
Stealth OpenVPN and SSH Tunneling Over HTTPS

Contents
Tunneling OpenVPN and SSH via HTTPS for Windows, MAC and Linux
Benefits of HTTPS Tunneling:
Pre-Requisites:
Part A: Step by Step Instructions for OpenVPN Tunneling Over HTTPS
Switching OpenVPN Servers:
Part B: Step by Step Instructions for SSH Tunneling Over HTTPS
Agent Timeout and Re-launching the Agent:
Deleting all Traces of the Tunneling Agent
Getting Support:

Tunneling OpenVPN and SSH via HTTPS for Windows, MAC and Linux
This guide explains how to tunnel OpenVPN or SSH over HTTPS for subscribers of Anonyproz OpenVPN
services. Tunneling OpenVPN or SSH over HTTPS is useful for users who are behind a restrictive firewall
or Deep Packet Inspection (DPI) device which is blocking OpenVPN or SSH traffic. Note that although
OpenVPN is already a VPN solution based on SSL/TLS and can fake HTTPS traffic by listening on TCP port
443 (the HTTPS port), it is not the same as HTTPS. This is why some advanced DPI devices, proxy servers
and firewalls are able to detect that you are using an OpenVPN connection and can block it. In addition,
some firewalls and DPI devices are also able to detect SSH traffic and can block or throttle it.
In this guide, we present a stealth method to tunnel OpenVPN or SSH over HTTPS via an SSL
tunnel based on the open source OpenVPN ALS (Adito), which can bypass restrictive firewalls and DPI
devices. With this tunneling protocol, our HTTPS server receives the HTTPS packets directed to the
HTTPS server and redirects the incoming TCP port 443 traffic to the remote OpenVPN or SSH server for
tunneling. The method is easy to use and relies on a lightweight JAVA agent client which you have to run
on your computer. Our rule of thumb is: if you can connect to any https site such as your bank website or
Paypal.com, then you can use our HTTPS tunneling solution.
In addition, this tunneling method involves multi-layer tunneling consisting of a strong trusted 2048 bit
SSL certificate, SSH and the OpenVPN SSL/TLS protocol, with smart automatic detection of the SSH and
OpenVPN protocols that will intelligently route your OpenVPN or SSH traffic to the appropriate remote
server. By using multi-layer encryption, the tunneling is extremely secure and can be regarded as double
tunneling or tunneling a tunnel over a tunnel at the price of a slight performance hit. The figure below
illustrates the concept:

To use the JAVA-based agent client for tunneling OpenVPN or SSH over HTTPS, you do not need to install
any additional SSH tunnel client such as OpenVPN GUI or Putty software on your computer. After you
run the agent client, a pre-configured Putty SSH tunneling session for all our SSH servers is automatically
launched on your computer from our HTTPS tunneling server. Hence, you are not required to have
Putty on your computer. Since Putty does not require any Administrative rights to run, you can
easily set up a secure SSH tunnel using this technique on any PC on which you cannot install software,
such as a public computer, due to lack of admin rights.
In addition, if tunneling OpenVPN over HTTPS, you can use a portable version of OpenVPN to connect,
which can be loaded directly from the agent GUI. You do not need to install our OpenVPN GUI.

Benefits of HTTPS Tunneling:


The following benefits can be derived when using this system:

Stealth Tunneling: All OpenVPN or SSH traffic is nicely hidden in SSL/HTTPS traffic which makes it
very difficult to block and is completely indistinguishable from real HTTPS traffic.

Portability and Ease of Use: With this system you are not required to manually download and install
any additional program or client on your computer. In addition, the agent can be run from
removable media such as a USB stick or memory card. The required programs are automatically loaded
and started on your computer with the executable java agent.

Zero Configuration: This system requires no configuration from you. All you have to do is install the
client program and select your server and connect with few steps.

Tunnel OpenVPN or SSH over HTTPS Using a Single Client: With the single java based agent client,
you can tunnel either OpenVPN or SSH securely over HTTPS from the same user interface,
thereby eliminating the need to use separate clients. However, please note that you can only use
one of the tunneling protocols at a time on a single computer.

To set up the system, please follow the setup instructions below depending on your use case and operating
system. Part A explains the steps to take for tunneling OpenVPN over HTTPS while Part B explains the
steps for tunneling SSH over HTTPS:

Pre-Requisites:

First you need to subscribe to any of our OpenVPN or SSH packages. If you do not have an active
account, please go to our order page to sign up at:
https://www.anonyproz.com/member/signup.php

Make sure you have the latest version of JAVA installed on your computer. You can use the link
below to check if your system has JAVA installed. If it is not installed, please download and install
JAVA.

http://www.java.com/en/download/testjava.jsp

Part A: Step by Step Instructions for OpenVPN Tunneling Over HTTPS


Step 1: First ensure that JAVA is installed on your computer and then proceed to download the JAVA-based agent client from the link below:

http://www.anonyproz.com/agent.jar

The agent is a lightweight JAVA program that provides functionality for tunneling your OpenVPN traffic
over HTTPS. It is based on the open source OpenVPN ALS (Adito) SSL-VPN software.
After download, just double click on it to launch the agent. Wait for a few seconds for the
agent to load. When launching, it should appear as shown below:

It should appear as a man wearing a black hat in your taskbar as shown below:

Step 2: Proceed to start the OpenVPN GUI client for your operating system:

For Windows Users:


If using Windows, tunneling OpenVPN over HTTPS with the agent is very easy. You do not need to install
our OpenVPN GUI client. A portable version of OpenVPN will be automatically downloaded and
executed on your computer. To begin, simply navigate to the Applications menu in the agent GUI and
click on OpenVPN over HTTPS.
By default, once this is clicked, an HTTPS tunnel to the USA server will be started and you are now ready
to connect. If you wish to connect to a different server, please click here to learn how to switch to a
different server.

Next, wait a few seconds for the portable OpenVPN GUI to automatically load and initialize:

The OpenVPN GUI is a system-tray applet, so a red icon for the GUI will appear in the lower-right corner
of the screen as shown below:

Finally, right click on the OpenVPN GUI, click on Connect and enter your username and password to
authenticate:

After successfully authenticating to the server, the red portable OpenVPN GUI icon will change to green
indicating that a successful authentication has been made.

Alternatively, you may also use the Connect over HTTPS connection in our standard OpenVPN GUI if
you do not want to use the automatic loadable version from the agent.

To confirm that the tunnel was successfully initialized, go to the Agent icon on your taskbar and click on
Tunnel Monitor. There you will see the tunnel server that was successfully initialized and active for
tunneling.

To confirm if your traffic is being routed via HTTPS, go to the Tunnel Monitor icon and make sure that it
is flashing as shown below:

Switching OpenVPN Servers:


By default, when the HTTPS agent is run, a tunnel to USA server 1 will be started and you are now ready
to connect. If you wish to use a different server, first exit the active OpenVPN connection from the
OpenVPN GUI and then proceed to terminate the active default USA server connection from the agent
tunnel monitor panel by navigating to the Tunnels menu, selecting the USA server to highlight it and
clicking on Stop. Click on your desired server to start the HTTPS tunnel.
After terminating the tunnel, a confirmation balloon will pop up from the agent as illustrated below:

Then go to the Tunnels menu and select the new server you wish to switch to and click on it to activate
the new tunnel. Then finally go to the OpenVPN GUI and click on Connect to initiate the connection.

For MAC and Linux Users:


If you are using a MAC-based OpenVPN GUI client such as Tunnelblick or Viscosity, you should download
our Connect over HTTPS config file from this link and place it into the OpenVPN config folder in the
OpenVPN installation directory. This config file will enable you to utilize the HTTPS tunnel. Alternatively,
if you already have one of our current server config files, simply edit it to connect to localhost on port
8080.

Next right click on the Agent icon and navigate to the Tunnels menu and click on your desired
OpenVPN server location. At this time, the agent is now active and ready to transmit your
OpenVPN traffic over HTTPS.

Finally, connect to the OpenVPN server from the Viscosity or Tunnelblick

Part B: Step by Step Instructions for SSH Tunneling Over HTTPS


I: For Windows Users:
Step 1: Follow the same steps as explained above to download the HTTP tunnel agent and ensure that
you have JAVA installed on your computer. Then launch the agent by running the file.

Step 2: Right click on the Agent icon and navigate to the Applications menu and click on your desired
SSH server location. At this time, the agent is now active and ready to transmit your SSH traffic over
HTTPS.
Once clicked, the SSH tunnel will be initialized and a Putty window will automatically open on your
computer. You do not have to install or download Putty on your local computer as the HTTPS server will
automatically download and start Putty.

Accept the security warning and click on Yes.

Then finally you will be presented with a Putty window for authentication. Simply authenticate using your
SSH username and password, which correspond to your member username and password.
Note: You must leave the Putty window open. Do not close it or attempt to enter any command. You
must leave the window open throughout your tunnel session.
This will connect to your local Agent first, which negotiates with the remote server, and finally the
ssh<=>sshd communication will begin and after authentication you will be dropped to a shell and have a
SOCKS proxy running on port 8080.

To confirm that the SSH tunnel was successfully initialized, go to the Agent icon on your taskbar
and click on Tunnel Monitor. There you will see the tunnel server that was successfully initialized and
active for tunneling.

Step 3: That's all you need to do to open the tunnel. Now you're ready to configure your web browser or
any other application with the Socks 5 proxy details shown below:
Host: localhost
Port: 8080
Proxy Type: Socks 5 (Requires no authentication)

Important: Make sure that only one Putty tunnel window is open in your system at a time. If
you attempt to start a new tunnel while another Putty tunnel window is open, the connection
will be refused!

II: For MAC Users:


Step 1: Follow the same steps as explained above to download the HTTP tunnel agent and ensure that
you have JAVA installed on your computer. Then launch the agent by running the file.

Step 2: Right click on the Agent icon and navigate to the SSL Tunnels menu and click on your desired
server location. At this time, the agent is now active and ready to transmit your SSH traffic over HTTPS.
You can also verify that the necessary connection was established in a Terminal window.
Open Terminal from the menu Applications - Utilities - Terminal and run the command
netstat -na | grep LISTEN. You will see all listening ports on your desktop.

Finally you can connect to 8080 local port with the appropriate command:
ssh -D 8080 user@127.0.0.1 -p 8080

Leave this window open the whole time you work through the SSH tunnel.
Now you need to configure your application with the Socks proxy.

Host: 127.0.0.1
Port: 8080
Proxy Type: Socks 5 (Requires no authentication)

III: For Linux Users:


Step 1: Follow the same steps as explained above to download the HTTP tunnel agent and ensure that
you have JAVA installed on your computer. Then launch the agent by running the file.
Step 2: Right click on the Agent icon and navigate to the SSL Tunnels menu and click on your desired
server location. At this time, the agent is now active and ready to transmit your SSH traffic over HTTPS.
To set up the tunnel, you must issue the tunnel command via your SSH client. Using the Terminal console,
type the command below, replacing user with your member username:
ssh -D 8080 user@127.0.0.1 -p 8080
Note: In the command above, replace user with your SSH username, which by default is your
member username.
Enter your member login credentials for the SSH connection.

That's all. Now you can configure your application with the Socks 5 proxy:
Host: 127.0.0.1
Port: 8080
Proxy Type: Socks 5 (Requires no authentication)
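
The netstat check from the MAC steps, turned into a script (an added example, not part of the original guide or the agent): because the Socks 5 proxy on port 8080 requires no authentication, it is worth confirming that the port is bound to the loopback address only. The function name check_listeners and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# check_listeners PORT: reads `netstat -na` output on stdin and classifies every
# LISTEN socket on PORT. Handles Linux (addr:port) and macOS/BSD (addr.port).
# Prints "loopback <addr>" or "exposed <addr>" per listener.
# Returns 0 = loopback only, 1 = reachable from other hosts, 2 = no listener.
check_listeners() {
    awk -v port="$1" '
        $NF != "LISTEN"            { next }   # listening TCP sockets only
        !match($4, /[.:][0-9]+$/)  { next }   # local address must end in a port
        {
            host = substr($4, 1, RSTART - 1)
            if (substr($4, RSTART + 1) != port) next
            seen = 1
            if (host ~ /^127\./ || host == "::1") {
                print "loopback " host
            } else {                          # *, 0.0.0.0, :: or a LAN address
                print "exposed " host
                exposed = 1
            }
        }
        END { if (!seen) exit 2; exit (exposed ? 1 : 0) }
    '
}

# Constructed sample (macOS format): port 8080 bound to loopback only.
sample_loopback() {
    cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.8080         *.*                    LISTEN
tcp4       0      0  192.168.1.20.52144     203.0.113.10.443       ESTABLISHED
EOF
}

# Constructed sample (Linux format): port 8080 also bound to every interface.
sample_exposed() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:8080                :::*                    LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
EOF
}

sample_loopback | check_listeners 8080 || echo "exit status $?"
sample_exposed  | check_listeners 8080 || echo "exit status $?"
```

On a live system, pipe the real output in instead of the samples: netstat -na | check_listeners 8080.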

Agent Timeout and Re-launching the Agent:


If the Agent encounters any connection issues or session timeout after some period of inactivity, it will
become inactive and will display with an error mark as shown below. In this state, no tunnel can be
started. You must re-launch the agent in order to start any further tunnel. To reactivate the agent simply
double click the agent file again and this will re-launch the agent. Thereafter, follow the same procedure
to select a server and connect as described in the step by step instructions above.

Please note that when you re-launch the agent, a new agent icon will be created in your computer taskbar.
Any previous agent icons or instances used for previous tunnels will remain in your taskbar and
cannot be exited.
If you wish to terminate all the agent processes running on your computer and remove all the agent
icons, simply run the following command on your Windows command prompt:
taskkill /IM java.exe /F
Note that this command force-ends every java.exe process on the computer, not only the agent.

Deleting all Traces of the Tunneling Agent


As a stealth tunneling method, it is possible to completely delete all traces of your
tunneling activity while using the HTTPS agent. This is especially useful if the computer is a shared PC
and you wish to completely erase all traces of the agent from the computer. To do this, simply go to Start
and type C:/Users/%username% in the Search Programs and files box. Then locate the folder with the
name of the computer account you have used, look for any of the following files and delete them
completely from the system:
.adito
.sslexplorer

Getting Support:
If you have any questions or encounter any issues while using the client, please contact us by
submitting a ticket at: https://www.anonyproz.com/supportsuite/
