Hiding OpenVPN server traffic
As internet censorship tightens worldwide, governments are becoming more active in stopping people from using VPNs to evade the restrictions they impose. China has been very firm in this regard: its “Great Firewall” can block VPN services from entering or leaving China. Advanced and sophisticated firewalls use Deep Packet Inspection (DPI) to identify the type of encryption being used, such as OpenVPN’s SSL encryption. This problem can be solved in a number of ways, but all require server-side configuration knowledge and some technical expertise. A user who really wants to hide VPN traffic should contact the service provider about implementing one of the solutions below:
Port Forwarding of OpenVPN through the TCP port 443
This is the simplest method. It does not require server-side implementation and can be performed easily from the client’s end. OpenVPN utilizes TCP port 80 by default, so firewalls keep an eye on port 80 and other frequently used ports. If they detect encrypted traffic on these ports, they immediately reject it. Port 443 is normally used by the HTTPS protocol for securing https:// websites. It is used all over the internet by Gmail, Facebook, Twitter, banks and other important web services.
OpenVPN uses SSL encryption just like HTTPS does, and therefore it is very hard to spot over port 443. Blocking port 443 would cripple internet access, so it is not really a good option for web censors. Port forwarding is a familiar feature in traditional OpenVPN clients, and changing the port number to 443 is very easy. Contact the VPN provider to obtain a client that supports this.
Obfsproxy
Obfsproxy wraps data in an obfuscation layer, which makes it hard for web censors to find out which protocol (OpenVPN or other) is being used. The tool has recently been incorporated by the Tor network because China has restricted users from accessing Tor nodes. It can also be set up for OpenVPN. For it to work, obfsproxy must be installed on both the VPN server and the client’s computer. Obfsproxy is easier to configure and set up than other tunneling techniques.
OpenVPN through SSL tunnel
An alternative is an SSL (Secure Sockets Layer) tunnel. Many proxy servers use one to secure their connections, and it can also be applied to hide the use of the OpenVPN protocol. OpenVPN uses TLS/SSL for encryption, but in a way that differs from the normal SSL protocol, and sophisticated DPI can detect this. To avoid detection, OpenVPN data can be wrapped inside an extra encryption layer. DPI cannot see past the outer layer of SSL encryption, so the OpenVPN encryption remains hidden inside. The multi-platform stunnel software is used for making SSL tunnels. It must be installed and configured on both the client computer and the server, so any user who wants to use this technique needs to discuss the matter with the VPN provider and obtain configuration guides from them.
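The difference a DPI sensor looks for on port 443 can be shown with a first-bytes check. This is an added example, not code from the original article; it assumes OpenVPN's TCP framing (2-byte length prefix, then an opcode byte) and uses constructed sample bytes rather than captured traffic.

```python
import struct

# Client session-opening opcodes (high 5 bits of the OpenVPN opcode byte).
OVPN_CLIENT_RESET = {7: "P_CONTROL_HARD_RESET_CLIENT_V2",
                     10: "P_CONTROL_HARD_RESET_CLIENT_V3"}

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP flow on port 443."""
    if len(payload) < 6:
        return "unknown"
    # TLS record header: content type, version (major, minor), record length.
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if (ctype == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < rec_len <= 16384 and payload[5] == 0x01):
        return "tls-client-hello"  # handshake record carrying a ClientHello
    # OpenVPN over TCP: 2-byte packet length, then opcode (5 bits) | key id (3 bits).
    (pkt_len,) = struct.unpack("!H", payload[:2])
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    # Heuristic bounds (assumption): a reset packet is at least 14 bytes and small.
    if opcode in OVPN_CLIENT_RESET and key_id == 0 and 14 <= pkt_len <= 256:
        return "openvpn-tcp"
    return "unknown"

# Constructed samples (not captured traffic).
SAMPLE_OPENVPN = b"\x00\x0e\x38" + bytes(range(1, 9)) + b"\x00" + b"\x00" * 4
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # truncated ClientHello
SAMPLE_HTTP = b"GET / HTTP/1.1\r\n"

def scan(flows: dict) -> dict:
    """Map each flow name to the classifier's verdict."""
    return {name: classify_first_bytes(data) for name, data in flows.items()}

if __name__ == "__main__":
    flows = {
        "openvpn moved to tcp/443": SAMPLE_OPENVPN,
        "https or stunnel-wrapped openvpn": SAMPLE_TLS,
        "plain http sent to 443": SAMPLE_HTTP,
    }
    for name, verdict in scan(flows).items():
        print(f"{name:34s} {verdict}")
```

OpenVPN moved to port 443 without a wrapper still opens with its own framing, while a flow wrapped in an SSL tunnel opens with an ordinary TLS ClientHello and is indistinguishable from HTTPS at this level of inspection.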