How to hide OpenVPN traffic using Obfsproxy on a Windows PC and Linux EC2 server
In this tutorial, we will guide you through how to set up Obfsproxy with a homemade OpenVPN server and a Windows PC. This prevents censors and firewalls from using deep packet inspection to determine whether you are encrypting traffic, which you are by using OpenVPN.
This tutorial assumes you have a functioning OpenVPN server and Windows client already set up on an Amazon Web Services EC2 instance. Check out our previous OpenVPN server tutorial on how to do that.
Obfsproxy should prevent your VPN from being blocked by censors in countries like China. We have confirmed it also bypasses the VPN ban on Netflix.
Before we begin
Obfsproxy, short for obfuscation proxy, was adopted by the Tor community. In their words:
“Obfsproxy is a tool that attempts to circumvent censorship, by transforming the Tor traffic between the client and the bridge. This way, censors, who usually monitor traffic between the client and the bridge, will see innocent-looking transformed traffic instead of the actual Tor traffic.”
Obfsproxy, however, is actually independent of Tor, so it can also be used to obfuscate OpenVPN traffic.
For Obfsproxy to work with OpenVPN, we’ll need to configure it on both the client and server side. Some VPN providers, including NordVPN and AirVPN, offer pre-configured servers, so you only need to configure the client side. This tutorial will explain both.
Here’s a list of what you’ll need:
- A functional OpenVPN server on an Amazon Linux EC2 instance similar to the one in our previous tutorial
- The OpenVPN Connect GUI (client-side app)
- Python 2.7
- Microsoft C++ Compiler for Python 2.7
- OpenSSL Light for Windows
- ProxySwitchy Sharp or an equivalent proxy software
Client-side Obfsproxy configuration on Windows
We’ll start with the client-side configuration, because some people won’t need to do the server-side setup if their VPN provider already offers pre-configured servers.
Thankfully, NordVPN has already done you the courtesy of bundling most of the required dependencies together in a single .zip file. Download it here.
Start by installing Python 2.7 in the default directory with the default settings. Obfsproxy is a Python program, so you’ll need it to install. If you have a more recent version of Python, such as 3.3 or 3.4, we recommend you install 2.7 anyway. You can find the installation file in the Step 3 folder of NordVPN’s zip file (we’re skipping the step 1 and 2 folders).
Next we need to install the Microsoft C++ Compiler for Python 2.7 from the step 4 folder. There is no such compiler for later versions of Python. You might be able to find a workaround using MS Visual Studio or the Numby package, but we found it much less of a pain just to install Python 2.7.
Once you have installed the C++ compiler using the default settings and directory, move on to the step 5 folder. Install OpenSSL Light, again, using all the default settings. You might be prompted for a donation after installing. Hit Finish, then close the pop up window if you don’t wish to donate.
Bookmark this page, restart your computer, and open this page again.
Obfsproxy and OpenVPN setup
You now have everything you need to run Obfsproxy, but we still need to configure it so it can be used with OpenVPN. We’ll start by modifying our existing .ovpn files in the OpenVPN directory. If you haven’t set up OpenVPN yet, please refer to our previous tutorial. If you installed OpenVPN in the default directory, you’ll find the config files in C:/Program Files/OpenVPN/config.
Find Notepad or another text editor, right click it, and choose “Run as Administrator.” Open the config file you use to connect to your OpenVPN server normally. Click File > Save As and name it something else so we have a copy to work with without worrying about screwing up the original.
We’ll modify the config file to look like the following:
remote <your-server-IP> 8080
ifconfig 10.4.0.2 10.4.0.1
socks-proxy 127.0.0.1 10194
Notice the addition of two lines at the bottom, plus a port number on the end of the remote line. Replace <your-server-IP> with the IP address of your Amazon EC2 instance. Unless you’ve set up an elastic IP on Amazon, this address will change every time you stop and start your instance, so remember to change it if needed. On the remote line, the port number can be anything outside of the reserved range of ports. We use 8080 because it’s pretty compatible with almost all web servers, but 21194 is suggested on the OpenVPN wiki. Just remember that whatever you put here must match what we configure on the server side later on.
If you’re connecting to a pre-configured server owned by your VPN provider, the config files should be provided for you (the step 2 folder for NordVPN users).
Save your new config file, making sure not to overwrite the old one. Also make sure your text editor doesn’t automatically append the file name with .txt. It should be a .ovpn file.
Now that OpenVPN is configured, we need to install and run Obfsproxy. This is where your new Python installation comes in. In your Windows search bar, type “Command Prompt.” Right click the Command Prompt application and hit “Run as administrator.” In the terminal, type the following commands one line at a time, hitting Enter after each.
pip install –-upgrade pip
pip install obfsproxy
obfsproxy --log-min-severity=info obfs2 --shared-secret=<some-random-key> socks 127.0.0.1:10194
After the second command, you may see some errors or warnings. Ignore them for now.
Here you need to replace <some-random-key> with a password of your choice. Remember or write down this password, as you’ll need it later on. If you’re connecting to pre-configured servers provided by your VPN service, this command will be provided for you.
After the last line, your command prompt should tell you that it’s listening for obfsproxy traffic, as in the screenshot. Note in the screenshot I forgot to type in my own password on the first attempt.
You will have to navigate to the Scripts directory (first command), enter the Obfsproxy command (last command), and leave your command prompt open whenever you want to use Obfsproxy.
Proxy setup (optional)
Edit: This step is not necessary for Obfsproxy to function, but it is necessary if you want to use your Obfsproxy+VPN connection to watch Netflix and other streaming video sites from outside the US (or whatever country your VPN server is in). Otherwise, Netflix will be set to the incorrect region.
The last thing we need to do on the client side is set up a proxy connection. This differs for each application. You can set it up in the Windows Internet settings, but I prefer to do it on an app-by-app basis. On native apps that use the internet, you can usually set up a proxy somewhere in the settings. The fields are as follows:
- SOCKS host: 127.0.0.1
- Port: 8080 (or whatever you put in your OpenVPN config file on the remote line)
- SOCKS version 5 (SOCKS5)
On a browser, the easiest way to set this up is with a proxy extension. We’ll show you how to use Proxy Switchy Sharp on Chrome.
In the ProxySwitchy settings, create a new profile. With Manual Configuration selected, type in the above settings as pictured below. Name it whatever you like. We’re not going to turn this on until we’ve established a connection with the server, so hold tight.
Obfsproxy server configuration on Linux EC2 instance
Your PC is ready to connect, so now we need to prepare the server.
AWS Security Group
Before you install and run obfsproxy on the server, you may need to add a new rule to your server’s security group to make sure the EC2 instance’s firewall doesn’t block traffic. To do this, log into your AWS account, then click EC2. Under Network and Security, go to Security Groups.
Here you can choose to create a new security group and add it to your server or modify an existing one. Right click a rule and select “Edit inbound rules”. Under Type, select all TCP traffic (note: ignore the custom custom rule in the screenshot, as we’ve since updated this tutorial), then set source to “My IP” or the IP of whatever device(s) you plan to connect with. Then right click and go to “edit outbound rules.” Under type, simply select the dropdown option for “all traffic.”
If you made a new security group, click Instances in the left sidebar, right click your VPN instance, scroll down to Networking, and click Change Security Groups. Check your new security group and hit Save.
Obfsproxy server setup
Use PuTTy to connect to your server through SSH. If you don’t remember how to do this or you didn’t save a profile, please refer to our previous tutorial. Remember that in the Amazon Linux AMI server distribution, the username is “ec2-user”. Run OpenVPN using this command:
sudo service openvpn start
Make sure that your OpenVPN configuration file on the server (etc/openvpn/openvpn.conf) has port 1194 open, as per our previous tutorial.
Python should already be installed if you’re using the Linux 14.04 server distribution. In the PuTTy terminal, enter the following commands one line at a time, and hit enter after each:
sudo yum install gcc
sudo pip install obfsproxy
obfsproxy --log-min-severity=info obfs2 --dest=127.0.0.1:1194 --shared-secret=<some-random-key> server 0.0.0.0:8080
For the first command, older versions of Linux may use “apt-get” in lieu of “yum”.
Remember to replace <some-random-key> in the last command with the same password you used on the client side.
You should see a similar message on this terminal as on your command prompt, indicating that server is listening on port 8080 for obfsproxy traffic.
Connecting through Obfsproxy
You are set to connect. With Obfsproxy running on both your local machine (command prompt) and your server (PuTTy), run the OpenVPN GUI. Right click it and connect using your new config. The OpenVPN icon should turn green and a notification with your assigned IP should appear.
If you want to watch Netflix or some other geo-blocked content, enable the proxy settings in your applications. For Proxy Switchy on Chrome, click the icon in the top right corner and select the profile you created in the optional section above. You may also add the proxy in the Windows Internet settings.
Congratulations! Your OpenVPN traffic is now indistinguishable from normal HTTP traffic thanks to Obfsproxy.
Automating the process
As you might have concluded, running obfsproxy on the client-side every time you want to use it can get a bit tedious. To automate the process, one user has created a Windows installer that runs Obfsproxy as a service that starts on boot. You can download it and find instructions here.