Patch: Fix for Iran and China users

[haggismn]

I have created a patch which introduces some forms of scrambling to the packet payload of any OpenVPN connection. I have been successfully using the patch with Iranian and Chinese users for some time now. To use it you need to introduce one of the following options to your config files, both on clients and server. The option must also match on both for it to work. For clients, the option will work as a global setting, or can also be applied to specific servers, utilising the <connection> format.

The possible options are, currently (all of them work in Iran and China). The options are currently under test to see what works best.

"scramble" is the leftmost option name. This can be followed by a string which will be used to perform a simple xor operation the packet payload.

However if the following are used instead, a different action will occur.
"scramble reverse" - This simply reverses all the data in the packet. This is enough to get past the regular expression detection in both China and Iran.
"scramble xorptrpos" - This performs a xor operation, utilising the current position in the packet payload.
"scramble obfuscate password" - This method is more secure. It utilises the 3 types of scrambling mentioned above. "password" is the string which you want to use.

With this obfuscate option, I think that it is ok to use "cipher none", because working out the method used would take a lot of cryptoanalysis. The obfuscate option is also much easier on the CPU than any cipher options This is incase you are using ddwrt or openwrt or have a low speed cpu.

Here are some examples of how to use it.

Code: Select all

<connection>
server 127.0.0.1 1194
scramble obfuscate lol
</connection>
<connection>
server 127.0.0.1 1195
scramble password
</connection>
<connection>
server 127.0.0.1 443
scramble reverse
</connection>
<connection>
server 127.0.0.1 80
proto tcp-client
scramble xorptrpos
</connection>

Oh, and TCP or UDP are ok, it doesn't matter what you use.

The patch is for openvpn 2.3.0 and is located here. It is ok to use in the last few previous versions too.

Enjoy!

[rollingscissors]

Very nice work, Haggismn!

I currently reside in China, and can't begin to describe how disruptive the current anti-vpn policies are. It is difficult to do anything involving foreign servers. Email is difficult, commerce is difficult, reading my favorite newspaper is difficult - all because of the GFW. Here, I have been on an OpenVPN server helped with obfsproxy, and it works about 75% of the time. Sometimes the Chinese simply break the connection or choke it down to 4 or 5 kbps.

An elegant solution within OpenVPN is what we all really need to decisively beat the GFW. It would be great to see this included in an upcoming release and applied by the commercial vendors. A bunch of us expats are using OpenVPN on our phones and PCs, and this surely helps.

[amv]

Is this still working? How could I use this patch?

[john56477]

how to load this patch on linux server and windows 7 client ?

[haggismn]

Very nice work, Haggismn!

I currently reside in China, and can't begin to describe how disruptive the current anti-vpn policies are. It is difficult to do anything involving foreign servers. Email is difficult, commerce is difficult, reading my favorite newspaper is difficult - all because of the GFW. Here, I have been on an OpenVPN server helped with obfsproxy, and it works about 75% of the time. Sometimes the Chinese simply break the connection or choke it down to 4 or 5 kbps.

An elegant solution within OpenVPN is what we all really need to decisively beat the GFW. It would be great to see this included in an upcoming release and applied by the commercial vendors. A bunch of us expats are using OpenVPN on our phones and PCs, and this surely helps.

I am surprised that you are having such problems! I have 2 clients in China. Both utilise this patched version of openvpn, and also ssh tunneling and stunnel at random, controlled by scripts on a router using dd-wrt. I normally have them using a server located in Los Angeles. They are consistently able to get around 2.5Mb/s on speedtest, ping <200, even <150 at times, and have no problems using hulu and other streaming sites.

For an elegant solution, there has been an ideal application in existence for many years, called GNU httptunnel. The distinct advantages of this application are that all of the connections made by it conform to being identifiable as HTTP, as well as there being options to allow the TCP connection to be reinitialised after short periods, without affecting the tunnelled application. Therefore this application will pass any regular expression whitelisting that may be implemented in the future, and will also not be affected by connection time restrictions, which may be used to identify encrypted tunnels. Last year I wrote a small patch for httptunnel that xor'ed the payload that came after the forged http data that worked quite well. However, httptunnel is very old, and has several bugs that prevent it from being fully usable. I have not the time these days to look at it, but I believe this application is potentially very useful.

[rollingscissors]

Your clients are indeed connecting well. I can get bandwidths a bit wider than that when in the clear (from apartments, wireless hotspots, etc), on some foreign servers. There are times when the Chinese "tighten the screws" and encrypted traffic gets especially slow.

Part of the slowdown seems to be due to the obfsproxy link not having great bandwidth. I can change the IP of my OpenVPN server and things are fast for an hour or so, then the GFW starts probing the connection. I've seen my server get a lot of connection attempts from strange IPs, then several hours to a day later it is blocked. Obfsproxy keeps the GFW from finding the server but it is so slow much of the time - not good for streaming video.

I'll have a go at it with the patch and see how things are. <grin>Hulu just isn't much fun without my fast VPN connection.

[chrispersson]

I can't get this patch to work!

I've patched the openvpn source code and compiled both a the openvpn server for linux and the openvpn client for windows.

Then I tried to test it out so I added "scramble obfuscate lol" to /etc/openvpn/openvpn.conf and on windows I added the same line to the C:\Program Files\OpenVPN\config\openvpn.ovpn


When trying to connect using the client it fails and the status box that is normally full of information is empty.

[john56477]

works perfect from China
and using UDP !!

bit a messing compiling the tarball or github
will write up a lazy guide.

But some issues (nothing to do with patch)
on the linux server side, the compiled and installed openvpn does not create /etc/openvpn
and does not start automatically, and no /etc/init.d/openvpn deamon

How to get compiled and installed tarball install the same as normal installed via apt-get install openvpn

[pupie]

Hi haggismn,

thanks for your great patch, generally i got it works for me. I compiled it with openwrt router server and a windows client.
but i got a problem.
it seems to me that the options:

scramble password doesn't work to me.
case1:
client with option 'scramble password', server with option 'scramble password', the client can connet to server.

case2:
client WITHOUT option 'scramble password', server with option scramble password, the client can connet to server. (it is a bug?)

however, the other three works well:
scramble reverse
scramble xorptrpos
scramble obfuscate password.

[chrispersson]

In the end I got the patch working and everything was working great here in China until yesterday. Since yesterday it does not work and it doesn't matter which scramble option I choose or if I use TCP or UPD

The openvpn client still connects and remains connected but can't access any webpage or ping any server.

Are others having the same problem?

[chrispersson]

In the end I got the patch working and everything was working great here in China until yesterday. Since yesterday it does not work and it doesn't matter which scramble option I choose or if I use TCP or UPD

The openvpn client still connects and remains connected but can't access any webpage or ping any server.

Are others having the same problem?

Stupid me. iptables had just been reset on the server. Everything works again

[nobody00]

Hi all

I'm having difficulty building the openvpn for 32-bit windows. The python build method keeps complaining about the missing c:\\openvpn-build\\tainstall\\7600\\sources. I did a full Windows 7.1 DDK installation on my XP and there isn't a subdirectory under 7600 that is named sources. There is a src subdirectory. If I rename src to sources and start the build_all.py, it would error out with Permission denied: c:\\openvpn-build\\tapinstall\\7600\\sources. I would like to receive some help in building this version to hide from the Chinese censors.

Also, the latest 2.3.2 doesn't have the win directory. I'm building the 2.2.2 that does. I follow this article in the build: https://community.openvpn.net/openvpn/w ... gOnWindows.

If someone has already built an 32-bit Windows installer with this patch, I would like to receive it if it's not too much trouble.

Please help.

[nobody00]

Hi, looking at this fragment of code, I'm wondering if the second for loop starts b on a wrong address. b = BPTR(buf) + len looks to be one position past the end of the buffer. I could be badly wrong as my C knowledge is very limited.

int buffer_reverse (struct buffer *buf) {
+ int i;
+ int len=BLEN(buf);
+ uint8_t *b;
+ unsigned char cpy[len];
+ for (i = 0, b = BPTR (buf); i < len; i++, b++) {
+ cpy=*b ;
+ }
+ for (i = 0, b = BPTR (buf)+len; i < len; i++, b--) {
+ *b=cpy ;
+ }
+ return BLEN (buf);
+}

[haggismn]

Hi all

I'm having difficulty building the openvpn for 32-bit windows. The python build method keeps complaining about the missing c:\\openvpn-build\\tainstall\\7600\\sources. I did a full Windows 7.1 DDK installation on my XP and there isn't a subdirectory under 7600 that is named sources. There is a src subdirectory. If I rename src to sources and start the build_all.py, it would error out with Permission denied: c:\\openvpn-build\\tapinstall\\7600\\sources. I would like to receive some help in building this version to hide from the Chinese censors.

Also, the latest 2.3.2 doesn't have the win directory. I'm building the 2.2.2 that does. I follow this article in the build: https://community.openvpn.net/openvpn/w ... gOnWindows.

If someone has already built an 32-bit Windows installer with this patch, I would like to receive it if it's not too much trouble.

Please help.

Hi nobody,

PM me your email and ill send you the working exe file. Also the beffer_reverse function works fine.

[nobody00]

Hi, I don't seem to be able to PM you. I sent two but both were stuck in Outbox.

Here is my email address terryhwt@gmail.com. Thanks.

[bpmee31]

Thanks very much for this patch!

I applied it and have installed it on a server. I can stop and restart it successfully. I can also connect normally without specifying a xor method.

What is the syntax for "scramble reverse" option for the client file and server file? Each time I try to connect, OpenVPN reports "scramble is unknown". If I comment out "scramble reverse" I can connect, but is my connection still using scramble reverse if the server config file has it listed? Here is my client file:

CLIENT

remote x.x.x.x 443
scramble reverse
dev tun
comp-lzo
ca ca.crt
cert user.crt
key user.key
auth-user-pass
auth-retry interact
ns-cert-type server
script-security 3
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 10.10.10.1
verb 6

In my server file I have:

port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
dh dh2048.pem
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login
ifconfig-pool-persist ipp.txt
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
verb 6
mute 10
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1 bypass-dhcp"
ping-timer-rem
status xxx.log
daemon
scramble reverse


Thanks in advance for your help!

[taiwanmobileservices]

Hi! Haggismn,

Have sent you PM but not sure able to reach you.

Could you please send me the said patch with instructions/documents to me at birdman_hsu@icould.com?

Thanks/Br,

Birdman

[john56477]

Here are instructions to install patched openvpn server on Raspberry PI,

http://scramblevpn.wordpress.com/2013/0 ... -blocking/

Could be improved, missing
e.g. install as service, package as deb,
detailed instructions to cross compile to windows

[haggismn]

Sorry for the delay. Here is the patched openvpn.exe. Simply replace the openvpn.exe file in the openvpn\bin directory of OpenVPN version 2.2.2

I will take some time to apply this patch to the latest version of OpenVPN

Again, apologies for the delay.
Cheers

[rainbow6]

Hello haggism,
I've successfully build windows and linux with no issues using the latest 2.3.2 source and its working correctly but I'm having issues in running OSX version. Do you have a working osx version that I can test?

Thanks