Patch: Fix for Iran and China users

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

bashywash
OpenVpn Newbie
Posts: 3
Joined: Thu Dec 19, 2013 2:26 am

Re: Patch: Fix for Iran and China users

Post by bashywash » Tue Dec 31, 2013 3:54 am

rainbow6 wrote:Hello haggism,
I've successfully built windows and linux with no issues using the latest 2.3.2 source and it's working correctly, but I'm having issues running the OSX version. Do you have a working osx version that I can test?

Thanks
I'm having issues building this with 2.3.2; any chance someone can host a patched 2.3.2 windows version please? Thank you.

lolex
OpenVPN Power User
Posts: 52
Joined: Sun Jun 05, 2011 7:50 pm

Re: Patch: Fix for Iran and China users

Post by lolex » Fri Jan 03, 2014 12:10 pm

rainbow6 wrote:Hello haggism,
I've successfully built windows and linux with no issues using the latest 2.3.2 source and it's working correctly, but I'm having issues running the OSX version. Do you have a working osx version that I can test?

Thanks
Could you please share it?

rainbow6
OpenVPN Power User
Posts: 54
Joined: Mon Aug 29, 2011 1:01 pm

Re: Patch: Fix for Iran and China users

Post by rainbow6 » Tue Jan 07, 2014 10:56 am

I have successfully integrated this version into osx, windows, asuswrt-merlin for asus routers as well as dd-wrt based routers. Work is ongoing to build this into tomato-based firmware routers too.

However, this patch may no longer work on the latest development build as there are massive changes to the code. You will probably be stuck on version 2.3.2 for quite a while.

I'm running one of the top commercial personal vpn services and do not want to publish my company here for commercial purposes.

Please pm me if you or anyone else needs the download link for any of those binaries.

titanium
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 26, 2014 3:46 pm

Re: Patch: Fix for Iran and China users

Post by titanium » Sun Jan 26, 2014 4:01 pm

Hi, I come from China.
I built an openvpn server following this post http://scramblevpn.wordpress.com/2013/0 ... -blocking/
and replaced the openvpn.exe on the windows side.
But connecting to the server is also too difficult.
Here are my configs.
-------------------------------------------------------------------------------
server config
port 2101
proto udp
dev tun
#cipher AES-256-CBC
scramble obfuscate test
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt

server 10.16.254.0 255.255.255.0

push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client
duplicate-cn
keepalive 10 60

comp-lzo
max-clients 50

persist-key
persist-tun

status openvpn-status.log
log-append openvpn.log

verb 3
mute 20
------------------------------------------------------------
client config
client
dev tun
proto udp
remote abc.com 2101
resolv-retry infinite
#cipher AES-256-CBC
scramble obfuscate test
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server
redirect-gateway
#route-nopull
script-security 3 system
keepalive 10 60
comp-lzo
verb 3
mute 20
route-method exe
route-delay 2
--------------------------------------------------------------------
log file
Sun Jan 26 23:48:14 2014 OpenVPN 2.2.2 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jan 29 2013
Sun Jan 26 23:48:14 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan 26 23:48:14 2014 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Sun Jan 26 23:48:14 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Jan 26 23:48:14 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 26 23:48:14 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 26 23:48:14 2014 LZO compression initialized
Sun Jan 26 23:48:14 2014 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sun Jan 26 23:48:14 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 26 23:48:14 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Jan 26 23:48:14 2014 Local Options hash (VER=V4): '504e774e'
Sun Jan 26 23:48:14 2014 Expected Remote Options hash (VER=V4): '14168603'
Sun Jan 26 23:48:14 2014 UDPv4 link local: [undef]
Sun Jan 26 23:48:14 2014 UDPv4 link remote: 1.1.1.1:2061
Sun Jan 26 23:48:14 2014 TLS: Initial packet from 1.1.1.1:2061, sid=f5e913d4 2fc2c7f0
Sun Jan 26 23:48:16 2014 VERIFY OK: depth=1, /C=US/ST=NY/L=NEWYORK/O=abc.com/OU=abc.com/CN=abc.com/name=abc/emailAddress=admin@abc.com
Sun Jan 26 23:48:16 2014 VERIFY OK: nsCertType=SERVER
Sun Jan 26 23:48:16 2014 VERIFY OK: depth=0, /C=US/ST=NY/L=NEWYORK/O=abc.com/OU=abc.com/CN=abc.com/name=abc/emailAddress=admin@abc.com
Sun Jan 26 23:49:14 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 26 23:49:14 2014 TLS Error: TLS handshake failed
Sun Jan 26 23:49:14 2014 TCP/UDP: Closing socket
Sun Jan 26 23:49:14 2014 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 26 23:49:14 2014 Restart pause, 2 second(s)
Sun Jan 26 23:49:16 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan 26 23:49:16 2014 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Sun Jan 26 23:49:16 2014 Re-using SSL/TLS context
Sun Jan 26 23:49:16 2014 LZO compression initialized
Sun Jan 26 23:49:16 2014 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sun Jan 26 23:49:16 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 26 23:49:16 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Jan 26 23:49:16 2014 Local Options hash (VER=V4): '504e774e'
Sun Jan 26 23:49:16 2014 Expected Remote Options hash (VER=V4): '14168603'
Sun Jan 26 23:49:16 2014 UDPv4 link local: [undef]
Sun Jan 26 23:49:16 2014 UDPv4 link remote: 1.1.1.1:2081
Sun Jan 26 23:49:16 2014 TLS: Initial packet from 1.1.1.1:2081, sid=414962ad 8b8c6e1d
Sun Jan 26 23:49:50 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib
Sun Jan 26 23:49:50 2014 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 26 23:49:50 2014 TLS Error: TLS handshake failed
Sun Jan 26 23:49:50 2014 TCP/UDP: Closing socket
Sun Jan 26 23:49:50 2014 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 26 23:49:50 2014 Restart pause, 2 second(s)
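The server and client configs posted above carry a few settings a reviewer would flag regardless of the obfuscation question: the `cipher` line is commented out on both sides (so the 2.2/2.3 default BF-CBC applies), `dh1024.pem` is 1024-bit DH, `script-security 3 system` is the deprecated shell-expanding method the log itself warns about, `duplicate-cn` lets clients share one certificate, and the `scramble` password is a shared secret set to `test`. The following is an added example, not code from the thread or from the OpenVPN project: a small config linter whose check list, messages and function names are my own, run over constructed excerpts of the two posted configs.

```python
"""Flag risky settings in an OpenVPN 2.2/2.3 style config.

Added example, not from the forum thread or the OpenVPN project: the
checks, messages and function names are my own.  SERVER_CONF and
CLIENT_CONF are constructed excerpts of the configs posted above.
"""
import re

SERVER_CONF = """\
port 2101
proto udp
dev tun
#cipher AES-256-CBC
scramble obfuscate test
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
duplicate-cn
comp-lzo
verb 3
"""

CLIENT_CONF = """\
client
remote abc.com 2101
#cipher AES-256-CBC
scramble obfuscate test
ns-cert-type server
script-security 3 system
comp-lzo
"""


def parse(conf):
    """Return (directive, args) pairs for the active lines.  Lines starting
    with '#' or ';' are comments, so a commented-out 'cipher' line does not
    count as the cipher being set."""
    entries = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint(conf):
    """Return a list of (directive, finding) tuples; empty means no findings."""
    entries = parse(conf)
    findings = []
    for directive, args in entries:
        if directive == "dh" and args:
            # dh1024.pem -> 1024; anything below 2048 bits is a finding
            m = re.search(r"dh(\d+)", args[0])
            if m and int(m.group(1)) < 2048:
                findings.append((directive,
                                 f"{m.group(1)}-bit DH parameters; generate 2048-bit or larger"))
        elif directive == "script-security" and args[:2] == ["3", "system"]:
            findings.append((directive,
                             "method 'system' is deprecated: script arguments are "
                             "shell-expanded; drop 'system' to use the execve default"))
        elif directive == "scramble" and len(args) >= 2 and len(args[-1]) < 12:
            # the scramble password is a shared secret on both ends
            findings.append((directive,
                             f"'{args[-1]}' is a short shared secret; use a long random string"))
        elif directive == "duplicate-cn":
            findings.append((directive,
                             "clients share one certificate, so a single device "
                             "cannot be revoked or audited on its own"))
    if not any(d == "cipher" for d, _ in entries):
        findings.append(("cipher",
                         "no cipher set, so the 2.2/2.3 default BF-CBC (64-bit block) "
                         "is used; set the same AES cipher on server and client"))
    return findings


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for directive, msg in lint(conf):
            print(f"{name}: {directive}: {msg}")
```

The parser deliberately ignores comment lines so that `#cipher AES-256-CBC` is reported as "no cipher set" rather than silently accepted; the same mistake, an option commented out on one side and "fixed" on the other, is a common cause of the Options hash mismatch OpenVPN logs at connect time.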

titanium
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 26, 2014 3:46 pm

Re: Patch: Fix for Iran and China users

Post by titanium » Mon Jan 27, 2014 1:10 am

titanium wrote: [previous post quoted in full]
Strange! Today it works again.

rainbow6
OpenVPN Power User
Posts: 54
Joined: Mon Aug 29, 2011 1:01 pm

Re: Patch: Fix for Iran and China users

Post by rainbow6 » Mon Jan 27, 2014 1:23 am

You should know that the Chinese Firewall works at random. You may get a connection now and lose the connection again 3 hours later. No matter which obfuscation you use, once it detects you are running on a different port or an unknown protocol, it will block you temporarily.
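The log titanium posted shows two different failure modes in a row: the first attempt verifies the server certificate and then sits for 60 seconds with no further progress (a timeout, nothing came back), while the second attempt receives bytes that do not parse as a certificate at all (an ASN.1 "wrong tag" error, a reply that was altered or corrupted on the way). Telling those apart across many restart cycles is what lets you distinguish the intermittent blocking rainbow6 describes from a plain connectivity or MTU problem. The following is an added example, not from the thread: a small log classifier whose categories and function names are my own, run over a constructed sample modelled on the posted log lines.

```python
"""Classify OpenVPN client handshake attempts from a verb 3 log.

Added example, not code from the thread or from OpenVPN.  The outcome
categories ('timeout', 'corrupt_cert', 'other_tls', 'ok') and the
function names are my own.  SAMPLE_LOG is a constructed sample modelled
on the lines posted above.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Sun Jan 26 23:48:14 2014 UDPv4 link remote: 1.1.1.1:2061
Sun Jan 26 23:48:14 2014 TLS: Initial packet from 1.1.1.1:2061, sid=f5e913d4 2fc2c7f0
Sun Jan 26 23:48:16 2014 VERIFY OK: depth=0, /C=US/CN=abc.com
Sun Jan 26 23:49:14 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 26 23:49:14 2014 TLS Error: TLS handshake failed
Sun Jan 26 23:49:14 2014 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 26 23:49:16 2014 UDPv4 link remote: 1.1.1.1:2081
Sun Jan 26 23:49:16 2014 TLS: Initial packet from 1.1.1.1:2081, sid=414962ad 8b8c6e1d
Sun Jan 26 23:49:50 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag: error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib
Sun Jan 26 23:49:50 2014 TLS Error: TLS handshake failed
Sun Jan 26 23:49:50 2014 SIGUSR1[soft,tls-error] received, process restarting
"""

# "Sun Jan 26 23:48:14 2014 <message>"; the day may be padded with a space
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")


def classify(message):
    """Map one log message to a failure category, or None if it is not a failure."""
    if "failed to occur within" in message:
        return "timeout"            # nothing usable came back before the deadline
    if "asn1 encoding routines" in message or "SSL3_GET_SERVER_CERTIFICATE" in message:
        return "corrupt_cert"       # a reply arrived but did not parse as a certificate
    if "TLS Error:" in message or "TLS_ERROR" in message:
        return "other_tls"
    return None


def analyze(text):
    """Return one dict per handshake attempt, in log order."""
    attempts = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if msg.startswith("TLS: Initial packet from"):
            remote = msg.split("from ", 1)[1].split(",")[0]
            current = {"remote": remote, "start": ts, "outcome": "ok",
                       "seconds": None, "verified_ok": False}
            attempts.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("VERIFY OK"):
            current["verified_ok"] = True
        cause = classify(msg)
        if cause and current["outcome"] == "ok":
            current["outcome"] = cause          # keep the first, most specific cause
        if msg == "TLS Error: TLS handshake failed":
            current["seconds"] = int((ts - current["start"]).total_seconds())
            current = None
    return attempts


def summarize(attempts):
    """Count attempts per outcome, e.g. {'timeout': 1, 'corrupt_cert': 1}."""
    counts = {}
    for a in attempts:
        counts[a["outcome"]] = counts.get(a["outcome"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["remote"], a["outcome"], a["seconds"], "cert verified:", a["verified_ok"])
    print(summarize(analyze(SAMPLE_LOG)))
```

Run over a day of `openvpn.log`, a run of `timeout` outcomes with `verified_ok` set means packets stopped arriving mid-handshake, whereas `corrupt_cert` means something answered with bytes that are not a certificate; a steady mix of both, clustered in time, is the pattern to look for before concluding the server or the config is at fault.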

niels
OpenVpn Newbie
Posts: 11
Joined: Tue Feb 21, 2012 7:50 am

Re: Patch: Fix for Iran and China users

Post by niels » Mon Jan 27, 2014 5:06 am

Nonsense. Properly obfuscated connections run for weeks on end. If you're being blocked every 3 hours you're either doing something wrong or encountering a different problem.

rainbow6
OpenVPN Power User
Posts: 54
Joined: Mon Aug 29, 2011 1:01 pm

Re: Patch: Fix for Iran and China users

Post by rainbow6 » Mon Jan 27, 2014 2:20 pm

That was the feedback we got from users in China: sometimes the same obfs can last for days, sometimes just for a few hours, and sometimes non-obfs still works fine.
Good for you if you are not blocked.

george5p1
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 29, 2014 12:00 pm

Re: Patch: Fix for Iran and China users

Post by george5p1 » Thu Jan 30, 2014 8:00 am

this worked great for me on windows.

can someone please help me apply this patch on the Mac OSX client?

rainbow6
OpenVPN Power User
Posts: 54
Joined: Mon Aug 29, 2011 1:01 pm

Re: Patch: Fix for Iran and China users

Post by rainbow6 » Thu Jan 30, 2014 12:45 pm

george5p1 wrote:this worked great for me on windows.

can someone please help me apply this patch on the Mac OSX client?
Just compiled it in osx to replace whatever you are using in osx.

george5p1
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 29, 2014 12:00 pm

Re: Patch: Fix for Iran and China users

Post by george5p1 » Sun Feb 02, 2014 8:34 am

thanks, are there any instructions for compiling openvpn in osx? I'm new to this and just following tutorials in order to learn...

rainbow6
OpenVPN Power User
Posts: 54
Joined: Mon Aug 29, 2011 1:01 pm

Re: Patch: Fix for Iran and China users

Post by rainbow6 » Sun Feb 02, 2014 10:06 am

there's no exact tutorial for openvpn but you can do the following:

1. Install the OSX developer command line tools; be careful to check the version that you need, as SL, Lion, ML and Mavericks need different libraries
2. Install MacPorts and read some guides while you're there
3. then download the openvpn source

If you are not familiar with linux/bsd command line, you may find this super complicated.

cstrife
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 23, 2014 3:19 pm

Re: Patch: Fix for Iran and China users

Post by cstrife » Mon Feb 24, 2014 3:06 am

Anyone have any ideas on how to get the patch into an Android client? Are there instructions on building openvpn for android (I see for ics-openvpn, but prob. not the same thing?) ?

I have yet to find a way to get onto fb/youtube on my phone in China. SSH tunnels don't work because of DNS poisoning. Standard openvpn is blocked. Ideas?

Thanks

rainbow6
OpenVPN Power User
Posts: 54
Joined: Mon Aug 29, 2011 1:01 pm

Re: Patch: Fix for Iran and China users

Post by rainbow6 » Mon Feb 24, 2014 6:16 am

You can get the patched version from our website, www.ke-yi.net, which is still in beta mode. Openvpn-ics is still working out some issues with kit-kat. It should however work with JB and earlier.

john56477
OpenVPN User
Posts: 27
Joined: Tue Nov 06, 2012 12:02 am

Re: Patch: Fix for Iran and China users

Post by john56477 » Thu Feb 27, 2014 4:29 pm

cstrife wrote: I have yet to find a way to get onto fb/youtube on my phone in China. SSH tunnels don't work because of DNS poisoning. Standard openvpn is blocked. Ideas?

Thanks
When you use an SSH tunnel, you must set the browser to use the socks proxy's DNS.
I used firefox on android and an SSH tunnel from China.

In firefox browser address bar type
about:config

Then change
network.proxy.socks_remote_dns = true
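The reason that one Firefox preference matters for cstrife's DNS-poisoning problem is visible in the SOCKS5 request itself: with remote DNS the browser puts the hostname inside the CONNECT request (address type 0x03) and the SSH end resolves it, whereas without it the browser asks the local resolver first, and that plaintext lookup leaves the machine before the tunnel is ever used, so a poisoned answer is what gets connected to. The following is an added example, not from the thread: it builds both forms of the RFC 1928 CONNECT request with an injectable resolver so the local lookup can be observed; the function names, the constructed target `www.example.com` and the resolver stand-in `203.0.113.5` are my own.

```python
"""Build a SOCKS5 CONNECT request (RFC 1928 section 4) with or without
remote DNS, to show where a local DNS lookup leaks.

Added example, not code from the thread, from Firefox or from any SSH
client.  Function names are my own; the resolver argument exists so the
local-lookup path can be exercised offline.
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3


def build_connect_request(host, port, remote_dns, resolver=socket.gethostbyname):
    """Return the CONNECT request bytes for host:port.

    remote_dns=True  -> hostname travels inside the tunnel (ATYP 0x03);
                        the proxy end resolves it.
    remote_dns=False -> resolver(host) is called here, on the client, before
                        anything enters the tunnel; with the real resolver
                        that is a plaintext DNS query the local network sees.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolver(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def describe_request(req):
    """Parse a CONNECT request back into (address type, target, port)."""
    if req[:3] != bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]):
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        target = req[5:5 + n].decode("idna")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
        return "domain", target, port
    if atyp == ATYP_IPV4:
        return "ipv4", socket.inet_ntoa(req[4:8]), struct.unpack("!H", req[8:10])[0]
    raise ValueError("unsupported address type")


if __name__ == "__main__":
    # Constructed resolver stand-in: records what would have been looked up
    # locally and returns a documentation-range address instead of using DNS.
    seen = []
    fake = lambda h: seen.append(h) or "203.0.113.5"
    print(describe_request(build_connect_request("www.example.com", 443, True)))
    print(describe_request(build_connect_request("www.example.com", 443, False, fake)))
    print("looked up locally:", seen)
```

In Firefox, `network.proxy.socks_remote_dns = true` is the switch between the two paths; the same check applies to any other SOCKS client, since a client that resolves locally has already lost before the CONNECT is sent.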

silentmonk
OpenVpn Newbie
Posts: 2
Joined: Sat Apr 12, 2014 2:38 am

Re: Patch: Fix for Iran and China users

Post by silentmonk » Sat Apr 12, 2014 3:25 am

I've been using this patch since last year and it's been an absolute godsend for me. Thank you so much haggismm. I dropped by to write this because I thought I should give something back. I just finished compiling this for Openwrt 12.09 attitude adjustment and can confirm it's working for me.

Installation is as follows...
1. copy to /tmp in the router via scp or off a usb drive, etc, etc (windows users try winscp if you have ssh enabled on your router)

... from ssh (although telnet will work too)
2. type "opkg update" to get new package lists

3. install the dependencies required "opkg install kmod-tun liblzo libopenssl"

4. remove the opkg package lists (they have md5 checksums for packages in the repository and will block install of this package if you try) "rm /tmp/opkg-lists/attitude_adjustment"

5. install the modified package "opkg install /tmp/openvpn-devel-openssl*"

6. enjoy... I haven't tested with the luci web interface yet, I just used screen myself.

I've included the patched source for review/self builds and the pre-compiled ar71xx package i'm using. Both links are the same, just different archive types.
https://www.dropbox.com/s/puq59s6vittbo ... penwrt.zip
https://www.dropbox.com/s/t0x7pdxwngryf ... wrt.tar.gz

silentmonk
OpenVpn Newbie
Posts: 2
Joined: Sat Apr 12, 2014 2:38 am

Re: Patch: Fix for Iran and China users

Post by silentmonk » Sat Apr 12, 2014 2:35 pm

There seems to be a time limit for being able to edit your posts. Since I can't edit my previous post I will write it here.

I missed a dependency in step 3 that's needed to install the patched openvpn :roll:

'3. install the dependencies required "opkg install ip kmod-tun liblzo libopenssl"'

teseospa
OpenVpn Newbie
Posts: 13
Joined: Tue Apr 12, 2011 9:00 am

Re: Patch: Fix for Iran and China users

Post by teseospa » Wed Apr 30, 2014 9:02 am

Why is the patch not included in the latest official version?

david001
OpenVpn Newbie
Posts: 1
Joined: Sat May 03, 2014 9:25 pm

Re: Patch: Fix for Iran and China users

Post by david001 » Sat May 03, 2014 9:59 pm

cstrife wrote:Anyone have any ideas on how to get the patch into an Android client? Are there instructions on building openvpn for android (I see for ics-openvpn, but prob. not the same thing?) ?

I have yet to find a way to get onto fb/youtube on my phone in China. SSH tunnels don't work because of DNS poisoning. Standard openvpn is blocked. Ideas?

Thanks
rainbow6 wrote:You can get the patched version from our website, http://www.ke-yi.net, which is still in beta mode. Openvpn-ics is still working out some issues with kit-kat. It should however work with JB and earlier.
I'm also trying to find a compatible Android client to work with the scrambled OpenVPN server. I tried going to http://www.ke-yi.net but it just redirects me to a paid vpn service. Can anyone please point me in the right direction on getting scrambled openvpn working on my android phone? Thank you.

wenzhuo
OpenVpn Newbie
Posts: 2
Joined: Thu May 30, 2013 8:59 am

Re: Patch: Fix for Iran and China users

Post by wenzhuo » Tue May 20, 2014 10:09 am

I just discovered that the option "scramble [password]" does not work because xormethod is left at its default value 0 in this case. The openvpn client can connect to the server with or without this option. See https://github.com/clayface/openvpn_xorpatch/issues/1 for details of this issue. So, is gfw not intercepting, or not able to intercept, openvpn connections now?
