We all likely heard about VPN obfuscation at this point. Over the past years, a pretty noticeable number of VPN providers started using the term on their web pages.
But what exactly is it? And why should you care about it?
Here’s all you need to know about VPN obfuscation – including how it works, how to optimize it, what VPN obfuscation techniques VPN providers use, and a whole list of providers who offer it.
What Is VPN Obfuscation?
VPN obfuscation is a technique that can hide VPN traffic. It won’t make any changes to the traffic, though – it will just use a “mask” to hide its patterns so that ISPs and governments can’t spot it.
Usually, obfuscation involves using an extra layer of encryption to hide the traffic. Also, VPN obfuscation normally works with the OpenVPN protocol. It’s the most popular protocol used by providers, and – unfortunately – it has a signature that can be detected with DPI (Deep Packet Inspection).
If you’re not familiar with DPI, think of it as a way to control network traffic. Basically, it uses advanced packet filtering to block data packets whose code payload reveals OpenVPN traffic.
How Does VPN Obfuscation Actually Hide VPN Traffic?
Obfuscation hides OpenVPN traffic differently based on the technique the provider uses. But to keep things simple, let’s use a generic example so that you understand how it works.
First, let’s take a look at how an OpenVPN data packet looks like. Basically, it has a Header and The Payload. The Header is the one that contains info that identifies the data packet as being OpenVPN traffic.
To bypass firewalls that use DPI, VPN obfuscation removes all the VPN metadata from the Header. Now, the firewall will have no idea that the data packet is OpenVPN traffic.
Afterward, obfuscation further encrypts the VPN traffic using SSL and also assigns a port number to the packet (443).
What you’re left with after all that is a VPN data packet that looks exactly like regular HTTPS traffic. So, firewalls will let it through – unless they’re programmed to block all HTTPS traffic, but I’ve never really heard of that happening.
When Is VPN Obfuscation Necessary?
You don’t really need to use obfuscation non-stop when you’re using a VPN. However, there are some specific scenarios when VPN obfuscation isn’t just convenient – it’s mandatory:
When You’re in a Country That Censors VPNs/Makes Them Illegal
Not all countries are VPN-friendly. Some of them actually make them illegal and force ISPs to use DPI to monitor and block VPN traffic.
In some places, you can even get in serious trouble if the government catches you trying to use a VPN. In Turkmenistan, for example, they’ll not only block your connection, but they’ll also hit you with administrative penalties, and will even invite you to the Ministry of National Security for “preventing conversations.”
So the best way to use a VPN in such places without risking huge fines or run-ins with the law is to use a service with VPN obfuscation.
When Your ISP Is Throttling Your VPN Traffic
Let’s get one thing straight first – not every ISP does this. More often than not, the slowdown VPN users experience comes from the VPN encryption itself.
However, in some cases, ISPs can use DPI to detect VPN traffic and throttle it to discourage their customers from using VPNs too often or at all.
They can do that because the government has anti-VPN laws, or because they have a problem with their clients using VPNs (they’re worried they’ll use them to do illegal stuff, for example).
If that happens to you, VPN obfuscation techniques are the only way to trick your ISP into thinking you’re just browsing HTTPS websites instead of using a VPN.
When You’re Dealing With VPN Blocks at School/Work
Many people use VPNs at work or school to get around annoying firewalls. The problem is the VPN might not work all the time because the admins might try to detect VPN traffic.
Doing that is pretty difficult, but it is achievable with the right skills. And once the firewall detects VPN traffic, it can just block it automatically.
With obfuscation though, the VPN can easily evade those blocks.
When You Want More Privacy
Whether you just want to enjoy a higher level of anonymity on the Internet, are a whistleblower, or are a journalist who needs 110% private interviews with your sources, VPN obfuscation will always come in handy.
It pretty much acts as an extra layer of security alongside the original VPN encryption since it makes sure government surveillance agencies, hackers, and ISPs can’t tell you’re using a VPN.
When You Want to Unblock Streaming Websites
You can’t always unblock content platforms like BBC iPlayer and Netflix. That’s because they use methods like IP blacklisting, port blocking, and DPI to detect and block VPN traffic to their services.
VPN obfuscation is pretty much the only way you can bypass those blocks to enjoy the content you want.
What VPN Obfuscation Techniques Do Providers Use?
Okay, so I mentioned how VPN obfuscation hides your VPN traffic, but things can get confusing fast because providers tend to use all sorts of terms to refer to obfuscation. Stealth mode, cloaking technology, stealth VPN are just some examples.
Well, here’s something you should know – while all those terms refer to obfuscation, VPN providers use different methods to achieve it.
Here’s a quick rundown of all the VPN obfuscation techniques VPN providers use:
1. OpenVPN Scramble
OpenVPN Scramble is basically a patch for the OpenVPN protocol which uses the XOR cipher.
To keep things simple, the XOR cipher is a substitution-based algorithm. So, it replaces every alphanumerical in a string with another number. You can also use XOR to decipher the newly-encrypted string – just feed it back into the algorithm.
However, there’s a problem with XOR – its not the most secure cipher out there. If it uses a weak key, it’s pretty terrible at bypassing government blocks. In fact, the authorities or even ISPs can break XOR with the right frequency analysis tools and techniques.
There’s also the fact that a lot of hackers use XOR to disguise malware, so it doesn’t have the best image.
Well, that’s where OpenVPN Scramble comes into play. It’s an open-source code that adds obfuscation abilities to the OpenVPN protocol using the XOR cipher. So, you get quality encryption securing your data alongside obfuscation features that hide OpenVPN traffic.
In my experience, it’s pretty effective. I even tried out Wireshark (a network packet analyzer), and it didn’t detect my OpenVPN connection as the OpenVPN protocol, but as the UDP protocol.
Despite this, OpenVPN scramble still has some controversy surrounding it. The OpenVPN devs don’t really approve of it, and they refused to implement it into the official OpenVPN version.
Also, you need to keep in mind that it’s not 100% guaranteed to prevent your government from blocking OpenVPN traffic. It just makes it much harder for them to do so.
A subproject of the Tor project, Obfsproxy offers stealth by wrapping protocol data in an obfuscation layer in an effort to prevent ISPs and governments from noticing it.
Obfsproxy uses Pluggable Transports (PT) to alter how traffic flows between the client and the server. obfs2 and obfs3 used to be the standard modules, but the best one for VPN obfuscation right now is obfs4.
To really hide OpenVPN traffic, Obfsproxy uses a handshake process that has no recognizable byte patterns. Simply put, it makes OpenVPN traffic look like nothing more than basic HTTP traffic.
While it has obvious ties to the Tor Project, it’s allegedly independent, and VPN providers can configure it for the OpenVPN protocol.
If you want to manually set up your own OpenVPN server and Obfsproxy, there’s a lot of work involved. Luckily, VPN providers who offer Obfsproxy can give you pre-configured OpenVPN config files to save you time. They’ll obviously handle the server-side setup too.
You’ll still have to install Obfsproxy using the OpenVPN GUI client on your device on an OpenVPN-compatible port (like 1997 or 8080), though. You might even have to ask your VPN provider for a static IP address so that their server can properly listen in on your port.
Even though it’s easy for VPN providers to set up Obfsproxy on their servers with a simple command, many don’t really do it because it has some problems:
- Obfsproxy doesn’t wrap the traffic in encryption, so it’s less secure than Stunnel and OpenVPN Scramble. Still, because of that, it eats up less bandwidth. At least that can come in handy in countries where bandwidth is very limited.
- ISPs/governments can use entropy tests to detect recognizable patterns (volume, packet size, timing) to see that Obfsproxy’s handshake is just too random. With that info, they can make sure only DPI-recognized protocols can pass through the firewall.
3. OpenVPN Over SSL
Unlike the previous VPN obfuscation techniques, this one involves adding an SSL (Secure Socket Layer) layer of encryption to the OpenVPN data. True, OpenVPN already uses a type of SSL, but it has tweaks, so it’s different. Actually, DPI detects it because of that.
Well, if you wrap OpenVPN data in a layer of SSL encryption, DPI can no longer spot it since it can’t penetrate the outer SSL layer.
While this is a pretty efficient VPN obfuscation method, the setup process can be pretty difficult if you’re not tech-savvy. Not only will the VPN provider have to configure open-source software called stunnel on their servers, but you’ll also have to install it on your device.
Really, the only thing you can do is talk with your provider to see if they’d agree to this. If they do, they’ll have to send you instructions on what to do. If you want to skip that, you should consider using AirVPN since they have built-in support for OpenVPN over SSL in their clients.
Also, keep in mind that encrypting OpenVPN traffic with SSL can cause a rather noticeable drop in speed.
4. OpenVPN Over SSH
This is pretty similar to OpenVPN over SSL. The only difference is that it uses SSH (Secure Shell) to hide VPN traffic.
There’s really not much to say here. SSH is pretty secure since it has strong encryption. The only drawback is that it’s more of a corporate protocol since businesses use it to securely access shell accounts. You might still be able to use it as an average online user, but you’ll need to talk with your VPN provider about that.
Right now, the only provider I know to offer out-of-the-box support for OpenVPN over SSH is once again AirVPN.
While it has a funny name, Shadowsocks is an open-source project based on the SOCKS5 proxy. A Chinese programmer using the pseudonym “clowwindy” created it back in 2012 to help people in the country bypass censorship, and also hide the fact that they’re doing it.
On its own, Shadowsocks just masks online traffic, making it look like HTTPS so that you can bypass firewalls. It doesn’t have much encryption to secure your data, though.
However, a VPN provider can use their service together with Shadowsocks to hide OpenVPN traffic.
Configuring everything can be a bit difficult, though. You have to install and set up OpenVPN, install and run Shadowsocks, and also add bridge servers (the server that redirects you to the VPN server) if the VPN provider uses them.
How to Get the Best Out of VPN Obfuscation
VPN obfuscation techniques are useful, but they can definitely take their toll on your online speed.
True, stuff like unlimited bandwidth and well-optimized VPN servers help. But, in the end, OpenVPN is not a lightweight protocol, and if your own ISP speeds aren’t too good, you’re gonna see slowdowns.
So, here’s what you can do to make sure your VPN speeds don’t take such a huge hit:
Connect to a Server That’s Near You
This is the best thing you can try to improve speeds. Since the physical distance between you and the VPN server will be smaller, it’ll take less time for data packets to travel between your device and the server.
If you have a chance to use a server in the same country as you, even better.
Use Split Tunneling If Possible
Split tunneling means you can decide which traffic goes through the VPN tunnel, and which doesn’t. For instance, you can use split-tunneling to separate VPN traffic (like the VPN client and your web browser) from non-VPN traffic (anti-virus updates or gaming clients like Steam).
If you do that, you might increase your speed since you’re making your traffic more lightweight.
Change Your ISP-Assigned DNS Settings
The default DNS settings you get from your ISP aren’t usually ideal – especially when you’re using a VPN.
So, you should change them with your VPN provider’s own DNS configuration. Alternatively, try using Google Public DNS or OpenDNS.
Bonus Tip for Better Privacy – Use Preventive Measures
This doesn’t have much to do with speed, but it’s a useful thing to keep in mind when using VPN obfuscation.
The idea is that hiding your VPN traffic won’t do much for your privacy if the VPN connection suddenly goes down or suffers leaks.
So, to make sure you’re safe, you should enable the Kill Switch feature. It’ll shut off your web access if your VPN connection goes down. Also, turn on IP and DNS leak protection.
Why Not Use a Different Protocol?
“Why do you really need VPN obfuscation when you can just use another protocol?” I can hear you asking.
Well, you can do that to try and defeat VPN blocking. But keep this in mind – not all protocols offer advanced encryption like OpenVPN. So, there is a chance (albeit a small one) that your ISP could tell you’re using a VPN.
In fact, if they check your outbound connections, and see that you’re connecting to an IP address with no hostname over UDP/TCP port 443, they’ll likely realize you’re using a VPN server.
If you get caught doing that in a country where it’s illegal or at work/school where it’s against the rules, you can end up in a lot of trouble.
So, it’s just safer to use OpenVPN with VPN obfuscation in that case.
What’s the Best Obfuscation VPN?
There are some VPN providers who use VPN obfuscation techniques, but it’s up to you to decide which one works best for you.
To make things simple, I’ll leave a list of the providers that offer VPN obfuscation, with some quick pros and cons, and a link to their reviews (or their websites if we haven’t reviewed them yet):
- NordVPN – One of the best VPN services out there. Zero logs, speedy double VPN servers for enhanced security, ad-blocking features, and reliable obfuscated servers.
- ExpressVPN – A stable and speedy VPN with top-notch security (high-end encryption, self-hosted DNS, servers run in RAM-disk mode to make logging impossible) and dozens of obfuscated servers.
- VyprVPN – Well optimized service with military-grade encryption, a decent selection of servers, and good speeds. The highlight includes their proprietary Chameleon protocol that gets around VPN blocking by scrambling OpenVPN packet metadata.
- IPVanish – A zero-log VPN service with 1,000+ speedy servers, and a built-in Scramble option that hides OpenVPN traffic. Unfortunately, it has limited streaming options since it can’t unblock US Netflix, Hulu, or BBC iPlayer.
- PrivateVPN – Decent VPN service with a clear no-log policy, fast servers, reliable encryption, and a Stealth VPN feature that hides traffic.
- Surfshark – The VPN has excellent jurisdiction for user privacy (British Virgin Islands), a Kill Switch, zero-knowledge DNS, and amazing security. Surfshark also has Camouflage Mode, an easy-to-use VPN obfuscation feature.
- Mullvad VPN – Great cost-efficient VPN with zero logs, physical servers, and an open-source app. Mullvad VPN also uses a combination of SSH tunneling, Shadowsocks, and stunnel to offer obfuscation.
- AirVPN – Doesn’t have the most user-friendly website, but the service is pretty decent. You get a no-log policy, decent security, built-in features for OpenVPN over SSL/SSH, and you don’t have to give out personal info when signing up.
- VPN.ac – A good service all around. Zero logs, decent server selection, and VPN obfuscation with the XOR cipher. The only thing you might not like is that they keep connection logs.
- VPNArea – While the service doesn’t have the best performance, it has great perks. It doesn’t keep any logs, unblocks popular streaming websites, has a Kill Switch, offers great security, and uses stunnel obfuscation to hide your traffic.
- Hotspot Shield – I saved this provider for last because it might not be the best option for your privacy. The service suffered a worrying number of leaks and privacy scandals and doesn’t unblock streaming platforms. While its Catapult Hydra Protocol offers obfuscation, it’s the only protocol you can use which isn’t too convenient.
Can Governments Stop VPN Obfuscation?
While this technology can be extremely useful, it’s not “invincible.” If a government really has it out for VPNs that obfuscate their traffic, they have ways of blocking access to the services. Here’s what they could do:
Block VPN Provider Websites
If they want to stop people in the country from using obfuscated VPN services, they can just block the websites of the providers that offer this feature. That stops people from subscribing to the service or downloading apps.
Sure, if you downloaded the VPN client before the government blocked the website you would be fine – but not forever. In the end, you wouldn’t have access to updates this way, and you wouldn’t be able to change your subscription or renew it on the provider’s website.
True, you can use a lesser-known VPN service or an online proxy to unblock the provider’s website. But the government will know you’re doing it if they use DPI. Also, they can block those services too.
Block VPN Server IP Addresses
If blocking providers’ websites isn’t efficient for some reason, governments can just force ISPs to block the IP addresses of well-known VPN servers.
Not only that, but they can also order them to monitor your connections, flag suspicious IP addresses (those with no hostnames associated with the server), check if they belong to VPN servers, and block them. Remember – VPN obfuscation will hide the VPN traffic, not the VPN server’s address.
Block the Ports VPN Protocols Use
ISPs can also just block the ports VPN protocols need to function. Without them, you can’t run a VPN connection. For example, they could block UDP port 500 to stop IKEv2 or L2TP traffic. ISPs could also block UDP port 1194 to block OpenVPN traffic.
However, that’s the port OpenVPN uses by default. If you or the provider configure it to use port 443, there’s not much a government can do. If they block it, they would block HTTPS traffic country-wide. Until now, we have yet to hear of a country doing that.
However, there still is something the authorities can do about HTTPS traffic, as you’ll see next.
Intercept HTTPS Traffic
Most obfuscation methods make VPN traffic look like regular HTTPS traffic. Well, if a country’s ISPs or surveillance agencies were to intercept that traffic, and decrypt it, the government would easily find out who is using VPNs.
Sounds like it might never happen? After all, you can’t really break HTTPS, right?
Well, not exactly. Kazakhstan actually started officially intercepting HTTPS traffic back in July 2019. Basically, the authorities made ISPs force their users to install government-issued certificates on their devices. Those certificates allow government surveillance agencies to decrypt users’ HTTPS traffic.
It’s hard to tell if other countries with similarly oppressive regimes will follow their example or not.
What Do You Think About VPN Obfuscation?
What’s your experience with it, and which VPN obfuscation techniques have you found to be the most efficient? Also, what other good VPN providers offer VPN obfuscation?
Go ahead and share your thoughts with all of us in the comment section. And if you found the article useful, go ahead and share it with your friends if you think it might help them.