wiki:TrafficObfuscation

Version 2 (modified by Samuli Seppänen, 11 years ago) (diff)

--

Introduction

Sometimes it's useful to obfuscate the fact that your traffic is generated by OpenVPN. For example, if your ISP is blocking OpenVPN for some reason. This article describes various ways to obfuscate OpenVPN traffic so that it's not as easily detected and blocked. Most of the content here originates from this email thread. Additionally, for some reason this mail was not included in Gmane archives.

Use static keys

This was suggested here.

"My recent suggestion to someone regarding this was to use a 
static-key tunnel to encapsulate a second secure channel (either 
openvpn with TLS or ssh(1) as needed.) The static key tunnel looks 
like random junk to a sniffer. Nothing should identify it as being 
openvpn."One

"That said, it DOES look suspicious. Maintain a moving target if 
possible ... changing ports and IP addresses. Also, because of the 
potential weakness of static keys, you should rotate them on a 
timetable, such as weekly or monthly."

Use obfsproxy

Obfsproxy is a Tor subproject. It can be used to obfuscate (any) traffic so that it becomes unrecognizable. Obfuscating OpenVPN traffic using obfsproxy was suggested here, with one additional mail available here:

"However, the obfsproxy project sounds very interesting.  And it should be
possible to use obfsproxy (as it can talk like a SOCKS proxy) with
OpenVPN, by using the --socks-proxy argument.  But I'm not aware of any
openvpn services providing obfsproxy services in conjunction with OpenVPN."

A user provided an OpenVPN installer which bundles OpenVPN with obfsproxy. Look here for downloads and instructions.

Using a patched OpenVPN version

A patch is available for making OpenVPN handle traffic obfuscation internally.