OpenVPN Blocked -- Redesign Using HTTPS

Posted: Thu Oct 05, 2023 3:05 am
by mpfrench
It seems as though more and more places are blocking OpenVPN communication. I've tried running my OpenVPN server using TCP port 443 but this is blocked as well by sophisticated firewalls. Somehow they can tell the difference between https traffic and OpenVPN traffic.

Since these sites will pass http on TCP port 80 and https on TCP port 443, it would seem a viable solution to my problem to make OpenVPN use https to communicate to the OpenVPN server. If need be, various metadata that web browsers pass could also be added to fool firewalls into thinking that the traffic is just web browser traffic instead of OpenVPN traffic.

Have any of the OpenVPN developers tried this scheme?

Re: OpenVPN Blocked -- Redesign Using HTTPS

Posted: Wed Aug 14, 2024 5:31 am
by sybille
"More and more" is an understatement. In a large part of the world (China, Russia, North Korea, Turkiye...), the internet is already locked down, and even in "free democratic" countries at least half of the networks in hotels, airports, corporate networks, Airbnb rentals, etc. are locked down and crippled.

This includes OpenVPN, since by its current design, even tunneling SSL traffic over the HTTPS port (443) can easily be intercepted by DPI firewalls. In such a situation, one can usually never know whether OpenVPN will be allowed when you need it, or whether the next day some admin will decide to block it. We're approaching a point where OpenVPN is quickly becoming pretty much useless and irrelevant. So this is no longer a nice-to-have, it's a must-have.

There is a simple solution: websockets. It's an RFC standard, universally supported, and it's layered on top of HTTP/HTTPS, so it's indistinguishable from "plain web" traffic short of breaking SSL encryption. Libraries for websockets are universally available, and due to OpenVPN's current design the implementation would be quite straightforward.

Re: OpenVPN Blocked -- Redesign Using HTTPS

Posted: Wed Aug 14, 2024 5:41 pm
by mpfrench
Sybille, thanks for your reply. I think that you're on to something.

OpenVPN developers -- How about giving websockets a try? The current OpenVPN connection methods are too easily thwarted to be useful except in the most benign environments.

Further research:
"The WebSocket protocol was designed to accommodate bidirectional communication over a single TCP connection while maintaining compatibility with infrastructure for HTTP. It is not dependent on HTTP and can work independently, directly connecting to a port. A WebSocket connection can be established by upgrading an existing HTTP/1.1 connection or programmatically." From https://http.dev/ws

https://en.wikipedia.org/wiki/WebSocket

https://developer.mozilla.org/en-US/doc ... ockets_API

https://websocket.org/
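To make concrete what the HTTP/1.1 upgrade quoted above consists of, here is an added illustration (not OpenVPN code and not from anyone in this thread): a minimal RFC 6455 server-side handshake check that validates a client's upgrade request and derives the Sec-WebSocket-Accept header from the client's key. The request bytes are constructed using the RFC's own example key; the function names are this example's, not a library's.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 section 1.3; the server appends it to the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """Derive Sec-WebSocket-Accept: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.1 request head into its request line and a lowercase header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def handshake_response(raw: bytes) -> bytes:
    """Return the 101 Switching Protocols reply for a valid upgrade, else a 400."""
    req = parse_request(raw)
    h = req["headers"]
    key = h.get("sec-websocket-key", "")
    try:
        # The key must be a base64 encoding of exactly 16 random bytes.
        key_ok = len(base64.b64decode(key, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        key_ok = False
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    valid = (
        req["method"] == "GET"
        and req["version"] == "HTTP/1.1"
        and h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in connection_tokens
        and h.get("sec-websocket-version") == "13"
        and key_ok
    )
    if not valid:
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        f"Connection: Upgrade\r\nSec-WebSocket-Accept: {accept_key(key)}\r\n\r\n"
    ).encode("ascii")


# Constructed sample request, using the example key from RFC 6455 section 1.3.
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)
```

After the 101 reply, both ends stop speaking HTTP and exchange WebSocket frames on the same TCP (or TLS) connection, which is the property the posters above want OpenVPN to take advantage of.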