Bypassing censorship by using obfsproxy and openVPN or SSH

Dlshad Othman @dlshadothman

The Syrian ISP has installed sophisticated technologies to monitor and filter traffic. These boxes are DPI (Deep Packet Inspection) boxes: they inspect every packet flowing through them for specific patterns, and they give their administrator the option to block traffic that matches these patterns. These boxes are very sophisticated: they don't just filter traffic by source, destination or port, they filter traffic by the content the packets carry.

Since August 2011 the Syrian regime has applied DPI and started blocking OpenVPN and L2TP/IPSec connections, so that no user can have a secure connection.

Tor Action:

Tor is one of the main anonymity providers, and DPI was able to block its traffic by the "digital fingerprint" of that traffic. Tor said:

"An increasing number of censoring countries are using Deep Packet Inspection (DPI) to classify Internet traffic flows by protocol. While Tor uses bridge relays to get around a censor that blocks by IP address, the censor can use DPI to recognize and filter Tor traffic flows even when they connect to unexpected IP addresses."

In response to that, Tor deployed a technology called Pluggable Transports, which can obfuscate the traffic so that it looks like "nothing!", which will drive the evil DPI boxes crazy! The traffic is not easily recognizable! :D

Diagram 1 (DPI box allows HTTP traffic to pass, and blocks OpenVPN)

How can we use it?

In Syria for the last 2 years, people were able to use OpenVPN and SSH connections in order to encrypt their traffic, and now only SSH connections are working, along with other encrypted connections "through obfsproxy". I don't think they will block SSH, because (SEA) need it to do their operations -_- also the government has servers around that need to be managed!

The best way to use it is to have obfsproxy with OpenVPN or with SSH. This example is a secure connection: OpenVPN covered by obfsproxy was able to pass the DPI filtering system.

The Scenario:

End user: A regular user behind the Syrian firewall who has (obfsproxy + OpenVPN client).
ISP DPI Box: The DPI filtering system.
OpenVPN Server: OpenVPN server configured to receive OpenVPN requests from the obfsproxy server.
Obfsproxy Server: obfsproxy server configured to receive obfsproxy connections from the outside world, uncover them, and then send regular OpenVPN requests to the OpenVPN server.

OpenVPN client (local) ---> obfsproxy client (local) ---> obfsproxy server ---> OpenVPN server

Note: you can use one server running both obfsproxy and the OpenVPN server.

Install openvpn Server

Ubuntu / Debian server: Personally, I would prefer to use an Ubuntu or Debian server; they have great documentation online.

Step 1

You need root access to your server. SSH into it and let's rock & roll :)

Install OpenVPN: run the following command in the terminal:

    sudo apt-get install openvpn

Then answer yes and press Enter.

- Generate the certificates

Step 2

You need to generate the server certificates. Run the following command to copy the standard certificate and configuration samples and tools:
    sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2

Then go to the OpenVPN Easy RSA folder (run this command):

    cd /etc/openvpn/easy-rsa2

First you need to change the variables from the defaults to your own, such as your email, name, etc. Run the following command:

    sudo nano vars

(Maybe you don't have the nano editor; you can install it by running the following command: sudo apt-get install nano)

    export KEY_COUNTRY="XX"
    export KEY_PROVINCE="YY"
    export KEY_CITY="City"
    export KEY_ORG="My VPN Service"
    export KEY_EMAIL=""

Run the following commands, one by one:

    sudo mkdir keys
    source ./vars
    sudo -E ./clean-all
    sudo -E ./build-ca
    sudo -E ./build-key-server server
    sudo -E ./build-dh
    # the keys are written to the keys folder of the directory copied above
    sudo cp /etc/openvpn/easy-rsa2/keys/ca.crt /etc/openvpn
    sudo cp /etc/openvpn/easy-rsa2/keys/ca.key /etc/openvpn
    sudo cp /etc/openvpn/easy-rsa2/keys/dh1024.pem /etc/openvpn
    sudo cp /etc/openvpn/easy-rsa2/keys/server.crt /etc/openvpn
    sudo cp /etc/openvpn/easy-rsa2/keys/server.key /etc/openvpn

After that you need to restart the OpenVPN server. Run the following command:

    sudo service openvpn restart

- Generate Client Certificates

    cd /etc/openvpn/easy-rsa2
    source ./vars
    sudo -E ./build-key user1

(user1 is the user's nickname; you can change it to whatever you like)

Then copy the following files (user certificates) from the server side to the client side over a secure connection such as SSH or SFTP:

    ca.crt
    user1.crt
    user1.key

- Configure OpenVPN

Run the following commands. First we need to add a user called openvpn to the system, with no privileges to SSH into the server:

    sudo adduser --system --no-create-home --disabled-login openvpn
    sudo addgroup --system --no-create-home --disabled-login openvpn

Then we need to copy the standard OpenVPN configuration files by running the following commands:

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

then

    sudo gunzip /etc/openvpn/server.conf.gz

then

    cd /etc/openvpn

Edit the server configuration file by running the following command:

    sudo nano server.conf

Change user and group:

    user openvpn
    group openvpn

Then restart OpenVPN by running the following command:

    sudo service openvpn restart

To make sure that it's working, run the following command:

    ifconfig

You should have a tun0 interface in the network interfaces list.

Note: Installing and configuring the OpenVPN server will not by itself allow you to route the web traffic to the client; you have to enable that. To do it, run the following commands:

    cd /etc/openvpn
    sudo nano server.conf
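
The content-based filtering described at the top of this document (a DPI box matching on what the first packets carry rather than on address or port), shown as an added example that is not part of the original document. It is a minimal Python classifier run over constructed first payloads, with a toy XOR keystream standing in for an obfuscating transport (it is not obfs2 or any real pluggable transport); the function names, the secret and the sample bytes are assumptions made for the illustration.

```python
import hashlib
import struct

# OpenVPN hard-reset opcodes: upper 5 bits of the first byte after the TCP
# length prefix. They open every session and are sent unencrypted.
HARD_RESET_OPCODES = {1, 2, 7, 8}  # client/server v1, client/server v2


def classify_first_payload(payload: bytes) -> str:
    """Label a TCP flow from its first payload only, ignoring addresses and ports."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    if len(payload) >= 3:
        (length,) = struct.unpack("!H", payload[:2])
        opcode, key_id = payload[2] >> 3, payload[2] & 0x07
        # Length prefix must cover the rest of the record; key_id starts at 0.
        if length == len(payload) - 2 and opcode in HARD_RESET_OPCODES and key_id == 0:
            return "openvpn"
    return "unknown"


def openvpn_client_hello(session_id: bytes) -> bytes:
    """Constructed P_CONTROL_HARD_RESET_CLIENT_V2 record (no tls-auth), TCP framing."""
    body = bytes([7 << 3]) + session_id + b"\x00" + struct.pack("!I", 0)
    return struct.pack("!H", len(body)) + body


def toy_obfuscate(data: bytes, secret: bytes) -> bytes:
    """Stand-in for an obfuscating transport (NOT obfs2): XOR with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(secret).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def demo() -> dict:
    """Classify constructed sample payloads, including an obfuscated OpenVPN hello."""
    hello = openvpn_client_hello(bytes(range(8)))
    samples = {
        "http": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
        "ssh": b"SSH-2.0-OpenSSH_6.0\r\n",
        "openvpn": hello,
        "openvpn+obfs": toy_obfuscate(hello, b"constructed-secret"),
    }
    return {name: classify_first_payload(data) for name, data in samples.items()}


if __name__ == "__main__":
    print(demo())
```

A verdict of "unknown" only gets past a box that blocks protocols it recognizes; a filter that allows only recognized protocols would still drop the obfuscated flow.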