    OpenVPN Server with SSL Tunnel

    • wrx7m

      We do business in China and have a very small office there. We have 2 Chinese nationals and an American. I was not aware of the VPN legalities so that is interesting.

      • wrx7m

        How would you get around the VPN thing to let certain users access documents in the US from China?

        • dafyre

          Remote Desktop Gateway or SSH Jump box?

          • Dashrender @wrx7m

            @wrx7m said:

            How would you get around the VPN thing to let certain users access documents in the US from China?

            Actually I have no idea what the laws of China actually are. I know journalists break them all the time so they can get their stories out. I'd say that you have some work ahead of you to discover what Chinese law is, and then work from there.

            For example, if Chinese law says you can't use encrypted traffic that they can't decrypt, well, that more or less means you can't use SSL or VPN that they themselves don't have the keys to, otherwise you're breaking the law.

            • scottalanmiller @RamblingBiped

              @RamblingBiped said:

              The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

              That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

              • scottalanmiller @RamblingBiped

                @RamblingBiped said:

                So just changing OpenVPN configuration to use TCP port 443 should do the same thing? From what I had previously read they still have some way of detecting and shutting down OpenVPN traffic.

                Yes, no idea how they could identify it. OpenVPN, stunnel or any SSL tunnel are all the same thing. Literally the same thing. They are just management systems for the same SSL connector. They actually leverage the same library to do the actual VPN.

                • scottalanmiller @wrx7m

                  @wrx7m said:

                  How would you get around the VPN thing to let certain users access documents in the US from China?

                  You would turn off all security. That's why doing business in China isn't that great.

                  • scottalanmiller @dafyre

                    @dafyre said:

                    Remote Desktop Gateway or SSH Jump box?

                    Those use VPNs to be secured. SSH goes over an SSL VPN tunnel. RDS needs that too for security. All HTTPS sites are VPNs under the hood. We don't call them that, but they are and they violate Chinese Internet rules.

                    • scottalanmiller @Dashrender

                      @Dashrender said:

                      @wrx7m said:

                      How would you get around the VPN thing to let certain users access documents in the US from China?

                      Actually I have no idea what the laws of China actually are. I know journalists break them all the time so they can get their stories out. I'd say that you have some work ahead of you to discover what Chinese law is, and then work from there.

                      For example, if Chinese law says you can't use encrypted traffic that they can't decrypt, well, that more or less means you can't use SSL or VPN that they themselves don't have the keys to, otherwise you're breaking the law.

                      Correct, you cannot use SSL whatsoever legally.

                      • scottalanmiller

                        To be clear... you CAN use VPNs in China, there is paperwork for this. All encrypted traffic is illegal if you don't have permits for it.

                        • RamblingBiped @scottalanmiller

                          @scottalanmiller said:

                          @RamblingBiped said:

                          The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

                          That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

                          I agree, and I have found articles like this one, that seem to think they can detect patterns in the traffic that identify it as being associated with a VPN connection: http://www.vpnanswers.com/bypass-great-firewall-hide-openvpn-in-china-2015/

                          • scottalanmiller @RamblingBiped

                            @RamblingBiped said:

                            @scottalanmiller said:

                            @RamblingBiped said:

                            The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

                            That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

                            I agree, and I have found articles like this one, that seem to think they can detect patterns in the traffic that identify it as being associated with a VPN connection: http://www.vpnanswers.com/bypass-great-firewall-hide-openvpn-in-china-2015/

                            Yes, traffic patterns can certainly identify VPNs. However, that's based on the traffic inside the tunnel and not the VPN itself. And the real question is... what are they detecting? They know it is a VPN, they can see the SSL. That it is a VPN isn't hidden.
