VPNs use a range of obfuscation and stealth techniques to disguise their traffic, including alternative connection protocols and proxies. The most common obfuscation methods are listed below:
Shadowsocks
Pros | Cons
Open-source | No official audit
Fast speeds | No port forwarding
Uses less RAM |
Shadowsocks is a free and open-source obfuscation proxy protocol. It was created in 2012 by a Chinese programmer known as clowwindy and is widely used in China to get past government censorship without being detected.
Loosely based on the SOCKS5 (Socket Secure) proxy protocol, Shadowsocks relays your connection through a third-party server, so the sites you visit see that server’s location rather than yours. Unlike a plain SOCKS5 proxy, it encrypts everything between you and that server, so the bytes on the wire carry no fixed header or handshake that a firewall’s deep packet inspection (DPI) can match. On its own it does not imitate HTTPS; that needs a plugin such as simple-obfs or v2ray-plugin, which wraps the encrypted stream in a TLS or WebSocket session.
We tested Private Internet Access’ Shadowsocks proxy and found it worked well at bypassing VPN blocks.
It’s important to note that ordinary proxies are unsafe because they do not encrypt your traffic. Shadowsocks avoids this by encrypting the tunnel with an AEAD cipher such as AES-256-GCM or ChaCha20-IETF-Poly1305, using a key derived from a password shared with the server, so your ISP cannot read what passes through it. The original 2012 design used unauthenticated stream ciphers such as aes-256-cfb; those modes are now deprecated and should not be enabled.
AEAD (authenticated encryption with associated data) is a form of encryption that gives the recipient confidentiality plus an integrity check: any tampering with a ciphertext chunk is detected before it is accepted. AES-GCM, the AEAD mode of the industry-standard AES cipher, is the same construction the TLS cipher suites behind HTTPS rely on.
Unfortunately, Shadowsocks is still uncommon in VPN services because the setup is involved for both the provider and its users.
SoftEther
Pros | Cons
Open-source | Extremely rare in VPN services
Great for bypassing online censorship and restrictions | Requires manual configuration to be safe
Incredibly fast speeds | Vulnerable to man-in-the-middle attacks if the server certificate is not verified
SoftEther VPN is an open-source, multi-protocol VPN software created by Daiyuu Nobori in Japan. SoftEther VPN runs on Windows, macOS, Linux, FreeBSD, and Solaris. Once implemented, it can create fast, low-latency connections that can circumvent sophisticated firewalls.
SoftEther’s own protocol tunnels Ethernet frames over HTTPS (HTTP over SSL/TLS). This works well against firewalls because HTTPS is the standard for secure communication across the internet: blocking it outright is not an option, and a tunnel framed as HTTPS is hard for ISPs and governments to tell apart from ordinary web browsing.
SoftEther’s VPN software is not limited to its own protocol: it also supports OpenVPN, L2TP/IPsec, L2TPv3 and EtherIP.
Hide.me offers the SoftEther protocol in its Windows client.
The protocol opens several TCP connections and splits them into two groups: one group carries only uplink traffic, the other only downlink. Together with the HTTPS framing, this makes the session resemble a browser talking to an ordinary web server, which helps it pass firewalls and DPI.
A sophisticated firewall can still flag an abnormally long-lived TCP connection. To counter this, SoftEther puts a lifetime on each TCP connection and replaces it with a fresh one before it stands out.
Despite its good qualities, SoftEther has notable downsides. Mainly, Hide.me is the only VPN service that offers it. Most VPN services have avoided SoftEther because of its complicated setup process, which is convoluted for providers and customers alike.
In 2019, researchers found two vulnerabilities in Hide.me’s implementation of SoftEther. First, the client did not verify the server’s certificate, so a network attacker could perform a man-in-the-middle attack and obtain the victim’s credentials and network traffic.
Second, Hide.me’s back-end management interface did not require password authentication, exposing the servers and their users to further attack.
EXPERT ADVICE: Before using SoftEther, make sure to tick Always Verify Server Certificate in the New VPN Connection settings; without it the client will accept whatever certificate an attacker presents.
OpenVPN over SSL/TLS
Pros | Cons
Open-source software (OpenVPN and stunnel) | Difficult to configure manually
Outer tunnel looks like ordinary HTTPS on port 443 | SSL 3.0 and earlier are obsolete; only TLS 1.2 or TLS 1.3 (published in 2018) should be used
Builds on OpenVPN, which VPNs commonly use | Rarely offered by VPN services
OpenVPN over SSL (Secure Sockets Layer) or TLS (Transport Layer Security) wraps an OpenVPN connection inside a second, outer TLS session. OpenVPN already uses TLS for its control channel, but its packets carry a recognizable header that DPI can fingerprint; the outer tunnel hides that header, so your ISP sees only what looks like an ordinary HTTPS connection to a web server, typically on port 443. It’s designed to hide the fact that you are using a VPN at all.
To implement it, the VPN service runs stunnel, an open-source TLS wrapper, on both the server and the client: the client’s OpenVPN process connects to a local stunnel listener, which carries the stream over TLS to the server’s stunnel, which in turn hands it to OpenVPN. Many VPNs are put off by the complexity of the setup.
OpenVPN over SSL/TLS provides robust encryption, but it’s not suited to the individual user. It’s very rare to find a VPN that offers an SSH or TLS tunnel option, and none of the top-rated VPNs have it configured.
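The stunnel setup described above, written out as an added example rather than any provider’s actual configuration. The hostname vpn.example.com, the file paths and the port numbers are assumptions; the point of the example is the certificate-verification lines, which are what stop an on-path attacker from impersonating the server.

```ini
; Client side: runs on the user's machine. OpenVPN connects to 127.0.0.1:1194 and
; stunnel carries that stream inside TLS to port 443 on the VPN server.
; Hostnames and paths (vpn.example.com, /etc/stunnel/...) are assumptions.
client = yes
; Refuse SSL 3.0 and early TLS (needs stunnel 5.50 or later; older versions use
; "options = NO_SSLv3" instead).
sslVersionMin = TLSv1.2

[openvpn]
accept  = 127.0.0.1:1194
connect = vpn.example.com:443
; Without the next three lines any on-path attacker can impersonate the server,
; the same certificate-verification gap described for the SoftEther client above.
verifyChain = yes
CAfile      = /etc/stunnel/ca.pem
checkHost   = vpn.example.com

; ---- Server side (a separate stunnel.conf on the VPN server) ----
; [openvpn]
; accept  = 443
; connect = 127.0.0.1:1194
; cert    = /etc/stunnel/server.pem
; key     = /etc/stunnel/server.key
```

The OpenVPN client is then pointed at the local listener with `proto tcp-client` and `remote 127.0.0.1 1194`. If the profile also uses `redirect-gateway`, add `route vpn.example.com 255.255.255.255 net_gateway` so that stunnel’s own TLS packets are not routed back into the tunnel they carry.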
SSTP
Pros | Cons
Effective at bypassing firewalls | Closed-source
AES-256 encryption (via TLS) | Dubious links with the NSA
Fast speeds |
Secure Socket Tunneling Protocol (SSTP) is a widely-used VPN protocol developed and owned by Microsoft. It shipped in 2007 with Windows Vista SP1 and Windows Server 2008 as a replacement for the outdated and vulnerable PPTP protocol, and is supported natively on Windows and through third-party clients on Linux, Android and a variety of routers.
SSTP carries PPP frames inside an HTTPS session, so its security is that of the underlying SSL/TLS layer. Deployments that still allowed SSL 3.0 were exposed to POODLE (CVE-2014-3566), a padding-oracle attack in which a man-in-the-middle attacker who can inject requests into the stream recovers plaintext from it. Modern SSTP is negotiated over TLS 1.2 or 1.3, to which POODLE does not apply, provided SSL 3.0 is disabled on both client and server.
SSTP is available on a lot of trusted VPNs, including IPVanish and Hide.me. However, the VPNs that work best against censorship have dropped the protocol and moved on to more sophisticated systems.
It’s also commonly used in Windows 10 by people working away from the office who want to connect safely to their corporate network.
Despite the positives of SSTP, documents leaked by Edward Snowden in 2013 described dubious links between Microsoft and the NSA. For example, they indicated that Microsoft helped the NSA circumvent its own encryption to intercept web chats on Outlook.com.
Obfsproxy
Pros | Cons
Handshake and payload look like random data, with no fixed pattern | Random-looking traffic can itself stand out next to other protocols
Low bandwidth overhead | Difficult to set up for the VPN service and its servers
Obfsproxy, short for Obfuscation Proxy, is the Tor Project’s pluggable-transport framework. It was written to disguise Tor traffic so that an ISP or censor cannot recognize it, and the same transports can be used to hide a VPN connection.
Obfsproxy works by wrapping your traffic in a pluggable transport (obfs2, obfs3, ScrambleSuit, obfs4 or meek) so that your VPN or Tor traffic travels through an obfuscated tunnel. The transport re-encrypts the stream so that it carries no recognizable header, but this is obfuscation rather than security: obfs2 and obfs3 do not authenticate the far end and are no substitute for the tunnel’s own encryption. The layer is lightweight and adds little bandwidth overhead.
ScrambleSuit, obfs4 and meek are the only obfsproxy transports we would currently recommend for bypassing censorship. obfs2 and obfs3 are out of date and easily detected by DPI, and obfs4, which builds on ScrambleSuit, has superseded both.
It’s rare to see a VPN adopt this technology because it’s extremely difficult to set up. However, some VPN services have adopted it because of its success rate at bypassing firewalls and circumventing censorship.
IVPN offers Obfsproxy with an OpenVPN connection.
obfs4 makes your Tor or OpenVPN traffic look like a stream of uniformly random bytes, while meek disguises it as HTTPS to a large CDN. Neither is guaranteed to bypass every firewall and DPI system, because the obfuscated traffic still has recognizable characteristics.
Most protocol handshakes are clearly defined and easy to recognize, so obfsproxy traffic stands out precisely because it looks like completely random data. ISPs can apply entropy tests, which measure how random a payload is, to flag flows that carry no recognizable protocol structure: a real TLS handshake has fixed, low-entropy fields such as record headers and version bytes, whereas an obfs4 stream has none.
It’s used to circumvent online firewalls and was created for people in countries with strict online censorship, such as China, Iran and Russia.
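The entropy test just described, as an added example (it is not a tool from Tor, IVPN or any DPI vendor). It computes the Shannon entropy of a payload and compares three constructed samples: a deterministic pseudo-random stream standing in for obfs4 or Shadowsocks ciphertext, a TLS ClientHello built from its real field layout, and a plain HTTP request. The threshold, the minimum length and all sample data are assumptions made for the illustration.

```python
"""Entropy test of the kind a DPI box runs to flag obfs4- or Shadowsocks-style
'random-looking' flows. This is an added illustration, not tooling from any
VPN provider; every payload below is constructed in this file."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniformly
    distributed bytes. A long uniform-looking stream is what obfs4 and AEAD ciphertext
    both produce."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain) standing in for an obfs4
    stream or AEAD ciphertext, so the example is reproducible offline. Real transports
    use a CSPRNG and real ciphertext, which look the same to an entropy test."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_client_hello(server_name: bytes) -> bytes:
    """Constructed TLS ClientHello (record header, handshake header, version, 32-byte
    Random, TLS 1.3 cipher suites, SNI extension). Real ClientHellos carry more
    extensions, but the fixed framing that dominates the entropy is the same."""
    random32 = pseudo_random(32, b"client-random")
    sni_entry = b"\x00" + len(server_name).to_bytes(2, "big") + server_name
    sni_ext = (b"\x00\x00" + (len(sni_entry) + 2).to_bytes(2, "big")
               + len(sni_entry).to_bytes(2, "big") + sni_entry)
    body = (b"\x03\x03" + random32                    # client_version, Random
            + b"\x00"                                  # empty session_id
            + b"\x00\x06\x13\x01\x13\x02\x13\x03"      # cipher_suites: TLS_AES_*, TLS_CHACHA20_*
            + b"\x01\x00"                              # compression_methods: null
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def looks_obfuscated(payload: bytes, threshold: float = 7.2, min_len: int = 256) -> bool:
    """Crude DPI heuristic: flag a payload that is long enough to judge and whose bytes
    are near-uniform. Short payloads are not judged, because a few dozen bytes cannot
    reach high entropy even when they are genuinely random (one reason the test is not
    a guaranteed detector)."""
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


# Constructed samples for comparison.
OBFS4_LIKE_STREAM = pseudo_random(4096, b"obfs4-like stream")
TLS_CLIENT_HELLO = build_client_hello(b"www.example.com")
HTTP_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n") * 8

if __name__ == "__main__":
    for name, sample in (("obfs4-like", OBFS4_LIKE_STREAM),
                         ("TLS ClientHello", TLS_CLIENT_HELLO),
                         ("HTTP request", HTTP_REQUEST)):
        print(f"{name:16} {len(sample):5d} bytes "
              f"entropy={shannon_entropy(sample):.2f} flagged={looks_obfuscated(sample)}")
```

The pseudo-random stream scores close to 8 bits per byte and is flagged; the ClientHello and the HTTP request sit well below the threshold because their bytes are dominated by fixed headers and ASCII. meek avoids this test by presenting a genuine TLS handshake to a CDN, which is exactly why it was added to the transport family.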
OpenVPN/XOR Scramble
Pros | Cons
Open-source | Obfuscation only, trivially reversed with the key
| Sometimes can’t bypass sophisticated firewalls
| Hackers also use XOR to hide malware
OpenVPN Scramble, or XOR obfuscation, is a third-party patch for OpenVPN that adds an extra layer of obfuscation on top of OpenVPN’s own encryption.
It works by applying a bitwise XOR mask, a substitution-style operation, to every OpenVPN packet: each byte is XORed with a byte of a fixed key, which disguises the recognizable OpenVPN packet header. It does not change the transport; the scrambled packets still travel over UDP or TCP exactly as before, but they no longer match DPI signatures for OpenVPN.
StrongVPN offers XOR Scramble on UDP or TCP with multiple ports.
This type of VPN obfuscation has two major downsides. First, it is trivial to strip: reapplying the same XOR key restores the original packets, and a censor who knows the first plaintext byte of an OpenVPN handshake can recover the corresponding key byte directly from a captured packet. It adds no security of its own, which makes it one of the weakest obfuscation methods on this list (the encrypted OpenVPN payload underneath is unaffected).
Secondly, it can be an unreliable tool for bypassing online firewalls and censors. As mentioned in our IPVanish tests, its scramble feature has been failing our weekly tests to circumvent the China firewall.
However, StrongVPN’s implementation of OpenVPN Scramble is very effective at bypassing the Great Firewall of China.
Overall, OpenVPN Scramble provides rudimentary obfuscation and no additional security compared to some of the other tools here.
V2Ray/VMess
Pros | Cons
Highly customizable | Extremely rare in VPNs
| Complicated implementation for VPN providers
| Hasn’t undergone a security audit
V2Ray is the open-source core of Project V, a proxy platform whose native protocol, VMess, any developer can use to build new proxy software.
Both Shadowsocks and V2Ray were created with the specific aim of helping people in China circumvent the Great Firewall. However, Shadowsocks is designed to keep the process as simple as possible, whereas V2Ray has a far more involved configuration process.
VPN.AC is the only VPN we’ve reviewed that has implemented V2Ray tunneling. The feature is available in its native Windows app, but not in the macOS or mobile versions, and can be found under advanced settings.
In our tests, enabling V2Ray on VPN.AC caused our VPN connection to drop and sometimes blocked us from connecting to the VPN server altogether.
VPN.AC has renamed its V2Ray feature ‘OpenVPN TCP proxy / obfuscation’.
In that setting (shown in the original article’s screenshot) you can choose between a direct connection through VPN.ac’s obfuscation proxy servers, or a connection to those proxy servers routed through Cloudflare.