Overview
- Ubuntu 18.04
- Debian 9, 10
- CentOS 7
- Fedora 29
Getting started
Prerequisites
- Linux (obviously!)
- Bash
- OpenVPN
- obfs4proxy
- Standard Linux commands (e.g. sudo, grep, ps), which should be available on all distros.
Installing
- Download the obfs4proxy-openvpn script, give it +x permission and put it in a location in your PATH (e.g. /usr/local/bin/):
wget https://raw.githubusercontent.com/HRomie/obfs4proxy-openvpn/master/obfs4proxy-openvpn
mv obfs4proxy-openvpn /usr/local/bin
chmod +x /usr/local/bin/obfs4proxy-openvpn
- obfs4proxy-openvpn.conf.sample contains a sample of the needed config file. Edit it to your needs and save it as /etc/obfs4proxy-openvpn.conf.
- Use
obfs4proxy-openvpn --export-cert -
on the server to get the required obfs4 CERT for the client.
- openvpn_client.conf.obfs4.sample / openvpn_server.conf.obfs4.sample contain samples of OpenVPN client/server configurations.
- obfs4proxy-openvpn.service.sample contains a sample systemd unit for obfs4proxy-openvpn.
- By default, the provided OpenVPN configurations use a pre-shared key, so the key must be created on the server and then imported on the client as well.
- Key creation on the server can be done using:
openvpn --genkey --secret /etc/openvpn/secret.obfs4.key
- Use the same location on the client (/etc/openvpn/secret.obfs4.key) to import the generated key.
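Because the same static key file has to end up on both machines, it is worth checking it before copying it and confirming afterwards that both sides hold the identical key. The following POSIX shell helpers are an added example, not part of the obfs4proxy-openvpn project: check_static_key verifies that a key produced by openvpn --genkey has the expected "OpenVPN Static key V1" markers, a 2048-bit (512 hex digit) body and owner-only permissions, and key_fingerprint gives a SHA-256 that server and client can compare without transmitting the key again.

```shell
#!/bin/sh
# Added example (not project code): sanity-check an OpenVPN static key file
# before it is copied to the client, and fingerprint it for comparison.
#   check_static_key FILE -> 0 if FILE looks like a valid OpenVPN Static key V1
#                            and is readable only by its owner, 1 otherwise
#   key_fingerprint FILE  -> SHA-256 of FILE; compare the server and client
#                            values instead of sending the key a second time

check_static_key() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # group/other permission bits are columns 5-10 of "ls -l"; all must be '-'
    case $(ls -ld "$f" | cut -c5-10) in
        ------) ;;
        *) echo "too permissive (want 0600): $f" >&2; return 1 ;;
    esac
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" ||
        { echo "no BEGIN marker: $f" >&2; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" ||
        { echo "no END marker: $f" >&2; return 1; }
    # body between the markers: 2048 bits = 256 bytes = 512 hex digits
    hexlen=$(awk '/^-----END/{f=0} f{printf "%s",$0} /^-----BEGIN/{f=1}' "$f" |
             tr -cd '0-9a-fA-F' | wc -c | tr -d ' ')
    [ "$hexlen" -eq 512 ] ||
        { echo "bad key body: $hexlen hex digits, want 512: $f" >&2; return 1; }
    return 0
}

key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage: ./check-key.sh /etc/openvpn/secret.obfs4.key (run on both hosts)
if [ -n "${1:-}" ]; then
    check_static_key "$1" && echo "ok  sha256=$(key_fingerprint "$1")"
fi
```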
Usage
obfs4proxy-openvpn --help
should give you some basic info on the command line arguments.
Feedback
Author
- Hamy - hamy.io
Acknowledgments
- Tor Project developers
- OpenVPN developers and other open source communities.
Helpful links
- Project's dedicated blog post
- Tor Pluggable Transports
- pt-spec-v1
- obfs4-spec
- IAT-Mode (Inter-Arrival Time Mode) study by David Fifield
- How to hide (obfuscate) any traffic using obfs4
- PTProxy wrapper
- ptadapter wrapper
- Shapeshifter wrapper
- obfsproxy-openvpn (note that it doesn't support obfs4)
Introduction
Sometimes it's useful to obfuscate the fact that your traffic is generated by OpenVPN. For example, if your ISP is blocking OpenVPN for some reason. This article describes various ways to obfuscate OpenVPN traffic so that it's not as easily detected and blocked. Most of the content here originates from this email thread. Additionally, for some reason this mail was not included in Gmane archives.
Use static keys
This was suggested here.
"My recent suggestion to someone regarding this was to use a static-key tunnel to encapsulate a second secure channel (either openvpn with TLS or ssh(1) as needed.) The static key tunnel looks like random junk to a sniffer. Nothing should identify it as being openvpn."
"That said, it DOES look suspicious. Maintain a moving target if possible ... changing ports and IP addresses. Also, because of the potential weakness of static keys, you should rotate them on a timetable, such as weekly or monthly."
Use obfsproxy
Obfsproxy is a Tor subproject. It can be used to obfuscate (any) traffic so that it becomes unrecognizable. Obfuscating OpenVPN traffic using obfsproxy was suggested here, with one additional mail available here:
"However, the obfsproxy project sounds very interesting. And it should be possible to use obfsproxy (as it can talk like a SOCKS proxy) with OpenVPN, by using the --socks-proxy argument. But I'm not aware of any openvpn services providing obfsproxy services in conjunction with OpenVPN."
A quick obfsproxy setup
This setup will start obfsproxy on your openvpn server, listening on port 21194. On the client it will start an obfsproxy serving as a SOCKS proxy, listening on the client on port 10194. The part which says "<some-random-key>" needs to be the same value on both server and client. The key can be a longer text string, with just random letters. I'd recommend keeping it long (at least 32 characters, which is 256 bits).
Client side
Add the following lines to your existing openvpn config file:
socks-proxy-retry
socks-proxy 127.0.0.1 10194
and change the --remote option to be
remote <YOUR-VPN-SERVER> 21194
That is, changing the port number to match the port number the server side obfsproxy will listen to.
Then start the obfsproxy like this:
[user@host: ~] $ obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs2 \
    --shared-secret=<some-random-key> socks 127.0.0.1:10194
Server side
Here we tell obfsproxy to listen to TCP port 21194 and to send any obfsproxy clients to the OpenVPN server, listening on 127.0.0.1, port 1194. And remember to allow TCP connections from the "outside" to port 21194 in your firewall config. Start obfsproxy like this:
[user@host: ~] $ obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs2 \
    --dest=127.0.0.1:1194 --shared-secret=<some-random-key> server 0.0.0.0:21194
The OpenVPN server needs in this case just this line in the config:
port 1194
That's all the magic, and should be a complete working setup.