ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    OpenVPN Server with SSL Tunnel

    IT Discussion
    7
    23
    6.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • dafyreD
      dafyre
      last edited by

      Remote Desktop Gateway or SSH Jump box?

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • DashrenderD
        Dashrender @wrx7m
        last edited by

        @wrx7m said:

        How would you get around the VPN thing to let certain users access documents in the US from China?

        Actually I have no idea what the laws of China actually are. I know journalist break them all the time so they can get their stories out. I'd say that you have some work ahead of you to discover what Chinese law is, and then work from there.

        For example, if Chinese law says you can't use encrypted traffic that they can't decrypt, well that more or less you can't use SSL or VPN that they themselves don't have the keys to, otherwise you're breaking the law.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @RamblingBiped
          last edited by

          @RamblingBiped said:

          The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

          That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

          RamblingBipedR 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @RamblingBiped
            last edited by

            @RamblingBiped said:

            So just changing OpenVPN configuration to use TCP port 443 should do the same thing? From what I had previously read they still have some way of detecting and shutting down OpenVPN traffic.

            Yes, no idea how they could identify it. OpenVPN, stunnel or any SSL tunnel are all the same thing. Literally the same thing. They are just management systems for the same SSL connector. They actually leverage the same library to do the actual VPN.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @wrx7m
              last edited by

              @wrx7m said:

              How would you get around the VPN thing to let certain users access documents in the US from China?

              You would turn off all security. That's why doing business in China isn't that great.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @dafyre
                last edited by

                @dafyre said:

                Remote Desktop Gateway or SSH Jump box?

                Those use VPNs to be secured. SSH goes over an SSL VPN tunnel. RDS needs that too for security. All HTTPS sites are VPNs under the hood. We don't call them that, but they are and they violate Chinese Internet rules.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said:

                  @wrx7m said:

                  How would you get around the VPN thing to let certain users access documents in the US from China?

                  Actually I have no idea what the laws of China actually are. I know journalist break them all the time so they can get their stories out. I'd say that you have some work ahead of you to discover what Chinese law is, and then work from there.

                  For example, if Chinese law says you can't use encrypted traffic that they can't decrypt, well that more or less you can't use SSL or VPN that they themselves don't have the keys to, otherwise you're breaking the law.

                  Correct, you cannot use SSL whatsoever legally.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller
                    last edited by

                    To be clear... you CAN use VPNs in China, there is paperwork for this. All encrypted traffic is illegal if you don't have permits for it.

                    1 Reply Last reply Reply Quote 0
                    • RamblingBipedR
                      RamblingBiped @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      @RamblingBiped said:

                      The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

                      That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

                      I agree, and I have found articles like this one, that seem to think they can detect patterns in the traffic that identify it as being associated with a VPN connection: http://www.vpnanswers.com/bypass-great-firewall-hide-openvpn-in-china-2015/

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @RamblingBiped
                        last edited by

                        @RamblingBiped said:

                        @scottalanmiller said:

                        @RamblingBiped said:

                        The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

                        That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

                        I agree, and I have found articles like this one, that seem to think they can detect patterns in the traffic that identify it as being associated with a VPN connection: http://www.vpnanswers.com/bypass-great-firewall-hide-openvpn-in-china-2015/

                        Yes, traffic patterns can certainly identify VPNs. However, that's based on the traffic inside the tunnel and not the VPN itself. And the real question is... what are they detecting? They know it is a VPN, they can see the SSL. That it is a VPN isn't hidden.

                        1 Reply Last reply Reply Quote 0
                        • 1
                        • 2
                        • 2 / 2
                        • First post
                          Last post