People who risk getting caught by their ISPs using a VPN can turn to VPN obfuscation. It provides an excellent solution for overcoming censorship when governments enforce laws against the use of VPNs.
However, not all virtual private network services can disguise Internet traffic. Therefore, we are discussing this topic today to find out how an obfuscated VPN works, which methods exist to mask VPN data, who is in charge of setting VPN blocks, and more.
What is VPN obfuscation?
When it comes to software, obfuscation refers to creating code that cannot be deciphered using conventional tools. Generally, programmers use obfuscators as a security method. By preventing others from figuring out its purpose, the object is protected from hackers. Therefore, obfuscation hinders any attempts at tampering or reverse engineering.
As far as VPN services go, obfuscating means to conceal VPN traffic. Because virtual private network tools are useful for bypassing firewalls and getting around various Internet filters, third parties might be interested in intercepting and obstructing VPN traffic. For example, China and Russia block VPN data to stop users from sidestepping government censorship.
How it works
An obfuscator takes all data packets sent and received via VPN and disguises them as typical HTTPS traffic. Thus, outside observers will not be able to tell that you are connected to the web through a VPN. Instead, all they see is that you use HTTPS to secure your connections – just like everybody else. What we can draw from this is that obfuscation tools help you get lost in the crowd.
Pluggable transport (PT) technology lends a hand to VPN obfuscation to make sure that users can establish Internet connections even when they are being watched. To this end, the PT acts like a proxy server which reroutes your VPN data to its obfuscated tunnels. And these tunnels are perfect for fending off censorship laws.
How it hides VPN traffic
To better explain how VPN obfuscation works, we must go over the fact that each data packet in an IPv4 packet structure comprises two parts: header and data (payload). The header has addressing details, including the protocol used, together with the source and destination IP address (with port).
If a third party notices that the protocol used is OpenVPN, for example, it can prevent you from reaching the destination IP since it also knows which port is being used. For this reason, a VPN obfuscator removes all addressing details related to VPN from the packet header. In the first part, it cloaks the OpenVPN section.
Now, for the second part: HTTPS uses port 443 over TCP to establish secure Internet connections, all thanks to SSL/TLS. The obfuscator wraps the OpenVPN data packet in another encryption layer using the same protocol as HTTPS: SSL/TLS. As a result, it becomes impossible to tell apart OpenVPN data from HTTPS traffic.
Types of VPN obfuscation methods
Not all protocols can benefit from VPN obfuscation. But most virtual private network operators use OpenVPN, thus implementing OpenVPN obfuscation. Here are the most popular types of VPN obfuscation that work with OpenVPN:
OpenVPN Scramble (XOR obfuscation)
It is highly resistant to Deep Packet Inspection (DPI) sniffers and brilliant for bypassing firewalls. OpenVPN Scramble takes advantage of XOR. Specifically, the XOR cipher is an elementary encryption algorithm that uses a predefined key to apply the bitwise XOR operator to every character in the string. It eliminates the VPN metadata from the header of each data packet so that the VPN protocol cannot be identified.
OpenVPN Scramble does not guarantee that your government will not be able to detect and block your VPN data. But it sets up a challenge. Software developers can implement it using the openvpn_xor scramble patch. In spite of this, the OpenVPN developers recommend switching to Obfsproxy because it is a safer option.
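The following added example (not taken from the openvpn_xor patch or from this article's author) shows the plain repeating-key XOR described above and why it is a challenge rather than a guarantee: a first-byte signature stops matching, yet every handshake scrambled with the same key still starts with the same byte. The key, the simplified packet layout and the helper names are assumptions made for illustration.

```python
from itertools import cycle

# OpenVPN packs the opcode (5 bits) and key id (3 bits) into the first byte.
# Opcode 7 is P_CONTROL_HARD_RESET_CLIENT_V2, so a UDP handshake starts with 0x38.
OPENVPN_CLIENT_RESET = (7 << 3) | 0


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_openvpn(packet: bytes) -> bool:
    """Naive signature check: does the packet start with the client reset opcode?"""
    return len(packet) > 0 and packet[0] == OPENVPN_CLIENT_RESET


def build_sample_reset(session_id: bytes) -> bytes:
    """Constructed, simplified handshake: opcode, 8-byte session id, 5 zero bytes."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    return bytes([OPENVPN_CLIENT_RESET]) + session_id + bytes(5)


def scrambled_first_bytes(packets, key: bytes) -> set:
    """First byte of each packet after scrambling. XOR is static, so one key
    maps the fixed opcode byte to one fixed value regardless of the session."""
    return {xor_scramble(p, key)[0] for p in packets}


if __name__ == "__main__":
    key = b"example-key"  # constructed key, for illustration only
    a = build_sample_reset(bytes(range(8)))
    b = build_sample_reset(bytes(range(8, 16)))
    print(looks_like_openvpn(a), looks_like_openvpn(xor_scramble(a, key)))
    print(scrambled_first_bytes([a, b], key))
```

XOR with a fixed key hides the opcode but adds no confidentiality or integrity of its own; those still come from OpenVPN's TLS layer.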
The Tor Project created Obfsproxy to overcome censorship issues that prevent Tor users from connecting to sites using bridges. It started in 2012, when Iran began filtering SSL connections, which prompted the Tor team to come up with obfuscated bridges to avoid government surveillance.
However, Obfsproxy does not depend on the Tor anonymous network. As a result, it can be fitted for OpenVPN. It supports a series of pluggable transports, such as obfs3 and obfs4.
Another way to obfuscate VPN data is by using Stunnel. It is a proxy server that redirects traffic to a TLS/SSL tunnel. Consequently, it makes it difficult for sniffers to tell apart VPN connections from regular HTTPS. The information that passes through OpenVPN is wrapped in an extra layer using an SSL wrapper. The method is effective against DPI because DPI cannot peel off the extra layer to see the OpenVPN traffic.
SSTP (Secure Socket Tunneling Protocol) is a VPN protocol that conceals VPN traffic by design. It natively uses SSL encryption and port 443 over TCP. The HTTPS protocol uses the same combination for secure browsing. Therefore, a monitoring party would have serious difficulties trying to tell if your traffic is VPN or regular HTTPS.
Unfortunately, SSTP is only available for Windows. It means that you cannot mask your VPN activity through SSTP while using another platform, like macOS, Linux, Android, or iOS.
Who blocks VPN traffic
VPN applications are targets in countries that ban or restrict the use of virtual private network services. These nations have strict laws on Internet censorship. Consequently, their governments block access to websites which promote illegal content, such as gambling or pornography. They might also cut off access to social media networks or messaging utilities while stating national security concerns.
In more extreme cases, political agencies try to prevent people from reading news articles written by the opposition party. Those countries go to great lengths to limit the knowledge of their citizens. By keeping only one political party in control of everything, they take one step closer toward repelling democracy. And VPNs are tools which help defeat those bans. It is why VPN traffic is marked and obstructed.
Governmental groups can force ISPs to detect and block VPN traffic. Besides, since the net neutrality law was repealed, ISPs can ban VPN connections at will, without being compelled to do so. For example, ISPs can prohibit VPN traffic if they suspect you are using these services to get around content-based bandwidth throttling (some ISPs slow down your Internet connection if you are torrenting or streaming).
Examples of governmental blocks
In 2011, Chinese Internet users started suspecting government interference after experiencing unsteady VPN connections while trying to reach foreign sites. Then, in 2017, the Chinese government demanded that telecom providers block all VPN traffic.
In 2014, Iraq banned VPN services and access to particular sites like Facebook or YouTube, citing anti-terrorism measures. Later in 2019, Iraqi citizens resorted to VPNs after an official ban to stop mass protests.
In 2017, the government approved a law that forbids the use of VPN and other technologies (like Tor). It stopped users from reaching banned sites. Later, in 2019, the official telecom regulator of the country contacted ten VPN services. It demanded that they agree to a new federal law about cutting off user access to certain sites (including LinkedIn and Telegram).
How can VPN traffic be detected
- Banning IP ranges. If a provider divulges the IP addresses associated with their VPN servers, a third party can easily get hold of this information and block the entire range of IPs. The challenging part is keeping the blacklist updated, because VPN services constantly employ new IP addresses.
- Banning access control lists (ACLs). These lists contain rules and permissions applicable to IP addresses or port numbers. Depending on the protocol, a VPN service can use port 1723 over TCP (PPTP), ports 500 or 4500 over UDP (L2TP/IPsec, IKEv2) or port 443 over TCP (SSTP), among others. If your ISP suspects this, they might block access to the ports to restrict VPN usage.
- Lack of DNS resolutions. When you try to connect to a site by typing its domain name, your DNS resolver searches its database for the domain name and loads the site by IP. However, when using a VPN, the provider may skip DNS resolvers to access the site by IP address directly. Unfortunately, this info shows up in the network monitoring tool used by your ISP because no hostnames are associated with the external IP addresses.
- Amount of data traffic. Your ISP cannot see what you do online while connected to the VPN. However, they are aware of the amount of traffic that passes through their servers. If they assume that you are using a VPN service to bypass the Netflix proxy error or to view streaming content on BBC iPlayer, they might ban your VPN connections.
- Deep Packet Inspection. Many governments and ISPs have started using DPI technology to be able to analyze all Internet traffic. The groups can tell that you connect through VPN but not what you are actually doing. As a result, it is possible to block VPN traffic.
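As an added example for network monitoring (not code from this article), the sketch below applies two of the checks listed above to constructed flow records: the port and protocol pairs named in the ACL item, and the "no DNS resolution" signal. It also shows why port 443 over TCP cannot be blocked by port alone, since ordinary HTTPS uses it too. The record layout, verdict names and addresses (documentation ranges) are assumptions.

```python
from typing import NamedTuple


class Flow(NamedTuple):
    client: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


# Port/protocol pairs the article lists for VPN protocols.
VPN_PORTS = {
    ("tcp", 1723): "PPTP",
    ("udp", 500): "L2TP/IPsec or IKEv2",
    ("udp", 4500): "L2TP/IPsec or IKEv2",
    ("tcp", 443): "SSTP or HTTPS",
}

# Constructed sample data: IPs each client obtained from DNS, and observed flows.
DNS_ANSWERS = {"10.0.0.5": {"198.51.100.10"}}
FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", "tcp", 443),  # HTTPS to a resolved host
    Flow("10.0.0.5", "203.0.113.7", "tcp", 443),    # 443 to an IP never resolved
    Flow("10.0.0.5", "203.0.113.8", "udp", 4500),   # IPsec NAT traversal port
    Flow("10.0.0.5", "203.0.113.9", "tcp", 1723),   # PPTP control port
]


def classify(flow: Flow, dns_answers: dict) -> list:
    """Return the heuristics a flow trips, as short tags."""
    hits = []
    label = VPN_PORTS.get((flow.proto, flow.dst_port))
    if label:
        hits.append("port:" + label)
    if flow.dst_ip not in dns_answers.get(flow.client, set()):
        hits.append("no-dns")
    return hits


def verdict(flow: Flow, dns_answers: dict) -> str:
    """'vpn-port' for an unambiguous VPN port, 'review' for a weak signal, else 'allow'."""
    hits = classify(flow, dns_answers)
    if (flow.proto, flow.dst_port) == ("tcp", 443):
        # Shared with HTTPS: the port proves nothing, so require a second signal.
        return "review" if "no-dns" in hits else "allow"
    if any(h.startswith("port:") for h in hits):
        return "vpn-port"
    return "review" if "no-dns" in hits else "allow"


if __name__ == "__main__":
    for f in FLOWS:
        print(f, classify(f, DNS_ANSWERS), verdict(f, DNS_ANSWERS))
```

The "review" verdict is deliberately weak: applications with hard-coded IP addresses and clients using encrypted DNS produce the same signal.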
Why you should use VPN obfuscation
Here are the most common reasons why people resort to VPN applications that support obfuscation:
- Indispensable for countries with harsh censorship laws, whether you are living or planning to travel there. If you risk getting fined for using a virtual private network application, then you should hide the fact that you are using VPN from the ISP and government.
- Crucial for P2P. If you frequently download or upload torrents with questionable copyright protection, you might want to add a new security level to make sure you cannot be identified in the torrent swarm. VPN obfuscation eliminates this issue altogether.
- Effective against ISPs that throttle your bandwidth. Some Internet service providers intentionally slow down your Internet speed when they notice you are streaming or torrenting because it takes up a lot of bandwidth. If they suspect you are using VPN to hide these activities, they might block VPN traffic but not if you turn on obfuscation.
- Excellent for getting past school firewalls. Many school administrators block VPN traffic to prevent students from accessing sites that would distract their attention, such as Facebook, Twitter, and YouTube. But you can overcome this by activating cloaked VPN.
- Equally vital for privacy-conscious users. You do not need a good reason to consider stealth VPN. Anyone concerned about their online privacy can switch on the obfuscator to boost their security.
Why you should not use VPN obfuscation
There are two main downsides that you must take into account before choosing a VPN service with obfuscation features:
- Resource-demanding compared to regular VPN traffic. As such, it can cripple your online activities if you do not have a high-speed connection. For example, you might not be able to browse the web through obfuscated OpenVPN when connecting to public Wi-Fi.
- Only as secure as its weakest link. If you use a VPN service that features OpenVPN Scramble, there is a small chance that your government might be able to tell that you are using VPN. In addition to this, you must rely on other VPN security features, like DNS leak protection and kill switch. What we are saying is that you need a top-notch VPN app that has more than just obfuscation.
Our picks for unblocking VPN traffic
Not all virtual private network services have the technology necessary for concealing VPN traffic. If you think it is challenging to pick a reliable VPN service with obfuscation features, you can take our advice. We have tested and reviewed over 50 applications to determine the best VPN applications.
The following tools are our top 3 picks for unblocking VPN traffic. They have obfuscation features to ensure that you can circumvent online censorship set by your government. But they also have settings to strengthen the obfuscator’s efficiency, as well as to counter the Internet speed issues we mentioned. Click their names to check out their in-depth reviews with speed and leak tests, along with ratings.
- Obfuscation protocol: OpenVPN
- Number of obfuscated servers: +600 (14 locations)
- Other security features: Internet Kill Switch, App Kill Switch, Custom DNS
- Total simultaneous connections: 6
- Company location (jurisdiction): Panama (safe)
- Live support: Yes (24/7)
How to use VPN obfuscation in NordVPN
- In the main window, click Settings, and go to the Advanced tab
- Find the Obfuscated Servers option and click its associated slider to set it to On
- Go back to the Servers area in the main window, find the Specialty servers group on the left side, and click Obfuscated Servers
- By default, NordVPN connects you to the fastest server (depending on your location). However, you can explore the list of countries and servers to pick another option by clicking the … button (three dots) next to Obfuscated Servers. After selecting a server, click Connect
- Enjoy secure browsing, knowing the fact that third parties cannot tell that you are using VPN
- Obfuscation protocol: OpenVPN
- Number of obfuscated servers: 14 (9 locations)
- Other security features: Block when disconnected
- Total simultaneous connections: 5
- Company location (jurisdiction): Sweden (part of the 14 Eyes)
- Live support: No (email only)
How to use VPN obfuscation in Mullvad VPN
- Click the Settings button on the upper-right corner of the main window
- Click Advanced to open a new area and scroll down until you spot Bridge mode
- Set Bridge mode to On, then set TCP port to 443
- Return to the main window and click Secure my connection
- Mullvad VPN automatically selects the nearest location by default. However, you can click the button above Secure my connection to open the list of servers and explore your options.
- Once you are connected, you can safely surf the Internet while keeping in mind that no one will be able to tell that you are using VPN.
- Obfuscation protocol: Shadowsocks
- Number of obfuscated servers: +800 (+50 locations)
- Other security features: Kill switch, MultiHop, NoBorders, private DNS
- Total simultaneous connections: Unlimited
- Company location (jurisdiction): British Virgin Islands (safe)
- Live support: Yes (24/7)
How to use VPN obfuscation in Surfshark
- Once you reach the main window of Surfshark, go to Settings
- Scroll down until you find and click Advanced to open a new section
- Open the Protocol menu, select Shadowsocks, and click Change to confirm. Keep in mind that the Shadowsocks protocol protects only your browser traffic
- Without leaving the Advanced area, make sure that NoBorders is enabled
- Go back to the central window and click Connect to connect to the fastest server (based on your current location). Alternatively, go to Locations to explore all available servers and pick your favorite one
- Take advantage of secure browsing while hiding the fact that you are using VPN
Tips to improve VPN obfuscation performance
We previously discussed that the VPN obfuscator slows down Internet speed and that it is only as strong as its weakest link. Here are our tips to help you improve speed and security when you are hiding the fact that you are using a VPN:
- Connect to the nearest server. It guarantees the best possible speed because data packets take a faster route through fewer nodes to reach the VPN server. It is the reason why most VPN providers connect you to the nearest server by default.
- Go with optimal DNS settings. If you are using the default DNS configuration set by your ISP, then Internet performance issues should not surprise you. However, most VPN services come with private DNS servers, so you should go with that option. Otherwise, search the web for public DNS, like Google Public DNS, OpenDNS and Cloudflare.
- Enable split tunneling. A VPN service that uses an obfuscator typically encrypts all data traffic coming out from your computer. However, you can use split tunneling to isolate VPN applications (like your web browser) from non-VPN traffic (like the Java update scheduler). It is an excellent method for improving Internet speed.
- Switch on kill switch, IP and DNS leak protection. The VPN obfuscation feature will not protect your anonymity if the VPN service spills your IP during unexpected Internet drops. But you can enable the kill switch to cut off Internet access during sudden disconnects. Similarly, you can activate IP and DNS leak protection to keep your identity safe no matter what happens.
VPN obfuscation is indispensable for people who live in countries where the government controls the Internet. It is particularly useful for those who risk getting fined for using VPN. The technique hides the fact that you are using a VPN, so you can use it to get around VPN blocks safely.