Netgate Discussion Forum

    Anyone know openvpn obfuscate technology?

    OpenVPN
      coffeecup25

      I need to know if openvpn obfuscate technology is available using pfSense. If so, how do you configure it?

      Currently, I have two openvpn servers on my router. Both work great. Occasionally, they get blocked, once at a hospital and once at a large public university. Both were on public wifi.

      In both instances, a commercial VPN could get out. They told me they use openvpn-obfuscate technology to get by the problems I encountered.

      One of my servers is tun 443/tcp. I use it for remote browsing. The other is tap 1194/udp. I use it to bridge into my home network securely. The tap interface allows me to securely use my home network just as if I were at home. Remote desktop over the lan exclusively is very secure this way. It's much safer than port forwards and other more traditional connections to the home network.

      Or, is there another way to bypass the blocking I encountered. Changing ports will not work.

        johnpoz LAYER 8 Global Moderator

        So your home pfsense server runs 443/tcp tun, and why exactly do you run 1194/udp on tap?? I rdp to my boxes over my tun connection all the time. You for sure do not need tap to access remote desktop. If you need to broadcast for names ok. So you're saying both your connections via 443 tcp and 1194 udp are blocked into your home server. Or just the 1194 one?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          coffeecup25

          Both were blocked. The public wifi was blocking openvpn without regard to the port used.

          443/tcp tun is for secure remote browsing via the home network. My home ip is visible, not the public wifi ip.

          1194/udp tap is for secure bridging into my home network remotely over public wifi. It gives me access just as if I were sitting in my living room easy chair. I use it for NAS access and remote desktop.

          You are correct that there are many ways to access remote desktop. I prefer this one. It works only over the local lan, requires no open ports that need to be forwarded, and allows multiple layers of security via openvpn and how pfSense implements it.

            johnpoz LAYER 8 Global Moderator

            I am not saying that access to remote desktop over a vpn is not more secure; what I am saying is you sure and the hell do not need tap to do that. I access all my local stuff just like I was in my home via tun. Tap has one purpose, that is when you need broadcast/layer2 traffic over the connection. Doing so comes with its own headaches and less performance since you have to leave the headers, etc.

            So you're saying this location blocked access to openvpn be it tcp or udp and didn't care for port. So it was doing DPI to identify that it was openvpn, but allowed some other vpn protocol? And what vpn protocol was that?

            The only way that I know of "hiding" your openvpn traffic from dpi is to hide it in some other tunnel. Simple ssltunnel could be used, if ssh is open you could run the openvpn inside a ssh tunnel. Or you could use obfsproxy to tunnel your openvpn traffic in.

            You sure it wasn't being blocked because they were enforcing the use of a proxy – this is a much simpler way of blocking the vpn traffic vs doing DPI to identify it's vpn traffic vs common ssl traffic over 443. If such a place is doing dpi on 443 traffic they are most likely doing MITM against ssl in general. I wouldn't want to use such a connection anyway. In such a location just hotspot off your phone and then vpn into your network.

            But you can bounce tcp openvpn off a proxy most of the time, this is yet another reason for the 443/tcp - 443 is almost always open and very friendly to bouncing off locations that force proxy use. I do it off my work proxy all the time ;)

              coffeecup25

              Thank you for your reply.

              I'll look into tun into the home network. I didn't know you could. I assumed tap was the only way. I'll use it as a 3rd server to try to bypass blocking once I figure out how.

              I doubt they were using Deep Packet Inspection. The university might have been as a student exercise. The hospital would have been too cheap to go that far.

              About the proxy stuff … The vendor vpn was openvpn based and they said they use the same ports as I do. If you could point me to a page with documentation about the possible overrides, I can take it from there to learn more about them and give them a try. I'm still a newbie in some respects here.

                coffeecup25

                I just added another openvpn tun server. I didn't notice before that unchecking the force traffic through vpn connection opened a local network box. I'll test it later when I'm away from home. If that's all it took to get to my local lan then I'm a little embarrassed it was that easy. I set it to port 22 for this purpose.

                When downloading the certs I noticed a proxy option. Is that what you were referring to? If so, where is some info that will explain how to use it for obfuscation? This might be effective. Some earlier research used many of the same terms but I could not figure out how to apply them.

                  johnpoz LAYER 8 Global Moderator

                  Yes you can set a proxy to use in your config, or you can just set it on the gui in the client when you use it. When at work on my laptop I set proxy, when I travel and say at a hotel I do not.

                  Keep in mind that if you're running any software firewalls on your machine, they will have to be set to allow the tunnel network you're using to access what you want, ie remote desktop: the windows firewall out of the box would block access other than same segment.

                  For example my tunnel network is 10.0.8/24 so when I remote in I am coming from 10.0.8.100 (I set specific IP in client overrides) so any software firewalls running on your lan would have to allow that network or the specific IP you set for specific remote vpn users, etc.

                  [attached image: openpvnguiproxy.jpg]

                    coffeecup25

                    @johnpoz:

                    Yes you can set a proxy to use in your config, or you can just set it on the gui in the client when you use it.  When at work on my laptop I set proxy, when travel and say at a hotel I do not.

                    Keep in mind that if your running any software firewalls on your machine, they will have to be set to allow your tunnel network your using to access what you want, ie remote desktop the windows firewall out of the box would block access other than same segment.

                    For example my tunnel network is 10.0.8/24 so when I remote in I am coming from 10.0.8.100 (I set specific IP in client overrides) so any software firewalls running on your lan would have to allow that network or the specific IP you set for specific remote vpn users, etc.

                    Thank you! I will look at this more closely soon.

                      coffeecup25

                      Finally got around to testing remote network access via tun. It worked great. Remote desktop fired right up. Simply putting the ipv4 subnet for the main network in the little box worked. I also checked the wins netbios box, although it seemed to work without it being checked. (Hint to next user: don't forget to move the firewall entry for this server above the last 'block all' entry.)

                      More testing is on my to do list.

                      I'm still a tap user, though. At this time, I haven't been able to map a network drive using tun but can easily do so with tap. There may be a lot of overhead with tap and it's certainly more difficult to set up, but the overhead is not noticeable in use and it's convenient in this circumstance. So far.

                      I'm still trying to figure out the proxy setup. I think I'm missing something but it appears to be a common way to bypass network blocks. Any help sites known to anyone?

                        Jackish

                        @coffeecup25:

                        Finally got around to testing remote network access via tun. It worked great. Remote desktop fired right up. Simply putting the ipv4 subnet for the main network in the little box worked. I also checked the wins netbios box, although it seemed to work without it being checked. (Hint to next user: don't forget to move the firewall entry for this server above the last 'block all' entry.)

                        More testing is on my to do list.

                        I'm, still a tap user, though. At this time, I haven't been able to map a network drive using tun but can easily do so with tap. There may be a lot of overhead with tap and it's certainly more difficult to set up, but the overhead is not noticeable in use and it's convenient in this circumstance. So far.

                        I'm still trying to figure out the proxy setup. I think I'm missing something but it appears to be a common way to bypass network blocks. Any help sites known to anyone?

                        FYI, I can map network drive using TUN.

                          coffeecup25

                          @Jackish:

                          FYI, I can map network drive using TUN.

                          Thanks. So can I now, too. pfSense makes it easy. I came from a DD-WRT background and was happy just to get it working in that case. I was originally under the impression that tun was for private browsing and tap was for network browsing.

                          Now I have 3 servers:

                          1 tun for safe remote browsing - easy to sign on to.
                          1 tun for network access: difficult to sign on to and uses different certs and sign on requirements. Also allows safe browsing
                          1 tap just because I had it and it worked fine. Wouldn't do it again, though, now that I know how to make tun 'bridging' work.

                          Still looking for openVPN obfuscate insights. I put the new server on port 4664 tcp (google docs) but don't expect it to hide any better than the other servers.

                            johnpoz LAYER 8 Global Moderator

                            "now that I know how to make tun 'bridging' work."

                            HUH???  You sure and the hell do not need to bridge to access file shares..

                              coffeecup25

                              @johnpoz:

                              "now that I know how to make tun 'bridging' work."

                              HUH???  You sure and the hell do not need to bridge to access file shares..

                              Chill. It's a figure of speech. That's why I put it in quotes. I don't live and breathe routers like you do. Mentally replace 'bridge' with 'network access just as if it were bridged'. If that's wrong terminology, try well ….

                              Anyway, back to the original question about obfuscation .....

                                johnpoz LAYER 8 Global Moderator

                                Bridge would not be the term.. But to your obfuscation question, already answered. The only way to hide that it's openvpn ssl traffic would be to put the tunnel inside a different tunnel, be that normal SSL tunnel or SSH tunnel, etc.

                                  coffeecup25

                                  @johnpoz:

                                  Bridge would not be the term..  But to your obfuscation question, already answered.  The only way to hide that its openvpn ssl traffic would be to put the tunnel inside a different tunnel, be that normal SSL tunnel or SSH tunnel, etc.

                                  Thanks. I expected to still do a lot of look up work after some pointers, but this is still too vague. Just say "I don't know but this is probably what the ones with programming staff who CAN hide it do" next time. My paid VPN providers must make it look like normal traffic. That's why they can get through and my port switch-a-roos don't work.

                                  I guess if it were easy, everyone would be doing it and I wouldn't be asking here.

                                  Thanks, anyway. At least I got tun 'bridging' to work.

                                    johnpoz LAYER 8 Global Moderator

                                    not freaking 'bridging' dude..

                                    What part do you not understand about putting your vpn inside a ssl?? Hot spots for internet traffic sure and the hell are not doing deep packet inspection saying oh shit that is a vpn, block that. They are just blocking non standard ports like UDP 1194.. Run your openvpn connection over tcp 443 so it looks like normal https traffic. Only doing a DPI would where you're at be able to know it's not normal ssl..

                                      FrankZappa @johnpoz

                                      @johnpoz JohnPoz, I understand we can use port TCP 443 for OpenVPN. Is there any way to use it without port forwarding the port i.e. not visible to port scanners? If not, how dangerous is it to leave open port TCP 443 to the internet? ShieldsUP always gives me a warning flag that TCP 443 is open and very dangerous to leave open. Thoughts?

                                        johnpoz LAYER 8 Global Moderator @FrankZappa

                                        @frankzappa said in Anyone know openvpn obfuscate technology?:

                                        Shieds-Up always gives me a warning flag that TCP 443 is open and very dangerous to leave open.

                                        It gives you a warning about ANY Port ;) Opening services to the public is always a risk.. But to access, or even to attempt to access, your vpn the packet has to pass the signature check.. Or it's just dropped..

                                        example:

                                        Oct 7 18:08:43 	openvpn 	68875 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

                                        Lookup how the tls key auth works.

                                        Is there any way to use it without port forwarding the port i.e. not visible to port scanners?

                                        No - how would that work.. The only thing you could do would be to limit the source IP on who can talk to the service. Sure if you know what IPs would be talking to you, you could prevent them from talking to your service, and the firewall would just drop the traffic because the source IP is not on the allow list..

                                        You can with say pfblocker create an alias that only allows say IPs from the company your phone uses for cell connections. Or could limit to the specific country you're in.. To lower the exposure.

                                        If you know you're only going to be accessing the vpn from your work location - then you could limit access to only the public IP from your work site, etc.

                                          FrankZappa @johnpoz
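                                        A defender's-eye model of the two gates johnpoz describes, added here for this thread and not pfSense or OpenVPN code: an ordered, first-match firewall rule set with a source allow-list (which also shows the rule-ordering trap from the earlier hint about the 'block all' entry), followed by the tls-auth HMAC check that silently drops any packet not tagged with the shared ta.key before a TLS handshake can even begin. The packet layout is a simplified, assumed version of tls-auth framing (not the real wire format); the key, addresses and probe are constructed.

```python
"""Two gates an inbound packet to an OpenVPN server meets before any TLS
handshake: a first-match firewall rule set and the tls-auth HMAC check.
Added example for the thread, not pfSense/OpenVPN code; the packet layout
below is an assumed simplification of OpenVPN's tls-auth framing."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# ---- gate 1: firewall rules, first match wins (as pfSense interface rules) ----

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR (an alias/table in pfSense terms) or "any"
    dport: Optional[int]  # destination port, None = any

def first_match(rules, proto, src_ip, dport):
    """Walk the rules in order; the first one whose fields all match decides.
    A pass rule placed below a block-all entry is therefore never reached."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.src != "any" and addr not in ipaddress.ip_network(r.src):
            continue
        return r.action
    return "block"   # nothing matched: default deny

# Constructed rule sets using RFC 5737 documentation addresses.
ALLOWED_SRC = "203.0.113.0/24"   # stand-in for "my carrier's / my office's ranges"
BLOCK_ALL = Rule("block", "any", "any", None)
PASS_VPN = Rule("pass", "tcp", ALLOWED_SRC, 443)
RULES_CORRECT = [PASS_VPN, BLOCK_ALL]   # OpenVPN pass rule above block-all
RULES_WRONG = [BLOCK_ALL, PASS_VPN]     # pass rule shadowed by block-all

# ---- gate 2: tls-auth HMAC on every control-channel packet ----

TA_KEY = b"\x5a" * 64          # constructed stand-in for the shared ta.key
OPCODE_CLIENT_RESET = 7        # P_CONTROL_HARD_RESET_CLIENT_V2, a client's first packet
HMAC_LEN = 32                  # SHA256 digest length
HDR_LEN = 1 + HMAC_LEN + 8     # opcode | hmac | packet_id | timestamp

def ta_wrap(key, opcode, packet_id, timestamp, payload):
    """Client side: tag a control packet.  Assumed layout:
    opcode(1) | hmac(32) | packet_id(4) | timestamp(4) | payload."""
    body = struct.pack("!II", packet_id, timestamp) + bytes([opcode]) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return bytes([opcode]) + tag + struct.pack("!II", packet_id, timestamp) + payload

def ta_check(key, packet, seen_ids):
    """Server side: verify the tag before anything reaches the TLS stack.
    Returns ("accept", opcode, payload) or ("drop", reason, None)."""
    if len(packet) < HDR_LEN:
        return ("drop", "too short", None)
    opcode, tag = packet[0], packet[1:1 + HMAC_LEN]
    packet_id, timestamp = struct.unpack("!II", packet[1 + HMAC_LEN:HDR_LEN])
    payload = packet[HDR_LEN:]
    body = struct.pack("!II", packet_id, timestamp) + bytes([opcode]) + payload
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return ("drop", "bad hmac", None)   # a scanner's probe ends here, silently
    if packet_id in seen_ids:
        return ("drop", "replay", None)     # a replayed valid packet is dropped too
    seen_ids.add(packet_id)
    return ("accept", opcode, payload)

def inbound(rules, src_ip, packet, key=TA_KEY, seen_ids=None):
    """What an unsolicited packet to tcp/443 meets: firewall, then tls-auth."""
    if seen_ids is None:
        seen_ids = set()
    if first_match(rules, "tcp", src_ip, 443) != "pass":
        return ("drop", "firewall")
    verdict, detail, _ = ta_check(key, packet, seen_ids)
    return (verdict, detail if verdict == "drop" else "tls handshake may start")

if __name__ == "__main__":
    seen = set()
    hello = ta_wrap(TA_KEY, OPCODE_CLIENT_RESET, 1, 1700000000, b"\x00" * 8)
    probe = b"GET / HTTP/1.0\r\n\r\n" + bytes(40)   # constructed banner-grab style probe
    print(inbound(RULES_CORRECT, "203.0.113.10", hello, seen_ids=seen))  # accept
    print(inbound(RULES_CORRECT, "203.0.113.10", hello, seen_ids=seen))  # replay
    print(inbound(RULES_CORRECT, "203.0.113.10", probe))                 # bad hmac
    print(inbound(RULES_CORRECT, "198.51.100.5", hello))                 # not on allow list
    print(inbound(RULES_WRONG, "203.0.113.10", hello))                   # pass rule shadowed
```

The point the model makes concrete: a scanner can still see that tcp/443 answers (the firewall pass rule has to exist for the service to be reachable), but without the ta.key it can only ever reach the "bad hmac" branch, and narrowing the allow-list source keeps most of the internet from reaching even that.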

                                          @johnpoz Thanks. The part that makes no sense to me is how OpenVPN can listen all day on UDP1194 and be stealthy, but we have to "open" a port to listen on TCP443, even if OpenVPN lets you share port 443. I guess I don't understand why we don't need to open other ports e.g. 80, 25, or 8080, and yet they work fine and don't show up on a port scan as open. Sorry, I'm rambling. I'll get off my soapbox now.

                                            johnpoz LAYER 8 Global Moderator @FrankZappa

                                            @frankzappa said in Anyone know openvpn obfuscate technology?:

                                            all day on UDP1194 and be stealthy

                                            No, it's not stealthy at all.. That grc scanner is only looking for tcp.. If the port is open it's open and you could connect to it.. If it answers..

                                            Are you running services on 80, 25 or 8080?? If not, then no you don't need to open them.. If you want people to connect to your "service" on 443 - then you have to have it open.. If it's open, then people can see it via a scan.. Just like if you were running services on 25 (smtp) or 80 http.. or 8080 normally used as proxy or just http if 80 is blocked inbound, etc.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.