LEAP Docs
GitHub Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Welcome to the LEAP documentation!
  2. /
  3. Tutorials
  4. /
  5. Setting Up An Obfuscated VPN Service (2/2)
Edit page

Setting Up An Obfuscated VPN Service (2/2)

Author

kikki

Last edited

25 Mar 2023

Hopping Mode

There are two types of hopping modes: one involves hopping between ports on the same IP address, while the other entails hopping between different IP addresses and ports.

In the previous part of this tutorial we had set up an OpenVPN gateway and one obfs4 bridge pointing to it, and checked that our setup was working fine.

Now let’s make the censors' heads spin with continuous switching from one bridge to next. That’s a new pluggable transport that, for now, we’re calling "Hopping PT".

Tip
 We’re open to suggestions for a better name! Here at LEAP we have a long history of naming things after animals that jump, so perhaps grasshopper?

Adjusting the Gateway

We will need to change the openvpn config to use udp, and add a few more tricks:

Open a shell in the gateway box:

cd /etc/openvpn
cp server.conf server-hopping.conf

Edit /etc/openvpn/server-hopping.conf to look like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

proto udp

push "ip link set mtu 48000 dev tun0"
float
tun-mtu 48000
fragment 0
mssfix 0

cipher AES-256-CBC
[...]

Restart the OpenVPN gateway with new settings

  • systemctl stop openvpn@server.service

  • systemctl start openvpn@server-hopping.service

Set up a bridge in port hopping mode

Make a new obfs4 bridge, following the instructions in the first part of the tutorial until it is time to start the bridge up.

Option 1: obfs4-hopping mode

./server --hop --addr ${LHOST} --remote {RHOST} --state test_data --config test_data/obfs4.json

Option 2: kcp-hopping mode

./server --kcp --hop --addr ${LHOST} --remote ${RHOST} --state test_data --config test_data/obfs4.json

Option 3: QUIC-hopping mode

QUIC requires a cert and key, you can generate one using openssl: 

openssl genpkey -algorithm Ed25519 -out quic.key
openssl req -x509 -new -key quic.key -out quic.crt -subj "/CN=quic"
./server --quic --udp --addr ${LHOST} --remote ${RHOST} --state test_data --config test_data/obfs4.json --quic-tls-key-file quic.key --quic-tls-cert-file quic.crt

While running the bridge in hopping-pt mode, you can adjust a few additional environment variables to specify the port range, the number of ports, and other related settings as follows:

export OBFSVPN_MIN_HOP_PORT=<lower limit of port range to use for port hopping>
export OBFSVPN_MAX_HOP_PORT=<upper limit of port range to use for port hopping>
export OBFSVPN_PORT_SEED=<seed to deduce randomized ports from for port hopping>
export OBFSVPN_PORT_COUNT=<number of ports to be allocated for port hopping>

Start the obfsvpn client in port hopping Mode

Back at your client machine, we will make adjustments to obfsvpn:

  • First, stop the client by pressing ctrl+c in the terminal with the running client.

  • Restart the client with new arguments:

Option 1: Connecting to server running on obfs4-hopping mode

./obfsvpn-client -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -h

Option 2: Connecting to server running on kcp-hopping mode

./obfsvpn-client -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -h -kcp

Option 3: Connecting to server running on QUIC-hopping mode

./obfsvpn-client -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -h -quic

While running the server in hopping-pt mode, if you have adjusted the port parameters, you can use the following flags on the client side to specify those settings:

./obfsvpn-client -h -c <bridge_cert> -r <bridge_ip> -min-port <OBFSVPN_MIN_HOP_PORT> -max-port <OBFSVPN_MAX_HOP_PORT> -ps <OBFSVPN_PORT_SEED> -pc <OBFSVPN_PORT_COUNT> -v

Now the client will hop between different ports of the same bridge.

Adjust Your OpenVPN Client

sudo su
cd /etc/openvpn
cp client.conf client-hopping.conf

And now edit client-hopping.conf like this:

1
2
3
4
5
6
7
8

proto udp 

replay-window 65535
tun-mtu 48000
fragment 0
mssfix 0

cipher AES-256-CBC

Run it!

Hopping mode is significantly different in a way that we do not use Socks between openvpn and obfsvpn client. Instead, we connect to obfsvpn client over udp like if this client was an openvpn server.

openvpn --config client-hopping.conf --remote 127.0.0.1:8080 --route <bridge_ip> 255.255.255.255 net_gateway

Hopefully, this ended up with a successful tunnel initialization. From the point of view of openvpn, using the hopping mode should not make any difference.

For Hopping between IP’s Adjust the first bridge too

  • Connect to your first bridge, and stop it if it is running

  • Then, restart the bridge following set up bridge in port hopping mode. as above to restart it.

  • Make sure both the bridges are setup to run in same mode and same port configurations.

  • After restarting the bridge, connect the client using the below command to hop between both the bridges(IP’s).

  • Add flags -kcp or -quic with respect to the server mode.

./obfsvpn-client -h -c <bridge_cert1,bridge_cert2> -r <bridge_ip1,bridge_ip2> -min-port <OBFSVPN_MIN_HOP_PORT> -max-port <OBFSVPN_MAX_HOP_PORT> -ps <OBFSVPN_PORT_SEED> -pc <OBFSVPN_PORT_COUNT> -v

Of course, you have to re-run the OpenVPN client command, but this time you need to ensure to add routes for both the bridges as below: 

openvpn --config client-hopping.conf --remote 127.0.0.1:8080 --route <bridge_ip1> 255.255.255.255 net_gateway --route <bridge_ip2> 255.255.255.255 net_gateway

This should result in a successful tunnel initialization.

Congrats!
 That’s all for now! You now have a way to connect to your own VPN gateway, and automatically splitting the traffic between two different obfuscated bridges. HAPPY CIRCUMVENTING! 🥳