Ways to obfuscate VPN connections

This is an area that I've ignored for too long. More and more countries are using DPI to detect VPN connections. And their systems test suspected servers for VPN-specific response patterns. There are good introductions at http://www.ab9il.net/crypto/openvpn-cloaking.html and https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/ .

I gather that there are at least two approaches for hiding VPN connections. One approach, which is offered by AirVPN, uses stunnel. The other, which is offered by iVPN, uses obfsproxy (developed by the Tor Project). Both tunnel TCP-mode VPN links through an additional SSL layer. I gather that stunnel simulates HTTPS, while obfsproxy can simulate various sorts of SSL connections, using plug-ins.

I also gather that neither approach totally hides OpenVPN. Neither hides packet size or timing, and the OpenVPN handshake is distinctive. Also, neither prevents the throttling of all encrypted traffic

Anyway, I plan to test these approaches for usability and effectiveness. Initially, I'll capture traffic with Wireshark,
and compare IO graphs. I invite suggestions of other approaches, other providers, other analytic approaches, etc.

 

I assume you have read through the Air stuff on how to use these. You actually have two options: SSH or SSL. The procedures were put in place to directly address the DPI issues that China caused for Air customers that live there. Both methods allow for bypassing an extremely sensitive DPI (deep packet inspection) process. I am not sure you are correct about the visibility of OpenVpn. The fingerprint that China was detecting was the OpenVpn signature. The two methods I mentioned allow for the payload packets to pass undetected as OpenVpn packets. There was never an issue where China could actually read the contents of the payload package, only that they discovered via DPI how to see OpenVpn was being used. Once seen they would take action.

 

The link that I have is < https://airvpn.org/ssl/ >. What else do you recommend that I read?

I'm not saying that packets can be characterized as OpenVPN vs SSH or whatever. I'm wondering whether patterns of packets over time, including changes in packet size, can be used to distinguish between OpenVPN and other protocols.

 

Here are a two example Wireshark IO charts. The first is from a capture on pfSense WAN interface. An Insorg client starts connecting at 60 seconds. The second is from a capture on pfSense Insorg interface. A connection to https://www.google.ru/ starts at 60 seconds, and a connection to the same URL in a new tab starts at 180 seconds.

They're quite different, no?

 

Interesting idea.

 

On the reading, only that you follow the links inside the page that pops up using the link you pasted. The stunnel page also has further nested links to follow along. Don't rule out SSH either because its solid. I do like stunnel because its open source.

This thread is a thinker! You would be inclined to assume Gov "control" as thorough as China would be proactive if the stunnel "wrapper" could easily be torn away, making the OpenVpn inside traceable. Let me think on this. Its a great question to consider.

 

VyperVPN have introduced the Chameleon protocol which is supposed to ensure OpenVPN packet metadata is not recognizable via DPI. I'm not sure whether this is a third way.

Source: http://www.goldenfrog.com/vyprvpn/chameleon

 

Thanks, I'll take a closer look.

And yes, open source is important.

I've read that GFW also probes servers to see if they're speaking OpenVPN, IPSec, or whatever.

This is already an important issue for those in China, Iran and other countries that block VPN connections. And it may well become important more broadly. But it takes using VPNs from being at least somewhat suspicious to circumventing blocks. That may well become outright illegal, with consequences.

It's too bad that I can't test inside China, Iran etc. If anyone knows a VPN with an exit in a country that blocks, please share.

 

Thanks

However, their approach is closed source. Maybe that's security through obscurity