VPN Obfuscation — All You Need to Know

Updated on: 12 July 2020
Updated on:12 July 2020

In general usage, obfuscation is done to hide or obscure a message’s intended meaning, making it difficult to understand. In the context of VPNs, obfuscation is done to hide VPN traffic, and hence bypass VPN blocks.

Internet Service Providers (ISPs) and governments love to spy on user traffic and use that info for data analytics. The goal, ultimately, may be to filter for or block out content. But obviously, not everyone appreciates this, so users may employ VPNs to prevent other parties from spying on their data.

Unfortunately, the battle doesn’t end here. Sometimes, governments block VPNs or the standard ports through which VPN traffic passes. So then as a countermeasure, users employ VPN obfuscation (also known as “cloaking technology” or “stealth VPN”).

How does VPN obfuscation work? By scanning for non-blocked ports and pushing VPN traffic through them or disguising that traffic as unencrypted normal internet traffic. A VPN protocol has unique metadata that can be used to diagnose its identity — obfuscation removes such metadata.

In short, obfuscation ultimately makes VPN traffic look like normal traffic to VPN blockers.

VPN Obfuscation

Why Use VPN Obfuscation?

Obfuscation techniques help you achieve five primary goals:

#1. Bypass censorship by the government

The governments of countries like China, North Korea, Egypt, and Iran implement many measures to stop their citizens from accessing blocked or filtered websites. For example, the “Great Firewall” of China blocks Facebook, WhatsApp, and even Twitter.

In response, some users implement a VPN and make their content unreadable. However, ISPs can detect traffic from a VPN server, and they block this traffic in different ways:

  • By blocking the traffic going to a particular VPN server (if it’s known by the ISP or government).
  • By blocking the ports that VPN traffic enters through (this port is usually 1194).
  • By detecting the nature of the traffic and labelling it as VPN traffic. This is an advanced method that uses Deep Packet Inspection to identify the signature of the OpenVPN protocol.

To avoid the first two blocking types, VPNs can simply pass the traffic from different servers and through different ports. But to counter advanced detection mechanisms such as DPI, VPNs need obfuscation to disguise their traffic as normal traffic.

#2. Avoid network blocks

Even if your government doesn’t restrict internet access, you may not be completely out of the woods yet. Your workplace or university, for example, might employ special detection techniques to render even your VPN obsolete. Fortunately, VPN obfuscation can help you here, too.

#3. Increase privacy and anonymity

VPN obfuscation provides you with more security, privacy, and anonymity over your data. You’ll be safer not only from the prying eyes of governments and ISPs but also from those of cybercriminals.

#4. Unblock streaming websites

Unfortunately, a VPN won’t unblock popular platforms like Netflix in countries where it’s unavailable. These platforms block VPN traffic visiting their sites through the various means previously discussed in this article. VPN obfuscation is your only hope to access these sites.

#5. Avoid ISP throttling

ISP throttling is when your ISP halts or meddles with speed when you either stream or download large files. A VPN can stop this from happening, but only to the extent that it isn’t detected as VPN traffic. Obfuscation is a practical solution to this problem, too.

How DoesVPN Obfuscation Work?

There are several ways to obfuscate your VPN traffic. Note that for any obfuscation to work, both the client and server need to be set up.

Obfsproxy

This works in parallel to the Tor Project and was originally designed as a countermeasure for the block on the Tor browser in countries like China, Iran, and Syria.
However, this can also be used with OpenVPN.

How does Obfsproxy work? As previously discussed, DPI algorithms can detect traffic as belonging to a particular type, such as HTTP, BitTorrent, SSL, and VPN. Obfsproxy allows Tor traffic or VPN traffic to flow through while taking on a more preferable appearance. It adds a wrapper around your traffic, and it also uses a handshake that consists of unrecognizable byte patterns.

Stunnel

This proxy server adds an extra layer to user VPN traffic so it’s seen as TLS/SSL traffic. This way, DPI algorithms can’t detect it as VPN traffic. TLS/SSL is an encryption type used by HTTPS. So, snooping ISPs and governments can’t tell the difference between real HTTP traffic and one masked by the Stunnel software.

SSTP protocol

Secure Socket Tunneling Protocol (SSTP) changes VPN traffic to look like HTTPS traffic. This VPN protocol uses SSL encryption and port 443 instead of TCP. Sniffers would have difficulty distinguishing between normal HTTPS traffic and VPN traffic, as HTTPS protocol also uses SSL for secure browsing.

The only drawback with SSTP protocol is that it can be used only on Windows platforms, not Linux or macOS platforms.

SOCKS5 Proxy or ShadowSocks

This was first introduced by a Chinese programmer as a solution to the VPN block in China. The Socket Secure 5 (SOCKS5) protocol is at play here, and it’s secure enough to use this. ShadowSocks delivers fast and reliable service while adding an extra layer of protection so that unauthorized persons are given no access to the data shared.

OpenVPN Scramble or XOR Obfuscation

OpenVPN traffic is disguised so that it can’t be detected as generated from an OpenVPN server. This has been proven to effectively defy DPI algorithms, as it can bypass even the strongest VPN blocks implemented by many ISPs.

OpenVPN Scramble is also known as “XOR Obfuscation” because it’s implemented by using the XOR encryption algorithm. The XOR algorithm is a very simple additive cipher. Although this may not sound very secure, it’s not this cipher’s duty to worry about security. That’s done by OpenVPN itself. This algorithm simply scrambles the data in the OpenVPN traffic so that DPI algorithms can’t identify the added signature.

Concerns About VPN Obfuscation

Traffic encryption

There’s a misconception that obfuscation decrypts VPN traffic. But VPN traffic is always protected with a reliable VPN, and obfuscation only masks the VPN traffic so that it can’t be detected by ISPs as such.

Network neutrality

Network neutrality is the concept that ISPs should treat all internet communications equally — regardless of the content, user, website, destination IP, and more. ISPs can’t charge differently or slow down connections for different users. But in reality, they don’t follow this principle.

So the advantages of net neutrality in regard to obfuscation also depend on the ISPs. If they decide to charge differently for specific services used by their customers, a VPN can’t help.

Drawbacks of using VPN obfuscation

  • Obfuscation demands more resources than your regular VPN traffic to introduce extra layers of protection.
  • If you don’t have a high-speed internet connection, obfuscation can crash your online activities.
  • VPN obfuscation may slow down your connection due to extra encryptions.

Obfuscation and the Best VPN Providers

Many VPNs claim that they offer the best obfuscation techniques. But beware, because unless it’s a reliable VPN, it may fail even to bypass government firewalls. And even if it works, it might still be annoyingly slow.

Let’s take a look at some of the best obfuscated VPN providers whose services live up to the quality they claim.

ExpressVPN

So far, ExpressVPN is rated as the best VPN to provide obfuscation in countries like China. This is impressive, considering that China has an advanced online censorship system in place — known as the Great Firewall.

Although ExpressVPN may not be as cheap as other VPN vendors, it has a wide range of server locations and offers 24/7 service. It’s available almost 100% of the time and truly offers the best security.

You can try ExpressVPN risk-free. So even if it ends up not being for you, it’s easy enough to avail of the 30-day money-back guarantee and switch to a different vendor.

How to set up Obfuscation in ExpressVPN

1. Download the ExpressVPN application.

Download ExpressVPN

2. Log in to your account.

ExpressVPN Login

3. Activate ExpressVPN by entering the activation code.

ExpressVPN Activation Code

4. Obfuscation is a built-in feature available for some servers. Therefore, if you reside in a country like China, you’ll have to use the designated servers for China users. If you don’t know the exact servers, just ask the support team.

5. Navigate to “All Locations” and search for the Hong Kong server.

ExpressVPN Locations

Then:

ExpressVPN Hong Kong

And finally:

ExpressVPN Hong Kong 2

NordVPN

What’s great about NordVPN is its affordable prices. With unlimited bandwidth covering more than 60 countries, it allows for fast streaming, and specialized security and privacy optimizations.

How to set up Obfuscation in NordVPN

  • Download the NordVPN application, and enter the login details.
  • Navigate to the settings.
  • Click on Advanced Settings.
  • Tick the “I know what I am doing” checkbox.
  • Enable the “Obfuscated Servers” option.

SurfShark

The next best option to consider if you’re in an internet-censored country is SurfShark. What’s unique about SurfShark is that it allows you to connect with an unlimited number of devices with a single subscription. It unblocks the most restricted servers and keeps no logs of user traffic.

How to set up Obfuscation in SurfShark

You need to enable NoBorders, the feature that allows VPN obfuscation in SurfShark.

  • Open SurfShark and go to the settings.
  • Select “Advanced.”
  • Enable NoBorders.

VyprVPN

VyprVPN provides a well-optimized encryption service with high-speed servers.

Chameleon Protocol is the Obfuscation mechanism used in VyprVPN. This code scrambles the metadata created in the OpenVPN and makes the signature unrecognizable to the Deep Packet Inspection algorithms.

How to Optimize Your VPN Obfuscation

There are several things you can do to improve the performance of your VPN obfuscation.

  • Use the nearest VPN server. This can speed up your connection, as it takes less time for the data packets to travel.
  • Change the default DNS address to the provider’s address. This is normally done by most VPN vendors.
  • Use split-tunnelling so that other traffic apart from VPN traffic flows through an unencrypted separate tunnel. This can make your internet traffic less weighty. Here’s how to use split-tunnelling with ExpressVPN:

1. Select “Preferences” from the menu.

ExpressVPN Preferences

2. The “General” tab has an option for split-tunnelling. Enable it and click on Settings.

ExpressVPN Split Tunelling

3. Now you can select how you want your internet traffic to use the VPN services.

To prevent leaks, employ a Kill Switch when using a VPN. If it’s always on, you can be sure that your internet traffic won’t be sent if the VPN goes down.
In ExpressVPN, Network Lock is the Kill Switch. You can enable it in the “General” tab under the “Options” window.

Not only can implementing all these measures help avoid slow connections, but it can also improve security.

Conclusion

VPN obfuscation is great for bypassing government- and ISP-deployed firewalls, and for improving your internet traffic’s privacy and anonymity.

But have you really won? Aren’t there ways for the government to block VPN obfuscation, too? Well, not directly. But they can, of course, block the VPN providers’ official websites. Then you’ll have no access to a reliable VPN. So if you live in a country where government censorship is a serious thing, and if you’ve actually spotted a VPN that hasn’t been blocked yet, get your hands on it ASAP.

But if you live in a country that gives you the freedom to browse and shop online as you wish, our VPN recommendations above are yours for the taking. As you know by now, VPN obfuscation is fairly straightforward. All you have to do is take your pick from among the reliable vendors available.

Written by: Shanika W.

Connect with him:

Shanika Wickramasinghe is a software engineer by profession. She works for WSO2, one of the leading open-source software companies in the world. One of the biggest projects she has worked on is building the WSO2 identity server which has helped her gain insight on security issues. She is keen to share her knowledge and considers writing as the best medium to do so. Cybersecurity is one of her favorite topics to write about. Being a graduate in Information Technology, she has gained expertise in Cybersecurity, Python, and Web Development. She is passionate about everything she does, but apart from her busy schedule she always finds time to travel and enjoy nature.

Leave a Reply

Your email address will not be published. Required fields are marked *