Knowledgebase: Securing VPN & DNS
How to bypass DPI (Deep Packet Inspection)
Posted by Max Biggavelli on 12 March 2015 08:52

In order to bypass DPI (Deep Packet Inspection) something that very often occurs in Countries like China with its Great Firewall, or Iran or any other Country for that matter with highly restrictive regimes, it could be more and more required to do additional steps of traffic obfuscation to bypass DPI in the future.

Quote: "As internet censorship tightens across the world, governments are becoming more and more concerned about preventing the use of VPN to circumvent their restrictions. China, with its Great Firewall, has been particularly active in this regard and there have been many reports of VPN into and out of China being blocked.

Quote: "A new internet traffic monitoring technology known as Deep Packet Inspection (DPI) has been proven to successfully block OpenVPN traffic regardless of the port used being 80, 443 or even 53. To sum up: everyone who uses the internet needs to be aware of Deep Packet Inspection. DPI is a next-generation technology capable of inspecting every byte of every traffic packet that passes through a DPI device, that means packet headers, types of applications and actual packet content in real time which were previously impossible to do using advanced proxies, or stateful firewalls systems.

There are now many Deep Packet Inspection products that can tell that you are trying to use OpenVPN over port 443 instead of normal HTTPS and drop the traffic. For example if your OpenVPN connection works for a few seconds or minutes and then stops when the cause is not server related then there is the possibility that your ISP is using DPI. OpenVPN does not "hide" itself from firewalls, modern firewalls with deep packet inspection can easily see that it's OpenVPN traffic flowing over the port instead of real HTTPS traffic. It is important to understand that OpenVPN doesn't use the SSL wire protocol directly, like the majority of SSL applications does. All SSL packets are encapsulated within a kind of an OpenVPN container, which is why some deep packet inspection firewalls might not allow OpenVPN traffic. So a DPI device can correctly identify OpenVPN packet and block it because OpenVPN traffic is different from real HTTPS traffic. 

One possible solution is to tunnel OpenVPN traffic over a HTTPS tunnel. Using this method, many users on networks using DPI have been able to bypass it. The method works in most cases because the OpenVPN traffic which is tunneled over HTTPS is recognized by the DPI device as being “True HTTPS” traffic thereby allowing it to bypass. OpenVPN over SSL tunneling can be extremely useful for users who are behind strong firewalls/proxy/DPI devices/countries which only allow real HTTPS traffic on TCP port 443."

That said we have now decided to add two additional approaches which will help bypassing DPI in thus explained circumstances.

But before we proceed its important to understand that both methods are doing completely different things (and should not - though, can be used together) and that each of them requires its own different setup procedure, the setup procedure is not the easiest and takes a bit of time and motivation, so only use it if you really NEED it, or are really interested to try it :)

Some background details on what we will be doing as next, have a good read from the links to grasp a decent general understanding of everything what happens next:

1). OpenVPN over SSL

The so called "OpenVPN over SSL" method is established in combination with stunnel software and is setup on all VPN countries by default! This method is only possible over TCP protocol, hence the peformance will be even slower than the "normal" TCP, but the point is to bypass DPI and not to win a performance contest.

How to:

1. Inside members area click on "I need a :443 IP" (remember that this method only works on TCP, so speed will be slower). In the next page click on "Yes, I want a OpenVPN over SSL TCP IP.."

2. As next edit your OpenVPN config file ("YourUsername.ovpn") with a text edtor, the remote & proto paramaters must be like below, save the config when finished editing:

proto tcp
remote 1194

*2.1* Alternatively and easier, simply re-download your config file from the members area now, it will contain the adjusted correct details.

3. If not already done, go ahead and install "stunnel" now, pick your version:

4. We need to do some changes in the stunnel config file, start stunnel and right click its icon located in the taskbar, click on "Edit Configuration" and place following at the bottom:


client = yes
accept =
connect =

(the connect hostname you find in the OpenVPN config file ("YourUsername.ovpn") it looks like

*4.1* Incase you dont want to edit the file yourself, or have troubles doing so, click on this link to automatically generate it on the fly for you:
After clicking the link (its possible you need to log in first) and inside the members area you will then find a Download link for your "stunnel.conf" file!

5. IMPORTANT: After editing the stunnel config it needs to be reloaded to get activated, right click on the stunnel icon again and click on "Reload stunnel.conf"

6. To verify your data flow you can activate the "Show Log window"

7. Thats it, now you can connect with OpenVPN!

Conclusion is that OpenVPN will now connect locally to stunnel first and stunnel redirects the traffic to the VPN server, thus making it an OpenVPN over SSL connection which is sufficient to bypass DPI in almost all known cases. 


2). xorpatch'ed OpenVPN

Additionally as second alternative approach we have setup a Scrambled OpenVPN version (officially known as the "xorpatch") on the following locations:

Israel - "IL"
France3 - "FR3"
Kaliningrad - "KGD"

We will not install the xorpatch as a standard on all countries, not now and neither in the future, since we dont like patching original code along with a few other facts that speak against it, not to forget that the client (you) must be using a patched OpenVPN version as well otherwise it will not work, all in all it can be seen as a really time consuming setup, therefore is the xorpatch'ed OpenVPN version at the moment only installed on the Israel, France3, Albania. Possibly from time to time a setup of more xorpatch'ed VPN locations in the future could be the case, but it will never become a default setup and decided on a country to country basis.

How to:

1. If available for your country log into the members area and click on "I need a :443 IP" (remember that this method only works on TCP, so speed will be slower). In the next page click on "Yes, I want a Scrambled TCP IP.."

2. Re-download your config file from the members area now, it will contain the adjusted correct details.

3. As aforementioned in the introduction in order for this method to work not only the OpenVPN server side must be patched, but the client version (yours) must be patched as well!

To do this you need to download the proper "openvpn.exe", we do always expect you to use the latest OpenVPN version at the moment when writing this tutorial it is version "2.3.6" and only for this 2.3.6 version the patched "openvpn.exe" below is appropriate! If you dont have the 2.3.6 version then download it here first and once installed choose your patched "openvpn.exe" below:

32 Bit:


64 Bit:

Download and overwrite the "openvpn.exe" inside the /bin folder of OpenVPN, on windows the /bin folder is typically located at "C:\Program Files (x86)\OpenVPN\bin" or "C:\Program Files\OpenVPN\bin"

4. Thats basically it, connect now with OpenVPN and enjoy. 

A quick look into the config file reveals a new parameter which is "scramble obfuscate nVpnNetScrambled" and this parameter commands OpenVPN to use a scrambled obfuscated traffic payload, which will bypass DPI :)

(25 vote(s))
Not helpful