VPN Obfuscation (Full Guide for Beginners)

VPN obfuscation normally goes hand in hand with OpenVPN since it’s one of the most popular protocols. It’s also pretty easy to detect since it has a unique signature. Some obfuscation methods might work with other VPN protocols, but you’re gonna have to talk with your provider about that.

And to avoid any confusion, keep in mind that VPN providers can also call obfuscation “stealth mode”, “stealth VPN,” or “VPN cloaking.”

Wait – Can VPN Traffic Be Detected?

Yep, like we just said OpenVPN actually has a recognizable signature. And ISPs and governments can detect OpenVPN traffic by using DPI (Deep Packet Inspection) – a way to control network traffic. 

And DPI can actually use advanced packet filtering to block OpenVPN traffic once it spots data packets with OpenVPN payload.

If you’d like to learn more about DPI, follow this link.

To avoid confusion, VPN providers will normally mark obfuscated servers as a separate category so that users who really need them can access them quickly.

What Stealth Methods Does an Obfuscated VPN Use?

VPN obfuscation isn’t just some random feature providers offer. They actually have to set it up, and they can do that in different ways. Here are the main methods VPN providers equip their services with obfuscation technology:

OpenVPN Over SSL/SSH

This works by adding a layer of SSL/SSH encryption to the VPN data to make sure DPI can’t break through it to spot the VPN protocol traffic.

It’s true that OpenVPN already uses SSL for encryption, but few people know it’s actually a modified version of it. In fact, it’s because of those modifications that DPI can spot OpenVPN traffic.

Just keep in mind that not many VPNs support built-in OpenVPN over SSL. It’s not surprising why seeing as how the setup process is pretty complex. The provider has to configure open-source software called stunnel on their servers, and you need to do the same on your device.

As for SSH, it’s reliable encryption, but it’s more suitable for corporations than average online users. You can use it, of course, but there really aren’t many services that offer OpenVPN over SSH out of the box. So, you need to talk with your provider about it. And yes, the setup process can be as difficult as it is for OpenVPN over SSL.

OpenVPN Scramble

This is a patch for the OpenVPN protocol which adds obfuscation features to it. It does that by using the XOR cipher, a substitution-based algorithm. That basically means it will replace every alphanumerical in a data string with another numerical to mask OpenVPN traffic.

On its own, XOR is pretty bad since it uses weak encryption keys and it can’t really bypass government firewalls. What’s more, with the right frequency analysis tools, any government or hacker could break XOR. Hackers also like to use XOR to hide malware, so it’s not the most trustworthy cipher.

But if you pair up XOR with OpenVPN, you get decent encryption that more than makes up for XOR’s weak security. At the same time, OpenVPN traffic is fully masked. Normally, packet sniffers like Wireshark won’t detect your VPN connection as OpenVPN, but as UDP.

Still, there are some problems:

• Just because a VPN uses OpenVPN Scramble doesn’t mean governments can’t block it at all. It just makes it much harder for them to do that.
• Despite how useful it is, the OpenVPN devs refused to implement it into the official version. Also, they don’t really approve of the patch.

Obfsproxy

Obfsproxy is a subproject of Tor, and it uses an obfuscation layer to wrap VPN protocol data to hide it from DPI. The method relies on PT (Pluggable Transports) to change the way traffic flows between the VPN client and the VPN server.

Besides that, Obfsproxy also uses a handshake with no recognizable byte patterns. What that means is that it makes OpenVPN traffic look like simple HTTP traffic.

Since Obfsproxy is pretty lightweight, it doesn’t consume a great deal of bandwidth. That can be very useful if you live in or travel through a country with limited bandwidth.

While Obfsproxy can successfully hide VPN traffic, it does have some drawbacks:

• Unlike OpenVPN Scramble and OpenVPN over SSL/SSH, Obfsproxy doesn’t use encryption, making it less secure.
• Entropy tests can actually spot a problem with Obfsproxy’s handshake – namely that it’s too random.
• Setting up Obfsproxy is difficult for both you and the VPN provider.

If you want to learn more about Obfsproxy, we already have an in-depth article about it.

Shadowsocks

Created by a Chinese programmer back in 2012, Shadowsocks is an open-source obfuscation method based on the SOCKS5 proxy. The project had one goal – to help people in China get around government censorship in an undetectable way.

Shadowsocks hides VPN traffic by making it look like regular HTTPS traffic. And while it doesn’t have strong encryption, pairing it up with OpenVPN solves that problem.

Once again, the setup process can be pretty tough.

Why Do You Need VPN Obfuscation?

Alright, so VPN obfuscation can help you hide the fact that you use a VPN.

But why exactly should you use it since it’s so hard to set up, and not a lot of providers offer it?

Well, here are some reasons it could be useful:

1. ISPs Throttle VPN Traffic

ISPs can throttle user bandwidth, but did you know they can also throttle your VPN traffic?

Yep, if they have a problem with you using a VPN, they can slow down your speeds to discourage you from using it. And that’s a pretty effective method since your original speeds will already take a hit when you use a VPN.

But if you hide your traffic with an obfuscated VPN, your ISP will just think you’re browsing random websites.

2. Some Countries Make VPNs Illegal/Block VPNs

If you look up “VPN illegal” on the web, you’ll see tons of articles showing lists of countries where VPNs are illegal.

Well, the information isn’t actually 100% accurate since not all countries with oppressive regimes enforce laws against VPN usage.

However, there are places where you can get in trouble with the law or face serious fines for using VPNs – like a region in China, Turkmenistan, or – recently – Jammu and Kashmir in India.

If you live in places like that or are traveling through them, VPN obfuscation is pretty much mandatory. It’s the only way to get around VPN blocks and avoid getting in legal trouble.

3. Workplace/School Networks Block VPNs

Really skilled network admins can actually detect VPN traffic on school or workplace networks. And they can configure firewalls to block the traffic automatically once they spot it.

Plus, you might also face penalties for using a VPN to get around the firewall.

With VPN obfuscation, though, you can bypass firewalls without worrying too much since the admins will have a really, really hard time spotting your traffic.

4. Some Streaming Platforms Successfully Block VPNs

Some content platforms actually manage to block VPN traffic. Netflix is a good example of that, and so is BBC iPlayer since it managed to block a lot of UK VPN servers.

How are they able to detect the traffic? It varies from streaming platform to streaming platform, but they normally use these methods:

• DPI;
• IP blacklisting;
• Port blocking.

Luckily, using an obfuscated VPN is a good way of bypassing these issues. Or, you know, just using a VPN that big streaming websites don’t target.

5. You Want an Extra Layer of Privacy

If you’re in a situation that requires a great deal of privacy, VPN obfuscation will really come in handy. 

For example, if you’re a journalist who needs complete privacy to talk with sources (who might get in trouble for answering your questions) securely. Or, if you’re a whistleblower who is about to blow the lid off a huge scandal. Or, why not, if you’re an average online user who really cares about their privacy.

Whichever the case, using an obfuscated VPN will make sure ISPs, government surveillance agencies, and network admins don’t become suspicious because they see you using a VPN.

Useful Tips for Better VPN Obfuscation Performance/Security

To make sure VPN obfuscation doesn’t slow down your speeds too much, or that it doesn’t suddenly leak your data if the connection goes down, do the following:

• Use a VPN server that’s close to your country – ideally one that’s in a neighbouring country. It’ll take less time for data packets to travel between your device and the server this way.
• If the VPN doesn’t already do this, change your default DNS address with the provider’s own address, or with Google Public DNS or OpenDNS.
• If the VPN has split-tunneling, use it to make your traffic more lightweight by routing non-VPN traffic (like app updates) through a separate unencrypted tunnel.
• Only use a VPN with a Kill Switch, and keep it on at all times. That way, if your connection goes down, the Kill Switch automatically shuts down all your web traffic until the VPN is up and running again to prevent any leaks.

Is VPN Obfuscation 100% Foolproof?

It might be very useful and offer extra privacy, but it isn’t without it’s faults. Being difficult to set up aside, governments and network admins have ways of stopping VPN obfuscation. Basically, they can:

Block VPN Servers

They could either block well-known VPN server IP addresses, or force ISPs to monitor user connections and block the VPN server addresses they see. Don’t forget – VPN obfuscation will only hide VPN traffic, not the fact that you connect to a VPN IP address.

And ISPs (or surveillance agencies or network admins) can guess that you’re connecting to an IP address that belongs to a VPN provider because it won’t have a hostname associated with the DNS server, or there won’t be any DNS resolutions for client-server communications.

If they also notice you’re using port TCP or UDP port 443, they’ll know for sure you’re using a VPN.

Block VPN Websites

Another thing governments and admins can do is just use firewalls to block access to VPN providers that offer obfuscation. There aren’t too many of them, so it wouldn’t be hard to add them to a list of blacklisted websites.

True, you could use a VPN or proxy that isn’t blocked to access the website. But your ISP or network admin will know you’re doing that if they use DPI.

You might also think you’re safe if you downloaded the VPN client before the website got blocked, but you’ll still deal with issues. After all, you won’t be able to update the app, and you won’t have access to the website where you can renew or change your subscription.

Block/Intercept HTTPS Traffic

Since most obfuscation methods mask the traffic as HTTPS, governments or network admins could block all HTTPS traffic country-wide/network-wide to stop stealth VPN connections.

Of course, that’s just in theory. We have yet to hear of that happening. Though, if you use Obfsproxy which masks the VPN traffic as HTTP, firewalls could block the traffic. Not a lot of websites use HTTP, so it wouldn’t be a huge loss from the authorities’ perspective.

If not, they could just intercept your HTTPS traffic, decrypt it, and find out you’re using a VPN. It sounds like an unlikely scenario, but it’s actually already happening – in Kazakhstan to be precise. Local ISPs force users to install government-issued certificates on their devices which allow surveillance agencies to decrypt HTTPS traffic.

If other countries with oppressive regimes will do the same, VPN obfuscation won’t be as useful when it comes to online censorship.

Block the Ports VPN Protocols Use

Normally, this isn’t an issue if the provider uses OpenVPN since it can use port 443, which is the HTTPS traffic port. Blocking that means blocking HTTPS all over the country or network.

However, if the VPN provider didn’t properly configure the OpenVPN protocol, it might use TCP/UDP port 1194 – the port OpenVPN uses by default. In that case, governments/network admins could stop OpenVPN obfuscation by blocking that port.

The Bottom Line

VPN obfuscation is a way to hide VPN traffic – specifically OpenVPN traffic. It’s useful in countries that block VPNs or make them illegal, or when:

• Your ISP throttles VPN traffic.
• You want extra privacy.
• Streaming platforms block VPN connections.
• School/Workplace networks block VPNs.

However, an obfuscated VPN is hard to set up. Also, governments and network admins can find ways to block it. All in all, you should use an obfuscated VPN if you’re dealing with severe government censorship. But if you just want to enjoy better privacy, a VPN with high-end security features will work just as well.