
Add mock for amneziawg #9

@bobpaul

Description


AmneziaWG (described here) is a fork of WireGuard that adds some basic obfuscation. It's very much WireGuard specific and couldn't be implemented as an obfuscator (with the -o option) because it's not bi-directional the way the XOR obfuscators are. The implementation would need a -m amnezia_client for outgoing transforms and a -m amnezia_server for incoming traffic.

Reasonably, the amnezia mockers could be combined with other mockers. Amnezia would be the first transform in the pipeline on outgoing traffic (transforming the payload before wrapping in protocols or before feeding into DNS or websocket traffic) and the last transform on incoming traffic (after pulling the payload out of other protocols or mockers).

Why?

  • AmneziaWG's obfuscation strategy doesn't use any information internal to WireGuard, so it can be implemented as an external wrapper

  • AmneziaWG maintains a fork of wireguard-go as well as the linux-wireguard kernel module and 2 Android clients. It's possible that security or bug fixes from WireGuard upstream might not make it into Amnezia's fork in a timely manner. Implementing externally would allow someone to run any standard WireGuard client they trust but still benefit from Amnezia's obfuscation strategy.

  • AmneziaWG requires all peers use the same obfuscation tunables for the transforms (S1, S2, H1, H2, H3, H4), though each peer can have custom settings for the "Pre-initialization junk packets". With an implementation in obfuscation-tunnel, one could connect to an existing AmneziaWG tunnel but still customize their own obfuscation tunables between their client and wherever they're running ./tunnel.

  • ./tunnel does not require root; someone with user-level access to a system could use that system as a relay between their own amnezia client and an amnezia or wireguard server.

Why Not?

  • While Amnezia's obfuscation doesn't require WireGuard internals, session tracking does, and that justifies their decision to make a fork rather than an external wrapper. With WireGuard -> tunnel -> AmneziaWG, only 1 user can connect through the tunnel at a time. On the other hand, 1 user per tunnel is how this project is generally intended to be used.

  • AmneziaWG has a LOT of tunables. This might look ugly on the commandline without support for configuration file parsing.
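As an added illustration (not code from this issue, from obfuscation-tunnel, or from AmneziaWG), the following Python sketch shows the S1/S2/H1-H4 part of the transform the issue describes, working purely on the outer bytes of a WireGuard datagram: the 4-byte little-endian message-type field is replaced by the configured H value and S1/S2 junk bytes are prepended to handshake init/response packets, while the receiving side recovers the junk length from the packet size alone. The tunable values and packet contents are constructed for the example; the separate "pre-initialization junk packets" (Jc/Jmin/Jmax) are left out.

```python
import os
import struct

# Constructed tunables for this example (not AmneziaWG defaults); all peers must share them.
S1, S2 = 15, 22                                       # junk bytes before handshake init / response
H1, H2, H3, H4 = 0x1A2B3C4D, 0x2B3C4D5E, 0x3C4D5E6F, 0x4D5E6F70   # replacement type-field values

# Standard WireGuard message types and the fixed sizes of the handshake messages.
WG_INIT, WG_RESP, WG_COOKIE, WG_DATA = 1, 2, 3, 4
SIZE_INIT, SIZE_RESP = 148, 92

_TYPE_TO_HEADER = {WG_INIT: H1, WG_RESP: H2, WG_COOKIE: H3, WG_DATA: H4}
_HEADER_TO_TYPE = {v: k for k, v in _TYPE_TO_HEADER.items()}
_JUNK = {WG_INIT: S1, WG_RESP: S2}


def obfuscate(pkt: bytes) -> bytes:
    """Outgoing direction: swap the type field for its H value, prepend junk on handshake messages."""
    (msg_type,) = struct.unpack_from("<I", pkt, 0)
    if msg_type not in _TYPE_TO_HEADER:
        raise ValueError(f"unknown WireGuard message type {msg_type}")
    body = struct.pack("<I", _TYPE_TO_HEADER[msg_type]) + pkt[4:]
    return os.urandom(_JUNK.get(msg_type, 0)) + body


def deobfuscate(pkt: bytes) -> bytes:
    """Incoming direction: guess the junk length from the size, verify the H value, restore the type."""
    if len(pkt) == SIZE_INIT + S1:
        junk, expected = S1, H1
    elif len(pkt) == SIZE_RESP + S2:
        junk, expected = S2, H2
    else:
        junk, expected = 0, None
    (header,) = struct.unpack_from("<I", pkt, junk)
    if expected is not None and header != expected:
        # Size matched a handshake but the header did not: a transport packet that happens to
        # collide in size, so re-read the header at offset 0 with no junk.
        junk = 0
        (header,) = struct.unpack_from("<I", pkt, 0)
    if header not in _HEADER_TO_TYPE:
        raise ValueError("header matches no configured H value; drop the packet")
    return struct.pack("<I", _HEADER_TO_TYPE[header]) + pkt[junk + 4:]


def round_trip(pkt: bytes) -> bool:
    """True when server-side decoding inverts client-side encoding for this packet."""
    return deobfuscate(obfuscate(pkt)) == pkt


# Constructed sample packets: a 148-byte init, a 92-byte response, and a transport packet whose
# obfuscated size collides with SIZE_INIT + S1 (163 bytes) to exercise the fallback.
SAMPLE_INIT = struct.pack("<I", WG_INIT) + bytes(range(144))
SAMPLE_RESP = struct.pack("<I", WG_RESP) + bytes(range(88))
SAMPLE_DATA = struct.pack("<I", WG_DATA) + bytes(range(159))
```

The receiver never needs WireGuard's session state to undo the transform, which is the point made in the first "Why?" bullet.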
