December 18, 2023
VPN obfuscation is a feature that masks your Web traffic and hides the fact that you’re using a VPN. As such, this feature is useful if you live in a country that actively restricts VPN usage and has strict government censorship.
For example, Internet users in China often want to bypass the Great Firewall. However, Chinese firewalls are known to be extremely tough, and even if you circumvent them with a regular VPN, the government will find out. This is just one of the many situations in which obfuscation can come in handy.
In this article, we’ll explain what VPN obfuscation is, how it works, when you should use an obfuscated VPN, and what to expect realistically, and we’ll also provide some recommendations. So, let’s jump right in.
VPN obfuscation is a technique that prevents your ISP (Internet service provider) and spy organizations from finding out that you’re connected to a VPN. It consists of different features that make your VPN traffic look like regular Web traffic.
Using an obfuscation VPN can help you bypass blockers and firewalls in countries that have strict censorship. However, keep in mind that only some VPNs offer obfuscation.
It’s also important to note that obfuscation can be achieved by different technologies and tools that don’t necessarily work in a similar way. Some of the most common tools include OpenVPN, OpenVPN Scramble, Shadowsocks proxies, SSTP, and OpenVPN over SSL/TLS.
VPN obfuscation works by changing your VPN data packets to look like regular Internet traffic. This prevents ISPs from knowing that you’re a VPN user. On the flip side, if you’re using a regular VPN, your ISP can detect it, but they still cannot see your activities (here’s what your ISP sees when you use a VPN).
In the first stage, the obfuscated server strips the VPN signature from your traffic. To understand this better, let’s consider the example of an OpenVPN data packet.
Typically, a single data packet is divided into two parts: the header and the payload. The header contains metadata that lets a firewall classify the packet as VPN traffic. The payload contains the actual contents of the data packet. Obfuscation removes the identifying information from the packet’s header, which prevents firewalls from recognizing it as VPN traffic.
In the next stage, obfuscation sends the data packet over port 443. This is the port that regular HTTPS traffic uses. As a result, VPN traffic starts to resemble normal Web traffic, and it becomes easier to pass through firewalls without getting detected.
VPN obfuscation is necessary to hide the fact that you’re using a VPN from government agencies, ISPs, and firewalls. There are many use cases for obfuscation, so let’s take a look at some common ones.
It is best to avoid using VPN obfuscation when you want maximum speed. This feature will slow down your Internet speed because of the extra layers of encryption and processing it adds, which means data packets have to travel through longer routes.
VPNs use a range of techniques for obfuscation, like OpenVPN Scramble, Shadowsocks, obfsproxy, and more. Let’s take a look at some of the most prominent ones.
OpenVPN Scramble is a patch for the OpenVPN protocol, which uses the XOR cipher to add an extra obfuscation layer. To keep things simple, the XOR cipher is a substitution cipher that replaces every letter/number in a text with something different. For example, the word “HELLO” may become “YISSN” by simply substituting Y for H, I for E, S for L, and N for O.
It is the simplest form of a cipher that can exist. However, there's a problem with XOR - it’s not the most secure cipher. It's also pretty terrible at bypassing government blocks. In fact, the authorities or even ISPs can break XOR with the right analysis tools and techniques.
There's also the fact that a lot of hackers use XOR to disguise malware, so it doesn't have the best reputation.
Based on our tests, OpenVPN Scramble isn’t very reliable and provides a low level of security. It can be useful for bypassing weak firewalls but should not be used in countries that have strict rules against VPN usage.
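To make the two points above concrete (a VPN protocol's fixed header bytes, and why a fixed-key XOR scramble hides them poorly), here is an added example that is not part of the original article. It uses OpenVPN's real opcode/key-id byte layout, but the packet bodies, the key and the session ids are constructed for illustration only.

```python
# Added example: constant header bytes survive a fixed-key XOR "scramble".
# OpenVPN really packs a 5-bit opcode and 3-bit key id into the first byte;
# everything else here (session ids, key, packet body) is constructed.

OPENVPN_HARD_RESET_CLIENT_V2 = 7  # real OpenVPN opcode value


def openvpn_first_byte(opcode: int, key_id: int = 0) -> int:
    """Opcode occupies the high 5 bits, key id the low 3 bits."""
    return ((opcode & 0x1F) << 3) | (key_id & 0x07)


def build_handshake_packet(session_id: bytes) -> bytes:
    """Simplified (constructed) control packet: opcode byte + 8-byte session id."""
    assert len(session_id) == 8
    return bytes([openvpn_first_byte(OPENVPN_HARD_RESET_CLIENT_V2)]) + session_id


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the core idea of OpenVPN 'Scramble'/XOR patches.
    XOR is its own inverse, so the same call unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def constant_leading_bytes(packets) -> int:
    """Number of leading byte positions identical across every packet.
    A nonzero count is a static signature that DPI can match on."""
    count = 0
    for pos in range(min(len(p) for p in packets)):
        if len({p[pos] for p in packets}) != 1:
            break
        count += 1
    return count


def recover_key_byte(scrambled: bytes, known_plain_byte: int, pos: int) -> int:
    """One known plaintext byte (the opcode) exposes the key byte at that position."""
    return scrambled[pos] ^ known_plain_byte


def demo():
    key = b"k3y!"  # constructed scramble key
    plain = [build_handshake_packet(b"\x01" * 8), build_handshake_packet(b"\x02" * 8)]
    scrambled = [xor_scramble(p, key) for p in plain]
    return {
        "plain_constant": constant_leading_bytes(plain),
        "scrambled_constant": constant_leading_bytes(scrambled),
        "recovered_key_byte": recover_key_byte(scrambled[0], plain[0][0], 0),
        "round_trip_ok": xor_scramble(scrambled[0], key) == plain[0],
    }
```

The scrambled packets still share an identical first byte, so the protocol is as fingerprintable as before, only with a different constant.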
A subproject of the Tor project, Obfsproxy offers stealth by wrapping protocol data in an obfuscation layer to prevent ISPs and governments from noticing it.
Obfsproxy uses Pluggable Transports (PT) to alter how Internet traffic flows between the client and the server. Obfs2 and obfs3 used to be the standard modules, but the best one for VPN obfuscation right now is obfs4.
To really hide OpenVPN traffic, Obfsproxy uses a handshake process that has no recognizable byte patterns. Simply put, it makes OpenVPN traffic look like nothing more than basic HTTP traffic.
If you want to manually set up your own OpenVPN server and Obfsproxy, there's a lot of work involved. Luckily, VPN providers who offer Obfsproxy can give you pre-configured OpenVPN config files to save you time.
Unlike the previous VPN obfuscation techniques, this one involves adding an SSL (Secure Sockets Layer) layer of encryption around the OpenVPN data. True, OpenVPN already uses a type of SSL encryption, but it has been tweaked, so it's different. And that is exactly why DPI (deep packet inspection) can easily reveal OpenVPN traffic.
When you wrap OpenVPN data in a layer of SSL encryption, DPI can no longer recognize it as VPN data. While this is a pretty efficient VPN obfuscation method, the setup process can be pretty difficult if you're not tech-savvy.
This is pretty similar to OpenVPN over SSL. The only difference is that it uses SSH (Secure Shell) to hide VPN traffic.
There's really not much to say here. SSH is pretty secure since it has strong encryption. The only drawback is that it's more of a corporate protocol since businesses use it to securely access shell accounts. You might still be able to use it as an average online user, but you'll need to talk with your VPN provider about that.
Shadowsocks is an open-source project based on the SOCKS5 proxy. A Chinese programmer using the pseudonym "clowwindy" created it back in 2012 to help people in the country bypass censorship, and also hide the fact that they're doing it.
On its own, Shadowsocks just masks online traffic, making it look like HTTPS so that you can bypass firewalls. It doesn't have much encryption to secure your data, though. However, a VPN provider can use their service together with Shadowsocks to hide OpenVPN traffic.
This is multi-protocol VPN software developed by Daiyuu Nobori. One notable aspect of SoftEther is that it’s fully open-source and is designed to create low-latency connections. Furthermore, it runs on platforms like Windows, Linux, Solaris, macOS, and FreeBSD.
SoftEther has a proprietary protocol that creates a secure tunnel over HTTPS. This helps bypass firewalls and provides obfuscation because HTTPS carries regular Internet traffic as well. Other than that, SoftEther also supports OpenVPN, L2TPv3, L2TP/IPsec, and EtherIP.
Unfortunately, SoftEther is not as secure because vulnerabilities have been found in its implementation in 2019. You can read more about Hide.me’s vulnerabilities with SoftEther.
Secure Socket Tunnel Protocol is a popular and secure VPN protocol that was developed by Microsoft. Hence, it supports major platforms like Windows, Android, and Linux, along with many routers. This was designed as a replacement for the PPTP protocol in 2007.
Back then, SSTP was vulnerable to POODLE attacks (also known as a man-in-the-middle). However, it’s considered to be secure nowadays because TLS 1.3 and 1.2 are used to implement it instead of SSL 3.0.
A number of trusted VPNs like Hide.me and IPVanish offer SSTP. However, censorship-friendly VPNs prefer using more sophisticated technologies.
Despite its secure nature, it may still have hidden vulnerabilities. According to the documents revealed by Edward Snowden in 2013, Microsoft and NSA have collaborated in mass spying activities in the past. This makes SSTP less reliable regardless of how good the technology is.
This is an open-source VPN obfuscation technology primarily designed to help users in China bypass their Great Firewall. It’s a part of Project V, which allows developers to use VMess for proxy software development purposes.
VPN.AC is one of the VPNs that use V2Ray tunneling but it’s available on its Windows app only. Other than that, most VPNs do not implement this technology due to the fact that it’s not very reliable.
One of the biggest drawbacks of V2Ray is that it’s quite difficult to configure. This can be a hassle for users who are not very tech-savvy.
ExpressVPN is the best obfuscation VPN based on our rich experience of testing multiple providers. However, you do have more options. Let’s take a look at the prominent examples.
Yes, governments can indirectly stop VPN obfuscation by going out of their way and blocking VPN websites, blocking server IP addresses, blocking ports, and intercepting HTTPS traffic. Let’s take a look at these techniques:
If they want to stop people in the country from using obfuscated VPN services, they can just block the websites of the providers that offer this feature. That stops people from subscribing to the service or downloading apps.
Sure, if you downloaded the VPN client before the government blocked the website, you would be fine - but not forever. In the end, you wouldn't have access to updates this way, and you wouldn't be able to change your subscription or renew it on the provider's website.
True, you can use a lesser-known VPN service or an online proxy to unblock the provider's website. But the government will know you're doing it if they use DPI. Also, they can block those services too.
If blocking a provider’s website isn't efficient for some reason, governments can just force ISPs to block the IP addresses of well-known VPN servers.
Not only that, but they can also order them to monitor your connections, flag suspicious IP addresses (those with no hostnames associated with the server), check if they belong to VPN servers, and block them. Remember - VPN obfuscation will hide the VPN traffic, not the VPN server's address.
ISPs can also just block the ports VPN protocols need to function. Without them, you can't run a VPN connection. For example, they could block UDP port 500 to stop IKEv2 or L2TP traffic. ISPs could also block UDP port 1194 to block OpenVPN traffic.
However, 1194 is only the port OpenVPN uses by default. If you or the provider configure it to use port 443, there's not much a government can do. If they block it, they would block HTTPS traffic country-wide. Until now, we have yet to hear of a country doing that.
Most obfuscation methods make VPN traffic look like regular HTTPS traffic. Well, if a country's ISPs or surveillance agencies were to intercept that traffic, and decrypt it, the government would easily find out who is using VPNs.
Sounds like it might never happen? After all, you can't really break HTTPS, right?
Well, not exactly. Kazakhstan actually started intercepting HTTPS traffic back in 2019. Basically, the authorities made ISPs force their users to install government-issued certificates on their devices. Those certificates allow government surveillance agencies to decrypt users' HTTPS traffic.
To get the best out of VPN obfuscation, you can use split tunneling, change DNS settings, and combine it with other preventive measures. That is because obfuscation can cause a massive speed drop-off. Let’s take a look at ways to optimize it.
Split tunneling means you can decide which traffic goes through the VPN tunnel, and which doesn't. For instance, you can use split-tunneling to separate VPN traffic (like Web browsers) from non-VPN traffic (like gaming clients). If you do that, you might increase your speed since you're making your traffic more lightweight.
The default DNS settings you get from your ISP may not be ideal, especially when you're using a VPN. So, you should replace them with your VPN provider's own DNS configuration. Alternatively, try using Google Public DNS or OpenDNS configurations.
This doesn't have much to do with speed, but it's a useful thing to keep in mind when using VPN obfuscation. The idea is that hiding your VPN traffic won't do much for your privacy if the VPN connection suddenly goes down or suffers leaks. So, to make sure you're safe, you should enable the kill switch feature. It'll shut off your Web access if your VPN connection goes down. Also, turn on IP and DNS leak protection.
If obfuscation is not working for you, you should reach out to the VPN’s support team and ask for help. However, customer support can sometimes be slow. To help you fix obfuscation, we have compiled a list of common troubleshooting methods below.
VPNs normally lower your Internet speed by a certain factor. Obfuscation on top can further slow it down due to the extra hoops that data packets have to jump through. If your chosen obfuscated server is far away, your connection can stall entirely. In this case, try choosing the nearest obfuscated server and re-establishing your VPN session.
Some VPNs offer multiple features for obfuscation, including cloaking protocols, proxies, and multiple stealth options. We recommend using the latest obfuscation features available in the app because these usually come with fixed bugs and updated technology.
It is also possible that your VPN may have recently received a new patch. If that is true, the VPN app will most likely nudge you to install the latest update. However, you should still double-check it by visiting your VPN’s official website.
In the end, if nothing works, you should consider a reliable and capable obfuscation VPN that is known for its obfuscation technology. We recommend ExpressVPN due to its high-speed obfuscated servers.
Using OpenVPN with obfuscation is the safest because not all protocols offer advanced encryption like OpenVPN. So, there’s a chance with other protocols (albeit a small one) that your ISP could tell you're using a VPN.
In fact, if they check your outbound connections and see that you're connecting to an IP address with no hostname over UDP/TCP port 443, they'll likely realize you're using a VPN server. If you get caught doing that in a country where it's illegal or at work/school where it's against the rules, you can end up in a lot of trouble.
So, it's just safer to use OpenVPN with VPN obfuscation in that case.
VPN obfuscation is useful because it hides the fact that you’re using a VPN, which allows you to bypass firewalls and prevent spying. Not even your ISP can tell that you’re connected to a VPN. However, it also has some drawbacks like potentially complicated setup and low speeds.
Most of the capable VPNs provide built-in obfuscated servers that are also optimized for high speed. This removes the hassle of having to set up obfuscation manually.
We recommend ExpressVPN due to its built-in high-speed obfuscated servers. This VPN has 3,000+ servers in 90+ countries, all of which are obfuscated. That means you get a ready-to-use VPN, without any extra configuration needed.
Obfuscated VPN servers camouflage your traffic and make it look like you’re connected to a regular Internet connection. This prevents your ISP from finding out about your VPN usage.
Yes, obfuscated VPN servers can be slow. However, capable VPNs have servers that are optimized for both speed and obfuscation.
Yes, obfuscation is totally safe. However, it’s only reliable when you’re using a reliable VPN provider that has good obfuscation technology.
Governments cannot detect obfuscation for as long as it is done right. That is why we recommend using capable VPN providers like ExpressVPN.
Yes, VPN obfuscation is legal in countries where VPN usage is legal. However, if your country penalizes its citizens for using a VPN, you can potentially get in trouble due to obfuscation.
Yes, NordVPN has obfuscated servers that you can enable from its settings under the “Advanced tab”.
Finally, we hope that you found this article very valuable and it answered all your questions about VPN obfuscation. Feel free to comment below or to reach out to us if you have any queries. Thanks for reading!