
Stealth OpenVPN and SSH Tunneling Over HTTPS

Contents

Tunneling OpenVPN and SSH via HTTPS for Windows, MAC and Linux
Benefits of HTTPS Tunneling
Pre-Requisites
Part A: Step by Step Instructions for OpenVPN Tunneling Over HTTPS
Switching OpenVPN Servers
Part B: Step by Step Instructions for SSH Tunneling Over HTTPS
Agent Timeout and Re-launching the Agent
Deleting all Traces of the Tunneling Agent
Getting Support

Tunneling OpenVPN and SSH via HTTPS for Windows, MAC and Linux

This guide explains how to tunnel OpenVPN or SSH over HTTPS for subscribers of Anonyproz OpenVPN services. Tunneling OpenVPN or SSH over HTTPS is useful for users who are behind a restrictive firewall or Deep Packet Inspection (DPI) device which is blocking OpenVPN or SSH traffic. Note that although OpenVPN is already a VPN solution based on SSL/TLS and can fake HTTPS traffic by listening on TCP port 443 (the HTTPS port), it is not the same as HTTPS. This is why some advanced DPI devices, proxy servers and firewalls are able to detect that you are using an OpenVPN connection and can block it. In addition, some firewalls and DPI devices are also able to detect SSH traffic and can block or throttle it.

In this guide, we present a stealth method to tunnel OpenVPN or SSH over HTTPS via an SSL tunnel based on the open source OpenVPN ALS (Adito), which can bypass restrictive firewalls and DPI devices. With this tunneling protocol, our HTTPS server receives the HTTPS packets directed to it and redirects the incoming TCP port 443 traffic to the remote OpenVPN or SSH server for tunneling. The method is easy to use and relies on a lightweight JAVA agent client which you have to run on your computer. Our rule of thumb is: “if you can connect to any https site such as your bank website or Paypal.com, then you can use our HTTPS tunneling solution”.

In addition, this tunneling method is multi-layered: it combines a strong, trusted 2048 bit SSL certificate with the SSH and OpenVPN SSL/TLS protocols, automatically detects whether the traffic is SSH or OpenVPN, and intelligently routes it to the appropriate remote server. By using multi-layer encryption, the tunneling is extremely secure and can be regarded as “double tunneling”, or tunneling a tunnel over a tunnel, at the price of a slight performance hit. The figure below illustrates the concept:


To use the JAVA-based agent client for tunneling OpenVPN or SSH over HTTPS, you do not need to install any additional tunnel client such as the OpenVPN GUI or Putty on your computer. After you run the agent client, a pre-configured Putty SSH tunnel for all our SSH servers is automatically launched on your computer from our HTTPS tunneling server. Hence, you are not required to have Putty on your computer. Since Putty does not require any administrative rights to run, you can easily set up a secure SSH tunnel using this technique on any PC on which you cannot install software due to lack of admin rights, such as a public computer.

In addition if tunneling OpenVPN over HTTPS, you can use a portable version of OpenVPN to connect which can be loaded directly from the agent GUI. You do not need to install our OpenVPN GUI.

Benefits of HTTPS Tunneling:

The following benefits can be derived when using this system:

• Stealth Tunneling: All OpenVPN or SSH traffic is nicely hidden in SSL/HTTPS traffic which makes it very difficult to block and is completely indistinguishable from real HTTPS traffic.

• Portability and Ease of Use: With this system you are not required to manually download and install any additional program or client on your computer. In addition, the agent can be run from removable media such as a USB stick or memory card. The required programs are automatically loaded and started on your computer by the executable java agent.

• Zero Configuration: This system requires no configuration from you. All you have to do is install the client program and select your server and connect with few steps.

• Tunnel OpenVPN or SSH over HTTPS Using a Single Client: With the single java-based agent client, you can tunnel either OpenVPN or SSH securely over HTTPS from the same user interface, thereby eliminating the need to use separate clients. However, please note that you can only use one of the tunneling protocols at a time on a single computer.


To set up the system, please follow the setup instructions below depending on your use case and operating system. Part A explains the steps to take for tunneling OpenVPN over HTTPS, while Part B explains the steps for tunneling SSH over HTTPS:

Pre-Requisites:

• First you need to subscribe to any of our OpenVPN or SSH packages. If you do not have an active account, please go to our order page to sign up at: https://www.anonyproz.com/member/signup.php

• Make sure you have the latest version of JAVA installed on your computer. You can use the link below to check if your system has JAVA installed. If it is not installed, please download and install JAVA.

http://www.java.com/en/download/testjava.jsp

Part A: Step by Step Instructions for OpenVPN Tunneling Over HTTPS

Step 1: First ensure that JAVA is installed on your computer and then proceed to download the JAVA-based agent client from the link below:

http://www.anonyproz.com/agent.jar

The agent is a light weight JAVA program that provides functionality for tunneling your OpenVPN traffic over HTTPS. It is based on the open source OpenVPN ALS (Adito) SSL-VPN software.

After download, to run it, just double click on it to launch the agent. Wait for a few seconds for the agent to load. When launching, it should appear as shown below:


Once loaded, the agent should appear as a man wearing a black hat in your taskbar as shown below:

Step 2: Proceed to start the OpenVPN GUI client for your operating system:

For Windows Users:

If using Windows, tunneling OpenVPN over HTTPS with the agent is very easy. You do not need to install our OpenVPN GUI client. A portable version of OpenVPN will be automatically downloaded and executed on your computer. To begin, simply navigate to the “Applications” menu in the agent GUI and click on “OpenVPN over HTTPS”.

By default, once this is clicked, an HTTPS tunnel to the USA server will be started and you are now ready to connect. If you wish to connect to a different server, please see “Switching OpenVPN Servers” below to learn how to switch to a different server.


Next, wait a few seconds for the portable OpenVPN GUI to automatically load and initialize:

The OpenVPN GUI is a system-tray applet, so a red icon for the GUI will appear in the lower-right corner of the screen as shown below:

Finally right click on the OpenVPN GUI and click on “connect” and enter your username and password to authenticate:


After successfully authenticating to the server, the red portable OpenVPN GUI icon will change to green, indicating that a successful authentication has been made.

Alternatively, you may also use the “Connect over HTTPS” connection in our standard OpenVPN GUI if you do not want to use the automatic loadable version from the agent.


To confirm that the tunnel was successfully initialized, go to the Agent icon on your taskbar and click on “Tunnel Monitor”. There you will see the tunnel server that was successfully initialized and active for tunneling.


To confirm if your traffic is being routed via HTTPS, go to the Tunnel Monitor icon and make sure that it is flashing as shown below:

Switching OpenVPN Servers:

By default, when the HTTPS agent is run, a tunnel to USA server 1 will be started and you are now ready to connect. If you wish to use a different server, first exit the active OpenVPN connection from the OpenVPN GUI and then terminate the active default USA server connection from the agent tunnel monitor panel: navigate to the “Tunnels” menu, select the USA server to highlight it and click on “Stop”. Then click on your desired server to start the HTTPS tunnel.

After terminating the tunnel, a confirmation balloon will pop-up from the agent as illustrated below:


Then go to the Tunnels menu, select the new server you wish to switch to and click on it to activate the new tunnel. Finally, go to the OpenVPN GUI and click on “Connect” to initiate the connection.

For MAC and Linux Users:

If you are using a MAC-based OpenVPN GUI client such as Tunnelblick or Viscosity, you should download our “Connect over HTTPS” config file from this link and place it into the OpenVPN config folder in the OpenVPN installation directory. This config file will enable you to utilize the HTTPS tunnel. Alternatively, if you already have one of our current server config files, simply edit it to connect to localhost on port 8080.

Next right click on the Agent icon and navigate to the “Tunnels” menu and click on your desired OpenVPN server location. At this time, the agent is now active and ready to transmit your OpenVPN traffic over HTTPS.


Finally, connect to the OpenVPN server from Viscosity or Tunnelblick.

Part B: Step by Step Instructions for SSH Tunneling Over HTTPS

I: For Windows Users:

Step 1: Follow the same steps as explained above to download the HTTP tunnel agent and ensure that you have JAVA installed on your computer. Then launch the agent by running the file.

Step 2: Right click on the Agent icon and navigate to the “Applications” menu and click on your desired SSH server location. At this time, the agent is now active and ready to transmit your SSH traffic over HTTPS.

Once clicked, the SSH tunnel will be initialized and a Putty window will automatically open on your computer. You do not have to install or download Putty on your local computer, as the HTTPS server will automatically download and start Putty.


Accept the security warning and click on Yes.


Then finally you will be presented with a Putty window for authentication. Simply authenticate using your SSH username and password, which correspond to your member username and password.

Note: You must leave the Putty window open. Do not close it or attempt to enter any command. You must leave the window open throughout your tunnel session.

This will connect to your local Agent first, which negotiates with the remote server, and finally the ssh<=>sshd communication will begin and after authentication you will be dropped to a shell and have a SOCKS proxy running on port 8080.

To confirm that the SSH tunnel was successfully initialized, go to the Agent icon on your taskbar and click on “Tunnel Monitor”. There you will see the tunnel server that was successfully initialized and active for tunneling.


Step 3: That’s all you need to do to open the tunnel. Now you're ready to configure your web browser or any other application with the Socks 5 proxy details shown below:

Host: localhost
Port: 8080
Proxy Type: Socks 5 (Requires no authentication)

Important: Make sure that only one Putty tunnel window is open in your system at a time. If you attempt to start a new tunnel while another Putty tunnel window is open, the connection will be refused!

II: For MAC Users:

Step 1: Follow the same steps as explained above to download the HTTP tunnel agent and ensure that you have JAVA installed on your computer. Then launch the agent by running the file.


Step 2: Right click on the Agent icon and navigate to the “SSL Tunnels” menu and click on your desired server location. At this time, the agent is now active and ready to transmit your SSH traffic over HTTPS.

You can also verify that the necessary connection was established in a Terminal window. Open Terminal from the menu Applications – Utilities – Terminal and run the command below. You will see all listening ports on your desktop.

netstat -na | grep LISTEN

Finally, you can connect to local port 8080 with the appropriate command:

ssh -D 8080 [email protected] -p 8080

Leave this window open for as long as you work through the SSH tunnel. Now you need to configure your application with the Socks proxy.


Host: 127.0.0.1
Port: 8080
Proxy Type: Socks 5 (Requires no authentication)

III: For Linux Users:

Step 1: Follow the same steps as explained above to download the HTTP tunnel agent and ensure that you have JAVA installed on your computer. Then launch the agent by running the file.

Step 2: Right click on the Agent icon and navigate to the “SSL Tunnels” menu and click on your desired server location. At this time, the agent is now active and ready to transmit your SSH traffic over HTTPS.

To set up the tunnel, you must issue the tunnel command via your SSH client. In a Terminal console, type the command below, replacing “user” with your member username:

ssh -D 8080 [email protected] -p 8080

Note: In the command above, replace “user” with your SSH username, which by default is your member username. Enter your member login credentials for the SSH connection.

That’s all. Now you can configure your application with the Socks 5 proxy:

Host: 127.0.0.1
Port: 8080
Proxy Type: Socks 5 (Requires no authentication)
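Because the Socks 5 proxy on port 8080 requires no authentication, the netstat check from the Mac section is worth taking one step further: is the port listening on the loopback address only? The sketch below is an added example, not part of the original guide or the agent; it reads netstat -na output (Linux or macOS layout) and classifies the listener. The function name check_listener and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify who can reach a local tunnel/proxy port.
# Reads `netstat -na` output on stdin and prints one of:
#   loopback  - the port listens on 127.0.0.1 / ::1 / localhost only
#   exposed   - at least one listener is on a wildcard or LAN address
#   closed    - nothing is listening on the port
check_listener() {
    port="$1"
    awk -v port="$port" '
        /LISTEN/ {
            # The local address is the 4th column on Linux and macOS.
            addr = $4
            # Linux prints host:port, macOS prints host.port. Split on the
            # last separator so IPv6 forms (":::8080", "::1.8080") work too.
            n = match(addr, /[.:][0-9]+$/)
            if (n == 0) next          # e.g. UNIX domain socket lines
            p    = substr(addr, n + 1)
            host = substr(addr, 1, n - 1)
            if (p != port) next       # a different port, such as 18080
            found = 1
            if (host != "127.0.0.1" && host != "::1" && host != "localhost")
                exposed = 1
        }
        END {
            if (!found)       print "closed"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample in macOS netstat layout (not captured output).
sample_mac='tcp4       0      0  127.0.0.1.8080         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN'
printf '%s\n' "$sample_mac" | check_listener 8080

# On a live system:  netstat -na | check_listener 8080
```

A result of "exposed" means other hosts on the same network can reach the unauthenticated proxy.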

Agent Timeout and Re-launching the Agent:

If the Agent encounters any connection issues or a session timeout after some period of inactivity, it will become inactive and will display an error mark as shown below. In this state, no tunnel can be started. You must re-launch the agent in order to start any further tunnel. To reactivate the agent, simply double click the agent file again and this will re-launch the agent. Thereafter, follow the same procedure to select a server and connect as described in the step by step instructions above.

Please note that when you re-launch the agent, a new agent icon in your computer taskbar will be created. Any previous agent icon or instances used for previous tunnels will remain in your taskbar and cannot be exited.

If you wish to terminate all the agent processes running on your computer and remove all the agent icons, simply run the following command in your Windows command prompt. Note that it force-terminates every java.exe process on the computer, not only the agent:

taskkill /IM java.exe /F

Deleting all Traces of the Tunneling Agent

As a stealth tunneling method, it is possible to completely delete all traces of your tunneling activity while using the HTTPS agent. This is especially useful if the computer is a shared PC and you wish to completely erase all traces of the agent from the computer. To do this, simply go to Start and type C:/Users/%username% in the Search programs and files box. Then locate the folder with the name of the computer account you have used, look for any of the following files and delete them completely from the system:

.adito

.sslexplorer
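For an administrator or responder checking a shared PC, the two names above are also the ones to look for. The following added example (not part of the original guide) walks a tree of user profiles, such as /home or a mounted copy of C:/Users, and reports which profiles contain either item. The function name find_agent_traces and the demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list tunneling-agent leftovers under a tree of user profiles.
# Usage: find_agent_traces ROOT
# Prints one "profile<TAB>artifact" line per hit.
# Exit status: 0 if at least one artifact was found, 1 if none.
find_agent_traces() {
    root="$1"
    hits=0
    for profile in "$root"/*/; do
        [ -d "$profile" ] || continue      # also skips an unmatched glob
        name=$(basename "$profile")
        # The two artifact names come from the guide; -e matches a file or folder.
        for artifact in .adito .sslexplorer; do
            if [ -e "$profile$artifact" ]; then
                printf '%s\t%s\n' "$name" "$artifact"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Constructed demo tree: one profile with a leftover, one clean profile.
demo=$(mktemp -d)
mkdir -p "$demo/alice/.adito" "$demo/bob"
find_agent_traces "$demo" || echo "no agent artifacts found"
rm -rf "$demo"
```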

Getting Support:

If you have any questions or encounter any issues while using the client, please contact us by submitting a ticket at: https://www.anonyproz.com/supportsuite/