Combine OpenVPN with obfsproxy for stealth mode (Mac)

Proxy.sh is proud to offer customers who seek maximum privacy, or who are still limited by digital censorship, a method to connect to its VPN network in "stealth mode".

This mode makes it extremely difficult for network administrators to detect OpenVPN/VPN traffic. It thus adds yet another layer of protection for your privacy, or lets you bypass a firewall with deep packet inspection capability.

Several VPN providers claim to offer a similar method, but very few use techniques that are open source and well known to the security community. Here at Proxy.sh, we have decided to harness the power of Tor, and particularly of its obfsproxy library, to build a stealth mode for OpenVPN.

Configuring your Mac environment to connect to the Proxy.sh VPN network using obfsproxy stealth mode is quite simple. All you need to do is to get Python's pip tool.

To do so, you can use easy_install through the Terminal:

      sudo easy_install pip

Or you can use Homebrew, which installs pip together with its Python package:

      brew install python

Once you are done, install obfsproxy by running this command:

      pip install obfsproxy

Please note that the obfsproxy package can also be installed directly from Tor's git.

Once you have obfsproxy installed, start it in SOCKS mode, listening on local port 1050, by running this command:

      obfsproxy obfs2 socks 127.0.0.1:1050

If you wish to opt for obfs3 (running on port 898), run the following command instead:

      obfsproxy obfs3 socks 127.0.0.1:1050

If you wish to opt for scramblesuit (running on port 988), run the following command instead:

      obfsproxy scramblesuit --password=JNI3L3K2VZM3UY37WEA2JQ442V5YVZZS --dest XXX.XXX.XXX.XXX:988 socks 127.0.0.1:1050

With XXX.XXX.XXX.XXX being the IP of the server you wish to connect to.

Finally, edit the OpenVPN configuration file that you are going to use to connect to the Proxy.sh network, and add or alter the following lines:

      socks-proxy 127.0.0.1 1050
      remote <VPN_SERVER_IP> 888
      route <VPN_SERVER_IP> net_gateway

(Note that <VPN_SERVER_IP> must be replaced by the server IP, and that the 'remote' line most likely already exists in your configuration file, so it is only the port - 888 - that must be updated.)

If you ran the obfs3 command, make sure to use port 898 with the following configuration:

      socks-proxy 127.0.0.1 1050
      remote <VPN_SERVER_IP> 898
      route <VPN_SERVER_IP> net_gateway

If you ran the scramblesuit command, make sure to use port 988 with the following configuration:

      socks-proxy 127.0.0.1 1050
      remote <VPN_SERVER_IP> 988
      route <VPN_SERVER_IP> net_gateway
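
Before connecting, the edited file can be checked against the three lines above. The following is an added example, not Proxy.sh code: `check_stealth_conf` and `sample_conf` are hypothetical helper names, the address 203.0.113.10 is a constructed documentation address, and obfsproxy is assumed to listen on 127.0.0.1:1050.

```shell
#!/bin/sh
# Added example, not Proxy.sh code: check an OpenVPN config for the
# stealth-mode lines described in this article before connecting.
# Ports per the article: obfs2=888, obfs3=898, scramblesuit=988.
# Assumes obfsproxy listens on 127.0.0.1:1050.
check_stealth_conf() {    # usage: check_stealth_conf <file> <transport>
    conf=$1
    case $2 in
        obfs2)        want=888 ;;
        obfs3)        want=898 ;;
        scramblesuit) want=988 ;;
        *) echo "unknown transport: $2" >&2; return 2 ;;
    esac
    [ -r "$conf" ] || { echo "cannot read: $conf" >&2; return 2; }

    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                   # skip comment lines
        $1 == "socks-proxy" { socks = $2 " " $3 }
        $1 == "remote"      { port[$2] = $3 }    # every remote entry
        $1 == "route" {                          # with or without a netmask
            if ($3 == "net_gateway" || $4 == "net_gateway") bypass[$2] = 1
        }
        END {
            bad = 0; n = 0
            if (socks != "127.0.0.1 1050") {
                print "FAIL socks-proxy is \"" socks "\", expected 127.0.0.1 1050"; bad = 1
            }
            for (ip in port) {
                n++
                if (port[ip] != want) {
                    print "FAIL remote " ip " uses port " port[ip] ", expected " want; bad = 1
                }
                # Without this route, obfsproxy traffic to the server
                # would itself be sent into the tunnel once the VPN is up.
                if (!(ip in bypass)) {
                    print "FAIL no \"route " ip " net_gateway\" line"; bad = 1
                }
            }
            if (n == 0) { print "FAIL no remote line found"; bad = 1 }
            exit bad
        }' "$conf"
}

# Constructed sample config for the obfs3 case.
sample_conf() {
    printf '%s\n' 'client' 'socks-proxy 127.0.0.1 1050' \
        'remote 203.0.113.10 898' 'route 203.0.113.10 net_gateway'
}
```

The function returns 0 when every `remote` entry uses the port for the chosen transport and has a matching bypass route, 1 when a check fails, and 2 on a usage error.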

Voila, that's pretty much it. Connect to the VPN network using this modified configuration file while keeping obfsproxy running and your traffic will be completely scrambled.

System administrators and government agencies alike will no longer be able to identify that you are using OpenVPN (and of course, still won't be able to decrypt the traffic it generates).


P.S. Some of the commands may require sudo or root authentication, depending on your user privilege level.

P.P.S. We recommend that advanced users install obfsproxy in a virtual environment.
