Jump to content
Not connected, Your IP: 3.133.151.90
greenclaydog

Has obfuscation been implemented into OpenVPN?

Recommended Posts

According to this, a recent update to OpenVPN has introduced obfuscation support, with the introduction of the "tls-crypt" command for OpenVPN config files in OpenVPN 2.4.0

 

Is this effective? If so will AirVPN be implementing it as a new obfuscation option for mobile users when 2.4.0 is inevitably pushed to mobile devices via OpenVPN connect and OpenVPN for Android? 

 

https://www.reddit.com/r/VPN/comments/5pqxs8/china_announces_mass_shutdown_of_vpns_that_bypass/

 

Capture.png

 

Edit: It's mentioned in the main page for OpenVPN 2.4.0 here approx. 5 times 

Share this post


Link to post
Guest

Interesting

Share this post


Link to post

Hello!

 

Not yet. Unfortunately, OpenVPN doesn't implement any fallback method about tls-crypt.

 

This new directive must be used at both server-side and client-side, and if we do this we need to force customers to use OpenVPN 2.4 series and to re-download any profiles generated with Config Generator.

 

Currently, OpenVPN 2.4 is neither on a lot of routers, nor in official repository (for example Debian derivatives).

 

At change time zero, note that we would lose compatibility with 100% of our customers not using Eddie, and we would cut definitively out anybody who can't run OpenVPN 2.4. Needless to say that this would be a catastrophic scenario.

 

Maybe we can configure special-purpose servers for this, actually this is under consideration.

 

Kind regards

Share this post


Link to post

Hello!

 

Not yet. Unfortunately, OpenVPN doesn't implement any fallback method about tls-crypt.

 

This new directive must be used at both server-side and client-side, and if we do this we need to force customers to use OpenVPN 2.4 series and to re-download any profiles generated with Config Generator.

 

Currently, OpenVPN 2.4 is neither on a lot of routers, nor in official repository (for example Debian derivatives).

 

At change time zero, note that we would lose compatibility with 100% of our customers not using Eddie, and we would cut definitively out anybody who can't run OpenVPN 2.4. Needless to say that this would be a catastrophic scenario.

 

Maybe we can configure special-purpose servers for this, actually this is under consideration / brainstorming.

 

Kind regards

Wow, that would certainly pose serious immediate problems for many users.

 

In the future when 2.4 is eventually used on routers and such, will a switch be made at some point?

Share this post


Link to post

Hello!

 

Not yet. Unfortunately, OpenVPN doesn't implement any fallback method about tls-crypt.

 

This new directive must be used at both server-side and client-side, and if we do this we need to force customers to use OpenVPN 2.4 series and to re-download any profiles generated with Config Generator.

 

Currently, OpenVPN 2.4 is neither on a lot of routers, nor in official repository (for example Debian derivatives).

 

At change time zero, note that we would lose compatibility with 100% of our customers not using Eddie, and we would cut definitively out anybody who can't run OpenVPN 2.4. Needless to say that this would be a catastrophic scenario.

 

Maybe we can configure special-purpose servers for this, actually this is under consideration / brainstorming.

 

Kind regards

 

If you're brainstorming this I'm guessing it's not possible to implement this by connecting to a certain port/s on the current servers?  That would be way too easy.

Share this post


Link to post

If you're brainstorming this I'm guessing it's not possible to implement this by connecting to a certain port/s on the current servers?  That would be way too easy. :)

 

Hello,

 

it is of course possible running an additional OpenVPN daemon with tls-crypt directive (each OpenVPN daemon has a different configuration) and listening to some new port. The main issues we need to consider are how to make Configuration Generator and Eddie to make users not running OpenVPN 2.4 to NOT choose such options in a swift, friendly and clearly understandable way, and some other deployment problems. Nothing impossible or too difficult, but we need a careful plan, because anything wrong can lead to some serious troubles, considering that at any given time we have 13000 users connected, that Configuration Generator is used every hour by a remarkable amount of users, that a new Eddie is needed, and some other problems. Each and any of these problems must be analyzed. Anyway we confirm that we're interested in tls-crypt because we agree to repute that actually it can bypass some disruption techniques against OpenVPN.

 

Kind regards

Share this post


Link to post

Wow. thanks for these quick and in-detail answers.

I think this feature would be especially useful for customers in China. Thus a server in Singapore on the WestCoast of the US would make the most sense. Preferably the latter for Netflix use

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...