Knowledgebase: Securing VPN & DNS
How to bypass DPI (Deep Packet Inspection)
Posted by Max Biggavelli on 12 March 2015 08:52

In order to bypass DPI (Deep Packet Inspection), which is very often encountered in countries like China with its Great Firewall, Iran, or any other country with a highly restrictive regime, it may increasingly be necessary to take additional traffic obfuscation steps in the future.

Quote: "As internet censorship tightens across the world, governments are becoming more and more concerned about preventing the use of VPN to circumvent their restrictions. China, with its Great Firewall, has been particularly active in this regard and there have been many reports of VPN into and out of China being blocked.

Quote: "A new internet traffic monitoring technology known as Deep Packet Inspection (DPI) has been proven to successfully block OpenVPN traffic regardless of the port used being 80, 443 or even 53. To sum up: everyone who uses the internet needs to be aware of Deep Packet Inspection. DPI is a next-generation technology capable of inspecting every byte of every traffic packet that passes through a DPI device, that means packet headers, types of applications and actual packet content in real time which were previously impossible to do using advanced proxies, or stateful firewalls systems.

There are now many Deep Packet Inspection products that can tell that you are trying to use OpenVPN over port 443 instead of normal HTTPS and drop the traffic. For example, if your OpenVPN connection works for a few seconds or minutes and then stops, and the cause is not server related, then there is the possibility that your ISP is using DPI. OpenVPN does not "hide" itself from firewalls; modern firewalls with deep packet inspection can easily see that it's OpenVPN traffic flowing over the port instead of real HTTPS traffic. It is important to understand that OpenVPN doesn't use the SSL wire protocol directly, like the majority of SSL applications do. All SSL packets are encapsulated within a kind of OpenVPN container, which is why some deep packet inspection firewalls might not allow OpenVPN traffic. So a DPI device can correctly identify OpenVPN packets and block them because OpenVPN traffic is different from real HTTPS traffic.

One possible solution is to tunnel OpenVPN traffic over an HTTPS tunnel. Using this method, many users on networks using DPI have been able to bypass it. The method works in most cases because the OpenVPN traffic which is tunneled over HTTPS is recognized by the DPI device as being "true HTTPS" traffic, thereby allowing it to pass. OpenVPN over SSL tunneling can be extremely useful for users who are behind strong firewalls/proxies/DPI devices/countries which only allow real HTTPS traffic on TCP port 443."

That said, we have now decided to add two additional approaches which help bypass DPI in the circumstances explained above.

But before we proceed, it is important to understand that these methods do completely different things (they do not have to be, though they can be, used together) and that each of them requires its own setup procedure. The setup is not the easiest and takes a bit of time and motivation, so only use it if you really NEED it, or are really interested in trying it :)

Some background on what we will be doing next; have a good read of the links to gain a decent general understanding of everything that follows:

https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction
http://en.wikipedia.org/wiki/Deep_packet_inspection
http://www.theguardian.com/technology/2012/dec/14/china-tightens-great-firewall-internet-control

1). OpenVPN over SSL

The so-called "OpenVPN over SSL" method is established in combination with the stunnel software and is set up on all VPN countries by default! This method is only possible over the TCP protocol, hence performance will be even slower than "normal" TCP, but the point is to bypass DPI and not to win a performance contest.


How to:

1. Inside the members area click on "I need a :443 IP" (remember that this method only works on TCP, so speed will be slower). On the next page click on "Yes, I want an OpenVPN over SSL TCP IP.."

2. Next, edit your OpenVPN config file ("YourUsername.ovpn") with a text editor; the remote and proto parameters must be as below. Save the config when finished editing:

proto tcp
remote 127.0.0.1 1194

*2.1* Alternatively (and easier), simply re-download your config file from the members area now; it will contain the adjusted, correct details.

3. If not already done, go ahead and install "stunnel" now, pick your version: https://www.stunnel.org/downloads.html

4. We need to make some changes to the stunnel config file: start stunnel, right click its icon in the taskbar, click on "Edit Configuration" and place the following at the bottom:

[openvpn-over-ssl]
client = yes
accept = 127.0.0.1:1194
connect = uXXXXX.nvpn.so:443


(The connect hostname is found in the OpenVPN config file ("YourUsername.ovpn"); it looks like uXXXXX.nvpn.so.)


*4.1* In case you don't want to edit the file yourself, or have trouble doing so, click on this link to generate it automatically for you: https://nvpn.net/memberss/stunnel.php?generate=true
After clicking the link (you may need to log in first), you will find a download link for your "stunnel.conf" file inside the members area!

5. IMPORTANT: after editing the stunnel config it needs to be reloaded to take effect: right click on the stunnel icon again and click on "Reload stunnel.conf".

6. To verify your data flow, you can activate "Show Log window".

7. That's it, now you can connect with OpenVPN!

In conclusion, OpenVPN now connects locally to stunnel first, and stunnel forwards the traffic inside a TLS connection to the VPN server on port 443, making it an OpenVPN over SSL connection, which is sufficient to bypass DPI in almost all known cases.
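As an added example (not part of the original article or the provider's own tooling), the following POSIX shell script derives the stunnel client section from the hostname in an existing .ovpn file and rewrites the proto/remote lines so OpenVPN talks to the local stunnel listener. It assumes the .ovpn contains one "remote <host> <port>" line naming the VPN server and that stunnel accepts on 127.0.0.1:1194 as in steps 2 and 4 above.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the stunnel client section
# and the localhost-pointing .ovpn lines from an existing OpenVPN config file.
# Assumptions: the .ovpn has one "remote <host> <port>" line naming the VPN server,
# and stunnel will accept OpenVPN on 127.0.0.1:1194 as described in the article.

# Print the VPN server hostname from the first "remote" line of an .ovpn file.
ovpn_remote_host() {
    awk '$1 == "remote" { print $2; exit }' "$1"
}

# Emit the [openvpn-over-ssl] section for stunnel.conf, pointing at <host>:443.
gen_stunnel_section() {
    printf '[openvpn-over-ssl]\nclient = yes\naccept = 127.0.0.1:1194\nconnect = %s:443\n' "$1"
}

# Print the .ovpn rewritten so OpenVPN connects to the local stunnel listener over TCP.
# "remote-cert-tls" is left untouched because the pattern requires a space after "remote".
rewrite_ovpn_for_stunnel() {
    sed -e 's/^proto .*/proto tcp/' -e 's/^remote .*/remote 127.0.0.1 1194/' "$1"
    grep -q '^proto ' "$1" || printf 'proto tcp\n'   # append proto tcp if the file had none
}

# Stand-alone demo on a constructed sample .ovpn (placeholder hostname from the article).
SAMPLE=$(mktemp)
printf 'client\ndev tun\nproto udp\nremote uXXXXX.nvpn.so 443\nremote-cert-tls server\n' > "$SAMPLE"
gen_stunnel_section "$(ovpn_remote_host "$SAMPLE")"
echo '--- rewritten .ovpn ---'
rewrite_ovpn_for_stunnel "$SAMPLE"
rm -f "$SAMPLE"
```

Note that the section as given in the article does not make stunnel verify the server's certificate; if the provider publishes a CA, stunnel's verifyChain and CAfile options can be added to the same section so a spoofed :443 endpoint is rejected.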


2). OpenVPN with "tls-crypt"

Since OpenVPN version 2.4, a new feature named "tls-crypt" is available. Control channel encryption uses a pre-shared static key to encrypt control channel packets.

Encrypting control channel packets has three main advantages:

  • It provides more privacy by hiding the certificate used for the TLS connection.
  • It is harder to identify OpenVPN traffic as such.
  • It provides "poor-man's" post-quantum security against attackers who will never know the pre-shared key (i.e. no forward secrecy).

More information can be found here: here
A comparison between OpenVPN over SSL and tls-crypt can be read here: here

tls-crypt modes are available for the following locations:

"GER3" - Germany
"GER4" - Germany
"NL2" - Netherlands
"NL4" - Netherlands
"FR3" - France
"FR4" - France
"KGD" - Kaliningrad
"MOL" - Moldova
"IL" - Israel
"UA" - Ukraine
"UK" - United Kingdom
"RU" - Russia

How to:

1. If available for your country, log into the members area and click on "I need a :443 IP" (remember that this method only works on TCP, so speed will be slower). On the next page click on "Yes, I want a tls-crypt TCP IP.."

2. Re-download your config file from the members area now; it will contain all the adjusted, correct details.

3. That's basically it: connect now with OpenVPN and enjoy.


3). OpenVPN through "obfsproxy"

Obfsproxy is a connection approach which can be used to obfuscate (any) traffic so that it becomes unrecognizable. Keep in mind that this approach is already a few years old (it came out around 2012) and it is unclear how effective it still is today, but it is still a nice-to-have option and surely one more chance to bypass DPI.

What "obfsproxy" is and how it works, you can read here:

https://news.ycombinator.com/item?id=11759170
https://blog.torproject.org/obfsproxy-next-step-censorship-arms-race

How to:

1. Click on "I need a :443 IP" (remember that this method only works on TCP, so speed will be slower). On the next page click on "Yes, I want an obfsproxy TCP IP.."

2. Re-download your config file from the members area now; it will contain all the adjusted, correct details.

3. Install Obfsproxy:

-- Windows --

First of all you need to install the latest Python 2.7.15 version and then run the following commands in your command line (open cmd.exe):

cd C:\Python27\Scripts

pip install --upgrade pip

pip install obfsproxy

obfsproxy.exe --log-min-severity debug obfs3 socks 127.0.0.1:1050

After starting the proxy, your command line window should now look like this: here

Now you can launch OpenVPN and connect to your VPN.

Important: before connecting to this server you always need to enter the following command in the Command Prompt:

obfsproxy.exe --log-min-severity debug obfs3 socks 127.0.0.1:1050

And the Command Prompt window needs to remain open, or else your VPN connection will be disconnected.

-- Linux --

You need to install the latest Python 2.7.15 and then run the following commands:

pip install --upgrade pip

pip install obfsproxy

obfsproxy --log-min-severity info obfs3 socks 127.0.0.1:1050

4. That's basically it. If you did everything properly, the VPN connection will be established and there will be an ongoing busy traffic flow visible in the command line window; it will look similar to this
