2017-01-03 5:55 GMT+03:00 Jason Haar <jason_h...@trimble.com>:
>
> On Tue, Jan 3, 2017 at 12:10 AM, Samuli Seppänen <sam...@openvpn.net>
> wrote:
>
>> We've discussed traffic obfuscation in the past many times, and have
>> always concluded that we don't want to play that cat-and-mouse game in
>> the _core_ OpenVPN.
>>
>
> I agree - sort of. I'd say the one exception would be to add
> proxy-over-TLS support into openvpn. It's merely an extension of existing
> code but means those who choose to use it would gain the ability to appear
> exclusively as a TCP/TLS transaction - no evidence of vpn traffic at all.
>
There's a dilemma about what to include in "openvpn core".
While several advanced transport options like socks5 or http-proxy (even
with working ntlm!!) are included in openvpn core, you will always hear
"we do not want any obfuscation included in openvpn core" (while it might
be considered another transport option).
Please notice, you will not hear "ok, provide patches". It makes me think
that the actual reason for not including any obfuscation in core is something
people usually do not talk about.
So, you will have more luck if you provide patches and remove the word
"obfuscation" from them. I think "advanced transport option" is a good
replacement for "obfuscation".
>
> ie, set up squid on your openvpn server with a TLS port (https_port), acl
> it down to only be a proxy for localhost:1194 (say). Then configure openvpn
> client as
>
> <connection>
> remote localhost 1194 tcp
> http-proxy squid.server 443
> </connection>
>
> All anyone would see is the client making a TLS (with SNI) connection to
> https://squid.server/ (and lots of traffic...). Would look effectively
> identical to Skype, Hangouts, etc. ie large volumes of (assumed) HTTPS
> traffic. Could probably configure squid so that it defaults to a real
> Apache server, and does the "trick" just for "CONNECT localhost:1194" -
> that way even connecting to it would show a website
>
> Hmm, on second thoughts, this would be easier/cleaner to do in Apache via
> mod_proxy...
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>
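The proxy lock-down Jason describes ("acl it down to only be a proxy for localhost:1194"), sketched as a squid.conf fragment. This is an added illustration, not configuration posted by anyone in the thread; the certificate paths and ACL names are placeholders, and the directives follow Squid 3.5 syntax. It shows the permissive rule that would turn the TLS port into an open CONNECT relay next to the restricted form.

```conf
# Added illustration; file paths and ACL names are assumptions.
# TLS listener for the proxy (needs a Squid build with OpenSSL support).
https_port 443 cert=/etc/squid/PLACEHOLDER-cert.pem key=/etc/squid/PLACEHOLDER-key.pem

# What a tunnel request to the local OpenVPN TCP listener looks like.
acl CONNECT method CONNECT
acl ovpn_host dst 127.0.0.1/32
acl ovpn_port port 1194

# Too permissive: any client could tunnel to any host and port
# through this server, making it an open relay on 443.
# http_access allow CONNECT

# Restricted: CONNECT is accepted only for 127.0.0.1:1194.
http_access allow CONNECT ovpn_host ovpn_port

# Everything else is refused, including ordinary proxy requests.
http_access deny all
```

Because `http_access` rules are evaluated in order and the first match wins, the final `deny all` is what keeps the port from serving any destination other than the one allowed above it.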