How To Hide Your VPN Connections In China, Iran, United Arab Emirates, Oman and Pakistan

These VPN providers are the best to use in countries with internet censorship:

  • ExpressVPN (fast, excellent customer support) — uses a confidential method of packet obfuscation
  • VPN.AC uses TLS authentication to mask OpenVPN handshake packets (thus hiding them from Deep Packet Inspection)

If you need an introduction to VPNs (Virtual Private Networks), please see this article.

Avoiding Deep Packet Inspection

“Deep Packet Inspection” is usually done at the ISP (internet service provider) level on behalf of a government. A “packet” is a chunk of computer data sent over a network. Packet Inspection involves examining your internet traffic and determining what you are doing (for example, using a VPN).

To avoid Deep Packet Inspection, you must hide the fact that you are using a VPN. One of the simplest ways to do this is to forward your OpenVPN traffic through port 443. OpenVPN uses port 80 by default, which is usually heavily monitored by firewalls. When you switch to port 443, your traffic will be camouflaged. This is because 443 is the default port for HTTPS, and web browsers heavily use this protocol for secure connections. Whenever you see “HTTPS” in a web browser address (for example, while accessing an online bank or accessing a web-based email), your browser uses an HTTPS connection on port 443.

So using port 443 makes a lot of sense because it is very difficult to detect your traffic amongst all the other secure traffic on this port.

However, some governments (China and Iran) are now using methods to detect the difference between “normal” SSL encryption and VPN encryption. In cases like this, you will need more sophisticated cloaking techniques (see below).

Avoiding Advanced Deep Packet Inspection

There are several ways to avoid advanced deep packet inspection, but they will probably require cooperation from your VPN providers, and they will slow down your internet connection.

Commonly used techniques include:

  • Using the Obfsproxy tool
  • Using OpenVPN through an SSL tunnel
  • Using OpenVPN through an SSH tunnel

Using Obfsproxy

Obfsproxy is a tool designed to make VPN connections difficult to detect. It was created by the Tor network when China started blocking Tor nodes — but it can be used outside of the Tor network to mask VPN connections.

To use Obfsproxy, you must install it on your computer, and it must be installed on the VPN server you are connecting to. In most cases, you’ll have to ask your VPN provider to set it up.

Obfsproxy does not encrypt your traffic, but it also does not require much overhead, so it is useful in countries with limited bandwidth (e.g., Syria or Ethiopia).

There are instructions for setting up Obfsproxy with OpenVPN on this page.

Using OpenVPN through an SSL tunnel

Another method of avoiding Advanced Deep Packet Inspection is to use OpenVPN through an SSL tunnel to wrap your data in another layer of encryption. This makes your OpenVPN traffic virtually indistinguishable from regular SSL traffic because Deep Packet Inspection cannot penetrate this additional layer of encryption.

Typically, you’ll want to install the stunnel application and get your VPN provider to install it too.

One provider, AirVPN, does this by default; they state:

We offer OpenVPN on ports 80 TCP / UDP, 443 TCP / UDP and 53 TCP / UDP. Additionally, every Air server supports directly OpenVPN over SSH and OpenVPN over SSL. This means that even the most brutal techniques of monitoring, censorship, throttling and traffic shaping will fail against AirVPN, because your ISP and your government will see only TCP or UDP traffic (as you prefer) on a unique port.

Please note that using an SSL tunnel will slow down your internet connection.
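
The following added example (not part of the original article or any provider's code) shows how a first-bytes check separates plain OpenVPN-over-TCP on port 443 from a TLS stream, which is the difference the sections on Deep Packet Inspection and SSL tunnels rely on. The sample byte strings are constructed, and the function and label names are this example's own; real inspection systems use more signals than this.

```python
import struct

# Opcodes that open an OpenVPN session. On the wire the opcode is the high
# 5 bits of the first payload byte; the low 3 bits are the key id.
RESET_OPCODES = {1: "HARD_RESET_CLIENT_V1", 7: "HARD_RESET_CLIENT_V2",
                 10: "HARD_RESET_CLIENT_V3"}
MIN_RESET_LEN = 14  # opcode(1) + session id(8) + ack count(1) + packet id(4)


def classify_first_bytes(data: bytes) -> str:
    """Label the first client-to-server bytes of a TCP stream on port 443."""
    # TLS record header: type 0x16 (handshake), version 3.x, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        (record_len,) = struct.unpack("!H", data[3:5])
        if 0 < record_len <= 16384 and data[5] == 0x01:
            return "tls-client-hello"
    # OpenVPN over TCP: 2-byte packet length, then the opcode/key-id byte.
    if len(data) >= 3:
        (pkt_len,) = struct.unpack("!H", data[:2])
        opcode, key_id = data[2] >> 3, data[2] & 0x07
        if opcode in RESET_OPCODES and key_id == 0 and pkt_len >= MIN_RESET_LEN:
            return "openvpn-" + RESET_OPCODES[opcode].lower().replace("_", "-")
    return "unknown"


def sample_openvpn_reset() -> bytes:
    """Constructed sample: HARD_RESET_CLIENT_V2 without an HMAC field."""
    body = bytes([7 << 3]) + bytes.fromhex("1122334455667788") + b"\x00" + bytes(4)
    return struct.pack("!H", len(body)) + body


def sample_tls_client_hello() -> bytes:
    """Constructed sample: TLS record framing with a zero-filled hello body."""
    handshake = b"\x01" + (40).to_bytes(3, "big") + bytes(40)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # What the network sees first in each setup (constructed inputs).
    for name, blob in [("OpenVPN direct on 443", sample_openvpn_reset()),
                       ("OpenVPN inside SSL tunnel", sample_tls_client_hello()),
                       ("plain HTTP request", b"GET / HTTP/1.1\r\n")]:
        print(f"{name:28s} -> {classify_first_bytes(blob)}")
```

With the SSL tunnel in place, the OpenVPN reset packet only appears inside encrypted TLS records, so a check of this kind sees the ClientHello and nothing else.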

OpenVPN through an SSH tunnel

Using OpenVPN with an SSH tunnel is similar to using it with an SSL tunnel. The difference is that you wrap your OpenVPN traffic with SSH encryption instead of SSL encryption. SSH is the “secure shell” software used to make connections to shell accounts in Unix. You can find SSH clients for most operating systems — see PuTTY, for example.

VPN.AC and AirVPN also support SSH tunneling by default.

20 thoughts on “How To Hide Your VPN Connections In China, Iran, United Arab Emirates, Oman and Pakistan”

  1. I visited Oman in 2018 and had no problem using a VPN. I was not able to use an encrypted messenger without a VPN. So I started running encrypted IM over VPN. Still doing it now for a little extra security.

  2. I'm in Singapore and I use maskvpn.net. They really help me with my router setup. Very good support and very stable connection. I recommend.

  3. Also check out SSTP. SSTP establishes a connection over secure HTTPS (Port 443). Not only is the use of SSTP, which like HTTPS uses SSL encryption, very difficult to detect over port 443, but blocking that port would severely cripple access to the internet and is therefore not usually a viable option for would-be web censors. SSTP is also considered as the strongest and most secure VPN tunneling system for the usage of SSL, authentication certificates and 2048-bit encryptions. Thus, it could be a workaround to securely access networks that are behind such a sophisticated firewall—in which the traffic for VPN connections is being blocked.

    1. Iran does not block any ports. They have DPI, they block the actual packets of certain types of connections from being transferred.

      Also, the way the DPI works is if a connection to a specific IP has a data/connection time ratio above a certain amount, the firewall will throttle it to a standstill and after some time drop and blacklist that connection.

      Your best bet is to setup a simple SSH tunnel and ONLY use it on websites actively blocked by Iran and try to look for alternatives on opening websites.

      For example the plugin HTTPS Everywhere is a VERY good way to bypass reddit/imgur and some other website’s filtering.

  4. I’ve noticed that the China deep packet inspection is stronger than before recently, especially after their proud 9/3 military weapons show-off, and I am considering adding stunnel to my VPN server and client. However, I am wondering if it will work, since it should be very easy to detect a non-HTTPS request: simply send an HTTP request to the server, and if they get no HTTP response, then they might know this is a fake HTTPS server. However, since their deep packet inspection is more and more powerful, I’ll give it a try and add stunnel on both my server and client.

    However, do you have any comment on whether they use an HTTP request to detect if this is a fake HTTP server or not? And is it possible to make the server with stunnel to OpenVPN pretend to be an HTTP server?

    Also, since stunnel will wrap the packet as an SSL packet, should we use OpenVPN? Or maybe use another, more simplified VPN protocol under stunnel?

  5. Hi again, sorry for the comment failure. I have a question about another software. I have a VPN provider which offers 3 connection clients; I can use OpenVPN, Shrew and Cisco AnyConnect. The last option, Cisco AnyConnect, uses TLS over 443. If I use this software to connect to the VPN servers in countries like Iran or China, which shape would my ISP see from my traffic? Will he see that I'm using a VPN? And I have another question about AnyConnect itself: this software uses RC4 to encrypt the traffic. Is this option still safe or is it broken? And if it's broken, what can I do to still use AnyConnect with a safe configuration? Thanks a lot! 🙂

  6. I have a question for you. I’m looking for a VPN service that will work in Iran where censorship is strong. VPN.AC has recommended XOR obfuscation for OpenVPN and AirVPN has recommended OpenVPN through SSH and SSL tunneling. Which scenario is going to work better in a country with heavy censorship?

    Thanks

    1. Both of those methods could potentially work — OpenVPN via SSL/SSH can be more covert. The idea is to make VPN traffic appear like regular traffic, as much as possible.

  7. In my practical experience, I think China has no ability to detect OpenVPN protocol, because I am using OpenVPN, our own servers.

    I’ve noticed that damn China might be able to detect your OpenVPN by using their new FBBH (Fiber to the Home) modem. This modem is also a router. For example, we are using (or assigned) HG8245C.

    When we are assigned by the HG8245C, our OpenVPN is quickly detected and blocked soon, and then we change the IP. Soon, sometimes in 1 day, they block it again.

    Then, I telnet into the HG8245C and decrypt the super password. Then, I login HG8245C as super admin. I’ve noticed there is a weird Vlan called TR069. Delete it, then your OpenVPN will work!!

    1. This is exactly what I was trying to find. I just moved to a new house, and before I moved my internet was fine and fast. The day he came to install my internet, I noticed that modem, which I never had before, and ever since then, my internet has been slow and my VPN has not been able to connect or maintain a stable connection. I want to throw this modem out the window. I knew it wasn’t my VPN that was the problem, I knew it had to be that stupid modem. Could you please tell me how you did what you did to get your internet working normally again?

      1. I have logged into the modem through telnet. I’m trying to obtain the superuser and superpassword and that is where I’m stuck. I thought I could grep the xml file to obtain them but I don’t know what to type in. Could you please help? Thank you so much!

        1. Don’t know you are asking for this. Sorry.
          Do it in the following steps (this is my note on how to get the superadmin password)

          1. telnet 192.168.1.1 (or other IP of the damn router)

          2. login: root, password: admin

          3. WAP>shell

          4. WAP(Dopra Linux) #cd /mnt/jffs2

          5. $ cp hw_ctree.xml myconf.xml.gz // copy the hw_ctree.xml file

          6. $ aescrypt2 1 myconf.xml.gz tmp

          // decrypt the file `myconf.xml.gz`, HG8245C is different from HG8245, because the ‘C’ means they encrypt the document

          7. gzip -d myconf.xml.gz
          // Use `gzip` to unzip the myconf.xml.gz, and you will get myconf.xml

          8. vi myconf.xml

          9. search for the superadmin password : /telecomadmin , then you find the password

          Then, you can use a browser to log in to the damn router, and delete the TR069 Vlan, which is the one watching you. 🙂

          1. Hi,

            How did you even connect?
            Reason I ask is:
            telnet 192.168.1.1
            Connecting To 192.168.1.1…Could not open connection to the host, on port 23: Connect failed

            ping 192.168.1.1

            Pinging 192.168.1.1 with 32 bytes of data:
            Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
            Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
            Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
            Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

            So I can't even telnet to their modem, my ISP is China Telecom.

          2. How did you connect?

            telnet 192.168.1.1
            Connecting To 192.168.1.1…Could not open connection to the host, on port 23: Connect failed

            ping 192.168.1.1

            Pinging 192.168.1.1 with 32 bytes of data:
            Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
            Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
            Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
            Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

  8. Great article and very educational. I’m in China and having a very tough time finding a reliable VPN. I’m going to try AirVPN or VPN.AC, thanks to your help. I hope one of them works!
