Penetrating Firewalls Using OpenVPN

Moderators: TinCanTech
mpfrench
OpenVpn Newbie
Posts: 17
Joined: Mon Feb 20, 2012 3:13 pm

Penetrating Firewalls Using OpenVPN

Post by mpfrench » Wed Oct 13, 2021 2:08 pm

Ref: Server Running OpenVPN-2.5.4-I602-amd64.msi on Windows 10 x64 version 21H1.

Problem: I had the unfortunate experience of spending several days in a hospital behind their very restrictive wifi firewall. The only access they granted to their public wifi was web browsing using HTTP (TCP port 80) and HTTPS (TCP port 443). My IMAP-based e-mail client was blocked as was my OpenVPN client which was set to use UDP port 80.

This began my search for a way to penetrate this very restrictive firewall. I first discovered the OpenVPN option port-share which sounded as though it would help OpenVPN penetrate a restrictive firewall by setting the OpenVPN server to listen on TCP port 443 and forward legitimate HTTPS traffic to a web server running on a different, nonstandard TCP port, e.g., TCP port 4443.

The manual for OpenVPN 2.4 states that this port-share option is not implemented in the Windows version but since the manual for 2.5 is not yet online, I tried it anyway and found that it is not implemented in 2.5 either.

After thinking about this port-share option, it may fool some firewalls but likely not the most sophisticated ones that can tell the difference between OpenVPN encrypted traffic and HTTPS encrypted traffic. So a more robust solution is required.

The most obvious solution is to design OpenVPN to use HTTPS and avoid all traffic differences between OpenVPN and plain web browsers while making the port-share option work in Windows as well as the other operating systems.

Does anyone have a better solution to my problem? Come to think of it, people in China, North Korea, and other similar restrictive environments would benefit from a solution like this as well.
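The point in the post above, that a firewall can tell OpenVPN on TCP 443 apart from real HTTPS, comes down to the first bytes the client sends. The following is an added example, not part of the thread and not OpenVPN's own code: a classifier of the kind a port-sharing listener or an inspecting firewall applies to a new connection. The sample byte strings are constructed, and the packet-length bounds are an assumption.

```python
import struct

# Opcodes an OpenVPN client uses to open a session (upper 5 bits of the
# first payload byte; the lower 3 bits are the key id, 0 on a new session).
HARD_RESET_CLIENT_OPCODES = {7, 10}  # P_CONTROL_HARD_RESET_CLIENT_V2 / _V3
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a client sends on a new TCP connection."""
    # Check HTTP first: the 'T' of "GET" (0x54) decodes as opcode 10, so a
    # naive opcode-only test would mislabel plain HTTP as OpenVPN.
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) < 6:
        return "unknown"
    # TLS: record type 0x16 (handshake), version major 0x03, and the
    # handshake message type at offset 5 is 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian packet length, then opcode/key id.
    (plen,) = struct.unpack_from(">H", data, 0)
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # Assumed bounds: a reset carries at least opcode(1) + session id(8) +
    # ack count(1) + packet id(4) = 14 bytes and fits in one small packet.
    if opcode in HARD_RESET_CLIENT_OPCODES and key_id == 0 and 14 <= plen <= 1500:
        return "openvpn"
    return "unknown"


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "browser ClientHello": bytes.fromhex("1603010200010001fc0303"),
    "OpenVPN hard reset": bytes.fromhex("000e3811223344556677880000000000"),
    "plain HTTP": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "SSH banner": b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22s} -> {classify_first_bytes(payload)}")
```

Because the opcode byte is sent in the clear before any key exchange, moving OpenVPN to TCP 443 changes the port number but not this signature.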

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Penetrating Firewalls Using OpenVPN

Post by TinCanTech » Wed Oct 13, 2021 4:20 pm

mpfrench wrote (Wed Oct 13, 2021 2:08 pm):
"I had the unfortunate experience of spending several days in a hospital behind their very restrictive wifi firewall"

Was it a military hospital?

A decent hospital might allow their clients VPN access in these modern times. Perhaps suggest that to them.

As for the rest of your question, there is no solution.

The reason: It is an arms race.

No matter what openvpn does, the source code is open and free.

vs

Various governments around the planet do not like people using VPNs.
They have all the money, power and time it takes to find a way to win the arms race.
All governments want to stop us using crypto for everything, except what they sanction.

Stephanie_Sy
OpenVPN User
Posts: 20
Joined: Mon May 31, 2021 4:51 pm

Re: Penetrating Firewalls Using OpenVPN

Post by Stephanie_Sy » Wed Oct 20, 2021 1:33 am

I think that people in non-free countries could be easily identified by the fact that they use encrypted communications.

mpfrench
OpenVpn Newbie
Posts: 17
Joined: Mon Feb 20, 2012 3:13 pm

Re: Penetrating Firewalls Using OpenVPN

Post by mpfrench » Tue Jan 16, 2024 7:00 pm

I still have not found a solution to the problem I posed quite a long time ago but would like to do so. First, a brief restatement of the problem --

I would like to use my laptop computer, running an OpenVPN client, in remote situations where the remote firewall allows traffic using HTTP (TCP port 80) and HTTPS (TCP port 443). No other ports will pass anything. Also, running OpenVPN on TCP port 443 is blocked by the remote firewall.

The only solution that I can imagine is to convert the OpenVPN traffic on the laptop to standard HTTPS then on the OpenVPN server at home, convert the HTTPS to OpenVPN traffic. In other words, the laptop would run an OpenVPN-to-HTTPS converter while the home server would run an HTTPS-to-OpenVPN converter.

This solution will work unless the server IP address is blocked.

Does anyone know of such a solution?

mpfrench
OpenVpn Newbie
Posts: 17
Joined: Mon Feb 20, 2012 3:13 pm

Re: Penetrating Firewalls Using OpenVPN

Post by mpfrench » Wed Jul 31, 2024 6:45 pm

I am re-posting the problem. I recently traveled to several countries in Europe and every WIFI system blocked all the ports except for TCP 80 and 443. So getting e-mail on the ports traditionally used is impossible over WIFI. The only solution that I can see is to use an instance of OpenVPN that uses HTTPS on TCP port 443 on a client (e.g. a laptop) to communicate with an OpenVPN server that handles the HTTPS traffic in addition to the classic OpenVPN protocols. I realize that this double encryption (HTTPS & OpenVPN) will cause a decrease in throughput but at least it would allow OpenVPN to penetrate the WIFI firewall.

Does anybody know how to accomplish this?

eva78mason
OpenVpn Newbie
Posts: 1
Joined: Tue Nov 26, 2024 8:06 am

Re: Penetrating Firewalls Using OpenVPN

Post by eva78mason » Tue Nov 26, 2024 8:08 am

I'm sorry to hear about the difficulties you faced with the restrictive firewall. It sounds like you've already explored several options, including the port-share feature of OpenVPN, which unfortunately isn't implemented in the Windows version.

One potential solution could be to use a proxy server that supports HTTPS traffic. By routing your OpenVPN traffic through the proxy, you might be able to bypass the firewall restrictions. Here's a general approach:

Set up a proxy server that can handle HTTPS traffic. You can use software like Squid or Tinyproxy.

Configure your OpenVPN server to route traffic through the proxy server. This might involve modifying the OpenVPN configuration file to use the proxy server's IP address and port.

Test the setup in a controlled environment to ensure that it works as expected and that the firewall restrictions are bypassed.

This approach should help you maintain a secure connection while avoiding the firewall restrictions.
