We’ve all been there. You’re on a network that blocks everything. Solution? Use OpenVPN. That’s blocked too?
Even though this won’t really matter if DPI is actually being used, it’s always worth a try. If you can, try using OpenVPN over TCP Port 443. Since this is the same port used for HTTPS, many firewalls will let the traffic through. Should TCP 443 not work, or if you need TCP 443 for something else on your server, try UDP port 53. UDP 53 is used for DNS queries, and I found out that it actually gets around a lot of firewalls. Sometimes, you can even use a VPN on UDP 53 without logging in to WiFi(you have to be connected, but not log in through the web portal). 9/10 times, changing the port will let you through the firewall. Should all else fail, time to move on to SSH tunnel magic.
Many firewalls simply block ports, hostnames, and/or IP addresses. However, DPI, or Deep Packet Inspection, can be used to determine the actual type of packet being sent and/or received(e.g. HTTPS, OpenVPN, SSH, etc.). This is often used to restrict access to certain services, often VPN’s, essentially making it near impossible to bypass the firewall. Luckily for you, SSH tunnels exist! The easiest work-around is to send all OpenVPN traffic through a SSH tunnel, which will add another layer of encryption over OpenVPN. This makes it near impossible to figure out that the packets are actually OpenVPN packets, and not just SSH. Even if this does not work, there are other options that are beyond the scope of this post, such as SSL encapsulation.
Creating the SSH tunnel
Creating the SSH tunnel is quite simple. All you need to do is make sure you have OpenVPN running on a TCP port(such as TCP 443), because there is no easy way I’m aware of to do this with UDP, and run the following command on the OpenVPN client:
ssh -L 1194:localhost:1194 server
Replace “server” with what you usually use to log in(i.e.
email@example.com) to your VPS/dedicated server. This command will create a tunnel listening on localhost 1194/tcp and forward it to the remote server on port 1194/tcp. Change the ports to fit your configuration.
Setting up OpenVPN
Next, you’ll need to configure OpenVPN to actually use the SSH tunnel instead of connecting directly to the external server. To do this, simply edit your
.ovpn file, and replace the remote line(s) with:
proto tcp remote localhost 1194
This will tell OpenVPN to send all traffic through “localhost” on TCP port 1194, which is the SSH tunnel(change the port to match the SSH command). The SSH tunnel will then encrypt the traffic before sending it to the server, making it pretty much impossible to figure out that you’re using a VPN.
Why not just an SSH tunnel?
You actually can use just the SSH tunnel without OpenVPN to encrypt your web traffic. So, why shouldn’t you? Well, one reason is that when using OpenVPN through SSH, all traffic is sent through the VPN, instead of just the applications you’ve configured to go through the SSH tunnel(such as your browser). Another reason is mobile support; there are many SSH apps that support setting up SSH tunnels, but very few(or no) iOS apps support using a SOCKS proxy.
Setting this up on iOS
I needed to set this up on iOS a few days ago, so here’s how I did it:
- Install the Termius app, and set up local port forwarding with the following settings:
* Host: your server * Port from: 1194 * Destination: your server's IP address/hostname * Port to: 1194
Edit the .ovpn file and email it to your phone, then import it into the OpenVPN app
Click on the port forwarding setting you just created in Termius to enable it
Try to connect to your VPN
You should now be able to bypass firewalls on both your iPhone/iPad/iPod touch and any Linux-based operating system. If you’re on Windows, then I guess you can use Putty, but you should really switch to Linux :)
Now that you have your VPN set up, read about why they don’t magically make you invisible online.