0

I'm currently visiting China, so I have some options for VPNs set up. However, my VPN servers have a habit of suddenly disappearing from the network after I've used them for a while.

I thought it might be an option to use an SSH tunnel to another server, and to connect the VPN through that, to prevent the VPN traffic from being detected. That way, presumbly, the traffic just reads as an SSH connection to the provider.

So, I connect to a server like this:

ssh peter@some-server -L 4444:vpn-server:1194 -N

And then add this to my openvpn client configuration:

remote localhost 1194

Sadly, this doesn't work. The connection authenticates, but afterwards, I can't connect to either the inside of the VPN (ping 10.8.0.1) or the outside (ping 8.8.8.8). Should this work, or am I misunderstanding something?

Is there some iptables nat rule I should add? The only nat rule I've added so far is:

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  • The VPN´s servers disappear because the Chinese Government's servers identify that you're using a VPN. The question is, do you REALLY need this VPN? In spite of the technical challenges, is there a sufficient reason for doing something that can be illegal? If they track your VPN usage and get to you, they can arrest you for using a VPN. China is not the kind of foreign country where you would like to be arrested. They can jail you for months for almost nothing. Would it be worth? – mguima Feb 18 at 18:38
  • @mguima I think you've seen too many movies. – Peter Feb 19 at 9:59
  • Maybe. Remember, they're not Westerns. It's link another kind of world. – mguima Feb 20 at 1:58
1

The simplistic approach to setting up your VPN connection through an SSH tunnel will not work. First problem: you are only tunneling the connection to the VPN server itself, which does not then allow all other traffic to be routed through the VPN server OVER the ssh connection (thus obfuscating the connection). The fix for this is to use a dynamic SOCKS[5] proxy and tell OpenVPN to connect via that proxy. Add to your OpenVPN config file:

socks-proxy localhost 6886
socks-proxy-retry

Then, start your ssh session with a dynamic SOCKS proxy:

ssh -D 6886 -N REMOTE

Then you can start your OpenVPN connection. However, this still has one more failing, at least assuming you want to redirect all traffic through the VPN (OpenVPN directive redirect-gateway def1). For that to work, you need to maintain a route to the SOCKS proxy end point that does not get masked by the routes added by the OpenVPN client. To do this, add another directive to your OpenVPN config that looks like this:

route REMOTE-IP 255.255.255.255 net_gateway default

You might be able to to use the hostname REMOTE in that directive, but you might need to resolve it to an IP address manually.

That should work, at least for ipv4 traffic. A quick google search turns up this blog post which does essentially the same thing, has good descriptions of what's going on, but seems to be more complicated in the solution (using a connection script)

Alternatively, you might also look at using obfs4proxy (e.g. this and this or packaged for ubuntu)

Your Answer

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Not the answer you're looking for? Browse other questions tagged or ask your own question.