OpenVPN Support Forum

Openvpn china

It’s probably easier to just block all AWS/Azure/Linode/DigitalOcean/etc. blocks.

If you are just visiting, the Great Firewall is not really a problem, as foreign SIM cards route directly to the internet. Just make sure you have a reasonable international plan with your carrier before you go.

This is true. My phone connected to 4G when I turned it on, but then upon my first search using Google Now it disconnected and then reconnected to an H+ network and completed the search. It was pretty cool how they made a completely separate network for it.

With the caveat that in some countries the way data roaming works is all the data is routed back to your home before actually being routed to its destination – for example, if I visit Canada with a US T-Mobile SIM, all my traffic first has to travel to the US, even if I’m pinging a Canadian server.

If you end up with this sort of data configuration in China, you’ll be having a bad time using it for anything performance-sensitive. Good enough for email though, I bet.

>OpenVPN running over port 443 is generally going to be using a CA that is not a public CA, and issues certificates directly rather than through an intermediate.

nothing preventing you from using letsencrypt.

>Even if you tunnel something over normal TLS, the type of traffic can potentially be determined by analyzing how much data flows in which direction and when.

true, but only if you’re doing packets-over-TCP. if you think beyond a VPN, like a https proxy (http proxy, but over TLS), it’s indistinguishable from regular https traffic.

that’s until tech-savvy people make a simple script/installer for the common folk. something like what happened with the LOIC. it’s a cat & mouse game and i’m willing to bet there are far more hackers outside of government than inside it.

How about a thought experiment, assuming you had multiple domains, obfsproxy and Let’s Encrypt going how are they going to be able to tell if everything is over 443?

> analyzing how much data flows in which direction and when

Encapsulated TCP SYN packets, for example, smaller than any HTTP request inside TLS would be.

Want to beat that by padding? Everything always being the same size is an anomaly too.

So then we randomize the padding, what’s next?

How else do they figure it out? My mind jumps directly to funny traffic patterns like a single person using the domain or maybe a non-normal looking website that doesn’t serve static assets to non-vpn users or other normal things, etc. Can they probe the server somehow and figure out it’s a vpn?

Does the user need to visit other sites unrelated to the vpn in order to mask their own usage and appear normal?

It would be quite laborious to figure out “normal” user traffic patterns and then adjust to those. You would have to collect data on a bunch of users and then shape your own traffic to match.

Only makes sense if you are doing it for a bunch of people and at that point you are another VPN provider.

OpenVPN Support Forum

Would this software work in China if I install it on a US VPS? Would it be able to bypass the great firewall’s deep packet inspection? If so, what’s the correct configuration? How does it compare to 3rd party China VPN solutions? Services like VyprVPN have a customized obfuscation algorithm or something. Is OpenVPN capable of doing the same?

If this proves to be a better solution for China users, I’d love to recommend it to them. 3rd party solutions can cost a lot.

novaflash OpenVPN Inc. Posts: 1073 Joined: Fri Apr 13, 2012 8:43 pm

Re: Work in China?

Post by novaflash » Wed May 15, 2019 10:12 am

The OpenVPN Access Server will work in China, if you yourself are in China. As soon as you try to cross the border with this traffic, you will run into the Great Chinese Firewall. Our OpenVPN Access Server product is not designed to defeat this firewall.

There are VPN providers out there that use OpenVPN open source project with obfuscation that tries to defeat this firewall, with varying degrees of success. But that is not what our OpenVPN Access Server product is about.

I’m still alive, just posting under the openvpn_inc alias now as part of a larger group.

Steve341 OpenVpn Newbie Posts: 1 Joined: Tue May 12, 2020 8:40 am

Re: Work in China?

Post by Steve341 » Tue May 12, 2020 8:46 am

Based on my personal experience, if you install an OpenVPN server on a US VPS and then try to connect to it from China, it might work for a few days and then will get blocked by the Great Firewall of China and will never work again. I guess the Great Firewall is “smart” enough now to detect plain OpenVPN connections. Yes, some VPN services that still work in China have developed their special version of OpenVPN to bypass the Great Firewall, but as tested by myself, they don’t always work either.

john56477 OpenVPN User Posts: 27 Joined: Tue Nov 06, 2012 12:02 am

Re: Work in China?

Post by john56477 » Wed Jun 24, 2020 4:11 am

OpenVPN has been blocked in China by GFW since Oct 2012.
There is a patch going around that scrambles OpenVPN. It works. But you need a patched client and server.

But other working solutions are
wireguard,
v2ray,
v2ray+ws+tls+cdn,
shadowsocks with cipher chacha20-ietf-poly1305

There are a multitude of different working solutions using envelopes, e.g. you create a stunnel or obfs4 envelope, and pass openvpn inside.
But it’s an absolute pain.

point455 OpenVpn Newbie Posts: 2 Joined: Tue Jul 14, 2020 10:14 am

Re: Work in China?

Post by point455 » Tue Jul 14, 2020 11:11 am

@john56477 would u be willing to help with this? willing to pay good since searching desperately for a working vpn solution. i know that there is a way to make it work flawlessly via openvpn