Mullvad's udp-over-tcp layer

[dnmaster 0]

Mullvad provides a useful "obfuscation" layer that tunnels the UDP VPN packets through a TCP connection to their server. I still use mullvad largely because of this feature, as it gets through many firewalls that TCP OpenVPN or shadowsocks fail to bypass. It is implemented in rust and is open-sourced on github: https://github.com/mullvad/udp-over-tcp/
I realize this is a big wish and probably not feasible but having this feature in AirVPN would make it even more useful for me
Has anyone else had experience using this layer?

[go558a83nk 362]

I've found that tls-crypt TCP 443 allows me to connect when tls-auth openvpn requires me to use stunnel.

Are you sure that this UDP in TCP is required for your location?

[dnmaster 0]

I'll try tls-crypt next time I need to, thank you for the advice.

[dnmaster 0]

I used the automatic protocol selector in eddie and it worked perfectly first try! Thank you for the advice.

[ss11 15]

On 9/8/2023 at 6:24 AM, go558a83nk said:

I've found that tls-crypt TCP 443 allows me to connect when tls-auth openvpn requires me to use stunnel.

Are you sure that this UDP in TCP is required for your location?

This is a very good question, I think there is a high probability udp-over-tcp is not actually the solution, it's the tls-crypt that also alters the handshake.
It's unclear what the obfuscation mechanism is, as from what it can be read on github it's just a forwarder from tcp to udp.
 

[Air4141841 24]

On 9/8/2023 at 9:24 AM, go558a83nk said:

I've found that tls-crypt TCP 443 allows me to connect when tls-auth openvpn requires me to use stunnel.

Are you sure that this UDP in TCP is required for your location?

this is great for us Airvpn users.

since mullvad doesn’t even use tls auth, let alone crypt 
it’s no wonder they have so many issues it’s connectivity 
 

[go558a83nk 362]

16 minutes ago, Air4141841 said:

this is great for us Airvpn users.

since mullvad doesn’t even use tls auth, let alone crypt 
it’s no wonder they have so many issues it’s connectivity 
 

mullvad doesn't use a TLS key?

[Air4141841 24]

4 hours ago, go558a83nk said:

mullvad doesn't use a TLS key?

use tls key = unchecked

Why I stopped using them 

https://mullvad.net/en/help/using-pfsense-mullvad/

[fsy 34]

Holy Moly, lemme get it straight, so the "whoa amazing'" Mullvad "always on the bleeding edge": doesn't offer remote port forwarding, doesn't run OpenVPN with TLS key, provides a lame traffic splitting app with built-in dns leaks "in"... I wouldn't go so far as to say that as North and Express it is a syphilitic little sidewalk whore passed off as a high-class escort, but ... good thing I left it.

[Air4141841 24]

8 minutes ago, fsy said:

Holy Moly, lemme get it straight, so the "whoa amazing'" Mullvad "always on the bleeding edge": doesn't offer remote port forwarding, doesn't run OpenVPN with TLS key, provides a lame traffic splitting app with built-in dns leaks "in"... I wouldn't go so far as to say that as North and Express it is a syphilitic little sidewalk whore passed off as a high-class escort, but ... good thing I left it.

we are very limited….. still thankful Airvpn is included in one of the top tier providers with tls crypt option 

[ss11 15]

This is because AirVPN, at its core, does not employ random sysadmins. The Core team seams to be specialized in and understand very well cryptography, network / systems security, threat models and various attacks and looks to do diligence research for every feature or option deployed. I was able to tell this by how a ticket that sent to professional support was processed. It's the main reason I'm here and referring this service.

Also: can anyone here read Go lang better? Is there actually any obfuscation algorithm in that tcp2udp tool because to me it looks like a lightweight forwarder that wraps and unwraps udp in tcp transparently to the daemon listening on the UDP port. I am not saying it's not good, tools like this should be encouraged to exist as I am sure many users will find valid use cases for them, but I saw it's advertised as an "obfuscation" solution and I want to understand if it technically is (for example like Tor's obfsproxy tool).

[OpenSourcerer 1435]

14 hours ago, ss11 said:

Also: can anyone here read Go lang better? Is there actually any obfuscation algorithm in that tcp2udp tool because to me it looks like a lightweight forwarder that wraps and unwraps udp in tcp transparently to the daemon listening on the UDP port. I am not saying it's not good, tools like this should be encouraged to exist as I am sure many users will find valid use cases for them, but I saw it's advertised as an "obfuscation" solution and I want to understand if it technically is (for example like Tor's obfsproxy tool).

Quick note: It's not Go, it's Rust, and no, there are no crate dependencies or code samples suggesting any obfuscation going on. Where did you saw it advertised as such, though?

It's basically the forward_traffic.rs file: The "glue" is process_udp_over_tcp which taps into process_tcp2udp or process_udp2tcp depending on the direction, along with a few helper functions. udp2tcp wraps a datagram into a TCP packet and simply appends the length of the datagram to the header. In the other direction tcp2udp simply writes into a UDP buffer and forwards complete datagrams to the UDP socket address specified until the TCP stream is closed.

[Stalinium 44]

On 9/17/2023 at 9:23 PM, ss11 said:

Is there actually any obfuscation algorithm in that tcp2udp tool

It does not need to be sophisticated to break simple traffic pattern matching, which is 99% of all common firewalls you are going to see. Yes I would still call it obfuscation.