How to Guides

How to hide OpenVPN traffic – an introduction

These days most of the countries are looking forward to restricting or banning the use of VPN. This is happening due to an increase in internet censorship. China and Egypt are actively discovering and blocking VPN. China has implemented a tough firewall to impose censorship on a great level, known as the Great Firewall of China (GFW). It won’t be odd to compare it with the Great Wall of China. China keeps on blacklisting known VPN IPs. Also, they use an advance technology known as DPI (deep packet inspection) that can detect data packets related to VPN protocols and can block them accordingly. China has also forced Apple to remove VPN apps from the China app store. Egypt also has DPI technology for the same purpose.

When we say VPN, we mean data going in encrypted form via any private tunnel on the public network, which is almost impossible to detect. But, using DPI ( Deep Packet Inspection) technology, they are able to discover that encryption is being used and if it resembles VPN traffic.

If you are living in a country like China or Egypt or if you want to hide your VPN traffic for your own personal reasons then you are on the right page. There are many ways to conceal your traffic from the government. But, there is a bottleneck to these solutions, most of these solutions need high technical expertise and also VPN server needs to be tweaked. Most of the time we do not have direct access to the VPN server.

Time to check out the solutions which you can perform yourself or you can ask your respective VPN providers depending on your skills and access.

OpenVPN implemented with TCP on port 443.

OpenVPN normally or you can say by default runs on port 1194. Changing the port to 443 helps most of the time. This method of changing the default port to 443 can be performed from the client side itself and this is the simplest workaround so far to conceal your VPN traffic.

The next question will be why 443? Why not 300, 202, 569 or any other possible port out of 65535 ports? The simple answer to this question is that almost all of the websites on the internet is running on HTTPS (Hypertext Transfer Protocol Secure ) protocol safeguarded by SSL which runs on TCP port 443. Our ultimate aim is to make the VPN traffic similar to the normal internet traffic so that it doesn’t get discovered by the government.

The government cannot remove SSL, as it is necessary for the functioning of the websites. This is a great help for us to continue using OpenVPN

But, still this plan is not foolproof,  if the traffic is diagnosed using advanced Deep Packet Inspection(DPI), they will get to know that the traffic is not a real HTTPS traffic. In that case, you need to try other methods which are discussed in the below topics.

Obfuscation technique

Giving a tough competition to China DPI technology Obfsproxy was launched and has been largely used by the platform like TOR. It can be configured with OpenVPN as well. It is difficult for the DPI to detect that OpenVPN (or other VPN protocols) are being used.

Steps to configure Obfsproxy:-

  1. Install Obfsproxy on your computer as well as on the VPN server.
  2. Run the below command on the VPN server.

“obfsproxy obfs2 –dest= server x.x.x.x:5536”

  1. Please replace x.x.x.x with your IP address or to listen on all network interfaces(It will be better to get a static IP from your ISP).

Unfortunately, Obfsproxy is not secure enough, as it does not encrypt data. At the same time, it requires low bandwidth as it does not have to carry encryption overhead. Making it a God for users in places such as Syria or Ethiopia, where bandwidth is rarely available.

OpenVPN and SSL tunnel combo technique.

SSL(Secure Socket Layer) can be used along with OpenVPN to effectively cover your OpenVPN traffic. OpenVPN uses a TLS/SSL encryption protocol that is somewhat different from ‘true’ SSL, and which could be, and which are being discovered by advanced DPI’s. Now it is practically possible to conceal the OpenVPN traffic in a secured layer of SSL encryption (DPI’s are not able to intercept the inner OpenVPN traffic) to prevent your OpenVPN traffic from getting detected by DPI’s.

It is better to discuss this with your selected VPN provider beforehand whether they provide these services or if they are ready for the tweaks. As it has to be configured collectively on both your computer as well as VPN server.

Since it is using a dual encryption channel so it will be a bit slower than normal OpenVPN traffic.

OpenVPN and SSH tunnel combo technique.

This technique is very similar to the above-described technique. The only difference is that it uses SSH(Secure Shell) tunnel instead of SSL. SSH is used basically for taking remote logins on Unix servers and it is not as famous as SSL.

Again as in the case of SSL. It is better to discuss this with your selected VPN provider beforehand whether they provide these services or if they are ready for the tweaks. As it has to be configured collectively on both your computer as well as VPN server.


Now you are in a position to decide which method you are going to use.Based on a few factors like level of encryption and security you need. The strictness of the country’s law in which you are. The VPN provider is agreeing to make the changes or not.

We strongly suggest our customers go forward with a foolproof plan in the countries where use of VPN is extremely illegal and where the use of VPN may lead to fine or jail.


VPN Benefits

Get privacy protection, Wi-Fi security, unrestricted access to content, and much more.

Don’t let the internet browse you!