Setting up an Obfuscation server with Obfsproxy and Viscosity
Obfuscation can be used to prevent your VPN connection being detected and/or blocked. Some administrators (such as wireless hot spots in cafes) choose to block VPN traffic on their network. By obfuscating your VPN connection, you can securely connect to your remote network resources or browse the internet privately while connected to such restricted networks.
Network administrators can use tools like Deep Packet Inspection (DPI) to classify and restrict traffic by protocol, such as HTTP, SSL, VPN, etc. Viscosity uses Obfsproxy to obfuscate its VPN traffic. Obfsproxy transforms the VPN traffic coming from your computer to make it look like whatever you choose, so that it is more difficult to restrict via DPI methods. There are a number of different methods Obfsproxy can use to disguise your traffic, including obfs2 which adds an encryption wrapper around your VPN traffic to stop it looking like any protocol in particular.
For this guide, we assume:
- You have already installed the latest version of Ubuntu (16.04 at time of writing)
- You have root access to this installation of Ubuntu via terminal or ssh
- You have already setup a TCP (not UDP) OpenVPN server
- You already have a copy of Viscosity installed on your client device
The OpenVPN server can be on this installation of Ubuntu, or another machine, it doesn't matter. If you haven't already setup an OpenVPN server, please check out our setup guides. Make sure to set the OpenVPN server protocol to TCP, not UDP. We also assume that this installation of Ubuntu is a fresh install, possibly with an OpenVPN server installed as well.
This guide will walk you through setting up one of the following obfuscation protocols:
To begin, log in to the command line as root. Once logged in, we need to ensure that Ubuntu's repository list is up to date by typing the following:
sudo apt-get update
For obfs2, obfs3 and obfs4 we will use obfs4proxy. To install obfs4proxy, run the following:
sudo apt install -y obfs4proxy
For scramblesuit, you will need obfsproxy instead, install this with the following and then skip to the scramblesuit section further down:
sudo apt install -y obfsproxy
Obfs4proxy Server Configuration
To get started setting up obfs4proxy, for if you want to use the obfs2, obfs3 or obfs4 protocol, we first setup the config. Create a directory for the obfs4proxy configuration with the following:
sudo mkdir -p /var/lib/tor/pt_state/obfs4
Next, create the config:
sudo nano /var/lib/tor/pt_state/obfs4/obfs4.config
And paste in the following:
TOR_PT_MANAGED_TRANSPORT_VER=1 TOR_PT_STATE_LOCATION=/var/lib/tor/pt_state/obfs4 TOR_PT_SERVER_TRANSPORTS=obfs4 TOR_PT_SERVER_BINDADDR=obfs4-0.0.0.0:12345 TOR_PT_ORPORT=127.0.0.1:443
You can make the following changes as necessary:
- TOR_PT_SERVER_TRANSPORTS - This is the protocol to use, change this to obfs2 or obfs3 if you wish to use a different protocol.
- TOR_PT_SERVER_BINDADDR - Again, change obfs4 to obfs2 or obfs3 if you wish to use a different protocol. 12345 is the port obfs4proxy is listening on, you may also change this as you wish.
- TOR_PT_ORPORT - This is the address of your OpenVPN server. If you are running the obfs4proxy server on the same system as your OpenVPN server, nothing needs to change, otherwise change this address and port as needed.
Save the configuration and exit nano.
Next we need to setup a service for obfs4proxy. To do this, create a new file and open it in the nano editor with the following:
sudo nano /etc/systemd/system/obfs4proxy.service
And paste in the following, save and close nano:
[Unit] Description=obfs4proxy Server [Service] EnvironmentFile=/var/lib/tor/pt_state/obfs4/obfs4.config ExecStart=/usr/bin/obfs4proxy -enableLogging true -logLevelStr INFO [Install] WantedBy=multi-user.target
Next, start the service and enable it to automatically start after rebooting:
sudo systemctl start obfs4proxy.service
sudo systemctl enable obfs4proxy.service
You can check it started succesfully with:
sudo systemctl status obfs4proxy.service
Finally, if you are using the obfs4 protocol, when you start the server for the first time a password key will be generated which you will need to paste into Viscosity. Print it out with:
sudo cat /var/lib/tor/pt_state/obfs4/obfs4_bridgeline.txt | grep 'Bridge obfs4' | sed -e 's/^.*cert=\(.*\) .*$/\1/'t
Scramblesuit Server Setup
Scramblesuit requires a different configuration using the older obfsproxy program. To get started, create an empty directory for obfsproxy with:
sudo mkdir -p /var/lib/tor/pt_state/scramblesuit
Next, we need to generate a password to use. To do this, type the following into terminal:
python -c 'import os,base64; print base64.b32encode(os.urandom(20))'
This will output a line of numbers and letters, make a copy of this, this is your password key for scramblesuit which we will need below and for Viscosity later.
Next, create a service configuration and open it with nano:
sudo nano /etc/systemd/system/obfsproxy.service
And paste in the following:
[Unit] Description=Obfsproxy Server [Service] ExecStart=/usr/bin/obfsproxy --log-min-severity=info --data-dir=/var/lib/tor/pt_state scramblesuit --password=YOURPASSWORD --dest=127.0.0.1:443 server 0.0.0.0:12345 [Install] WantedBy=multi-user.target
Make the following changes as necessary:
- YOURPASSWORD - Replace this with the password key we generated above.
- 127.0.0.1:443 - This is the address to your OpenVPN server. This is valid if your OpenVPN server is running on the same system as obfsproxy and is listening on port 443, otherwise change this as required.
- 0.0.0.0:12345 - This where obfsproxy is listening for connections. You can change 12345 to a different port as required.
Save the service configuration and exit nano. We can then start the service and enable it to start automatically after reboot with:
sudo systemctl start obfsproxy.service
sudo systemctl enable obfsproxy.service
You can check it started succesfully with:
sudo systemctl status obfsproxy.service
Setting Up Viscosity
The interface provided by the Mac and Windows versions of Viscosity are intentionally very similar. As such, we will focus our guide on the Mac version, pointing out any differences with the Windows version as they arise.
If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.
Click the Viscosity icon in the menu bar (Windows: system tray) and select 'Preferences...':
This shows you the list of available VPN connections. We assume you have already created a connection to your OpenVPN server. If you haven't set created a Viscosity connection to your OpenVPN server, please check out our OpenVPN server guides. Select your previously configured connection and click "Edit":
Configuring the Connection
You will now need to modify the connection parameters as outlined below:
- In the General tab, replace the server address with the IP address of your Obfsproxy server. This will be unchanged if your Obfsproxy server is running on the same machine as your OpenVPN server.
- Update the port to the Obfsproxy port set in the configuration above (12345 in our example).
- The protocol must be set to TCP.
- Click the Transport tab.
- Set the obfuscation method to the obfuscation method selected in the Obfsproxy server configuration.
- You cannot use a proxy when using obfuscation, so make sure the "Connect using proxy" option is unchecked.
- If you are using obfs4 or scramblesuit, paste the password key in the "Key" field.
- Click the
Connecting and Using Your VPN Connection
You are now ready to connect. Click on the Viscosity icon in the menu bar (Windows: system tray) and select 'Connect DemoConnection'. That's it, you should see a notification that you're now connected!
To check that the VPN is up and running, you can use the Viscosity details window. Click the Viscosity menu bar (Windows: system tray) icon and select 'Details...'. This will bring up the details window.
This window will show you the traffic passing through the VPN connection.