Masking OpenVPN traffic with obfuscation

Hello, my dear friend. So you too are puzzled by the question of security and/or anonymity on the Internet in these difficult high-tech times, when everyone wants to spy on you or somehow restrict your access to resources.

This kind of traffic masking is also well suited to 4G/LTE networks or other networks where traffic is filtered by type in an attempt to limit access or speed.

Traffic obfuscation is not a new topic, but it is not very popular either, so there are very few really working and worthwhile articles about it.

So, a VDS running Ubuntu 22.04 will serve as the server. As clients we will configure the same Ubuntu and Windows 10 (I think most people will prefer the second option for the client side). For the traffic obfuscation itself, both server and client will use Shapeshifter Dispatcher. The project is not bad, but they dropped support for the obfs4 protocol, and it is not possible to compile a build from fresh sources. Special thanks to @fuccsoc for the old sources. Working builds can be downloaded from the link at the end of the post.

Installing and configuring the server

So, first we update and install the necessary packages:

apt update
apt upgrade
apt install openvpn 
apt install easy-rsa

Setting up obfuscation

Place the build assembled for our OS in the /usr/local/bin folder and set execute permissions:

chmod +x /usr/local/bin/shapeshifter-dispatcher

Then we perform a test run:

shapeshifter-dispatcher -transparent -server -state /var/lib/state -orport 127.0.0.1:1515 -transport obfs4 -bindaddr obfs4-0.0.0.0:1516  -logLevel DEBUG -enableLogging

In response we should see listening on 0.0.0.0:1516, the address and port our obfuscated traffic will arrive at. After that, the program can be stopped. Go to the /var/lib/state folder: three files were created there, dispatcher.log and two config files, obfs4_bridgeline.txt and obfs4_state.json.

From obfs4_bridgeline.txt copy the key following cert=. It is generated automatically and will be needed by our clients.

So that shapeshifter-dispatcher starts at boot, we create a service for it with the required start arguments. Create the service file:

nano /etc/systemd/system/shapeshifter-dispatcher.service 

With the following lines:

[Unit]
Description=shapeshifter-dispatcher service
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/shapeshifter-dispatcher -transparent -server -state /var/lib/state -orport 127.0.0.1:1515 -transport obfs4 -bindaddr obfs4-0.0.0.0:1516  -logLevel DEBUG -enableLogging
Restart=on-failure
RestartSec=30s

[Install]
WantedBy=multi-user.target

Reload systemd:

systemctl daemon-reload

Next, start the service and enable it at boot:

systemctl start shapeshifter-dispatcher.service
systemctl enable shapeshifter-dispatcher.service

Setting up OpenVPN

Since obfs4 has its own encryption, OpenVPN will be configured to run without encryption. This reduces the load on both the server and the client machine.

But the certificate and keys still have to be created. I have easy-rsa version 3.0.8, which has minor changes in syntax and algorithms; be careful, earlier versions differ. Copy the necessary files and proceed to the settings:

mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
cp -r ./vars.example ./vars
nano vars

Sample vars. The syntax has changed a bit; edit at your discretion.

set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "California"
set_var EASYRSA_REQ_CITY        "San Francisco"
set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "me@example.net"
set_var EASYRSA_REQ_OU          "My Organizational Unit"

Then we generate the keys and move them to the working folder (initializing the config file ./vars is no longer required):

./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
./easyrsa gen-req vpn-server nopass
./easyrsa sign-req server vpn-server
mkdir /etc/openvpn/keys
cp -r pki/* /etc/openvpn/keys/

Now the actual OpenVPN config:

nano /etc/openvpn/server.conf

Add the following lines:

mode            server

dev             tun_obfs4

# the protocol must always be tcp
proto           tcp

port 1515

# Optimizing TCP tunnel
# gathers small packets into one larger packet,
# reduces load on the server and the client,
# slightly increases ping when there is no traffic
socket-flags    TCP_NODELAY

persist-tun
persist-key

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/issued/vpn-server.crt
key /etc/openvpn/keys/private/vpn-server.key
dh /etc/openvpn/keys/dh.pem

topology subnet

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

push "redirect-gateway def1 bypass-dhcp"

client-to-client

keepalive 60 300

# disable encryption
# the openvpn client and server will complain that the traffic is not encrypted
data-ciphers none
cipher none

tun-mtu 1500

status /var/log/openvpn/openvpn-status.log
log  /var/log/openvpn/openvpn.log

verb 3

###########################################
# do not specify tls-server
# do not generate the ta.key file
#
# do not specify comp-lzo
# it does not play well with obfuscation
###########################################

Restart the service:

service openvpn restart

Now running ifconfig should show our tun_obfs4 interface. Great, the OpenVPN server is up.

Creating a client

./easyrsa build-client-full client nopass

To connect the client to the server, copy the following files to it:

/etc/openvpn/easy-rsa/pki/ca.crt
/etc/openvpn/easy-rsa/pki/issued/client.crt
/etc/openvpn/easy-rsa/pki/private/client.key

iptables setup

If the server is to be used only via obfs4, open port 1516. If mobile phones and other devices that cannot connect via obfs4 are to be used as well, additionally open the direct OpenVPN port 1515 (keep in mind that with cipher none in the config, connections arriving on that direct port carry the OpenVPN traffic unencrypted). And allow traffic forwarding for NAT:

iptables -I INPUT -p tcp -m tcp --dport 1516 -j ACCEPT
iptables -t nat -A POSTROUTING -o ens3 -s 10.8.0.0/24 -j MASQUERADE
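The server.conf above binds OpenVPN's plaintext port 1515 on every interface and relies on the firewall alone to keep it off the network. The following check is an added example, not part of the original post: it parses `ss -ltn` output and confirms that the obfs4 port is listening on a wildcard address while port 1515 is bound only to loopback. The port numbers are the post's; the sample `ss` output is constructed, and the "good" sample assumes OpenVPN was restricted to loopback with the `local 127.0.0.1` directive, which is not in the post's config.

```shell
#!/bin/sh
# Added example, not from the original post: audit the server's listening
# sockets so that only the obfs4 port faces the network while the plaintext
# OpenVPN port is reachable only via loopback. Port numbers are the post's;
# the sample `ss -ltn` output below is constructed.

OBFS_PORT=1516   # obfs4 listener from the dispatcher's -bindaddr
OVPN_PORT=1515   # OpenVPN "port 1515", carrying cipher none traffic

# Constructed sample of `ss -ltn` output for a server where OpenVPN was
# restricted to loopback (assumed: "local 127.0.0.1" added to server.conf).
SAMPLE_SS_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:1516        0.0.0.0:*
LISTEN 0      128    127.0.0.1:1515      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Constructed sample for the post's default server.conf, which binds 1515 on
# every interface and relies on the firewall alone.
SAMPLE_SS_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:1516        0.0.0.0:*
LISTEN 0      128    0.0.0.0:1515        0.0.0.0:*'

# Turn ss output on stdin into "<address> <port>" lines, one per listener.
# The port is everything after the last colon, so [::]:1516 is handled too.
listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print addr, port
    }'
}

# Succeed if the obfs4 port is bound on a wildcard address.
obfs_listening() {
    listeners | awk -v p="$OBFS_PORT" 'BEGIN { found = 0 }
        $2 == p && ($1 == "0.0.0.0" || $1 == "*" || $1 == "[::]") { found = 1 }
        END { exit !found }'
}

# Succeed if every binding of the plaintext port is on loopback;
# print the offending bindings otherwise.
plaintext_loopback_only() {
    listeners | awk -v p="$OVPN_PORT" 'BEGIN { bad = 0 }
        $2 == p && $1 != "127.0.0.1" && $1 != "[::1]" { print "exposed:", $0; bad = 1 }
        END { exit bad }'
}

# Run both checks on ss output from stdin; returns 0 only if both pass.
audit_listeners() {
    input=$(cat)
    printf '%s\n' "$input" | obfs_listening \
        || { echo "obfs4 port $OBFS_PORT is not listening"; return 1; }
    printf '%s\n' "$input" | plaintext_loopback_only \
        || { echo "plaintext OpenVPN port $OVPN_PORT is exposed"; return 1; }
    echo "ok: only port $OBFS_PORT faces the network"
}

# Live use on the server:  ss -ltn | audit_listeners
```

If the direct port 1515 is deliberately opened for devices that cannot run obfs4, the second check will report it as exposed; that is the intended reminder that those connections are not encrypted.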

This completes the server setup.

Debugging on the server

shapeshifter-dispatcher always writes an error like this to the dispatcher.log file:

2023/01/13 06:34:13 [INFO]: initializing transparent proxy
2023/01/13 06:34:13 [INFO]: initializing TCP transparent proxy
2023/01/13 06:34:13 [NOTICE]: dispatcher-0.0.7-dev - launched
2023/01/13 06:34:13 [INFO]: initializing server transport listeners
2023/01/13 06:34:13 [INFO]: shapeshifter-dispatcher - initializing server transport listeners
2023/01/13 06:34:13 [ERROR]: Error resolving Extended OR address "missing port in address"
2023/01/13 06:34:13 [INFO]: shapeshifter-dispatcher - accepting connections
2023/01/13 06:34:13 [INFO]: obfs4 - registered listener: [scrubbed]:1516

What causes it is unknown, but it works stably.
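Because that ERROR line is expected, simply grepping dispatcher.log for "ERROR" is not a useful health check. The script below is an added example, not part of the original post: it treats the "Extended OR address" message as known and harmless, reports any other ERROR line, and confirms that the listener registered on the expected port and that connections are being accepted. The sample log is constructed from the lines shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: decide from dispatcher.log whether
# the obfs4 listener came up, ignoring the known benign "Extended OR address"
# error the post describes and reporting any other ERROR line.
# The sample log below is constructed from the lines shown in the post.

KNOWN_BENIGN='Error resolving Extended OR address'

SAMPLE_LOG='2023/01/13 06:34:13 [INFO]: initializing transparent proxy
2023/01/13 06:34:13 [NOTICE]: dispatcher-0.0.7-dev - launched
2023/01/13 06:34:13 [ERROR]: Error resolving Extended OR address "missing port in address"
2023/01/13 06:34:13 [INFO]: shapeshifter-dispatcher - accepting connections
2023/01/13 06:34:13 [INFO]: obfs4 - registered listener: [scrubbed]:1516'

# Print ERROR lines other than the known benign one; succeed if there are none.
unexpected_errors() {
    awk -v benign="$KNOWN_BENIGN" 'BEGIN { bad = 0 }
        index($0, "[ERROR]") && !index($0, benign) { print; bad = 1 }
        END { exit bad }'
}

# Succeed if the log shows a listener registered on the given port
# and the dispatcher accepting connections.
listener_up() {
    awk -v port="$1" 'BEGIN { reg = 0; acc = 0 }
        index($0, "registered listener:") && index($0, ":" port) { reg = 1 }
        index($0, "accepting connections") { acc = 1 }
        END { exit !(reg && acc) }'
}

# Combine both checks on a log read from stdin; $1 is the expected port.
dispatcher_healthy() {
    log=$(cat)
    printf '%s\n' "$log" | listener_up "$1" \
        || { echo "listener on port $1 not registered"; return 1; }
    printf '%s\n' "$log" | unexpected_errors \
        || { echo "unexpected errors in log"; return 1; }
    echo "dispatcher healthy on port $1"
}

# Live use on the server:  dispatcher_healthy 1516 < /var/lib/state/dispatcher.log
```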

Setting up the client for Windows

Download the archive with the builds. Place the appropriate executable, shapeshifter-dispatcher-386.exe or shapeshifter-dispatcher-amd64.exe, in the C:\shapeshifter-dispatcher folder.

Create a .bat file with the following content:

@echo off
cd C:\Program Files\OpenVPN\bin
openvpn-gui.exe --connect client.ovpn
cd C:\shapeshifter-dispatcher\
shapeshifter-dispatcher-amd64.exe -transparent -client -state state -target 45.45.45.45:1516 -transports obfs4 -proxylistenaddr 127.0.0.1:1515 -optionsFile obfs4.json -logLevel DEBUG -enableLogging

In -target 45.45.45.45:1516, change the IP to your own.

In the C:\shapeshifter-dispatcher\state folder, create the obfs4.json file with the content:

{"cert": "uXsRLSgnHHI0JwGE+uPFRVCnGLIZesduokAAbMGy7cTxdErirK8aYWcrFol7Nr6k/c6pAw", "iat-mode": "0"}

In the "cert" field we insert our key, the one generated by the server.
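Copying the cert value out of obfs4_bridgeline.txt by hand (the step in the server section) and pasting it into obfs4.json here is where typos creep in. The script below is an added example, not part of the original post or of Shapeshifter Dispatcher: it extracts the cert= value from the bridge line the server wrote, sanity-checks its format, and emits the obfs4.json the client dispatcher reads via -optionsFile. The file paths are the post's; the sample bridge line is constructed, reusing the cert value shown in the post's obfs4.json.

```shell
#!/bin/sh
# Added example, not from the original post: pull the cert= value out of the
# obfs4_bridgeline.txt the server wrote and produce the obfs4.json the client
# dispatcher reads with -optionsFile. Paths are the post's; the sample bridge
# line below is constructed, reusing the cert value shown in the post.

# Constructed stand-in for /var/lib/state/obfs4_bridgeline.txt.
SAMPLE_BRIDGELINE='# obfs4 torrc client bridge line
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=uXsRLSgnHHI0JwGE+uPFRVCnGLIZesduokAAbMGy7cTxdErirK8aYWcrFol7Nr6k/c6pAw iat-mode=0'

# Print the cert= value found on stdin (first match only); fail if there is none.
extract_cert() {
    cert=$(sed -n 's|.*cert=\([A-Za-z0-9+/=]*\).*|\1|p' | head -n 1)
    [ -n "$cert" ] || return 1
    printf '%s\n' "$cert"
}

# An obfs4 cert is 52 bytes (20-byte node ID + 32-byte public key) encoded as
# unpadded base64, i.e. exactly 70 characters from the base64 alphabet.
check_cert_format() {
    case "$1" in
        ''|*[!A-Za-z0-9+/]*) return 1 ;;
    esac
    [ "${#1}" -eq 70 ]
}

# Emit the obfs4.json used by the client; iat-mode defaults to 0 as in the post.
make_obfs4_json() {
    printf '{"cert": "%s", "iat-mode": "%s"}\n' "$1" "${2:-0}"
}

# Typical use on the server (state dir as in the post), then copy obfs4.json
# to the client's state folder:
#   cert=$(extract_cert < /var/lib/state/obfs4_bridgeline.txt)
#   check_cert_format "$cert" && make_obfs4_json "$cert" > obfs4.json
```

The length check is worth keeping: a cert that is one character short is not rejected by the client dispatcher until the first connection attempt fails, while the check fails immediately.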

It remains to create the config file for the OpenVPN client, C:\Users\client\OpenVPN\config\client.ovpn, with the following content:

client

dev tun

remote 127.0.0.1 1515
proto tcp
socket-flags    TCP_NODELAY

persist-key
persist-tun

cipher none
data-ciphers none

tun-mtu 1500

ca C:\\Users\\client\\OpenVPN\\config\\keys\\ca.crt
cert C:\\Users\\client\\OpenVPN\\config\\keys\\client.crt
key C:\\Users\\client\\OpenVPN\\config\\keys\\client.key

And give it the key files we downloaded from the server earlier (in the keys folder referenced by the config):

/etc/openvpn/easy-rsa/pki/ca.crt
/etc/openvpn/easy-rsa/pki/issued/client.crt
/etc/openvpn/easy-rsa/pki/private/client.key

The .bat file will launch the OpenVPN client followed by the obfuscator in one click.

Enjoy hidden traffic and a very simple Windows setup.

Setting up a client for Linux (Ubuntu 22.04)


Setting up the macOS client

The archive contains a ready-made build that allows running OpenVPN with obfuscation, but I have no experience with this OS. If anyone wishes, the article can be extended.

Client setup for arm/mips/mipsle

I managed to compile builds for these architectures and tried running them on a budget TL-WR841N router under OpenWrt, but alas, it didn’t work out. Perhaps someone will be able to run them on single-board systems like the Raspberry Pi, or these builds will come in handy in the future…

Downloads

Ready builds

Sources
