tls-crypt and DPI bypass?
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 11
- Joined: Mon Dec 04, 2017 5:57 pm
tls-crypt and DPI bypass?
I live in a highly censored regime. I've heard TLS-Crypt can bypass the DPI on the ISP side. Is it true? I just set up openvpnas and the config contains tls-auth, not tls-crypt.
Is it possible to enable this? Any other points that might help?
I've been looking at obfsproxy and the xor patch - are they the only real solution here?
-
- OpenVpn Newbie
- Posts: 8
- Joined: Sun Nov 22, 2015 7:00 pm
Re: tls-crypt and DPI bypass?
Hi,
I have widely tested in a country such as yours (around 5 years) SS, v2ray, obfs3, stunnel, wireguard and xor. I highly recommend the xor patch or tls-crypt. All other protocols were eventually blocked in my case.
You have to manually install OpenVPN with tls-crypt or the xor patch and compile. I am not sure, but I think OpenVPN-AS does not support the tls-crypt option. I have never used it since I am familiar with Linux.
Since the xor patch is not supported by many clients on both iOS and Android, I recommend tls-crypt if you will use this profile on multiple platforms.
Please don't use tls-auth; in my case the server IP was banned in the blink of an eye. Also, if you used OpenVPN-AS once and tried to connect, your server IP might already be blocked; please check (ping it with a bare internet connection) and buy a new VPS if necessary.
If you are interested I can share both my server and client configs, which are working just fine for me with both xor and tls-crypt.
-
- OpenVPN Power User
- Posts: 72
- Joined: Wed Jul 22, 2020 7:46 pm
Re: tls-crypt and DPI bypass?
@kelleci Would you please share your configs with me? Did you XOR patch only the server or also the client? Thank you
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt and DPI bypass?
@houmie75, if you would like to test out TLS-Crypt-V2 see:
https://github.com/TinCanTech/easy-tls
-
- OpenVPN Power User
- Posts: 72
- Joined: Wed Jul 22, 2020 7:46 pm
Re: tls-crypt and DPI bypass?
TinCanTech wrote: ↑Thu Aug 20, 2020 7:54 pm
@houmie75, if you would like to test out TLS-Crypt-V2 see:
https://github.com/TinCanTech/easy-tls
Thank you. Would you mind explaining what benefit this is adding compared to the version that comes with OpenVPN?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt and DPI bypass?
The version of what which comes with openvpn exactly ?
-
- OpenVPN Power User
- Posts: 72
- Joined: Wed Jul 22, 2020 7:46 pm
Re: tls-crypt and DPI bypass?
I was looking for a way to obfuscate the VPN connection. The user Kelleci mentioned that he had established working configs for XOR or for tls-crypt that could hide the footprint. I was curious what these configs looked like. I'm using tls-crypt, but the DPI in the Emirates can still see through it and block it.
Especially when he said:
Since the xor patch is not supported by many clients on both iOS and Android, I recommend tls-crypt if you will use this profile on multiple platforms.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt and DPI bypass?
If you want to try out TLS Crypt V2 then there are some advantages.
As for XOR, it is required on both client and server and you have to patch/build openvpn yourself.
XOR is also completely ineffective.
Keep in mind, who ever owns the network makes the rules.
-
- OpenVPN Power User
- Posts: 72
- Joined: Wed Jul 22, 2020 7:46 pm
Re: tls-crypt and DPI bypass?
Thank you. I have been reading up on your repo this morning. Is there a step by step tutorial by any chance?
This is what I have done so far.
1) I have a prepared OpenVPN server already installed via the Angristan script.
2) sudo cp ~/easy-tls/easytls /etc/openvpn/easy-rsa/
Now it gets confusing. Do I follow the steps here: https://github.com/OpenVPN/openvpn/blob ... ypt-v2.txt
or do I run this
Code:
./easytls --tls-crypt-v2-genkey server
It's not clear.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt and DPI bypass?
Simple steps:
Download https://github.com/TinCanTech/easy-tls/ ... er/easytls
Save it into the same directory where you have easyrsa
Then run:
Code:
./easytls
# Read the instructions
./easytls init-tls
# Read the output
./easytls help build-tls-crypt-v2-server
# Read the instructions
./easytls build-tls-crypt-v2-server server-name
# Read the output
./easytls help build-tls-crypt-v2-client
# Read the instructions
./easytls build-tls-crypt-v2-client server-name client-name
# Read the output
That will create TLS-Crypt-V2 keys.
Now you can try:
Code:
./easytls inline-tls-crypt-v2 server-name
./easytls inline-tls-crypt-v2 client-name
ls -l pki/easytls
Thanks for the star btw
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt and DPI bypass?
I just realised, you will also need OpenVPN 2.5:
https://openvpn.net/community-downloads/
You need that on both server and client.
-
- OpenVPN Power User
- Posts: 72
- Joined: Wed Jul 22, 2020 7:46 pm
Re: tls-crypt and DPI bypass?
You're welcome.
Thank you so much for the excellent step by step commands.
Yeah, when I ran this it complains about the version:
Code:
# ./easytls build-tls-crypt-v2-server server2
Easy-TLS version: 1.27
Easy-TLS error:
Unsupported OpenVPN version 2.4
Ah, you mean I need the beta version 2.5?
Code:
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
So I have to compile it.
No problem, let's see what I can do. I have to create my own script out of the Angristan script...
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt and DPI bypass?
Use git-master, it is easy to do.
https://github.com/OpenVPN/openvpn
Or use the OpenVPN repos here:
https://community.openvpn.net/openvpn/w ... twareRepos
-
- OpenVPN Power User
- Posts: 72
- Joined: Wed Jul 22, 2020 7:46 pm
Re: tls-crypt and DPI bypass?
Brilliant idea. With the repo I was able to add it first and then run the Angristan script, which ended up with the latest OpenVPN 2.5 being installed.
I also managed to run your easy-tls; it is really easy once I followed your instructions. I recommend adding that to the main README on your GitHub.
Now comes the best news. Not only does it work, it also works in the Emirates. So I'd like to understand this better. How come their DPI was able to see through OpenVPN 2.4.7 and tls-crypt but not OpenVPN 2.5 and tls-crypt-v2?
Is this only a matter of time until they catch up?
Thank you so much for your help
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt and DPI bypass?
Thanks for testing -- I keep adding to the documentation slowly but surely.
I don't know how they scan the packets, but I do know that --tls-auth and --tls-crypt are public keys.
--tls-crypt-v2 has completely private and unique keys.
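To make the key-handling difference concrete, here is an added Go model of the tls-crypt-v2 wrapping step. It is my own illustration, not OpenVPN's code, and not byte-compatible with its key files; it follows the construction sketched in OpenVPN's doc/tls-crypt-v2.txt, where the server-only secret Ks = Ke || Ka wraps each client's fresh key Kc as WKc = T || AES-256-CTR(Ke, IV = T[:16], Kc || metadata) || len, with T an HMAC-SHA256 tag over len || Kc || metadata. A client profile carries only its own Kc and WKc, so it holds nothing that is valid for another client or another server; with tls-auth or tls-crypt the single static key in every profile is the same key the server uses. The key sizes, the metadata string and the client names are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	clientKeyLen = 256           // Kc: 2048 bits, the size of a tls-crypt key
	tagLen       = sha256.Size   // T: 32 bytes
	ivLen        = aes.BlockSize // CTR IV is the first 16 bytes of T
)

// ServerKey is Ks = Ke || Ka. Only the server holds it; it never goes into a profile.
type ServerKey struct {
	Ke [32]byte // AES-256 key that encrypts client keys
	Ka [32]byte // HMAC-SHA256 key that authenticates them
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func NewServerKey() *ServerKey {
	ks := &ServerKey{}
	copy(ks.Ke[:], randBytes(32))
	copy(ks.Ka[:], randBytes(32))
	return ks
}

// NewClientKey draws a fresh, unique Kc for one client profile.
func NewClientKey() []byte { return randBytes(clientKeyLen) }

// tag computes T = HMAC-SHA256(Ka, len || Kc || metadata).
func (ks *ServerKey) tag(lenField, body []byte) []byte {
	m := hmac.New(sha256.New, ks.Ka[:])
	m.Write(lenField)
	m.Write(body)
	return m.Sum(nil)
}

func (ks *ServerKey) ctr(iv []byte) cipher.Stream {
	block, _ := aes.NewCipher(ks.Ke[:]) // 32-byte key: cannot fail
	return cipher.NewCTR(block, iv)
}

// Wrap builds WKc = T || AES-256-CTR(Ke, T[:16], Kc || metadata) || len,
// the server-only step that produces the wrapped half of a client key file.
func (ks *ServerKey) Wrap(kc, metadata []byte) ([]byte, error) {
	if len(kc) != clientKeyLen {
		return nil, errors.New("client key must be 256 bytes")
	}
	body := append(append([]byte{}, kc...), metadata...)
	lenField := make([]byte, 2)
	binary.BigEndian.PutUint16(lenField, uint16(tagLen+len(body)+2))
	t := ks.tag(lenField, body)
	ct := make([]byte, len(body))
	ks.ctr(t[:ivLen]).XORKeyStream(ct, body)
	return append(append(t, ct...), lenField...), nil
}

// Unwrap recovers Kc and metadata at connection time. Anything not wrapped under
// this Ks, or altered afterwards, fails the tag check over the decrypted body.
func (ks *ServerKey) Unwrap(wkc []byte) (kc, metadata []byte, err error) {
	if len(wkc) < tagLen+clientKeyLen+2 {
		return nil, nil, errors.New("wrapped key too short")
	}
	lenField := wkc[len(wkc)-2:]
	if int(binary.BigEndian.Uint16(lenField)) != len(wkc) {
		return nil, nil, errors.New("length field mismatch")
	}
	t, ct := wkc[:tagLen], wkc[tagLen:len(wkc)-2]
	body := make([]byte, len(ct))
	ks.ctr(t[:ivLen]).XORKeyStream(body, ct)
	if !hmac.Equal(t, ks.tag(lenField, body)) {
		return nil, nil, errors.New("bad tag: not wrapped under this server key")
	}
	return body[:clientKeyLen], body[clientKeyLen:], nil
}

func main() {
	ks := NewServerKey()
	aliceKc := NewClientKey() // assumed client name
	aliceWKc, _ := ks.Wrap(aliceKc, []byte("alice"))
	kc, md, err := ks.Unwrap(aliceWKc)
	fmt.Println("server unwraps alice:", err == nil && bytes.Equal(kc, aliceKc), string(md))
	// A profile issued by an old VPS is useless against a server with a new Ks.
	_, _, err = NewServerKey().Unwrap(aliceWKc)
	fmt.Println("new server rejects old profile:", err)
}
```

In OpenVPN 2.5 both sides use the --tls-crypt-v2 directive: the server points it at its Ks file and each client at its own Kc || WKc file, which is what the easytls inline-tls-crypt-v2 step in this thread embeds into the profiles.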
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: tls-crypt and DPI bypass?
Is this only a matter of time until they catch up?
Yes, once they find out what it is and have developed a DPI signature.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt and DPI bypass?
Which may be more difficult than it sounds.
TinCanTech wrote: ↑Thu Aug 20, 2020 10:29 pm
Keep in mind, whoever owns the network makes the rules
DPI is only one of those rules.
-
- OpenVPN Power User
- Posts: 72
- Joined: Wed Jul 22, 2020 7:46 pm
Re: tls-crypt and DPI bypass?
That's amazing. Let's cross our fingers that it remains undetected.
I have another question:
The client cert usually begins with
Code:
<cert>
Certificate:
Data:
Version: 3 (0x2)
....
-----BEGIN CERTIFICATE-----
MIIB2jCCAYCgAwIBAgIQfs1OXv6p7CzWqVUUX49rVDAKBggqhkjOPQQDAjAeMRww
-----END CERTIFICATE-----
</cert>
But the Angristan script skips everything above BEGIN CERTIFICATE. Is it recommended to keep it for the client or doesn't it matter?
Thanks,
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVPN Power User
- Posts: 72
- Joined: Wed Jul 22, 2020 7:46 pm
Re: tls-crypt and DPI bypass?
Good morning TinCanTech,
I'm now seeing a new error shown for tls-crypt unwrap error.
Code:
tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1598593169) 2020-08-28 05:39:29 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Not quite sure why I should change replay-window.
--no-replay
DEPRECATED This option will be removed in OpenVPN 2.5. (Advanced) Disable OpenVPN's protection against replay attacks. Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security.
I have OpenVPN 2.5, hence the first one should be deprecated.
Any idea what this could be?
Many Thanks
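The warning quoted above comes from OpenVPN's packet-ID anti-replay check, which the tls-crypt wrapper applies to the control-channel packets it protects: every packet carries a packet ID, the receiver remembers the highest ID accepted and a sliding window (--replay-window, default 64 IDs plus a time component) of IDs behind it, and an ID that was already accepted or has fallen behind the window is rejected and logged as "bad packet ID (may be a replay)". Here is an added Go model of that sliding-window check; it is my own illustration, not OpenVPN's packet_id.c, it leaves out the time-based backtrack part, and the packet ID sequence in main is constructed for the demonstration.

```go
package main

import "fmt"

// ReplayWindow tracks which packet IDs behind the highest one seen have already
// been accepted, one bit per ID, the way a sliding anti-replay window does.
type ReplayWindow struct {
	size    uint32 // IDs tracked behind highest, at most 64 (OpenVPN default: 64)
	highest uint32 // largest packet ID accepted so far (0 = nothing seen yet)
	bitmap  uint64 // bit i set => ID (highest - i) has been accepted
}

type Verdict string

const (
	Accept  Verdict = "accept"
	Replay  Verdict = "replay"  // ID already accepted: the quoted warning
	TooOld  Verdict = "too-old" // ID fell behind the window: also rejected
	Invalid Verdict = "invalid" // ID 0 is never valid; sequences start at 1
)

func NewReplayWindow(size uint32) *ReplayWindow {
	if size == 0 || size > 64 {
		size = 64
	}
	return &ReplayWindow{size: size}
}

// Check decides whether a packet with this ID may be processed, and records it if so.
func (w *ReplayWindow) Check(id uint32) Verdict {
	if id == 0 {
		return Invalid
	}
	if id > w.highest {
		// Newer than anything seen: slide the window forward and mark this ID.
		if diff := id - w.highest; diff >= 64 {
			w.bitmap = 0
		} else {
			w.bitmap <<= diff
		}
		w.bitmap |= 1
		w.highest = id
		return Accept
	}
	back := w.highest - id // how far behind the newest accepted ID
	if back >= w.size {
		return TooOld
	}
	bit := uint64(1) << back
	if w.bitmap&bit != 0 {
		return Replay
	}
	w.bitmap |= bit // late but first-time arrival, e.g. UDP reordering
	return Accept
}

// Run feeds a sequence of IDs through one window and returns each verdict.
func Run(size uint32, ids []uint32) []Verdict {
	w := NewReplayWindow(size)
	out := make([]Verdict, len(ids))
	for i, id := range ids {
		out[i] = w.Check(id)
	}
	return out
}

func main() {
	// Constructed sequence: normal traffic, a reordered packet, a duplicate of #1,
	// a jump that leaves #30 outside the 64-ID window, and a duplicate of #99.
	ids := []uint32{1, 2, 3, 5, 4, 1, 100, 30, 99, 99, 0}
	for i, v := range Run(64, ids) {
		fmt.Printf("packet ID %3d -> %s\n", ids[i], v)
	}
}
```

The two rejected cases are the two ways the warning can fire: a duplicate of an ID inside the window, and an ID so far behind the newest one that the window no longer covers it. Widening --replay-window only helps the second case; it does nothing for a genuinely repeated ID.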