How to disguise OpenVPN as HTTPS traffic for DPI Filtering



  • Hi,

    I have been using OpenVPN by setting up a server on my pfsense router at home for a few months, it has been working perfectly well locally(connecting from school to home). ;D

    Recently I have read an article regarding some possible ways of blocking OpenVPN:
    https://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=174
    Though it is currently not an issue for me, I am worrying about that, when I am leaving for some countries where the network is highly censored, say, China, would there be problems with the connection?
    At point 2, the article mentioned the Deep Packet Inspection (DPI) techniques in which the firewall will be able to verify if the packets being tunneled through TCP port 443 are real HTTPS packets, eventually distinguishing the OpenVPN traffic from the real HTTPS and blocking them.

    At the moment the port I am using for OpenVPN has already been TCP 443, is there anything I have to set up in order to disguise OpenVPN as HTTPS traffic for DPI Filtering?

    Thank you for your kind attention. :D


  • Rebel Alliance Global Moderator

    Isn't that pretty much a sales pitch for their product?

    "We do offer a stealth OpenVPN Tunneling over HTTPS/SSL which will enable you to create tunnel OpenVPN over HTTPS via SSL tunneling "



  • @johnpoz:

    Isn't that pretty much a sales pitch for their product?

    "We do offer a stealth OpenVPN Tunneling over HTTPS/SSL which will enable you to create tunnel OpenVPN over HTTPS via SSL tunneling "

    Ya, that is a website of a VPN service provider.
    I am simply wondering if their saying is valid and if my setting suffices the harsh environment they described. :P


  • Rebel Alliance Global Moderator

    Why can't you just do on your own what they say they offer?  Can you just use stunnel and then use openvpn over that?



  • @johnpoz:

    Why can't you just do on your own what they say they offer?  Can you just use stunnel and then use openvpn over that?

    Well, it seems you haven't read my post through.
    What I have been asking from the very beginning is "is there anything I have to set up in order to disguise OpenVPN as HTTPS traffic for DPI Filtering?", not sure if anything has irritated you, and in case of so, I am sorry.

    stunnel, now in your reply I can see something related finally, will take a look. Thanks for that. ;)


  • Rebel Alliance Global Moderator

    What irritated me??  I think maybe you've had couple cups too much coffee this morning and your all hyped up about this - that can be irritating ;)

    Something related "finally" ??  Dude this thread has been alive for a couple of minutes, I have only made two posts.  I read the article and it looks to me like a sales pitch with scare mongering.

    Now is it true that openvpn does not look exactly like normal ssl traffic?  Can it be detected with DPI?  I am not sure - sounds feasible I would think.  Is anyone doing it?  That is the other question.

    What I can tell you is that great firewall of china wall, its not that difficult to get around if you ask me.  Company I support has quite a few locations there, and they had in the past just used cloud based websense where proxy was outside china, and that worked just fine, so you could go anywhere you wanted - slow as fuck, but worked.  So I don't think that china firewall is all that difficult to get around ;)

    And I know you can bounce openvpn off just a normal http proxy, I do that to get out of my work network without any issues.



  • The issue with the GFW is that they interfere with the authentication mechanism (TLS).  There are ways around it, although it is not considered secure.  There would be nothing to stop them from killing the connection once it's up.  A shared key configuration would work, although, it isn't exactly secure.


Locked