How to bypass DPI for OpenVPN

We’ve all been there. You’re on a network that blocks everything. Solution? OpenVPN. Wait, that’s blocked? On TCP 443?

Don’t panic! There are still ways you can get OpenVPN to work behind even the most restrictive firewalls. Most places just let OpenVPN on TCP 443 through, but I’ve been at a few places that block that. The easiest work-around is to send all OpenVPN traffic through an SSH tunnel, which adds another layer of encryption over OpenVPN. This makes it near impossible to figure out that the packets are actually OpenVPN. Even if this does not work, there are other options that are beyond the scope of this post.

DPI

Many firewalls simply block ports, hostnames, and/or IP addresses. However, DPI, or Deep Packet Inspection, can be used to determine the actual type of packet being sent and/or received (e.g. HTTPS, OpenVPN, SSH). This is often used to restrict access to certain services, often VPNs, essentially making it harder to bypass the firewall. Luckily for you, SSH tunnels exist!

Creating the SSH tunnel

Creating the SSH tunnel is quite simple. All you need to do is make sure you have OpenVPN running on a TCP port (such as TCP 443), because there is no easy way I’m aware of to do this with UDP, and run the following command on the OpenVPN client:

ssh -L 1194:localhost:1194 server

Replace “server” with what you usually use to log in to your VPS/dedicated server (e.g. user@your-server). This command will create a tunnel listening on localhost 1194/tcp and forward it to the remote server on port 1194/tcp. Change the ports to fit your configuration.

Setting up OpenVPN

Next, you’ll need to configure OpenVPN to actually use the SSH tunnel instead of connecting directly to the external server. To do this, simply edit your .ovpn file, and replace the remote line(s) with:

proto tcp
remote localhost 1194

This will tell OpenVPN to send all traffic through “localhost” on TCP port 1194, which is the SSH tunnel (change the port to match the SSH command).
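The two manual steps above (open the SSH forward, point the .ovpn file at it) can be wrapped in one script so that OpenVPN is only started once the local port is actually listening. The following is an added example, not code from the original post: the SSH login, file names, ports and the use of netcat (nc -z) for the port check are all assumptions. The config rewrite replaces every existing remote line with a single remote localhost line, forces proto tcp (OpenVPN defaults to UDP when no proto line is present), and leaves every other directive, including remote-cert-tls, untouched.

```shell
#!/bin/sh
# Added example (not from the original post): run OpenVPN through a local SSH
# forward. All host names, paths and ports below are assumptions.

SSH_HOST="${SSH_HOST:-user@your-server}"    # assumed SSH login, as in the post
LOCAL_PORT="${LOCAL_PORT:-1194}"            # local end of the forward
REMOTE_PORT="${REMOTE_PORT:-1194}"          # OpenVPN TCP port on the server
OVPN_IN="${OVPN_IN:-client.ovpn}"           # original client config (assumed name)
OVPN_OUT="${OVPN_OUT:-client-via-ssh.ovpn}" # rewritten config (assumed name)

# Rewrite an OpenVPN client config read on stdin: the first "remote" line is
# replaced by "remote localhost <port>", further "remote" lines are dropped,
# any "proto" line becomes "proto tcp", and both are appended if missing.
# Lines such as "remote-cert-tls" do not match because a space must follow
# the keyword.
rewrite_ovpn() {
  port="$1"
  awk -v port="$port" '
    /^[[:space:]]*remote[[:space:]]/ { if (!rseen) { print "remote localhost " port; rseen = 1 }; next }
    /^[[:space:]]*proto[[:space:]]/  { print "proto tcp"; pseen = 1; next }
    { print }
    END {
      if (!pseen) print "proto tcp"
      if (!rseen) print "remote localhost " port
    }
  '
}

# Open the forward in the background. -N runs no remote command, -f backgrounds
# ssh once authentication is done. "localhost" in the -L argument is resolved
# on the SSH server, i.e. it is the OpenVPN daemon listening there.
start_tunnel() {
  ssh -f -N -L "${LOCAL_PORT}:localhost:${REMOTE_PORT}" "$SSH_HOST"
}

# Poll until the local end of the forward accepts connections (assumes a
# netcat that understands -z, e.g. OpenBSD nc).
wait_for_port() {
  port="$1"
  tries="${2:-20}"
  while [ "$tries" -gt 0 ]; do
    if nc -z localhost "$port" 2>/dev/null; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

main() {
  rewrite_ovpn "$LOCAL_PORT" < "$OVPN_IN" > "$OVPN_OUT"
  start_tunnel
  if ! wait_for_port "$LOCAL_PORT"; then
    echo "SSH forward on localhost:$LOCAL_PORT never came up" >&2
    exit 1
  fi
  # OpenVPN normally needs root to create the tun device.
  exec openvpn --config "$OVPN_OUT"
}

# Only run the full flow when invoked as "ovpn-over-ssh.sh run"; sourcing the
# file to reuse rewrite_ovpn on its own does nothing else.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as root (sudo sh ovpn-over-ssh.sh run) after exporting SSH_HOST and OVPN_IN. Two things worth knowing: the inner OpenVPN session is TCP carried inside the SSH TCP connection, so throughput degrades noticeably on lossy links (both layers retransmit), and an inspecting middlebox still sees an ordinary SSH session, since the SSH version banner is exchanged in cleartext; what it can no longer see is that OpenVPN is inside it.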

Why not just an SSH tunnel?

You actually can use just the SSH tunnel without OpenVPN to encrypt your web traffic. So, why shouldn’t you? Well, one reason is that when using OpenVPN through SSH, all traffic is sent through the VPN, instead of just the applications you’ve configured to go through the SSH tunnel (such as your browser). Another reason is mobile support; there are many SSH apps that support setting up SSH tunnels, but very few (or no) iOS apps support using a SOCKS proxy.

Setting this up on iOS

I needed to set this up on iOS a few days ago, so here’s how I did it:

  1. Install the Termius app, and set up local port forwarding with the following settings:
    • Host: your server
    • Port from: 1194
    • Destination: your server’s IP address/hostname
    • Port to: 1194
  2. Edit the .ovpn file and email it to your phone, then import it into the OpenVPN app
  3. Click on the port forwarding setting you just created in Termius to enable it
  4. Try to connect to your VPN

You should now be able to bypass firewalls on both your iPhone/iPad/iPod touch and any Linux-based operating system. If you’re on Windows, then I guess you can use PuTTY, but you should really switch to Linux 🙂

Sources: redfern.me