obfs4 support added!

Table of contents

  1. Introduction
  2. Using obfs4 on Linux
  3. Using obfs4 on Windows
    1. for widget users
    2. for OpenVPN GUI users

Introduction

For those of you that don't know what obfs4 is, gitlab.com/yawning/obfs4/-/blob/master/README.md says:

[obfs4] is a look-like nothing obfuscation protocol that incorporates ideas and concepts from Philipp Winter's ScrambleSuit protocol

If you want to read the technical specification, it's at gitlab.com/yawning/obfs4/-/blob/master/doc/obfs4-spec.txt

Even though it's intended for obfuscating Tor traffic, obfs4 can also be used to obfuscate OpenVPN traffic (or any other TCP traffic). The main reason anyone would need to connect to cryptostorm using obfs4 is that they're behind a restrictive firewall that's doing DPI to block TCP OpenVPN, and our SSH or HTTPS tunnels are also being blocked.

obfs4 will only work on our ECC and RSA TCP configs.
It will NOT work on our Ed25519 or Ed448 configs, or the UDP ones.

But you should be able to connect with obfs4 on any of our servers on any TCP port (well, 1-29999).

Using obfs4 on Linux

First, you need to install obfs4proxy. Some distros' package managers include it, but if yours doesn't, there are build instructions on gitlab.com/yawning/obfs4/-/blob/master/README.md, under the "Installation" section.

We also have a precompiled static binary at cryptostorm.is/obfs4proxy for those of you who don't feel like building it yourself. Checksums for verifying the integrity of that file are at cryptostorm.is/obfs4proxy.txt

Once you've got obfs4proxy installed to /usr/bin/ or wherever, you would start it with the command:

TOR_PT_MANAGED_TRANSPORT_VER=1 TOR_PT_STATE_LOCATION=. TOR_PT_CLIENT_TRANSPORTS=obfs4 obfs4proxy

If everything went smoothly, you should see the output:

VERSION 1
CMETHOD obfs4 socks5 127.0.0.1:38785
CMETHODS DONE

Except that the 38785 port there will be different for you. Make a note of it since it's used in the next step.

Unfortunately, there's no option to specify the same port each time you run obfs4proxy, since gitlab.com/yawning/obfs4/-/blob/master/obfs4proxy/obfs4proxy.go#L55 has the IP/port 127.0.0.1:0 hardcoded.
That ":0" makes the OS pick a different port on each run.
So each time you restart obfs4proxy, you'll also need to update the port in your OpenVPN config.

Anyways, once obfs4proxy is up and running, you would next download one of our ECC TCP OpenVPN configs from cryptostorm.is/configs/ecc/ (or our GitHub). 

Next, open the config in a text editor and add the following lines (at the top or bottom, doesn't matter):

socks-proxy 127.0.0.1 38785 socksauth.txt
route denmark.cstorm.is 255.255.255.255 net_gateway

That 38785 would be the port number from earlier, from the obfs4proxy output, to the right of the "127.0.0.1:" text.
The "denmark.cstorm.is" part you would replace with whichever node you're connecting to (specified in the "remote" lines in the config).

Next, you'd create a socksauth.txt file with this as its first line:

cert=JZHwkJuuOKmPuFiMyj5xjGRAqZ3jytorRmShi4L1OeQqVWDILTAfmf0s6CuBr7UCIFeCVA;iat-mode=

and on the second line, a single zero.
You could use a couple of commands like this to create the file:

echo "cert=JZHwkJuuOKmPuFiMyj5xjGRAqZ3jytorRmShi4L1OeQqVWDILTAfmf0s6CuBr7UCIFeCVA;iat-mode=" > socksauth.txt
echo 0 >> socksauth.txt

Make sure you're running those commands in the same directory that your OpenVPN config is in.

Finally, just start OpenVPN like you normally would (`openvpn --config whatever_TCP.ovpn` etc.).

Your VPN traffic will now be obfuscated by obfs4.
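The Linux steps above can be scripted so the dynamic port problem goes away: start obfs4proxy, read the port out of its CMETHOD line, write socksauth.txt, and append the socks-proxy and route lines to a copy of the config. The script below is an added example, not cryptostorm's or the obfs4 project's own code. It assumes obfs4proxy is on PATH, that the config is passed as the first argument and ends in .ovpn, that the node hostname is the one on the config's first "remote" line, and it reuses the cert line quoted earlier in the post.

```shell
#!/bin/sh
# Added example: wraps the manual Linux steps from the post.
# Assumes: obfs4proxy on PATH, $1 is an ECC TCP .ovpn config, the node
# hostname is on the config's first "remote" line.

# The obfs4 bridge line from the post (sent as the SOCKS5 username).
CERT='cert=JZHwkJuuOKmPuFiMyj5xjGRAqZ3jytorRmShi4L1OeQqVWDILTAfmf0s6CuBr7UCIFeCVA;iat-mode='

# Read pluggable-transport output on stdin and print the port from the
# "CMETHOD obfs4 socks5 127.0.0.1:PORT" line; exit 1 if there is none.
parse_pt_port() {
    awk '$1 == "CMETHOD" && $2 == "obfs4" && $3 == "socks5" {
             n = split($4, a, ":"); print a[n]; found = 1; exit
         }
         END { exit found ? 0 : 1 }'
}

# socksauth.txt: line 1 is the cert/iat-mode string, line 2 is a single zero.
write_socksauth() {
    printf '%s\n0\n' "$CERT" > "$1"
}

# Hostname from the first "remote" line of an OpenVPN config.
config_remote_host() {
    awk '$1 == "remote" { print $2; exit }' "$1"
}

# Copy the config and append the socks-proxy and route lines. Patching a
# copy keeps the original clean for the next run, when the port changes.
patch_config() {
    src=$1; port=$2; out=$3
    host=$(config_remote_host "$src") || return 1
    [ -n "$host" ] || { echo "no remote line in $src" >&2; return 1; }
    cp "$src" "$out"
    printf 'socks-proxy 127.0.0.1 %s socksauth.txt\nroute %s 255.255.255.255 net_gateway\n' \
        "$port" "$host" >> "$out"
}

# Start obfs4proxy, wait for it to announce its listener, patch the config
# and hand over to OpenVPN. Run from the directory holding the config.
run_obfs4_openvpn() {
    cfg=$1
    ptlog=$(mktemp)
    TOR_PT_MANAGED_TRANSPORT_VER=1 TOR_PT_STATE_LOCATION=. TOR_PT_CLIENT_TRANSPORTS=obfs4 \
        obfs4proxy > "$ptlog" 2>&1 &
    ptpid=$!
    i=0
    until grep -q '^CMETHODS DONE' "$ptlog"; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "obfs4proxy did not start" >&2; kill "$ptpid"; return 1; }
        sleep 1
    done
    port=$(parse_pt_port < "$ptlog") || { kill "$ptpid"; return 1; }
    write_socksauth socksauth.txt
    out="${cfg%.ovpn}_obfs4.ovpn"
    patch_config "$cfg" "$port" "$out" || { kill "$ptpid"; return 1; }
    echo "obfs4proxy listening on 127.0.0.1:$port, starting OpenVPN with $out"
    openvpn --config "$out"
    kill "$ptpid"
}

# Only launch when a config is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then run_obfs4_openvpn "$1"; fi
```

Usage is `sh obfs4-openvpn.sh whatever_TCP.ovpn` from the directory that holds the config; the generated socksauth.txt and the patched copy land next to it, which is what the relative path in the socks-proxy line expects.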

Using obfs4 on Windows

Same as with the Linux steps, building instructions for obfs4proxy are on gitlab.com/yawning/obfs4/-/blob/master/README.md, under the "Installation" section.

But for those who don't want to install Go and all of the other dependencies, we also have a precompiled version at cryptostorm.is/obfs4win.zip. Checksums for it are at cryptostorm.is/obfs4win.zip.txt
Just download obfs4win.zip, unzip it to a folder, and double click the start_obfs4.bat file.

Some AV software will say there's a virus in obfs4win.zip. It's just a false positive. obfs4proxy.exe is used by some malware to talk to C&C servers over Tor, so some AVs will flag all Tor pluggable transports, including obfs4proxy, as malware.

start_obfs4.bat will open a black window that says something like:

VERSION 1
CMETHOD obfs4 socks5 127.0.0.1:38785
CMETHODS DONE

Except that the 38785 port there will be different for you. Make a note of it since it's used in the next step.
And be sure to keep that window open. If you close it, the VPN session will terminate.

For widget users

To tell the widget to use the obfs4proxy you just started, open the widget then click the Options button, then the Advanced tab. On that screen, select the "Use SOCKS proxy" checkbox, and 127.0.0.1 should already be filled in for the IP, so in the port box you would type in the port from the previous step (38785 in my example, it'll be different for you). Next you'll uncheck the "No username/password needed" box, and in the username field you'll copy/paste:

cert=JZHwkJuuOKmPuFiMyj5xjGRAqZ3jytorRmShi4L1OeQqVWDILTAfmf0s6CuBr7UCIFeCVA;iat-mode=

Then in the password field just type a single zero. It should look something like this:

Before you press the Back button to go back to the widget's main window, click on the Security tab and make sure the "secp521r1" option is selected next to "TLS cipher", since obfs4 only works with that.

When you're done with that, just click the Back button to go to the main window, then connect to whichever server you want to connect to.

All of your traffic will now be obfuscated by obfs4

For OpenVPN GUI users

The obfs4win.zip file from above contains the socksauth.txt file that's needed to connect, so make note of the file's full path.

I.e., if your Windows username is john and you unzipped obfs4win.zip to a folder called "obfs4win" on your desktop, then the path to it would be c:\Users\john\Desktop\obfs4win\socksauth.txt

Next, download one of our TCP ECC OpenVPN configs from cryptostorm.is/configs/ecc/ (or our GitHub), if you haven't already. 

Then open the config in Notepad or your favorite text editor and add the following line (at the top or bottom, doesn't matter):

socks-proxy 127.0.0.1 38785 c:\\Users\\john\\Desktop\\obfs4win\\socksauth.txt

That 38785 should be changed to the port number from the previous step, the one from the black start_obfs4.bat window, to the right of the "127.0.0.1:" text.

The c:\\Users\\john\\Desktop\\obfs4win\\socksauth.txt part in this example would be the full path to wherever you unzipped obfs4win.zip. Make sure to use two backslashes just like in the example as well, since OpenVPN will treat single backslashes as escape characters.

Once you're sure that the port number and the socksauth.txt location is correct, just connect with that config from OpenVPN GUI like you normally would.

Your VPN traffic will now be obfuscated by obfs4
