
Request to Reintroduce OpenVPN Obfuscation Feature in OPNsense

Open hdmanit opened this issue 1 year ago • 10 comments

Important notices

  • [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I have checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue and am convinced that my issue is new.

Is your feature request related to a problem? Please describe.

Yes, the removal of the "scramble obfuscate" option from OpenVPN in OPNsense has significantly impacted my ability to upgrade to newer versions of OPNsense. My network is heavily censored, and obfuscation is the only viable method to bypass such restrictions. The absence of this feature is forcing users like me to consider alternatives, despite our preference for OPNsense.

Describe the solution you'd like

I would like the "scramble obfuscate" feature to be reintroduced in the latest versions of OPNsense. Alternatively, providing an option to install older versions of OpenVPN, such as "openvpn 2.5.8", on the newer releases of OPNsense would be greatly appreciated.

Describe alternatives you've considered

I have considered using other solutions that offer traffic obfuscation, but none match the integration and ease of use provided by OPNsense. Additionally, setting up an internal Obfsproxy server is a more complex solution that I'd like to avoid.

Additional context

The "scramble obfuscate" feature is crucial for users in regions with heavy network censorship. Its reintroduction would not only benefit current users but also attract new ones who require this functionality. I am currently using "Opnsense 23.1.11_2" solely because of the lack of this feature in the latest versions. Your attention to this matter is highly appreciated.

hdmanit avatar Jun 18 '24 06:06 hdmanit

Some additional information: https://forum.opnsense.org/index.php?topic=41106

Imo, offering something like wstunnel instead would be the better choice since it would work for any traffic instead of just openvpn. https://github.com/erebe/wstunnel

Though I think that's community plugin scope?

Monviech avatar Jun 18 '24 07:06 Monviech

I'm not aware of the removal of a feature when it comes to OpenVPN in this case, the only obfuscation feature I'm aware of is obfsproxy as documented in https://community.openvpn.net/openvpn/wiki/TrafficObfuscation, which by my knowledge has never been part of our distribution.

AdSchellevis avatar Jun 18 '24 08:06 AdSchellevis

The XOR patches were included once but removed for 2.6 when they broke again due to upstream changes. OpenVPN developers never took it in and FreeBSD removed the extra patch. I have no more intention of carrying the torch for a patch nobody of the relevant people helping to keep it alive is interested in. Sorry.

fichtner avatar Jun 18 '24 08:06 fichtner

@fichtner my mistake, missed that particular thing, we're certainly not going to carry custom patches around. Alternatives exist, they just need more work from the interested parties (also not a core priority)

AdSchellevis avatar Jun 18 '24 08:06 AdSchellevis

> Some additional information: https://forum.opnsense.org/index.php?topic=41106
>
> Imo, offering something like wstunnel instead would be the better choice since it would work for any traffic instead of just openvpn. https://github.com/erebe/wstunnel
>
> Though I think that's community plugin scope?

Thank you. I should try this as well. However, the VPN services I'm using offer obfuscated options, not WSTunnel, like Surfshark and PureVPN. Thank you for your reply.

hdmanit avatar Jun 18 '24 09:06 hdmanit

> I'm not aware of the removal of a feature when it comes to OpenVPN in this case, the only obfuscation feature I'm aware of is obfsproxy as documented in https://community.openvpn.net/openvpn/wiki/TrafficObfuscation, which by my knowledge has never been part of our distribution.

> The XOR patches were included once but removed for 2.6 when they broke again due to upstream changes. OpenVPN developers never took it in and FreeBSD removed the extra patch. I have no more intention of carrying the torch for a patch nobody of the relevant people helping to keep it alive is interested in. Sorry.

Yes, what I was looking for were the XOR patches. It's unfortunate, my bad luck, that there are no extra or custom patches available anymore. Thank you for the explanation.

hdmanit avatar Jun 18 '24 09:06 hdmanit

> I'm not aware of the removal of a feature when it comes to OpenVPN in this case, the only obfuscation feature I'm aware of is obfsproxy as documented in https://community.openvpn.net/openvpn/wiki/TrafficObfuscation, which by my knowledge has never been part of our distribution.

Yeah, my mistake. You're right; you're not the one who removed that obfuscation option from OpenVPN. Here's the link to the announcement (https://forum.opnsense.org/index.php?topic=33836.msg163658#msg163658). Based on this announcement, I mistakenly thought OPNsense had removed the option and was no longer supporting it. However, upon reading it again, I see that the XOR feature is no longer supported in OpenVPN, unfortunately.

hdmanit avatar Jun 18 '24 10:06 hdmanit

> @fichtner my mistake, missed that particular thing, we're certainly not going to carry custom patches around. Alternatives exist, they just need more work from the interested parties (also not a core priority)

So, isn't there any way I can upgrade my OPNsense to the latest version but still install an older version of OpenVPN (specifically, OpenVPN 2.5.8, which I am currently using) on the latest version? If there is a solution for this, my problem will be solved.

hdmanit avatar Jun 18 '24 10:06 hdmanit

I would rather reach out to the VPN Provider support. The obfsproxy was last updated 2018. https://www.freshports.org/security/obfsproxy

So they (The VPN provider you pay for) should offer something new, like the solution I have stated above. Wireguard + wstunnel looks rather nifty.

Since the obfuscation option has been removed so long ago, they really have to offer a new solution to keep their customers who want to avoid the DPI without using old - potentially insecure - software versions.

Monviech avatar Jun 18 '24 10:06 Monviech

> I would rather reach out to the VPN Provider support. The obfsproxy was last updated 2018. https://www.freshports.org/security/obfsproxy
>
> So they (The VPN provider you pay for) should offer something new, like the solution I have stated above. Wireguard + wstunnel looks rather nifty.
>
> Since the obfuscation option has been removed so long ago, they really have to offer a new solution to keep their customers who want to avoid the DPI without using old - potentially insecure - software versions.

Yes, I agree with you; they should definitely offer something new, 100%. But you know, the problem is that in countries with highly restricted and censored internet :/, sometimes the only option that works is obfuscation. Although it’s outdated, they really should develop a new method.

hdmanit avatar Jun 19 '24 06:06 hdmanit

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Dec 15 '24 06:12 OPNsense-bot