Please do not top-post.
Answer: Because it turns the discussion upside down.
Question: Why should I not top-post?

On 10/07/18 07:05, James Peng via Openvpn-users wrote:
> I am just wondering how easy a third-party want to find a connection is a
> VPN connection or not? For example, If I connect to my home VPN server from
> Japan, is it easy/possible for an agent to find my internet connection is a
> VPN connection and also find the server ip?

It is fairly easy, unless you play games with obfuscation (which comes in addition to OpenVPN).

If there is a continuous stream of data between two IP addresses and the same port numbers over a shorter time, that is one indication.

Secondly, using tcpdump to grab packets on the link between the server and client, you can soon enough detect the OpenVPN protocol. The first byte of each packet carries what is called an OP code. Certain values here indicate if it is a data channel packet (encrypted VPN traffic) or if it is a control channel packet (managing the connection). Further, some control channel packets contain TLS packets. And you can do even more protocol fingerprinting once you have access to a packet stream between client and server.

So by combining these techniques, it is easy to detect OpenVPN. Which is something Wireshark can do for you as well.

There is one operation mode which makes it close to impossible to detect OpenVPN. But this mode carries other security challenges, such as lacking PFS (Perfect Forward Secrecy). If running a tunnel with static keys, the stream between each OpenVPN end-point will be pure encrypted data. But this kind of configuration uses the same encryption throughout the whole runtime of the connection as well as only one connection can be made against the "server" side.

If you only need one connection to be established against your "server" and all the traffic you run inside this tunnel is encrypted, well, then this might be a reasonable solution.

-- 
kind regards,

David Sommerseth
OpenVPN Inc
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
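
The opcode check described in the message above, as an added example that is not part of the original post or of OpenVPN's code. The opcode numbers and the opcode/key-id split of the first byte follow OpenVPN's wire protocol for UDP; the function names, verdict strings and sample payloads are constructed for illustration.

```python
# OpenVPN over UDP (TLS mode): first payload byte = (opcode << 3) | key_id.
# Opcode numbers follow OpenVPN's wire protocol; all other names are illustrative.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3", 11: "P_CONTROL_WKC_V1",
}
DATA = {6, 9}
CLIENT_RESET = {1, 7, 10}
SERVER_RESET = {2, 8}

def classify(payload):
    """Return (opcode_name, key_id, channel), or None if byte 0 is not a known opcode."""
    if not payload:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in OPCODES:
        return None
    return OPCODES[opcode], key_id, "data" if opcode in DATA else "control"

def flow_verdict(packets):
    """packets: list of (direction, payload) in capture order; direction is 'c2s' or 's2c'."""
    if len(packets) < 2:
        return "unknown"
    ops = [(d, p[0] >> 3 if p else 0) for d, p in packets]
    if any(op not in OPCODES for _, op in ops):
        return "not-openvpn-tls-mode"   # e.g. static-key mode: no opcode byte at all
    first_dir, first_op = ops[0]
    server_reset = any(d == "s2c" and op in SERVER_RESET for d, op in ops)
    if first_dir == "c2s" and first_op in CLIENT_RESET and server_reset:
        return "openvpn-handshake"
    return "openvpn-like"               # valid opcodes only, handshake not captured

# Constructed sample payloads (filler bytes after the opcode byte, not real captures).
TLS_MODE_FLOW = [
    ("c2s", b"\x38" + b"\x11" * 13),    # hard reset, client, v2
    ("s2c", b"\x40" + b"\x22" * 25),    # hard reset, server, v2
    ("c2s", b"\x28" + b"\x11" * 21),    # ack
    ("c2s", b"\x20" + b"\x11" * 100),   # control packet (carries TLS in real traffic)
    ("s2c", b"\x48\x00\x00\x01" + b"\x5a" * 60),  # data channel, v2
]
STATIC_KEY_FLOW = [("c2s", b"\xd3" + b"\x5a" * 40), ("s2c", b"\x07" + b"\xa5" * 40)]

if __name__ == "__main__":
    print(flow_verdict(TLS_MODE_FLOW), flow_verdict(STATIC_KEY_FLOW))
```

Over TCP each OpenVPN packet is preceded by a 2-byte length, so the opcode is the third byte there. A single packet proves little, since roughly a third of random first bytes map to a known opcode; the verdict is only meaningful across a flow.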