AB9IL.net: OpenVPN Cloaking with Stunnel or Obfsproxy

Written and curated by Philip Collier / AB9IL

Given here are two methods of keeping OpenVPN service working against filtering by governments opposed to anonymity, security, and free access to the internet. Both methods exist because of the deployment of surveillance technology known as deep packet inspection (DPI), which recognises VPN connections by their protocol signatures so that they can be blocked. OpenVPN connections are high-priority targets because the protocol is fast, secure, and popular, and because an unwrapped OpenVPN session is easy to fingerprint: the first packet of a session has a fixed size and a fixed opcode byte. Stunnel wraps the OpenVPN stream in ordinary TLS (SSL), so on the wire it looks like an HTTPS session; Obfsproxy scrambles it so that it has no recognisable structure at all. Either way the DPI "find and block" rule for OpenVPN no longer matches. At some point OpenVPN itself may gain a harder-to-detect framing; until then, use these instructions to evade DPI. These methods are not perfect: a determined censor with enough time can block anything it cannot identify or decrypt, for example by cutting off every endpoint it has not explicitly allowed, so changing server IP addresses and keys regularly remains part of staying reachable through a national firewall.

Note: The instructions given here for cloaking OpenVPN with Stunnel or Obfsproxy were carried out on a system running Debian Sid GNU/Linux. They should apply, with minor changes, to other Linux systems. macOS and Windows systems can also use Stunnel or Obfsproxy with OpenVPN, but the installation method differs from what is shown here.

Configuring an OpenVPN System for Stunnel

Stunnel sits between the OpenVPN server and the internet. Inbound TLS connections from clients are terminated by Stunnel, and the decrypted byte stream is handed to the OpenVPN server on a local TCP port. Outbound data travels back inside the same TLS session, so to anyone watching the network the connection looks like ordinary TLS (SSL) traffic. This only works with OpenVPN in TCP mode: Stunnel carries a byte stream, not UDP datagrams.

Stunnel on the OpenVPN Server

Install Stunnel:

apt-get install stunnel4

Move to the stunnel directory:

cd /etc/stunnel/

Create a private key for the server:

openssl genrsa -out server.key 4096

Create a "Certificate Signing Request":

openssl req -new -key server.key -out server.csr

Create a self-signed certificate from the request, signed with the server's own key and valid for one year:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Put the key and certificate into a single PEM file for Stunnel (the key and the PEM file contain the private key and should be readable by root only):

cat server.key > server.pem && cat server.crt >> server.pem

After the key and certificate are created, specify the configuration for Stunnel. Create a config file named stunnel.conf in /etc/stunnel and edit it using any suitable editor (vi, nano, gedit, for example). Copy the following into stunnel.conf:

; /etc/stunnel/stunnel.conf on the OpenVPN server
cert = /etc/stunnel/server.pem
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
client = no

[openvpn]
accept = 3389
connect = 127.0.0.1:16080

The accept port is the public TCP port that clients connect to; any port not used by another application will do (this page uses 3389, but 443 blends in best with ordinary HTTPS traffic). The connect port MUST be the local TCP port on which the OpenVPN server listens, and OpenVPN should bind it to 127.0.0.1 only so that the bare protocol is never reachable from the internet. The client = no and cert lines are what make this the server end: Stunnel terminates TLS here, so it needs the certificate and key created above. Two settings often seen in older configurations, sslVersion = all and compression = zlib, are deliberately absent: sslVersion = all would permit obsolete SSL versions, which modern Stunnel negotiates correctly on its own, and compressing data before encrypting it leaks information about the plaintext (current OpenSSL releases disable TLS compression by default). debug = 7 logs everything and can be lowered once the setup works. After editing and double checking the entries, save the file and quit the editor.

Enable and start Stunnel. First, open the file /etc/default/stunnel4 in a text editor, find the ENABLED parameter and change ENABLED=0 to ENABLED=1. After editing and double checking the entries, save the file and quit the editor. Start stunnel4 with the command:

/etc/init.d/stunnel4 start

With ENABLED=1 set, the stunnel4 init script starts Stunnel at boot by itself, so nothing needs to be added to rc.local. (If you do add start-up commands by hand, they belong in /etc/rc.local, not in the init script /etc/init.d/rc.local, which merely runs that file.)

The server's own OpenVPN config must now use TCP on the port Stunnel connects to, bound to the loopback address only: proto tcp, port 16080 and local 127.0.0.1. Then restart OpenVPN with the command:

service openvpn restart

Stunnel on the OpenVPN Client

Install Stunnel:

sudo apt-get install stunnel4

Use the following configuration data for the client's /etc/stunnel/stunnel.conf. ENDPOINT_IP should be written as the actual IP address of the OpenVPN server. Copy the server's /etc/stunnel/server.crt (the certificate only, never server.key or server.pem) to /etc/stunnel/server.crt on the client: the CAfile and verifyPeer lines pin that certificate, so the client refuses to talk to anything but the real server. Without them Stunnel would accept any certificate, and a man-in-the-middle could terminate the TLS itself and see, and fingerprint, the raw OpenVPN stream inside.

; /etc/stunnel/stunnel.conf on the client
client = yes
CAfile = /etc/stunnel/server.crt
verifyPeer = yes

[openvpn]
accept = 127.0.0.1:16080
connect = ENDPOINT_IP:3389

Edit the OpenVPN client config so that it connects to the local Stunnel listener over TCP (the proto line matters: Stunnel cannot carry UDP):

remote 127.0.0.1 16080
proto tcp-client

Add the following line to the OpenVPN config file. It routes the real server address via the normal gateway, so that when the VPN later takes over the default route the Stunnel connection itself is not pulled into the tunnel. OpenVPN cannot add this route on its own because, as far as it knows, the server is 127.0.0.1:

route ENDPOINT_IP 255.255.255.255 net_gateway

On the server, allow inbound TCP to the Stunnel accept port. The client needs no inbound rule, and the OpenVPN port itself stays on 127.0.0.1 and needs none either:

sudo iptables -A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
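The Stunnel procedure above, both ends together, as an added example that is not the page author's script. It generates every file from one set of values so the port numbers cannot drift apart, and it includes the checks worth running before deploying: that the client's connect port equals the server's accept port, that the server end really has a certificate and is not in client mode, and that the client pins the server certificate. It assumes Debian's stunnel4 package (user and group stunnel4), the page's port numbers, and the placeholder server address 203.0.113.10.

```shell
#!/bin/sh
# Added example, not code from the original page.  Builds both ends of the
# Stunnel setup from one set of values: the client's connect port must equal
# the server's accept port, and the server's connect port must be the loopback
# TCP port OpenVPN listens on.  Assumptions: Debian's stunnel4 package, the
# placeholder server address 203.0.113.10, and the page's port numbers.
PUBLIC_PORT=3389           # TLS port exposed by the server (443 blends in best)
OVPN_PORT=16080            # OpenVPN server, bound to 127.0.0.1 only
LOCAL_PORT=16080           # client-side listener that OpenVPN connects to
ENDPOINT_IP=203.0.113.10   # real server address goes here

# make_server_cert DIR: one openssl call for key + self-signed certificate,
# then the combined PEM that stunnel reads.  Run as root on the server; the
# key material stays readable by root only (stunnel loads it before dropping
# privileges to the stunnel4 user).
make_server_cert() {
    openssl req -x509 -newkey rsa:4096 -nodes -days 365 -subj "/CN=stunnel" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    cat "$1/server.key" "$1/server.crt" > "$1/server.pem" &&
    chmod 600 "$1/server.key" "$1/server.pem"
}

server_stunnel_conf() {
    cat <<EOF
; /etc/stunnel/stunnel.conf on the OpenVPN server
cert = /etc/stunnel/server.pem
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = no

[openvpn]
accept = $PUBLIC_PORT
connect = 127.0.0.1:$OVPN_PORT
EOF
}

# Lines the server's OpenVPN config needs: TCP, reachable only via stunnel.
server_openvpn_lines() {
    printf 'proto tcp\nport %s\nlocal 127.0.0.1\n' "$OVPN_PORT"
}

client_stunnel_conf() {
    cat <<EOF
; /etc/stunnel/stunnel.conf on the client
client = yes
; server.crt copied from the server: pin it, or any TLS endpoint would do
CAfile = /etc/stunnel/server.crt
verifyPeer = yes

[openvpn]
accept = 127.0.0.1:$LOCAL_PORT
connect = $ENDPOINT_IP:$PUBLIC_PORT
EOF
}

client_openvpn_lines() {
    printf 'proto tcp-client\nremote 127.0.0.1 %s\nroute %s 255.255.255.255 net_gateway\n' \
        "$LOCAL_PORT" "$ENDPOINT_IP"
}

# conf_value CONF KEY: value of "KEY = value" inside the [openvpn] section
conf_value() {
    printf '%s\n' "$1" | sed -n '/^\[openvpn\]/,$p' | sed -n "s/^$2 *= *//p" | head -n 1
}

# check_pair SERVER_CONF CLIENT_CONF: the checks worth making before deploying
check_pair() {
    s_accept=$(conf_value "$1" accept | sed 's/.*://')
    s_connect=$(conf_value "$1" connect | sed 's/.*://')
    c_connect=$(conf_value "$2" connect | sed 's/.*://')
    if [ "$s_accept" != "$c_connect" ]; then
        echo "mismatch: client connects to port $c_connect, server accepts on $s_accept"; return 1
    fi
    if ! printf '%s\n' "$1" | grep -q '^cert *='; then
        echo "server has no cert line; stunnel cannot terminate TLS without one"; return 1
    fi
    if printf '%s\n' "$1" | grep -q '^client *= *yes'; then
        echo "server config is in client mode"; return 1
    fi
    if ! printf '%s\n' "$2" | grep -q '^verifyPeer *= *yes'; then
        echo "client does not verify the server certificate"; return 1
    fi
    echo "ok: client -> $ENDPOINT_IP:$s_accept (TLS) -> 127.0.0.1:$s_connect (OpenVPN)"
}

server_stunnel_conf; echo; server_openvpn_lines; echo
client_stunnel_conf; echo; client_openvpn_lines; echo
check_pair "$(server_stunnel_conf)" "$(client_stunnel_conf)"
```

On the server, run make_server_cert /etc/stunnel as root, write the output of server_stunnel_conf to /etc/stunnel/stunnel.conf and add the server_openvpn_lines to the OpenVPN server config; copy only server.crt to the client and use the two client_ functions there. Running check_pair on the two stunnel.conf files before starting anything catches exactly the two mistakes that are easiest to make: swapped ports, and a server configuration that is really a client one.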


Configuring an OpenVPN System for Obfsproxy

Obfsproxy sits between the server and the internet. Inbound connections from clients are de-obfuscated and passed to the OpenVPN server; outbound data is scrambled before it leaves, so to any surveillance agent on the network the stream is uniformly random-looking bytes with no header, handshake or version field to match on. This is the difference from Stunnel: Stunnel produces a stream that looks like ordinary TLS, while Obfsproxy produces a stream that looks like nothing in particular. Note that the obfs2 transport used below is an obfuscation layer, not a cryptographic one: it hides the shape of the protocol, and confidentiality still comes from OpenVPN's own encryption. obfs2 is also the oldest of the Obfsproxy transports and has since been superseded by obfs3 and obfs4, so prefer the newer transport where it is available.
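The DPI "find and block" step described in the introduction, and the contrast just drawn between what Stunnel and Obfsproxy leave on the wire, as an added example that is not part of the original page. The script is a toy classifier of the kind a filtering box applies to the first bytes of a TCP stream. It parses the OpenVPN-over-TCP record framing (2-byte length, then an opcode byte) and recognises the session-opening hard-reset packets, labels a TLS handshake record, and leaves an obfs2-style stream unclassified. The three sample byte strings are constructed for the example, not captured traffic.

```shell
#!/bin/sh
# Added example, not code from the original page: a toy deep-packet-inspection
# check of the kind a national firewall applies to the first bytes of a TCP
# stream.  It shows why bare OpenVPN-over-TCP is trivial to fingerprint, and
# what an observer is left with after Stunnel (a TLS record) or Obfsproxy
# (structureless bytes).  All sample byte strings are constructed here.
#
# OpenVPN-over-TCP framing: each record is a 2-byte big-endian length followed
# by an opcode byte equal to (opcode << 3) | key_id.  Without tls-auth the
# first client packet is P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7): opcode (1)
# + session id (8) + ack-array length (1) + packet id (4) = 14 bytes, so the
# stream opens with 00 0e 38.  A TLS handshake record opens with 16 03 0x.

# classify_stream HEX: HEX holds the leading bytes of a stream as hex with no
# separators.  Prints a label; returns 1 if the stream was not recognised.
classify_stream() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if [ ${#hex} -lt 6 ]; then
        echo unclassified
        return 1
    fi
    b1b2=$(printf '%s' "$hex" | cut -c1-4)
    b3=$(printf '%s' "$hex" | cut -c5-6)
    case $b1b2 in
    1603)
        # TLS handshake record: what Stunnel puts on the wire, and what every
        # ordinary HTTPS connection also looks like.
        echo tls
        return 0
        ;;
    esac
    len=$((0x$b1b2))
    opcode=$(( 0x$b3 >> 3 ))
    key_id=$(( 0x$b3 & 7 ))
    case $opcode in
    7|8)
        # 7 = P_CONTROL_HARD_RESET_CLIENT_V2, 8 = P_CONTROL_HARD_RESET_SERVER_V2.
        # A 14-byte client reset means no tls-auth; tls-auth adds an HMAC and
        # replay fields, but the opcode byte still gives the game away.
        echo "openvpn-tcp opcode=$opcode key_id=$key_id len=$len"
        return 0
        ;;
    esac
    # No length/opcode structure and no TLS record header: this is all a
    # per-packet rule sees of an obfs2 stream (a real DPI box would have to
    # fall back to flow statistics or active probing).
    echo unclassified
    return 1
}

# Constructed samples: session id, ClientHello body and obfs2 seed are made up.
OPENVPN_SAMPLE=000e38a1b2c3d4e5f607180000000000       # bare OpenVPN client reset
TLS_SAMPLE=16030100c5010000c10303                      # start of a TLS ClientHello
OBFS2_SAMPLE=7f3a9c1e55d0b2e8a4c61f9d03e7b85a2c1d     # obfs2 seed: looks like noise

for s in "$OPENVPN_SAMPLE" "$TLS_SAMPLE" "$OBFS2_SAMPLE"; do
    printf '%s... -> ' "$(printf '%s' "$s" | cut -c1-12)"
    classify_stream "$s" || :
done
```

The point of the exercise is the first rule: three fixed bytes at the start of a connection are enough to block every unwrapped OpenVPN-over-TCP session on a network, which is why the rest of this page exists.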

Obfsproxy on the OpenVPN Server

Install obfsproxy:

apt-get install obfsproxy

Obfsproxy will be configured to listen on TCP port 3389 and to forward each de-obfuscated client connection to the OpenVPN server, which will listen on 127.0.0.1, port 16080. Remember to allow TCP connections from the outside to port 3389 in your firewall config; port 16080 stays on the loopback address and needs no rule.

Obfsproxy's obfs2 transport uses a static key, the "shared secret", on both ends. Without one, obfs2 derives its handshake keys entirely from seed values sent in the clear, so a DPI box can derive them too and recognise the stream; the shared secret is what prevents that. Rotate it regularly: it is a symmetric key that every client knows, and a leaked or guessed secret lets an attacker unwrap the obfuscation and see the OpenVPN packets. The end user's actual internet data is still protected by OpenVPN's own encryption, but why yield anything to an attacker? For the shared secret use a long random string, for example 32 or more bytes from /dev/urandom written out as hex (openssl rand -hex 32 produces exactly that). Client and server Obfsproxy instances must use the identical string.

Start Obfsproxy on the server running OpenVPN. Port 3389 is above 1024, so this needs no root privileges; run it as an unprivileged user:

obfsproxy obfs2 --dest=127.0.0.1:16080 --shared-secret=ba016a998458864983848a2a6 server 0.0.0.0:3389

To start Obfsproxy automatically at boot, put the above command in /etc/rc.local, followed by & so that the script does not block, and before the final exit 0 (not in the init script /etc/init.d/rc.local, which merely runs that file). Be aware that a secret passed on the command line is visible to every local user in ps output, so the server should not host untrusted accounts.

The OpenVPN server needs to listen over TCP on port 16080, on the loopback address only, so that it is reachable through Obfsproxy and nothing else. Its config file needs these lines:

proto tcp
port 16080
local 127.0.0.1

Obfsproxy on the OpenVPN Client

The OpenVPN client will be configured to reach a local Obfsproxy SOCKS listener on 127.0.0.1, port 443. That local Obfsproxy instance then makes the obfuscated connection over the internet to the server's port 3389. Port 443 here is purely local; because it is below 1024, Obfsproxy must be started as root (or given CAP_NET_BIND_SERVICE) to bind it, so a port above 1024 is the simpler choice if you are not attached to 443.

Install obfsproxy:

apt-get install obfsproxy

Add the following lines to your existing OpenVPN client config file, replacing ENDPOINT_IP with the server's real IP address. The proto line matters: Obfsproxy carries a TCP byte stream, so the client must not use UDP:

pull
proto tcp-client
remote ENDPOINT_IP 3389
route ENDPOINT_IP 255.255.255.255 net_gateway
socks-proxy 127.0.0.1 443
# socks-proxy-retry applies to OpenVPN 2.3 and older only; 2.4 removed the option and always retries

Be aware that the "remote" line names the port on which the server-side Obfsproxy is listening, while the "socks-proxy" line names where the OpenVPN client finds its local Obfsproxy SOCKS listener. OpenVPN opens a SOCKS connection to 127.0.0.1:443 and asks it for ENDPOINT_IP:3389; the local Obfsproxy makes that connection and obfuscates everything that follows. The route line keeps that connection out of the tunnel once the VPN is up.

Start Obfsproxy on the client computer (as root if it is to bind port 443):

obfsproxy obfs2  --shared-secret=ba016a998458864983848a2a6 socks 127.0.0.1:443

To start Obfsproxy automatically at boot, put the above command in /etc/rc.local, followed by & and before the final exit 0.

Last, connect to the OpenVPN server using whatever method is preferred; scripts, NetworkManager, or a graphical interface should all work. The magic is in the *.ovpn configuration and the data used to run Obfsproxy.
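The Obfsproxy procedure above, as an added example that is not the page author's script: it generates and validates the shared secret, and derives both sides' launch commands and the client's OpenVPN lines from one set of values, so the three ports involved (3389 on the wire, 16080 for OpenVPN on the server's loopback, 443 for the client's local SOCKS listener) cannot get out of step. It assumes the obfsproxy command line shown on the page and the placeholder server address 203.0.113.10.

```shell
#!/bin/sh
# Added example, not code from the original page: shared-secret generation
# and validation for obfs2, plus both sides' launch commands and the client's
# OpenVPN lines, all derived from one set of values.  Assumes the obfsproxy
# command line shown on the page and the placeholder address 203.0.113.10.
ENDPOINT_IP=203.0.113.10   # server address (placeholder)
WIRE_PORT=3389             # obfsproxy server listener, reachable from the internet
OVPN_PORT=16080            # OpenVPN server, bound to 127.0.0.1 on the server
SOCKS_PORT=443             # obfsproxy SOCKS listener on the client, loopback only

# gen_shared_secret [BYTES]: BYTES (default 32) of kernel randomness as hex.
# Hex keeps the secret safe to paste into a shell command line or rc.local.
gen_shared_secret() {
    head -c "${1:-32}" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# check_shared_secret SECRET: reject secrets that are short or that contain
# characters a shell would interpret.  The 25-character example secret shown
# on the page is rejected as too short.
check_shared_secret() {
    if [ ${#1} -lt 32 ]; then
        echo "secret too short: ${#1} chars, want at least 32" >&2
        return 1
    fi
    case $1 in
    *[!A-Za-z0-9]*)
        echo "secret contains characters that need shell quoting; use hex" >&2
        return 1
        ;;
    esac
    return 0
}

# Server side: de-obfuscate on WIRE_PORT and hand the stream to OpenVPN locally.
obfs_server_cmd() {
    echo "obfsproxy obfs2 --dest=127.0.0.1:$OVPN_PORT --shared-secret=$1 server 0.0.0.0:$WIRE_PORT"
}

# Client side: a local SOCKS listener that obfuscates towards whatever host
# the SOCKS client (OpenVPN) asks it to connect to.
obfs_client_cmd() {
    echo "obfsproxy obfs2 --shared-secret=$1 socks 127.0.0.1:$SOCKS_PORT"
}

# Lines for the client's .ovpn: remote names the server's obfsproxy listener,
# socks-proxy names the local one.  socks-proxy-retry was removed in OpenVPN
# 2.4 (retrying is always on), so it is omitted here.
client_openvpn_lines() {
    cat <<EOF
proto tcp-client
remote $ENDPOINT_IP $WIRE_PORT
route $ENDPOINT_IP 255.255.255.255 net_gateway
socks-proxy 127.0.0.1 $SOCKS_PORT
EOF
}

SECRET=$(gen_shared_secret)
check_shared_secret "$SECRET"
echo "# on the server (the secret is visible in ps to every local user):"
obfs_server_cmd "$SECRET"
echo "# on the client:"
obfs_client_cmd "$SECRET"
client_openvpn_lines
```

Run it once, paste the server command into the server's rc.local and the client command plus the OpenVPN lines into the client; when the secret is rotated, run it again and redeploy both ends in the same maintenance window, since a client with the old secret cannot complete the obfs2 handshake.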

Either Obfsproxy or Stunnel works well in circumventing the current round of increased censorship enabled by deep packet inspection. Eventually, countries like Syria, Iran, and China may resort to full segregation of their computer networks to keep control of the content their citizens can reach. Until they are prepared to cut off access completely (and suffer the resulting economic and social consequences), the methods given here will remain effective against national firewalls.

Update: Experimental patches are being tested that will incorporate protocol obfuscation into OpenVPN and make the fixes given on this page unnecessary. See the discussion thread in OpenVPN's community forum.


© 2005 - 2024 AB9IL.net, All Rights Reserved.