On 13/05/15 02:05, Lisa Minogue wrote:
> Hi David
>
>> From: David Sommerseth <openvpn.l...@topphemmelig.net>
>> Sent: Tue May 12 23:07:52 CEST 2015
>> To: Lisa Minogue <lmino...@mail.be>, Jonathan K. Bullard
>> <jkbull...@gmail.com>
>> Subject: Re: [Openvpn-devel] Request peer review of modified OpenVPN client
>> software
>
>> The XOR patch which we've basically rejected so far, modifies how
>> OpenVPN packets look. Piping the traffic through stunnel will
>> actually encrypt the OpenVPN packets once more, thus the packets will
>> not look like OpenVPN packets. And the same happens if you use obfsproxy
>> from the Tor project, which also is used to mangle the network
>> packets.
>
> Briefly what are your reasons for rejecting the XOR patch?

Read carefully below, as I already answered that.

>> We have generally recommended obfsproxy, as that's a tool
>> especially designed to do this clever magic in a very flexible way. So when a
>> firewall learns the new packet fingerprint, obfsproxy can easily and
>> quickly be extended with another mangler. And that is why we don't want this
>> functionality built into OpenVPN. Because it is far harder for
>> OpenVPN to follow what passes through various "Great Firewalls" (you
>> have more countries doing that than just China). The Tor projects have a
>> special interest in making such mangling work as smooth as possible,
>> with great success. Hence that has been our primary recommendation.
>
> Thanks once again for your time and effort in helping me understand
> the advantages of using obfsproxy over XOR patch or stunnel4.
>
> Do OpenVPN developers have an official wiki on how to use obfsproxy
> with OpenVPN? Or is the article referenced by the following
> URL--https://community.openvpn.net/openvpn/wiki/TrafficObfuscation--your
> official guide?

No, that's the general approach. Using obfsproxy is actually fairly
simple. I've not tested the setup which is demonstrated here in a long
time, but I see that nowadays obfsproxy supports a better protocol,
obfs3 instead of obfs2. And that's the power of obfsproxy, when newer
tweaks are needed to combat these "Great Firewalls", the Tor projects
have a solution for you.

--
kind regards,

David Sommerseth