人生在世，看得透，又看得远者prevail everywhere.

gg.gg/13nbnz gg.gg/13p5tj gg.gg/13p9s5 gg.gg/13tljl gg.gg/13xudz gg.gg/13xy3p gg.gg/143tqc linux.die.net linux.it.net.cn ostechnix.com unix.com gg.gg/19yv96 man.linuxde.net gg.gg/148erg bit.ly/2vsM34J bit.ly/2EzoUDo bit.ly/2wCsZSI bit.ly/2v6jGJi bit.ly/2tW6eYT bit.ly/2u2MMtm bit.ly/2X6vadl bit.ly/2viLpHU bit.ly/2fzzbEU linuxprobe.com linuxtechi.com ttlsa.com systutorials.com ghacks.net linuxopsys.com reurl.cc/8W1x3X reurl.cc/NpzMWe reurl.cc/WrgYdx reurl.cc/Yv4Yvo reurl.cc/Lmy90K reurl.cc/Rr5aeG

Tuesday 16 June 2020

obfs4proxy-openvpn

Obfuscating OpenVPN traffic using obfs4proxy.

A Bash script for obfuscating OpenVPN traffic using obfs4proxy

Overview

obfs4proxy developed by the Tor Project, is primarily written to obfuscate Tor traffic. But with a little effort, it can be used to obfuscate any other TCP traffic as well.

While there are couple of obfs4proxy general wrappers around, this Bash script is specifically designed to make obfs4proxy work with OpenVPN. It's more of a helper than a wrapper since it bootstraps the start of obfs4proxy/OpenVPN and then gets out of the way.

It is specifically written for obfs4 transport protocol. But it also supports older obfs3 and obfs2 transports. Unless you have a good reason, you should stick to obfs4.

Since the script uses standard Linux commands, it should work in most major distros but it's been specifically tested on:

Ubuntu 18.04
Debian 9, 10
CentOS 7
Fedora 29

If you believe that it doesn't work on your system, let me know.

Getting started

Prerequisites

Linux (obviously!)
Bash
OpenVPN
obfs4proxy
Standard Linux commands (e.g, sudo,grep,ps) which should be available on all distros.

OpenVPN and obfs4proxy can either be compiled from their source code or installed from your distros repository. Just don't forget to put them somewhere in your PATH if you decided to compile them yourself.

The script must be run as root to do its magic but it will use a dedicated account for running obfs4proxy by default. You can also make OpenVPN to drop its root privilege later on.

Installing

Download the obfs4proxy-openvpn script, give it +x permission and put it in a location in your PATH (e.g, /usr/local/bin/):
- wget https://raw.githubusercontent.com/HRomie/obfs4proxy-openvpn/master/obfs4proxy-openvpn
- mv obfs4proxy-openvpn /usr/local/bin
- chmod +x /usr/local/bin/obfs4proxy-openvpn
obfs4proxy-openvpn.conf.sample contains a sample of the needed config file. Edit it to your needs and save it as /etc/obfs4proxy-openvpn.conf .
- Use obfs4proxy-openvpn --export-cert - on the server to get the required obfs4 CERT for the client.
- openvpn_client.conf.obfs4.sample / openvpn_server.conf.obfs4.sample contain samples of OpenVPN client/server configurations.
obfs4proxy-openvpn.service.sample contains sample of a systemd unit for obfs4proxy-openvpn.
- By default, the provided OpenVPN configurations use pre-shared key. So the key should be created on the server and then be imported to the client as well.
  - Key creation on the server can be done using: openvpn --genkey --secret /etc/openvpn/secret.obfs4.key
  - Use the same location on the client (/etc/openvpn/secret.obfs4.key), to import the generated key

Usage

obfs4proxy-openvpn --help should give you some basic info on the command line arguments.

Most needed documentations are placed in the sample files in examples/ folder. That should be enough to get you started. But a more in-depth doc can be found here: obfs4proxy-openvpn: Obfuscating OpenVPN traffic using obfs4

After the initial startup, the execution is passed to openvpn and it stays in the foreground (just like the real openvpn execution). You may then use the provided systemd service sample file to run it as a service.

Feedback

I would love to know you thoughts on this project. Please share them with me here.

Author

Hamy - hamy.io

Acknowledgments

Tor Project developers
OpenVPN developers and other open source communities.

from https://github.com/HRomie/obfs4proxy-openvpn

----

openvpn TrafficObfuscation

Introduction

Sometimes it's useful to obfuscate the fact that your traffic is generated by OpenVPN. For example, if your ISP is blocking OpenVPN for some reason. This article describes various ways to obfuscate OpenVPN traffic so that it's not as easily detected and blocked. Most of the content here originates from this email thread. Additionally, for some reason this mail was not included in Gmane archives.

Use static keys

This was suggested here.

"My recent suggestion to someone regarding this was to use a 
static-key tunnel to encapsulate a second secure channel (either 
openvpn with TLS or ssh(1) as needed.) The static key tunnel looks 
like random junk to a sniffer. Nothing should identify it as being 
openvpn."One

"That said, it DOES look suspicious. Maintain a moving target if 
possible ... changing ports and IP addresses. Also, because of the 
potential weakness of static keys, you should rotate them on a 
timetable, such as weekly or monthly."

Use obfsproxy

Obfsproxy is a Tor subproject. It can be used to obfuscate (any) traffic so that it becomes unrecognizable. Obfuscating OpenVPN traffic using obfsproxy was suggested here, with one additional mail available here:

"However, the obfsproxy project sounds very interesting.  And it should be
possible to use obfsproxy (as it can talk like a SOCKS proxy) with
OpenVPN, by using the --socks-proxy argument.  But I'm not aware of any
openvpn services providing obfsproxy services in conjunction with OpenVPN."

A quick obfsproxy setup

This setup will start obfsproxy on your openvpn server, listening to the port 21194. On the client it will start a obfsproxy serving as a SOCKS proxy, listening on the client on port 10194. The part which says "<some-random-key>" needs to be the same value on both server and client. The key can be a longer text string, with just random letters. I'd recommend to keep it long (at least 32 characters, which is 256 bits).

Client side

Add the following lines to your existing openvpn config file:

socks-proxy-retry
socks-proxy 127.0.0.1 10194

and change the --remote option to be

remote <YOUR-VPN-SERVER> 21194

That is, changing the port number to match the port number the server side obfsproxy will listen to.

Then start the obfsproxy like this:

 [user@host: ~] $ obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs2 \
      --shared-secret=<some-random-key> socks 127.0.0.1:10194

Server side

Here we tell obfsproxy to listen to TCP port 21194 and to send any obfsproxy clients to the OpenVPN server, listening on 127.0.0.1, port 1194. And remember to allow TCP connections from the "outside" to port 21194 in your firewall config. Start obfsproxy like this:

 [user@host: ~] $ obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs2 \
      --dest=127.0.0.1:1194 --shared-secret=<some-random-key> server 0.0.0.0:21194

The OpenVPN server needs in this case just this line in the config:

port 1194

That's all the magic, and should be a complete working setup.

A user provided an OpenVPN installer which bundles OpenVPN with obfsproxy. Look here for downloads and instructions.

from https://community.openvpn.net/openvpn/wiki/TrafficObfuscation

------