Add obfuscation to OpenVPN connections (very important for users in China) #3

Closed
wants to merge 3 commits into
from


sadan9 commented Apr 18, 2013

The Chinese government uses the GFW (Great Firewall of China; for more about it, see http://en.wikipedia.org/wiki/Great_Firewall_of_China) to block a lot of websites, like Facebook, Twitter, YouTube....

Some Chinese people use PPTP, L2TP, OpenVPN, and stunnel to bypass the GFW.
But after Dec 2012, the GFW can block OpenVPN connections. It looks like it works at Layer 7, because the GFW can block the connections on any port of the TCP or UDP protocols.
Some people think OpenVPN has feature codes in the TLS handshake.

This change adds obfuscation to OpenVPN connections to counter the GFW.
Two parameters are added to the OpenVPN config file:
obfs-salt [secret]
------- this parameter is the secret for obfuscation.
obfs-padlen [num]
------- this parameter is optional. num=1~255. OpenVPN will add random data to the end of packets.

Owner
sadan9 commented on e58fc99 Apr 18, 2013

add obfuscate to openvpn connections

Owner
sadan9 commented on 16122d4 Apr 18, 2013

add obfuscate to openvpn connections

Owner
sadan9 commented on 6077ebe Apr 18, 2013

add obfuscate to openvpn connections.
there are two parameters added to the openvpn config file:
obfs-salt: this parameter is the secret for obfuscation
obfs-padlen: this parameter is optional. num=1~255. openvpn will add random data to the end of packets.

Any thoughts on whether this is going to be merged in?

ngharo commented Aug 22, 2013

I kind of have a feeling patches like this will not be merged due to the constantly changing DPI techniques used by firewalls. It seems like a never-ending battle.

Not that this patch isn't GREAT for users that need it, I'm just afraid it'll create a burden on OpenVPN developers if they're maintaining support for it.

I will bring it up at the next OpenVPN developer meeting to get more official input.

Thanks!

@ngharo Was there a decision made at the developer meeting?

Contributor
cron2 commented Oct 13, 2015

Hi,

On Mon, Oct 12, 2015 at 03:41:07PM -0700, Ilya Lipnitskiy wrote:

> @ngharo Was there a decision made at the developer meeting?

No, we ran out of time.

gert

USENET is not the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de

+1

Can't this better be done with something like obfsproxy?
Perhaps making it easier to configure OpenVPN with obfs4 would be a more ideal approach.

sadan9 commented May 17, 2016

Some devices can't run obfs4,
e.g. OpenVPN for iOS…

Owner
mattock commented May 18, 2016

The OpenVPN development team has talked about adding obfuscation to OpenVPN many times in the past. We think obfuscation should be handled outside of OpenVPN by software that is designed for the job (e.g. obfsproxy). As mentioned above, it is a cat-and-mouse game, and we don't want to play that game. I believe obfsproxy does not need to be running locally (on the phone), so even if certain restricted platforms are unable to run it, there are workarounds. From what I've heard, commercial OpenVPN providers also tend to bundle obfsproxy instead of bundling obfuscation patches with OpenVPN.

I'll close this pull request soon unless somebody from the developer team objects.

Contributor
cron2 commented May 18, 2016

Hi,

On Tue, May 17, 2016 at 11:52:21PM -0700, Samuli Seppänen wrote:

> I'll close this pull request soon unless somebody from the developer team objects.

We're not adding obfuscation code to OpenVPN - because, as you have mentioned,
it's an arms race, so whenever we deploy something, the people that we want
to obfuscate from can see our commits and deploy countermeasures...

What I think would make sense is to add a plugin API for "packet mangling"
(so OpenVPN would create, encrypt and sign its outgoing packets and hand
it off to a plugin for obfuscation before sending, and incoming packets
would be de-obfuscated by the plugin before signature check / decryption).

I'm not going to implement this API any time soon, but I'm willing to
discuss and review, and potentially merge - provided the API is sane, and
does not add significant overhead to un-obfuscated packet flows.

gert

USENET is not the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
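
An added illustration of the hook ordering proposed in the comment above (not OpenVPN code and not from this pull request). Every name here is hypothetical, the additive tag stands in for the real encrypt-and-sign step, and the XOR mask is a placeholder transform.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical hook: rewrites buf in place, returns the new length or -1. */
typedef int (*mangle_fn)(uint8_t *buf, int len, int cap);
struct mangle_plugin { mangle_fn on_send, on_recv; };   /* hypothetical */

/* Stand-in for the core's encrypt+sign: appends a 1-byte additive tag. */
static int seal(uint8_t *buf, int len, int cap) {
    uint8_t tag = 0;
    if (len + 1 > cap) return -1;
    for (int i = 0; i < len; i++) tag += buf[i];
    buf[len] = tag;
    return len + 1;
}
/* Stand-in for signature check + decrypt: verifies and strips the tag. */
static int unseal(uint8_t *buf, int len) {
    uint8_t tag = 0;
    if (len < 1) return -1;
    for (int i = 0; i < len - 1; i++) tag += buf[i];
    return tag == buf[len - 1] ? len - 1 : -1;
}
/* Placeholder reversible transform, not the scheme from this pull request. */
static int xor_mask(uint8_t *buf, int len, int cap) {
    (void)cap;
    for (int i = 0; i < len; i++) buf[i] ^= 0x5A;
    return len;
}
const struct mangle_plugin xor_plugin = { xor_mask, xor_mask };

/* Send path: the core seals first; the plugin only sees the sealed packet. */
int send_packet(const struct mangle_plugin *p, uint8_t *buf, int len, int cap) {
    int n = seal(buf, len, cap);
    if (n >= 0 && p && p->on_send) n = p->on_send(buf, n, cap);
    return n;
}
/* Receive path: the plugin undoes its transform, then the core verifies. */
int recv_packet(const struct mangle_plugin *p, uint8_t *buf, int len, int cap) {
    if (p && p->on_recv) len = p->on_recv(buf, len, cap);
    return len < 0 ? -1 : unseal(buf, len);
}
/* Round trip of a constructed payload; flip != 0 corrupts one wire bit. */
int demo(const struct mangle_plugin *tx, const struct mangle_plugin *rx, int flip) {
    uint8_t pkt[16] = "hello";
    int n = send_packet(tx, pkt, 5, (int)sizeof pkt);
    if (flip) pkt[0] ^= 0x01;
    n = recv_packet(rx, pkt, n, (int)sizeof pkt);
    return (n == 5 && memcmp(pkt, "hello", 5) == 0) ? n : -1;
}
```

With no plugin loaded the only added cost on each path is one NULL check, and a corrupted or mismatched packet is still rejected by the core's own verification after the plugin has run.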

Owner

Also see pull request #7 for similar arguments as to why not to put such static mangling/obfuscation methods into OpenVPN.

@dsommers dsommers closed this May 19, 2016