
Is there any easy solution in Merlin for a VPN server that is hard to block/detect?


Catalinus

Occasional Visitor
Is there already any easy solution in Merlin for a VPN server that is hard to block? From the preliminary tests that I saw - encrypted OpenVPN over TCP:443 is still easy to block and so is wireguard :(

Do I need to install on the router something like vpn over websockets or wstunnel or similar?

EDIT:

Sorry if that was not clear - on the Merlin router a form of VPN server is running and the client is on various phones and notebooks that need back access to the LAN behind the Merlin.
 
Who is the one providing the OpenVPN server here? YOU (i.e., on your Merlin router) or some commercial OpenVPN provider (e.g., NordVPN)? Because if it's the latter, it's easy to block NOT because of deep packet inspection (which would be the case for the former), but simply because the public IP servers of the provider are well-known. And in that case there's not much you can do about it other than find another provider that's being less scrutinized.
 
Who is the one providing the OpenVPN server here? YOU (i.e., on your Merlin router) or some commercial OpenVPN provider (e.g., NordVPN)? Because if it's the latter, it's easy to block NOT because of deep packet inspection (which would be the case for the former), but simply because the public IP servers of the provider are well-known. And in that case there's not much you can do about it other than find another provider that's being less scrutinized.

Sorry if that was not clear - on the Merlin router a form of VPN server is running and the client is on various phones and notebooks that need back access to the LAN behind the Merlin.

Normally OpenVPN works well over something like TCP:443, but in certain places (meaning both places like China or some Arabic countries, but also some western companies' offices) it gets blocked. In those places most https traffic still seems to work, hence my question about vpn over websockets or wstunnel.
 
Is there already any easy solution in Merlin for a VPN server that is hard to block? From the preliminary tests that I saw - encrypted OpenVPN over TCP:443 is still easy to block and so is wireguard :(

Do I need to install on the router something like vpn over websockets or wstunnel or similar?

EDIT:

Sorry if that was not clear - on the Merlin router a form of VPN server is running and the client is on various phones and notebooks that need back access to the LAN behind the Merlin.

TL;DR: try wireguard on 443. Or “IP over DNS tunneling”. The issue is likely the firewall not whitelisting your destination as corporate approved, or a conflict with the ToS of cellular internet use, or deep packet inspection detecting and blocking openvpn.

Well, I have no personal gripe with anyone bypassing the so-called great firewall of china, or others, but I would caution you as it might land you in legal trouble. Even bypassing a corporate network's security can be very risky. I’m sure it doesn’t need to be said, but in today's world you never know.

Anyways. Masking as https would probably normally work, but with packet inspection, DCCP markers, SNI plain text, plain text dns leaks among other things, your operating system itself, including time zone, time servers, country locations, language, browser agent, etc., could pose problems, as they are identifiable markers depending on whether they are fully encrypted within the tunnel and the security types used in openvpn. Compression of a vpn tunnel could also leak. You could maybe try another vpn server like wireguard and have it running as a backup; it may or may not make a difference.

Like others have said, known IP providers that host VPNs could identify and be blocked as well. But that’s for general vpn internet access, not to tunnel into the LAN. Proxies don’t carry fully encapsulated encryption except for https traffic (I think), so it would be easily detected if http/other traffic leaks. Websockets, like https over TLS 443, can be detected as suspicious if packets leave the country or the destination isn’t whitelisted as corporate approved (assuming on wifi or eth).

Http/3 uses TLS/QUIC udp and basically could ignore most firewalls on port 443, but if the destination is blacklisted by the firewall you're SoL. QUIC in theory could be used in a vpn. Not sure there are any that use it yet.

These encryption technologies only pass on the trust to another party, so in a country that locks down its internet packets, if the packets are subject to leaving the country it would be identifiable as a possible vpn provider/server, and if it isn’t a provider subject to their laws it can easily be blocked. Few, if any, vpn providers will risk legal liability. Working within the country, it’s probable you're just running into deep packet inspection or a firewall on enterprise-level networks, assuming you're using wifi. If cellular it’s the same thing, just a bit different, i.e. carrier or government ToS for internet use.

Coming from the old ddwrt community, I do remember something called “IP over DNS Tunneling”; this tunnels traffic through dns packets. If paired with a vpn it probably would bypass most things, but be unbearably slow. Certainly not a native feature to Asus, and certainly not something I know much about.

Anyways, I’m not an expert in IT security, so I have little in the way of real advice on what you’re looking to accomplish.

Edit: Somewhat misunderstood the question; reframed what I said, could still be spewing nonsense.
 
Did you try OpenVPN but with TLS Control set to "Encrypt channel"? This adds another layer of encryption intended to make it harder to distinguish OpenVPN traffic from other TLS types of traffic.
 
Did you try OpenVPN but with TLS Control set to "Encrypt channel"? This adds another layer of encryption intended to make it harder to distinguish OpenVPN traffic from other TLS types of traffic.

Yes, that one was one of the first things that I used a long time ago, and it certainly made a difference, but more recently it seems it can still be blocked.

Since it now looks like there is no simple solution, I will try testing a little with wstunnel (and wireguard over wstunnel - https://kirill888.github.io/notes/wireguard-via-websocket/ ) - the real issue that I see is that the router end is probably reasonably easy to implement, but the client end other than notebooks (for instance iOS or Android) might be very hard or complex to implement.
 
For bypassing country/university censorship blocks, there are some options that I've been able to implement on my Asus router, but not directly within the Merlin firmware. I don't know of any "VPN" solutions that work, so you will want to use an encrypted proxy with obfuscation.

V2Ray (https://www.v2ray.com/en/) solutions are probably the most robust, with many different sub-flavors. The learning curve can be a little high, and it would require finding pre-built binaries or compiling them yourself. Some of the most popular options to use V2Ray are via VMess and VLESS. There is also Xray/XTLS (https://github.com/XTLS/Xray-core), but I haven't tried this myself yet.

Shadowsocks was the golden child for a hot minute, but is only applicable today if also using the V2Ray plugin with a websocket and setting up an nginx reverse proxy on port 443. This method ensures that active probes will not flag the endpoint, as there would be some sort of legitimate web site there, along with making the SSL handshake respond exactly as an https endpoint would, tricking DPI (Deep Packet Inspection). You can go a step further and bounce this endpoint thru Cloudflare, so if the IP gets blocked you can just change it. This has worked for me, tested in China, but that was just over 4 years ago.

Some downsides to V2Ray-based solutions are that you have TCP only. UDP connections are separate, and the V2Ray obfuscation is easily detected on UDP. (Solutions to this are to set up OpenVPN or Wireguard on TCP, then tunnel the VPN connection over the Shadowsocks/VLESS/VMess TCP port. This however is difficult if some clients are phones/tablets.)

The only real somewhat built-in solution is to use "trojan", which is easily installed via Entware (opkg install trojan). This version does not have websocket capabilities, so it may be detected more easily. However, the "trojan-go" version has binaries at https://github.com/p4gefau1t/trojan-go/releases that include websocket configurations. (I use the armv7 binary on my RT-AX86U with success.) If truly trying to bypass censorship and you need plausible deniability, I'd suggest this route. Annnnd, trojan/trojan-go supports UDP over TCP, allowing gaming/VOIP/etc. over the TCP tunnel. Most documentation for these solutions is in Chinese, so Google Translate is your friend.

Now as far as clients, trojan-go has binaries for Windows/Mac, and will work on the client side even if the server side is Entware's trojan. (Just don't configure a websocket.) I know some apps exist on Android, but I'm not sure which are good. On iOS, the Shadowrocket app (https://apps.apple.com/us/app/shadowrocket/id932747118) is fantastic, and worth every penny of that $2.99 USD. It essentially installs itself as a VPN profile, and will redirect all TCP/UDP exactly as a VPN would, but all on layer 7. Shadowrocket works with all that I've mentioned here (Shadowsocks, VLESS, VMess, XTLS, etc.).

If interested, I could post a step-by-step of installing and configuring trojan on the Asus, but don't have time just at the moment. LMK and I can make some time this weekend to do so.
 
I use wireguard; it works fine from workplace and school, which block many others.
 
If interested, I could post a step-by-step of installing and configuring trojan on the Asus, but don't have time just at the moment. LMK and I can make some time this weekend to do so.
This could/would be useful for many, so when you do have time, yes, please post the config steps.
 
Is there already any easy solution in Merlin for a VPN server that is hard to block? From the preliminary tests that I saw - encrypted OpenVPN over TCP:443 is still easy to block and so is wireguard :(

Do I need to install on the router something like vpn over websockets or wstunnel or similar?

EDIT:

Sorry if that was not clear - on the Merlin router a form of VPN server is running and the client is on various phones and notebooks that need back access to the LAN behind the Merlin.
Not in Merlin that I know of. However, something that used to work years back, if you desperately needed a connection and were ok with the risks if detected, was vpn over DNS or vpn over ICMP. It required setting up a separate server. You would need to experiment with this open-source university stuff to see if it works with today's more modern packet inspection etc. https://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity
 
Did you try OpenVPN but with TLS Control set to "Encrypt channel"? This adds another layer of encryption intended to make it harder to distinguish OpenVPN traffic from other TLS types of traffic.
This used to work way back when. It gets blocked pretty well everywhere that wants to block us nowadays, unfortunately.
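Added example (editor's, not from the thread or any poster) showing what a DPI box can label a connection as from the first client bytes alone, without decrypting anything: the OpenVPN opcode/session-id header, which tls-auth and tls-crypt ("Encrypt channel") leave in the clear and which is why that setting still gets blocked, and the plaintext SNI of a TLS ClientHello that the "SNI plain text" remark above refers to. All packet bytes are constructed samples, not captured traffic, and the classifier is a minimal illustration rather than any vendor's DPI logic.

```python
import struct

# Opcodes in a session's first packets; first byte = opcode << 3 | key_id.
OPENVPN_OPCODES = {7: "HARD_RESET_CLIENT_V2", 8: "HARD_RESET_SERVER_V2", 10: "HARD_RESET_CLIENT_V3"}

def openvpn_control(payload):
    # OpenVPN over TCP: 2-byte length prefix, opcode/key_id byte, 8-byte session id.
    # tls-auth and tls-crypt protect what follows but leave this header in the clear.
    if len(payload) < 11 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
        return None
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    return OPENVPN_OPCODES.get(opcode) if key_id == 0 else None

def tls_sni(payload):
    # server_name from a TLS ClientHello. It is plaintext, so an HTTPS-lookalike
    # tunnel still tells the middlebox which host it is going to.
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:              # handshake, ClientHello
            return None
        pos = 43                                                  # skip version + random
        pos += 1 + payload[pos]                                   # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
        pos += 1 + payload[pos]                                   # compression methods
        ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            if etype == 0 and payload[pos + 6] == 0:              # server_name, host_name
                nlen = struct.unpack("!H", payload[pos + 7:pos + 9])[0]
                return payload[pos + 9:pos + 9 + nlen].decode("ascii", "replace")
            pos += 4 + elen
    except (IndexError, struct.error):
        pass
    return None

def classify_first_packet(payload):
    # The label a middlebox can attach using only the first client bytes.
    opcode = openvpn_control(payload)
    if opcode:
        return ("openvpn", opcode)
    sni = tls_sni(payload)
    return ("tls", sni) if sni else ("unknown", None)

def sample_openvpn(tls_crypt=False):               # constructed, not captured
    body = b"\x38" + bytes(range(8))               # opcode 7, key_id 0, session id
    if tls_crypt:                                  # packet id, timestamp, 32-byte tag
        body += b"\x00\x00\x00\x01" + b"\x00" * 4 + b"\xaa" * 32
    return struct.pack("!H", len(body) + 5) + body + b"\x00" * 5   # ack count, packet id

def sample_clienthello(host):                      # constructed, not captured
    sni = b"\x00" + struct.pack("!H", len(host)) + host.encode()
    ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00\x00\x02\x13\x01\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The tls-crypt sample classifies identically to the plaintext one because only the bytes after the session id change.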
 
OpenWRT has a few methods/packages that can help with folks that have state-managed internets.
 
Did you try OpenVPN but with TLS Control set to "Encrypt channel"? This adds another layer of encryption intended to make it harder to distinguish OpenVPN traffic from other TLS types of traffic.

I think the challenge there is that the source/destination fields are still in the clear - so that can be one of the big challenges still - if the destination is a known VPN endpoint...

For unknown endpoints - it's really around access attempts and amount of traffic; discovery is trivial - you don't even need to do Deep Packet Inspection there...
 
If interested, I could post a step-by-step of installing and configuring trojan on the Asus, but don't have time just at the moment. LMK and I can make some time this weekend to do so.
Making a new post here because I would love for you to at least explain how to get trojan-go configured. I have the armv8 version copied to my entware usb drive, and it seems to start fine with the example config. However, the configuration is very confusing to me, and Google Translate isn't clear enough for the Chinese wiki.
 
