Traffic Obfuscation to escape Deep Paket Inspection

This is where we can discuss what we would like to see added or changed in OpenVPN.
Post Reply
OpenVpn Newbie
Posts: 1
Joined: Tue Sep 11, 2012 10:03 am

Traffic Obfuscation to escape Deep Paket Inspection

Post by florixyz » Tue Sep 11, 2012 10:14 am

Hi there,

some companies like T-mobile and Kabel Deutschland, use Deep Paket Inspection to filter traffic and apply traffic shaping to certain types of traffic - thereby interfering even with traffic over a VPN and disturbing proper VPN operation for some sorts of traffic. So I thought it was time for some nice features for traffic obfuscation in openVPN.
Look at the following scenario: You have a VOIP connection through a VPN. You have constant and probably equal upload and download paket rates over the VPN connection, so the DPI identifies the connection as some kind of symmetric stream. We could escape this, if openVPN would provide some support to
a) add random junk payload to the pakets or insert random junk pakets (at the expense of more traffic though),
b) run the up- and download streams over two different tcp connections or over two different udp ports (if in udp mode).
c) use even more than two connections, and randomly distribute the traffic over these connections, thereby making sure that the data is not uniformly distributed.
I suppose, in case b) for the DPI, the two separate connections would not look like a symmetrical stream anymore (unless they assume this from the fact, that they both end at the same peer address... But this could be normal traffic, like downloading from a webserver, and uploading to an ftp at the same host, so they would heavily interfere with users internet access, if they would block or interfere with this.)
Of course, case c) would add some latency and jitter issues for use cases like voip.. But tools like skype can cope with this pretty well and might work quite well over such a connection.

Does anybody have an idea if such or similar features are already implemented, or where to start and integrate such features? I would first like to go for the independent up-/down-stream stuff (at two different ports), then for adding junk packets - if needed, and last for the multi-connection random distribution.

User avatar
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Traffic Obfuscation to escape Deep Paket Inspection

Post by janjust » Wed Sep 26, 2012 12:15 pm

obfuscating won't help - I'd sooner look at something like httptunnel and run OpenVPN over that.

OpenVpn Newbie
Posts: 5
Joined: Tue Mar 12, 2013 5:01 am

Re: Traffic Obfuscation to escape Deep Paket Inspection

Post by rollingscissors » Tue Mar 12, 2013 5:06 am

Stunnel and Obfsproxy can be used to hide OpenVPN from deep packet inspection. Here is a VPN cloaking tutorial for setting up a server and client to run either software. Even with the packets no longer advertising themselves as "OpenVPN" they are eventually going to be blocked because they are encrypted and not open for censors to check.

The same games apply - changing IP addresses and ports on a frequent basis.

OpenVpn Newbie
Posts: 7
Joined: Fri Oct 26, 2018 10:12 am

Re: Traffic Obfuscation to escape Deep Paket Inspection

Post by thorfix » Sat Oct 27, 2018 3:50 am

Unfortunately your "VPN cloaking tutorial" doesn't work. There is some mirror for that ?

OpenVpn Newbie
Posts: 1
Joined: Fri Sep 14, 2018 3:15 pm

Re: Traffic Obfuscation to escape Deep Paket Inspection

Post by vpnif » Mon Nov 26, 2018 2:13 pm

The technical content is too high, so I can't understand it. Is there any direct use?

Post Reply