Hi.

On Mon, Dec 19, 2016 at 7:10 PM, Kevin Long <kevin.l...@haloprivacy.com> wrote:

> I was just browsing the Mastering OpenVPN book and a paragraph jumped out at
> me which basically said that using OpenVPN on port 443 is a common way people
> try to duck firewalls. Indeed, this is what I do. My clients are all over
> the place, airports, hotels, different countries etc, and we do seem to have
> better luck on port 443 tcp than 1194 tcp or udp.
>
> But the book states, as I have coincidentally just learned recently,
> that OpenVPN traffic (even running on TCP) does not really look like normal
> browser TLS traffic.
>
> I saw in the release notes, I believe, that the new tls-crypt feature helps
> prevent metadata about auth certificates from being exposed, as well as
> blocking deep-packet inspection of the traffic.
One approach that could help would be to use obfsproxy. However, that requires a separate program to be running on OpenVPN clients, which can be difficult for VPN service providers.

Another approach would be to use the openvpn_xorpatch [1], which can be built into the OpenVPN client that VPN service providers supply to their clients and thus doesn't require a separate program. It adds a "scramble" option which obfuscates the traffic between an OpenVPN server and client, based on a shared secret. Although the patch is _disapproved of by the OpenVPN developers_ (details on the Tunnelblick page), at least one VPN provider that I know of has found it helps their clients.

I developed a version of the patch which fixes several bugs in the original. A somewhat out-of-date writeup is available at [2]. For the last 18 months my version has been included in the copies of OpenVPN that are included in Tunnelblick [3] (a GUI for OpenVPN on macOS). There was recently a short discussion about it at GitHub Issue #347 [4].

In recent versions of Tunnelblick the patch is broken into five separate patches, with each patch modifying a single file. The patches can be found in the Tunnelblick source code [5] at third_party/sources/openvpn/openvpn-xxxx/patches, where xxxx is the OpenVPN version. The "master" branch of Tunnelblick includes patches for OpenVPN 2.3.14 and 2.4_rc1 (patches for 2.4_rc2 will replace those within the next day or two). Older branches include the patch for older versions of OpenVPN.

Best regards,

Jon Bullard

[1] https://forums.openvpn.net/viewtopic.php?f=15&t=12605&hilit=openvpn_xorpatch
[2] https://tunnelblick.net/cOpenvpn_xorpatch.html
[3] https://tunnelblick.net
[4] https://github.com/Tunnelblick/Tunnelblick/issues/347
[5] https://tunnelblick.net/source.html

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
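Editor's note: the "scramble" option Jon describes is obfuscation keyed by a shared secret, not encryption, and the reason the OpenVPN developers dislike it is easiest to see in code. The Python below is an added example written for this page; it is not code from the xorpatch, from Tunnelblick or from OpenVPN. The four transforms follow my reading of the patch's scramble modes (xormask, xorptrpos, reverse, and the "obfuscate" composite); treat their exact order as an assumption and check it against the patch sources in [5] before relying on it. The mask `s3cret` and the sample packets are constructed for the demonstration. What the example shows: the transforms are self-inverse so either side can unscramble, but an observer who knows (or guesses) a plaintext prefix recovers the mask byte-for-byte, and the first byte of every control packet (OpenVPN's opcode/key-id byte, 0x38 for a client hard reset) maps to the same constant under both xormask and obfuscate, so a per-session fingerprint survives.

```python
"""Model of XOR-style traffic scrambling, and why it is not confidentiality.

Added illustration for this page, not the xorpatch's or Tunnelblick's code.
The mode composition is my reading of the patch and is an assumption.
"""
from itertools import cycle

# OpenVPN's first byte packs (opcode << 3) | key_id. P_CONTROL_HARD_RESET_CLIENT_V2
# is opcode 7, so with key_id 0 the byte is 0x38. Everything below it is sample
# data constructed here (fake session IDs, zero padding), not captured traffic.
HARD_RESET_CLIENT_V2 = 0x38
SAMPLE_PACKETS = [
    bytes([HARD_RESET_CLIENT_V2]) + bytes.fromhex("0011223344556677") + b"\x00" * 8,
    bytes([HARD_RESET_CLIENT_V2]) + bytes.fromhex("89abcdef01234567") + b"\x00" * 8,
    bytes([HARD_RESET_CLIENT_V2]) + bytes.fromhex("deadbeefcafef00d") + b"\x00" * 8,
]
MASK = b"s3cret"  # assumed shared secret, as a "scramble xormask" string would be


def xormask(data: bytes, mask: bytes) -> bytes:
    """XOR each byte with the shared mask, cycling the mask. Self-inverse."""
    if not mask:
        raise ValueError("mask must be non-empty")
    return bytes(b ^ m for b, m in zip(data, cycle(mask)))


def xorptrpos(data: bytes) -> bytes:
    """XOR each byte with its 1-based offset (mod 256). Self-inverse and keyless."""
    return bytes(b ^ ((i + 1) & 0xFF) for i, b in enumerate(data))


def reverse_tail(data: bytes) -> bytes:
    """Reverse every byte after the first one. Self-inverse and keyless."""
    return data[:1] + data[1:][::-1]


def obfuscate(data: bytes, mask: bytes) -> bytes:
    """Composite mode (assumed order): xorptrpos, reverse, xorptrpos, xormask."""
    return xormask(xorptrpos(reverse_tail(xorptrpos(data))), mask)


def deobfuscate(data: bytes, mask: bytes) -> bytes:
    """Undo obfuscate(): the same self-inverse steps, applied in reverse order."""
    return xorptrpos(reverse_tail(xorptrpos(xormask(data, mask))))


def recover_mask_prefix(scrambled: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery against xormask: mask byte = scrambled ^ plain.

    Yields as many mask bytes as there are known plaintext bytes; the opcode
    byte alone already gives mask[0], and a longer guessable header gives more.
    """
    return bytes(s ^ p for s, p in zip(scrambled, known_plaintext))


def first_byte_is_constant(packets, mask: bytes, scramble=xormask) -> bool:
    """True if the scrambled first byte is identical across all packets.

    xormask maps a fixed plaintext byte to a fixed output byte, and the
    obfuscate composite leaves byte 0 as plain ^ mask[0] (the two xorptrpos
    steps cancel and reverse_tail never moves byte 0), so the opcode position
    remains a constant fingerprint for the whole session.
    """
    firsts = {scramble(p, mask)[0] for p in packets}
    return len(firsts) == 1


if __name__ == "__main__":
    scr = xormask(SAMPLE_PACKETS[0], MASK)
    print("scrambled:", scr.hex())
    print("recovered mask bytes:", recover_mask_prefix(scr, SAMPLE_PACKETS[0]))
    print("constant first byte (xormask):", first_byte_is_constant(SAMPLE_PACKETS, MASK))
    print("constant first byte (obfuscate):",
          first_byte_is_constant(SAMPLE_PACKETS, MASK, obfuscate))
```

The practical reading: the scramble hides the OpenVPN wire format from a naive signature match, which is all the patch claims to do, but it adds no confidentiality (the TLS inside the tunnel already provides that) and a DPI box that has seen one unscrambled handshake, or that simply correlates the constant first byte across packets, can still classify the flow.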