Would it be possible for Merlin to support obfsproxy?

byyuan

Occasional Visitor
I really loved using Asus Merlin with my VPN provider. But my ISP blocked OVPN recently, and it seems that obfsproxy/stealth/wise would help to bypass such blocking. Is there any add-on or possible development on obfsproxy for ASUS-Merlin? Thanks!!
 
Also if you control both ends of the tunnel, implement tls-crypt. It makes it much harder to detect the use of OpenVPN, it even bypasses the Chinese firewall.
 
Also if you control both ends of the tunnel, implement tls-crypt. It makes it much harder to detect the use of OpenVPN, it even bypasses the Chinese firewall.
I'll just clarify...

Only if it's on port 443 ;) Might get away with 993 as well
 
I'll just clarify...

Only if it's on port 443 ;) Might get away with 993 as well

Ya, anything that's expected to get TLS traffic, since tls-crypt will make the traffic indistinguishable from other TLS-encrypted traffic. 465 might be another possibility, but that could be blocked ISP-side.
 
Also if you control both ends of the tunnel, implement tls-crypt. It makes it much harder to detect the use of OpenVPN, it even bypasses the Chinese firewall.

The last statement is incorrect. As a road warrior I am using my home OVPN servers regularly. No way to bypass GFWC by just applying tls-crypt! Confirmed many times. It even does not bypass the Egypt FW as well. My OVPN servers are listening on 443 TCP, 443 UDP, and 37 TCP :) Tls-crypt has no aim and is not able to mask the OVPN session. The GFWC uses very sophisticated AI backed DPI tools to analyze the traffic. Usually it detects my tunnel within 10-40 minutes and then cuts the connection.

Regarding OP's situation I don't know where he/she lives, but if it is in a democratic country I would change that ISP immediately.
 
The last statement is incorrect. As a road warrior I am using my home OVPN servers regularly. No way to bypass GFWC by just applying tls-crypt! Confirmed many times. It even does not bypass the Egypt FW as well. My OVPN servers are listening on 443 TCP, 443 UDP, and 37 TCP :) Tls-crypt has no aim and is not able to mask the OVPN session. The GFWC uses very sophisticated AI backed DPI tools to analyze the traffic. Usually it detects my tunnel within 10-40 minutes and then cuts the connection.

Regarding OP's situation I don't know where he/she lives, but if it is in a democratic country I would change that ISP immediately.
I can only concur - many countries with camels have very advanced Proxies/Firewalls that only allow limited port usage and they have as described AI based DPI tools that sniff and analyze. OVPN is blocked by default and in the unlikely event that you make it work it will only have a very short life, as they will swiftly shovel a heap of sand in your connection :)
 
I can only concur - many countries with camels have very advanced Proxies/Firewalls that only allow limited port usage and they have as described AI based DPI tools that sniff and analyze. OVPN is blocked by default and in the unlikely event that you make it work it will only have a very short life, as they will swiftly shovel a heap of sand in your connection :)
Yes, I know :) My previous statement is based also on my own experience while traveling in Egypt.
 
The last statement is incorrect. As a road warrior I am using my home OVPN servers regularly. No way to bypass GFWC by just applying tls-crypt! Confirmed many times. It even does not bypass the Egypt FW as well. My OVPN servers are listening on 443 TCP, 443 UDP, and 37 TCP :) Tls-crypt has no aim and is not able to mask the OVPN session. The GFWC uses very sophisticated AI backed DPI tools to analyze the traffic. Usually it detects my tunnel within 10-40 minutes and then cuts the connection.

Regarding OP's situation I don't know where he/she lives, but if it is in a democratic country I would change that ISP immediately.

I've had Chinese users telling me they were able to bypass the firewall using tls-crypt, so I guess your mileage may vary depending on what you are connecting to. For instance if you use a VPN tunnel provider, then most likely their entire ASN is being blocked.
 
I knew tls-crypt worked at launch but I guess the pesky governments and their DPI tools ixnay'd that....

I've been running OBFS3 over 993 (my 443 is occupied) for a couple years and never had any issues.... but I also haven't traveled outside Canada in that time. But I've had zero issues with OBFS3 on government public wifi that used to give me grief.

You could probably run OBFS on the router but would require entware/python to be installed.... I haven't seen anybody around here attempting it yet but haven't searched either
 
I knew tls-crypt worked at launch but I guess the pesky governments and their DPI tools ixnay'd that....

That might explain then why I received feedback that it was working back when it was first implemented - things could have changed since then.

There's a tls-crypt V2 coming in OpenVPN 2.5. I don't know however if it improves obfuscation in any way, or if they just streamlined the key handling.
 
I've had Chinese users telling me they were able to bypass the firewall using tls-crypt, so I guess your mileage may vary depending on what you are connecting to. For instance if you use a VPN tunnel provider, then most likely their entire ASN is being blocked.
I am speaking about connection to my own OVPN server located at my home in Bulgaria when I am in China and using my laptop from public Wi-Fi at a hotel, an airport, etc. Connection is successful for maximum 30-40 minutes. After that time the GFWC reveals my tunnel and kills the connection. So no blocking by ASN. There is a lot of information on the web regarding the sophisticated technologies used by GFWC. They normally do not have an immediate effect. The connection is killed after some time needed to securely detect the tunnel - 30 to 40 minutes, maximum an hour. After that the IP address of the OVPN server is blacklisted for a couple of days/weeks and any other connection attempts are blocked immediately. One of the technologies used, which I discovered experimentally, is checking for the presence of a normal https web site at the OVPN server's IP address. I observed constant attempts to establish a standard https connection to my VPN server from Chinese IPs within about half an hour from the time my tunnel is established. As they fail (no web site there) the GFWC classifies the connection as VPN and kills it. But this is just one of the methods used.

I know that many commercial VPN providers advertise their services as "the only VPN service that works from within mainland China", but taking into account my own experience I am suspicious that even if it is a correct statement, maybe they have some secret agreement with Chinese authorities allowing them to operate. The question is what is the price to have such agreement? ;)
 
I know that many commercial VPN providers advertise their services as "the only VPN service that works from within mainland China", but taking into account my own experience I am suspicious that even if it is a correct statement, maybe they have some secret agreement with Chinese authorities allowing them to operate. The question is what is the price to have such agreement? ;)

I suspect those claiming that are the ones who run the XOR hack on their OpenVPN server, or they are starting to offer Shadowsocks support.
 
Thank you all for the discussion.
I have tried different ports over TCP and TLS crypt.. unfortunately they didn't work. Noticed that the new embedded T*R works, might that be going through different ports??
Interesting to see that many v p n service providers' apps are working through desktop / router apps, and I was told that they are using stealth or wireguard, what are those? Could they be adapted?
 
For some reason, it gets stuck on connecting, and never shows either connected or failed.

Most likely it's not going to work if someone is doing packet inspection and applying other blocking technologies. This works only with some ISPs simply blocking specific ports expected to be used by VPN connections. They can't block 443 because it basically breaks the Internet. It was just the first suggestion that came to mind. Try to delete the VPN client and set it up again just to test if something in configuration is the issue, but I have some doubts about it.
 
Most likely it's not going to work if someone is doing packet inspection and applying other blocking technologies. This works only with some ISPs simply blocking specific ports expected to be used by VPN connections. They can't block 443 because it basically breaks the Internet. It was just the first suggestion that came to mind. Try to delete the VPN client and set it up again just to test if something in configuration is the issue, but I have some doubts about it.

Thanks Val D., tried quite a number of times now, but it doesn't seem to work.. I guess I'm stuck with T*r for now. It's supposed to be secure, right? But might not be excellent for connecting me to Nintendo online server :p
 
I guess I'm stuck with T*r for now.

Using it is detectable. It's like walking on the street with face covered with a mask. No one can see your face, but everyone can see the mask. It catches attention, why are you wearing the mask? I mean, don't get into trouble for no reason.
 
I've had Chinese users telling me ........
itworks.jpg

ps.: Just a bad joke, please don't take it seriously :]
 
This is what natural intelligence packet inspection looks like...
This is why they need 30-40min to detect and shut down a VPN tunnel. :)
 
