Re: [Openvpn-users] OpenVPN on port 443
On 24.01.24 13:31, Hans via Openvpn-users wrote:
> From: "Gert Doering" <g...@greenie.muc.de>
> Date: Wednesday, 24 January 2024 at 13:03:30
>
>> On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis via Openvpn-users wrote:
>>> How can I make OpenVPN look like an HTTPS connection?
>>
>> You can't. OpenVPN is not https, so even if you use tcp/443, on a close
>> enough look it will be clear "this is not HTTPS".
>
> How about using stunnel instead?

stunnel may be able to wrap your (TCP) traffic into TLS, whose unencrypted parts may look more or less like the TLS interwoven into HTTPS, but it still won't make your hours-long single-server VPN connection with keepalives and key renegs in regular intervals and carrying an SSH login with its single-keystroke upstream packets look like you browsed a couple websites.

Also, don't forget to configure the VPN server with --port-share, in case one of the nation-level censors you're trying to fool gets the idea of looking at your "interesting website" himself ...

Kind regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN on port 443
How about using stunnel instead?

From: "Gert Doering" <g...@greenie.muc.de>
Date: Wednesday, 24 January 2024 at 13:03:30
To: "Peter Davis" <peter.davis1...@proton.me>
Cc: "openvpn-users@lists.sourceforge.net" <openvpn-users@lists.sourceforge.net>
Subject: Re: [Openvpn-users] OpenVPN on port 443

Hi,

On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis via Openvpn-users wrote:
> How can I make OpenVPN look like an HTTPS connection?

You can't. OpenVPN is not https, so even if you use tcp/443, on a close enough look it will be clear "this is not HTTPS".

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] OpenVPN on port 443
Hello,

On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis wrote:
> I am testing this scenario in a virtual environment before moving it to the
> real world.

So, use subnets within private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or possibly some other reserved addresses [1]. Do not use public addresses unless you own them.

> How can I make OpenVPN look like an HTTPS connection?

Do you mean to obfuscate OpenVPN traffic so that an attacker thinks it is legit web traffic?

I don't think OpenVPN does that: but you can run OpenVPN over TCP over tor, and use all obfuscation methods that tor supports (obfs4, maybe even snowflake), some of them look like HTTPS.

PS: please quote correctly (removing non pertaining text).

[1] https://en.wikipedia.org/wiki/Private_network
Re: [Openvpn-users] OpenVPN on port 443
Hi,

On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis via Openvpn-users wrote:
> How can I make OpenVPN look like an HTTPS connection?

You can't. OpenVPN is not https, so even if you use tcp/443, on a close enough look it will be clear "this is not HTTPS".

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
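Added example (not part of the thread and not OpenVPN project code): a simplified Python sketch of the "close enough look" mentioned above, as a network monitor might apply it to the first client bytes on tcp/443. The function name and the sample byte strings are constructed for illustration; the opcode values are those of the OpenVPN wire protocol.

```python
import struct

# OpenVPN control opcodes with which a client opens a session. The opcode is
# the high 5 bits of the byte that follows the 2-byte TCP length prefix; the
# low 3 bits are the key id (0 on a new session).
OPENVPN_CLIENT_RESETS = {
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

def classify_first_bytes(data):
    """Label the first client bytes of a TCP stream (hypothetical helper)."""
    if len(data) < 6:
        return "unknown"  # not enough bytes to decide
    # TLS: record type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls-client-hello"
    # OpenVPN over TCP: 2-byte big-endian packet length, then opcode/key-id.
    (pkt_len,) = struct.unpack("!H", data[:2])
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # Smallest reset packet: opcode + 8-byte session id + ack count + 4-byte id.
    if opcode in OPENVPN_CLIENT_RESETS and key_id == 0 and pkt_len >= 14:
        return "openvpn-hard-reset"
    return "unknown"

# Constructed samples: start of a TLS ClientHello record, and a minimal
# OpenVPN hard-reset packet with an all-zero session id.
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303")
SAMPLE_OPENVPN = bytes.fromhex("000e38") + bytes(8) + b"\x00" + bytes(4)

if __name__ == "__main__":
    for name, blob in (("tls", SAMPLE_TLS), ("openvpn", SAMPLE_OPENVPN)):
        print(name, "->", classify_first_bytes(blob))
```

Moving the listener to port 443 changes neither byte pattern, which is why the port number alone does not make the stream look like HTTPS.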
Re: [Openvpn-users] OpenVPN on port 443
On Wednesday, January 24th, 2024 at 11:18 AM, Marc SCHAEFER wrote:

> Hello,
>
> On Wed, Jan 24, 2024 at 06:14:22AM +, Peter Davis via Openvpn-users wrote:
>
> > 1- I don't understand what you mean about "server 20.20.0.0 255.255.255.0".
> > What is the difference between IP range 10.X and 20.X?
>
> 10.0.0.0/8 is a private range, that you can use as you please for private
> networks, including 10.0.0.0/24.
> 20.20.0.0/24 is:
>
> schaefer@reliant:~$ whois 20.20.0.0
>
> NetRange: 20.0.0.0 - 20.31.255.255
> CIDR: 20.0.0.0/11
> NetName: MSFT
> NetHandle: NET-20-0-0-0-1
> Parent: NET20 (NET-20-0-0-0-0)
> NetType: Direct Allocation
> OriginAS:
> Organization: Microsoft Corporation (MSFT)
> RegDate: 2017-10-18
> Updated: 2021-12-14
> Ref: https://rdap.arin.net/registry/ip/20.0.0.0
>
> OrgName: Microsoft Corporation
> OrgId: MSFT
> Address: One Microsoft Way
> [ ... ]
>
> This will work, as long as you have a NAT between those addresses and
> Internet,
> and obviously you won't be able to contact any of those Microsoft IPs anymore,
>
> In short: bad idea. Use private ranges only (or any public range that you
> own).
>
> > 2- But this is a remote server, not an internal server, and I want to
> > connect to this server through OpenVPN, but my connection looks like HTTPS.
>
> Parse error.

Hello,

Thanks. I am testing this scenario in a virtual environment before moving it to the real world. For this reason, my server has two NICs. One that is directly connected to the Internet (enp0s3) and the other to the internal network (enp0s8). What is the problem?

How can I make OpenVPN look like an HTTPS connection?
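Added example (not part of the thread): a small Python check for the addressing point quoted above. It reads an OpenVPN config and reports whether each "server NETWORK NETMASK" directive lies inside the three private ranges named in the thread. The function name and both sample configs are constructed for illustration.

```python
import ipaddress

# The private ranges named in the thread (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_server_directives(config_text):
    """Return (line_no, subnet, verdict) for each `server` directive."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        # '#' and ';' are treated as comment starters.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3 or fields[0] != "server":
            continue
        try:
            # strict=True rejects a network address with host bits set.
            net = ipaddress.ip_network(f"{fields[1]}/{fields[2]}", strict=True)
        except ValueError:
            findings.append((line_no, f"{fields[1]} {fields[2]}", "invalid"))
            continue
        private = any(net.subnet_of(r) for r in PRIVATE_RANGES)
        findings.append((line_no, str(net), "private" if private else "public"))
    return findings

# Constructed sample configs, not taken from a real deployment.
PUBLIC_CONF = """\
# constructed sample
port 443
proto tcp
server 20.20.0.0 255.255.255.0
;server 10.8.0.0 255.255.255.0
"""
PRIVATE_CONF = "proto tcp\nserver 10.8.0.0 255.255.255.0  # tunnel subnet\n"

if __name__ == "__main__":
    for name, conf in (("public", PUBLIC_CONF), ("private", PRIVATE_CONF)):
        print(name, check_server_directives(conf))
```

A "public" verdict is the case described in the quoted reply: the tunnel subnet shadows addresses allocated to someone else, so clients lose reachability to the real hosts in that range.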
Re: [Openvpn-users] OpenVPN on port 443
On 24.01.24 08:48, Marc SCHAEFER wrote:
> and obviously you won't be able to contact any of those Microsoft IPs anymore,

Considering all the times Peter mentioned that "evade [nation-level] censors" is among his objectives, blackholing the clients' connections to Microsoft (auto)update servers while they're deep-diving might well be the *idea*. :-3

Kind regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH