Tunnelblick with obfsproxy (Stealth VPN)

This howto describes how to tunnel OpenVPN through obfsproxy on MacOS. This should work with any VPN application; for this documentation we are using Tunnelblick.

Requirements

Download and install Tunnelblick. You can find detailed documentation for this here.

Next install Homebrew. This is a package management system for MacOS. You can either download and install from the website or by pasting the following command into a terminal window:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

This will take a while to finish.

Homebrew is needed because Python2 is needed for obfsproxy. With Homebrew installed, we can get a newer Python with the following command in a terminal window:

brew install python2

With Python installed, you can now use pip2 to install obfsproxy. Use the following command in the terminal window:

pip2 install obfsproxy

Now download the OpenVPN configuration files for MacOS from the Perfect Privacy download site in the member area. Make sure to select the TCP configuration, as obfuscation does not work with UDP. Here is the direct download link (you need to log in with your Perfect Privacy credentials).

If you are using Safari, the zip file will be automatically unpacked after download. If you are using a different browser, you may need to unzip the file first.

Choose the location you want to connect to and copy the configuration file to modify it for usage with obfsproxy. In this example we have copied Basel.ovpn and named the file Basel-obfs.ovpn.

Right-click on the Basel-obfs.ovpn file and open it with any text editor like TextEdit.

First, either remove or comment out all lines starting with remote (to comment out a line, put # in front of it).

Then add the following four lines:

socks-proxy-retry
socks-proxy 127.0.0.1 LOCAL_PORT
remote 4TH_SERVER_IP TUNNEL_PORT
route 4TH_SERVER_IP 255.255.255.255 net_gateway

LOCAL_PORT can be any port that is not in use on your system. For this howto we are using port 990.

You can choose between obfsproxy2 and obfsproxy3. We recommend the latter; obfsproxy2 is provided for legacy support. When using obfsproxy3 you will need to connect to the 4th IP address of the VPN server (for obfsproxy2 use the 5th IP instead). You can find the server IP addresses on the server page in the member area. In this howto we are using obfsproxy3, so we use the 4th IP of the Basel server, which is 82.199.134.166.

For TUNNEL_PORT you can choose between the following ports: 22, 53, 443, 8085, 9009 and 36315. Generally, 443 (SSL) should work fine for all purposes but port 53 may help to get internet access from hotspots where you normally need to register on a public website first.

Once you have added these lines, you can save the file and exit the editor.
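
The same edit can be scripted instead of done by hand. The following is an added example, not part of the original howto or of Perfect Privacy's tooling. The function name make_obfs_config and its argument order are assumptions, and it reads "lines starting with remote" as the remote directive itself, so a remote-cert-tls line (the server certificate usage check) stays active.

```shell
#!/bin/sh
# Added example: build an obfsproxy-ready OpenVPN config from a TCP config,
# following the manual steps of this howto. Names are hypothetical.
#
# Usage: make_obfs_config SRC DST LOCAL_PORT SERVER_IP TUNNEL_PORT
#   e.g. make_obfs_config Basel.ovpn Basel-obfs.ovpn 990 82.199.134.166 443
make_obfs_config() {
    src=$1; dst=$2; local_port=$3; server_ip=$4; tunnel_port=$5

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Only the tunnel ports listed in the howto are accepted.
    case "$tunnel_port" in
        22|53|443|8085|9009|36315) ;;
        *) echo "unsupported TUNNEL_PORT: $tunnel_port" >&2; return 1 ;;
    esac

    # Obfuscation does not work with UDP, so refuse a UDP configuration.
    if awk '$1 == "proto" && $2 ~ /^udp/ { found = 1 } END { exit !found }' "$src"
    then
        echo "$src is a UDP configuration; use the TCP download" >&2
        return 1
    fi

    # Comment out every existing "remote" directive and copy all other
    # lines unchanged (remote-cert-tls does not match and is kept).
    awk '$1 == "remote" { print "#" $0; next } { print }' "$src" > "$dst" \
        || return 1

    # Append the four lines from the howto.
    cat >> "$dst" <<EOF
socks-proxy-retry
socks-proxy 127.0.0.1 $local_port
remote $server_ip $tunnel_port
route $server_ip 255.255.255.255 net_gateway
EOF
}
```

The original file is never modified, so the unobfuscated configuration remains available for a direct connection.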

Now you can import the edited configuration into Tunnelblick by double clicking the file. You will be asked whether you want to import the configuration for all users on your system or just for you.

Next start obfsproxy with the following line:

sudo obfsproxy obfs3 socks 127.0.0.1:LOCAL_PORT

The LOCAL_PORT must be the same one that you used in the OpenVPN configuration file; in our case this was 990.

Note: If you use a high port (>1024) you don’t need to use sudo when starting obfsproxy.

Now you can connect the VPN. Click on the Tunnelblick symbol in the top right and choose the modified configuration file for the connection.

You will be asked to enter your Perfect Privacy username and password. If you check “Save in keychain”, your credentials will be remembered for future sessions.

Tunnelblick will confirm the established connection.

Visit our Check-IP site to verify that you are connected to the VPN correctly.

If you have any questions, comments or other feedback regarding this howto, please use the corresponding thread in our community forums.