tls-crypt and DPI bypass?

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
User avatar
TinCanTech
Forum Team
Posts: 9211
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Fri Aug 28, 2020 11:56 am

Replay warning are not something to worry about. They are just a part of life with UDP.

If your connection fails then you have something to worry about ..

godaddy
OpenVpn Newbie
Posts: 11
Joined: Mon Dec 04, 2017 5:57 pm

Re: tls-crypt and DPI bypass?

Post by godaddy » Wed Oct 21, 2020 7:48 am

Anyone here able to get this to work on iOS in the Emirates? I mean the OpenVPN App.

kelleci
OpenVpn Newbie
Posts: 8
Joined: Sun Nov 22, 2015 7:00 pm

Re: tls-crypt and DPI bypass?

Post by kelleci » Sat Apr 24, 2021 8:34 pm

Sorry for very late response.I have never checked this topic bu here it is:

Client config:

Code: Select all

client
dev tun
proto udp
remote YOUR SERVER IP 443
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
CA CERT INPUT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
USER CERT INPUT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
USER KEY INPUT
-----END PRIVATE KEY-----
</key>
remote-cert-tls server
cipher AES-256-GCM
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
TLSCRYPT INPUT
-----END OpenVPN Static key V1-----
</tls-crypt>
verb 3
scramble obfuscate YOUR XOR SECRET CODE
Server Config:

Code: Select all

port 443
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server/SERVERIP.crt
key /etc/openvpn/server/SERVERIP.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
#push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-GCM
tls-crypt /etc/openvpn/tls-crypt.key
persist-key
persist-tun
status openvpn-status.log
verb 3
scramble obfuscate YOUR XOR SECRET CODE
#comp-lzo stub
You can use below tutorial to config both server and client side:
https://shenzhensuzy.wordpress.com/2019 ... xor-patch/

Of course you have to compile xorpatched version for server.For client side windows, mac and android are fine for xor.No clients for ios yet.

User avatar
TinCanTech
Forum Team
Posts: 9211
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt and DPI bypass?

Post by TinCanTech » Sat Apr 24, 2021 11:31 pm

@ kelleci -- Very nice article, thanks for your work 8-)

Otherwise, If the XOR patch does not work for you then you could also try Easy-TLS

Easy-TLS offers infinite client TLS-Crypt-V2 keys and some other tricks as well ;)

Post Reply