OpenVPN server is fairly easy to setup. However OpenVPN traffic signature can be detected using deep packet inspection and be blocked.

The tor network offers a transport called ofbsproxy that can help mask the OpenVPN traffic and prevent it from being blocked. obfsproxy can be used independently of tor.

This post gives a quick overview of the steps needed to enable OpenVPN tunneling over (through) obfsproxy.

Getting OpenVPN working over obfsproxy assumes that you or someone you know has access to the VPN server itself to set up the proxy. This is a bit of a bummer if you don't. In that case, there are obfsproxy services offered by NordVPN and among others. If you use these services, they will provide you with the instructions to connect (ports, passwords, etc.).

Assuming that you have access to the OpenVPN server and client machine, the steps needed to get OpenVPN working with obfsproxy are:

  • Working installation of OpenVPN server and client
  • Install obfsproxy on both client and VPN server
  • Configure obfsproxy on client and server
  • Configure VPN client and server to use obfsproxy as socks proxy
  • Start obfsproxy as daemon on client and server
  • Start VPN server and have client connect to it via obfsproxy
  • Enjoy tunneling through most restrictive zones!

Client Side

These instructions assume a Linux client but users have reported being able to do this on Windows too. But YMMV.

Install and run obfsproxy

Ensure that python 2.7 and pip are installed.

pip install –-upgrade pip
pip install obfsproxy
obfsproxy --log-min-severity=info obfs2 --shared-secret=<random string up to 32 bytes> socks

Keep the obfsproxy command running in a terminal. The shared-secret must be the same on client and server. Keep it safe. If using a pre-configured server from a VPN provider, this password (shared secret) will be provided by them.

The local port number 11194 can be changed as long as the same number is used in the VPN client configuration.

Configure VPN client

We assume that you have a working VPN client configuration. Make a copy of your currently working configuration file xxx.ovpn and edit it to have the following lines:

remote <VPN server IP> 21194
route <VPN server IP> net_gateway
socks-proxy 11194
  • Comment out or delete any earlier remote directives
  • The port number 21194 is configurable as long as the same port number is used on the server. This is the port on which the obfsproxy on the server side is listening for connections
  • The route command may be optional. Other have reported being able to use obfsproxy without it. But I needed it because without it the DNS resolution would not succeed when connected to the VPN. More explanation about this can be found here.
  • One side effect of the route command is that sometimes the route does not get deleted automatically when the VPN is torn down and has to be deleted manually. The solution may be to use the scripts mentioned in the link. However this introduces further complications because the script has to be run as root while we prefer to downgrade the privileges to user nobody after initialization of the tunnel.
  • The two socks-proxy commands are where all the magic happens. Essentially the obfsproxy acts as a local socks proxy redirecting all VPN traffic through it.
  • The socks port number (11194 here) has to match the port number used in the obfsproxy command above.

Once edited, add the new client configuration to your favorite VPN client.

Server Side

The best part here is that the VPN server itself needs no configuration. It can be started as usual. The only possible change could be to use port 443 instead of the default port 1194 for the VPN server. But if you have a running VPN server configuration without obfsproxy, it is safe to use the existing port. Make a note of the port number that is being used as it will be needed below.

Install and run obfsproxy

pip install –-upgrade pip
pip install obfsproxy
obfsproxy --log-min-severity=info obfs2 --dest= --shared-secret=<random string up to 32 bytes> server
  • obfsproxy is started in server mode listening for connections on port 21194
  • The destination port 1194 is the VPN server port. obfsproxy redirects the connections received on port 21194 to this port
  • The shared secret is the same string that is used to start obfsproxy on the client machine

Open ports and enable IP forwarding

  • Ensure that the server machine is able to receive TCP connections on ports 21194 and 1194 (or whatever ports you chose for the obfsproxy and VPN server above)
  • Ensure that outbound traffic is not restricted
  • Ensure that IP forwarding and masquerading is enabled on the server. If you have a working VPN server, this should already be done.

Start the Tunnel

  • Ensure that the obfsproxy is running
  • Add the new client configuration to the VPN client
  • Click connect and if all goes well, the tunnel should be established
  • Open a browser and enjoy your new protected experience!


Some troubleshooting tips.

SOCKS5 proxy

Some applications may need an additional SOCKS5 proxy configuration to use the tunnel. Usually such applications provide a UI to add the proxy configuration. If needed add server as localhost and port as 11194 (or the port you chose for the obfsproxy client) to the SOCKS5 proxy configuration menu.

Unable to add VPN client

When trying to add the client configuration to the NetworkManager in Gnome, you may receive an error like this:

VPN client add error

Apparently this is a known bug in Gnome, please refer to the discussion here for some possible solutions.


This is a quick and easy way to use OpenVPN over a secure transport to avoid firewall restrictions that identify and block OpenVPN traffic.

Blog Comments powered by Disqus.

Next Post Previous Post