Obfuscated or Stealth VPN services (DPI pass through)

So who actually uses obfuscated VPN that passes standard DPI? I know of Astrill StealthVPN, TorGuard stealth and VyprVPN Chameleon. There must be more than this, right? These technologies basically just use the OpenVPN xor/obfuscation patch (GitHub - clayface/openvpn_xorpatch: OpenVPN xor scramble patch; it can also be found in the DD-WRT repo last I checked) or similar idea to mask the data stream for every use with a unique xor key. They work in China. This is important, as that is the main place that everyone really does need a VPN!

I also like VPN solutions that keep the tunnel itself wrapped in another SSL or SSH tunnel. Solutions like the one AirVPN uses. Just looks like standard HTTPS traffic over say port 80, 53, or 443.

All VPN providers really need to offer pluggable transports for their OpenVPN connections. Obfsproxy for example will work for most uses most of the time. They don’t need to keep rolling their own solutions.

Tunnel in tunnel usually results in pretty bad performance though, as any packet dropped will double request a resend and it causes a cascading effect. Using UDP is actually ideal for performance, as any time you send TCP over TCP you can get the cascading effect; wrapping yet another TCP tunnel will make things even worse. This technique can be good for obfuscation, but the protocol-level obfuscation can achieve similar results with better performance.

I’d be interested to see if the AirVPN solution still works in China though.

Yup, the TCP black hole issue is a problem for OpenVPN obfuscation. It is even worse because OpenVPN over TCP will do double requests for the VPN layer, and then do a third re-request on the obfuscation layer as well.

As far as I know, yes it should.

It does. And it doesn’t have the black hole effects of the OpenVPN obfuscation.

I don’t understand: if it is an OpenVPN tunnel tunneled through another protocol, wouldn’t it have the black hole effect? The XOR patch I’m talking about does not have the black hole effect at all (it just scrambles packets before sending and works with UDP), although I can’t say I’m exactly sure how each provider implements it on their end.
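The XOR scrambling discussed in this thread, as an added example that is not part of any post and is not the patch's own code: it shows why a fixed-key XOR hides the OpenVPN opcode byte from a static signature, and why a detector can still see the packet layout when the same key masks every packet. Assumptions: plain repeating-key XOR (a simplification of the patch), a constructed 14-byte UDP hard-reset packet without tls-auth, a made-up key, and a simplified signature rather than a real DPI rule.

```python
from itertools import cycle

# OpenVPN opcode for the client's first control packet; it sits in the top 5 bits of byte 0.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
KEY = b"k3y!"  # constructed sample key, not from the thread


def build_client_reset(session_id: bytes) -> bytes:
    """Constructed sample: opcode byte, 8-byte session id, empty ack array, packet id 0."""
    assert len(session_id) == 8
    return bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + session_id + b"\x00" * 5


def looks_like_openvpn_reset(pkt: bytes) -> bool:
    """Simplified static signature applied to the first UDP payload of a flow."""
    return (len(pkt) == 14
            and pkt[0] >> 3 == P_CONTROL_HARD_RESET_CLIENT_V2
            and pkt[9:] == b"\x00" * 5)


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def unchanged_positions(a: bytes, b: bytes) -> list:
    """Offsets where two masked packets carry the same byte.
    With one shared key, c1 ^ c2 == p1 ^ p2, so constant protocol fields line up."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]


def demo() -> dict:
    p1 = build_client_reset(bytes(range(8)))       # two flows, different session ids
    p2 = build_client_reset(bytes(range(8, 16)))
    c1, c2 = xor_mask(p1, KEY), xor_mask(p2, KEY)
    return {
        "plain_matches_signature": looks_like_openvpn_reset(p1),
        "masked_matches_signature": looks_like_openvpn_reset(c1),
        "length_preserved": len(c1) == len(p1),
        "fixed_fields_still_visible_at": unchanged_positions(c1, c2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is the detection-side caveat: packet length and the positions of constant fields survive a shared XOR key, so the masking defeats byte-pattern matching but not statistical or cross-packet analysis.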