It seems as though more and more places are blocking OpenVPN communication. I've tried running my OpenVPN server using TCP port 443 but this is blocked as well by sophisticated firewalls. Somehow they can tell the difference between https traffic and OpenVPN traffic.
Since these sites will pass http on TCP port 80 and https on TCP port 443, it would seem a viable solution to my problem to make OpenVPN use https to communicate to the OpenVPN server. If need be, various metadata that web browsers pass could also be added to fool firewalls into thinking that the traffic is just web browser traffic instead of OpenVPN traffic.
Have any of the OpenVPN developers tried this scheme?
OpenVPN Blocked -- Redesign Using HTTPS
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 17
- Joined: Mon Feb 20, 2012 3:13 pm
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Aug 14, 2024 5:12 am
Re: OpenVPN Blocked -- Redesign Using HTTPS
"More and more" is an understatement. In a large part of the world (China, Russia, North Korea, Turkiye...), internet is already locked down, and even in "free democratic" countries at least half of the networks in hotels, airports, corporate networks, Airbnb rentals, etc. are locked down and crippled.
This includes OpenVPN, since by its current design, even tunneling SSL traffic over the HTTPS port (443) can easily be intercepted by DPI firewalls. In such a situation, one can usually never know if OpenVPN will be allowed or not when you need it, or when the next day some admin will decide to block it. We're approaching a point where OpenVPN is quickly becoming pretty much useless and irrelevant. So this is no longer a nice-to-have, it's a must-have.
There is a simple solution: websockets. It's an RFC standard, universally supported, and it's layered on top of HTTP/HTTPS, so it's indistinguishable from "plain web" traffic short of breaking SSL encryption. Libraries for websockets are universally available, and due to OpenVPN's current design the implementation would be quite straightforward.
-
- OpenVpn Newbie
- Posts: 17
- Joined: Mon Feb 20, 2012 3:13 pm
Re: OpenVPN Blocked -- Redesign Using HTTPS
Sybille, thanks for your reply. I think that you're on to something.
OpenVPN developers -- How about giving websockets a try? The current OpenVPN connection methods are too easily thwarted to be useful except in the most benign environments.
Further research:
"The WebSocket protocol was designed to accommodate bidirectional communication over a single TCP connection while maintaining compatibility with infrastructure for HTTP. It is not dependent on HTTP and can work independently, directly connecting to a port. A WebSocket connection can be established by upgrading an existing HTTP/1.1 connection or programmatically." From https://http.dev/ws
https://en.wikipedia.org/wiki/WebSocket
https://developer.mozilla.org/en-US/doc ... ockets_API
https://websocket.org/
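The HTTP/1.1 Upgrade handshake quoted above, and the websocket transport Sybille proposes as a carrier for OpenVPN packets, as an added example. This is not OpenVPN's, SoftEther's or any forum poster's code: it is a minimal RFC 6455 implementation written for this page, with both sides of the exchange walked in memory (no sockets, no TLS). The host name vpn.example.net, the path /ws and the sample packet bytes are constructed for the demonstration. TLS, which is what would wrap all of this on port 443, is out of scope here.

```python
import base64
import hashlib
import os
import struct

# RFC 6455 GUID appended to the client key when computing Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """Server side: derive Sec-WebSocket-Accept from Sec-WebSocket-Key (SHA-1, then base64)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_handshake(host: str, path: str, key: str = "") -> tuple:
    """Client side: build the Upgrade request. Returns (request bytes, key used)."""
    if not key:
        key = base64.b64encode(os.urandom(16)).decode("ascii")  # 16 random bytes, per RFC 6455
    request = (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n"
    )
    return request.encode("ascii"), key


def server_handshake(request: bytes) -> bytes:
    """Server side: validate the Upgrade request and answer 101, or reject with 400."""
    head, _, _ = request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("ascii", errors="replace").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    key = headers.get("sec-websocket-key")
    if (headers.get("upgrade", "").lower() != "websocket"
            or headers.get("sec-websocket-version") != "13" or not key):
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    response = (
        "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n"
    )
    return response.encode("ascii")


def client_verify(response: bytes, key: str) -> bool:
    """Client side: accept the upgrade only if the server proves it saw our key."""
    text = response.decode("ascii", errors="replace")
    if not text.startswith("HTTP/1.1 101"):
        return False
    for line in text.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "sec-websocket-accept":
            return value.strip() == accept_key(key)
    return False


def encode_frame(payload: bytes, mask: bool, opcode: int = 0x2) -> bytes:
    """Build one final frame. Client-to-server frames MUST be masked (RFC 6455 s.5.1);
    opcode 0x2 (binary) suits an opaque VPN packet."""
    header = bytes([0x80 | opcode])  # FIN set, RSV bits clear
    n, mask_bit = len(payload), (0x80 if mask else 0x00)
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 65536:
        header += bytes([mask_bit | 126]) + struct.pack(">H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack(">Q", n)
    if not mask:
        return header + payload
    key = os.urandom(4)
    return header + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def decode_frame(frame: bytes) -> tuple:
    """Parse one frame into (opcode, payload, bytes consumed), unmasking if needed."""
    opcode, masked, n, pos = frame[0] & 0x0F, bool(frame[1] & 0x80), frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack(">H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack(">Q", frame[2:10])[0], 10
    key = b""
    if masked:
        key, pos = frame[pos:pos + 4], pos + 4
    payload = frame[pos:pos + n]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, pos + n


def tunnel_roundtrip(packet: bytes) -> bytes:
    """Full exchange in memory: handshake both ways, then one masked client frame
    carrying `packet`, which the server side unmasks and hands back."""
    req, key = client_handshake("vpn.example.net", "/ws")  # hypothetical host and path
    if not client_verify(server_handshake(req), key):
        raise RuntimeError("websocket handshake failed")
    opcode, payload, used = decode_frame(encode_frame(packet, mask=True))
    if opcode != 0x2:
        raise RuntimeError("unexpected opcode")
    return payload


if __name__ == "__main__":
    sample = b"\x00\x0e\x38" + bytes(14)  # constructed stand-in for an OpenVPN TCP record
    print(tunnel_roundtrip(sample) == sample)
```

In a real transport the client would speak this over a TLS socket to port 443 and a web server or reverse proxy would route the /ws path to the VPN daemon while serving ordinary pages elsewhere; what the middlebox sees before TLS is opened is then the same CONNECT-free TLS stream a browser produces, which is the whole point of the proposal.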
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Nov 20, 2024 8:04 am
Re: OpenVPN Blocked -- Redesign Using HTTPS
Wow.
Sounds great.
-
- OpenVpn Newbie
- Posts: 17
- Joined: Mon Feb 20, 2012 3:13 pm
Re: OpenVPN Blocked -- Redesign Using HTTPS
Since my last post, I've found another server/client system that does implement a VPN using the HTTPS protocol on TCP port 443. See SoftEther.org.
I'm currently testing version 4.43 Build 9799. So far, it has successfully cut through a firewall that stopped OpenVPN set up using TCP port 443. However, it does need some further refinement since it will not pass the server test on ssllabs.com even when using valid Let's Encrypt certificates. Also, SoftEther provides me a higher network throughput than OpenVPN.
I realize that the OpenVPN developers don't want to get into the firewall arms race as the Tor Browser community has been forced to do, but OpenVPN is almost useless as it is now because it is blocked in most of the world.
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: OpenVPN Blocked -- Redesign Using HTTPS
Time to change The World then ..
-
- OpenVpn Newbie
- Posts: 17
- Joined: Mon Feb 20, 2012 3:13 pm
Re: OpenVPN Blocked -- Redesign Using HTTPS
TCT, if you have a suggestion on how to "change The World then", please tell us. Otherwise, your comment is not helpful.