If you are using OpenVPN in China, even on port 443, you may find that your connections are unstable. The problem is that Chinese government can detect the difference between “normal” SSL encryption and VPN encryption.
The solution is to mask your OpenVPN connection, and make it look like a regular HTTPS connection.
You can do this using one of these methods:
- Using OpenVPN through an SSL tunnel
- Using OpenVPN through an SSH tunnel
- Using a tool called Obsfsproxy
- Masking the OpenVPN packets in other ways
Here are three VPN providers that support obfuscation:
- VPN.AC uses TLS-authentication to mask OpenVPN handshake packets (thus hiding it from Deep Packet Inspection)
- AirVPN supports SSH tunneling and SSL tunneling by default
- ExpressVPN uses a confidential method of packet obfuscation
Note that OpenVPN obfuscation techniques will not work on Android devices or iPhones/iPad (yet).
Hosting Your Own VPN on a VPS
You may want to create your own VPS with an OpenVPN installation and obfuscation. I recommend using a reliable VPS like Digital Ocean. You can purchase their $5 per month plan, choose the server in Singapore, and see my article How To Set Your Own VPN.
Once you have the VPN set-up, you can then install a SSL tunnel:
Using OpenVPN through a SSL tunnel
You can make you OpenVPN traffic virtually indistinguishable from regular SSL traffic by tunnelling it through SSL, because Deep Packet Inspection cannot penetrate this addition layer of encryption.
Note that using a SSL tunnel will slow down your internet connections.
UDP is better for any kind of tunnel because it’s lower overhead and doesn’t try to retransmit packets unnecessarily. In certain instances retransmitting packets could be counterproductive. Basically, anything that needs to either have a stateful connection or a connection that is “reliable” (i.e. TCP) already has packet retransmission built into the protocol. If you run two of these protocols on top of each other (such as TCP over a TCP tunnel), then bad things start to happen as now you have more than one layer trying to retransmit packets. So really you should use UDP unless there’s a very specific reason you need to use TCP, such as a firewall restriction or something.
OpenVPN through an SSH tunnel
Using OpenVPN with a SSH tunnel is very similar to using it with a SSL tunnel. The difference is that you wrap your OpenVPN traffic with SSH encryption instead of SSL encryption. SSH is the “secure shell” software used to make connections to shell accounts in Unix. You can find SSH clients for most operating systems — see PuTTY for example.
When using SSH tunnels, note that:
- There is evidence that the Chinese government is slowing down SSH connections
- SSH is much more than just encryption, therefore you will see more overhead with SSH tunnels
- SSH is difficult to set up on Windows whereas stunnel is cross platform
Obfsproxy is a tool designed to make VPN connections difficult to detect. It was created by the Tor network when China started blocking Tor nodes — but it can be used outside of the Tor network to mask VPN connections.
There are instruction for setting up Obsfproxy with OpenVPN on this page.
Obfsproxy does not encrypt your traffic, but it also does not require much overhead, so if it is useful in countries where bandwidth is limited (e.g. Syria or Ethiopia).