The trick I found was not to make OpenVPN listen on multiple ports, but to have iptables forward every connection arriving on a whole range of ports to the single port OpenVPN actually listens on.
The first step was getting iptables to forward a port range to the OpenVPN port. I used destination NAT (DNAT), via the REDIRECT target, where $openvpn_port is the port the OpenVPN server is configured to listen on (1194 by default):
sudo iptables -t nat -A PREROUTING -p udp --match multiport --dport 10000:40000 -j REDIRECT --to-ports $openvpn_port
sudo iptables -t nat -A OUTPUT -p udp --match multiport --dport 10000:40000 -o lo -j REDIRECT --to-ports $openvpn_port
Then we need to open the same UDP port range (10000 to 40000) in the AWS Security Group, since the instance's firewall cannot redirect traffic that never reaches it.
I've also changed the link-mtu option, simply to make it harder for pure protocol detection to identify the packets as OpenVPN traffic.
Add this to the client config:
link-mtu 1400
The final step was making the OpenVPN client connect to random ports. For this we make use of multiple remote entries, essentially just declaring several IP address/port combinations that OpenVPN may connect to. Combined with the remote-random option in the client-side config file, OpenVPN picks a random entry from the list and so connects to a random port. To simplify matters, I turned to PHP to generate the 64 random IP/port combinations to paste into the config file:
<?php
// Emit 64 "remote <ip> <port>" lines, one per line, with the port drawn
// from the same range the iptables REDIRECT rule covers (10000-40000).
$IP = "172.16.20.1"; // replace with your server's public IP address
for ($i = 0; $i < 64; $i++) {
    echo "remote " . $IP . " " . rand(10000, 40000) . "\r\n";
}
?>
Simply change $IP to your server's IP address.
You can run this code on http://codepad.org
Then paste this list of remote lines into the client config.
Also enable this line in your client config:
remote-random
With that set, OpenVPN chooses one of the remote entries at random on each connection attempt, so the port used varies from connection to connection.
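The one thing that silently breaks this setup is a mismatch between the port range in the REDIRECT rule and the range the generator draws from: a remote line whose port falls outside the redirected range is never forwarded and simply times out. The shell script below is an added example, not code from the original post; it generates the remote lines the PHP snippet produces (using /dev/urandom instead of PHP's rand), checks a pasted client-config fragment against the redirected range and for the presence of remote-random, and prints the nat rules rather than applying them so it can run without root. The function names (gen_remotes, check_remotes, print_redirect_rules) and the PORT_LO/PORT_HI variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Generates OpenVPN "remote" lines
# for a random-port setup and checks that they match the iptables REDIRECT range.
set -u

PORT_LO=10000   # must equal the low end of --dport LO:HI in the REDIRECT rule
PORT_HI=40000   # must equal the high end of that range

# Print COUNT lines of "remote IP PORT", PORT drawn uniformly-ish from [lo, hi].
gen_remotes() {
  ip="$1"; count="$2"; lo="${3:-$PORT_LO}"; hi="${4:-$PORT_HI}"
  span=$((hi - lo + 1))
  i=0
  while [ "$i" -lt "$count" ]; do
    raw=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')   # 32-bit unsigned random
    printf 'remote %s %s\n' "$ip" "$((lo + raw % span))"
    i=$((i + 1))
  done
}

# Read a client-config fragment on stdin. Fail (return 1) if any remote line
# uses a port outside [lo, hi] (it would never be redirected) or if the
# fragment lacks remote-random (all attempts would hit the first entry).
check_remotes() {
  lo="$1"; hi="$2"; ok=0; have_random=0
  while IFS= read -r line; do
    case "$line" in
      remote-random) have_random=1 ;;
      remote\ *)
        port=${line##* }                       # last whitespace-separated field
        case "$port" in
          ''|*[!0-9]*) echo "bad port in: $line" >&2; ok=1; continue ;;
        esac
        if [ "$port" -lt "$lo" ] || [ "$port" -gt "$hi" ]; then
          echo "port $port outside $lo-$hi: $line" >&2
          ok=1
        fi ;;
    esac
  done
  if [ "$have_random" -ne 1 ]; then
    echo "missing remote-random" >&2
    ok=1
  fi
  return "$ok"
}

# The two nat rules from the post, printed instead of applied. Pipe the output
# into "sudo sh" on the server once the port range has been checked.
print_redirect_rules() {
  openvpn_port="$1"
  printf 'iptables -t nat -A PREROUTING -p udp -m multiport --dports %s:%s -j REDIRECT --to-ports %s\n' \
    "$PORT_LO" "$PORT_HI" "$openvpn_port"
  printf 'iptables -t nat -A OUTPUT -o lo -p udp -m multiport --dports %s:%s -j REDIRECT --to-ports %s\n' \
    "$PORT_LO" "$PORT_HI" "$openvpn_port"
}

# Usage: sh thisscript.sh demo   (172.16.20.1 and 1194 are constructed sample values)
if [ "${1:-}" = "demo" ]; then
  { gen_remotes 172.16.20.1 64; echo remote-random; } \
    | check_remotes "$PORT_LO" "$PORT_HI" && echo "client fragment OK"
  print_redirect_rules 1194
fi
```

Running it with the demo argument prints 64 remote lines worth of validation followed by the two iptables commands; feeding it a fragment with a port like 5000 or without remote-random makes check_remotes exit non-zero and name the offending line.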
Finally, save the iptables rules so they can be restored after a reboot:
sudo sh -c "iptables-save > /etc/iptables.rules"