computerscot.github.io

OpenVPN + Obfs4

August 23, 2023

In this post you obfuscate OpenVPN using the Tor Project's obfs4 obfuscator.

Ubuntu server

It is assumed that you are using Ubuntu 22.04 and logged in as root.

1. Open firewall

Choose a port on which obfs4 will accept input. We will use 8443 in our examples.

Open this port (e.g. tcp/8443) in your server firewall.

2. Install and configure OpenVPN

Install OpenVPN:

apt update && apt upgrade -y
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh

The script prompts you to answer various questions. You can accept the defaults except:

At the end of the script's run, you are prompted to choose a name for the client, e.g. xxxxxxxx. The script then generates a client configuration file named, for example, xxxxxxxx.ovpn.

3. Install obfs4

Install the prerequisite package for obfs4:

apt install -y apt-transport-https

Create a new file /etc/apt/sources.list.d/tor.list. Since Ubuntu 22.04 is jammy, insert these entries:

deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main

Download the gpg key used to sign the packages:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Install the package for obfs4:

apt update
apt install -y obfs4proxy

The program is installed to /usr/bin/obfs4proxy.

4. Set environment variables

mkdir /root/pt_state
export TOR_PT_MANAGED_TRANSPORT_VER="1"
export TOR_PT_STATE_LOCATION="/root/pt_state"
export TOR_PT_SERVER_TRANSPORTS="obfs4"
export TOR_PT_SERVER_TRANSPORT_OPTIONS="obfs4:iat-mode=0"
export TOR_PT_SERVER_BINDADDR="obfs4-0.0.0.0:8443"
export TOR_PT_ORPORT="127.0.0.1:1194"

5. Launch obfs4

screen -S obfs4
printenv | grep TOR
obfs4proxy

The cert and iat-mode are displayed, but we will redisplay them in a moment.

Press Ctrl+a then d to detach from the screen session. You can reattach to the screen session at any time by issuing the command screen -r obfs4.

6. Redisplay bridge line

cat /root/pt_state/obfs4_bridgeline.txt

Make a note of the value of cert, as you will need it on the client. Example:

Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=KQ7p0ARAzAx0Rm+5PhvxRrPWHS7ekk7IDXmtkBnnpe2A9Fl/rK5d2e08cfAiS1UsfFFVbQ iat-mode=0

This is the end of the server work for now:

exit

Windows client

Our client in this tutorial runs Windows.

1. Install OpenVPN

Install the OpenVPN client from https://openvpn.net/community-downloads. For Windows you get an installer named OpenVPN-2.6.6-I001-amd64.msi, which you must run to install the Windows OpenVPN GUI client. There is no problem if you get a warning at the end to say that there are no connection profiles (configuration files) yet.

2. Download client configuration

Download the OpenVPN client configuration file that you generated on the server. In PowerShell, issue the command:

scp root@YOUR.SERVER.IP.ADDRESS:xxxxxxxx.ovpn Downloads

Do not import the client configuration file into the Windows OpenVPN GUI client just yet. You have to make a few changes to it. We will do that toward the end of the client set-up.

3. Download obfs4

Download Tor Expert Bundle for Windows from https://www.torproject.org/download/tor.

Use 7-Zip to extract tor-expert-bundle-12.5.2-windows-x86_64.tar.gz to tor-expert-bundle-12.5.2-windows-x86_64.tar.

Then extract the .tar file to give data and tor folders.

Inside tor\pluggable_transports you will see lyrebird.exe, which is the new name for the obfs4 program.

To make it easier to find, copy lyrebird.exe up to your Downloads folder (C:\Users\YOURUSERNAME\Downloads).

4. Start obfs4

Open a Command Prompt window.

Issue these commands, replacing YOURUSERNAME by your actual Windows username.

set TOR_PT_MANAGED_TRANSPORT_VER=1
set TOR_PT_STATE_LOCATION=C:\Users\YOURUSERNAME\Downloads\pt_state
set TOR_PT_CLIENT_TRANSPORTS=obfs4
cd Downloads
set | findstr TOR
lyrebird.exe -enableLogging -logLevel WARN

Keep it running (i.e. do not close the terminal window).

Make a note of the randomly generated listening port number. We'll designate it by YYYYY. You will need it in a moment for the OpenVPN configuration. Example:

VERSION 1
CMETHOD obfs4 socks5 127.0.0.1:51045
CMETHODS DONE

5. Create socks5_auth file

Use Notepad to create a new file. It has precisely two lines. Example:

cert=KQ7p0ARAzAx0Rm+5PhvxRrPWHS7ekk7IDXmtkBnnpe2A9Fl/rK5d2e08cfAiS1UsfFFVbQ;
iat-mode=0

Save the file as C:\Users\YOURUSERNAME\Downloads\socks5_auth. Make sure Notepad does not add an extraneous .txt at the end of the file name.

6. Edit OpenVPN configuration

Edit your downloaded OpenVPN client configuration file xxxxxxxx.ovpn to include the following. Replace YYYYY by your actual obfs4 (lyrebird.exe) local listening port number. Replace YOURUSERNAME by your actual Windows username.

socks-proxy 127.0.0.1 YYYYY C:\\Users\\YOURUSERNAME\\Downloads\\socks5_auth

Change the apparent destination port on the remote line to tcp/8443, replacing XX.XX.XX.XX by your server's public IP address:

remote XX.XX.XX.XX 8443

Also add this line, replacing XX.XX.XX.XX by your server's public IP address:

route XX.XX.XX.XX 255.255.255.255 net_gateway

And add these lines:

tls-timeout 4
connect-retry-max 3

Save the revised file xxxxxxxx.ovpn.
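
The socks5_auth file from step 5 and the edits from step 6 can be derived from the server's bridge line and lyrebird's CMETHOD output. The Python below is an added example, not part of the original post: the function names and the sample profile are made up for illustration, and the cert check assumes the obfs4 encoding of a 52-byte value as 70 base64 characters, so a cert that was truncated while copying is caught before OpenVPN ever tries to connect.

```python
import base64
import re

# Constructed sample inputs, in the formats shown in this post.
BRIDGE = ("Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=KQ7p0ARAzAx0Rm+5Phvx"
          "RrPWHS7ekk7IDXmtkBnnpe2A9Fl/rK5d2e08cfAiS1UsfFFVbQ iat-mode=0")
LYREBIRD = "VERSION 1\nCMETHOD obfs4 socks5 127.0.0.1:51045\nCMETHODS DONE\n"
PROFILE = "client\ndev tun\nremote XX.XX.XX.XX 1194\nremote-cert-tls server\n"

def parse_bridge_line(line):
    """Extract and validate cert and iat-mode from an obfs4 bridge line."""
    args = dict(t.split("=", 1) for t in line.split() if "=" in t)
    cert, iat = args.get("cert", ""), args.get("iat-mode", "")
    # A cert is 52 bytes (node ID + public key) in base64 without the "=="
    # padding, so a complete one is exactly 70 characters long.
    if len(cert) != 70 or len(base64.b64decode(cert + "==", validate=True)) != 52:
        raise ValueError("cert is truncated or mangled")
    if iat not in ("0", "1", "2"):
        raise ValueError("iat-mode must be 0, 1 or 2")
    return cert, iat

def parse_cmethod(output):
    """Return the local SOCKS5 port (YYYYY) from lyrebird's CMETHOD line."""
    m = re.search(r"^CMETHOD obfs4 socks5 127\.0\.0\.1:(\d+)\s*$", output, re.M)
    if not m:
        raise ValueError("no 'CMETHOD obfs4 socks5' line in lyrebird output")
    return int(m.group(1))

def socks5_auth(cert, iat):
    """Line 1 is sent as the SOCKS5 username and line 2 as the password; the
    ';' ending line 1 separates the two arguments once they are joined."""
    return f"cert={cert};\niat-mode={iat}\n"

def patch_ovpn(profile, server_ip, obfs4_port, socks_port, auth_path):
    """Replace the remote line and add the step 6 directives to a profile."""
    drop = ("remote ", "socks-proxy ", "tls-timeout ", "connect-retry-max ",
            f"route {server_ip} ")
    kept = [l for l in profile.splitlines() if not l.startswith(drop)]
    added = [f"remote {server_ip} {obfs4_port}",
             "socks-proxy 127.0.0.1 %d %s"  # backslashes in the path are doubled
             % (socks_port, auth_path.replace("\\", "\\\\")),
             f"route {server_ip} 255.255.255.255 net_gateway",
             "tls-timeout 4", "connect-retry-max 3"]
    return "\n".join(added + kept) + "\n"

if __name__ == "__main__":
    print(socks5_auth(*parse_bridge_line(BRIDGE)), end="")
    print(patch_ovpn(PROFILE, "XX.XX.XX.XX", 8443, parse_cmethod(LYREBIRD),
                     r"C:\Users\YOURUSERNAME\Downloads\socks5_auth"), end="")
```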

7. Import OpenVPN configuration

In the OpenVPN GUI, Import the OpenVPN client configuration file xxxxxxxx.ovpn.

8. End-to-end connect

In the OpenVPN GUI, Connect the client to the server.

Open a browser and test your connection.