
#1 2017-08-10 19:08:28

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Need obfuscation on home OpenVPN server [SOLVED]

I am running OpenVPN on a home server set up to listen on port 443/TCP in order to maximize compatibility with the external networks to which I connect with my many devices. With this setup, I have been reliably able to connect to my OpenVPN box from many public wifi networks until now on certain wifi networks. When I connect my iphone to a particular wifi network I am unable to connect to the VPN. This suggests more sophisticated blocking strategies to me based on my reading.

It seems that I need to use a utility like obfsproxy on both the server and client (iphone). This particular solution won't work as obfsproxy isn't offered for iphones. I am seeking suggestions that will work with Apple devices. The goal is to circumvent whatever VPN-countermeasures are in place.

Last edited by graysky (2018-11-11 15:43:39)


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#2 2017-08-10 19:59:20

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,789

Re: Need obfuscation on home OpenVPN server [SOLVED]

Not sure about obfsproxy, but are you sure you are not just fighting some good-ole-fashioned captive portal?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2017-08-10 20:19:21

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Need obfuscation on home OpenVPN server [SOLVED]

For your personal needs, you could probably use stunnel, instead of openvpn. Then, Deep Packet Inspection would be more likely to recognize the traffic as "legitimate" HTTPS.


#4 2017-08-10 20:19:27

progandy
Member
Registered: 2012-05-17
Posts: 5,193

Re: Need obfuscation on home OpenVPN server [SOLVED]

Maybe this particular network is blocking traffic on SSL ports or forcing it through their own SSL proxy? Maybe try port 80 or IMAP/SMTP ports instead?


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#5 2017-08-10 20:29:29

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Need obfuscation on home OpenVPN server [SOLVED]

All good suggestions. 

@ewaller - Not sure about CP.  Need to read up on it.
@brebs - My use case is iphone --> VPN so I don't think stunnel is an option, is it?
@progandy - I don't know how to tell if a proxy is present.  The iphone simply connects to the wifi.

I did find this openvpn-over-https blog entry.  It's not totally clear to me how that differs from just running openvpn on 443/TCP but I need to spend some additional time re-reading it.

EDIT: finally got around to trying the setup I linked above. For the sake of completeness, here is a post that might interest others trying this as well.  It relates to the security of running the setup.

Last edited by graysky (2017-08-12 09:52:54)



#6 2017-08-10 20:41:22

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,789

Re: Need obfuscation on home OpenVPN server [SOLVED]

I did find this for android: https://play.google.com/store/apps/deta … pps.tunnel
It looks like it will stunnel....



#7 2017-08-10 21:35:20

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Need obfuscation on home OpenVPN server [SOLVED]

You could try shadowsocks, maybe with the simple-obfs plugin. I suppose these should be available for iphone too since they are made to go around a famous firewall.

That said, if the problem is DPI and you wanted to make the traffic look as much like genuine ssl traffic as possible I would also say stunnel, but the lack of smartphone clients breaks the deal.

That openvpn port sharing looks neat but I kind of doubt it will fool anything but the most basic packet inspection. Openvpn's traffic is easy to fingerprint and the devs have said they have no intention of changing that. I think there was someone who had implemented some simple obfuscation, if I recall just xor the transmitted data with some fixed value and then xor it again upon reception, but I don't know if that has been kept up to date and if there are any apps for smartphone.

Another thing that might still be able to fly under the radar is wireguard, but just like other solutions there are no smartphone apps.

Edit:
I forgot to say, if using some tls based solution such as stunnel make sure you set it up so both sides authenticate each other. Last time I checked it was quite easy to set up an insecure stunnel server. It seems they have since changed the configuration options and explain a little better which certificates you need and where to make things secure.

Last edited by R00KIE (2017-08-10 21:37:55)


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#8 2017-08-10 21:50:23

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Need obfuscation on home OpenVPN server [SOLVED]

Related Slashdot article, with great timing :)


#9 2017-08-11 06:49:47

kokoko3k
Member
Registered: 2008-11-14
Posts: 2,394

Re: Need obfuscation on home OpenVPN server [SOLVED]

In the past I had success in using tinc on port 23.


Help me to improve ssh-rdp !
Retroarch User? Try my koko-aio shader !


#10 2017-08-15 19:44:38

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Need obfuscation on home OpenVPN server [SOLVED]

graysky wrote:

...

I did find this openvpn-over-https blog entry.  It's not totally clear to me how that differs from just running openvpn on 443/TCP but I need to spend some additional time re-reading it.

An update: if I try to connect via my iphone to my OpenVPN server (443/tcp) while connected to that wifi source using a conf that has my domain specified the connection times out. If I try the same using a config that uses my numerical WAN IP address, it also times out. Interestingly, if I browse to https://mydomain.com that too times out BUT if I browse to https://my.ip.addy it connects. What can we conclude?

Seems as if they are not blocking my IP to https but somehow blocking DNS resolution. As well, they seem able to block OpenVPN traffic. I would like to circumvent this but am unsure what the next steps would be to do it without a jailbroken phone.



#11 2017-08-15 20:06:39

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Need obfuscation on home OpenVPN server [SOLVED]

graysky wrote:

Seems as if... blocking DNS resolution

Is there no app available on iphone, to check DNS resolution, so you can be *certain* about this?

I think this should be moved to the iphone forum, since Linux isn't the limiting factor here ;)


#12 2018-07-29 22:13:33

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Need obfuscation on home OpenVPN server [SOLVED]

Old thread but unsolved issue.  Disregard my observations about DNS.  Let me quickly recap:

Need: allow iphone to use openvpn to connect to my home openvpn box on a wifi network that has some mechanism of blocking it.

What has been tried on the iphone and that has failed:
* Running an openvpn profile using a commercial openvpn service (port 443/UDP)
* Running an openvpn profile to my home openvpn server on port 443/TCP (failed to connect)
* Running an openvpn profile to my home openvpn server on port 443/UDP (failed to connect)
* Running an openvpn profile to my home openvpn server on port 44101/TCP (failed to connect)

Here is an example log from the iphone connected to wifi attempting to get out to my server:

2018-07-28 13:16:59 EVENT: RESOLVE
2018-07-28 13:16:59 Contacting [xxx.xxx.xxx.xxx]:443/TCP via TCP
2018-07-28 13:16:59 EVENT: WAIT
2018-07-28 13:16:59 Connecting to [www.my.openvpn.server.net]:443 (xxx.xxx.xxx.xxx) via TCPv4
2018-07-28 13:16:59 TCP recv EOF
2018-07-28 13:16:59 Transport Error: Transport error on 'www.my.openvpn.server.net: NETWORK_EOF_ERROR
2018-07-28 13:16:59 EVENT: TRANSPORT_ERROR Transport error on 'www.my.openvpn.server.net: NETWORK_EOF_ERROR [ERR]
2018-07-28 13:16:59 Client terminated, restarting in 5000 ms...
2018-07-28 13:17:00 EVENT: DISCONNECTED
2018-07-28 13:17:00 Raw stats on disconnect:
  BYTES_OUT : 56
  PACKETS_OUT : 1
  NETWORK_EOF_ERROR : 1
  TRANSPORT_ERROR : 1
2018-07-28 13:17:00 Performance stats on disconnect:
  CPU usage (microseconds): 60493
  Network bytes per CPU second: 925
  Tunnel bytes per CPU second: 0
2018-07-28 13:27:31 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-07-28 13:27:31 Frame=512/2048/512 mssfix-ctrl=1250
2018-07-28 13:27:31 UNUSED OPTIONS
3 [resolv-retry] [infinite]
4 [nobind]
5 [persist-key]
6 [persist-tun]
7 [verb] [3]

Thanks for any suggestions.



#13 2018-07-30 20:45:15

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Need obfuscation on home OpenVPN server [SOLVED]

I would check the server logs and see if anything at all reaches the server. If possible try connecting with a different device when connected to the same network, ideally a pc with arch and openvpn :P so you can increase the verbosity level as there may be some clue there.

If "normal" https sites work then most probably you are up against deep packet inspection and the only way around that might be encapsulating the openvpn traffic inside something else like ssl.



#14 2018-07-30 21:28:55

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Need obfuscation on home OpenVPN server [SOLVED]

@R00KIE - Excellent idea, will try it and report back.

Last edited by graysky (2018-07-30 21:42:13)



#15 2018-08-01 09:50:34

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Need obfuscation on home OpenVPN server [SOLVED]

I don't get anything on my home server when trying to connect and verb 6 enabled on the server.



#16 2018-08-01 10:06:46

progandy
Member
Registered: 2012-05-17
Posts: 5,193

Re: Need obfuscation on home OpenVPN server [SOLVED]

Maybe you are lucky and only openvpn is blocked. Then you can try cisco anyconnect on iOS with the openconnect server (ocserv).

Edit: Did you try to run an https server on your home server to test if at least that works?

Last edited by progandy (2018-08-01 10:08:46)
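
The HTTPS test suggested above can also answer the earlier question of how to tell whether a proxy is present. The following is an added example, not part of any post in this thread: run from a laptop on the same wifi, it compares the certificate presented on the home server's port with a fingerprint recorded beforehand. The function names, verdict labels and the constructed sample bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

# What each verdict means for the hypotheses raised in the thread.
MEANING = {
    "passthrough": "own certificate seen: TLS on this port is untouched, "
                   "so the block targets the VPN protocol itself (DPI)",
    "intercepted": "foreign certificate seen: a TLS proxy or captive portal "
                   "answered instead of the home server",
    "blocked": "no TLS session at all: the port or address is filtered or reset",
}

def classify(presented_der, pinned_sha256):
    """Compare the leaf certificate the network delivered with the pinned one."""
    if presented_der is None:
        return "blocked"
    seen = hashlib.sha256(presented_der).hexdigest()
    # Accept the pin as plain hex or as colon-separated upper-case hex.
    if seen == pinned_sha256.replace(":", "").lower():
        return "passthrough"
    return "intercepted"

def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER leaf certificate presented for host:port, or None on failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the pin is the trust decision, not a CA path
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate so it can be inspected
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:                  # covers refused, reset, timeout and ssl.SSLError
        return None

def probe(host, pinned_sha256, port=443):
    verdict = classify(fetch_leaf_der(host, port), pinned_sha256)
    return verdict, MEANING[verdict]

# Constructed stand-ins for DER certificates, so the logic can be exercised offline.
HOME_CERT = b"constructed: home server certificate bytes"
PROXY_CERT = b"constructed: interception proxy certificate bytes"
PIN = hashlib.sha256(HOME_CERT).hexdigest()

if __name__ == "__main__":
    for label, der in (("home", HOME_CERT), ("proxy", PROXY_CERT), ("none", None)):
        verdict = classify(der, PIN)
        print(label, "->", verdict, "-", MEANING[verdict])
```

On the real network, call `probe()` with the server's hostname or IP address and the SHA-256 fingerprint of its certificate, recorded while on a trusted connection.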



#17 2018-08-01 11:07:47

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Need obfuscation on home OpenVPN server [SOLVED]

@progandy - I will spin up an https server and test it.



#18 2018-11-11 15:43:25

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Need obfuscation on home OpenVPN server [SOLVED]

graysky wrote:

@progandy - I will spin up an https server and test it.

I forgot to update: the solution (which I find baffling) is to use port 80/TCP for OpenVPN traffic.  How can a network admin block 443/TCP for encrypted traffic via OpenVPN but leave 80/TCP open?

R00KIE wrote:

Another thing that might still be able to fly under the radar is wireguard, but just like other solutions there are no smartphone apps.

When you posted this, R00KIE, it was true.  I wanted to point out that as of 6 days ago, Roopesh and Jason announced an alpha/beta app for iOS:

https://lists.zx2c4.com/pipermail/wireg … 03526.html
https://github.com/trailofbits/algo/issues/1190
https://git.zx2c4.com/wireguard-ios/

Last edited by graysky (2018-11-11 15:50:57)

