If you are using OpenVPN in China, even on port 443, you may find that your connections are unstable. The problem is that Deep Packet Inspection can tell OpenVPN apart from ordinary HTTPS: OpenVPN wraps its TLS handshake in its own packet format (an opcode and session-ID header precede the TLS records), and that framing is a recognisable fingerprint regardless of the port you use.
The solution is to mask your OpenVPN connection and make it look like a regular HTTPS connection.
You can do this using one of these methods:
- Using OpenVPN through an SSL tunnel
- Using OpenVPN through an SSH tunnel
- Using a tool called Obfsproxy
- Masking the OpenVPN packets in other ways
Here are two VPN providers that support obfuscation:
- VPN.AC uses TLS authentication (OpenVPN’s tls-auth option) on the handshake packets. Note that tls-auth adds an HMAC to the control-channel packets and drops anything that lacks a valid one, which stops scanners and probes from getting an OpenVPN server to respond; it does not change the wire format of the handshake, so on its own it gives only limited protection against Deep Packet Inspection.
- AirVPN supports SSH tunneling and SSL tunneling by default
Note that OpenVPN obfuscation techniques will not work on Android devices or iPhones/iPads (at the time of writing).
Hosting Your Own VPN on a VPS
You may want to create your own VPS with an OpenVPN installation and obfuscation. I recommend a reliable VPS provider such as Vultr: you can install OpenVPN through a “one-click” interface, and they have servers in Asia. See my article How To Set Up Your Own VPN.
Once you have the VPN set up, you can then install an SSL tunnel:
Using OpenVPN through an SSL tunnel
You can make your OpenVPN traffic virtually indistinguishable from regular SSL traffic by tunnelling it through an SSL tunnel such as stunnel. Deep Packet Inspection then sees an ordinary TLS session to port 443; the OpenVPN handshake and data packets travel inside that session, where DPI cannot inspect them. Keep in mind that the outer TLS handshake is still visible, so the tunnel endpoint should present a certificate that looks like any other website’s.
Note that using an SSL tunnel will slow down your internet connection.
UDP is normally better for any kind of tunnel because it has lower overhead and does not try to retransmit packets unnecessarily. Anything that provides a reliable, stateful connection (i.e., TCP) already has retransmission built into the protocol. If you stack two such protocols on top of each other (for example TCP over a TCP tunnel), more than one layer tries to retransmit the same lost packet, and throughput collapses as soon as there is packet loss (the so-called TCP meltdown). So use UDP for OpenVPN unless there is a specific reason to use TCP, such as a firewall restriction. An SSL tunnel is one such reason: stunnel forwards TCP streams only, so OpenVPN inside it must run with proto tcp, and you accept the TCP-over-TCP overhead as the price of the disguise.
OpenVPN through an SSH tunnel
Using OpenVPN with an SSH tunnel is very similar to using it with an SSL tunnel; the difference is that you wrap your OpenVPN traffic in SSH encryption instead of SSL. SSH (“secure shell”) is the program used to log in to shell accounts on Unix systems, and its port-forwarding feature (ssh -L) can carry any TCP connection, including OpenVPN’s. SSH clients exist for most operating systems; see PuTTY, for example.
When using SSH tunnels, note that:
- There is evidence that the Chinese government is slowing down SSH connections
- SSH is much more than an encryption layer, so you will see more overhead with SSH tunnels
- SSH is difficult to set up on Windows, whereas stunnel is cross-platform
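The client-side pieces for both of the setups above (OpenVPN inside an stunnel tunnel, and the same thing done with an SSH port forward), as an added example that is not part of the original article. The server name vpn.example.com, the user vpnuser, the certificate paths and the local port 1443 are placeholders; it assumes the OpenVPN server itself runs with “proto tcp”, “local 127.0.0.1” and “port 1194” so that only the wrapper (stunnel on 443, or sshd) is reachable from outside. The check at the end catches the mistake the TCP-versus-UDP discussion warns about: a client config that still says proto udp, or that points at the server instead of the local wrapper, will never connect through either tunnel.

```shell
#!/bin/sh
# Added example (not from the original page): the client-side pieces for
# running OpenVPN inside an stunnel (SSL) tunnel or an SSH port forward.
# Hypothetical values: server vpn.example.com; on the server OpenVPN runs
# with "proto tcp", "local 127.0.0.1" and "port 1194" so only the wrapper
# (stunnel on 443, or sshd) is reachable from outside.
set -eu

SERVER=vpn.example.com
OVPN_PORT=1194   # OpenVPN on the server, loopback only
LOCAL_PORT=1443  # stunnel or ssh listens here on the client

# Server /etc/stunnel/stunnel.conf (stunnel 5.x syntax): terminate TLS on
# 443 and pass the inner stream, which is OpenVPN's own TLS-protected
# traffic, to the local OpenVPN daemon.
gen_stunnel_server_conf() {
  cat <<EOF
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.key
pid = /var/run/stunnel.pid

[openvpn]
accept = 443
connect = 127.0.0.1:$OVPN_PORT
EOF
}

# Client /etc/stunnel/stunnel.conf: listen on loopback and open what looks
# like an ordinary HTTPS session to $SERVER:443, verifying its certificate
# so a middlebox cannot silently terminate the outer TLS.
gen_stunnel_client_conf() {
  cat <<EOF
client = yes
pid = /var/run/stunnel-client.pid

[openvpn]
accept = 127.0.0.1:$LOCAL_PORT
connect = $SERVER:443
verifyChain = yes
CAfile = /etc/stunnel/server-ca.pem
checkHost = $SERVER
EOF
}

# SSH alternative: one local port forward replaces stunnel entirely.
gen_ssh_forward_cmd() {
  echo "ssh -N -L 127.0.0.1:$LOCAL_PORT:127.0.0.1:$OVPN_PORT vpnuser@$SERVER"
}

# client.ovpn: OpenVPN talks to the local wrapper port.  stunnel and ssh
# both carry TCP streams only, so this must be "proto tcp"; a UDP config
# would never connect through either wrapper.
gen_openvpn_client_conf() {
  cat <<EOF
client
dev tun
proto tcp
remote 127.0.0.1 $LOCAL_PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verb 3
EOF
}

# Sanity check for a wrapped client config read from stdin: returns 0 only
# if it uses TCP and points at the local wrapper rather than at the server.
check_wrapped_conf() {
  conf=$(cat)
  printf '%s\n' "$conf" | grep -Eq '^proto[[:space:]]+tcp(-client)?[[:space:]]*$' || return 1
  printf '%s\n' "$conf" | grep -Eq '^remote[[:space:]]+127\.0\.0\.1[[:space:]]+'"$LOCAL_PORT" || return 1
}

echo "# --- server: /etc/stunnel/stunnel.conf ---"; gen_stunnel_server_conf
echo "# --- client: /etc/stunnel/stunnel.conf ---"; gen_stunnel_client_conf
echo "# --- client: ssh alternative ---";            gen_ssh_forward_cmd
echo "# --- client: client.ovpn ---";               gen_openvpn_client_conf
gen_openvpn_client_conf | check_wrapped_conf && echo "# client.ovpn is valid for a TCP wrapper"
```

Run the script once to print the three files and the ssh command, redirect each function’s output into place, then start stunnel (or the ssh forward) before OpenVPN. With the SSH variant the sshd on vpn.example.com is the only thing exposed, which is why the note above about SSH connections being throttled matters more than it does for stunnel.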
OpenVPN through Obfsproxy
Obfsproxy is a tool designed to make connections difficult to detect. It was created by the Tor Project when China started blocking Tor, but it can be used outside of the Tor network to mask OpenVPN connections.
There are instructions for setting up Obfsproxy with OpenVPN on this page.
Obfsproxy is an obfuscation layer, not a security layer: it does not add meaningful encryption of its own, so rely on OpenVPN for confidentiality. It also adds very little overhead, which makes it useful in countries where bandwidth is limited (e.g., Syria or Ethiopia).
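The Obfsproxy setup sketched above, as an added example that is not part of the original article. Unlike stunnel or SSH, obfsproxy is used as a SOCKS proxy on the client side, so OpenVPN keeps the real server address in its config and is told to connect through the local SOCKS port. The server name vpn.example.com and the ports 21194 and 10194 are placeholders; it assumes OpenVPN on the server is bound to 127.0.0.1:1194 over TCP. The obfs3 transport is used rather than obfs2, whose handshake a passive observer can unscramble; obfs3 itself resists passive fingerprinting but not active probing, so treat it as a disguise, not a guarantee.

```shell
#!/bin/sh
# Added example (not from the original page): running OpenVPN through
# obfsproxy's obfs3 transport instead of a TLS or SSH tunnel.  Hypothetical
# values: server vpn.example.com; on the server OpenVPN runs with "proto tcp"
# and "local 127.0.0.1" on 1194 so only the obfuscated port is exposed.
set -eu

SERVER=vpn.example.com
OBFS_PORT=21194   # the only port the censor sees traffic to
SOCKS_PORT=10194  # obfsproxy's local SOCKS listener on the client

# Server: obfsproxy peels off the obfs3 layer and forwards the TCP stream to
# OpenVPN on loopback.  obfs3 rather than obfs2: obfs2's handshake can be
# unscrambled by a passive observer.
obfs_server_cmd() {
  echo "obfsproxy obfs3 --dest=127.0.0.1:1194 server 0.0.0.0:$OBFS_PORT"
}

# Client: obfsproxy exposes a SOCKS proxy; every connection made through it
# is wrapped in obfs3 on its way to the destination the SOCKS client names.
obfs_client_cmd() {
  echo "obfsproxy obfs3 socks 127.0.0.1:$SOCKS_PORT"
}

# client.ovpn: OpenVPN names the real server and obfuscated port but connects
# through the local SOCKS proxy.  obfsproxy's SOCKS listener handles TCP only.
gen_openvpn_obfs_conf() {
  cat <<EOF
client
dev tun
proto tcp
remote $SERVER $OBFS_PORT
socks-proxy 127.0.0.1 $SOCKS_PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verb 3
EOF
}

# Returns 0 only if a client config (on stdin) uses TCP and goes through the
# local SOCKS port; anything else would reach the server as bare OpenVPN.
check_obfs_conf() {
  conf=$(cat)
  printf '%s\n' "$conf" | grep -Eq '^proto[[:space:]]+tcp' || return 1
  printf '%s\n' "$conf" | grep -Eq '^socks-proxy[[:space:]]+127\.0\.0\.1[[:space:]]+'"$SOCKS_PORT" || return 1
}

echo "# --- server ---";              obfs_server_cmd
echo "# --- client ---";              obfs_client_cmd
echo "# --- client: client.ovpn ---"; gen_openvpn_obfs_conf
gen_openvpn_obfs_conf | check_obfs_conf && echo "# client.ovpn routes through obfsproxy"
```

Start the server-side obfsproxy and the client-side SOCKS listener before launching OpenVPN; if OpenVPN logs a direct TCP connection to port 21194 without mentioning the SOCKS proxy, the socks-proxy line is missing and the handshake is leaving the client unobfuscated.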