opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License
3.07k stars, 700 forks

Request to Reintroduce OpenVPN Obfuscation Feature in OPNsense #7537

Open hdmanit opened 1 week ago

hdmanit commented 1 week ago

Important notices

Is your feature request related to a problem? Please describe.

Yes, the removal of the "scramble obfuscate" option from OpenVPN in OPNsense has significantly impacted my ability to upgrade to newer versions of OPNsense. My network is heavily censored, and obfuscation is the only viable method to bypass such restrictions. The absence of this feature is forcing users like me to consider alternatives, despite our preference for OPNsense.

Describe the solution you'd like

I would like the "scramble obfuscate" feature to be reintroduced in the latest versions of OPNsense. Alternatively, providing an option to install older versions of OpenVPN, such as "openvpn 2.5.8", on the newer releases of OPNsense would be greatly appreciated.

Describe alternatives you've considered

I have considered using other solutions that offer traffic obfuscation, but none match the integration and ease of use provided by OPNsense. Additionally, setting up an internal Obfsproxy server is a more complex solution that I'd like to avoid.

Additional context

The "scramble obfuscate" feature is crucial for users in regions with heavy network censorship. Its reintroduction would not only benefit current users but also attract new ones who require this functionality. I am currently using "Opnsense 23.1.11_2" solely because of the lack of this feature in the latest versions. Your attention to this matter is highly appreciated.

Monviech commented 1 week ago

Some additional information: https://forum.opnsense.org/index.php?topic=41106

Imo, offering something like wstunnel instead would be the better choice since it would work for any traffic instead of just openvpn. https://github.com/erebe/wstunnel

Though I think that's community plugin scope?

AdSchellevis commented 1 week ago

I'm not aware of the removal of a feature when it comes to OpenVPN in this case; the only obfuscation feature I'm aware of is obfsproxy as documented in https://community.openvpn.net/openvpn/wiki/TrafficObfuscation, which to my knowledge has never been part of our distribution.

fichtner commented 1 week ago

The XOR patches were included once but removed for 2.6 when they broke again due to upstream changes. OpenVPN developers never took it in and FreeBSD removed the extra patch. I have no more intention of carrying the torch for a patch nobody of the relevant people helping to keep it alive is interested in. Sorry.

AdSchellevis commented 1 week ago

@fichtner my mistake, missed that particular thing, we're certainly not going to carry custom patches around. Alternatives exist, they just need more work from the interested parties (also not a core priority)

hdmanit commented 1 week ago

> Some additional information: https://forum.opnsense.org/index.php?topic=41106
>
> Imo, offering something like wstunnel instead would be the better choice since it would work for any traffic instead of just openvpn. https://github.com/erebe/wstunnel
>
> Though I think that's community plugin scope?

Thank you. I should try this as well. However, the VPN services I'm using offer obfuscated options, not WSTunnel, like Surfshark and PureVPN. Thank you for your reply.

hdmanit commented 1 week ago

> I'm not aware of the removal of a feature when it comes to OpenVPN in this case; the only obfuscation feature I'm aware of is obfsproxy as documented in https://community.openvpn.net/openvpn/wiki/TrafficObfuscation, which to my knowledge has never been part of our distribution.

> The XOR patches were included once but removed for 2.6 when they broke again due to upstream changes. OpenVPN developers never took it in and FreeBSD removed the extra patch. I have no more intention of carrying the torch for a patch nobody of the relevant people helping to keep it alive is interested in. Sorry.

Yes, what I was looking for were the XOR patches. It's unfortunate, my bad luck, that there are no extra or custom patches available anymore. Thank you for the explanation.

hdmanit commented 1 week ago

> I'm not aware of the removal of a feature when it comes to OpenVPN in this case; the only obfuscation feature I'm aware of is obfsproxy as documented in https://community.openvpn.net/openvpn/wiki/TrafficObfuscation, which to my knowledge has never been part of our distribution.

Yeah, my mistake. You're right; you're not the one who removed that obfuscation option from OpenVPN. Here's the link to the announcement (https://forum.opnsense.org/index.php?topic=33836.msg163658#msg163658). Based on this announcement, I mistakenly thought OPNsense had removed the option and was no longer supporting it. However, upon reading it again, I see that the XOR feature is no longer supported in OpenVPN, unfortunately.

hdmanit commented 1 week ago

> @fichtner my mistake, missed that particular thing, we're certainly not going to carry custom patches around. Alternatives exist, they just need more work from the interested parties (also not a core priority)

So, isn't there any way I can upgrade my OPNsense to the latest version but still install an older version of OpenVPN (specifically, OpenVPN 2.5.8, which I am currently using) on the latest version? If there is a solution for this, my problem will be solved.

Monviech commented 1 week ago

I would rather reach out to the VPN Provider support. The obfsproxy was last updated in 2018. https://www.freshports.org/security/obfsproxy

So they (The VPN provider you pay for) should offer something new, like the solution I have stated above. Wireguard + wstunnel looks rather nifty.

Since the obfuscation option was removed so long ago, they really have to offer a new solution to keep their customers who want to avoid the DPI without using old - potentially insecure - software versions.

hdmanit commented 1 week ago

> I would rather reach out to the VPN Provider support. The obfsproxy was last updated in 2018. https://www.freshports.org/security/obfsproxy
>
> So they (The VPN provider you pay for) should offer something new, like the solution I have stated above. Wireguard + wstunnel looks rather nifty.
>
> Since the obfuscation option was removed so long ago, they really have to offer a new solution to keep their customers who want to avoid the DPI without using old - potentially insecure - software versions.

Yes, I agree with you; they should definitely offer something new, 100%. But you know, the problem is that in countries with highly restricted and censored internet :/, sometimes the only option that works is obfuscation. Although it's outdated, they really should develop a new method.