encrypt handshake and control channel

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

spxspx
OpenVpn Newbie
Posts: 4
Joined: Fri Sep 30, 2011 7:59 am

encrypt handshake and control channel

Post by spxspx » Fri Sep 30, 2011 8:06 am

Hi,
The problem I am facing is that our government has installed a sophisticated layer 7 firewall which is able to filter packets based on regex rules. It seems that they have managed to find regex patterns which match the OpenVPN handshake or control packets, and they are dropping such packets. I am not sure exactly which packets are being dropped, as I am not an OpenVPN expert, but with their firewall in place OpenVPN cannot connect and gives a timeout error.
Is there any way to encrypt the preliminary OpenVPN handshake and control packets so they cannot identify them?
Regards

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: encrypt handshake and control channel

Post by janjust » Fri Sep 30, 2011 8:10 am

The short answer is "no". I guess the long answer is also "no" :mrgreen:

Sniffing out OpenVPN traffic using stateful packet inspection is quite common these days. OpenVPN does not hide itself from firewalls (nor should it, in my opinion). There are plenty of tools out there that can be used to duck firewalls, such as socat, stunnel and a few others.

spxspx
OpenVpn Newbie
Posts: 4
Joined: Fri Sep 30, 2011 7:59 am

Re: encrypt handshake and control channel

Post by spxspx » Fri Sep 30, 2011 8:44 am

Dear janjust,
Thank you for your prompt response. I believe it should be pretty easy to implement such a feature. We only need another layer of UDP data encryption before the packet is sent to the network; the complexity of the encryption doesn't matter, it can be a simple XOR method with a shared key which can be passed to client and server through the config file. We only need to bypass those firewalls, and we are ready to pay for a custom build. Do you know anyone in the OpenVPN dev team who might be interested in getting paid to implement this feature?
Best Regards

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: encrypt handshake and control channel

Post by janjust » Fri Sep 30, 2011 9:23 am

Don't know anybody off the top of my head.
Join the IRC channel #openvpn or #openvpn-devel on freenode IRC and ask...

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: encrypt handshake and control channel

Post by krzee » Fri Sep 30, 2011 9:29 am

They surely don't block all SSH traffic out of their firewall...
Use an SSH tunnel and then use OpenVPN's SOCKS support to tunnel OpenVPN over that.

spxspx
OpenVpn Newbie
Posts: 4
Joined: Fri Sep 30, 2011 7:59 am

Re: encrypt handshake and control channel

Post by spxspx » Fri Sep 30, 2011 10:16 am

They have already blocked all PPTP, L2TP and OpenVPN traffic, so why do you think they will not block SSH traffic? That's pretty easy.
Also, SSH is TCP; tunneling OpenVPN inside a TCP tunnel can cause TCP meltdown.
I checked socat, but it seems it cannot encrypt UDP packets. It only has an SSL option for TCP tunnels.
Do you know any tunnel program which can encrypt and forward UDP packets?

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: encrypt handshake and control channel

Post by krzee » Fri Sep 30, 2011 10:51 am

Yes, I do believe they will *not* block SSH traffic. It is needed for all Unix techs... unless they also outlawed being a tech...
You are right about TCP meltdown, but you seem to be in the situation where you have no choice. You can try tcp-nodelay and disable Nagle's algorithm, which may help.
DNS tunneling (iodine) may or may not also work, although that would give you such a bad MTU that you would be better off trying your luck with TCP.
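The two suggestions krzee makes in this thread (run OpenVPN over a local SOCKS proxy provided by an SSH tunnel, and turn off Nagle's algorithm to soften the TCP-in-TCP penalty) fit together in one client setup. The script below is an added example, not code from the thread or from the OpenVPN project; the SSH host, VPN server, ports and certificate file names are placeholders. It relies on two documented OpenVPN directives, `socks-proxy` and `socket-flags TCP_NODELAY`; `ssh -D` relays only TCP, so the OpenVPN server in this arrangement has to accept `proto tcp-server` on the port used.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN client reaching its server through
# a local SOCKS5 proxy opened by "ssh -D". All hosts, ports and paths are
# placeholders chosen for this example.

SSH_HOST="user@ssh-host.example"   # assumed: a host reachable over SSH
SOCKS_PORT=1080                    # local SOCKS5 listener created by ssh -D
VPN_HOST="vpn-server.example"      # assumed: OpenVPN server listening on TCP
VPN_PORT=1194

# Step 1: ssh -D turns the SSH session into a dynamic (SOCKS5) port forward.
# -f backgrounds ssh after authentication, -N runs no remote command.
start_socks_proxy() {
    ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" "$SSH_HOST"
}

# Step 2: client config. socks-proxy makes OpenVPN connect to "remote" through the
# proxy, so the only traffic the local network sees is the SSH session.
# socket-flags TCP_NODELAY disables Nagle's algorithm on the client socket; on the
# server side "tcp-nodelay" sets the same flag and pushes it to clients.
write_client_config() {
    cat > "$1" <<EOF
client
dev tun
proto tcp-client
remote ${VPN_HOST} ${VPN_PORT}
socks-proxy 127.0.0.1 ${SOCKS_PORT}
socket-flags TCP_NODELAY
ca ca.crt
cert client.crt
key client.key
persist-key
persist-tun
verb 3
EOF
}

# Pre-flight check: the directives this setup depends on must be present, and the
# protocol must be TCP, because a TCP-only SOCKS forward cannot carry UDP.
config_ok() {
    grep -q '^proto tcp-client$' "$1" \
        && grep -q "^socks-proxy 127.0.0.1 ${SOCKS_PORT}$" "$1" \
        && grep -q '^socket-flags TCP_NODELAY$' "$1"
}

# Usage (not run automatically when this file is sourced):
#   start_socks_proxy && write_client_config client.conf \
#       && config_ok client.conf && openvpn --config client.conf
```

The check in `config_ok` exists because a config that still says `proto udp` will silently never use the proxy for the data path; OpenVPN's SOCKS support for UDP needs a proxy that implements UDP ASSOCIATE, which `ssh -D` does not provide. TCP_NODELAY reduces the added latency of the TCP-in-TCP stack but does not remove the retransmission interaction that the thread calls TCP meltdown.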

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: encrypt handshake and control channel

Post by krzee » Fri Sep 30, 2011 10:52 am

Oh, and on IRC waiting 3 minutes for a response is not usually considered enough to get a response.
(But I had already entered the thread before you came in...)

spxspx
OpenVpn Newbie
Posts: 4
Joined: Fri Sep 30, 2011 7:59 am

Re: encrypt handshake and control channel

Post by spxspx » Fri Sep 30, 2011 11:17 am

You don't know what these f... dictators are capable of! Being a Linux tech is their least concern; they do not even honor human lives when it comes to the struggle for their political power. Nowadays the internet has become their biggest enemy, as it connects people and informs people, so they are doing what they can to limit people's access to the free flow of information. We are even hearing about an "international internet" inside Iran now! By international internet they mean a local intranet inside the country which has no access, or very limited and controlled connectivity, to the outside world. So it is even possible that they disconnect the whole internet inside Iran. We are going towards another North Korea here.
They want to isolate the country from the world.
Anyway, thanks for your tips, I will try them :)
