Stealth mode / obfuscation OpenVPN

Dear Community,

my ISP slows down every VPN connection (Vodafone Kabel).
This also has an impact on my OpenVPN server.

You can use a stealth mode or obfuscation to add another layer to the protocol and hide the traffic, for example on port 443.

Now I need help.
I would like to configure the stealth mode on the OpenVPN in IPFire.
Does someone have an idea how to do it correctly on IPFire, or maybe a how-to?

Thanks a lot
Best Regards

If your ISP identifies the OpenVPN traffic just by filtering the traffic to port 1194, you can just easily change the port in the configuration web page of IPFire.

If instead the ISP is doing deep packet inspection, as you said you need to encapsulate the traffic inside another protocol, e.g. the HTTPS protocol. For this purpose you need to install another server (a sort of reverse proxy) running in front of the OpenVPN server that takes the packets coming from the OpenVPN server and encapsulates them in HTTPS packets. Therefore you also need another proxy server that takes those packets, correctly de-encapsulates them and forwards them to the OpenVPN instance on the other side of the tunnel.

This is true for client-server communication (roadwarrior) or server to server (net-to-net) communication.

Here is a tutorial on how to do that in Ubuntu using obfs4proxy as a reverse proxy server. This software is not available as a plug-in in IPFire, therefore either you package it or you use another machine in your LAN to do the reverse proxy job running obfs4proxy. Another possibility is to use a reverse proxy available as a plug-in in IPFire like nginx; a quick Google search gave me this tutorial, but I have no idea if this is accurate.

2 Likes

Hi all,
another possibility might be '--tls-crypt'. According to the OpenVPN reference manual, the following three points

  • provides more privacy by hiding the certificate used for the TLS connection
  • makes it harder to identify OpenVPN traffic as such
  • provides “poor-man’s” post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy)

are the main differences to the '--tls-auth' already existing on IPFire.
A topic in the OpenVPN forum also discusses a related problem where it seems that '--tls-crypt' does a good job.

Since '--tls-crypt' uses the same static key as '--tls-auth', you would only need to change the directive if you have an active '--tls-auth', from
server side:
tls-auth /var/ipfire/ovpn/certs/ta.key
to
tls-crypt /var/ipfire/ovpn/certs/ta.key

and the same on the client side. Maybe a try can deliver more insights into whether this works.

Best,

Erik

P.S.: As cfusco already wrote, changing the port might also be important, but I would leave UDP as the protocol for the first try.
Also, SSLH might be an idea for encapsulating OpenVPN packets into HTTPS, just as an addition to the above-mentioned possibility.

6 Likes
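To make the tls-auth to tls-crypt switch described above less error-prone on both sides, here is an added example (not from the thread, not IPFire code) that rewrites the directive in a config file and checks the result. It assumes the IPFire key path quoted above and uses constructed sample configs; tls-crypt reads the same ta.key file but takes no direction argument, so the script also drops any key-direction line, which tls-crypt does not use.

```shell
#!/bin/sh
# Added example: migrate an OpenVPN config from tls-auth to tls-crypt.
# Inline <tls-auth> blocks are not handled; only the one-line directive is.
set -eu

# migrate_tls_crypt FILE: print FILE with "tls-auth KEY [0|1]" rewritten to
# "tls-crypt KEY" and any "key-direction" line removed; other lines untouched.
migrate_tls_crypt() {
  sed -E \
    -e 's/^[[:space:]]*tls-auth[[:space:]]+([^[:space:]]+)([[:space:]]+[01])?[[:space:]]*$/tls-crypt \1/' \
    -e '/^[[:space:]]*key-direction[[:space:]]+[01][[:space:]]*$/d' \
    "$1"
}

# check_tls_crypt FILE: succeed only if FILE has exactly one tls-crypt line and
# no tls-auth line left (OpenVPN does not accept both directives together).
check_tls_crypt() {
  [ "$(grep -c '^tls-crypt ' "$1")" -eq 1 ] && ! grep -q '^tls-auth ' "$1"
}

# Constructed sample: a minimal server config using the IPFire key path from
# the thread, plus a client profile that must be changed in the same way.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.conf" <<'EOF'
proto udp
port 1194
tls-auth /var/ipfire/ovpn/certs/ta.key 0
cipher AES-256-GCM
EOF
cat > "$demo_dir/client.ovpn" <<'EOF'
client
remote vpn.example.invalid 1194 udp
tls-auth ta.key 1
key-direction 1
EOF

for f in "$demo_dir/server.conf" "$demo_dir/client.ovpn"; do
  migrate_tls_crypt "$f" > "$f.new" && mv "$f.new" "$f"
  check_tls_crypt "$f" || { echo "migration of $f failed" >&2; exit 1; }
  echo "== $f"; cat "$f"
done
rm -rf "$demo_dir"
```

Run it against copies of the real server and client files first; the static key itself stays unchanged, only the directive differs.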

Thanks for your feedback and input.
Of course I will first try the "easy" things like tls-auth and the OpenVPN port.

Do you have any recommendation for a port? I can normally use any dynamic port.

Thanks !

No real recommendation but e.g.

snmpdtls         10161   udp       SNMP-DTLS
hncp-dtls-port   8232    udp       HNCP over DTLS
odette-ftps      6619    tcp/udp   Odette File Transfer Protocol (OFTP) over TLS/SSL (Official)

if you do not use one of those services... but anything is possible for a try :wink: ...

Best,

Erik

1 Like

my ISP slows down every VPN connection (Vodafone Kabel).

Hi,

could you please add some evidence for your statement? Since I am a customer of the same provider, I would like to learn how you got notice of this.

Thx!

1 Like

Hi,

if you have the same provider, I will add a link that explains the traffic shaping (German).

I use a VPN service, too.
I made some tests with obfuscation and different ports.
In normal usage I get 100 Mbit (you can see there is exactly a limit); with some tweaks I get 200 Mbit, but no more.
(And yes, the VPN provider can provide speeds up to 1 Gbit.)

Cable providers are shaping all the protocols for Netflix, Disney+, HBO, etc. because of DOCSIS.
It is not a secret and a normal technique of the cable providers.

Best Regards

1 Like