How to disguise VPN traffic as HTTPS traffic over TCP/443?

Hello fellow homelabbers! I currently have 1194/UDP for OpenVPN to access my home network and devices. It works great. I get great comfort knowing that everything is encrypted and safely tunneled back home when I am accessing an open wifi location outside.

Some more restrictive public wifi locations block all ports but 80/443 over TCP for obvious reasons. I tried tunneling a SoftEther connection over 443/TCP, but I presume they run some form of DPI system, since my connection gets dropped for the night within a few minutes. I am unable to access the server for the rest of the night, since I assume that IP gets blacklisted for that period.

However, if I run Guacamole over HTTPS, my connection doesn’t get flagged. So that’s what I currently do, I run a jump machine back home.

My question is, is there any way to tunnel some type of VPN encapsulated over HTTPS (with a legit Let’s Encrypt cert) so I can continue to access my home network and devices? If I open the host/port with a regular web browser, it’d automatically serve up a dummy website.

I tried googling for this, and the closest I’ve seen was to create some form of Socks5 proxy server using something called ShadowSocks and ShadowSocksR. This is close, but I need to access my homelab not just using Socks5/web browser. I’d love to have a proper network tunnel back home, so even apps and systems that don’t use Socks can easily access my VPN.

Thanks in advance!

Update:

I think I’m making this much too complicated. Apparently, OpenVPN has provisions for this exact situation!

reference:
https://www.netgate.com/docs/pfsense/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html

https://davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/

I shall try this later this week when I have some time, and report back.

You can run OpenVPN on port 443. Just run it as 443/tcp, but understand for OpenVPN, TCP will slow things down a little.

Try using 53 (DNS) instead.

I’ve had success encapsulating the OpenVPN tunnel using stunnel

You should run TCP OpenVPN on port 1194 and set up stunnel to wrap that traffic in a true SSL/TLS tunnel. DPI only sees it as a large HTTPS transfer :). It’s what I use at work.

What I do is I run a socks5 proxy on top of an OpenVPN connection; that usually does the trick since it goes to the proxy server first, then the VPN server. I also heard you can change tls-auth to tls-crypt in both server and client config to make it harder to detect. But overall DPI firewalls are getting very good at detecting VPN connections in general, and that is starting to be a problem for many of us.

Use SSTP. It is a VPN over SSL. It was developed by Microsoft, but I think there are linux packages now for it.

I use openconnect to do this and haven’t had any problems with the traffic being marked as mismatched protocol and port yet. Look up ocserv for Linux if interested.

A problem I’ve been meaning to tackle, but haven’t had the time for 3 months now due to work being hectic.

In theory, using SSLH to serve a web page over SSL to DPI probes + wrapping the non-encrypted VPN connection into mutual SSL stunnel socket on the same port should do the trick. In practice, I expect there to be a plethora of problems with this and the configuration won’t be straightforward. First problem that comes to mind is that OpenVPN on Android won’t work out of the box with this approach, as it will be unable to talk to the stunnel socket.

I run OpenVPN on a Pi Zero on port 443. Works great.

Try ocserv https://ocserv.gitlab.io/. You can use it with its own Openconnect client or Cisco’s AnyConnect client.

From a security perspective: layer 7 vs. port mismatch is an elementary DPI rule; I wouldn’t spend too much effort trying to subvert that.

Rather, stick with guac in your DMZ and use that jumpbox to SSH or VPN (if you don’t trust the DMZ), and then SSH inside the network.

DPI will pick it up. OpenVPN handshake is not the same as your typical HTTPS, plus some DPIs check if the server behind 443 is sending valid HTTP responses.

Can I run that behind a reverse nginx proxy?

I’ve tried that actually. Both TCP and UDP. It just flakes out without any success using SoftEther and OpenVPN.

My apologies. I meant to say Apache/Guacamole https://guacamole.apache.org/ lol

I totally forgot the OpenVPN client has the ability to use socks connection!

Give OpenVPN combined with stunnel a go. We have some pretty hefty DPI and firewall rules at work, but wrapping OpenVPN TCP traffic with stunnel results in the traffic just showing as a large HTTPS transfer. Works wonderfully :)

https://forum.nginx.org/read.php?11,260587

So, I can finally give feedback. Stream works very well for OpenVPN (using TCP).

There is even an example config.
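The front-door check that the OP’s port-share links, the nginx `stream` result above and the “DPI will pick it up” reply all turn on, as an added Python example (not code from the thread, OpenVPN, sslh, stunnel or nginx): peek at the first bytes arriving on 443/tcp, route a genuine TLS ClientHello by its SNI either to the web server with the Let’s Encrypt cert or to an stunnel endpoint that wraps OpenVPN, pass plain HTTP to the web server, and recognise a raw OpenVPN TCP hard-reset from its first three bytes. That last branch is the point of the DPI reply: a port-share front end and a DPI box classify the same bytes the same way, so only the TLS-wrapped path looks like HTTPS. The backend addresses, the hostname `vpn.example.invalid`, the 512-byte size bound and the sample byte strings are constructed assumptions for this example.

```python
"""Peek-and-route for connections arriving on 443/tcp (added example, see lead-in).
Backends, hostname and sample bytes below are constructed for illustration."""
from __future__ import annotations

TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSL 3.0 .. TLS 1.2 record layer
# OpenVPN over TCP: 2-byte big-endian length, then one byte (opcode << 3 | key_id).
HARD_RESET_CLIENT_OPCODES = {7, 10}  # P_CONTROL_HARD_RESET_CLIENT_V2 / _V3 (tls-crypt-v2)

VPN_SNI = "vpn.example.invalid"      # hypothetical name the VPN client puts in its ClientHello
BACKENDS = {                          # hypothetical listeners on the same host
    "web": ("127.0.0.1", 8443),      # nginx with the Let's Encrypt cert and the dummy site
    "vpn-tls": ("127.0.0.1", 8444),  # stunnel: terminates TLS, forwards to OpenVPN 1194/tcp
    "vpn-raw": ("127.0.0.1", 1194),  # OpenVPN itself, for clients sent without the wrapper
}

def classify(peek: bytes) -> str:
    """Label the first bytes of a stream as 'tls', 'openvpn', 'http' or 'unknown'."""
    if len(peek) < 3:
        return "unknown"
    if peek[0] == 0x16 and int.from_bytes(peek[1:3], "big") in TLS_RECORD_VERSIONS:
        return "tls"                       # TLS handshake record: what 443 should carry
    plen, opcode, key_id = int.from_bytes(peek[:2], "big"), peek[2] >> 3, peek[2] & 0x07
    # OpenVPN client hard-reset: 14 bytes bare, a few dozen with tls-auth/tls-crypt, key_id 0.
    # The size bound is a heuristic; it also stops b"GET " (0x54: opcode 10) matching.
    if opcode in HARD_RESET_CLIENT_OPCODES and key_id == 0 and 14 <= plen <= 512:
        return "openvpn"
    if peek.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")):
        return "http"
    return "unknown"

def extract_sni(peek: bytes) -> str | None:
    """Return the server_name from a complete TLS ClientHello, else None."""
    if classify(peek) != "tls":
        return None
    try:
        rec_len = int.from_bytes(peek[3:5], "big")
        data = peek[5:5 + rec_len]
        if len(data) < rec_len or data[0] != 0x01:  # short read / not a ClientHello
            return None
        hs_len = int.from_bytes(data[1:4], "big")
        hello = data[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 2 + 32                                          # client_version + random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                                 # compression_methods
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")  # extensions block
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hello[pos:pos + 2], "big")
            elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                                    # server_name extension
                lpos = 2                                      # skip server_name_list length
                while lpos + 3 <= len(edata):
                    ntype, nlen = edata[lpos], int.from_bytes(edata[lpos + 1:lpos + 3], "big")
                    if ntype == 0:                            # host_name
                        return edata[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
    except (IndexError, UnicodeDecodeError):
        return None
    return None

def route(peek: bytes) -> tuple[str, int] | None:
    """Choose a backend the way a port-sharing front end would; None means drop."""
    kind = classify(peek)
    if kind == "tls":
        return BACKENDS["vpn-tls"] if extract_sni(peek) == VPN_SNI else BACKENDS["web"]
    if kind == "http":
        return BACKENDS["web"]      # plain HTTP on 443: let nginx answer or redirect it
    if kind == "openvpn":
        return BACKENDS["vpn-raw"]  # port-share style; a DPI box classifies it the same way
    return None

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI (test input only)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + len(host).to_bytes(2, "big") + host
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, zero random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed sample first-bytes (not captured traffic).
SAMPLE_OPENVPN = ((14).to_bytes(2, "big") + bytes([7 << 3])   # len 14, opcode 7, key_id 0
                  + b"\x11\x22\x33\x44\x55\x66\x77\x88"        # session id
                  + b"\x00" + b"\x00\x00\x00\x00")             # empty ack array, packet id 0
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: vpn.example.invalid\r\n\r\n"
```

The `vpn-raw` branch is the one the thread warns about: it works as port sharing, but a DPI box that reads the same three bytes flags the flow, whereas the `vpn-tls` branch carries a real ClientHello with a real certificate and differs from the decoy site only in SNI. If the network also inspects SNI, give the VPN name a certificate and a dummy page of its own so that a probe to that name gets an ordinary HTTPS answer.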

Hey I know this post is a whopping 6 years old but could you describe your setup?

I have a home router running OpenWrt and OpenVPN. I see there is an stunnel add-on in the OpenWrt repo. I’m curious how you set yours up.

Work blocked VPN connections over the guest network at port 1194.

Right now I have OpenVPN running on UDP 443. I’d like to up my game and make sure their firewall can’t get too crazy.

Should I switch to TCP 443? I am aware of the risks of doing this.