GUIDE

How to hide OpenVPN traffic – an introduction

As internet censorship tightens across the world, governments are becoming more and more concerned with preventing the use of VPNs to circumvent their restrictions. China, with its Great Firewall, has been particularly active in this regard, and there have been many reports of VPN connections into and out of China being blocked.

The problem is that while a firewall cannot ‘see’ the data inside an encrypted VPN tunnel, increasingly sophisticated firewalls are able to use Deep Packet Inspection (DPI) techniques to work out which protocol is being used. They do not need to decrypt anything: it is enough to recognise, for example, the handshake and packet framing that OpenVPN puts around its TLS/SSL session.

There are a number of solutions to this problem, but most of them require a degree of technical expertise and server-side configuration, which is why this article is simply an introduction to the options available. If hiding your VPN signal is important to you and running OpenVPN over TCP port 443 (see below) is insufficient, then you should contact your VPN provider to discuss whether they would be willing to implement one of the solutions outlined below (or alternatively find a provider, such as AirVPN, that already offers this type of support).

Run OpenVPN through TCP port 443

By far the simplest method, one that can be done entirely from your (the client) end and requires no special server-side software, is to connect to your provider over TCP port 443 instead of OpenVPN’s default port. It works in most cases, provided your provider has a server instance listening on TCP port 443.

OpenVPN by default uses UDP port 1194 (or TCP port 1194 when run in TCP mode), so it is common for firewalls to monitor port 1194 (and other commonly used VPN ports) and reject the encrypted traffic that tries to use them. TCP port 443 is the default port used by HTTPS (Hypertext Transfer Protocol Secure), the protocol that secures https:// websites, and is used throughout the internet by banks, Gmail, Twitter, and many more essential web services.

Not only is OpenVPN traffic, which like HTTPS is built on TLS (the successor to SSL), difficult for a simple port-and-protocol filter to pick out on port 443, but blocking that port outright would severely cripple access to the internet and is therefore not usually a viable option for would-be web censors.

Switching to TCP port 443 is one of the most commonly supported options in providers’ custom OpenVPN clients, which makes the change trivial; in the standard OpenVPN client it is a two-line edit to the .ovpn profile (the protocol line and the port on the remote line). If your VPN provider supplies neither such a client nor a port-443 profile, then you should contact them.
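As an added illustration of that edit (not a profile from this article or from any provider; vpn.example.com stands in for your provider’s server name), the relevant lines of a client .ovpn before and after the change:

```conf
; Before (stock profile): UDP to OpenVPN's default port
;proto udp
;remote vpn.example.com 1194

; After: TCP to the HTTPS port. The provider must have an OpenVPN
; instance listening on TCP 443 for this to connect.
proto tcp
remote vpn.example.com 443
```

In a client profile `proto tcp` means TCP client mode. If the profile writes the protocol on the remote line instead (`remote vpn.example.com 1194 udp`), change it there to `remote vpn.example.com 443 tcp`.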

Unfortunately, OpenVPN does not put a bare TLS session on the wire: it wraps each TLS record in its own packet format (an opcode/key-ID byte, an 8-byte session ID and, over TCP, a two-byte length prefix), so the first packet a client sends is an OpenVPN ‘hard reset’, not a TLS ClientHello. Advanced Deep Packet Inspection (of the type increasingly used in places such as China) can check whether traffic on port 443 follows the ‘real’ SSL/TLS handshake, and OpenVPN’s does not. In such cases alternative methods of evading detection need to be found.
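To make that difference concrete, here is a small classifier, added as an example for this article (it is not from the original page or from any DPI product), that looks only at the first bytes a client sends on a TCP connection and reports whether they are an OpenVPN session start or a genuine TLS ClientHello. The packets it runs against are constructed inline from the OpenVPN and TLS wire formats; the session ID, HMAC and random bytes are arbitrary placeholders.

```python
"""Toy DPI check: distinguish OpenVPN-over-TCP from a genuine TLS ClientHello
by inspecting the first bytes of a TCP stream.

Added example for this article, not the page's own code. The sample packets
below are constructed by hand from the OpenVPN and TLS wire formats.
"""

# OpenVPN opcodes live in the top 5 bits of the first byte after the 2-byte
# TCP length prefix; the low 3 bits are the key ID (0 for a new session).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # session start, plain or tls-auth
P_CONTROL_HARD_RESET_CLIENT_V3 = 10  # session start with tls-crypt-v2
SESSION_START_OPCODES = {P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3}

TLS_RECORD_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    record_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    return (record_type == TLS_RECORD_HANDSHAKE
            and major == 0x03 and minor in (0x01, 0x02, 0x03)
            and record_len >= 4
            and data[5] == TLS_HANDSHAKE_CLIENT_HELLO)


def looks_like_openvpn_tcp_start(data: bytes) -> bool:
    """True if data starts with an OpenVPN-over-TCP hard-reset packet."""
    if len(data) < 3:
        return False
    pkt_len = int.from_bytes(data[0:2], "big")   # OpenVPN's own TCP framing
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # A hard reset is at least opcode + 8-byte session ID + ack count + packet ID
    # (14 bytes); the upper bound is a plausibility check, not a protocol limit.
    return (opcode in SESSION_START_OPCODES and key_id == 0
            and 14 <= pkt_len <= 1500 and pkt_len <= len(data) - 2)


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'openvpn' or 'unknown' for the opening bytes of a stream."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if looks_like_openvpn_tcp_start(data):
        return "openvpn"
    return "unknown"


def build_openvpn_hard_reset(tls_auth: bool) -> bytes:
    """Construct the first client packet of an OpenVPN TCP session (sample data)."""
    session_id = bytes.fromhex("0123456789abcdef")          # arbitrary placeholder
    body = bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + session_id
    if tls_auth:
        body += b"\x11" * 20                                 # HMAC-SHA1 placeholder
        body += b"\x00\x00\x00\x01" + b"\x5f\x00\x00\x00"    # replay packet ID + timestamp
    body += b"\x00"                                          # ack array length
    body += b"\x00\x00\x00\x00"                              # message packet ID
    return len(body).to_bytes(2, "big") + body               # 14 or 42 bytes long


def build_tls_client_hello() -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample data)."""
    hello = (b"\x03\x03" + b"\x22" * 32      # client_version, random placeholder
             + b"\x00"                       # session ID length
             + b"\x00\x02\x13\x01"           # one cipher suite
             + b"\x01\x00"                   # compression: null only
             + b"\x00\x00")                  # no extensions
    handshake = bytes([TLS_HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: what a DPI box would see at the start of each stream.
SAMPLES = {
    "openvpn on 443, no tls-auth": build_openvpn_hard_reset(tls_auth=False),
    "openvpn on 443, tls-auth": build_openvpn_hard_reset(tls_auth=True),
    "https (or stunnel-wrapped openvpn)": build_tls_client_hello(),
    "plain http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_first_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:38} -> {verdict}")
```

The point of the third sample is the one the later sections rely on: once OpenVPN is wrapped in a standard TLS tunnel (stunnel), the only thing on the wire is an ordinary ClientHello, so a check like this, and a real DPI engine, reports ‘tls’ and never gets to see the OpenVPN framing.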

Obfsproxy

Obfsproxy is a tool designed to wrap data in an obfuscation layer, making it difficult to detect that OpenVPN (or another VPN protocol) is being used. It was developed by the Tor Project as a ‘pluggable transport’, largely in response to China blocking access to Tor, but it is independent of Tor and can be configured to carry OpenVPN.

To work, obfsproxy needs to be installed on both the client’s computer and the VPN server, and the server’s OpenVPN instance must be listening on a TCP port (here 1194), because obfsproxy only carries TCP. On the server, all that is then required is a command line such as:

obfsproxy obfs2 --dest=127.0.0.1:1194 server x.x.x.x:5573

This tells obfsproxy to listen for obfuscated connections on port 5573 of address x.x.x.x (replace x.x.x.x with the server’s public IP address, or use 0.0.0.0 to listen on all network interfaces), strip the obfuscation, and forward the de-encapsulated data to OpenVPN on local port 1194. On the client, obfsproxy is run in client mode, listening on a local port and sending obfuscated traffic to x.x.x.x:5573, and the OpenVPN client is pointed at that local port instead of at the server. The server therefore needs a fixed public address and port that the client can be configured with, which is why it is best to arrange a static IP with your VPN provider.

Compared to the tunnelling options presented below, obfsproxy is not as secure as an extra encryption layer: obfs2 obfuscates the stream but does not encrypt it in any meaningful sense (its keys are derived from values exchanged in the clear during its own handshake), so a DPI box that implements the protocol can unwrap it, although the OpenVPN tunnel inside remains encrypted. In exchange it has a much lower bandwidth overhead, since it is not carrying an additional layer of encryption. This can be particularly relevant for users in places such as Syria or Ethiopia, where bandwidth is often a critical resource. Obfsproxy is also somewhat easier to set up and configure. Note that obfs2 has since been deprecated by the Tor Project precisely because its handshake can be identified; obfs3 and, later, obfs4 replaced it, and if your provider offers obfsproxy you should ask which transport it uses.
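The full client/server pairing, as an added example rather than anything from the article: the command-line shape (transport name, `--dest`, then the mode and a listen address) is obfsproxy’s own; the addresses and port numbers are assumptions, and x.x.x.x is the server’s public IP.

```text
# Server: obfs2 listener on all interfaces, port 5573, forwarding the
# unwrapped stream to an OpenVPN instance running in TCP mode on 1194
obfsproxy obfs2 --dest=127.0.0.1:1194 server 0.0.0.0:5573

# Client: obfs2 in client mode, listening on a local port (1050) and
# sending the obfuscated stream to the server
obfsproxy obfs2 --dest=x.x.x.x:5573 client 127.0.0.1:1050

# client.ovpn: point OpenVPN at the local obfsproxy port, not the server
proto tcp
remote 127.0.0.1 1050
```

Everything OpenVPN-specific (certificates, tls-auth, the server’s own verification of the client) is unchanged; obfsproxy only rewrites the bytes between the two listeners, which is why the inner tunnel is no less secure than before.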

OpenVPN through an SSL tunnel

A Secure Sockets Layer (SSL) tunnel can, on its own, be used as an effective alternative to OpenVPN, and in fact many proxy servers use one to secure their connections (an article on setting this up is available here). It can also be used to completely hide the fact that you are using OpenVPN.

As we noted above, OpenVPN’s use of TLS/SSL is recognisably different from ‘true’ SSL/TLS on the wire and can be detected by sophisticated DPI. To avoid this, it is possible to ‘wrap’ the OpenVPN data in an additional, standard TLS layer. A DPI box sees only the outer layer, which is an ordinary TLS session with a normal handshake, and cannot look through it to the OpenVPN framing ‘inside’. (It can still see that the connection is long-lived and carries a lot of data, which is a weaker tell but one that some censors act on.)

SSL tunnels are usually made using the multi-platform stunnel software, which must be configured on both the server (in this case your VPN provider’s VPN server) and the client (your computer). It is therefore necessary to discuss the situation with your VPN provider if you want to use SSL tunnelling (a setup guide is available here for reference), and to receive configuration instructions from them if they agree. A few providers offer this as a standard service, but AirVPN is the only one we have so far reviewed (anonypoz being another).

Using this technique does incur a performance hit, as an extra layer of data is being added to the signal. Because the outer tunnel is TCP, OpenVPN must also be run in TCP mode inside it, and a TCP stream carried inside another TCP stream is slower than UDP and degrades badly on lossy links, as both layers retransmit the same lost data.
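A minimal stunnel pairing for this, added here as an illustration (it is not the article’s or any provider’s configuration; file paths, ports and vpn.example.com are assumptions): the server terminates the outer TLS on 443 and hands the plaintext, which is still OpenVPN’s own encrypted stream, to an OpenVPN instance running in TCP mode on 127.0.0.1:1194; the client runs stunnel as a local listener and points OpenVPN at it. stunnel and OpenVPN both accept ‘;’ comments, so the three fragments are shown together.

```conf
; --- server: /etc/stunnel/stunnel.conf (OpenVPN runs with "proto tcp",
; --- "port 1194" and "local 127.0.0.1" so it is reachable only via stunnel)
cert = /etc/stunnel/stunnel.pem
[openvpn]
accept = 443
connect = 127.0.0.1:1194

; --- client: stunnel.conf
client = yes
; authenticate the outer layer against the provider's CA, not just encrypt it
verify = 2
CAfile = /etc/stunnel/provider-ca.pem
[openvpn]
accept = 127.0.0.1:1194
connect = vpn.example.com:443

; --- client.ovpn: connect to the local stunnel listener, not to the server
proto tcp
remote 127.0.0.1 1194
```

The `verify`/`CAfile` lines matter more than they look. The inner OpenVPN session authenticates the server with its own certificate either way, so the tunnel itself stays safe without them, but an unauthenticated outer layer can be terminated by an interception middlebox, which would then see the OpenVPN framing again and so defeat the purpose of the wrapper.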

OpenVPN through an SSH tunnel

This works in a very similar way to using OpenVPN through an SSL tunnel, except that the OpenVPN encrypted data is wrapped inside a layer of Secure Shell (SSH) encryption instead, using SSH’s port-forwarding feature. SSH is used primarily for accessing shell accounts on Unix systems, so its use is mainly restricted to the business world, and it is nowhere near as popular as SSL.

As with SSL tunnelling, you will need to talk to your VPN provider to get it working, although AirVPN supports it ‘out of the box’. On Windows the SSH tunnel is usually made with the PuTTY telnet/SSH client (on Linux and OS X the ssh command does the same job), and a relatively simple setup guide can be found here.
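For reference, the forward itself, as an added example (not taken from the article or from any provider’s guide; the user name, host name and the port 1194 on the server are assumptions, and the server’s OpenVPN must be running in TCP mode):

```text
# Client (OpenSSH): hold the session open (-N) and forward local TCP port
# 1194 through it to OpenVPN on the server's loopback interface.
ssh -N -L 127.0.0.1:1194:127.0.0.1:1194 user@vpn.example.com

# PuTTY equivalent: Connection > SSH > Tunnels, source port 1194,
# destination 127.0.0.1:1194, type Local, then Add.

# client.ovpn: connect to the local end of the SSH forward
proto tcp
remote 127.0.0.1 1194
```

Accept the server’s SSH host key only after checking it against what the provider published: the host key plays the same role here as the CA file does for stunnel, and a silently accepted key means the outer layer could be terminated by someone other than your provider.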

Conclusion

Without very deep packet inspection, OpenVPN encrypted data looks just like regular SSL traffic. This is especially true if it is routed via TCP port 443, where a) you would expect to see SSL traffic and b) blocking it would hamstring the internet.

However, countries such as Iran and China are very determined to control their populations’ access to the internet, and have put in place technically impressive (if morally objectionable) measures to detect OpenVPN encrypted traffic. As merely being discovered using OpenVPN can get you into trouble with the law in such countries, it is in these situations a very good idea to use one of the additional precautions outlined above.


Douglas Crawford: I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living.

31 responses to “How to hide OpenVPN traffic – an introduction”

  1. Hi, is there any other way than using TCP port 443 that can be used on Android devices too? Using port 443 usually works in Iran, but sometimes they use DPI and we can’t use OpenVPN anymore. Thanks

    1. Hi anony,

      You can try using providers that offer “stealth” technologies such as obfsproxy (a technology used to hide Tor nodes), or that hide VPN connections inside an SSL or SSH tunnel (AirVPN). The VPN provider summaries in my 5 Best VPNs for China article contain information on providers that offer such technologies.

    1. Hi Guy,

      That is fantastic! Thank you for sharing it with us! Did you compile this data yourself? If so, we would like your permission to refer to it (after checking our facts, of course), and where we do so directly, we would be happy to give you credit.

  2. Hi Douglas,
    I live in Kenya and one of the ISPs has blocked OpenVPN even through TCP port 443.
    I observed the log while launching my config file via OpenVPN: it connects over TCP and gets to “WAIT…” but doesn’t go beyond this, only to show a TLS handshake failure.
    DNS tunneling is working fine although very slow. What do you think I should do from my client side to counter this?
    Which of the above procedures that you stated do you think can be implemented from the client side and work fine?

    1. Hi Einstein,

      Unfortunately most solutions require server-side assistance from your VPN provider, so your first step should be to contact your provider. Not all providers support anti-censorship technologies such as SSL tunneling or obfsproxy connections, but all the ones listed in our 5 Best VPNs for China article are set up to help customers evade government blocking of their VPN services (in fact, many points made in that article are likely to be useful to you in Kenya.)

  3. Thank you for a very good tutorial. I am having problems with some friends connecting to my OpenVPN (ASUS router): they can log in and ping but they cannot surf, the page does not come up. I have no problems connecting to the server from outside and surfing is fine. My guess is that it is because of firewall settings they have. Reading your tutorial I am a little confused. Is it correct if I change the server from UDP to TCP, and the port it uses today (1194) to 443, and after that generate the .ovpn file for them to use to log in? Is that correct?

    1. Hi Kan,

      Changing to TCP port 443 is useful for evading attempts at blocking OpenVPN. If your friends can connect to your router over OpenVPN, though, then that is not the problem (although you are correct about how to change your settings). I’m afraid that I am not sure why your friends cannot surf from your router…

  4. Hi

    I am trying to connect to a China website via a Korea VPS, which is extremely stable and fast. I am using OpenVPN, but it is not working, I think possibly because of the port. How do you switch the port to 443 like you mentioned?

    1. Hi Michelle,

      You can change the port used by your OpenVPN instance by editing the OpenVPN server configuration file (server.conf?) and changing/adding the line ‘port 443’ (if you have 2 configuration files ensure this line is added to both).

  5. Surprised you didn’t mention the openvpn “port-share” option that has been there for years – even years before you wrote this post.

    Configure openvpn to listen on TCP-443, configure certificate authentication (with optional password auth, your call), then also enable the additional tls-auth feature. Once that all works, then configure port-share to a valid but very benign HTTPS website. Then setup port 80 with the same website, optionally with a redirect to https/443.

    Any connections that OpenVPN gets that are not tls-auth’d will be transparently sent to the HTTPS server. If anyone sees your traffic and goes to investigate without the proper tls-key they will simply see the website you sent them to.

    Various use cases I’ve set up:

    hidden OpenVPN and my personal website, both listening on TCP-443

    hidden openvpn and a RSS/ATOM -> Static HTML news feed both on TCP-443

    Setting reverse dns on the IP to the website name, to help feed the illusion this is simply a website that I frequent.

    The best part is, TCP-443 traverses most firewalls and proxies in most locations. Since OpenVPN is based on SSL, its traffic looks like a valid, though long-running, SSL connection. In most cases it goes unnoticed. Usually the give-away is the duration of the connection and the amount of data transferred. Most proxies don’t appear to log until the connection is finished, however, so that helps avoid detection.

    I convinced one client that the connection must be due to a browser bug when reading my news-site.

    99% of the time I can use this to egress most of my client’s networks without issue.

    1. Hi Sinister Brain,

      Thanks for the idea! This does require that you set up your own OpenVPN server, but it is a great way to hide OpenVPN traffic (it is also useful for accessing the internet on locked-down networks where access is typically restricted to ports 80 and 443.) When I get an OpenVPN server up and running again I’ll do a tutorial on this.
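The setup the commenter describes, written out as an added example (it is not the commenter’s own configuration and not from the article): an OpenVPN TCP server on port 443 with tls-auth and port-share. It assumes the certificates and ta.key already exist, that an HTTPS server for the decoy site is bound to 127.0.0.1:8443, and that vpn.example.com is the server; all of these are placeholders.

```conf
; --- server.conf (OpenVPN 2.1 or later; port-share needs TCP server mode)
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
; every control packet must carry a valid HMAC with the shared ta.key
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
; connections whose opening bytes are not OpenVPN (e.g. a browser's TLS
; ClientHello) are proxied to the decoy site, so probers see a website
port-share 127.0.0.1 8443

; --- client.ovpn: the matching client side
client
dev tun
proto tcp
remote vpn.example.com 443
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
```

One detail worth being precise about: port-share decides on the shape of the first bytes, handing off anything that does not look like OpenVPN at all. An OpenVPN-shaped packet that fails the tls-auth HMAC is simply dropped rather than proxied, so an active prober that sends a fake OpenVPN hard reset gets silence from the VPN port and a web page from a browser, which is a small but real tell.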

  6. How do i find this traffic on network? I think users are using this to play WOW. How do u use Wireshark to catch it? I am new to this. Thanks guys!

    1. You can’t. If users are playing online games, you might be able to induce half a second of lag and let them go crazy and give up.

  7. I’ve read the whole article but I have a question: I know that Tor has implemented obfuscated SSL too. How can I use both OpenVPN and Tor to encrypt my connection?

    Maybe doing a fusion between OVPN and Tor? Is there any configuration for it?

  8. 1- why deep packet inspection cannot be performed on protocols such as SSL and SSH?

    2- please Describe a method for protecting users against URL obfuscation attacks.

    1. This is because an encrypted website is naturally known to be encrypted, so there is no point trying to do deep packet inspection to find out whether it is encrypted or not.

      Port 80 is deep inspected to see if encrypted, but for a port that is naturally encrypted no point!!!

  9. I have a VPS which I have used to create a VPN service for myself via OpenVPN using TCP. However, my ISP has recently countered that and I cannot tunnel my internet via my VPN any longer, whether TCP or UDP. I was thinking that some of these suggestions might work.
    I observed the log while launching my config file via OpenVPN that it connects to the TCP and gets to the “WAIT…” but doesn’t go beyond this, only to show a TLS handshake failure.
    I don’t understand, as I was thinking that if the ports were outright blocked then it wouldn’t get to the WAIT… point, or am I wrong? However, I intend to try out your options above.
    I would appreciate any more suggestion if there is.

    also, DNS tunneling seems to be working for some people using some paid for apps or whatever. so, I want to know if I can also use my VPS for DNS tunneling like I have used it in the past for TCP/UDP tunneling.

    thank you in earnest.

  10. Hi, got a question about DNS Tunneling. I’ve been doing some searching regarding using OpenVPN with DNS Tunneling however I have not found any tutorials how to get those working. Perhaps you came across some articles. Thanks!

  11. Hi Niel,

    Well, the simple answer is that unless you live somewhere like Iran or China, then you probably don’t, as it will slow down your connection. As discussed in the article, tunnelling OpenVPN through an SSL layer will prevent an ISP from performing Deep Packet Inspection to detect an OpenVPN fingerprint.

    The advantage of this process over simply using SSL is that OpenVPN provides several important features that are not provided by SSL alone:

    – no need to configure anything to tunnel processes that use UDP
    – no special configuration needed for each application to be tunneled
    – routes, DNS and default gateway push from properly configured servers
    – integrated OpenVPN authentication on servers (AirVPN servers all support by default OpenVPN over SSH/SSL).

    I hope that helps.

    (p.s. I would like to thank the support team at AirVPN for their assistance in answering this question.)

    1. I am from India. I want to connect to FinchVPN through an OpenVPN configuration. I downloaded OpenVPN and the TCP port 443 configuration, but when I go to connect I cannot connect; many times it just shows “wait”. Please suggest something to solve this problem. Help me.

      1. Hi subha,

        I’m afraid that you will have to contact FinchVPN’s support, as a provider must support a TCP port 443 configuration for this to work. That said, it is often possible to just edit the OpenVPN config file (.ovpn) for TCP/443 by deleting any line that says “proto udp”, and adding “443 tcp” after the line e.g. “remote vpn.somewhere.com”. For example “remote vpn.somewhere.com 443 tcp”.
