OpenVPN in Tunnelblick Modifiable?


Daniel Chan

Apr 6, 2015, 11:51:50 AM
to tunnelbli...@googlegroups.com
I was wondering if the OpenVPN in Tunnelblick is modifiable? Since China is undergoing some major upgrades on their GFW, I am now starting to utilize scrambled OpenVPN, an extension of the current OpenVPN that makes it harder for DPI to block the traffic.

jkbull...gmail.com

Apr 6, 2015, 1:23:50 PM
to tunnelbli...@googlegroups.com
Tunnelblick is open source, free software, so you can certainly modify it. See Building from Source and Signing the Application.

To point you to the OpenVPN source in Tunnelblick, it is located in third_party/sources/openvpn. There is a folder there for each version of OpenVPN to be included, named with the OpenVPN version. Inside that folder is an optional "patches" folder that contains patches, and an "openvpn" folder that contains the source code for that version of OpenVPN. What you would basically do is put the patch file into the "patches" folder, renaming it so it ends in ".diff", and possibly modify it so the patch command used when building Tunnelblick works at the proper folder level, and rebuild Tunnelblick.

I should warn you that the xor patch on GitHub has several bugs, including null-pointer dereferences, and that the view of the OpenVPN developers is that it should not be used and that they recommend obfsproxy instead. The following is from the last post (by one of the OpenVPN developers) on an OpenVPN mailing list thread:

We (OpenVPN developers) do not encourage people building their own versions of OpenVPN changing the wire-protocol like this, without the patch being through a proper patch review and having evaluated possible security risks related to such a change.
And we especially discourage using such an approach when there exists a far better solution, used by the TOR community. It is called obfsproxy and can be used together with OpenVPN without needing any re-compilation of OpenVPN.
 
For more information, have a look at these URLs
 

That said, I am considering adding the xor patch to Tunnelblick (after fixing the bugs; I would contribute the bug fixes upstream), possibly by including it as an additional patched copy of OpenVPN. This would allow people who do not want the patch for security reasons to avoid it, but still make it available for those who want/need it.

I am also considering adding the ability to easily use obfsproxy (from the Tor project), by including it inside of Tunnelblick (similar to the way that OpenVPN is included) and starting it with arguments provided by specially marked comments in the OpenVPN configuration.
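
The staging step described in the reply above (patch file into the version's "patches" folder, renamed to end in ".diff", checked at the proper folder level), as an added example that is not part of the original thread or Tunnelblick's build scripts. It assumes the build runs `patch` from inside the "openvpn" folder; `stage_patch`, `find_strip_level`, `demo` and the `openvpn-X.Y.Z` tree are hypothetical names, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not Tunnelblick's build script. Stages a patch as the post
# describes and reports the -p level at which it applies cleanly.

# stage_patch PATCH VERSION_DIR: copy PATCH into VERSION_DIR/patches under a
# name ending in ".diff" (that folder is optional, so create it if missing).
stage_patch() {
    mkdir -p "$2/patches" || return 1
    sp_name=$(basename "$1")
    sp_dest="$2/patches/${sp_name%.*}.diff"
    cp "$1" "$sp_dest" && echo "$sp_dest"
}

# find_strip_level PATCH DIR: print the first -p level (0 to 3) at which PATCH
# applies cleanly inside DIR. --dry-run changes nothing; -f never prompts.
find_strip_level() {
    fsl_abs="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    for fsl_p in 0 1 2 3; do
        if (cd "$2" && patch --dry-run -f -s -p"$fsl_p" < "$fsl_abs") >/dev/null 2>&1
        then echo "$fsl_p"; return 0; fi
    done
    echo "patch does not apply at -p0..-p3 in $2" >&2
    return 1
}

# demo: constructed tree shaped like third_party/sources/openvpn/<version>/.
# The version name and file contents are placeholders, not OpenVPN code.
# Assumption: the build runs patch from inside the "openvpn" folder.
demo() {
    d_tmp=$(mktemp -d) || return 1
    d_ver="$d_tmp/third_party/sources/openvpn/openvpn-X.Y.Z"
    mkdir -p "$d_ver/openvpn/src" "$d_tmp/a/src" "$d_tmp/b/src"
    printf 'line one\nline two\n' > "$d_ver/openvpn/src/sample.c"
    cp "$d_ver/openvpn/src/sample.c" "$d_tmp/a/src/sample.c"
    printf 'line one\nline 2\n' > "$d_tmp/b/src/sample.c"
    # diff exits 1 when the files differ, which is the expected case here
    (cd "$d_tmp" && { diff -u a/src/sample.c b/src/sample.c > sample.patch || [ $? -eq 1 ]; })
    d_staged=$(stage_patch "$d_tmp/sample.patch" "$d_ver") || return 1
    d_level=$(find_strip_level "$d_staged" "$d_ver/openvpn") || d_level=none
    echo "$(basename "$d_staged") -p$d_level"
    rm -rf "$d_tmp"
    [ "$d_level" != none ]
}

demo
```

If the reported level differs from the one the build's patch command uses, the path prefixes inside the ".diff" file are what need adjusting.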

Daniel Chan

Apr 7, 2015, 9:38:54 AM
to tunnelbli...@googlegroups.com
Would we see it anytime soon in the beta version of Tunnelblick? I think people in China will greatly benefit from the "patched" OpenVPN as an option in Tunnelblick.

jkbull...gmail.com

Apr 7, 2015, 10:09:42 AM
to tunnelbli...@googlegroups.com
I am hoping to release a beta version with the changes some time in the next couple of weeks. I may make a "snapshot" (pre-release version of Tunnelblick) available before then and will post to this thread if I do so.

Of course, putting it in Tunnelblick is only half of the work – it must be done on the VPN server, too.

wcoolnet

Apr 7, 2015, 10:17:25 AM
to tunnelbli...@googlegroups.com
I just wanted to add my vote for this feature. This could be extremely useful!

jkbull...gmail.com

Apr 24, 2015, 8:22:47 AM
to tunnelbli...@googlegroups.com
A snapshot (pre-release version of Tunnelblick) is available that includes a modified version of the openvpn_xorpatch. It can be downloaded from https://tunnelblick.net/snapshots.

See Tunnelblick openvpn_xorpatch for details.



Daniel Chan

Apr 25, 2015, 2:34:33 AM
to tunnelbli...@googlegroups.com
Thanks, will give feedback as soon as I can! :)