Tuesday, July 12, 2011

OpenVPN vs. DPI

Someone posted a knowledgebase item on "Deep Packet Inspection and OpenVPN" to the Anonyproz site.

"A new internet traffic monitoring technology known as Deep Packet Inspection (DPI) has been proven to successfully block OpenVPN traffic regardless of the port used whether 80 or 443. Anyone who uses the Internet needs to be aware of Deep Packet Inspection ... It is important to understand that OpenVPN doesn't use the SSL wire protocol directly, like the majority of SSL applications do. So all the SSL packets from OpenVPN are encapsulated in a kind of OpenVPN container. Which is why some deep packet inspection firewalls might not allow OpenVPN traffic."

"One possible solution is to tunnel OpenVPN traffic over SSH. Using this method, some users on networks using DPI have been able to bypass. The method works in most cases because the initial SSH traffic is recognized by the DPI device as being “True HTTPS” traffic thereby allowing you to bypass and tunnel through".

See "Deep Packet Inspection and OpenVPN" - here.
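
The "OpenVPN container" point in the quoted item can be seen in the first bytes a client sends on a TCP connection. The sketch below is an added example, not code from the knowledgebase item or from OpenVPN: it classifies an opening payload as a TLS record, an OpenVPN-over-TCP control packet, or an SSH identification string. It goes slightly beyond the quote by including SSH, and it assumes OpenVPN in TCP mode; all sample byte strings are constructed.

```python
import struct

# OpenVPN opcode = high 5 bits of the first packet byte; low 3 bits = key_id.
OPENVPN_RESET_OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
}
# Smallest hard reset: opcode(1) + session id(8) + ack count(1) + packet id(4).
MIN_RESET_LEN = 14


def classify_first_bytes(data: bytes) -> str:
    """Label the opening bytes of a TCP stream by wire format only."""
    if len(data) < 6:
        return "unknown"
    # SSH: both peers open with an ASCII identification string (RFC 4253).
    if data.startswith(b"SSH-"):
        return "ssh: identification string"
    # TLS: record header is type(1) version(2) length(2), then handshake type.
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype == 0x16 and major == 3 and minor <= 4 and 0 < rec_len <= 16384:
        if data[5] == 0x01:
            return "tls: ClientHello"
    # OpenVPN over TCP: 16-bit length prefix, then the opcode/key_id byte.
    # The TLS handshake OpenVPN carries sits inside later control packets,
    # so no TLS record header ever appears at the start of the stream.
    (pkt_len,) = struct.unpack("!H", data[:2])
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    if opcode in OPENVPN_RESET_OPCODES and key_id == 0 and pkt_len >= MIN_RESET_LEN:
        return "openvpn: " + OPENVPN_RESET_OPCODES[opcode]
    return "unknown"


# Constructed samples (not captured traffic).
TLS_HELLO = bytes.fromhex("160301002e010000 2a0303".replace(" ", ""))
OPENVPN_RESET = (struct.pack("!H", MIN_RESET_LEN) + bytes([7 << 3])
                 + bytes(range(8)) + b"\x00" + bytes(4))
SSH_BANNER = b"SSH-2.0-ExampleClient_1.0\r\n"

if __name__ == "__main__":
    for name, sample in [("tls", TLS_HELLO), ("openvpn", OPENVPN_RESET),
                         ("ssh", SSH_BANNER)]:
        print(name, "->", classify_first_bytes(sample))
```
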
