Question of using a VPN with SSL port 443

So my VPN provider has an option for me to change my protocol to SSL port 443 and they stated that the OpenVPN connection is no longer detected if deep packet inspection is used.

My question is how true is this? I’ve got some questions:

Does SSL port 443 provide true anonymity?

What’s the difference between connecting on TCP/UDP port 443 vs SSL 443?

If I do SSL port 443 is there really no way that my ISP can know I’m using a VPN at all and will just come across as normal HTTPS traffic?

EDIT: my provider lets me use a stunnel connection to use OpenVPN over SSL. Would that completely hide my traffic usage?

OK, so there’s a bit of confusion in your question there.

So first here’s a quick explainer on what ports are

Now, port 443 is the default TCP port used for an SSL (“Secure Sockets Layer”) connection when using https (hypertext transport protocol secure).

There’s nothing magical about using that particular port as opposed to any of the other 65535 ports you have available…

BUT

it can be a good idea because it will make the traffic look like https traffic (i.e. your internet banking, for example) as opposed to being an obviously encrypted stream separate from the normal flow, which can raise a flag if your ISP is doing traffic shaping.

Encryption is your key safeguard against DPI. In the simplest terms, packet inspection looks at the packet data and headers and then acts on it based on that info. Generally in the real world that means your ISP deprioritising your BitTorrent packets. Push them through a VPN and they become encrypted and don’t get deprioritised.

So, does using port 443 mean your ISP doesn’t know you’re using a VPN? Sort of. It disappears into “normal” traffic and doesn’t raise any alerts (if they have some based on unusual activities). However, all they have to do is look at the destination IP address to determine it’s a VPN service provider. So, no, not foolproof.

Having said that, why would your ISP care if you’re using a VPN? Is it illegal in your country or something?

Nope, it does not protect it from DPI. DPI will see the initial handshake and know that it is an OpenVPN connection and not an HTTPS connection, which starts very differently. It will put encrypted traffic on a port and protocol that looks like https, but that is all. If you really need to hide OpenVPN traffic then you will need to wrap it in stunnel or something that truly obfuscates the protocol and the traffic. Then your bits will not look like an OpenVPN session and actually will get past DPI.

So my VPN provider has an option for me to change my protocol to SSL port 443 and they stated that the OpenVPN connection is no longer detected if deep packet inspection is used.

So the answer is yes and no. It is more difficult to detect (via packet inspection) OpenVPN connecting on TCP/443 or UDP/443, as these connections appear very similar to HTTPS and QUIC, but it’s not impossible. And certainly, the connection could be detected by statistical analysis of your destination activity. This technique, however, would probably only be used if 1) you utilize an abnormal amount of traffic, or 2) you are being specifically targeted. How well your encapsulated traffic is ‘hidden’ will depend upon the implementation of OpenVPN at the gateway. If configured properly, yes, your encapsulated traffic will be encrypted; however, other techniques (outside of DPI) exist to determine the destination of encapsulated traffic.
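The two answers above turn on one detail: the first bytes of a raw OpenVPN-over-TCP stream look nothing like a TLS ClientHello, which is exactly what a DPI first-packet check keys on, and also why an stunnel wrapper (whose stream does start with a ClientHello) gets past that check. Here is a toy version of such a check, added as an example and not code from the thread; the OpenVPN sample packet is built from the public wire format (2-byte length prefix, opcode byte, 8-byte session id, no tls-auth) and the sample bytes are constructed.

```python
import struct

TLS_HANDSHAKE_RECORD = 0x16
TLS_CLIENT_HELLO = 0x01
# OpenVPN opcodes live in the high 5 bits of the first byte after the TCP
# length prefix; the low 3 bits are the key id (0 for a fresh session).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # plain and tls-auth sessions
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # tls-crypt-v2 sessions


def classify_first_packet(data: bytes) -> str:
    """Label the first bytes a client sends as 'tls', 'openvpn-tcp' or 'unknown'."""
    if len(data) < 6:
        return "unknown"
    # TLS: record type 0x16, version 0x03xx, 2-byte length, handshake type 0x01
    if (data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03 and data[2] <= 0x03
            and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian length, then the opcode byte, then an
    # 8-byte session id. The declared length must match what follows.
    pkt_len = struct.unpack("!H", data[:2])[0]
    opcode = data[2] >> 3
    if (opcode in (P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3)
            and pkt_len >= 9 and pkt_len == len(data) - 2):
        return "openvpn-tcp"
    return "unknown"


def openvpn_hard_reset(session_id: bytes = b"\x11" * 8) -> bytes:
    """Constructed minimal OpenVPN/TCP client hard-reset (no tls-auth):
    opcode|key_id, session id, empty ack array, packet id 0."""
    body = (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + session_id
            + b"\x00" + struct.pack("!I", 0))
    return struct.pack("!H", len(body)) + body


def tls_client_hello() -> bytes:
    """Constructed TLS ClientHello record (fields after the random are omitted);
    an stunnel-wrapped OpenVPN stream starts with exactly this kind of record."""
    hs_body = b"\x03\x03" + b"\x22" * 32          # client version + random
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(classify_first_packet(openvpn_hard_reset()))   # openvpn-tcp
    print(classify_first_packet(tls_client_hello()))     # tls
```

Note that moving the OpenVPN packet to port 443 changes nothing in these bytes, so a port-agnostic check still flags it, while the stunnel case is indistinguishable here from ordinary HTTPS and falls back to the destination-IP and traffic-pattern methods the answers mention.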

Thanks for this. A VPN isn’t illegal for me, I just use it at my university and I’ve heard some universities look down on VPNs so I wanted to obscure my usage.

Yeah my VPN provider lets me use the stunnel connection, would that be enough?

Yeah my VPN provider lets me use stunnel. Would I be able to hide my traffic completely with it?

Aah, well you may have a problem there; many unis control internet usage through a proxy. If they do, you may find you can’t connect because they’ve blocked it by IP address.

Only use it if you need it, it is slower and a pain to set up, especially on a phone.

Yea, it is pretty good.

Would using stunnel help?

With OpenVPN, you can configure it to go through an HTTP proxy, as long as the protocol is TCP. Port 443 happens to be usually unblocked since that’s what HTTPS uses; blocking that port would break a lot of websites.

It’s not a well-known feature but works great in corporate environments that funnel traffic through things like IIS.

Look at this section in the OpenVPN documentation on how to do it.

If you need help feel free to ask.
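What the http-proxy directive actually does is an HTTP CONNECT exchange with the proxy; the proxy then relays a plain TCP stream (which is why this only works with proto tcp), and the OpenVPN handshake runs inside it. The following is an added example, not from the thread or from OpenVPN itself, with a constructed proxy whose assumed policy is the common one of allowing CONNECT only to port 443, to show why a remote on 443 gets through where the default 1194 does not; the hostname is made up.

```python
import re

# Policy assumed for the simulated corporate proxy: CONNECT only to port 443.
ALLOWED_CONNECT_PORTS = {443}


def build_connect_request(host: str, port: int) -> bytes:
    """First thing the OpenVPN client sends when 'http-proxy' is configured
    (HTTP/1.0 is OpenVPN's default proxy protocol version)."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode()


def simulated_proxy(request: bytes) -> bytes:
    """Constructed stand-in for a corporate proxy: parse the CONNECT line,
    apply the port policy, answer the way a real proxy would."""
    m = re.match(rb"CONNECT ([^\s:]+):(\d+) HTTP/1\.[01]\r\n", request)
    if not m:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if int(m.group(2)) not in ALLOWED_CONNECT_PORTS:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def tunnel_established(reply: bytes) -> bool:
    """Client side: the TCP tunnel to the VPN server exists only after a 2xx
    reply; only then does the OpenVPN handshake start inside it."""
    m = re.match(rb"HTTP/1\.[01] (\d{3})", reply)
    return m is not None and m.group(1).startswith(b"2")


def openvpn_reachable_via_proxy(remote_host: str, remote_port: int) -> bool:
    """Run the exchange end to end for a given 'remote <host> <port>' setting."""
    reply = simulated_proxy(build_connect_request(remote_host, remote_port))
    return tunnel_established(reply)


if __name__ == "__main__":
    # 1194 is OpenVPN's default port, 443 the one the thread recommends
    print(openvpn_reachable_via_proxy("vpn.example.net", 1194))  # False
    print(openvpn_reachable_via_proxy("vpn.example.net", 443))   # True
```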

I use Airvpn and they have an option for stunnel and to set the port to TCP 443. Which one is better?

The answer is: it depends.

Let’s say you’re in a restrictive network, one that performs DPI and can detect OpenVPN traffic from its handshake, but does not require a proxy; then stunnel may help you, since its traffic resembles pure SSL/TLS traffic.

In another scenario, let’s say you’re at work in a company and you join their network, but they require you to configure their proxy for the Internet to work; stunnel won’t do you much good, but OpenVPN’s directive to route traffic through a proxy would help.

If you’re trying to hide the fact that you’re using a VPN by using either, I’m afraid both options won’t do you any good; whoever is in control of your network gateway will ultimately see that you’re connecting with your VPN provider’s IP address (but not your traffic). VPNs can provide you security, but not necessarily anonymity.

Also keep in mind that if you use stunnel, your traffic will be encapsulated in one additional tunnel, which will degrade performance.

My advice is, use UDP whenever possible, since it’s much faster. TCP is a fallback for locked down networks.