tls-crypt and DPI bypass?

godaddy
OpenVpn Newbie
Posts: 10
Joined: Mon Dec 04, 2017 5:57 pm

tls-crypt and DPI bypass?

Post by godaddy » Mon Apr 13, 2020 2:56 pm

I live in a highly censored regime. I've heard TLS-Crypt can bypass the DPI on the ISP side. Is it true? I just set up openvpnas and the config contains tls-auth, not tls-crypt.

Is it possible to enable this? Any other points that might help?

I've been looking at obfsproxy and the xor patch - are they the only real solution here?

kelleci
OpenVpn Newbie
Posts: 7
Joined: Sun Nov 22, 2015 7:00 pm

Re: tls-crypt and DPI bypass?

Post by kelleci » Tue Apr 21, 2020 7:12 pm

Hi,
I have widely tested in a country such as yours (around 5 years) SS, v2ray, obfs3, stunnel, wireguard and xor. I highly recommend xorpatch or tls-crypt. All other protocols were eventually blocked in my case. :mrgreen:
You have to manually install openvpn with tls-crypt or the xor patch and compile. I am not sure, but Ovpn-as does not support the tls-crypt option, I think. I have never used it since I am familiar with Linux.
Since xorpatch is not supported by many clients on both iOS and Android, I recommend tls-crypt if you will use this profile on multiple platforms.
Please don't use tls-auth; in my case the server IP was banned in the blink of an eye. :shock: Also, if you used ovpn-as once and tried to connect, your server IP might already be blocked; please check (ping it with a bare internet connection) and buy a new VPS if necessary.
If you are interested I can share both my server and client configs, which are working just fine for me with both xor and tls-crypt.

houmie75
OpenVPN User
Posts: 44
Joined: Wed Jul 22, 2020 7:46 pm

Re: tls-crypt and DPI bypass?

Post by houmie75 » Thu Aug 20, 2020 6:35 pm

@kelleci Would you please share your configs with me? Did you XOR patch only the server or also the client? Thank you

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Thu Aug 20, 2020 7:54 pm

@houmie75, if you would like to test out TLS-Crypt-V2 see:
https://github.com/TinCanTech/easy-tls

houmie75
OpenVPN User
Posts: 44
Joined: Wed Jul 22, 2020 7:46 pm

Re: tls-crypt and DPI bypass?

Post by houmie75 » Thu Aug 20, 2020 9:31 pm

TinCanTech wrote (Thu Aug 20, 2020 7:54 pm):
> @houmie75, if you would like to test out TLS-Crypt-V2 see:
> https://github.com/TinCanTech/easy-tls

Thank you. Would you mind explaining what benefit this is adding compared to the version that comes with OpenVPN?

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Thu Aug 20, 2020 9:47 pm

The version of what, which comes with openvpn, exactly?

houmie75
OpenVPN User
Posts: 44
Joined: Wed Jul 22, 2020 7:46 pm

Re: tls-crypt and DPI bypass?

Post by houmie75 » Thu Aug 20, 2020 10:10 pm

I was looking for a way to obfuscate the VPN connection. The user Kelleci mentioned that he had established working configs for XOR or for tls-crypt that could hide the footprint. I was curious what these configs looked like. I'm using tls-crypt, but the DPI in the Emirates can still see through it and block it.

Especially when he said:
> Since xorpatch is not supported many clients on both ios and android i recommend tls-crypt if you will use this profile on multiple platforms.

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Thu Aug 20, 2020 10:29 pm

houmie75 wrote (Thu Aug 20, 2020 10:10 pm):
> I'm using tls-crypt, but the DPI in Emirates can still see through it and block it

If you want to try out TLS Crypt V2 then there are some advantages.

As for XOR, it is required on both client and server and you have to patch/build openvpn yourself.

XOR is also completely ineffective ..

Keep in mind, whoever owns the network makes the rules.

houmie75
OpenVPN User
Posts: 44
Joined: Wed Jul 22, 2020 7:46 pm

Re: tls-crypt and DPI bypass?

Post by houmie75 » Fri Aug 21, 2020 7:28 am

Thank you. I have been reading up on your repo this morning. Is there a step by step tutorial by any chance?

This is what I have done so far.
1) I have a prepared OpenVPN server already installed via the Angristan script.
2) sudo cp ~/easy-tls/easytls /etc/openvpn/easy-rsa/

Now it gets confusing. Do I follow the steps here: https://github.com/OpenVPN/openvpn/blob ... ypt-v2.txt

or do I run this

```sh
./easytls --tls-crypt-v2-genkey server
```

It's not clear.

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Fri Aug 21, 2020 10:06 am

Simple steps:

Download https://github.com/TinCanTech/easy-tls/ ... er/easytls
Save it into the same directory where you have easyrsa

Then run:

```sh
./easytls
# Read the instructions
./easytls init-tls
# Read the output
./easytls help build-tls-crypt-v2-server
# Read the instructions
./easytls build-tls-crypt-v2-server server-name
# Read the output
./easytls help build-tls-crypt-v2-client
# Read the instructions
./easytls build-tls-crypt-v2-client server-name client-name
# Read the output
```

That will create TLS-Crypt-V2 keys.

Now you can try:

```sh
./easytls inline-tls-crypt-v2 server-name
./easytls inline-tls-crypt-v2 client-name
ls -l pki/easytls
```

Thanks for the star btw 8-)

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Fri Aug 21, 2020 11:12 am

I just realised, you will also need OpenVPN 2.5:
https://openvpn.net/community-downloads/

You need that on both server and client.

houmie75
OpenVPN User
Posts: 44
Joined: Wed Jul 22, 2020 7:46 pm

Re: tls-crypt and DPI bypass?

Post by houmie75 » Fri Aug 21, 2020 5:24 pm

TinCanTech wrote (Fri Aug 21, 2020 10:06 am):
> Thanks for the star btw 8-)

You're welcome. :-)

Thank you so much for the excellent step by step commands.

Yeah when I ran this it complains about the version:

```text
# ./easytls build-tls-crypt-v2-server server2
Easy-TLS version: 1.27
Easy-TLS error:
Unsupported OpenVPN version 2.4
```

But I already have version 2.4:

```text
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
```
Ah you mean I need the beta version 2.5?
So I have to compile it. :ugeek:

No problem, let's see what I can do. Have to create my own script out of the Angristan script...

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Fri Aug 21, 2020 5:38 pm

houmie75 wrote (Fri Aug 21, 2020 5:24 pm):
> So I have to compile it

Use git-master, it is easy to do.
https://github.com/OpenVPN/openvpn

Or use the OpenVPN repos here:
https://community.openvpn.net/openvpn/w ... twareRepos

houmie75
OpenVPN User
Posts: 44
Joined: Wed Jul 22, 2020 7:46 pm

Re: tls-crypt and DPI bypass?

Post by houmie75 » Fri Aug 21, 2020 8:34 pm

Brilliant idea. With the repo I was able to add it first and then run the Angristan script, which ended up with the latest OpenVPN 2.5 being installed.

I also managed to run your easy-tls, it is really easy once I followed your instructions. I recommend adding that to the main README on your github.

Now comes the best news. Not only does it work, it also works in the Emirates. So I would like to understand this better. How come their DPI was able to see through OpenVPN 2.4.7 with tls-crypt but not OpenVPN 2.5 with tls-crypt-v2?

Is this only a matter of time until they catch up?

Thank you so much for your help

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Fri Aug 21, 2020 9:12 pm

houmie75 wrote (Fri Aug 21, 2020 8:34 pm):
> I also managed to run your easy-tls, it is really easy once I followed your instructions. I recommend adding that to the main README on your github.

Thanks for testing 8-) -- I keep adding to the documentation slowly but surely.

houmie75 wrote (Fri Aug 21, 2020 8:34 pm):
> Not only it works, it also works in Emirates. So I like to understand this better. How comes their DPI was able to see through openVPN 2.4.7 and tls-crypt but not with openVPN 2.5 and tls-crypt-v2?

I don't know how they scan the packets but I do know that --tls-auth and --tls-crypt are public keys.

--tls-crypt-v2 has completely private and unique keys. :ugeek:
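As an added illustration of that distinction (example code written for this page, not from easy-tls or OpenVPN): a small audit over client profiles that reports which wrapping directive is in use and whether its key is the one copied into every other client profile. The two profiles are constructed samples with placeholder key bodies; only the directive names and PEM header names are the real OpenVPN ones.

```python
import re

# Constructed sample client profiles (not from this thread); key bodies are placeholders.
PROFILE_TLS_CRYPT = """client
remote vpn.example.com 1194 udp
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

PROFILE_TLS_CRYPT_V2 = """client
remote vpn.example.com 1194 udp
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
00112233445566778899aabbccddeeff
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
"""

# The three control-channel wrapping directives, in the order OpenVPN introduced them.
WRAP_DIRECTIVES = ("tls-auth", "tls-crypt", "tls-crypt-v2")


def control_channel_wrapping(profile: str) -> dict:
    """Classify how a profile wraps the TLS control channel.

    tls-auth and tls-crypt use one static key that is copied into every client
    profile, so any profile holder has the key protecting all sessions.
    tls-crypt-v2 gives each client its own key, wrapped with a server-only key."""
    found = {}
    for name in WRAP_DIRECTIVES:
        inline = re.search(rf"^<{name}>\n(.*?)^</{name}>", profile, re.S | re.M)
        file_ref = re.search(rf"^{name}\s+(\S+)", profile, re.M)
        if inline:
            found[name] = inline.group(1)
        elif file_ref:
            found[name] = f"file:{file_ref.group(1)}"
    if not found:
        return {"wrapping": None, "key_shared_with_all_clients": None,
                "note": "control channel is not wrapped; the TLS handshake is exposed as-is"}
    if len(found) > 1:
        return {"wrapping": sorted(found), "key_shared_with_all_clients": None,
                "note": "only one of tls-auth, tls-crypt and tls-crypt-v2 may be used"}
    name, body = next(iter(found.items()))
    shared = name != "tls-crypt-v2"
    note = ("same static key in every client profile; rotating it means reissuing all profiles"
            if shared else "per-client key; a single client key can be rejected server-side")
    if name == "tls-crypt-v2" and "server key" in body:
        note = "server key found in a client profile; clients must get a client key"
    return {"wrapping": name, "key_shared_with_all_clients": shared, "note": note}
```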

Pippin
Forum Team
Posts: 869
Joined: Wed Jul 01, 2015 8:03 am

Re: tls-crypt and DPI bypass?

Post by Pippin » Fri Aug 21, 2020 9:37 pm

> Is this only a matter of time until they catch up?

Yes, once they find out what it is and have developed a DPI signature.

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Fri Aug 21, 2020 10:04 pm

Pippin wrote (Fri Aug 21, 2020 9:37 pm):
> and developed a DPI signature

Which may be more difficult than it sounds :mrgreen:

TinCanTech wrote (Thu Aug 20, 2020 10:29 pm):
> Keep in mind, whoever owns the network makes the rules

DPI is only one of those rules.

houmie75
OpenVPN User
Posts: 44
Joined: Wed Jul 22, 2020 7:46 pm

Re: tls-crypt and DPI bypass?

Post by houmie75 » Sat Aug 22, 2020 9:37 am

That's amazing. Let's cross our fingers that it remains undetected. :mrgreen:

I have another question:
The client cert usually begins with

```text
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
....
-----BEGIN CERTIFICATE-----
MIIB2jCCAYCgAwIBAgIQfs1OXv6p7CzWqVUUX49rVDAKBggqhkjOPQQDAjAeMRww
-----END CERTIFICATE-----
</cert>
```

But the Angristan script skips everything above BEGIN CERTIFICATE. Is it recommended to keep it for the client or doesn't it matter?

Thanks,

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Sat Aug 22, 2020 11:31 am

houmie75 wrote (Sat Aug 22, 2020 9:37 am):
> or doesn't it matter

It makes no difference.

houmie75
OpenVPN User
Posts: 44
Joined: Wed Jul 22, 2020 7:46 pm

Re: tls-crypt and DPI bypass?

Post by houmie75 » Fri Aug 28, 2020 5:47 am

Good morning TinCanTech,

I'm now seeing a new tls-crypt unwrap error.

```text
tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1598593169) 2020-08-28 05:39:29 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
```
I have OpenVPN 2.5, hence the first one should be deprecated:

> --no-replay
> DEPRECATED This option will be removed in OpenVPN 2.5. (Advanced) Disable OpenVPN's protection against replay attacks. Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security.

Not quite sure why I should change replay-window.

Any idea what this could be?
Many Thanks
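To make the warning above concrete, here is a simplified model of the sliding window behind --replay-window (an added example written for this page, not OpenVPN's code or anything posted in this thread): it tracks the newest (time, sequence) pair accepted plus a bitmap of the last 64 sequence numbers, so a packet that arrives more than 64 packets behind the newest one is reported the same way as a genuine duplicate. The seconds part of --replay-window is left out, and the packet sequence is constructed.

```python
from dataclasses import dataclass

# Constructed model of the replay window for OpenVPN's long-form packet ID
# (time stamp + sequence number, as in "[ #1 / time = (1598593169) ... ]").
@dataclass
class ReplayWindow:
    size: int = 64          # --replay-window n: default backtrack of 64 packets
    last_time: int = 0      # time field of the newest accepted packet
    highest: int = 0        # highest sequence number accepted under last_time
    seen: int = 0           # bitmap: bit k set means highest-k was accepted

    def check(self, time: int, seq: int) -> str:
        """Return 'ok' or the reason a packet ID would be reported as
        'bad packet ID (may be a replay)'."""
        if seq == 0:
            return "bad: sequence number 0 is never valid"
        if time < self.last_time:
            return "bad: older time stamp than the newest accepted packet"
        if time > self.last_time:
            # New time stamp (new key or session): the window starts over.
            self.last_time, self.highest, self.seen = time, seq, 1
            return "ok"
        if seq > self.highest:
            shift = seq - self.highest            # slide the window forward
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "ok"
        back = self.highest - seq
        if back >= self.size:
            return "bad: behind the window (too far out of order)"
        if self.seen & (1 << back):
            return "bad: already seen (true replay)"
        self.seen |= 1 << back                    # late but still inside the window
        return "ok"


def run_sample() -> list:
    """Feed a constructed UDP arrival order through a default 64-packet window."""
    w = ReplayWindow()
    arrivals = [(1598593169, 1), (1598593169, 2), (1598593169, 4),
                (1598593169, 3),      # late but inside the window: accepted
                (1598593169, 3),      # duplicate of an accepted packet: replay
                (1598593169, 200),    # jump ahead: accepted, window moves on
                (1598593169, 100),    # 100 behind: outside the 64-packet window
                (1598593100, 1)]      # stale time stamp: rejected
    return [w.check(t, s) for t, s in arrivals]
```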
