
How to bypass Government Censorship in China and Syria – OpenVPN Sheathing


OpenVPN is secure, Open Source, and extremely easy to use. Unfortunately, many censoring ISPs are determined to detect and block it. Blocking by port number is trivially evaded, so the one reliable way to block OpenVPN tunnels is deep packet inspection (DPI), which fingerprints the protocol itself rather than the port it runs on. What is troubling for many individuals is that DPI works and is now widely used.

OpenVPN Sheathing is a method to hide OpenVPN tunnels from DPI. There are two major ways to accomplish sheathing:

stunnel: a GPL Open Source SSL/TLS wrapper created by Michal Trojnara. stunnel wraps the OpenVPN connection in an ordinary TLS session, so on port 443 it looks like the HTTPS traffic normally seen on any network. If an ISP were to block HTTPS outright every user would be severely crippled, so this is not normally done. The price is a performance penalty from the extra TLS layer.

Obfsproxy: a Tor Project subproject. Its pluggable transports (obfs2, obfs3) transform the stream so that it matches no known protocol signature. This is a lighter method than stunnel, but it may be more easily detected: rather than blending into normal traffic, obfsproxy output looks like nothing the ISP has seen before. If an ISP whitelists allowed protocols rather than blacklisting known ones, obfsproxy traffic may be blocked.

For technical details on how to set up your own systems to bypass government censorship, see this:

If you are using OpenVPN in China, even on port 443, you may find that your connections are unstable. The problem is that the Chinese government can tell the difference between a normal SSL session and an OpenVPN session: OpenVPN carries its TLS handshake inside its own control-channel framing (an opcode byte and session ID precede every packet), so it does not look like a browser talking HTTPS, whatever port it uses.

The solution is to mask your OpenVPN connection, and make it look like a regular HTTPS connection.
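To make the point concrete, here is an added example (not code from the original post) of the kind of signature a middlebox can apply to the first bytes of a connection. The sample byte strings are constructed here: the OpenVPN client reset packet is built from OpenVPN's documented framing (2-byte length prefix on TCP, opcode 7 = P_CONTROL_HARD_RESET_CLIENT_V2 with key_id 0, encoded as 0x38, then an 8-byte session ID), while the TLS ClientHello head and SSH banner are what an ordinary browser or OpenSSH client sends. The port number never enters into it.

```python
"""Protocol fingerprints a censor's DPI can key on, and why wrapping helps.

Added example, not part of the original post.  All sample bytes are
constructed inline; nothing here touches the network.
"""
import struct

# OpenVPN control-channel opcode for the first packet a client sends
OPENVPN_OPCODE_HARD_RESET_CLIENT_V2 = 7
OPENVPN_MIN_RESET_LEN = 1 + 8 + 1 + 4  # opcode, session ID, ack count, packet ID


def openvpn_udp_client_reset(session_id: bytes, packet_id: int = 0) -> bytes:
    """Build the first packet an OpenVPN client sends (no tls-auth HMAC)."""
    assert len(session_id) == 8
    opcode_byte = (OPENVPN_OPCODE_HARD_RESET_CLIENT_V2 << 3) | 0  # key_id 0 -> 0x38
    return (bytes([opcode_byte]) + session_id
            + b"\x00"                     # zero acknowledged packet IDs
            + struct.pack("!I", packet_id))


def openvpn_tcp_client_reset(session_id: bytes, packet_id: int = 0) -> bytes:
    """Same packet as carried over TCP: OpenVPN prefixes a 2-byte length."""
    body = openvpn_udp_client_reset(session_id, packet_id)
    return struct.pack("!H", len(body)) + body


# Constructed samples of what a browser and an SSH client send first.
TLS_CLIENT_HELLO_HEAD = (b"\x16\x03\x01\x00\xc8"   # record: handshake, TLS 1.0 compat, length
                         b"\x01\x00\x00\xc4"       # handshake: ClientHello, length
                         b"\x03\x03" + b"\x42" * 32)  # version + client random
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"


def classify_stream_head(head: bytes) -> str:
    """Label the first bytes of a TCP stream the way a simple DPI rule would.

    Returns 'openvpn-tcp', 'tls', 'ssh' or 'unknown'.
    """
    if head.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 3.x, 2-byte length,
    # then the first handshake message must be a ClientHello (type 1).
    if (len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03
            and head[2] <= 0x03 and head[5] == 0x01):
        return "tls"
    # OpenVPN over TCP: length prefix, then (opcode << 3 | key_id), then session ID.
    if len(head) >= 3:
        pkt_len = struct.unpack("!H", head[:2])[0]
        opcode, key_id = head[2] >> 3, head[2] & 0x07
        if (opcode == OPENVPN_OPCODE_HARD_RESET_CLIENT_V2 and key_id == 0
                and OPENVPN_MIN_RESET_LEN <= pkt_len <= 1500):
            return "openvpn-tcp"
    return "unknown"


def classify_udp_payload(payload: bytes) -> str:
    """Same idea for UDP: no length prefix, the opcode byte comes first."""
    if (len(payload) >= OPENVPN_MIN_RESET_LEN
            and payload[0] == (OPENVPN_OPCODE_HARD_RESET_CLIENT_V2 << 3)):
        return "openvpn-udp"
    return "unknown"


if __name__ == "__main__":
    sid = b"\x11" * 8  # constructed session ID
    print("OpenVPN on tcp/443 :", classify_stream_head(openvpn_tcp_client_reset(sid)))
    print("OpenVPN on udp/443 :", classify_udp_payload(openvpn_udp_client_reset(sid)))
    print("browser on tcp/443 :", classify_stream_head(TLS_CLIENT_HELLO_HEAD))
    print("ssh on tcp/22      :", classify_stream_head(SSH_BANNER))
    print("plain HTTP         :", classify_stream_head(b"GET / HTTP/1.1\r\n"))
```

Once OpenVPN is wrapped by stunnel or SSH, the first bytes the censor sees are stunnel's own TLS ClientHello or the SSH banner, and the 0x38 reset packet only ever appears inside the encrypted payload, which is exactly why the signature above stops matching.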

You can do this using one of these methods:

  • Using OpenVPN through an SSL tunnel
  • Using OpenVPN through an SSH tunnel
  • Using a tool called Obfsproxy

Using OpenVPN through an SSL tunnel

You can make your OpenVPN traffic virtually indistinguishable from regular SSL traffic by tunnelling it through SSL: the only thing on the wire is a TLS session that starts with a normal handshake, and the OpenVPN framing that DPI keys on sits inside the encrypted payload, which DPI cannot read. Note that a more determined censor can still examine the outer TLS handshake and the timing and volume of the session, so this hides OpenVPN as such rather than hiding the fact that a long-lived encrypted connection exists.

Typically, you will install stunnel on your own machine (where it listens locally and accepts OpenVPN's connection) and also install stunnel on your VPN server (where it terminates the TLS session and hands the traffic to OpenVPN). Further instructions for setting up stunnel, and a related discussion, are linked here.

Note that using a SSL tunnel will slow down your internet connections.
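The configuration below is an added example of the two-sided stunnel setup just described; it is not taken from the original post or from the stunnel project. The host name vpn.example.com, the certificate paths and the choice of port 443 are assumptions for illustration. stunnel's configuration format is shown for both ends; the matching OpenVPN changes are described after the block.

```ini
; ---- client machine: /etc/stunnel/openvpn-client.conf (assumed path) ----
; stunnel listens on localhost; OpenVPN connects here instead of the server.
client = yes

[openvpn]
accept  = 127.0.0.1:1194
connect = vpn.example.com:443
; Verify the server certificate, otherwise the censor could terminate the
; TLS session itself and see the OpenVPN framing again.
verifyChain = yes
CAfile      = /etc/stunnel/vpn-ca.pem
checkHost   = vpn.example.com

; ---- VPN server: /etc/stunnel/openvpn-server.conf (assumed path) ----
; stunnel answers on 443 like a web server and forwards to OpenVPN locally.
[openvpn]
accept  = 443
connect = 127.0.0.1:1194
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
```

On the client, OpenVPN's config then uses `proto tcp-client` and `remote 127.0.0.1 1194`; on the server it uses `proto tcp-server`, `port 1194` and `local 127.0.0.1` so that OpenVPN itself is only reachable through stunnel. The same two client-side OpenVPN lines serve the SSH variant described further down, where an `ssh -L 1194:127.0.0.1:1194` forward provides the local listener instead of stunnel. Because stunnel and SSH carry TCP only, the sheathed tunnel is necessarily OpenVPN over TCP.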

UDP is better for any kind of tunnel because it has lower overhead and does not try to retransmit packets unnecessarily. In certain instances retransmitting packets is actively counterproductive. Anything that needs a stateful or "reliable" connection (i.e. TCP) already has packet retransmission built into the protocol. If you run two of these protocols on top of each other (such as TCP over a TCP tunnel), bad things start to happen, because more than one layer is now trying to retransmit the same data and their timers interact badly. So you should use UDP unless there is a very specific reason you need TCP, such as a firewall restriction. Sheathing is one such reason: stunnel and SSH only carry TCP, so a wrapped OpenVPN connection runs in TCP mode and pays exactly this TCP-over-TCP penalty, which is part of the slowdown mentioned above.

OpenVPN through an SSH tunnel

Using OpenVPN with an SSH tunnel is very similar to using it with an SSL tunnel. The difference is that you wrap your OpenVPN traffic in SSH encryption (a port forward from the SSH client to the server) instead of SSL encryption. SSH is the "secure shell" software used to make connections to shell accounts on Unix systems. You can find SSH clients for most operating systems, PuTTY for example.

When using SSH tunnels, note that:

  • There have been reports that the Chinese government throttles SSH connections
  • SSH is much more than just encryption, so you will see more overhead with SSH tunnels than with stunnel
  • SSH is harder to set up as a tunnel on Windows, whereas stunnel is cross-platform

Using Obfsproxy

Obfsproxy is a tool designed to make VPN connections difficult to detect. It was created by the Tor Project when China started blocking Tor bridges, but it can be used outside the Tor network to mask VPN connections.

There are instructions for setting up Obfsproxy with OpenVPN on this page.

Obfsproxy does not provide its own authenticated encryption; its transforms only scramble the stream so that it matches no signature, and OpenVPN's own crypto remains the security boundary. Because the transform is cheap, it adds little overhead, so it is useful in countries where bandwidth is limited (e.g. Syria or Ethiopia).

  1. Reblogged this on TheFlippinTruth.


  2. Very good article. There are no easy solutions for VPN in China and the game is always changing. Methods that used to work often stop working, etc. Traffic obfuscation methods will also keep evolving.


    • Hi Rtt,
      China did block UDP in private homes for a while, and that may still be the situation. Next, they blocked known ports for VPNs; luckily the obfuscation trick kept the VPNs running in China.
      I agree totally with your point that it's like a game of cat and mouse. But the privacy geeks will win the day (me, biased?).

