If you’ve ever been on a network that blocks OpenVPN, even when running on TCP 443, you might think you’r e out of options.
Well, you’re not, because you can hide OpenVPN traffic behind an SSH tunnel. This makes all traffic appear to be SSH, which has a lower likelihood of being blocked.
DPI, or Deep Packet Inspection, is a method of filtering packets that can determine the type of packet it is(i.e. HTTPS, OpenVPN,SSH, etc.). This is often used to restrict access to certain services, making it harder to bypass the firewall. However, if one protocol is not blocked, it can sometimes be used to mask another protocol that is blocked, such as SSH encapsulating OpenVPN traffic.
Creating the SSH tunnel
Creating the SSH tunnel is quite simple. All you need to do is make sure you have OpenVPN running on a TCP port(such as TCP 443), and run the following command:
ssh -L 1194:localhost:1194 server
Replace server with what you usually use to log in(i.e.
firstname.lastname@example.org). This will create a tunnel listening on localhost 1194/tcp and forward it to the remote server on port 1194/tcp.
Setting up OpenVPN
Next, you’ll need to configure OpenVPN to actually use the SSH tunnel instead of connecting directly to the external server. Simply edit your
.ovpn file, and replace the remote line(s) with:
remote localhost 1194
This will tell OpenVPN to send all traffic through the SSH tunnel.
Why not just an SSH tunnel?
Well, one reason is that when using OpenVPN through SSH, all traffic is sent through the VPN, instead of just the applications you’ve configured to go through the SSH tunnel. Another reason is mobile support; there are many SSH apps that support setting up SSH tunnels, but very few(or no) iOS apps support using a SOCKS proxy.
Setting this up on iOS
I needed to set this up on iOS a few days ago, so here’s how I did it:
- Install the Termius app, and set up local port forwarding with the following settings:
- Host: your server
- Port from: 1194
- Destination: your server’s IP address/hostname
- Port to: 1194
2. Edit the .ovpn file and email it to your phone, then import it into the OpenVPN app
3. Click on the port forwarding setting you just created in Termius to enable it
4. Try to connect to your VPN
You should now be able to bypass firewalls on both your iPhone/iPad/iPod touch and any Linux-based operating system. If you’re on Windows, then I guess you can use Putty, but you should really switch to Linux 🙂