OpenVPN Cloaking with Stunnel or Obfsproxy
Given here are two methods of keeping an OpenVPN service usable against filtering by governments opposed to anonymity, security, and free access to the internet. Both methods exist because of the deployment of deep packet inspection (DPI), surveillance technology that recognizes VPN connections by their protocol signature and so enables blocking them. OpenVPN connections are high priority targets because of the protocol's speed, security, and popularity among internet users. Stunnel wraps the OpenVPN session inside an ordinary TLS connection, so to a DPI box it looks like HTTPS or any other TLS traffic; Obfsproxy wraps it in an obfuscation layer that matches no protocol signature at all. Neither hides the fact that a long-lived encrypted flow to a particular server exists. At some point in the future, expect OpenVPN to alter its protocol for more resistance to detection and blocking. Until then, use these instructions to evade DPI as it is deployed today. The methods are not perfect: a determined censor with enough time can block any flow it cannot classify, blacklist the server's IP address outright, or throttle everything it fails to identify. Regularly changing server IP addresses and keys keeps a cloaked OpenVPN service ahead of address blacklists; it does not make a national firewall powerless.
Note: The instructions given here for cloaking OpenVPN with Stunnel or Obfsproxy were worked out on a system running Debian Sid GNU/Linux. They should apply, with minor changes, to other Linux systems. macOS and Windows systems can also use Stunnel or Obfsproxy with OpenVPN, but the installation method differs from what is shown here.
Configuring an OpenVPN System for Stunnel
Stunnel sits between the OpenVPN server and the internet. Inbound connections from clients are TLS-decrypted and forwarded to the OpenVPN server on the loopback interface; outbound data is TLS-encrypted and sent back to the clients, so any surveillance box on the path sees only an ordinary TLS session. Because stunnel carries TCP streams, OpenVPN must run in TCP mode for this method (proto tcp-server on the server, proto tcp-client on the client); a UDP tunnel cannot be wrapped this way.
Stunnel on the OpenVPN Server
Install Stunnel:
apt-get install stunnel4
Move to the stunnel directory:
cd /etc/stunnel/
Create a 4096-bit RSA private key for the server:
openssl genrsa -out server.key 4096
Create a certificate signing request from the key (the identity prompts can be answered with anything; clients will pin this certificate rather than trust a CA):
openssl req -new -key server.key -out server.csr
Self-sign the request to produce the server certificate, valid for one year:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Put the key and certificate into a single pem file for stunnel, and restrict its permissions, since it contains the private key:
cat server.key server.crt > server.pem
Keep a copy of server.crt; it is the file distributed to clients so they can verify they are talking to this server and not to a firewall impersonating it.
After the key and certificate are created, write the stunnel configuration. Create /etc/stunnel/stunnel.conf with any suitable editor (vi, nano, gedit, for example) and copy the following into it. The server side runs with client = no: it terminates the TLS connections from clients and forwards the plaintext to OpenVPN on the loopback interface.
sslVersion = TLSv1.2
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
cert = /etc/stunnel/server.pem

[openvpn]
client = no
accept = 16080
connect = 127.0.0.1:3389
The accept port is the public TCP port clients reach over the internet; it should be a high port not used by other applications, or 443 if the aim is to blend in with HTTPS. The connect port MUST be the TCP port OpenVPN itself listens on, and OpenVPN should be bound to the loopback interface (local 127.0.0.1, port 3389 and proto tcp-server in its server config) so that the uncloaked port is never reachable from outside. Do not add compression = zlib (TLS compression leaks plaintext structure and has been removed from modern OpenSSL) and do not use sslVersion = all, which admits SSLv3 and TLS 1.0. After editing and double checking the entries, save the file and quit the editor.
Enable and start stunnel. Open the file /etc/default/stunnel4 in a text editor, find the ENABLED parameter and change ENABLED=0 to ENABLED=1. After double checking the entry, save the file and quit the editor. Start stunnel4 with the command:
/etc/init.d/stunnel4 start
With ENABLED=1 the Debian init script starts stunnel at every boot, so nothing needs to go into /etc/rc.local. If stunnel fails to start, the usual cause is a cert path or permissions problem on server.pem, and with debug = 7 the reason is logged to syslog.
Restart OpenVPN, now configured for TCP on 127.0.0.1:3389, with the command:
service openvpn restart
Before going further, confirm that stunnel is listening on the public port and that OpenVPN is listening only on the loopback address.
Stunnel on the OpenVPN Client
Install Stunnel:
sudo apt-get install stunnel4
Use the following configuration for the client's /etc/stunnel/stunnel.conf. ENDPOINT_IP should be written as the actual IP address of the OpenVPN server, and server.crt is the certificate created on the server, copied to the client over a trusted channel. With verifyPeer the client refuses any endpoint presenting a different certificate, so the TLS layer itself cannot be quietly intercepted and terminated by the censor.
client = yes
verifyPeer = yes
CAfile = /etc/stunnel/server.crt

[openvpn]
accept = 127.0.0.1:16080
connect = ENDPOINT_IP:16080
Edit the OpenVPN config file so that it connects to the local stunnel listener over TCP. The "remote" line becomes:
remote 127.0.0.1 16080
and the protocol must be TCP:
proto tcp-client
Add the following line to the OpenVPN config file. It pins a host route to the real server through the pre-VPN default gateway. Without it, once the tunnel becomes the default route, the stunnel connection that carries the tunnel would itself be routed into the tunnel and the session would collapse; OpenVPN does not add this route automatically here, because its "remote" is 127.0.0.1, not the real server:
route ENDPOINT_IP 255.255.255.255 net_gateway
The stunnel listener on 127.0.0.1:16080 needs no inbound port opened to the network. Only if the INPUT chain has a DROP policy that also drops loopback traffic is a rule needed, and then the right rule admits the loopback interface rather than exposing the port:
sudo iptables -A INPUT -i lo -j ACCEPT
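The pairing mistakes above (a server-side stunnel left in client mode, a connect port that does not match the OpenVPN port, a client that never verifies the certificate, a forgotten host route) are easy to make and silent until the tunnel fails. The following Python script is an added example, not code from this page or from the stunnel or OpenVPN projects; it parses both stunnel.conf files and both OpenVPN configs and reports those mistakes. The configuration text embedded in it is constructed for the example, with 203.0.113.10 standing in for ENDPOINT_IP, and the finding codes are this example's own invention.

```python
"""Consistency lint for a stunnel-wrapped OpenVPN deployment (added example).
Configuration text below is constructed; 203.0.113.10 stands in for ENDPOINT_IP.
Finding codes and messages are this example's own."""
import re

LOOPBACK = ("127.0.0.1", "localhost")

def _lines(text):
    # Yield non-empty lines with ';' and '#' comments stripped (stunnel and OpenVPN).
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        if line:
            yield line

def parse_stunnel(text):
    """Return (global_opts, {service: opts}); keys lowercased, values in file order."""
    glob, sections, cur = {}, {}, None
    for line in _lines(text):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                  # [service] header starts a section
            cur = sections.setdefault(m.group(1), {})
            continue
        key, _, val = line.partition("=")
        (glob if cur is None else cur).setdefault(key.strip().lower(), []).append(val.strip())
    return glob, sections

def parse_openvpn(text):
    """Return {directive: [args, ...]} for an OpenVPN config, one directive per line."""
    opts = {}
    for line in _lines(text):
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def endpoint(value, default_host):
    # Split stunnel's 'host:port' or bare 'port' accept/connect syntax.
    host, _, port = value.rpartition(":")
    return host or default_host, int(port)

def opt(glob, sect, key):
    # stunnel semantics: a service-level option overrides the global one.
    vals = sect.get(key) or glob.get(key) or []
    return vals[-1] if vals else None

def shared_findings(glob, sect, ovpn, role):
    out = []
    if opt(glob, sect, "compression"):
        out.append(("COMPRESSION", "TLS compression leaks plaintext structure; remove it"))
    if (opt(glob, sect, "sslversion") or "").lower() == "all":
        out.append(("SSLVERSION", "sslVersion = all admits SSLv3/TLS1.0; pin TLSv1.2 or newer"))
    proto = (ovpn.get("proto") or [["udp"]])[-1][0]     # OpenVPN defaults to UDP
    if not proto.startswith("tcp"):
        out.append(("NOT_TCP", f"proto {proto}: stunnel carries TCP only, use proto tcp-{role}"))
    return out

def lint_server(stunnel_text, openvpn_text):
    glob, sections = parse_stunnel(stunnel_text)
    sect, ovpn = sections.get("openvpn", {}), parse_openvpn(openvpn_text)
    out = shared_findings(glob, sect, ovpn, "server")
    if (opt(glob, sect, "client") or "no").lower() == "yes":
        out.append(("ROLE", "server-side stunnel has client = yes; it must terminate TLS with client = no"))
    if not opt(glob, sect, "cert"):
        out.append(("NO_CERT", "no cert = ...; a TLS server needs server.pem"))
    ovpn_port = int((ovpn.get("port") or [["1194"]])[-1][0])
    connect = opt(glob, sect, "connect")
    if connect:
        host, port = endpoint(connect, "127.0.0.1")
        if host not in LOOPBACK or port != ovpn_port:
            out.append(("PORT_MISMATCH", f"connect = {connect} but OpenVPN listens on 127.0.0.1:{ovpn_port}"))
    if (ovpn.get("local") or [["0.0.0.0"]])[-1][0] not in LOOPBACK:
        out.append(("BIND_ALL", "OpenVPN not bound to 127.0.0.1; the uncloaked port is reachable directly"))
    return out

def lint_client(stunnel_text, openvpn_text):
    glob, sections = parse_stunnel(stunnel_text)
    sect, ovpn = sections.get("openvpn", {}), parse_openvpn(openvpn_text)
    out = shared_findings(glob, sect, ovpn, "client")
    if not any(opt(glob, sect, k) for k in ("verifypeer", "verifychain", "verify")):
        out.append(("NO_VERIFY", "server certificate unverified; set verifyPeer = yes and CAfile = server.crt"))
    accept = opt(glob, sect, "accept") or "0"
    a_host, a_port = endpoint(accept, "0.0.0.0")       # a bare port binds all interfaces
    if a_host not in LOOPBACK:
        out.append(("ACCEPT_EXPOSED", f"accept = {accept} listens on the network; bind 127.0.0.1"))
    remote = (ovpn.get("remote") or [[]])[-1]
    if len(remote) < 2 or remote[0] not in LOOPBACK or int(remote[1]) != a_port:
        out.append(("REMOTE_MISMATCH", f"remote {' '.join(remote)} does not point at 127.0.0.1:{a_port}"))
    server_ip = endpoint(opt(glob, sect, "connect") or "0", "")[0]
    routed = any(r[:1] == [server_ip] and "net_gateway" in r for r in ovpn.get("route", []))
    if server_ip and not routed:
        out.append(("NO_HOST_ROUTE", f"missing 'route {server_ip} 255.255.255.255 net_gateway'; the TLS flow would loop into the tunnel"))
    return out

# Constructed inputs: a server config mistakenly copied from a client (the most common
# mistake), then a correct pairing: OpenVPN on 127.0.0.1:3389 behind public stunnel port 16080.
SERVER_BROKEN = "sslVersion = all\nclient = yes\ncompression = zlib\n[openvpn]\naccept = 127.0.0.1:3389\nconnect = 203.0.113.10:16080\n"
SERVER_FIXED = "sslVersion = TLSv1.2\ncert = /etc/stunnel/server.pem\n[openvpn]\nclient = no\naccept = 16080\nconnect = 127.0.0.1:3389\n"
OVPN_SERVER = "proto tcp-server\nlocal 127.0.0.1\nport 3389\n"
CLIENT_FIXED = "client = yes\nverifyPeer = yes\nCAfile = /etc/stunnel/server.crt\n[openvpn]\naccept = 127.0.0.1:16080\nconnect = 203.0.113.10:16080\n"
OVPN_CLIENT = "client\nproto tcp-client\nremote 127.0.0.1 16080\nroute 203.0.113.10 255.255.255.255 net_gateway\n"
```

Run lint_server(SERVER_BROKEN, OVPN_SERVER) and it reports the compression, sslVersion, role, missing-cert and port findings in that order; lint_server(SERVER_FIXED, OVPN_SERVER) and lint_client(CLIENT_FIXED, OVPN_CLIENT) return empty lists. Point the two functions at the real files on each machine before bringing the tunnel up; an empty result is not a guarantee, but every finding it does print corresponds to a setup that will either not connect or will connect with the TLS layer unauthenticated.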
Configuring an OpenVPN System for Obfsproxy
Obfsproxy sits between the OpenVPN server and the internet. Inbound connections from clients are unscrambled and forwarded to the OpenVPN server on the loopback interface; outbound data is scrambled and sent back to the clients, looking like random bytes with no protocol signature to any surveillance box on the path. It differs from Stunnel in that stunnel produces recognizable TLS records while Obfsproxy produces packets with no discernible identity: nothing for a DPI signature to match, at the cost of not blending in with any normal traffic. The obfs2 transport used here is obfuscation, not strong encryption, and it has since been deprecated in favor of obfs3 and obfs4; without a shared secret a passive observer can unscramble obfs2 completely, so the shared secret below is mandatory, and the confidentiality of the user's data still rests on OpenVPN's own TLS. Like stunnel, obfsproxy carries TCP only, so OpenVPN must run in TCP mode.
Obfsproxy on the OpenVPN Server
Install obfsproxy:
apt-get install obfsproxy
Obfsproxy will listen on TCP port 3389 and forward each unscrambled client connection to the OpenVPN server, which listens on 127.0.0.1, port 16080. Remember to allow inbound TCP connections from the "outside" to port 3389 in your firewall config, and keep port 16080 bound to loopback so that the uncloaked OpenVPN port is never reachable directly.
Obfsproxy obfs2 uses a static key (the "shared-secret") for its scrambling. The system works, but the key should be rotated regularly: anyone who learns it can unscramble the obfs2 layer, and a censor who obtains it can fingerprint the traffic again. Of course, the end user's actual internet data is still protected by OpenVPN's own encryption, but why yield anything to an attacker? For the shared secret, use a long string of random characters drawn from a cryptographic random source, for example the output of openssl rand -hex 32; a hash of a word or phrase is only as unpredictable as its input. Both client and server obfsproxy instances must use the identical string. The value ba016a998458864983848a2a6 in the commands below is only a placeholder.
Start obfsproxy on the server running OpenVPN. Use "sudo" if you are not root:
obfsproxy obfs2 --dest=127.0.0.1:16080 --shared-secret=ba016a998458864983848a2a6 server 0.0.0.0:3389
Note that a secret passed on the command line is visible to every local user in the process list, so the server should be a single-purpose machine. To start obfsproxy automatically at system boot time, put the startup command in the file /etc/rc.local (the path is /etc/rc.local, not /etc/init.d/rc.local) or wrap it in a service unit that runs it as an unprivileged user.
The OpenVPN server needs these lines in its config file so that it accepts TCP connections on 127.0.0.1, port 16080:
port 16080
local 127.0.0.1
proto tcp-server
Obfsproxy on the OpenVPN Client
The OpenVPN client will be configured to talk to a local obfsproxy SOCKS listener on 127.0.0.1, port 443; that listener scrambles the connection and carries it over the internet to the server's obfsproxy on port 3389. Binding port 443 locally requires root. Any unused high port works just as well if obfsproxy is to run unprivileged, as long as the socks-proxy line below is changed to match.
Install obfsproxy:
apt-get install obfsproxy
Add the following lines to your existing OpenVPN config file, one directive per line:
pull
remote your.vpn.server’s.IP 3389
proto tcp-client
route your.vpn.server’s.IP 255.255.255.255 net_gateway
socks-proxy-retry
socks-proxy 127.0.0.1 443
Be aware that the "remote" line specifies the port on which the server-side obfsproxy is listening; it is not the OpenVPN port, which is reachable only on the server's loopback interface. By contrast, the "socks-proxy" line specifies where the OpenVPN client should find the local obfsproxy listener. The "route" line keeps the scrambled connection going out through the normal gateway; without it, once the VPN becomes the default route, the obfsproxy connection that carries the tunnel would be routed into the tunnel itself. proto tcp-client is required because obfsproxy, like any SOCKS proxy here, carries TCP streams. On OpenVPN 2.4 and later, leave out socks-proxy-retry: the option was removed and the client retries connections on its own.
Start obfsproxy on the client computer:
obfsproxy obfs2 --shared-secret=ba016a998458864983848a2a6 socks 127.0.0.1:443
To start obfsproxy automatically at system boot time, put the startup command in the file /etc/rc.local.
Last, connect to the OpenVPN server using whatever method is preferred: scripts, NetworkManager, or a graphical interface should all work. The magic is in the *.ovpn configuration and the data used to run Obfsproxy. If the connection fails, look at the obfsproxy output on both ends first: a shared-secret mismatch fails at the obfs2 handshake, while a wrong port never reaches it and shows up as a refused connection.
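The host route that both procedures add (route ENDPOINT_IP 255.255.255.255 net_gateway) is the line most often left out, and its symptom, a tunnel that comes up and then dies as soon as it becomes the default route, is confusing. The Python script below is an added example, not code from this page or from OpenVPN; it models the routing table that redirect-gateway def1 leaves behind with a simple longest-prefix-match lookup and shows where the outer stunnel or obfsproxy connection to the server would be sent with and without that line. It is a simplified model with no metrics or policy routing. The addresses are constructed: 203.0.113.10 stands in for the VPN server, 192.0.2.1 for the LAN default gateway (what OpenVPN calls net_gateway) and 10.8.0.1 for the tunnel peer (vpn_gateway).

```python
"""Why the wrapper connection needs a host route past the tunnel (added example).
Minimal longest-prefix-match model of the host routing table; constructed addresses."""
import ipaddress

NET_GATEWAY = "192.0.2.1"   # LAN default gateway before the VPN came up (net_gateway)
VPN_GATEWAY = "10.8.0.1"    # tunnel peer address pushed by the server (vpn_gateway)

# Constructed table after OpenVPN's 'redirect-gateway def1': the two /1 routes via
# tun0 beat the original 0.0.0.0/0 default route without deleting it.
BASE_TABLE = [
    ("0.0.0.0/0", NET_GATEWAY, "eth0"),
    ("0.0.0.0/1", VPN_GATEWAY, "tun0"),
    ("128.0.0.0/1", VPN_GATEWAY, "tun0"),
    ("192.0.2.0/24", None, "eth0"),     # on-link LAN, no gateway
]

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def apply_route_directive(table, line):
    """Turn an OpenVPN 'route network netmask [gateway]' line into a table entry.

    Gateway keywords follow OpenVPN: net_gateway is the pre-VPN default gateway,
    vpn_gateway (also the default when the gateway is omitted) is the tunnel peer.
    The interface is whatever currently carries packets to that gateway, which is
    how the kernel resolves it too.
    """
    _, network, netmask, *rest = line.split()
    net = ipaddress.ip_network(f"{network}/{netmask}")     # dotted netmask accepted
    gw = rest[0] if rest else "vpn_gateway"
    gw = {"net_gateway": NET_GATEWAY, "vpn_gateway": VPN_GATEWAY}.get(gw, gw)
    dev = lookup(table, gw)[2]
    return table + [(str(net), gw, dev)]

def egress_device(server_ip, route_lines=()):
    """Interface that carries packets to server_ip once route_lines are applied."""
    table = list(BASE_TABLE)
    for line in route_lines:
        table = apply_route_directive(table, line)
    return lookup(table, server_ip)[2]

def loops_into_tunnel(server_ip, route_lines=()):
    """True if the outer stunnel/obfsproxy connection would be sent into the tunnel it carries."""
    return egress_device(server_ip, route_lines) == "tun0"

if __name__ == "__main__":
    server = "203.0.113.10"
    for routes in ([], ["route 203.0.113.10 255.255.255.255"],
                   ["route 203.0.113.10 255.255.255.255 net_gateway"]):
        print(routes or "no route line", "->", egress_device(server, routes))
```

With no route line the server address falls under 128.0.0.0/1 and is sent to tun0, the loop; the same line without the net_gateway keyword resolves to the tunnel peer and changes nothing; only the form used on this page produces a /32 via the LAN gateway, which wins the longest-prefix match and keeps the wrapper flow on eth0.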
Either Obfsproxy or Stunnel works well in circumventing the current round of increased censorship enabled by deep packet inspection. Eventually, countries like Syria, Iran, and China may resort to full segregation of their computer networks to maintain control of the content their citizens can reach. Until they muster enough guts to totally cut off access (and suffer the resulting economic and social consequences), the methods given here remain effective against national firewalls that rely on protocol recognition rather than address blacklists.
Update: Experimental patches are being tested that will incorporate protocol obfuscation into OpenVPN and make the fixes given on this page unnecessary. See the discussion thread in OpenVPN's community forum.
Tags: openvpn, obfuscated openvpn, openvpn china, openvpn iran
©2005 - 2020 AB9IL, All Rights Reserved.