Patch: Fix for Iran and China users

How to customize and extend your OpenVPN installation.
haggismn
OpenVPN User
Posts: 15
Joined: Tue Dec 20, 2011 8:04 pm

Patch: Fix for Iran and China users

Post by haggismn » Fri Apr 05, 2013 3:20 pm

I have created a patch which introduces some forms of scrambling to the packet payload of any OpenVPN connection. I have been successfully using the patch with Iranian and Chinese users for some time now. To use it you need to introduce one of the following options to your config files, both on clients and server. The option must also match on both for it to work. For clients, the option will work as a global setting, or can also be applied to specific servers, utilising the <connection> format.

The possible options are currently as follows (all of them work in Iran and China). The options are under test to see which works best.

"scramble" is the leftmost option name. This can be followed by a string which will be used to perform a simple xor operation on the packet payload.

However if the following are used instead, a different action will occur.
"scramble reverse" - This simply reverses all the data in the packet. This is enough to get past the regular expression detection in both China and Iran.
"scramble xorptrpos" - This performs a xor operation, utilising the current position in the packet payload.
"scramble obfuscate password" - This method is more secure. It utilises the 3 types of scrambling mentioned above. "password" is the string which you want to use.

With this obfuscate option, I think that it is ok to use "cipher none", because working out the method used would take a lot of cryptanalysis. The obfuscate option is also much easier on the CPU than any cipher options. This is in case you are using dd-wrt or openwrt or have a low speed cpu.

Here are some examples of how to use it.


<connection>
server 127.0.0.1 1194
scramble obfuscate lol
</connection>
<connection>
server 127.0.0.1 1195
scramble password
</connection>
<connection>
server 127.0.0.1 443
scramble reverse
</connection>
<connection>
server 127.0.0.1 80
proto tcp-client
scramble xorptrpos
</connection>
Oh, and TCP or UDP are ok, it doesn't matter what you use.

The patch is for openvpn 2.3.0 and is located here. It is ok to use in the last few previous versions too.

Enjoy!
Bitcoin donations welcome: 1KLuGeTyyffB4F5bv6bi4hYm16PfmMuS8X
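The three scramble operations described in the post, modelled on a byte buffer as an added example; this is not the patch's own code. Option names are taken from the post, but whether xorptrpos counts positions from 0 or 1, and the order in which "obfuscate" chains the three steps, are assumptions made here. The self-checks show that each mode round-trips only when both ends use the same option and string, as the post requires, and that the transform is deterministic: the same payload always produces the same scrambled bytes, which is the practical reason to keep a real cipher enabled rather than "cipher none".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "scramble reverse": mirror the payload in place. The last byte lives at
   p + len - 1; starting a backward walk at p + len would step past the buffer. */
size_t scramble_reverse(uint8_t *p, size_t len)
{
    for (size_t i = 0, j = len; i + 1 < j; i++, j--) {
        uint8_t t = p[i];
        p[i] = p[j - 1];
        p[j - 1] = t;
    }
    return len;
}

/* "scramble xorptrpos": XOR each byte with its offset in the payload.
   Assumption: offsets are counted from 1 so byte 0 is also changed. Self-inverse. */
size_t scramble_xorptrpos(uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        p[i] ^= (uint8_t)((i + 1) & 0xff);
    return len;
}

/* "scramble <string>": XOR the payload with the string repeated. Self-inverse. */
size_t scramble_xorkey(uint8_t *p, size_t len, const char *key)
{
    size_t klen = strlen(key);
    if (klen == 0)
        return len;
    for (size_t i = 0; i < len; i++)
        p[i] ^= (uint8_t)key[i % klen];
    return len;
}

/* "scramble obfuscate <string>": the three steps chained. The order used here
   (key XOR, position XOR, reverse) is an assumption; reverse and xorptrpos do
   not commute, so the receiver must undo the steps in the opposite order. */
size_t obfuscate_encode(uint8_t *p, size_t len, const char *key)
{
    scramble_xorkey(p, len, key);
    scramble_xorptrpos(p, len);
    return scramble_reverse(p, len);
}

size_t obfuscate_decode(uint8_t *p, size_t len, const char *key)
{
    scramble_reverse(p, len);
    scramble_xorptrpos(p, len);
    return scramble_xorkey(p, len, key);
}

/* Constructed sample payload for the checks below; not real OpenVPN bytes. */
static const uint8_t SAMPLE[] = "constructed payload: hello from client\x00\x01\x02";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Returns 1 when every mode restores the sample exactly and keeps its length. */
int scramble_roundtrip_ok(void)
{
    uint8_t buf[SAMPLE_LEN];
    const char *key = "lol";   /* same placeholder string as the post's example */

    memcpy(buf, SAMPLE, SAMPLE_LEN);
    scramble_reverse(buf, SAMPLE_LEN);
    scramble_reverse(buf, SAMPLE_LEN);
    if (memcmp(buf, SAMPLE, SAMPLE_LEN) != 0) return 0;

    scramble_xorptrpos(buf, SAMPLE_LEN);
    scramble_xorptrpos(buf, SAMPLE_LEN);
    if (memcmp(buf, SAMPLE, SAMPLE_LEN) != 0) return 0;

    scramble_xorkey(buf, SAMPLE_LEN, key);
    scramble_xorkey(buf, SAMPLE_LEN, key);
    if (memcmp(buf, SAMPLE, SAMPLE_LEN) != 0) return 0;

    if (obfuscate_encode(buf, SAMPLE_LEN, key) != SAMPLE_LEN) return 0;
    if (memcmp(buf, SAMPLE, SAMPLE_LEN) == 0) return 0;   /* bytes must actually change */
    obfuscate_decode(buf, SAMPLE_LEN, key);
    return memcmp(buf, SAMPLE, SAMPLE_LEN) == 0;
}

/* Returns 1 when decoding with a different string than the sender used leaves
   the payload corrupted: the option and string must match on both ends. */
int obfuscate_wrong_key_fails(void)
{
    uint8_t buf[SAMPLE_LEN];
    memcpy(buf, SAMPLE, SAMPLE_LEN);
    obfuscate_encode(buf, SAMPLE_LEN, "lol");
    obfuscate_decode(buf, SAMPLE_LEN, "password");
    return memcmp(buf, SAMPLE, SAMPLE_LEN) != 0;
}

/* Returns 1 when two encodings of the same payload are byte-identical: there is
   no per-packet randomness, so repeated plaintext stays recognisable on the wire. */
int scramble_is_deterministic(void)
{
    uint8_t a[SAMPLE_LEN], b[SAMPLE_LEN];
    memcpy(a, SAMPLE, SAMPLE_LEN);
    memcpy(b, SAMPLE, SAMPLE_LEN);
    obfuscate_encode(a, SAMPLE_LEN, "lol");
    obfuscate_encode(b, SAMPLE_LEN, "lol");
    return memcmp(a, b, SAMPLE_LEN) == 0;
}

int main(void)
{
    printf("roundtrip %s, wrong key rejected %s, deterministic %s\n",
           scramble_roundtrip_ok() ? "ok" : "FAILED",
           obfuscate_wrong_key_fails() ? "yes" : "no",
           scramble_is_deterministic() ? "yes" : "no");
    return 0;
}
```

Each step is its own inverse, so a matching configuration on both ends is all that is needed to decode; the obfuscate chain is the only mode where the order of operations matters.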

rollingscissors
OpenVpn Newbie
Posts: 5
Joined: Tue Mar 12, 2013 5:01 am

Re: Patch: Fix for Iran and China users

Post by rollingscissors » Mon Apr 22, 2013 10:12 pm

Very nice work, Haggismn!

I currently reside in China, and can't begin to describe how disruptive the current anti-vpn policies are. It is difficult to do anything involving foreign servers. Email is difficult, commerce is difficult, reading my favorite newspaper is difficult - all because of the GFW. Here, I have been on an OpenVPN server helped with obfsproxy, and it works about 75% of the time. Sometimes the Chinese simply break the connection or choke it down to 4 or 5 kbps.

An elegant solution within OpenVPN is what we all really need to decisively beat the GFW. It would be great to see this included in an upcoming release and applied by the commercial vendors. A bunch of us expats are using OpenVPN on our phones and PCs, and this surely helps.

amv
OpenVpn Newbie
Posts: 1
Joined: Thu Apr 25, 2013 7:26 pm

Re: Patch: Fix for Iran and China users

Post by amv » Thu Apr 25, 2013 9:09 pm

Is this still working? How could I use this patch?

john56477
OpenVPN User
Posts: 24
Joined: Tue Nov 06, 2012 12:02 am

Re: Patch: Fix for Iran and China users

Post by john56477 » Sun Apr 28, 2013 11:27 am

how to load this patch on linux server and windows 7 client ?

haggismn
OpenVPN User
Posts: 15
Joined: Tue Dec 20, 2011 8:04 pm

Re: Patch: Fix for Iran and China users

Post by haggismn » Mon May 06, 2013 7:18 pm

rollingscissors wrote: Very nice work, Haggismn!

I currently reside in China, and can't begin to describe how disruptive the current anti-vpn policies are. It is difficult to do anything involving foreign servers. Email is difficult, commerce is difficult, reading my favorite newspaper is difficult - all because of the GFW. Here, I have been on an OpenVPN server helped with obfsproxy, and it works about 75% of the time. Sometimes the Chinese simply break the connection or choke it down to 4 or 5 kbps.

An elegant solution within OpenVPN is what we all really need to decisively beat the GFW. It would be great to see this included in an upcoming release and applied by the commercial vendors. A bunch of us expats are using OpenVPN on our phones and PCs, and this surely helps.

I am surprised that you are having such problems! I have 2 clients in China. Both utilise this patched version of openvpn, and also ssh tunneling and stunnel at random, controlled by scripts on a router using dd-wrt. I normally have them using a server located in Los Angeles. They are consistently able to get around 2.5Mb/s on speedtest, ping <200, even <150 at times, and have no problems using hulu and other streaming sites.

For an elegant solution, there has been an ideal application in existence for many years, called GNU httptunnel. The distinct advantages of this application are that all of the connections made by it conform to being identifiable as HTTP, as well as there being options to allow the TCP connection to be reinitialised after short periods, without affecting the tunnelled application. Therefore this application will pass any regular expression whitelisting that may be implemented in the future, and will also not be affected by connection time restrictions, which may be used to identify encrypted tunnels. Last year I wrote a small patch for httptunnel that xor'ed the payload that came after the forged http data that worked quite well. However, httptunnel is very old, and has several bugs that prevent it from being fully usable. I have not the time these days to look at it, but I believe this application is potentially very useful.
Bitcoin donations welcome: 1KLuGeTyyffB4F5bv6bi4hYm16PfmMuS8X

rollingscissors
OpenVpn Newbie
Posts: 5
Joined: Tue Mar 12, 2013 5:01 am

Re: Patch: Fix for Iran and China users

Post by rollingscissors » Fri May 24, 2013 11:57 am

Your clients are indeed connecting well. I can get bandwidths a bit wider than that when in the clear (from apartments, wireless hotspots, etc), on some foreign servers. There are times when the Chinese "tighten the screws" and encrypted traffic gets especially slow.

Part of the slowdown seems to be due to the obfsproxy link not having great bandwidth. I can change the IP of my OpenVPN server and things are fast for an hour or so, then the GFW starts probing the connection. I've seen my server get a lot of connection attempts from strange IPs, then several hours to a day later it is blocked. Obfsproxy keeps the GFW from finding the server but it is so slow much of the time - not good for streaming video.

I'll have a go at it with the patch and see how things are. <grin>Hulu just isn't much fun without my fast VPN connection.

chrispersson
OpenVpn Newbie
Posts: 9
Joined: Mon May 27, 2013 3:18 am

Re: Patch: Fix for Iran and China users

Post by chrispersson » Mon May 27, 2013 3:28 am

I can't get this patch to work!

I've patched the openvpn source code and compiled both the openvpn server for linux and the openvpn client for windows.

Then I tried to test it out so I added "scramble obfuscate lol" to /etc/openvpn/openvpn.conf and on windows I added the same line to the C:\Program Files\OpenVPN\config\openvpn.ovpn

When trying to connect using the client it fails and the status box that is normally full of information is empty.

john56477
OpenVPN User
Posts: 24
Joined: Tue Nov 06, 2012 12:02 am

Re: Patch: Fix for Iran and China users

Post by john56477 » Sat Jun 08, 2013 2:02 pm

Works perfectly from China,
and using UDP!!

Bit of a mess compiling the tarball or from github;
will write up a lazy guide.

But some issues (nothing to do with the patch):
on the linux server side, the compiled and installed openvpn does not create /etc/openvpn
and does not start automatically, and there is no /etc/init.d/openvpn daemon.

How do I get the compiled-and-installed tarball to install the same as a normal install via apt-get install openvpn?

pupie
OpenVpn Newbie
Posts: 4
Joined: Sat Jun 08, 2013 9:00 am

Re: Patch: Fix for Iran and China users

Post by pupie » Mon Jun 10, 2013 3:05 pm

Hi haggismn,

thanks for your great patch; generally I got it working for me. I compiled it with an openwrt router as server and a windows client.
but I got a problem.
it seems to me that the option:

scramble password doesn't work for me.
case 1:
client with option 'scramble password', server with option 'scramble password': the client can connect to the server.

case 2:
client WITHOUT option 'scramble password', server with option 'scramble password': the client can connect to the server. (is it a bug?)

however, the other three work well:
scramble reverse
scramble xorptrpos
scramble obfuscate password.

chrispersson
OpenVpn Newbie
Posts: 9
Joined: Mon May 27, 2013 3:18 am

Re: Patch: Fix for Iran and China users

Post by chrispersson » Thu Jun 13, 2013 3:06 am

In the end I got the patch working and everything was working great here in China until yesterday. Since yesterday it does not work and it doesn't matter which scramble option I choose or if I use TCP or UDP :cry:

The openvpn client still connects and remains connected but can't access any webpage or ping any server.

Are others having the same problem?

chrispersson
OpenVpn Newbie
Posts: 9
Joined: Mon May 27, 2013 3:18 am

Re: Patch: Fix for Iran and China users

Post by chrispersson » Thu Jun 13, 2013 3:14 am

chrispersson wrote: In the end I got the patch working and everything was working great here in China until yesterday. Since yesterday it does not work and it doesn't matter which scramble option I choose or if I use TCP or UDP :cry:

The openvpn client still connects and remains connected but can't access any webpage or ping any server.

Are others having the same problem?

Stupid me. iptables had just been reset on the server. Everything works again.

nobody00
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 05, 2013 4:45 am

Re: Patch: Fix for Iran and China users

Post by nobody00 » Tue Jul 16, 2013 7:50 am

Hi all

I'm having difficulty building the openvpn for 32-bit windows. The python build method keeps complaining about the missing c:\\openvpn-build\\tainstall\\7600\\sources. I did a full Windows 7.1 DDK installation on my XP and there isn't a subdirectory under 7600 that is named sources. There is a src subdirectory. If I rename src to sources and start the build_all.py, it would error out with Permission denied: c:\\openvpn-build\\tapinstall\\7600\\sources. I would like to receive some help in building this version to hide from the Chinese censors.

Also, the latest 2.3.2 doesn't have the win directory. I'm building the 2.2.2 that does. I follow this article in the build: https://community.openvpn.net/openvpn/w ... gOnWindows.

If someone has already built a 32-bit Windows installer with this patch, I would like to receive it if it's not too much trouble.

Please help.

nobody00
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 05, 2013 4:45 am

Re: Patch: Fix for Iran and China users

Post by nobody00 » Thu Jul 18, 2013 5:36 pm

Hi, looking at this fragment of code, I'm wondering if the second for loop starts b at a wrong address. b = BPTR(buf) + len looks to be one position past the end of the buffer. I could be badly wrong as my C knowledge is very limited.

int buffer_reverse (struct buffer *buf) {
+ int i;
+ int len=BLEN(buf);
+ uint8_t *b;
+ unsigned char cpy[len];
+ for (i = 0, b = BPTR (buf); i < len; i++, b++) {
+ cpy=*b ;
+ }
+ for (i = 0, b = BPTR (buf)+len; i < len; i++, b--) {
+ *b=cpy ;
+ }
+ return BLEN (buf);
+}
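Review bot: the second loop's starting point "b = BPTR (buf)+len" is one past the last payload byte, so its first store writes outside the buffer and, after len decrements, index 0 is never written while index len is; the walk should start at "BPTR (buf)+len-1" with the same "i < len" bound. Two smaller points: the displayed "cpy=*b ;" and "*b=cpy ;" have lost the "[i]" subscript (forum markup swallows a bare "[i]"), so the lines should be read as indexing cpy by i; and "unsigned char cpy[len]" is a variable-length array sized by the packet and placed on the stack, which an in-place swap of the two ends would avoid entirely.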

haggismn
OpenVPN User
Posts: 15
Joined: Tue Dec 20, 2011 8:04 pm

Re: Patch: Fix for Iran and China users

Post by haggismn » Fri Jul 26, 2013 9:48 pm

nobody00 wrote: Hi all

I'm having difficulty building the openvpn for 32-bit windows. The python build method keeps complaining about the missing c:\\openvpn-build\\tainstall\\7600\\sources. I did a full Windows 7.1 DDK installation on my XP and there isn't a subdirectory under 7600 that is named sources. There is a src subdirectory. If I rename src to sources and start the build_all.py, it would error out with Permission denied: c:\\openvpn-build\\tapinstall\\7600\\sources. I would like to receive some help in building this version to hide from the Chinese censors.

Also, the latest 2.3.2 doesn't have the win directory. I'm building the 2.2.2 that does. I follow this article in the build: https://community.openvpn.net/openvpn/w ... gOnWindows.

If someone has already built a 32-bit Windows installer with this patch, I would like to receive it if it's not too much trouble.

Please help.

Hi nobody,

PM me your email and I'll send you the working exe file. Also the buffer_reverse function works fine.
Bitcoin donations welcome: 1KLuGeTyyffB4F5bv6bi4hYm16PfmMuS8X

nobody00
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 05, 2013 4:45 am

Re: Patch: Fix for Iran and China users

Post by nobody00 » Wed Jul 31, 2013 3:42 am

Hi, I don't seem to be able to PM you. I sent two but both were stuck in Outbox.

Here is my email address terryhwt@gmail.com. Thanks.

bpmee31
OpenVpn Newbie
Posts: 3
Joined: Fri Aug 09, 2013 4:44 am

Re: Patch: Fix for Iran and China users

Post by bpmee31 » Fri Aug 09, 2013 5:21 am

Thanks very much for this patch!

I applied it and have installed it on a server. I can stop and restart it successfully. I can also connect normally without specifying a xor method.

What is the syntax for "scramble reverse" option for the client file and server file? Each time I try to connect, OpenVPN reports "scramble is unknown". If I comment out "scramble reverse" I can connect, but is my connection still using scramble reverse if the server config file has it listed? Here is my client file:

CLIENT

remote x.x.x.x 443
scramble reverse
dev tun
comp-lzo
ca ca.crt
cert user.crt
key user.key
auth-user-pass
auth-retry interact
ns-cert-type server
script-security 3
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 10.10.10.1
verb 6

In my server file I have:

port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
dh dh2048.pem
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login
ifconfig-pool-persist ipp.txt
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
verb 6
mute 10
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1 bypass-dhcp"
ping-timer-rem
status xxx.log
daemon
scramble reverse

Thanks in advance for your help!

taiwanmobileservices
OpenVPN User
Posts: 38
Joined: Sun Jun 30, 2013 2:34 am
Location: Taiwan

Re: Patch: Fix for Iran and China users

Post by taiwanmobileservices » Fri Aug 09, 2013 5:47 am

Hi! Haggismn,

Have sent you PM but not sure able to reach you.

Could you please send me the said patch with instructions/documents to me at birdman_hsu@icould.com?

Thanks/Br,

Birdman
May the Forces be with you!

Thanks/Br,

Birdman Hsu
Taiwan Mobile Services

john56477
OpenVPN User
Posts: 24
Joined: Tue Nov 06, 2012 12:02 am

Re: Patch: Fix for Iran and China users

Post by john56477 » Mon Sep 16, 2013 1:38 am

Here are instructions to install the patched openvpn server on a Raspberry Pi:

http://scramblevpn.wordpress.com/2013/0 ... -blocking/

Could be improved, missing
e.g. install as service, package as deb,
detailed instructions to cross compile to windows

haggismn
OpenVPN User
Posts: 15
Joined: Tue Dec 20, 2011 8:04 pm

Re: Patch: Fix for Iran and China users

Post by haggismn » Mon Sep 16, 2013 9:00 pm

Sorry for the delay. Here is the patched openvpn.exe. Simply replace the openvpn.exe file in the openvpn\bin directory of OpenVPN version 2.2.2

I will take some time to apply this patch to the latest version of OpenVPN

Again, apologies for the delay.
Cheers
Bitcoin donations welcome: 1KLuGeTyyffB4F5bv6bi4hYm16PfmMuS8X

rainbow6
OpenVPN Power User
Posts: 55
Joined: Mon Aug 29, 2011 1:01 pm

Re: Patch: Fix for Iran and China users

Post by rainbow6 » Thu Sep 19, 2013 8:23 am

Hello haggismn,
I've successfully built windows and linux with no issues using the latest 2.3.2 source and it's working correctly, but I'm having issues running the OSX version. Do you have a working osx version that I can test?

Thanks
