
Obfuscating VPN Traffic

JJF Derksen
August 22, 2018

Supervisor: dr. ir. Marc X. Makkes, Universiteit van Amsterdam
Rogier Spoor, SURFnet
Host organisation: SURFnet, https://www.surf.nl

Universiteit van Amsterdam
Faculteit der Natuurwetenschappen, Wiskunde en Informatica
Master Software Engineering
http://www.software-engineering-amsterdam.nl

Contents

Abstract
1 Introduction
2 Related work
3 Background
  3.1 Network traffic
  3.2 Virtual private network
4 Experiment setup
  4.1 Setups
  4.2 Experiments
    4.2.1 Experiment one: OpenVPN server detection
    4.2.2 Experiment two: network traffic monitoring
  4.3 OpenVPN configurations
    4.3.1 OpenVPN standard configuration
    4.3.2 OpenVPN secure configuration
    4.3.3 OpenVPN obfuscation configuration
    4.3.4 OpenVPN TLS 1.3 configuration
5 Results and analysis
  5.1 Active detection OpenVPN server
    5.1.1 Port scanning
    5.1.2 Connection request
    5.1.3 TCP three way handshake
  5.2 Monitoring network traffic
    5.2.1 Handshake
    5.2.2 Client hello
    5.2.3 Server hello
  5.3 Network traffic from server to client
  5.4 Network traffic from client to server
  5.5 Analysis
    5.5.1 Active detection OpenVPN server
    5.5.2 Network traffic
    5.5.3 TCP three way handshake
    5.5.4 OpenVPN setups compared
    5.5.5 TLS compared to OpenVPN
6 Conclusion
7 Future work
Bibliography
A Abbreviations
B OpenVPN Headerinfo
C Listing results

Abstract

Virtual private network (VPN) connections ensure privacy as well as security between two connected computers on the Internet. However, some countries and companies do not allow the use of VPN connections and use a firewall to prevent the use of VPN. Header information of network traffic from VPN connections contains recognisable characters. Firewalls can use these recognisable characters to detect VPN connections. To prevent VPN connections from being actively used, firewall setups can limit these connections in different ways; for example, connections can be throttled, disconnected by sending termination packets, or blocked completely. When VPN connections can no longer be used, users lose the privacy and security of their internet connection. To prevent detection, VPN traffic could be obfuscated to mimic the same patterns as Transport Layer Security (TLS) traffic.

This thesis investigates various OpenVPN solutions that have been created. The solutions obfuscate the VPN related header information characters of a connection. In addition, we show that VPN servers can be configured such that they are undetectable, except for authorised users. The results of this thesis show that VPN servers can remain undetected for any unauthorised user when recognisable header information characters of VPN connections are obfuscated. Despite this obfuscation, there are still vulnerabilities that make it possible to detect VPN connections. The detection of VPN connections is accomplished by monitoring network traffic on various OpenVPN servers.
The thesis results on the various OpenVPN servers are compared to the network traffic of TLS connections.

Chapter 1 Introduction

Internet traffic is subject to monitoring. Monitoring of network traffic happens when using the internet in a company with strict firewall rules or in a country that enforces strict firewall rules, such as China [NS14] or Iran [AAH13]. All network traffic passing the firewall is initially monitored based on its header information. When an internet connection is created within a network with firewall rules, these rules determine which network traffic is passed through and which network traffic is throttled, disconnected or blocked [SB14]. In addition, the network enclosed by the firewall can determine your geographical location by using the internet protocol (IP) address of a client request.

To protect against firewalls throttling, disconnecting or blocking network traffic, a virtual private network (VPN) connection can be used when exchanging network traffic. A VPN connection provides secure communication over an unsecured internet connection. This is done by creating a virtual tunnel between the source (the client device) and the endpoint (the VPN server). The endpoint will act as the origin of the traffic request. This masks the true origin of a user request. This makes it impossible to determine the origin of a traffic request made from a VPN endpoint. The network traffic between client and VPN server is encrypted. Therefore, firewalls are not able to distinguish network traffic as anything other than VPN network traffic.

When users want to create a VPN connection, they can choose among multiple VPN protocols. The most common protocols are internet protocol security (IPSec) [Ken05], point-to-point protocol (PPTP) [HPV+99], layer 2 tunnel protocol (L2TP) [TVR+99] and VPN solutions that use a hybrid form of the aforementioned protocols, like OpenVPN [Kei17]. A VPN client can initiate a VPN connection by starting a handshake.
This handshake is an interactive agreement to use a specific protocol and parameters. On completion, a secure cryptographic communication channel is established.

VPN network traffic has VPN related characters, which makes it distinguishable from other network traffic. Firewalls monitoring network traffic can pick up on these characters when analysing network traffic, thereby making it possible for a firewall to detect VPN connections [PBUK07, GLMG16, PJL+12]. If the encryption algorithm is secure, the payload remains secret. However, since the initiation of a VPN connection or an existing connection can be detected, firewalls that disallow the use of a VPN can throttle, disconnect or block the VPN server. This makes it impossible for users to freely interact with the internet in a secure and anonymous way on any network. Therefore, we aim to present a solution that prevents detection of both a VPN server and its network traffic. As long as the VPN server and its connections are not detected, there is no reason to block or destroy any connection to the VPN server.

This thesis will therefore investigate the obfuscation of an OpenVPN connection, making it possible for users to always create a private internet connection. The OpenVPN connection will be obfuscated by encrypting VPN related characters and converting the network traffic to resemble a transport layer security (TLS) connection. TLS uses the transmission control protocol (TCP) [Pos81] to transport network traffic; therefore, we obfuscate the OpenVPN network traffic using the TCP protocol in OpenVPN. The differences in protocols will be described and a solution to obfuscate the OpenVPN network traffic will be presented.

In this thesis, we make the following contributions:

• Creating VPN servers that are undetectable by any unauthorised users (Section 4.3). Various VPN server setups are tested on their detectability (Section 5.2).
• Monitoring the network traffic of various OpenVPN servers. The differences in network traffic are shown.
• Analysing VPN network traffic and TLS network traffic. The differences in network traffic are compared using the various OpenVPN server connections and a TLS connection.

We aim to configure a VPN server that will not be detected while it is running on a server and the server is exchanging network traffic with a client. The VPN server will not be blocked and connections will not be destroyed. Users will always be able to create a private and secure internet connection using the VPN server. Through the contributions and by creating an undetectable VPN server we aim to answer the following research question:

How can one hide a VPN connection to prevent a third party from detecting, destroying or blocking the connection between a client and a VPN server?

To help answer this research question, these sub-questions have been formulated:

• How can an OpenVPN server be detected?
• How can a VPN connection be detected?
• Which criteria should hold to improve obfuscation of an OpenVPN connection?

The rest of the paper is organised as follows. Related work is presented in Chapter 2, followed by the protocols of the technologies used, presented in Chapter 3. Chapter 4 describes the experiments designed to explore the OpenVPN configurations to be tested. Chapter 5 presents the results of the experiments conducted. An analysis of these results is then conducted and discussed. Chapter 6 answers the research question and sub-questions. Suggestions for future work to obfuscate VPN connections are discussed in Chapter 7.

Chapter 2 Related work

To ensure that a VPN connection will not be detected, a VPN server, as well as the connection, should be indistinguishable from a TLS connection. The detection of a VPN server is performed using "active probing". Ensafi et al. [EFW+15] describe