country's IP allocation. Local observers see traffic pinballing Russia → Canada → Taiwan → Australia. The destination still sees my real WAN IP.

Not a privacy tool: the exit is still my own WAN IP, so nothing here hides me from the destination or from anyone watching upstream of the box. It is a misdirection tool against one specific class of observer — EDR connection-metadata collection, untrusted CPE telemetry, LAN-side flow analysis. The write-ups say plainly what it does and doesn't do.

Parts

  1. A WireGuard Pinball Machine on a Single Box — what it is, what it isn't, the research that turned up no upstream, and the five footguns already hit or still incoming.
  2. Handshakes Up, Routing Down — Three Bugs That Bypassed the Chain — build session post-mortem. Cryptography came up clean; the data plane silently bypassed every tunnel. Three independent routing bugs diagnosed from pcaps and a one-shot patch script.
  3. (forthcoming) Runtime verification, per-hop SNAT to country prefixes, the traceroute responder, MTU shakedown, host-side selective entry via fwmark.

Editor's note (2026-06-08): Part 1 was originally published with a paragraph claiming OblivionEdge wasn't a real upstream. That was wrong — OblivionEdge is the real Zero Trust SOHO router OS by DBA1337TECH, maintained by a community member, and the Labyrinth's container images derive from it. Part 1 has been corrected in place; this index inherits the same provenance.

Built on

  • OblivionEdge (verified against upstream 1055b3f, 2025-12-11) — the upstream Zero Trust SOHO router OS the Labyrinth's container images derive from. Rust + PREEMPT_RT Alpine kernel, TPM attestation, X.509-pinned ZTNA, WireGuard tunnel layer, FIPS-hardened OpenSSL. The oblivion-router:dev image used at every Labyrinth hop is built from that codebase; the hops run on a separate small Linux box next to my actual OblivionEdge router, not on the router hardware itself. The maintainer is a community member; the relationship is collaborator, not arm's-length.
  • Pro Custodibus — Multi-Hop WireGuard — canonical how-to. Per hop, Table = N on the outbound interface plus ip rule add iif wg0 table N priority M for the inbound one, so packets arriving from the previous hop are routed into the next tunnel instead of falling through to the main table. The structural pattern the Labyrinth uses.
  • dadevel/wg-netns — active, declarative wg-quick with namespaces. JSON config, systemd integration, docker/podman attachment.
  • JeWe37/wireguard-onion — single-commit PoC; closest structural match (nested namespaces, birthplace-socket trick, ~30 lines of bash). Abandoned but architecturally sound.
  • wireguard.com/netns — the kernel property the design relies on: a WireGuard interface's UDP socket stays bound to the namespace it was created in.
  • WireGuard in Containers — the evergreen gotchas reference distilled from this build (sysctls, capabilities, rp_filter, MTU stacking, birthplace-socket trick).
  • VPN Recommendation — where self-hosted multi-hop sits alongside Mullvad, IVPN, Tor-over-VPN, with explicit "not a commercial-VPN replacement" framing.
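The two kernel-level ingredients above, the Pro Custodibus Table = N plus iif rule pattern and the wireguard.com/netns socket property, as an added example. This is not code from the Labyrinth, OblivionEdge, Pro Custodibus or wireguard-onion. It assumes hop N runs in a container or netns named hopN with wg0 facing the previous hop and wg1 facing the next, routing table 100+N, rule priority 1000+N, an overlay of 10.78.N.0/24, and hop N+1 reachable at 172.20.0.(N+1):51820 on the Docker network; the key fields are placeholders to be filled from wg genkey. The generator and the checks run without privileges; move_wg and verify_hop need root and iproute2 and are only called deliberately.

```shell
#!/bin/sh
# Added example (not Labyrinth, OblivionEdge, Pro Custodibus or
# wireguard-onion code). Assumed layout: hop N lives in netns/container
# "hopN", wg0 = inbound from hop N-1, wg1 = outbound to hop N+1,
# table 100+N, rule priority 1000+N, overlay 10.78.N.0/24, next hop at
# 172.20.0.(N+1):51820 on the Docker network. Keys are placeholders.

# rule_cmd add|del N -> the ip rule line hop N installs on PostUp/PostDown.
rule_cmd() {
  printf 'ip rule %s iif wg0 table %d priority %d' "$1" $((100 + $2)) $((1000 + $2))
}

# out_conf N -> wg-quick config for hop N's outbound interface wg1.
# "Table = 100+N" makes wg-quick install the 0.0.0.0/0 route for the peer
# into that table instead of main, so the hop's own management traffic is
# untouched. The iif rule is what sends packets that arrived over wg0 into
# that table, i.e. into the next tunnel; without it they fall through to
# main and leave on the hop's plain network interface, bypassing the chain
# even though every handshake completes.
out_conf() {
  n=$1
  next=$((n + 1))
  cat <<EOF
[Interface]
PrivateKey = <hop-${n}-wg1-private-key>
Address = 10.78.${n}.1/24
Table = $((100 + n))
PostUp = $(rule_cmd add "$n")
PostDown = $(rule_cmd del "$n")

[Peer]
PublicKey = <hop-${next}-wg0-public-key>
Endpoint = 172.20.0.${next}:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# verify_hop N: run inside hopN after "wg-quick up wg1". A finished
# handshake says nothing about the data plane; these three checks are what
# prove forwarded traffic can only leave through wg1. Needs root.
verify_hop() {
  ip rule show | grep -q "iif wg0 lookup $((100 + $1))" || return 1
  ip route show table $((100 + $1)) | grep -q '^default dev wg1' || return 1
  [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ]
}

# move_wg IFACE BIRTH_NS DEST_NS: the wireguard.com/netns property. The
# interface is created in BIRTH_NS and then moved to DEST_NS, but its UDP
# socket stays in BIRTH_NS, so ciphertext leaves via BIRTH_NS's routes while
# the plaintext side of the tunnel exists only inside DEST_NS. Creating
# hop N's wg1 in hopN and moving it into hop(N+1) is how the layers nest
# without any iptables. Needs root.
move_wg() {
  ip netns exec "$2" ip link add "$1" type wireguard
  ip netns exec "$2" ip link set "$1" netns "$3"
}

# Stand-alone run: show the generated config for hop 2.
out_conf 2
```

Usage: out_conf N > /etc/wireguard/wg1.conf inside hopN, then wg-quick up wg1 and verify_hop N; the rule_cmd output is also the line to look for in ip rule show when a hop is silently leaking onto its Docker interface.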
