How to hide your OpenVPN traffic

Censorship is one of the main threats for internet users, and while many have chosen to bypass restrictions with the help of a VPN, governments are looking for ways to prevent the use of this technology. Case in point: China, which controls internet access with its Great Firewall, is also implementing blocks on VPN services, trying to ensure that the restrictive measures in place are not circumvented.

Although it is not possible to get visibility of the data inside an encrypted VPN tunnel, firewalls are becoming more advanced and some of them use Deep Packet Inspection (DPI) in order to establish that encryption is being used. This would allow them to identify the SSL encryption used by OpenVPN, for example. There are different ways to tackle this issue, but in the majority of cases a certain level of technical skill is required. For this reason, we will focus on a simple introduction to the options available.

Port Forward OpenVPN through TCP port 443

This is, without a doubt, the easiest solution, and it can be done on your end (in the client) without requiring any changes on the server's side. By default, OpenVPN uses TCP port 1194, which is why firewalls are more likely to monitor this and other commonly used options. They would reject traffic that attempts to use this or other related ports.

On the other hand, TCP port 443 is used by default by HTTPS (Hypertext Transfer Protocol Secure), the protocol that secures https:// websites, and it is widely used on the internet by banking services, email providers, websites like Facebook, Twitter and more. Used over port 443, OpenVPN traffic is very difficult to detect, and since blocking that port would have a significant impact on internet access, censors are not likely to attempt that option.

Most custom OpenVPN clients support port forwarding, which means that you can easily change to TCP port 443. However, it must be kept in mind that the SSL encryption used by OpenVPN is not like standard SSL, and sophisticated Deep Packet Inspection like the one used in China will be able to determine whether the encrypted traffic corresponds to a genuine SSL/HTTPS handshake.

Forwarding your OpenVPN traffic through TCP port 443 is effective in most cases, but if it doesn’t work for you, consider contacting your VPN provider to check if they would implement any of the other methods that we will list, or look for a VPN that already supports a solution to avoid firewalls.

OpenVPN through an SSL tunnel

It is possible to use a Secure Socket Layer (SSL) tunnel on its own, instead of OpenVPN. Alternatively, SSL can be used to conceal the use of OpenVPN. It's worth keeping in mind that OpenVPN uses a TLS/SSL encryption protocol that slightly differs from "real" SSL and can be detected by advanced DPI techniques. To prevent this, the OpenVPN data can be wrapped in an additional layer of encryption. Since DPI can't get through this outer layer of SSL encryption, it won't be able to detect the OpenVPN encryption that is concealed within.
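The difference that DPI relies on, both in the port 443 section above and here, is visible in the very first bytes of a connection: a real TLS stream opens with a TLS record header (content type 0x16, version 3.x), while OpenVPN over TCP frames each packet with a 2-byte length followed by an opcode byte. The following added example (not code from the original article) builds constructed samples of both and runs a minimal classifier of the kind a network monitor could use to spot bare OpenVPN on port 443; a stunnel-wrapped session passes as ordinary TLS because its first bytes are a genuine ClientHello.

```python
# Constructed samples and a minimal classifier (added example, not from the
# article). Formats used: TLS record header = type(1) version(2) length(2);
# OpenVPN-over-TCP packet = length(2) then an opcode/key_id byte and payload.

# OpenVPN control opcodes a client sends as its very first packet
# (P_CONTROL_HARD_RESET_CLIENT_V1/V2 and the tls-crypt-v2 V3 variant).
OPENVPN_CLIENT_RESET_OPCODES = {1, 7, 10}


def tls_client_hello_sample(body_len=196):
    """Constructed TLS 1.2-style ClientHello record with a zero-filled body."""
    body = bytes([0x03, 0x03]) + bytes(body_len - 2)                  # client_version + padding
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = ClientHello
    return bytes([0x16, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def openvpn_hard_reset_sample(key_id=0):
    """Constructed P_CONTROL_HARD_RESET_CLIENT_V2 as framed on a TCP link."""
    opcode = 7
    body = (bytes([(opcode << 3) | key_id])       # high 5 bits opcode, low 3 bits key_id
            + bytes.fromhex("1122334455667788")   # 8-byte session id (made up)
            + b"\x00"                             # no acked packet ids
            + (0).to_bytes(4, "big"))             # packet id 0
    return len(body).to_bytes(2, "big") + body    # 2-byte length prefix used over TCP


def classify_first_segment(data: bytes) -> str:
    """Label the first bytes a TCP client sent: 'tls', 'openvpn-control' or 'unknown'."""
    # Real TLS (including a stunnel-wrapped OpenVPN session): handshake record,
    # version 3.x, record length matching the data, ClientHello inside.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        if int.from_bytes(data[3:5], "big") == len(data) - 5 and data[5] == 0x01:
            return "tls"
    # Bare OpenVPN on TCP: length prefix consistent with the segment, then a
    # client hard-reset opcode; this is what DPI keys on even on port 443.
    if len(data) >= 16:
        pkt_len = int.from_bytes(data[0:2], "big")
        if pkt_len == len(data) - 2 and (data[2] >> 3) in OPENVPN_CLIENT_RESET_OPCODES:
            return "openvpn-control"
    return "unknown"


if __name__ == "__main__":
    for name, sample in [("browser/stunnel", tls_client_hello_sample()),
                         ("bare OpenVPN on 443", openvpn_hard_reset_sample()),
                         ("plain HTTP", b"GET / HTTP/1.1\r\n\r\n")]:
        print(f"{name:22s} -> {classify_first_segment(sample)}")
```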

SSL tunnels are usually created using stunnel, an open-source, multi-platform program that has to be set up on the server (your provider's VPN server) as well as on the client running on your computer. If you want to use SSL tunneling, the best option would be to reach out to your provider to see if they are willing to give you configuration instructions. Some companies, like AirVPN, offer this as part of their services. Keep in mind that using this option will have an impact on performance, because an additional layer of encapsulation is added to the traffic.
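As an added illustration of the setup described above (a constructed configuration, not one from the article or from any provider), this is the pair of stunnel configurations that wraps an OpenVPN TCP connection in real TLS on port 443. The hostname vpn.example.com and the certificate paths are placeholders; stunnel only carries TCP, so the OpenVPN server must run `proto tcp-server` on port 1194 and the client must connect with `proto tcp-client` to 127.0.0.1 1194.

```ini
; --- /etc/stunnel/stunnel.conf on the VPN server (server mode is the default) ---
[openvpn-ssl]
accept  = 0.0.0.0:443           ; what the censor sees: a TLS service on 443
connect = 127.0.0.1:1194        ; local OpenVPN listener (proto tcp-server)
cert    = /etc/stunnel/stunnel.pem
key     = /etc/stunnel/stunnel.key

; --- /etc/stunnel/stunnel.conf on the client machine ---
[openvpn-ssl]
client      = yes
accept      = 127.0.0.1:1194    ; OpenVPN client uses: remote 127.0.0.1 1194, proto tcp-client
connect     = vpn.example.com:443
verifyChain = yes               ; check the server certificate against the provider's CA
CAfile      = /etc/stunnel/provider-ca.pem
checkHost   = vpn.example.com
```

Without `verifyChain` and `checkHost`, the outer TLS layer would still hide OpenVPN from DPI, but the client would accept any certificate and lose the authentication of the tunnel endpoint.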

OpenVPN through an SSH tunnel

This method is similar to using OpenVPN through an SSL tunnel, but in this case the OpenVPN encrypted data is hidden within a layer of Secure Shell (SSH) encryption. SSH is not as popular as SSL; it is generally used to access shell accounts on Unix systems and is mostly used for business purposes.

Just like with SSL tunneling, it is necessary to contact your VPN provider to set up SSH tunneling. The PuTTY telnet/SSH client is commonly used for SSH tunneling, and you can find setup guides online. A more convenient option would be to choose a VPN service that supports this by default.

Obfsproxy

This is a tool that wraps data in an obfuscation layer that makes it difficult to detect that OpenVPN (or another VPN protocol) is in use. The Tor network recently adopted this solution to deal with China's attempts to block access to public nodes. Obfsproxy can be configured for OpenVPN, but it has to be installed on the client's computer as well as on the VPN server. On the server, all that is needed is the following command:

obfsproxy obfs2 --dest=127.0.0.1:1194 server x.x.x.x:5573

Here 127.0.0.1:1194 is the local OpenVPN listener (assuming that port 1194 is used), and x.x.x.x should be replaced with your server's IP address, or with 0.0.0.0 to listen on all network interfaces.

This tells obfsproxy to listen on port 5573 for obfuscated connections, connect to OpenVPN on local port 1194 and forward the de-encapsulated data to it. The best option would be to set up a static IP with your VPN provider to ensure that the server knows which address and port to listen on. Obfsproxy is not as secure as the tunneling options previously listed, but it offers considerably lower bandwidth overhead because it doesn't involve an additional layer of encryption. Its setup is also easier.

Conclusion

When no sophisticated deep packet inspection is being used, OpenVPN encrypted data appears as regular SSL traffic, particularly if it is routed via TCP port 443. SSL traffic is common on this port, and blocking it would pretty much disable the internet. That being said, in countries with restricted internet, authorities are taking measures to strengthen their control and are working to detect OpenVPN encrypted traffic effectively. This is why it is important to use one of the methods listed.