How to bypass DPI for OpenVPN

Bob Kfir
Bob Kfir
May 18, 2018 · 2 min read

If you’ve ever been on a network that blocks OpenVPN, even when running on TCP 443, you might think you’r e out of options.

Well, you’re not, because you can hide OpenVPN traffic behind an SSH tunnel. This makes all traffic appear to be SSH, which has a lower likelihood of being blocked.


DPI, or Deep Packet Inspection, is a method of filtering packets that can determine the type of packet it is(i.e. HTTPS, OpenVPN,SSH, etc.). This is often used to restrict access to certain services, making it harder to bypass the firewall. However, if one protocol is not blocked, it can sometimes be used to mask another protocol that is blocked, such as SSH encapsulating OpenVPN traffic.

Creating the SSH tunnel

Creating the SSH tunnel is quite simple. All you need to do is make sure you have OpenVPN running on a TCP port(such as TCP 443), and run the following command:

ssh -L 1194:localhost:1194 server

Replace server with what you usually use to log in(i.e. This will create a tunnel listening on localhost 1194/tcp and forward it to the remote server on port 1194/tcp.

Setting up OpenVPN

Next, you’ll need to configure OpenVPN to actually use the SSH tunnel instead of connecting directly to the external server. Simply edit your .ovpn file, and replace the remote line(s) with:

proto tcp 
remote localhost 1194

This will tell OpenVPN to send all traffic through the SSH tunnel.

Why not just an SSH tunnel?

Well, one reason is that when using OpenVPN through SSH, all traffic is sent through the VPN, instead of just the applications you’ve configured to go through the SSH tunnel. Another reason is mobile support; there are many SSH apps that support setting up SSH tunnels, but very few(or no) iOS apps support using a SOCKS proxy.

Setting this up on iOS

I needed to set this up on iOS a few days ago, so here’s how I did it:

  1. Install the Termius app, and set up local port forwarding with the following settings:
  • Host: your server
  • Port from: 1194
  • Destination: your server’s IP address/hostname
  • Port to: 1194

2. Edit the .ovpn file and email it to your phone, then import it into the OpenVPN app

3. Click on the port forwarding setting you just created in Termius to enable it

4. Try to connect to your VPN

You should now be able to bypass firewalls on both your iPhone/iPad/iPod touch and any Linux-based operating system. If you’re on Windows, then I guess you can use , but you should really switch to Linux 🙂


Bob Kfir’s Tech Blog

The predecessor of

Bob Kfir

Written by

Bob Kfir

I’m a writer and a programmer who likes writing about technology and writing. My tech content is available @

Bob Kfir’s Tech Blog

The predecessor of

More From Medium

More from Bob Kfir’s Tech Blog

More from Bob Kfir’s Tech Blog

How Secure is iMessage?

More from Bob Kfir’s Tech Blog

More from Bob Kfir’s Tech Blog

Why Your VPN Is Useless

More from Bob Kfir’s Tech Blog

More from Bob Kfir’s Tech Blog

Will VPNs Become Obsolete In 2019?

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade