Get CactusVPN for $3.5/mo!
The term “VPN obfuscation” is used so much on landing pages and VPN provider websites that it might start to feel like weird marketing lingo for many of you. In fact, a lot of you likely heard about it but don’t really know what it is or how it works - just that it can help you somehow.
Well, it’s not really such a complicated feature, though most online articles make it seem so. Here’s all you need to know about obfuscated VPN services in simple terms:
VPN obfuscation normally goes hand in hand with OpenVPN since it’s one of the most popular protocols. It’s also pretty easy to detect since it has a unique signature. Some obfuscation methods might work with other VPN protocols, but you’re gonna have to talk with your provider about that.
And to avoid any confusion, keep in mind that VPN providers can also call obfuscation “stealth mode”, “stealth VPN,” or “VPN cloaking.”
Yep, like we just said OpenVPN actually has a recognizable signature. And ISPs and governments can detect OpenVPN traffic by using DPI (Deep Packet Inspection) – a way to control network traffic.
And DPI can actually use advanced packet filtering to block OpenVPN traffic once it spots data packets with OpenVPN payload.
If you’d like to learn more about DPI, follow this link.
Some VPN providers might say they have obfuscated servers. That basically means they configured their VPN servers to support obfuscation technology.
To avoid confusion, VPN providers will normally mark obfuscated servers as a separate category so that users who really need them can access them quickly.
How an obfuscated VPN hides OpenVPN traffic really depends on what kind of obfuscation technique they use. You can read about that in the next section, but for now (to keep things simple), we’ll just give you a basic example of how this would work.
To get around firewalls that block OpenVPN and DPI, obfuscation would remove all VPN-related data from the OpenVPN data packet Header, making it very difficult for anyone to tell it’s a VPN data packet.
Besides that, VPN obfuscation would normally assign port number 443 to the data packet to further mask it. HTTPS traffic uses that port, so obfuscation would make VPN traffic resemble it that way.
VPN obfuscation isn’t just some random feature providers offer. They actually have to set it up, and they can do that in different ways. Here are the main methods VPN providers equip their services with obfuscation technology:
This works by adding a layer of SSL/SSH encryption to the VPN data to make sure DPI can’t break through it to spot the VPN protocol traffic.
It’s true that OpenVPN already uses SSL for encryption, but few people know it’s actually a modified version of it. In fact, it’s because of those modifications that DPI can spot OpenVPN traffic.
Just keep in mind that not many VPNs support built-in OpenVPN over SSL. It’s not surprising why seeing as how the setup process is pretty complex. The provider has to configure open-source software called stunnel on their servers, and you need to do the same on your device.
As for SSH, it’s reliable encryption, but it’s more suitable for corporations than average online users. You can use it, of course, but there really aren’t many services that offer OpenVPN over SSH out of the box. So, you need to talk with your provider about it. And yes, the setup process can be as difficult as it is for OpenVPN over SSL.
This is a patch for the OpenVPN protocol which adds obfuscation features to it. It does that by using the XOR cipher, a substitution-based algorithm. That basically means it will replace every alphanumerical in a data string with another numerical to mask OpenVPN traffic.
On its own, XOR is pretty bad since it uses weak encryption keys and it can’t really bypass government firewalls. What’s more, with the right frequency analysis tools, any government or hacker could break XOR. Hackers also like to use XOR to hide malware, so it’s not the most trustworthy cipher.
But if you pair up XOR with OpenVPN, you get decent encryption that more than makes up for XOR’s weak security. At the same time, OpenVPN traffic is fully masked. Normally, packet sniffers like Wireshark won’t detect your VPN connection as OpenVPN, but as UDP.
Still, there are some problems:
Obfsproxy is a subproject of Tor, and it uses an obfuscation layer to wrap VPN protocol data to hide it from DPI. The method relies on PT (Pluggable Transports) to change the way traffic flows between the VPN client and the VPN server.
Besides that, Obfsproxy also uses a handshake with no recognizable byte patterns. What that means is that it makes OpenVPN traffic look like simple HTTP traffic.
Since Obfsproxy is pretty lightweight, it doesn’t consume a great deal of bandwidth. That can be very useful if you live in or travel through a country with limited bandwidth.
While Obfsproxy can successfully hide VPN traffic, it does have some drawbacks:
If you want to learn more about Obfsproxy, we already have an in-depth article about it.
Created by a Chinese programmer back in 2012, Shadowsocks is an open-source obfuscation method based on the SOCKS5 proxy. The project had one goal – to help people in China get around government censorship in an undetectable way.
Shadowsocks hides VPN traffic by making it look like regular HTTPS traffic. And while it doesn’t have strong encryption, pairing it up with OpenVPN solves that problem.
Once again, the setup process can be pretty tough.
Alright, so VPN obfuscation can help you hide the fact that you use a VPN.
But why exactly should you use it since it’s so hard to set up, and not a lot of providers offer it?
Well, here are some reasons it could be useful:
ISPs can throttle user bandwidth, but did you know they can also throttle your VPN traffic?
Yep, if they have a problem with you using a VPN, they can slow down your speeds to discourage you from using it. And that’s a pretty effective method since your original speeds will already take a hit when you use a VPN.
But if you hide your traffic with an obfuscated VPN, your ISP will just think you’re browsing random websites.
If you look up “VPN illegal” on the web, you’ll see tons of articles showing lists of countries where VPNs are illegal.
Well, the information isn’t actually 100% accurate since not all countries with oppressive regimes enforce laws against VPN usage.
If you live in places like that or are traveling through them, VPN obfuscation is pretty much mandatory. It’s the only way to get around VPN blocks and avoid getting in legal trouble.
Plus, you might also face penalties for using a VPN to get around the firewall.
With VPN obfuscation, though, you can bypass firewalls without worrying too much since the admins will have a really, really hard time spotting your traffic.
How are they able to detect the traffic? It varies from streaming platform to streaming platform, but they normally use these methods:
Luckily, using an obfuscated VPN is a good way of bypassing these issues. Or, you know, just using a VPN that big streaming websites don’t target.
If you’re in a situation that requires a great deal of privacy, VPN obfuscation will really come in handy.
For example, if you’re a journalist who needs complete privacy to talk with sources (who might get in trouble for answering your questions) securely. Or, if you’re a whistleblower who is about to blow the lid off a huge scandal. Or, why not, if you’re an average online user who really cares about their privacy.
Whichever the case, using an obfuscated VPN will make sure ISPs, government surveillance agencies, and network admins don’t become suspicious because they see you using a VPN.
With CactusVPN, you can hide your OpenVPN traffic by using our obfsproxy support to defeat all VPN blocking methods.
Besides that, our service has all the features you need to keep your privacy intact.
We offer military-grade encryption, DNS leak protection, a Kill Switch, and a guaranteed zero-log policy.
Plus, we can currently unblock 300+ geo-restricted websites.
And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.
To make sure VPN obfuscation doesn’t slow down your speeds too much, or that it doesn’t suddenly leak your data if the connection goes down, do the following:
It might be very useful and offer extra privacy, but it isn’t without it’s faults. Being difficult to set up aside, governments and network admins have ways of stopping VPN obfuscation. Basically, they can:
They could either block well-known VPN server IP addresses, or force ISPs to monitor user connections and block the VPN server addresses they see. Don’t forget – VPN obfuscation will only hide VPN traffic, not the fact that you connect to a VPN IP address.
And ISPs (or surveillance agencies or network admins) can guess that you’re connecting to an IP address that belongs to a VPN provider because it won’t have a hostname associated with the DNS server, or there won’t be any DNS resolutions for client-server communications.
If they also notice you’re using port TCP or UDP port 443, they’ll know for sure you’re using a VPN.
Another thing governments and admins can do is just use firewalls to block access to VPN providers that offer obfuscation. There aren’t too many of them, so it wouldn’t be hard to add them to a list of blacklisted websites.
True, you could use a VPN or proxy that isn’t blocked to access the website. But your ISP or network admin will know you’re doing that if they use DPI.
You might also think you’re safe if you downloaded the VPN client before the website got blocked, but you’ll still deal with issues. After all, you won’t be able to update the app, and you won’t have access to the website where you can renew or change your subscription.
Since most obfuscation methods mask the traffic as HTTPS, governments or network admins could block all HTTPS traffic country-wide/network-wide to stop stealth VPN connections.
Of course, that’s just in theory. We have yet to hear of that happening. Though, if you use Obfsproxy which masks the VPN traffic as HTTP, firewalls could block the traffic. Not a lot of websites use HTTP, so it wouldn’t be a huge loss from the authorities’ perspective.
If not, they could just intercept your HTTPS traffic, decrypt it, and find out you’re using a VPN. It sounds like an unlikely scenario, but it’s actually already happening – in Kazakhstan to be precise. Local ISPs force users to install government-issued certificates on their devices which allow surveillance agencies to decrypt HTTPS traffic.
If other countries with oppressive regimes will do the same, VPN obfuscation won’t be as useful when it comes to online censorship.
Normally, this isn’t an issue if the provider uses OpenVPN since it can use port 443, which is the HTTPS traffic port. Blocking that means blocking HTTPS all over the country or network.
However, if the VPN provider didn’t properly configure the OpenVPN protocol, it might use TCP/UDP port 1194 – the port OpenVPN uses by default. In that case, governments/network admins could stop OpenVPN obfuscation by blocking that port.
Not really. There’s a lot of effort involved both on your part and the VPN provider’s part. They’ll have to install and set up software on their servers, and you’ll have to do the same thing on your device.
Some providers already offer built-in obfuscation, which is nice, but you’ll still need to do some work on your end. Also, if you want to use a different VPN obfuscation method than the one they use, you’ll need to convince them to configure it on their servers.
VPN obfuscation is a way to hide VPN traffic – specifically OpenVPN traffic. It’s useful in countries that block VPNs or make them illegal, or when:
However, an obfuscated VPN is hard to set up. Also, governments and network admins can find ways to block it. All in all, you should use an obfuscated VPN if you’re dealing with severe government censorship. But if you just want to enjoy better privacy, a VPN with high-end security features will work just as well.