OpenVPN Support Forum

VPN access in undemocratic repressive regimes is an absolute must for democracy. Unfortunately China has, for a while been using deep packet inspection and seems to be able to tell the difference between OpenVPN SSL traffic and normal SSL traffic. Surly the geniuses out there who write Open VPN can do something to make this impossible. L2TP/IPSec VPNs work ok but OpenVPN does not. I cannot think of a more worthy cause for you guys to work on.

There is one post out there of a patch but this is far too complicated for most people and does not cover mobile clients (Android Phones) that are the norm for access in these countries.

Let’s get the community behind a fix in the core product

I would really appreciate a fix for this as well. China has shut me down every time I set up a new server.

jeff.tutin@ntlworld.com wrote:VPN access in undemocratic repressive regimes is an absolute must for democracy. Unfortunately China has, for a while been using deep packet inspection and seems to be able to tell the difference between OpenVPN SSL traffic and normal SSL traffic. Surly the geniuses out there who write Open VPN can do something to make this impossible. L2TP/IPSec VPNs work ok but OpenVPN does not. I cannot think of a more worthy cause for you guys to work on.

There is one post out there of a patch but this is far too complicated for most people and does not cover mobile clients (Android Phones) that are the norm for access in these countries.

Let’s get the community behind a fix in the core product

I think this would be a worthy cause. Good idea. Not sure it is feasible, though.

Worthy cause .. Yes !

Possible .. No

Consider this:

A packet transmitted over the internet is structured (more or less) like so:

[Some data]:: not relevant
[IP Destination Address]:: Very Relevant ! << This is the problem.
[IP Source Address]:: Quite Relevant
[Payload]:: Could be anything ..

The destination address of your packet reveals, to the Powers that Be, the means by which they can choose to filter. If that destination is something they don't like they drop it. Otherwise known as "The Great Firewall" ..

I think a more viable solution, for people enslaved by undemocratic governments, would be to dig secret tunnels (in the ground) out of your countries and link up to the rest of the world that way. Either with signals or on foot.

My deepest sympathy .. fight the power .. don't believe the hype ..

Tor network might be of more use in this situation.

Traffic wrote:Possible .. No

Consider this:

A packet transmitted over the internet is structured (more or less) like so:

[Some data]:: not relevant
[IP Destination Address]:: Very Relevant ! << This is the problem.
[IP Source Address]:: Quite Relevant
[Payload]:: Could be anything ..

The destination address of your packet reveals, to the Powers that Be, the means by which they can choose to filter. If that destination is something they don't like they drop it. Otherwise known as "The Great Firewall" ..

I think a more viable solution, for people enslaved by undemocratic governments, would be to dig secret tunnels (in the ground) out of your countries and link up to the rest of the world that way. Either with signals or on foot.

My deepest sympathy .. fight the power .. don't believe the hype ..

Tor network might be of more use in this situation.

It's not completely impossible, and Tor has exactly the same problem in these countries with the basic configuration.

Actually, Tor has a component named "obfsproxy", he obfuscate the traffic (using protocols as obfs3, scramblesuit, ...).
With Tor you need to configure the transport bridge server to use (you can get their IP here: https://bridges.torproject.org/ ) and then the traffic can pass "the great firewall" and others DPI systems.

There is some tutorials on the web who speak about accessing to an OpenVPN Server with an obfsproxy access, but this add some constraint (udp protocol unsupported, ...).

So I don't think it's impossible to implement directly the obfsproxy functionnalities into OpenVPN, that could at least protect users using their own VPN on an external server, ... (because even if a big VPN is banned because his IP is known, I guess they can't detect a VPN Server if his traffic is obfuscate).

(sorry if my english isn't very good, not my mothertongue)

Unless you can bypass TGFW completely, they are in control of what you can send and receive .. no matter what encryption you use.