LEAP Docs

Setting Up An Obfuscated VPN Service (2/2)

Author

kikki

Last edited

25 Mar 2023

Automatic Bridge Switching (aka Hopping)

In the previous part of this tutorial we set up an OpenVPN gateway and one obfs4 bridge pointing to it, and checked that our setup was working fine.

Now let’s make the censors' heads spin by continuously switching from one bridge to the next. That’s a new pluggable transport that, for now, we’re calling "Hopping PT".

Tip
We’re open to suggestions for a better name! Here at LEAP we have a long history of naming things after animals that jump, so perhaps grasshopper?

Adjusting the Gateway

We will need to change the OpenVPN config to use UDP, and add a few more tricks:

Open a shell in the gateway box:

cd /etc/openvpn
cp server.conf server-hopping.conf

Edit /etc/openvpn/server-hopping.conf to look like this:

proto udp

push "ip link set mtu 48000 dev tun0"
float
tun-mtu 48000
fragment 0
mssfix 0

cipher AES-256-CBC
[...]

Restart the OpenVPN gateway with the new settings:

  • systemctl stop openvpn@server.service

  • systemctl start openvpn@server-hopping.service

Set up a second bridge

Make a new obfs4 bridge, following the instructions in the first part of the tutorial until it is time to start the bridge up. Then start it with:

./server -addr 0.0.0.0 -h -state test_data -c test_data/obfs4_state.json -v -vpn $RHOST

For hopping mode, we do not need to specify the port: ports are generated at random.

Adjust the first bridge too

  • Connect to your first bridge, and stop it if it is running.

  • Then, use the same command line as above to restart it.

Start the obfsvpn client in Hopping Mode

Back at your client machine, we will make adjustments to obfsvpn:

  • First, stop the client by pressing Ctrl+C in the terminal with the running client.

  • Restart the client with new arguments:

./client -h -c <bridge1_cert>,<bridge2_cert> -r <bridge_ip_1>,<bridge_ip_2>

Adjust Your OpenVPN Client

sudo su
cd /etc/openvpn
cp client.conf client-hopping.conf

And now edit client-hopping.conf like this:

proto udp 

replay-window 65535
tun-mtu 48000
fragment 0
mssfix 0

cipher AES-256-CBC
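
Before starting the tunnel, it helps to confirm that both files carry the hopping settings shown above and agree on the shared ones. The script below is an added example, not part of the original tutorial or of obfsvpn; its function names and sample files are constructed, and it assumes a copy of the gateway's server-hopping.conf is available next to the client file.

```sh
#!/bin/sh
# Added example: lint the hopping configs from this tutorial before restarting.
# Directive names/values come from this page; function names and the sample
# files below are constructed for illustration.

# Print the arguments of directive $2 in file $1; exit 1 if it is absent.
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
                   END { exit !found }' "$1"
}

# check_conf FILE "directive [value]"...: report missing or different lines.
check_conf() {
    file=$1; shift; rc=0
    for want in "$@"; do
        key=${want%% *}; val=${want#"$key"}; val=${val# }
        if ! got=$(conf_value "$file" "$key"); then
            echo "$file: missing '$want'"; rc=1
        elif [ "$got" != "$val" ]; then
            echo "$file: $key is '$got', expected '$val'"; rc=1
        fi
    done
    return $rc
}

check_server() { check_conf "$1" "proto udp" "float" "tun-mtu 48000" \
    "fragment 0" "mssfix 0" "cipher AES-256-CBC"; }
check_client() { check_conf "$1" "proto udp" "replay-window 65535" \
    "tun-mtu 48000" "fragment 0" "mssfix 0" "cipher AES-256-CBC"; }

# Directives this tutorial sets to the same value on both ends.
check_pair() {
    rc=0
    for key in proto tun-mtu fragment mssfix cipher; do
        s=$(conf_value "$1" "$key") || s="<unset>"
        c=$(conf_value "$2" "$key") || c="<unset>"
        [ "$s" = "$c" ] || { echo "mismatch on $key: server '$s', client '$c'"; rc=1; }
    done
    return $rc
}

# Constructed sample files: the client was left at tun-mtu 1500 by mistake.
d=$(mktemp -d)
printf '%s\n' 'proto udp' 'float' 'tun-mtu 48000' 'fragment 0' 'mssfix 0' \
    'cipher AES-256-CBC' > "$d/server-hopping.conf"
printf '%s\n' 'proto udp ' 'replay-window 65535' 'tun-mtu 1500' 'fragment 0' \
    'mssfix 0' 'cipher AES-256-CBC' > "$d/client-hopping.conf"
check_server "$d/server-hopping.conf" && echo "server ok"
check_client "$d/client-hopping.conf" || echo "client needs fixing"
check_pair "$d/server-hopping.conf" "$d/client-hopping.conf" || echo "pair differs"
```

On real machines, call check_server and check_client with the paths under /etc/openvpn instead of the sample files.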

Run it!

Hopping mode differs significantly in that we do not use SOCKS between OpenVPN and the obfsvpn client. Instead, we connect to the obfsvpn client over UDP, as if this client were an OpenVPN server.

openvpn --config client-hopping.conf --remote 127.0.0.1 8080

Hopefully, this ends with a successful tunnel initialization. From the point of view of OpenVPN, using hopping mode should not make any difference.

Congrats!
That’s all for now! You now have a way to connect to your own VPN gateway and automatically split the traffic between two different obfuscated bridges. HAPPY CIRCUMVENTING! 🥳