Configuring your Linux server to hide OpenVPN traffic
When I first moved to Beijing, I used a VPN provided by my alma mater to bypass censorship and access sites like Facebook, Youtube, and news media. But in less than a year, that VPN was blocked. Rather than shell out for a paid service, I tried rolling my own VPN. I learned about Amazon Web Services and OpenVPN to create what became the basis of my tutorial on how to make your own VPN.
And it worked. For about a day. Then it, too, got blocked. I switched the IP address of my server, thinking it was just a coincidence, only to be blocked again a day later.
How was the Great Firewall, a catch-all term for China’s intricate censorship net, able to detect a single encrypted connection to the outside world?
Deep packet inspection.
Deep packet inspection is a technique that the Great Firewall uses to determine if and how a connection is encrypted. That doesn’t mean it can decrypt it; it just knows whether or not you’re hiding something.
OpenVPN is widely regarded as the most secure VPN protocol available for consumers. The encryption standards paired with it bar ISPs, hackers, and law enforcement from snooping on your internet activity. Even though it’s not yet built into mainstream operating systems, a majority of the most trusted VPN providers today offer OpenVPN as the standard protocol.
But OpenVPN is vulnerable to deep packet inspection. The censors would inspect my web traffic, see that it was encrypted using OpenVPN, and add my EC2 server to the blacklist.
This real situation begs the question: can you conceal OpenVPN traffic? You’ll be happy to know that the answer is yes. There are four main techniques used to do so, three of which should theoretically evade the Great Firewall and any other government censorship technology: Obfsproxy, SSL tunneling, and SSH tunneling. Each of these is used to add an additional layer of security around your existing OpenVPN connection.
I recently tested all of them out to see how effective they are and how difficult they are to implement. I don’t live in China anymore, so I tested each of them against Netflix’s new anti-VPN firewall instead. My server is an Amazon Linux 14.04 AMI EC2 instance, and I’m connecting from a Windows PC, though in theory a Linux PC should be even easier since most of this stuff was built for Unix systems in the first place.
Obfsproxy, an obfuscation proxy tool adopted by the Tor community, makes your VPN traffic look like normal, un-encrypted traffic without actually decrypting it. While it’s most commonly used to disguise traffic between Tor clients and bridges, it’s still independent of Tor and thus can be used with OpenVPN.
Of the three tools I tested, it was by far the most effective at evading firewalls. Netflix was none the wiser, nor was HBO Now.
Setup doesn’t require much configuration other than a couple edits to your OpenVPN config file, but Obfsproxy does require a few dependencies. You’ll need Python and OpenSSL installed on both server and client before you can install Obfsproxy.
The biggest downside is that Obfsproxy, by default, won’t run as a background service. That means you must open two terminals–one to SSH to your server and one on the local machine–and run the Obfsproxy command on each for it to work. The terminals must remain open for as long as it’s being used. A few hackers out there have whipped up some scripts to get it running as a service, but it would be nice if this was the default.
I haven’t tried it yet, but I expect that getting Obfsproxy up and running on a mobile device would be even more of a pain.
An SSH tunnel is the easiest of the three safeguards to implement, because you’ve probably already got everything you need. So long as the right ports are open, there’s no need to do anything beyond running OpenVPN on the server side, assuming it’s already configured to use TCP. All that’s needed on the client side is a couple simple tweaks to the OpenVPN config and a quick port forward.
Unfortunately, my OpenVPN and SSH tunnel setup failed the
Netflix test. I received the same error message that I would have if I had just used the VPN by itself. This makes me think Netflix is either a) blocking all encrypted proxies, b) checking the origin of the DNS request of encrypted connections or c) both. A homemade DNS server is next on my project list, as I suspect my DNS leaking could be the culprit.
Even though Netflix blocked the SSH tunnel, the technique should still work on the Great Firewall or other forms of censorship. There’s no reason why Netflix should be receiving SSH-tunneled traffic, but if a whole country were to block it the results would be disastrous. SSH is far too commonly used for other purposes to ban it outright.
One upside to SSH tunneling is that it’s fairly simple to get working on a mobile device. Setup is just a matter of downloading the right apps and migrating the key and config files from your desktop. On a stock iPhone or Android, the most you can do with it is browse the web. If your device is rooted or jailbroken, however, you can open up ports for all your apps.
SSL tunneling with OpenVPN is last on this list because it’s my least favorite. I found Stunnel, the tool typically used to set up an SSL tunnel, far more difficult to configure than Obfsproxy. It requires a hefty amount of configuration on both client and server, and there’s not much documentation for this particular purpose.
Furthermore, it fails the Netflix test. SSL should still conceal your traffic from deep packet inspection, but it still looks encrypted to a deep packet inspector. This is the same problem SSH tunneling runs into.
The biggest advantage I found to SSL tunneling is that Stunnel will run on both client and server indefinitely as a service. That means, once you do get it
set up and functioning, you don’t need to leave terminal windows open.
If you know the ins and outs of Stunnel then go ahead and give it a shot. Novices, however, should probably opt for one of the other two options.
And the winner is…
Having tried all three methods, I definitely recommend Obfsproxy above the rest. Dig up a script to make it run in the background, and you’ve got one
Of course, if you’re not inclined to build your own VPN, a handful of subscription VPNs support these proxy tools, including PIA, NordVPN, and AirVPN. The
config files are provided to the user so they only have to set up the client side. If bypassing Chinese authorities and watching Netflix isn’t a concern,
we’ve rounded up our favorite VPNs for Linux over at Comparitech.
Leave a Reply
You must be logged in to post a comment.