Despite the ban on certain services, VPN protocols are still widely used in corporate environments and by individuals.
Recently, their use has become difficult because encrypted traffic is recognized and dropped on communication channels. One way out of this situation is obfuscation, in which traffic is made to look like regular HTTPS packets. Information security companies have introduced several new protocols designed for this purpose. According to the developers, the new protocols are more effective than old obfuscation methods.
Stealth
For example, developers from Proton recently introduced a new protocol called Stealth. It uses obfuscation to hide the VPN connection. The general idea is to make VPN traffic look like “normal” traffic, that is, regular HTTPS connections. Stealth does this by using obfuscated TLS tunneling over TCP. This differs from most popular protocols, which typically use UDP and are therefore easier to detect. In addition, Stealth establishes VPN connections in a special and unique way that allows it to bypass Internet filters.
Despite all the obfuscation features, the protocol shows higher performance than obfuscated VPN protocols of the past generation, which usually run on OpenVPN over TCP.
Stealth is also compatible with the Accelerator service, which increases connection speed on slow Internet channels by using the BBR congestion control algorithm.

Stealth was built from scratch and is not based on any existing protocol. It is available to all of the company’s customers who use the proprietary application. The only complaint may be the proprietary nature of this development.
Cloak
Another development in this area is the Cloak program, which attempts to disguise proxied traffic as regular browser activity using steganography. It is an add-on to other proxy tools such as OpenVPN or Shadowsocks.

Unlike traditional tools with obvious traffic fingerprints, Cloak is very difficult to recognize accurately in the packet stream, and attempts to do so produce a large number of false positives, the developers explain.
For any third-party observer, a host with a Cloak server is indistinguishable from a regular web server. This holds both for passive monitoring of the traffic flow to and from the server and for active probing of the server's behavior, and it is achieved through the use of a number of cryptographic steganography methods.
Cloak can be used in conjunction with any proxy program that tunnels traffic through TCP or UDP, such as Shadowsocks or OpenVPN. Multiple proxy servers can be run on a single server, and the Cloak server will act as a reverse proxy, connecting clients to the proxy they need.
Cloak multiplexes traffic over multiple underlying TCP connections, which reduces the load on the underlying link and the overhead of the TCP handshake. It also makes the traffic structure more similar to real websites.
The protocol allows multiple clients to connect to the server on a single port (443 by default). It also provides traffic management features: usage limits and bandwidth control. This allows you to serve multiple users, even if the underlying proxy was not designed for multi-user operation.
Cloak also supports tunneling through an intermediate CDN, such as Amazon CloudFront.
WebTunnel
Another new development is WebTunnel, a new type of Tor bridge.
It is a pluggable transport for simulating HTTPS traffic, inspired by HTTPT. It wraps the payload connection in a WebSocket-like HTTPS connection, which looks like a regular HTTPS (WebSocket) connection to the outside, i.e. a regular connection to a web server.
WebTunnel is so similar to regular web traffic that it can coexist with a website on the same endpoint, i.e. with the same domain, IP address, and port. This coexistence allows a reverse proxy to route both regular web traffic and WebTunnel to the appropriate application servers.
For most users, WebTunnel can be used as an alternative to obfs4 bridges.

Old protocols
Traditional VPN protocols like OpenVPN, WireGuard, IKEv2, PPTP, and L2TP are relatively easy to spot on the network.
There have been various projects over the years to obfuscate existing protocols, but many of these are just reworks of existing protocols that no longer work very well.
A VPN protocol typically consists of two channels: a data channel and a control channel. The control channel is responsible for exchanging keys, authentication, and exchanging parameters (such as providing an IP address or routes and DNS servers). The data channel is responsible for transmitting traffic. Together, they maintain a secure tunnel. However, in order for your data to travel through that secure tunnel, it must be encapsulated.
Encapsulation is when the VPN protocol takes packets and places them inside another packet. This extra layer is necessary because the protocol configurations are not necessarily the same as the regular Internet. The extra layer allows information to pass through the tunnel. Once the VPN tunnel is established, the control channel’s job is to keep the connection stable.
As already mentioned, traditional protocols are relatively easy to recognize on the network. That is why improved modifications are created for them.
Source
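Why the older protocols are easy to spot, and how the control and data channels show up on the wire, as an added example that is not part of the original post: it labels UDP payloads using the fixed, unencrypted header bytes of WireGuard and OpenVPN. The opcode and message-type values come from those protocols' public wire formats rather than from this page, the function names are hypothetical, and the sample flows are constructed.

```python
# OpenVPN: first byte = opcode (upper 5 bits) | key_id (lower 3 bits).
OVPN_CONTROL = {1, 2, 3, 4, 5, 7, 8, 10, 11}  # resets, control, ACK
OVPN_DATA = {6, 9}                            # P_DATA_V1, P_DATA_V2
OVPN_CLIENT_RESET = {1, 7, 10}                # opens a session, key_id 0
# WireGuard: first byte = message type, then three reserved zero bytes.
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}         # handshake init/response, cookie
WG_DATA = 4                                   # transport data

def identify_flow(first: bytes):
    """Name the protocol from the first client-to-server UDP payload."""
    if len(first) == WG_FIXED_LEN[1] and first[:4] == b"\x01\x00\x00\x00":
        return "wireguard"
    # opcode + 8-byte session id + ack count + 4-byte packet id = 14 bytes min
    if len(first) >= 14 and (first[0] >> 3) in OVPN_CLIENT_RESET \
            and (first[0] & 7) == 0:
        return "openvpn"
    return None

def channel(proto, payload: bytes):
    """Label one payload of an identified flow as 'control' or 'data'."""
    if not payload:
        return None
    if proto == "wireguard":
        if payload[1:4] != b"\x00\x00\x00":
            return None
        if payload[0] == WG_DATA:
            return "data"
        return "control" if WG_FIXED_LEN.get(payload[0]) == len(payload) else None
    if proto == "openvpn":
        op = payload[0] >> 3
        return "control" if op in OVPN_CONTROL else "data" if op in OVPN_DATA else None
    return None

def summarize(flow):
    """Return (protocol, per-channel packet counts) for a list of payloads."""
    proto = identify_flow(flow[0]) if flow else None
    counts = {"control": 0, "data": 0}
    for payload in flow:
        ch = channel(proto, payload)
        if ch:
            counts[ch] += 1
    return proto, counts

# Constructed sample flows: real header bytes, zero-filled bodies.
WG_FLOW = [b"\x01\0\0\0" + bytes(144), b"\x02\0\0\0" + bytes(88), b"\x04\0\0\0" + bytes(28)]
OVPN_FLOW = [b"\x38" + bytes(13), b"\x40" + bytes(25), b"\x20" + bytes(40), b"\x48" + bytes(60)]
OTHER_FLOW = [b"\xc0\x00\x00\x00\x01" + bytes(1195)]  # QUIC-like long header

if __name__ == "__main__":
    for name, flow in (("wg", WG_FLOW), ("ovpn", OVPN_FLOW), ("other", OTHER_FLOW)):
        print(name, summarize(flow))
```

A single leading byte is a weak signal on its own, which is why the flow is identified from the handshake packet first and later packets are only labelled within that flow.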