Penetrating Firewalls Using OpenVPN

mpfrench
OpenVpn Newbie
Posts: 13
Joined: Mon Feb 20, 2012 3:13 pm

Penetrating Firewalls Using OpenVPN

Post by mpfrench » Wed Oct 13, 2021 2:08 pm

Ref: Server Running OpenVPN-2.5.4-I602-amd64.msi on Windows 10 x64 version 21H1.

Problem: I had the unfortunate experience of spending several days in a hospital behind their very restrictive wifi firewall. The only access they granted to their public wifi was web browsing using HTTP (TCP port 80) and HTTPS (TCP port 443). My IMAP-based e-mail client was blocked as was my OpenVPN client which was set to use UDP port 80.

This began my search for a way to penetrate this very restrictive firewall. I first discovered the OpenVPN option port-share which sounded as though it would help OpenVPN penetrate a restrictive firewall by setting the OpenVPN server to listen on TCP port 443 and forward legitimate HTTPS traffic to a web server running on a different, nonstandard TCP port, e.g., TCP port 4443.

The manual for OpenVPN 2.4 states that this port-share option is not implemented in the Windows version but since the manual for 2.5 is not yet online, I tried it anyway and found that it is not implemented in 2.5 either.

After thinking about this port-share option, it may fool some firewalls but likely not the most sophisticated ones that can tell the difference between OpenVPN encrypted traffic and HTTPS encrypted traffic. So a more robust solution is required.

The most obvious solution is to design OpenVPN to use HTTPS and avoid all traffic differences between OpenVPN and plain web browsers while making the port-share option work in Windows as well as the other operating systems.

Does anyone have a better solution to my problem? Come to think of it, people in China, North Korea, and other similar restrictive environments would benefit from a solution like this as well.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Penetrating Firewalls Using OpenVPN

Post by TinCanTech » Wed Oct 13, 2021 4:20 pm

mpfrench wrote:
Wed Oct 13, 2021 2:08 pm
I had the unfortunate experience of spending several days in a hospital behind their very restrictive wifi firewall
Was it a military hospital?

A decent hospital might allow their clients VPN access in these modern times. Perhaps suggest that to them.

As for the rest of your question, there is no solution.

The reason: It is an arms race.

No matter what OpenVPN does, the source code is open and free.

vs

Various governments around the planet do not like people using VPNs.
They have all the money, power and time it takes to find a way to win the arms race.
All governments want to stop us using crypto for everything, except what they sanction.

Stephanie_Sy
OpenVPN User
Posts: 20
Joined: Mon May 31, 2021 4:51 pm

Re: Penetrating Firewalls Using OpenVPN

Post by Stephanie_Sy » Wed Oct 20, 2021 1:33 am

I think that people in non-free countries could be easily identified by the fact that they use encrypted communications.

mpfrench
OpenVpn Newbie
Posts: 13
Joined: Mon Feb 20, 2012 3:13 pm

Re: Penetrating Firewalls Using OpenVPN

Post by mpfrench » Tue Jan 16, 2024 7:00 pm

I still have not found a solution to the problem I posed quite a long time ago but would like to do so. First, a brief restatement of the problem --

I would like to use my laptop computer, running an OpenVPN client, in remote situations where the remote firewall allows traffic using HTTP (TCP port 80) and HTTPS (TCP port 443). No other ports will pass anything. Also, running OpenVPN on TCP port 443 is blocked by the remote firewall.

The only solution that I can imagine is to convert the OpenVPN traffic on the laptop to standard HTTPS, then, on the OpenVPN server at home, convert the HTTPS to OpenVPN traffic. In other words, the laptop would run an OpenVPN-to-HTTPS converter while the home server would run an HTTPS-to-OpenVPN converter.

This solution will work unless the server IP address is blocked.

Does anyone know of such a solution?
