Ways to obfuscate VPN connections

Discussion in 'privacy technology' started by mirimir, Apr 23, 2014.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    This is an area that I've ignored for too long. More and more countries are using DPI to detect VPN connections. And their systems test suspected servers for VPN-specific response patterns. There are good introductions at http://www.ab9il.net/crypto/openvpn-cloaking.html and https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/ .

    I gather that there are at least two approaches for hiding VPN connections. One approach, which is offered by AirVPN, uses stunnel. The other, which is offered by iVPN, uses obfsproxy (developed by the Tor Project). Both tunnel TCP-mode VPN links through an additional SSL layer. I gather that stunnel simulates HTTPS, while obfsproxy can simulate various sorts of SSL connections, using plug-ins.

    I also gather that neither approach totally hides OpenVPN. Neither hides packet size or timing, and the OpenVPN handshake is distinctive. Also, neither prevents the throttling of all encrypted traffic :(

    Anyway, I plan to test these approaches for usability and effectiveness. Initially, I'll capture traffic with Wireshark,
    and compare IO graphs. I invite suggestions of other approaches, other providers, other analytic approaches, etc.
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I assume you have read through the Air stuff on how to use these. You actually have two options: SSH or SSL. The procedures were put in place to directly address the DPI issues that China caused for Air customers that live there. Both methods allow for bypassing an extremely sensitive DPI (deep packet inspection) process. I am not sure you are correct about the visibility of OpenVpn. The fingerprint that China was detecting was the OpenVpn signature. The two methods I mentioned allow for the payload packets to pass undetected as OpenVpn packets. There was never an issue where China could actually read the contents of the payload package, only that they discovered via DPI how to see OpenVpn was being used. Once seen they would take action.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    The link that I have is < https://airvpn.org/ssl/ >. What else do you recommend that I read?
    I'm not saying that packets can be characterized as OpenVPN vs SSH or whatever. I'm wondering whether patterns of packets over time, including changes in packet size, can be used to distinguish between OpenVPN and other protocols.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Here are a two example Wireshark IO charts. The first is from a capture on pfSense WAN interface. An Insorg client starts connecting at 60 seconds. The second is from a capture on pfSense Insorg interface. A connection to https://www.google.ru/ starts at 60 seconds, and a connection to the same URL in a new tab starts at 180 seconds.

    They're quite different, no?

    [​IMG]
    [​IMG]
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Interesting idea.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594

    On the reading, only that you follow the links inside the page that pops up using the link you pasted. The stunnel page also has further nested links to follow along. Don't rule out SSH either because its solid. I do like stunnel because its open source.

    This thread is a thinker! You would be inclined to assume Gov "control" as thorough as China would be proactive if the stunnel "wrapper" could easily be torn away, making the OpenVpn inside traceable. Let me think on this. Its a great question to consider.
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    VyperVPN have introduced the Chameleon protocol which is supposed to ensure OpenVPN packet metadata is not recognizable via DPI. I'm not sure whether this is a third way.

    Source: http://www.goldenfrog.com/vyprvpn/chameleon
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Thanks, I'll take a closer look.

    And yes, open source is important.
    I've read that GFW also probes servers to see if they're speaking OpenVPN, IPSec, or whatever.

    This is already an important issue for those in China, Iran and other countries that block VPN connections. And it may well become important more broadly. But it takes using VPNs from being at least somewhat suspicious to circumventing blocks. That may well become outright illegal, with consequences.

    It's too bad that I can't test inside China, Iran etc. If anyone knows a VPN with an exit in a country that blocks, please share.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Thanks :)

    However, their approach is closed source. Maybe that's security through obscurity ;)
     
Loading...
Thread Status:
Not open for further replies.