An OpenVPN server is fairly easy to set up. However, the OpenVPN traffic signature can be detected using deep packet inspection and blocked.
The Tor network offers a transport called obfsproxy that can help mask the OpenVPN traffic and prevent it from being blocked.
obfsproxy can be used independently of Tor.
This post gives a quick overview of the steps needed to enable OpenVPN tunneling over (through)
Getting OpenVPN working over obfsproxy assumes that you or someone you know has access to the VPN server itself to set up the proxy. This is a bit of a bummer if you don't. In that case, there are obfsproxy services offered by NordVPN and proxy.sh among others. If you use these services, they will provide you with the instructions to connect (ports, passwords, etc.).
Assuming that you have access to the OpenVPN server and client machine, the steps needed to get OpenVPN working with
- Working installation of OpenVPN server and client
obfsproxy on both client and VPN server
obfsproxy on client and server
- Configure VPN client and server to use
obfsproxy as daemon on client and server
- Start VPN server and have client connect to it via
- Enjoy tunneling through most restrictive zones!
These instructions assume a Linux client but users have reported being able to do this on Windows too. But YMMV.
Install and run obfsproxy
python 2.7 and pip are installed.

```bash
pip install --upgrade pip
pip install obfsproxy
obfsproxy --log-min-severity=info obfs2 --shared-secret=<random string up to 32 bytes> socks 127.0.0.1:11194
```
obfsproxy command running in a terminal. The shared-secret must be the same on client and server. Keep it safe. If using a pre-configured server from a VPN provider, this password (shared secret) will be provided by them.
The local port number 11194 can be changed as long as the same number is used in the VPN client configuration.
Configure VPN client
We assume that you have a working VPN client configuration. Make a copy of your currently working configuration file xxx.ovpn and edit it to have the following lines:

```
remote <VPN server IP> 21194
route <VPN server IP> 255.255.255.255 net_gateway
socks-proxy-retry
socks-proxy 127.0.0.1 11194
```
- Comment out or delete any earlier
- The port number 21194 is configurable as long as the same port number is used on the server. This is the port on which the obfsproxy on the server side is listening for connections.
- The route command may be optional. Others have reported being able to use obfsproxy without it. But I needed it because without it the DNS resolution would not succeed when connected to the VPN. More explanation about this can be found here.
- One side effect of the route command is that sometimes the route does not get deleted automatically when the VPN is torn down and has to be deleted manually. The solution may be to use the scripts mentioned in the link. However, this introduces further complications because the script has to be run as root while we prefer to downgrade the privileges to user nobody after initialization of the tunnel.
- The two socks-proxy commands are where all the magic happens. Essentially the obfsproxy acts as a local socks proxy redirecting all VPN traffic through it.
- The socks port number (11194 here) has to match the port number used in the
Once edited, add the new client configuration to your favorite VPN client.
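A consistency check for the edited client profile, as an added example that is not part of the original post: it verifies that the remote and socks-proxy lines agree with the ports given to obfsproxy. The function names, the constructed sample profile (192.0.2.10 is a documentation address), and the checks for a single active remote line and for proto tcp are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): lint an OpenVPN client profile
# against the obfsproxy ports chosen above.
# Usage: check_ovpn_obfs PROFILE SOCKS_PORT SERVER_PORT
# Prints one line per problem and returns non-zero if any was found.
check_ovpn_obfs() {
    awk -v socks="$2" -v srv="$3" '
        function bad(msg) { print "FAIL: " msg; err = 1 }
        NF == 0 || $1 ~ /^[#;]/ { next }     # skip blank lines and comments
        $1 == "remote" {
            remotes++; rhost = $2
            if ($3 != srv) bad("remote port " $3 " is not the obfsproxy server port " srv)
            if ($4 ~ /^tcp/) tcp = 1
        }
        $1 == "proto" && $2 ~ /^tcp/ { tcp = 1 }
        $1 == "socks-proxy" {
            proxy = 1
            if ($2 != "127.0.0.1" && $2 != "localhost") bad("socks-proxy host " $2 " is not local")
            if ($3 != socks) bad("socks-proxy port " $3 " is not the obfsproxy client port " socks)
        }
        $1 == "socks-proxy-retry" { retry = 1 }
        $1 == "route" && $4 == "net_gateway" { rroute = $2 }
        END {
            if (remotes != 1) bad((remotes + 0) " active remote lines, expected exactly 1")
            if (!proxy) bad("no socks-proxy line, traffic would bypass obfsproxy")
            if (!retry) bad("socks-proxy-retry missing")
            # Assumption of this example: obfsproxy only carries TCP.
            if (!tcp) bad("proto is not tcp")
            if (rroute != "" && rroute != rhost) bad("route host " rroute " differs from remote host " rhost)
            exit err + 0
        }
    ' "$1"
}

# Constructed sample profile; $1 is the socks-proxy port to write into it.
sample_profile() {
    printf '%s\n' 'client' 'dev tun' 'proto tcp' \
        'remote 192.0.2.10 21194' \
        'route 192.0.2.10 255.255.255.255 net_gateway' \
        'socks-proxy-retry' "socks-proxy 127.0.0.1 $1"
}

tmp=$(mktemp)
sample_profile 11194 > "$tmp"
check_ovpn_obfs "$tmp" 11194 21194 && echo "profile matches obfsproxy ports"
rm -f "$tmp"
```

Run it against the copied xxx.ovpn before importing it; a socks-proxy port that does not match the local obfsproxy port is the mismatch most likely to leave the client retrying silently.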
The best part here is that the VPN server itself needs no configuration. It can be started as usual. The only possible change could be to use port 443 instead of the default port 1194 for the VPN server. But if you have a running VPN server configuration without obfsproxy, it is safe to use the existing port. Make a note of the port number that is being used as it will be needed below.
Install and run obfsproxy
```bash
pip install --upgrade pip
pip install obfsproxy
obfsproxy --log-min-severity=info obfs2 --dest=127.0.0.1:1194 --shared-secret=<random string up to 32 bytes> server 0.0.0.0:21194
```

- obfsproxy is started in server mode listening for connections on port 21194
- The destination port 1194 is the VPN server port. obfsproxy redirects the connections received on port 21194 to this port
- The shared secret is the same string that is used to start obfsproxy on the client machine
Open ports and enable IP forwarding
- Ensure that the server machine is able to receive TCP connections on ports 21194 and 1194 (or whatever ports you chose for the obfsproxy and VPN server above)
- Ensure that outbound traffic is not restricted
- Ensure that IP forwarding and masquerading are enabled on the server. If you have a working VPN server, this should already be done.
Start the Tunnel
- Ensure that the
- Add the new client configuration to the VPN client
- Click connect and if all goes well, the tunnel should be established
- Open a browser and enjoy your new protected experience!
Some troubleshooting tips.
Some applications may need an additional SOCKS5 proxy configuration to use the tunnel. Usually such applications provide a UI to add the proxy configuration. If needed, add server as localhost and port as 11194 (or the port you chose for the obfsproxy client) to the SOCKS5 proxy configuration menu.
Unable to add VPN client
When trying to add the client configuration to the NetworkManager in Gnome, you may receive an error like this:
Apparently this is a known bug in Gnome, please refer to the discussion here for some possible solutions.
This is a quick and easy way to use OpenVPN over a secure transport to avoid firewall restrictions that identify and block OpenVPN traffic.