
> WireGuard uses UDP and a small handshake footprint, making detection and blocking via DPI harder.

Not quite true. Wireguard is already actively detected and suppressed if necessary. There's already a fork that employs basic changes to improve the protocol in this regard. AmneziaWG was shown to be more robust to detection for now.

https://docs.amnezia.org/documentation/amnezia-wg/

Too bad managing WG is such a pain and Tailscale/Netbird don't support this protocol yet. The following two issues need attention:

https://github.com/tailscale/tailscale/issues/10696

https://github.com/netbirdio/netbird/issues/1096



At Obscura we just tunnel WireGuard over QUIC's unreliable datagram mechanism to make it look like HTTP/3 (for DPI): https://github.com/Sovereign-Engineering/obscuravpn-client/b...

We just upstreamed our patch to quinn-rs that pads Datagrams to MTU: https://github.com/quinn-rs/quinn/pull/2274


Some DPIs just flat out block HTTP/3 already.


> Some DPIs just flat out block HTTP/3 already.

Actually, some DPIs just straight-up reject UDP (and since DNS and NTP are UDP-based*, just straight-up interception-and-redirect).

* TCP DNS exists but is practically not used for most "normal" tasks, and at this point the censor is trying to block anything anyway.


> Too bad managing [Wireguard] is such a pain[.]

It is? My clients on OpenBSD need about ten lines in /etc/hostname.wg[0-9]+ and that includes the routes!


If hub-and-spoke does it for you, it's manageable.


True, but based on my research they don't use DPI on the NIN, so you might be able to use WG or OpenVPN on a VPS inside Iran but not to a VPS on, let's say, DigitalOcean. They can also selectively increase or decrease the strength of their DPI; for example, a range of IPs can be graylisted and nothing will work on it, or they put more active probing effort on some ranges of IPs.
