On Tue, Jan 3, 2017 at 12:10 AM, Samuli Seppänen <sam...@openvpn.net> wrote:

> We've discussed traffic obfuscation in the past many times, and have
> always concluded that we don't want to play that cat-and-mouse game in
> the _core_ OpenVPN.
>

I agree - sort of. I'd say the one exception would be to add proxy-over-TLS
support into openvpn. It's merely an extension of existing code but means
those who choose to use it would gain the ability to appear exclusively as
a TCP/TLS transaction - no evidence of vpn traffic at all.

i.e., set up squid on your openvpn server with a TLS port (https_port), acl
it down to only be a proxy for localhost:1194 (say). Then configure the openvpn
client as

<connection>
    # remote takes host, port and protocol as separate arguments
    remote localhost 1194 tcp
    # the proxy itself is what the client actually talks to
    http-proxy squid.server 443
</connection>

All anyone would see is the client making a TLS (with SNI) connection to
https://squid.server/ (and lots of traffic...). It would look effectively
identical to Skype, Hangouts, etc., i.e. large volumes of (assumed) HTTPS
traffic. One could probably configure squid so that it defaults to a real
Apache server, and does the "trick" just for "CONNECT localhost:1194" -
that way even connecting to it would show a website.

Hmm, on second thoughts, this would be easier/cleaner to do in Apache via
mod_proxy...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
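The server-side half of the setup sketched above, as an added example that is not from the original message or from the OpenVPN or Squid projects: Squid listens with TLS on 443 and only permits CONNECT to the OpenVPN port on loopback, and the OpenVPN server binds to loopback so it is reachable only through the proxy. The hostname squid.server and the certificate paths are placeholders, and the option names follow Squid 4 (`tls-cert=`/`tls-key=`); the client side remains the part the message proposes extending, since OpenVPN's existing `http-proxy` option connects to the proxy without TLS.

```conf
# /etc/squid/squid.conf -- constructed example, not the poster's config.

# TLS listener on 443; certificate and key paths are placeholders.
https_port 443 tls-cert=/etc/squid/certs/squid.server.pem tls-key=/etc/squid/certs/squid.server.key

# The only destination this proxy may tunnel to: the OpenVPN server on loopback.
acl CONNECT method CONNECT
acl vpn_dst dst 127.0.0.1/32
acl vpn_port port 1194

# Permit CONNECT to 127.0.0.1:1194 (a client's "CONNECT localhost:1194" resolves to it)
http_access allow CONNECT vpn_dst vpn_port

# and refuse every other request, so the host is not usable as an open proxy.
http_access deny all

# An opaque tunnel has nothing worth caching.
cache deny all

# ---- /etc/openvpn/server.conf (relevant lines only) ----
# Bind to loopback so the VPN port is never exposed directly; Squid is the only way in.
local 127.0.0.1
port 1194
proto tcp-server
```

With `http_access deny all` after the single allow rule, a CONNECT to any other host:port (or a plain GET) is rejected with 403, which is the check to run against the proxy after deploying it.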