Anyone know openvpn obfuscate technology?



  • I need to know if openvpn obfuscate technology is available using pfSense. If so, how do you configure it?

    Currently, I have two openvpn servers on my router. Both work great. Occasionally, they get blocked, once at a hospital and once at a large public university. Both were on public wifi.

    In both instances, a commercial VPN could get out. They told me they use openvpn-obfuscate technology to get by the problems I encountered.

    One of my servers is tun 443/tcp. I use it for remote browsing. The other is tap 1194/udp. I use it to bridge into my home network securely. The tap interface allows me to securely use my home network just as if I were at home. Remote desktop over the lan exclusively is very secure this way. It's much safer than port forwards and other more traditional connections to the home network.

    Or, is there another way to bypass the blocking I encountered? Changing ports will not work.


  • LAYER 8 Global Moderator

    So your home pfsense server runs 443/tcp tun, and why exactly do you run 1194/udp on tap?? I rdp to my boxes over my tun connection all the time. You for sure do not need tap to access remote desktop. If you need to broadcast for names ok. So you're saying both your connections via 443 tcp and 1194 udp are blocked into your home server. Or just the 1194 one?



  • Both were blocked. The public wifi was blocking openvpn without regard to the port used.

    443/tcp tun is for secure remote browsing via the home network. My home ip is visible, not the public wifi ip.

    1194/udp tap is for secure bridging into my home network remotely over public wifi. It gives me access just as if I were sitting in my living room easy chair. I use it for NAS access and remote desktop.

    You are correct that there are many ways to access remote desktop. I prefer this one. It works only over the local lan, requires no open ports that need to be forwarded, and allows multiple layers of security via openvpn and how pfSense implements it.


  • LAYER 8 Global Moderator

    I am not saying that access to remote desktop over a vpn is not more secure; what I am saying is you sure and the hell do not need tap to do that. I access all my local stuff just like I was in my home via tun. Tap has one purpose, that is when you need broadcast/layer2 traffic over the connection. Doing so comes with its own headaches and less performance since you have to leave the headers, etc.

    So you're saying this location blocked access to openvpn be it tcp or udp and didn't care for port. So it was doing DPI to identify that it was openvpn, but allowed some other vpn protocol? And what vpn protocol was that?

    The only way that I know of "hiding" your openvpn traffic from dpi is to hide it in some other tunnel. Simple ssltunnel could be used, if ssh is open you could run the openvpn inside an ssh tunnel. Or you could use obfsproxy to tunnel your openvpn traffic in.

    You sure it wasn't being blocked because they were enforcing the use of a proxy – this is a much simpler way of blocking the vpn traffic vs doing DPI to identify it's vpn traffic vs common ssl traffic over 443. If such a place is doing dpi on 443 traffic they are most likely doing MITM against ssl in general. I wouldn't want to use such a connection anyway. In such a location just hotspot off your phone and then vpn into your network.

    But you can bounce tcp openvpn off a proxy most of the time, this is yet another reason for the 443/tcp - 443 is almost always open and very friendly to bouncing off locations that force proxy use. I do it off my work proxy all the time ;)



  • Thank you for your reply.

    I'll look into tun into the home network. I didn't know you could. I assumed tap was the only way. I'll use it as a 3rd server to try to bypass blocking once I figure out how.

    I doubt they were using Deep Packet Inspection. The university might have been as a student exercise. The hospital would have been too cheap to go that far.

    About the proxy stuff … The vendor vpn was openvpn based and they said they use the same ports as I do. If you could point me to a page with documentation about the possible overrides, I can take it from there to learn more about them and give them a try. I'm still a newbie in some respects here.



  • I just added another openvpn tun server. I didn't notice before that unchecking the force traffic through vpn connection opened a local network box. I'll test it later when I'm away from home. If that's all it took to get to my local lan then I'm a little embarrassed it was that easy. I set it to port 22 for this purpose.

    When downloading the certs I noticed a proxy option. Is that what you were referring to? If so, where is some info that will explain how to use it for obfuscation? This might be effective. Some earlier research used many of the same terms but I could not figure out how to apply them.


  • LAYER 8 Global Moderator

    Yes you can set a proxy to use in your config, or you can just set it on the gui in the client when you use it. When at work on my laptop I set proxy, when I travel and say at a hotel I do not.

    Keep in mind that if you're running any software firewalls on your machine, they will have to be set to allow the tunnel network you're using to access what you want, ie remote desktop the windows firewall out of the box would block access other than same segment.

    For example my tunnel network is 10.0.8/24 so when I remote in I am coming from 10.0.8.100 (I set specific IP in client overrides) so any software firewalls running on your lan would have to allow that network or the specific IP you set for specific remote vpn users, etc.




  • @johnpoz:

    Yes you can set a proxy to use in your config, or you can just set it on the gui in the client when you use it. When at work on my laptop I set proxy, when I travel and say at a hotel I do not.

    Keep in mind that if you're running any software firewalls on your machine, they will have to be set to allow the tunnel network you're using to access what you want, ie remote desktop the windows firewall out of the box would block access other than same segment.

    For example my tunnel network is 10.0.8/24 so when I remote in I am coming from 10.0.8.100 (I set specific IP in client overrides) so any software firewalls running on your lan would have to allow that network or the specific IP you set for specific remote vpn users, etc.

    Thank you! I will look at this more closely soon.



  • Finally got around to testing remote network access via tun. It worked great. Remote desktop fired right up. Simply putting the ipv4 subnet for the main network in the little box worked. I also checked the wins netbios box, although it seemed to work without it being checked. (Hint to next user: don't forget to move the firewall entry for this server above the last 'block all' entry.)

    More testing is on my to do list.

    I'm still a tap user, though. At this time, I haven't been able to map a network drive using tun but can easily do so with tap. There may be a lot of overhead with tap and it's certainly more difficult to set up, but the overhead is not noticeable in use and it's convenient in this circumstance. So far.

    I'm still trying to figure out the proxy setup. I think I'm missing something but it appears to be a common way to bypass network blocks. Any help sites known to anyone?



  • @coffeecup25:

    Finally got around to testing remote network access via tun. It worked great. Remote desktop fired right up. Simply putting the ipv4 subnet for the main network in the little box worked. I also checked the wins netbios box, although it seemed to work without it being checked. (Hint to next user: don't forget to move the firewall entry for this server above the last 'block all' entry.)

    More testing is on my to do list.

    I'm still a tap user, though. At this time, I haven't been able to map a network drive using tun but can easily do so with tap. There may be a lot of overhead with tap and it's certainly more difficult to set up, but the overhead is not noticeable in use and it's convenient in this circumstance. So far.

    I'm still trying to figure out the proxy setup. I think I'm missing something but it appears to be a common way to bypass network blocks. Any help sites known to anyone?

    FYI, I can map network drive using TUN.



  • @Jackish:

    FYI, I can map network drive using TUN.

    Thanks. So can I now, too. pfSense makes it easy. I came from a DD-WRT background and was happy just to get it working in that case. I was originally under the impression that tun was for private browsing and tap was for network browsing.

    Now I have 3 servers:

    1 tun for safe remote browsing - easy to sign on to.
    1 tun for network access: difficult to sign on to and uses different certs and sign on requirements. Also allows safe browsing.
    1 tap just because I had it and it worked fine. Wouldn't do it again, though, now that I know how to make tun 'bridging' work.

    Still looking for openVPN obfuscate insights. I put the new server on port 4664 tcp (google docs) but don't expect it to hide any better than the other servers.


  • LAYER 8 Global Moderator

    "now that I know how to make tun 'bridging' work."

    HUH??? You sure and the hell do not need to bridge to access file shares..



  • @johnpoz:

    "now that I know how to make tun 'bridging' work."

    HUH??? You sure and the hell do not need to bridge to access file shares..

    Chill. It's a figure of speech. That's why I put it in quotes. I don't live and breathe routers like you do. Mentally replace 'bridge' with 'network access just as if it were bridged'. If that's wrong terminology, try well ….

    Anyway, back to the original question about obfuscation .....


  • LAYER 8 Global Moderator

    Bridge would not be the term.. But to your obfuscation question, already answered. The only way to hide that it's openvpn ssl traffic would be to put the tunnel inside a different tunnel, be that normal SSL tunnel or SSH tunnel, etc.



  • @johnpoz:

    Bridge would not be the term.. But to your obfuscation question, already answered. The only way to hide that it's openvpn ssl traffic would be to put the tunnel inside a different tunnel, be that normal SSL tunnel or SSH tunnel, etc.

    Thanks. I expected to still do a lot of look up work after some pointers, but this is still too vague. Just say "I don't know but this is probably what the ones with programming staff who CAN hide it do" next time. My paid VPN providers must make it look like normal traffic. That's why they can get through and my port switch-a-roos don't work.

    I guess if it were easy, everyone would be doing it and I wouldn't be asking here.

    Thanks, anyway. At least I got tun 'bridging' to work.


  • LAYER 8 Global Moderator

    not freaking 'bridging' dude..

    What part do you not understand about putting your vpn inside a ssl?? Hot spots for internet traffic sure and the hell are not doing deep packet inspection saying oh shit that is a vpn, block that. They are just blocking non standard ports like UDP 1194.. Run your openvpn connection over tcp 443 so it looks like normal https traffic. Only by doing DPI would where you're at be able to know it's not normal ssl..
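The two posts above (johnpoz's "So it was doing DPI to identify that it was openvpn" and this last one, "Only by doing DPI would where you're at be able to know it's not normal ssl") hinge on a detail the thread never spells out: what a DPI box actually looks at. The following is an added example written for this thread, not code from the pfSense or OpenVPN projects. It shows a first-packet classifier of the kind such a box applies: OpenVPN over TCP starts every packet with a cleartext 2-byte length and an opcode byte, and the first client packet is a HARD_RESET_CLIENT with opcode 7 (byte 0x38), which no TLS ClientHello ever begins with. That header stays readable even with tls-auth or tls-crypt, so moving to 443/tcp alone does not make the stream look like HTTPS. The same function then classifies a genuine ClientHello produced by Python's ssl module, which is what the outer layer of an stunnel/SSL-wrapped OpenVPN session looks like on the wire. The OpenVPN sample bytes, the SSH banner and the HTTP request are constructed, and `vpn.home.example` is a placeholder SNI name; no network connection is made.

```python
import ssl
import struct

# OpenVPN control-channel opcodes (from the OpenVPN protocol definition):
# a client opens a session with a HARD_RESET_CLIENT packet.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # used with tls-crypt-v2
CLIENT_RESET_OPCODES = {P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3}

TLS_RECORD_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01


def classify_first_segment(data: bytes) -> str:
    """Label the first client-to-server bytes of a TCP stream.

    Returns "tls-client-hello", "openvpn-hard-reset" or "unknown".
    This is a first-packet heuristic of the kind a DPI box applies; it
    inspects only cleartext framing, never the encrypted payload.
    """
    # TLS: record type 0x16, version 0x03 0x0X, 2-byte record length, then
    # the handshake message type, which is 0x01 for ClientHello.
    if (len(data) >= 6 and data[0] == TLS_RECORD_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x03
            and data[5] == TLS_HANDSHAKE_CLIENT_HELLO):
        return "tls-client-hello"

    # OpenVPN over TCP: 2-byte big-endian packet length, then one byte
    # holding (opcode << 3) | key_id, then an 8-byte session id.  This
    # header is not hidden by tls-auth or tls-crypt.
    if len(data) >= 3:
        (pkt_len,) = struct.unpack("!H", data[:2])
        opcode, key_id = data[2] >> 3, data[2] & 0x07
        if (opcode in CLIENT_RESET_OPCODES and key_id == 0
                and 9 <= pkt_len <= len(data) - 2):
            return "openvpn-hard-reset"

    return "unknown"


def real_tls_client_hello(server_name: str = "vpn.home.example") -> bytes:
    """Produce a genuine ClientHello using the ssl module's memory BIOs.

    No socket is opened; server_name is only a placeholder SNI value.
    This is the outer layer an stunnel-wrapped OpenVPN session presents.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, server reply awaited
    return outgoing.read()


# Constructed sample first segments (not captured traffic).
OPENVPN_RESET_V2 = (
    b"\x00\x0e"                            # packet length 14
    + b"\x38"                              # opcode 7 << 3 | key_id 0
    + b"\x11\x22\x33\x44\x55\x66\x77\x88"  # client session id
    + b"\x00"                              # zero acknowledged packet ids
    + b"\x00\x00\x00\x00"                  # message packet id 0
)
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: vpn.home.example\r\n\r\n"


def classify_samples() -> dict:
    """Run the classifier over the constructed samples and a real ClientHello."""
    return {
        "openvpn_on_443": classify_first_segment(OPENVPN_RESET_V2),
        "ssh": classify_first_segment(SSH_BANNER),
        "http": classify_first_segment(HTTP_GET),
        "openvpn_in_stunnel": classify_first_segment(real_tls_client_hello()),
    }


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:20s} -> {label}")
```

Run stand-alone it prints one label per sample: the bare OpenVPN stream is tagged `openvpn-hard-reset` regardless of which port it was sent to, while the SSL-wrapped session is tagged `tls-client-hello`, the same label a browser would get. That is the whole reason the "tunnel inside a tunnel" advice in this thread works where a port change does not, and it is also the check a network operator can run on their own captures to see what their DPI rules are keying on.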

