How to Hide Your OpenVPN Tunnel’s Traffic

Governmental agencies are cracking down and tightening their grip on digital communications. This is pretty worrisome, especially when considering the recent threats to net neutrality as well as the N.S.A. collecting vast amounts of data from domestic citizens.
When your data is in transit through a VPN tunnel, it is encrypted and safe from prying and spying eyes. This is not the same as saying that people can’t see what type of data you are transmitting, though. They may not be able to unscramble and decrypt your data to steal your information, but they can certainly peer into your tunnel and see what type of encryption service you are using. In turn, they can choose to permit or discard that type of traffic on their network.
Fortunately, there is good news. Even if a service provider or other network blocks your OpenVPN traffic, there are several techniques you can use to hide it and circumvent the restrictions. You need a moderate understanding of networking concepts to successfully hide your OpenVPN traffic, but let’s discuss the different options you have at your disposal.
Port Forwarding through Port 443
The easiest way to hide your OpenVPN traffic is to send it to port 443. It is the easiest method because you only have to configure this setting in your VPN client – there is no configuration required on the VPN server. In most cases, it will work. If not, you will need to try one of the other techniques discussed later.
OpenVPN uses port 80 by default, which is the port most commonly used for HTTP traffic (web browsing). Because of this, it is pretty typical for network security devices and firewalls to discard any encrypted traffic they see on port 80. However, you can forward your tunnel traffic to the HTTPS port (port 443) to circumvent this restriction.
HTTPS traffic is encrypted in a similar manner to your OpenVPN traffic, using SSL (Secure Sockets Layer) technology. This is an advantage for two reasons. First, it would be hard to detect that your traffic is an OpenVPN tunnel since the encryption looks very similar. Second, it is highly unlikely that a service provider or corporate network would block encrypted traffic on port 443, because doing so would prevent users from browsing the web securely using HTTPS, which would all but debilitate their network.
Please note, however, that the service found in an OpenVPN tunnel is not identical to HTTPS encrypted traffic, and it is still possible (though usually unlikely) that a firewall can both detect and block your traffic.
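The difference noted above shows up in the first bytes a client sends on a port-443 connection. The following Python sketch is an added example (not from the original article) of the check a firewall or network monitor can make, using the TLS record header and the opcode values of OpenVPN's TCP framing; the function names and sample payloads are constructed for illustration.

```python
import struct

# Opcodes of the OpenVPN packets a client can open a session with
# (the opcode is the high 5 bits of the first byte after the length prefix).
OPENVPN_CLIENT_RESETS = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
MIN_RESET_LEN = 14  # opcode + 8-byte session id + ack count + 4-byte packet id


def classify_first_payload(payload: bytes) -> str:
    """Label the first client-to-server TCP payload seen on a port-443 flow."""
    if len(payload) < 6:
        return "unknown"
    # TLS: record type 0x16 (handshake), major version 3, handshake type 1.
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    # OpenVPN over TCP: 2-byte big-endian packet length, then opcode/key-id byte.
    (length,) = struct.unpack("!H", payload[:2])
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    if (opcode in OPENVPN_CLIENT_RESETS and key_id == 0
            and MIN_RESET_LEN <= length <= len(payload) - 2):
        return "openvpn-hard-reset"
    return "unknown"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain OpenVPN moved to 443": bytes.fromhex(
        "000e38" + "a1b2c3d4e5f60718" + "00" + "00000000"),
    "HTTPS or SSL-wrapped tunnel": bytes.fromhex("160301002f0100002b0303"),
    "obfuscated stream": bytes.fromhex("9f3c71e2a4d05b18c6"),
}


def classify_samples() -> dict:
    """Classify every constructed sample and return name -> label."""
    return {name: classify_first_payload(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:30} -> {label}")
```

A plain OpenVPN session moved to port 443 is identifiable from its first packet, while a tunnel wrapped in SSL begins with an ordinary TLS handshake.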
Hiding Your Tunnel with Obfsproxy
Obfsproxy is a tool that is designed to obfuscate traffic by encapsulating it. In programming terms, this is sometimes called a ‘wrapper.’ Essentially, by wrapping around your data, it makes it extremely hard for people to discern what type of traffic you are sending.
This can be a little more challenging to implement because the software needs to be installed on both the VPN server endpoint as well as the end user’s device. If you don’t have access to the VPN server or your provider refuses to run this service, you will need to try another method to hide your OpenVPN traffic. However, if you are creating a VPN tunnel back to your home network, this is a wonderful option. After the software is installed on your server, you just need to run the following command to configure the server to accept connections:
- obfsproxy obfs2 --dest=127.0.0.1:XXXX server x.x.x.x:5573 (where XXXX is the desired port)
The 127.0.0.1 address is your server’s loopback address, and the command tells the server to listen on port XXXX for new connections. Also, x.x.x.x would be the IP address you want to allow a connection from. If you want to leave it open to any IP address because you frequently hop around to different networks, replace x.x.x.x with 0.0.0.0.
However, configuring any old IP address for connections isn’t likely a viable option for your service provider if they are working with you to complete this task, so you will likely need to get a static IP address.
Leveraging an SSL Tunnel to Hide OpenVPN Traffic
Much like the previous example, you can use SSL as a wrapper for your OpenVPN tunnel traffic. Even an advanced firewall won’t be able to see the traffic inside SSL encryption, and the wrapper will effectively hide the fact that you are using an OpenVPN connection. To facilitate this technique, the stunnel software would also need to be installed on both the client and the server.
To implement this technique, you will most likely need to pick up the phone and call your VPN service provider to see if they use this software. If they don’t, you will need to see if they will help you by installing it on their server. Furthermore, they will likely need to help you configure the settings on your VPN client.
Leveraging an SSH Tunnel to Hide OpenVPN Traffic
This is very similar to the last technique, except instead of wrapping your data in SSL it will be wrapped in SSH. This is a less-preferred option simply because it isn’t as widely used for hiding VPN traffic as SSL is. In fact, SSH is scarcely used in home and consumer environments. However, it is still a viable way to hide your OpenVPN tunnel. The steps to get this working are similar to the last example as well. You will need to call your provider and see if they will work with you to set this up. To use it in a home environment, you will need to download PuTTY to help hide your traffic.
If you find that the network you are on is blocking OpenVPN connections, you can use one of these three methods to hide your traffic. Furthermore, if you combine your hidden OpenVPN tunnel with a service like Tor, you will boost your online security a ton. You will be far ahead of the curve because most Internet users don’t take advantage of these amazing technologies.