Introduction
For those of you that don't know what obfs4 is, gitlab.com/yawning/obfs4/-/blob/master/README.md says:
"[obfs4] is a look-like nothing obfuscation protocol that incorporates ideas and concepts from Philipp Winter's ScrambleSuit protocol."
If you want to read the technical specification, it's at gitlab.com/yawning/obfs4/-/blob/master/doc/obfs4-spec.txt
Even though it's intended for obfuscating Tor traffic, obfs4 can also be used to obfuscate OpenVPN traffic (or any other T***** traffic). The main reason anyone would need to connect to cryptostorm using obfs4 is that they're behind a restrictive firewall that's doing DPI to block T***** OpenVPN, and our SSH or HTTPS tunnels are also being blocked.
obfs4 will only work on our ECC and RSA T***** configs.
It will NOT work on our Ed25519 or Ed448 configs, or the UDP ones.
But you should be able to connect with obfs4 on any of our servers on any T***** port (well, 1-29999).
Using obfs4 on Linux
First, you need to install obfs4proxy. Some distros' package managers include it, but if yours doesn't, there are build instructions on gitlab.com/yawning/obfs4/-/blob/master/README.md, under the "Installation" section.
We also have a precompiled static binary at cryptostorm.is/obfs4proxy for those of you who don't feel like building it yourself. Checksums for verifying the integrity of that file are at cryptostorm.is/obfs4proxy.txt
Once you've got obfs4proxy installed to /usr/bin/ or wherever, you would start it with the command:
TOR_PT_MANAGED_TRANSPORT_VER=1 TOR_PT_STATE_LOCATION=. TOR_PT_CLIENT_TRANSPORTS=obfs4 obfs4proxy
If everything went smoothly, you should see the output:
VERSION 1
CMETHOD obfs4 socks5 127.0.0.1:38785
CMETHODS DONE
Except that the 38785 port there will be different for you. Make a note of it since it's used in the next step.
Unfortunately, there's no option to specify the same port each time you run obfs4proxy since gitlab.com/yawning/obfs4/-/blob/master/obfs4proxy/obfs4proxy.go#L55 has the IP/port: 127.0.0.1:0 hardcoded.
That ":0" sets a dynamic port on each run.
So if you restart obfs4proxy, you'll also need to update the port in your OpenVPN config.
Anyways, once obfs4proxy is up and running, you would next download one of our ECC T***** OpenVPN configs from cryptostorm.is/configs/ecc/ (or our GitHub).
Next, open the config in a text editor and add the following lines (at the top or bottom, doesn't matter):
socks-proxy 127.0.0.1 38785 socksauth.txt
route denmark.cstorm.is 255.255.255.255 net_gateway
That 38785 would be the port number from earlier, from the obfs4proxy output, to the right of the "127.0.0.1:" text.
The "denmark.cstorm.is" part you would replace with whichever node you're connecting to (specified in the "remote" lines in the config).
Next, you'd create a socksauth.txt file with this as its first line:
cert=JZHwkJuuOKmPuFiMyj5xjGRAqZ3jytorRmShi4L1OeQqVWDILTAfmf0s6CuBr7UCIFeCVA;iat-mode=
and on the second line, a single zero.
You could use a couple of commands like this to create the file:
echo "cert=JZHwkJuuOKmPuFiMyj5xjGRAqZ3jytorRmShi4L1OeQqVWDILTAfmf0s6CuBr7UCIFeCVA;iat-mode=" > socksauth.txt
echo 0 >> socksauth.txt
Make sure you're running those commands in the same directory that your OpenVPN config is in.
Finally, just start OpenVPN like you normally would (`openvpn --config whatever_T*****.ovpn` etc.).
Your VPN traffic will now be obfuscated by obfs4.
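Since the port changes every time obfs4proxy starts, the manual edit above can be scripted. This is an added example, not cryptostorm's or the obfs4 project's code; the function names and the 10-second wait are assumptions, and it assumes you run it from the directory holding socksauth.txt and a config that already has the route line.

```sh
#!/bin/sh
# Added example, not cryptostorm's or the obfs4 project's code.
# Function names and the startup timeout are assumptions.

# Print the SOCKS5 port from obfs4proxy's pluggable-transport output (stdin).
# Only a loopback "CMETHOD obfs4 socks5" line is accepted.
parse_cmethod_port() {
    sed -n 's/^CMETHOD obfs4 socks5 127\.0\.0\.1:\([0-9]\{1,5\}\)[[:space:]]*$/\1/p' |
        head -n 1
}

# set_socks_port CONFIG PORT: drop any old socks-proxy line, append the new one.
set_socks_port() {
    cfg=$1 port=$2
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    sed '/^socks-proxy[[:space:]]/d' "$cfg" > "$tmp" &&
        echo "socks-proxy 127.0.0.1 $port socksauth.txt" >> "$tmp" &&
        mv "$tmp" "$cfg"
}

# main CONFIG: start obfs4proxy, wait for its port, patch CONFIG, run OpenVPN.
main() {
    log=$(mktemp) || return 1
    TOR_PT_MANAGED_TRANSPORT_VER=1 TOR_PT_STATE_LOCATION=. \
        TOR_PT_CLIENT_TRANSPORTS=obfs4 obfs4proxy > "$log" &
    tries=0 port=
    while [ -z "$port" ] && [ "$tries" -lt 10 ]; do   # assumed 10 s limit
        sleep 1
        port=$(parse_cmethod_port < "$log")
        tries=$((tries + 1))
    done
    [ -n "$port" ] || { echo "no CMETHOD line from obfs4proxy" >&2; return 1; }
    set_socks_port "$1" "$port" && exec openvpn --config "$1"
}

# Does nothing without an argument, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with the config file name as its only argument; it replaces any existing socks-proxy line rather than adding a second one.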
Using obfs4 on Windows
Same as with the Linux steps, building instructions for obfs4proxy are on gitlab.com/yawning/obfs4/-/blob/master/README.md, under the "Installation" section.
But for those who don't want to install Go and all of the other dependencies, we also have a precompiled version at cryptostorm.is/obfs4win.zip. Checksums for it are at cryptostorm.is/obfs4win.zip.txt
Just download obfs4win.zip, unzip it to a folder, and double click the start_obfs4.bat file.
Some AV software will say there's a virus in obfs4win.zip. It's just a false positive. obfs4proxy.exe is used by some malware to talk to C&C servers over Tor, so some AVs will say that all Tor pluggable transports, including obfs4proxy, are malware.
start_obfs4.bat will open a black window that says something like:
VERSION 1
CMETHOD obfs4 socks5 127.0.0.1:38785
CMETHODS DONE
Except that the 38785 port there will be different for you. Make a note of it since it's used in the next step.
And be sure to keep that window open. If you close it, the VPN session will terminate.
For widget users
To tell the widget to use the obfs4proxy you just started, open the widget then click the Options button, then the Advanced tab. On that screen, select the "Use SOCKS proxy" checkbox, and 127.0.0.1 should already be filled in for the IP, so in the port box you would type in the port from the previous step (38785 in my example, it'll be different for you). Next you'll uncheck the "No username/password needed" box, and in the username field you'll copy/paste:
cert=JZHwkJuuOKmPuFiMyj5xjGRAqZ3jytorRmShi4L1OeQqVWDILTAfmf0s6CuBr7UCIFeCVA;iat-mode=
Then in the password field just type a single zero.
Before you press the Back button to go back to the widget's main window, click on the Security tab and make sure next to TLS cipher the "se*****521r1" option is selected, since obfs4 only works with that.
When you're done with that, just click the Back button to go to the main window, then connect to whichever server you want to connect to.
All of your traffic will now be obfuscated by obfs4.
For OpenVPN GUI users
The obfs4win.zip file from above contains the socksauth.txt file that's needed to connect, so make note of the file's full path.
For example, if your Windows username is john and you unzipped obfs4win.zip to a folder called "obfs4win" on your desktop, then the path to it would be c:\Users\john\Desktop\obfs4win\socksauth.txt
Next, download one of our T***** ECC OpenVPN configs from cryptostorm.is/configs/ecc/ (or our GitHub), if you haven't already.
Then open the config in Notepad or your favorite text editor and add the following line (at the top or bottom, doesn't matter):
socks-proxy 127.0.0.1 38785 c:\\Users\\john\\Desktop\\obfs4win\\socksauth.txt
That 38785 should be changed to the port number from the previous step, the one from the black start_obfs4.bat window, to the right of the "127.0.0.1:" text.
The c:\\Users\\john\\Desktop\\obfs4win\\socksauth.txt part in this example would be the full path to wherever you unzipped obfs4win.zip. Make sure to use two backslashes just like in the example as well, since OpenVPN will treat single backslashes as escape characters.
Once you're sure that the port number and the socksauth.txt location are correct, just connect with that config from OpenVPN GUI like you normally would.
Your VPN traffic will now be obfuscated by obfs4.