We are happy users of the Pritunl VPN Server.
However, lately, some of our employees have reported that their VPN access has been blocked more often than in previous years in different countries.
We are trying to find a way to continue providing VPN access and avoid situations when an employee is unable to connect to our server.
Our first idea was to:
Use the 443/tcp port
Use tls-crypt (or tls-crypt2) to mimic HTTPS traffic
This should make VPN traffic look like HTTPS traffic and help bypass most restrictions.
However, it's not possible to configure the Pritunl VPN Server to use tls-crypt. Instead, Pritunl VPN Server enables tls-auth by default, which is similar, but it looks like it's not enough to eliminate the issue (because tls-auth does not encrypt the TLS control channel).
We think it would be useful to introduce a new VPN server option called "tls security" with the following choices:
None
tls-auth
tls-crypt
tls-crypt2
In fact, it seems that we can switch to tls-crypt without any changes in the code, except for renaming corresponding variables and strings.
Therefore, it might be a good idea to make tls-crypt the new default choice for new installations.
This will be available in the next release with the command sudo pritunl set vpn.tls_mode '"tls-auth"'. It may in the future be added as a server option, which would replace this global option.
I typed "sudo pritunl set vpn.tls_mode '"tls-crypt"'", but when connecting I get the error "TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:xxxxxx".
How to configure this correctly?
I never checked the usage of tls-crypt in that option. It will require additional changes to generate a different key. It's possible this will be done in the future, but there is currently no support for setting that option to tls-crypt.
I have the latest version of pritunl v1.32.3805.95 installed. I entered the command in the console sudo pritunl set vpn.tls_mode '"tls-crypt"'. Then I restarted pritunl and mongo: sudo systemctl restart mongod pritunl. Then I created a new profile in the web interface and my VPN works. But I would like tls-crypt-v2 to work. Maybe I need to write my own plugin for this?
upd: tls-crypt only works with the openvpn client, with the pritunl client it produces errors, example:
TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:178.34.160.199:7740
@zach any ideas on how to make tls-crypt-v2 work with pritunl and make tls-crypt work with the pritunl client?
We already tested it with server version pritunl v1.32.3805.95 by setting sudo pritunl set vpn.tls_mode 'tls-crypt' with the local build of the electron client PR, and I can confirm it works. The server side apparently can handle the tls-crypt key generation and include it in the OVPN profile.
But I believe tls-crypt-v2 still requires implementation on both server and client.
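A quick way to see which control-channel mode a generated OVPN profile actually carries, and whether it matches what the server was set to with `pritunl set vpn.tls_mode`, is to inspect the profile for the tls-auth / tls-crypt / tls-crypt-v2 directives or inline key blocks. The checker below is an added example written for this thread, not Pritunl or OpenVPN code; the two sample profiles and their key material are constructed for illustration, and the function names (`detect_modes`, `audit_profile`) are my own. A client whose profile still carries a tls-auth key while the server now expects tls-crypt is exactly the mismatch that shows up in the server log as "TLS Error: tls-crypt unwrapping failed".

```python
"""Report the TLS control-channel protection declared in an OpenVPN
client profile and compare it with the mode the server expects.
Added example for this thread; not Pritunl or OpenVPN code."""
import re

# The three mutually exclusive control-channel modes OpenVPN offers.
MODES = ("tls-auth", "tls-crypt", "tls-crypt-v2")

# Constructed sample profiles (dummy key bytes, not real key material).
DUMMY_KEY = (
    "-----BEGIN OpenVPN Static key V1-----\n"
    "00112233445566778899aabbccddeeff\n"
    "-----END OpenVPN Static key V1-----\n"
)
PROFILE_TLS_AUTH = (
    "client\ndev tun\nproto tcp\nremote vpn.example.invalid 443\n"
    "key-direction 1\n<tls-auth>\n" + DUMMY_KEY + "</tls-auth>\n"
)
PROFILE_TLS_CRYPT = (
    "client\ndev tun\nproto tcp\nremote vpn.example.invalid 443\n"
    "<tls-crypt>\n" + DUMMY_KEY + "</tls-crypt>\n"
)


def detect_modes(profile):
    """Return the set of control-channel modes declared in a profile.

    Recognises both the inline form (<tls-crypt> ... </tls-crypt>) and the
    file form ("tls-crypt ta.key") of each directive.
    """
    present = set()
    for mode in MODES:
        m = re.escape(mode)
        inline = re.search(rf"<{m}>.*?</{m}>", profile, re.S)
        directive = re.search(rf"^\s*{m}\s+\S", profile, re.M)
        if inline or directive:
            present.add(mode)
    return present


def key_direction(profile):
    """Return the key-direction value ("0" or "1") if set, else None."""
    m = re.search(r"^\s*key-direction\s+([01])\b", profile, re.M)
    return m.group(1) if m else None


def audit_profile(profile, server_mode):
    """Compare a client profile with the mode the server is configured for.

    server_mode is the value given to `pritunl set vpn.tls_mode`, e.g.
    "tls-auth" or "tls-crypt".  Returns (client_mode, problems): client_mode
    is one of MODES, "none" or "conflict"; problems is a list of findings.
    """
    present = detect_modes(profile)
    problems = []
    if not present:
        client_mode = "none"
    elif len(present) == 1:
        client_mode = next(iter(present))
    else:
        client_mode = "conflict"
        problems.append("profile declares several modes (%s); OpenVPN accepts only one"
                        % ", ".join(sorted(present)))
    if client_mode != server_mode:
        # A tls-crypt server cannot unwrap packets from a client that wraps
        # them differently (or not at all); the handshake never completes.
        problems.append("client uses %s but server expects %s: handshake will fail"
                        % (client_mode, server_mode))
    if "tls-auth" in present and key_direction(profile) is None:
        problems.append("tls-auth present but no key-direction line; check that "
                        "client and server key directions are consistent")
    return client_mode, problems


if __name__ == "__main__":
    for name, prof in (("tls-auth profile", PROFILE_TLS_AUTH),
                       ("tls-crypt profile", PROFILE_TLS_CRYPT)):
        mode, issues = audit_profile(prof, "tls-crypt")
        print(f"{name}: client mode={mode}; problems={issues or 'none'}")
```

Run it against a real profile by reading the .ovpn file into `profile` and passing the mode you set on the server; an empty problem list means the profile and server agree on the control-channel mode, so a remaining failure lies elsewhere (key mismatch, client build, or an upstream block as described later in this thread).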
Checked the tls-crypt and tls-crypt-v2 options, and found that some ISPs (MTS RUS in some regions) learned to block the connection even with this option enabled: the connection is established, but after several control packets all traffic is blocked. So, when these rules are applied widely, it won't be a silver bullet.
We configured an obfs4proxy to obfuscate traffic. Simple tor proxy in front of the server. Tested in different countries where the ISP blocks traffic.
The only problem is the pritunl client does not support it, so we switched to Viscosity.
It would be a great feature for the client to have an option to configure an obfs connection.