On 31/12/2016 20:36, Илья Шипицин wrote:
>
> Tue, 20 Dec 2016 at 5:13, Kevin Long <kevin.l...@haloprivacy.com>:
>
> > I was just browsing the Mastering OpenVPN book and a paragraph
> > jumped out at me which basically said that using OpenVPN on port 443
> > is a common way people try to duck firewalls. Indeed, this is what
> > I do. My clients are all over the place, airports, hotels,
> > different countries etc, and we do seem to have better luck on port
> > 443 tcp than 1194 tcp or udp.
> >
> > But the book states, as I have just learned just recently
> > coincidentally, that OpenVPN traffic (even running on TCP) does not
> > really look like normal browser TLS traffic.
> >
> > I saw in the release notes I believe, that the new tls-crypt feature
> > helps prevent metadata about auth certificates from being exposed,
> > as well as blocking deep-packet inspections of the traffic.
> >
> > Could anyone possibly elaborate on this? Will this in practice help
> > to mitigate OpenVPN blocking on port 443 in cases where normal TLS
> > 443 traffic is permitted?
> >
> > Also, could anyone elaborate on tls-crypt being “poor man’s quantum”
> > protection
> >
> > Thank you again,
> >
> > Kevin
>
> I think traffic obfuscation needs more attention. OpenVPN becomes more
> and more popular, even http://openvpn.net is prohibited in several
> countries.
>
> We recently tried tls-crypt from China, it does not bypass great wall
> software.

Hi,

We've discussed traffic obfuscation in the past many times, and have
always concluded that we don't want to play that cat-and-mouse game in
the _core_ OpenVPN.

That said, there could definitely be a separate project that basically
bundles OpenVPN with obfuscation software such as obfsproxy. Then _that_
project would play the cat-and-mouse game. I would argue that this
approach would be more effective, as the participants in that project
would have vested interest in the obfuscation working.

I believe many VPN providers already implement obfuscation, each
reinventing the wheel, which typically tends to produce half-baked
implementations as well as lots of wasted effort in the name of
commercial differentiation.

If someone is willing to cobble something together and publish it, I'm
sure other people will soon follow and the "Obfuscated OpenVPN" project
will start gaining momentum.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users