TLS handshake failed
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 9
- Joined: Tue Mar 26, 2013 3:50 pm
TLS handshake failed
Hi,
I'm living in a controlled environment and recently my ISP has blocked all VPN connections (PPTP, L2TP, SSTP and OpenVPN).
I have found out that it is possible to distinguish OpenVPN from normal SSL connections, and with a good DPI it can be blocked.
But my question is how can I change OpenVPN to act like a normal SSL connection (HTTPS, SSH, etc.). Is there a patch?
Any help would be much appreciated.
And I should point out that I can connect with OpenVPN from my iPod. Is there any difference between original OpenVPN and OpenVPN Connect on iOS other than PolarSSL?
Thanks in advance.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Apr 02, 2013 10:38 am
Re: TLS handshake failed
You have to use DHCP server so that OpenVPN can behave like normal SSL. As such there is no difference between original OpenVPN and OpenVPN Connect on iOS but you require DD-WRT router to access your iOS device from OpenVPN.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Tue Mar 26, 2013 3:50 pm
Re: TLS handshake failed
Thanks for your reply but I still don't understand why iPod can connect to my OpenVPN server but my PC cannot (if there isn't any difference).
And I think you have misunderstood me. I don't want to access my iPod from OpenVPN. I have no problem with my iPod.
My problem is on PC, I cannot connect to my OpenVPN server from PC (but my iPod can).
My question is what is the difference between OpenVPN on desktop and OpenVPN on iPod? There must be one, because PC cannot connect to OpenVPN but iPod can; and how can I change OpenVPN on desktop to behave like OpenVPN on iPod?
And as the subject implies I know that they are interrupting TLS handshake if that helps.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Tue Mar 26, 2013 3:50 pm
Re: TLS handshake failed
http://sourceforge.net/mailarchive/mess ... d=30362473
It seems that OpenVPN client on iOS and Android has a completely different code base and is not the original OpenVPN at all, and it has not been open sourced.
But I still appreciate any help on how to modify OpenVPN to act like normal SSL.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: TLS handshake failed
It won't be possible to opensource all of the iOS client (if I understand correctly), as Apple forbids this.
Making OpenVPN act "like normal SSL" is asking to rewrite the entire OpenVPN protocol: won't happen any time soon and you'd be much better off writing your own code/spin-off/fork.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Tue Mar 26, 2013 3:50 pm
Re: TLS handshake failed
Can someone tell what might be the difference between them?
If my iPod can connect to my OpenVPN server then it is probably using normal SSL or something other than OpenVPN protocol.
But what might be the difference?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: TLS handshake failed
It isn't any different - your iPod or iPad could only connect to the OpenVPN server if it's running the OpenVPN iOS client; this client talks the OpenVPN proprietary protocol. If you can connect to the (OpenVPN) server without this client s/w then your connection is NOT encrypted by OpenVPN (but then what *ARE* you using?).
-
- OpenVpn Newbie
- Posts: 9
- Joined: Tue Mar 26, 2013 3:50 pm
Re: TLS handshake failed
I think you misunderstood me.
Here's the situation:
I have an OpenVPN server running on Ubuntu server 12.04. I installed it with apt-get (from Ubuntu repositories). It is the original open source OpenVPN and my connection is encrypted with Blowfish (BF-CBC) algorithm, UDP port 25000.
I was able to connect to my server from Windows, Linux, Mac and iOS. But then my ISP blocked all kinds of VPN connections including OpenVPN. Now I CANNOT connect to my server from Windows, Linux and Mac with original OpenVPN but I CAN connect to my server from iOS.
If iOS talks OpenVPN proprietary protocol then original OpenVPN should be able to talk this protocol too, because my iPod is connecting to the original OpenVPN (they should talk the same protocol, am I right?). So whatever protocol iOS OpenVPN client is using, it should be implemented in the original OpenVPN; and I just want to know what it is, so I can change my config files on the client to behave like iOS OpenVPN client.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: TLS handshake failed
In principle, an iOS client uses the same protocol to talk to a "regular" OpenVPN server as the other OpenVPN clients. As it's a different codebase, the precise details of the traffic might vary slightly, but the basics remain the same.
The fact that your ISP does not seem to catch the iOS-generated traffic merely shows that their filtering rules are not perfect, not that iOS uses a different protocol. It would be interesting to see what the actual (minor, technical) differences between an iOS client and the opensource client are, but on a *protocol* level they are the same.