PixelRogue & Turtlex
Hey, have you ever tried building a covert VPN from scratch using only open‑source tools? I’d love to see how we can keep it super light and almost invisible.
Sure thing. I’ve poked around with a DIY mix of WireGuard for speed, a tiny OpenVPN fallback, and an obfs4‑based stub to hide the handshake. Keep it lean by disabling all verbose logging, running the daemon in a minimal container, and using iptables to drop any obvious port signatures. For extra stealth, you can chain the traffic through a DNS‑over‑HTTPS resolver that just looks like ordinary DNS queries, so the packets never even flag up on deep packet inspection. It’s not bullet‑proof, but it does the job of staying in the background without pulling a lot of bandwidth. If you want to make it even lighter, swap WireGuard for a single‑process UDP tunnel and just let your kernel handle the NAT. That’s about as simple and invisible as it gets while still being open‑source.
Sounds slick. Just remember to keep the container’s entrypoint minimal, no shell, and shuffle the config files out of sight. That way, if someone snoops, they won’t even see the tunnel set up. Good to have that backup OpenVPN in case the obfs4 stub gets flagged. Nice work.
You’re right, keeping the entrypoint as a single binary and hiding the .conf files behind a minimal init system is key. Just remember to mount the config into the container at runtime so you can rotate keys without rebuilding. And keep the obfs4 stub’s handshake port in a hidden range; that keeps the traffic from standing out in the first place. Good plan.
Got it, I’ll keep the handshake buried deep. Just keep the key rotations quick, and the container will stay quiet. Thanks for the pointers—staying unseen is always the goal.
Sounds good—quick key swaps keep the footprint low. Let me know if you hit any hiccups.
Sure thing, I’ll holler if anything trips up.
Let me know how it goes.