
How To Hide OpenVPN Connections In China

by Grey One

If you are using OpenVPN in China, even on port 443, you may find that your connections are unstable. The problem is that the Great Firewall's deep packet inspection can tell an OpenVPN session from a "normal" TLS (SSL) session. OpenVPN does use TLS for its control channel, but it wraps that TLS handshake in its own packet format (a length prefix, an opcode byte and a session ID), so the first bytes a client sends never look like an ordinary HTTPS ClientHello, whatever port you use.

The solution is to mask your OpenVPN connection, and make it look like a regular HTTPS connection.

You can do this using one of these methods:

  • Using OpenVPN through an SSL/TLS tunnel (stunnel)
  • Using OpenVPN through an SSH tunnel
  • Using a tool called obfsproxy
  • Masking the OpenVPN packets in other ways

Here are three VPN providers that support obfuscation:

  • VPN.AC uses TLS authentication (OpenVPN's tls-auth) on the handshake packets. Note that tls-auth adds an HMAC to the control channel, which stops unauthenticated clients from even starting a handshake, but it does not hide anything: the OpenVPN opcode and session ID still lead every packet in the clear, so on its own it is not obfuscation against Deep Packet Inspection
  • AirVPN supports SSH tunneling and SSL tunneling by default
  • ExpressVPN uses a confidential method of packet obfuscation
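To make the detection concrete, here is an added example (not code from the original post or from any of the providers named above): a small classifier in the style of a passive DPI check. It looks at the first bytes a client sends on a TCP connection and tells an OpenVPN session start from a TLS ClientHello. All packets it runs on are constructed inline for the example. It also shows why tls-auth is not obfuscation: the HMAC sits after the opcode and session ID, which stay in the clear.

```python
"""Added example, not from the original post: a toy passive-DPI check that
classifies the first client packet of a TCP connection as either a TLS
ClientHello or an OpenVPN session start.  All sample packets are constructed
here; nothing is captured from a real network."""

import struct

# OpenVPN opcodes live in the top 5 bits of the first byte after the 2-byte
# TCP length prefix; the low 3 bits are the key id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first packet of a normal OpenVPN 2.x session
P_CONTROL_HARD_RESET_CLIENT_V3 = 10  # same, with --tls-crypt-v2
SESSION_START_OPCODES = {P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3}


def classify_first_packet(data: bytes) -> str:
    """Return 'tls-clienthello', 'openvpn-hard-reset' or 'unknown'."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte record length, then handshake type 0x01 = ClientHello.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01):
        return "tls-clienthello"
    # OpenVPN over TCP: big-endian length prefix, opcode/key-id byte, 8-byte
    # session id.  A fresh session always opens with a HARD_RESET_CLIENT and
    # key id 0, which is exactly what a DPI box keys on, whatever the port.
    if len(data) >= 11:
        plen = struct.unpack("!H", data[:2])[0]
        opcode, key_id = data[2] >> 3, data[2] & 0x07
        if plen == len(data) - 2 and opcode in SESSION_START_OPCODES and key_id == 0:
            return "openvpn-hard-reset"
    return "unknown"


def build_openvpn_hard_reset(session_id: bytes, tls_auth_hmac: bytes = b"") -> bytes:
    """Construct a P_CONTROL_HARD_RESET_CLIENT_V2 packet as sent over TCP.

    With --tls-auth an HMAC and a replay packet-id/timestamp are inserted after
    the session id, but the opcode and session id before them are unchanged,
    so the packet is still trivially recognisable."""
    assert len(session_id) == 8
    body = bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3 | 0]) + session_id
    if tls_auth_hmac:
        body += tls_auth_hmac + struct.pack("!II", 1, 0)   # packet id 1, net_time placeholder
    body += b"\x00"                 # length of the ack packet-id array (none yet)
    body += struct.pack("!I", 0)    # this packet's message packet id
    return struct.pack("!H", len(body)) + body


def build_tls_client_hello() -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (one cipher suite, no extensions)."""
    hello = (b"\x03\x03" + bytes(32)      # client_version, random (zeros for the example)
             + b"\x00"                     # session id length 0
             + b"\x00\x02\x00\x2f"         # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x01\x00")                # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    sid = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    for label, pkt in [("plain OpenVPN", build_openvpn_hard_reset(sid)),
                       ("OpenVPN with tls-auth", build_openvpn_hard_reset(sid, b"\xaa" * 20)),
                       ("what stunnel puts on the wire", build_tls_client_hello()),
                       ("plain HTTP", b"GET / HTTP/1.1\r\n")]:
        print(f"{label:30s} -> {classify_first_packet(pkt)}")
```

Once the session is wrapped in stunnel (below), the first bytes on the wire are a genuine TLS ClientHello, which is the case the classifier labels tls-clienthello; that is the whole point of the tunnelling methods that follow. A real DPI box looks at more than the first packet, which is why a persistent, high-volume TLS session to one foreign host can still be throttled, as the comments report.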

Note that, at the time of writing, these OpenVPN obfuscation techniques do not work on Android devices or on iPhones or iPads.


Hosting Your Own VPN on a VPS

You may want to create your own VPS with an OpenVPN installation and obfuscation. I recommend a reliable VPS provider such as Digital Ocean: their $5 per month plan with a server in Singapore is enough, and my article How To Set Your Own VPN walks through the OpenVPN installation.

Once you have the VPN set up, you can then install an SSL tunnel in front of it:

Using OpenVPN through an SSL tunnel

Tunnelling OpenVPN through stunnel makes it look, to a passive observer, like an ordinary TLS session to port 443: the only thing visible on the wire is stunnel's own TLS handshake followed by a stream of TLS records, and the OpenVPN framing that gives the protocol away is inside that encrypted stream, where Deep Packet Inspection cannot read it. Two caveats: the outer TLS handshake still has a fingerprint of its own (certificate, cipher list), so this hides the protocol rather than the fact that you hold a persistent TLS connection to one foreign host, and a long-lived session carrying steady traffic can still be flagged by traffic analysis; the comments below report throttling after a few minutes.

Install stunnel on both ends. The client-side stunnel listens on a local port and wraps whatever the OpenVPN client sends to it in TLS; the server-side stunnel listens on port 443, terminates the TLS and hands the inner stream to OpenVPN, which should listen only on localhost so that it is never reachable from the internet directly. Because stunnel carries a TCP stream, OpenVPN must run in TCP mode on both sides. See the linked stunnel setup instructions and discussion thread for installation details.
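A minimal working configuration for this setup, added here as an example and not taken from the original post or its linked guides. The VPS address 203.0.113.10, the file paths and the certificate file name are placeholders; the certificate is assumed to be a self-signed stunnel certificate whose public half has been copied to the client.

```ini
; Added example, not from the original post.  Four files are shown in one
; listing; the "----" comments mark where each one starts.  203.0.113.10 and
; the paths are placeholders.

; ---- /etc/stunnel/stunnel.conf on the VPS ----
[openvpn]
; listen on the HTTPS port, unwrap the TLS, hand the stream to OpenVPN on localhost
accept  = 443
connect = 127.0.0.1:1194
; server certificate and private key (self-signed is fine, the client pins it)
cert    = /etc/stunnel/server.pem

; ---- /etc/openvpn/server.conf on the VPS (only the lines that matter here) ----
; stunnel carries a TCP stream, so OpenVPN has to run over TCP as well
proto tcp
port 1194
; bind to localhost only: the bare OpenVPN port is never exposed to the internet,
; so nothing can probe it for the OpenVPN handshake directly
local 127.0.0.1

; ---- /etc/stunnel/stunnel.conf on the client ----
[openvpn]
client  = yes
; OpenVPN connects here; stunnel wraps the stream in TLS and sends it to the VPS
accept  = 127.0.0.1:1194
connect = 203.0.113.10:443
; verify the VPS certificate against a local copy of it (certificate pinning),
; so an in-path box cannot terminate the outer TLS without being noticed
verify  = 2
CAfile  = /etc/stunnel/server.pem

; ---- client.ovpn on the client (only the lines that matter here) ----
proto tcp
; talk to the local stunnel listener, not to the VPS
remote 127.0.0.1 1194
; once the server pushes redirect-gateway, OpenVPN adds a bypass route only for
; the address in "remote", which is now 127.0.0.1.  Without this line the
; stunnel connection itself would be routed into the tunnel and the session
; would collapse as soon as the default route changes.
route 203.0.113.10 255.255.255.255 net_gateway
```

The client-side verify/CAfile pair is the part most guides leave out: without it stunnel accepts any certificate, and an interception box could terminate the outer TLS and see the OpenVPN framing it was meant to hide. The OpenVPN session inside still authenticates its own peer, so such a box could not read your traffic, but it could identify it.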

Note that using an SSL tunnel will slow down your connection: every packet is encrypted twice, and because stunnel carries a TCP stream, OpenVPN has to run over TCP as well.

UDP is the better transport for any kind of tunnel because it has lower overhead and does not retransmit packets itself. Anything that needs a stateful or "reliable" connection (i.e. TCP) already has retransmission built into the protocol. If you run two of these protocols on top of each other (such as TCP over a TCP tunnel), bad things start to happen, because more than one layer is now trying to retransmit the same lost data, and each layer's timeouts feed the other's. So you should use UDP unless there is a very specific reason you need TCP, such as a firewall restriction or, as here, the fact that stunnel can only carry a TCP stream.

OpenVPN through an SSH tunnel

Using OpenVPN with an SSH tunnel is very similar to using it with an SSL tunnel; the difference is that the OpenVPN stream is wrapped in SSH encryption instead of TLS. SSH is the "secure shell" protocol used to log in to shell accounts on Unix systems, and every SSH client can forward a local port over the connection (ssh's -L option, or the Tunnels page in PuTTY), so the OpenVPN client again connects to a port on localhost and the VPS end delivers the stream to OpenVPN. You can find SSH clients for most operating systems; see PuTTY, for example.

When using SSH tunnels, note that:

  • There is evidence that the Chinese government is slowing down SSH connections
  • SSH is much more than just encryption (channel multiplexing, its own framing and flow control), so you will see more overhead with SSH tunnels
  • SSH tunnelling is awkward to set up on Windows, whereas stunnel is cross-platform

Using obfsproxy

Obfsproxy is a tool designed to make Tor connections difficult to detect. It was created by the Tor Project when China started blocking Tor nodes, but its transports can be used outside the Tor network, for example in front of an OpenVPN server, to mask VPN connections.

There are instructions for setting up obfsproxy with OpenVPN on this page.

Obfsproxy is not a security layer: its transports (obfs2, obfs3) scramble the byte stream so that it has no recognisable protocol signature, but they do not authenticate the peer, and the obfs2 transport can be unscrambled by a passive observer, so the OpenVPN session inside still has to provide the confidentiality. The upside is that it adds very little overhead, which makes it useful in countries where bandwidth is limited (e.g. Syria or Ethiopia).

Comments 13

  1. I just returned from a trip to China (Nanjing and Shanghai) for the whole month of April 2016. I had set up a virtual server on Digital Ocean with OpenVPN with stunnel. Nanjing is usually a much tougher place to get a good VPN connection. But it worked flawlessly. I had better performance than any commercial VPN service I ever used. Not the fastest (but faster than the commercial services I used), but good enough to stream YouTube. It was just a bit tricky to get it set up right, but once I did it was great. The only thing I noticed was that after the first connection from China, every time I tried to log into my DO server through their terminal I was greeted with the message that there were thousands of unsuccessful login attempts from an IP behind the Great Firewall. So the GFW people were also interested in logging into my server. Make sure you have a nice big secure password and set up your firewall. From the graphs it looked like some program was trying to log in every 30 minutes to an hour. Most of my setup time was spent debugging performance before going, until I figured out (and verified online) that FIOS was throttling my VPN over UDP. Once I switched to TCP things went faster (I needed to do that anyway for the stunnel setup).

  2. NC, the problem is: your server software and client software MUST also be specially coded for such a strictly banned environment.
    Who would like to do this instead of subscribing to a ready-made plan? Time is money, right?

  3. If I have access to homes in other countries, can I set up a VPN server using a Raspberry Pi? What would I have to do to get around the GFW? I wanted to use OpenWrt as my client at home. But I am also hoping to access the VPN on my iOS device using China Unicom.

  4. I am actually using GreenVPN right now; it works really well. My internet connection reaches 44M download bandwidth but only around 2M upload bandwidth, which is fair enough for me.

  5. A good combination of VPN and SSH (obfuscated, of course) may fool the GFW like the wall in Battlefield 4: completely destroyed. LOL. What's more, don't forget both Tor and I2P.

  6. Hello, I am Chinese, and we Chinese love dnsmasq on an OpenWrt router very much. Dnsmasq with an obfuscated SSH can perform better against the GFW.

  7. Is it a must to combine OpenVPN with an SSL/SSH tunnel?

    Is it possible to, let's say, create an SSL/SSH tunnel and send the communication through this tunnel to a proxy server set up on your VPS? What I'm probably wrongly supposing is that as long as you have an encrypted tunnel you don't actually need to encrypt the data passing through it... or, in other words, why is double encryption (i.e. OpenVPN + SSH/SSL) necessary to circumvent the firewall?

    1. The SSL tunnel is used to camouflage your VPN connection, so it is indeed a redundant layer of encryption, and it does slow down your VPN connections. It's for the sake of obfuscation.

  8. My experience running OpenVPN connections through both stunnel and SSH is that the connections are good for about 10-15 minutes. The connections are not terminated, but after about 15 minutes the speeds get throttled down to unusably slow. Of course YMMV depending on where you live in China, but these types of connections are certainly not undetected. On the other hand, these methods are nice in a pinch when one needs short-term connectivity and nothing else works.
    Additionally on:
    “ExpressVPN uses a confidential method of packet obfuscation”
    I find ExpressVPN to be a reliable provider, but it's implied that OpenVPN connections through their service are undetectable. That's not my experience: inability to connect and broken connections are a daily experience. Don't interpret that negatively; I have yet to find a provider that is trouble-free. ExpressVPN is fine and offers quite a few connection choices, and, again, one's experience depends on where one is connecting from.
    Lastly, my experience setting up VPN servers on DigitalOcean is that they work great for a time until they are tracked down, after which one will never connect to that DO IP again. If I do another setup there I would probably additionally set up a firewall so that the server only responds to connections from my home IP. The intent there is to make it more difficult for automated probing to identify much about the server, and so less likely to clobber connections to it and risk collateral damage. Ultimately, though, I have not done the experiment yet to find out what happens and how to counter it... ;(

    1. I finally got around to experimenting a bit with external servers and the Great Firewall. What I notice is that as soon as SSH connections are initiated to my external server, the server starts getting probed, approximately every two minutes, by servers owned by China Telecom in Jiangxi and China Unicom in Hebei. The probes can't find out anything about the server, as all connections except those from my home address are being dropped. The resulting connection is stable but, interestingly enough, seems to be rate-limited nonetheless. The connection speed is fine for command-line based server management but not suitable for higher-bandwidth usage scenarios.

      In view of the real-time response of the firewall to encrypted connections to endpoints outside of the country, I am not terribly optimistic about some of the "do it yourself" suggestions above. I suspect that while we can encrypt our connections or disguise them as something else, those connections are likely to be fragile in the medium to long term. It's perhaps less hassle, and a more successful long-term strategy, to just hire the full-time, private VPN companies to fight this battle against what is a very capable, and well-funded, adversary.
