
Combine OpenVPN with obfsproxy for stealth mode (Windows)

Proxy.sh is proud to offer customers who seek maximum privacy, or who are still limited by digital censorship, a method to connect to its VPN network in "stealth mode".

This mode makes it extremely difficult for network administrators to detect OpenVPN/VPN traffic. It thus adds yet another layer of protection for your privacy, and lets you bypass a firewall with deep packet inspection capability.

Several VPN providers claim to offer a similar method, but very few use techniques that are open source and well known to the security community. Here at Proxy.sh, we have decided to harness the power of Tor, and particularly of its obfsproxy library, to build a stealth mode for OpenVPN.

Configuring your Windows environment to connect to the Proxy.sh VPN network using obfsproxy stealth mode is quite simple. All you need to do is get Tor's obfsproxy for Windows.

To do so, you can download and use this installer, which sets up a SOCKS server that listens continuously on 127.0.0.1 port 1050 as a Windows service.

Alternatively, if installing a third-party service is uncool for you, you can opt for the binary itself, without the installer (in other words, the portable version). Extract it to a simple directory such as C:\obfsproxy and then run the following command in the Windows command prompt (this is the obfs2 mode, running on port 888):

      obfsproxy.exe obfs2 socks 127.0.0.1:1050

If you wish to opt for obfs3 (running on port 898), run the following command instead:

      obfsproxy obfs3 socks 127.0.0.1:1050

If you wish to opt for scramblesuit (running on port 988), run the following command instead:

      obfsproxy scramblesuit --password=JNI3L3K2VZM3UY37WEA2JQ442V5YVZZS --dest XXX.XXX.XXX.XXX:988 socks 127.0.0.1:1050

Here XXX.XXX.XXX.XXX is the IP address of the server you wish to connect to.

Finally, edit the OpenVPN configuration file that you are going to use to connect to the Proxy.sh network, and add or alter the following lines in it:

      socks-proxy-retry
      socks-proxy 127.0.0.1 1050
      remote <VPN_SERVER_IP> 888
      route <VPN_SERVER_IP> 255.255.255.255 net_gateway

(Note that <VPN_SERVER_IP> must be replaced by the server IP, and that the 'remote' line most likely already exists in your configuration file, so it is only the port - 888 - that must be updated.)

If you have run the obfs3 command, please make sure to use port 898 and use the following configuration addition:

      socks-proxy-retry
      socks-proxy 127.0.0.1 1050
      remote <VPN_SERVER_IP> 898
      route <VPN_SERVER_IP> 255.255.255.255 net_gateway

If you have run the scramblesuit command, please make sure to use port 988 and use the following configuration addition:

      socks-proxy-retry
      socks-proxy 127.0.0.1 1050
      remote <VPN_SERVER_IP> 988
      route <VPN_SERVER_IP> 255.255.255.255 net_gateway

Voilà, that's pretty much it. Connect to the VPN network using this modified configuration file while keeping obfsproxy running, and your traffic will be completely scrambled.

System administrators and government agencies alike will no longer be able to identify that you are using OpenVPN (and of course, still won't be able to decrypt the traffic it generates).
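A mismatch between the transport you started and the port on the 'remote' line is the easiest mistake to make in the steps above. The following checker is an added example, not a Proxy.sh tool: it verifies the four configuration lines against the chosen transport and tests whether the local SOCKS listener is up. The function names and the sample configuration fragment (with a documentation-range IP) are constructed for illustration.

```python
import socket

# Ports as given in the article: one server port per obfsproxy transport.
TRANSPORT_PORTS = {"obfs2": 888, "obfs3": 898, "scramblesuit": 988}
SOCKS = ("127.0.0.1", 1050)  # local obfsproxy SOCKS listener from the article

def parse_directives(text):
    """Split an OpenVPN config into token lists, skipping blanks and comments."""
    lines = (l.strip() for l in text.splitlines())
    return [l.split() for l in lines if l and l[0] not in "#;"]

def check_stealth_config(text, transport):
    """Return a list of problems; empty means the config matches the article."""
    want = str(TRANSPORT_PORTS[transport])
    rows = parse_directives(text)
    problems = []
    if ["socks-proxy-retry"] not in rows:
        problems.append("missing socks-proxy-retry")
    if ["socks-proxy", SOCKS[0], str(SOCKS[1])] not in rows:
        problems.append("socks-proxy must be 127.0.0.1 1050")
    remotes = [r for r in rows if r[0] == "remote" and len(r) > 1]
    if not remotes:
        problems.append("no remote line")
    for r in remotes:
        port = r[2] if len(r) > 2 else "(unset)"
        if port != want:
            problems.append(f"remote {r[1]} port {port}, {transport} needs {want}")
        # Host route sends the connection to the server via the normal gateway.
        if ["route", r[1], "255.255.255.255", "net_gateway"] not in rows:
            problems.append(f"no net_gateway route for {r[1]}")
    return problems

def socks_listening(timeout=1.0):
    """True if something accepts TCP connections on the local SOCKS port."""
    try:
        with socket.create_connection(SOCKS, timeout=timeout):
            return True
    except OSError:
        return False

# Constructed fragment: obfs3 chosen, but remote still carries the obfs2 port.
SAMPLE = """socks-proxy-retry
socks-proxy 127.0.0.1 1050
remote 192.0.2.10 888
route 192.0.2.10 255.255.255.255 net_gateway
"""

if __name__ == "__main__":
    print(check_stealth_config(SAMPLE, "obfs3"), socks_listening())
```

Pass the text of your own .ovpn file in place of SAMPLE; an empty list together with a True listener check means the setup matches the steps above.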

Enjoy!

 