VPN obfuscation is increasingly common. Sometimes it’s called cloaking, other times Obfsproxy servers or stealth VPN. Whatever the buzz term used, more and more providers are including it as a feature.
But, are obfuscated VPN servers something we really need to care about? And what are they even in the first place?
As it turns out, VPN obfuscation can indeed be a very handy tool. And in this article, I’ll cover everything you need to know about it – what it is, why and when you should use it (if at all), how it works, and which VPNs best implement it.
What Is VPN Obfuscation?
Simply put, VPN obfuscation is a way to disguise VPN traffic so that it doesn’t look like VPN traffic.
By default, even though the data sent between your device and a VPN server is encrypted (which prevents anyone from reading it), it still has detectable patterns. For example, OpenVPN, the most commonly used VPN protocol, has a distinctive signature that is not too difficult to identify.
To put it differently, when connecting to regular VPN servers, a third party can usually tell you’re using a VPN even though it doesn’t know which websites you visit or what you download.
Obfuscation fixes that. It eliminates detectable protocol and encryption patterns and signatures, so you get the privacy and anonymity of a VPN without anyone knowing you’re using one.
Why Use an Obfuscated VPN?
So, obfuscation hides the fact that you’re using a VPN service. That may not seem like such a useful feature, but there are many situations where it comes in handy.
Here are five excellent reasons you may want to use it.
Get Around Government Censorship
There are plenty of countries – China, North Korea, Iran, Egypt, and Turkey, to name a few – where internet traffic is restricted. Some governments chose to, for example, block social media services, while others may limit access to foreign news websites.
VPNs are the perfect solution to get around such censorship attempts.
When you connect to one, all your traffic goes through a VPN server beyond which any banned website can be accessed. The traffic is also encrypted, making it impossible for a third party to see when you’re doing online.
Governments that censor the internet obviously don’t like that. So, they try to detect and ultimately filter or block VPN traffic to prevent their use, which gives them back control over what people can and can’t see online. Obfuscation prevents them from doing that.
Use a VPN at School or Work
It is not only countries with oppressive governments that block VPN use. Many schools and workplaces that don’t want you to access certain websites or services from their network will do the same.
VPN obfuscation can get around detection measures put in by network administrators and let you access the internet as though those filters didn’t exist.
Stop ISP Throttling
A VPN can be used to stop ISP throttling – a practice where internet speeds are reduced by your provider based on what you’re doing or accessing online.
In response, some ISPs are getting more aggressive with their throttling efforts. They will not only cap your connection speed if you’re, for example, using Netflix or downloading a torrent but go as far as doing so anytime you connect to a VPN.
It’s guilty until proven mentality – you’re using a VPN; therefore, you’re automatically doing something that should be throttled.
Connecting to an obfuscated server hides VPN use. Then, as far as the ISP is concerned, you’re just browsing random secure websites.
Stream Geo-Blocked Content
In the name of copyright and licensing agreements, most online streaming services block access to their libraries to anyone outside the country in which they operate.
Well aware of that, streaming services do their best to block VPNs.
Most resort to more rudimentary practices like banning server IPs. However, others inspect the data packets to seek out those VPN protocol signatures mentioned above – if one is found, no streaming for you.
VPN obfuscation once again saves the data. By making it seem like you’re not using a VPN, you’ll be able to watch what anything you want anytime and from any place.
Improve anonymity and privacy
Using obfuscated servers can also take your privacy to a new level.
Many of us use VPN purely for that reason. With obfuscation, not only do you benefit from an encrypted data stream and the ultimate destination of your traffic hidden behind a VPN server, but no one can tell you’re even using one.
It’s an extra layer of protection that makes the job of anyone trying to keep tabs on what you do online that much more difficult (if not impossible).
When Is Server Obfuscation Not Needed
As useful of a feature as VPN obfuscation is, it’s not always needed. Ultimately, whether it should be used or not boils down to our circumstances and needs. And the vast majority of us tend to skip it.
Unless VPN use is restricted or you’ve very keen on having an additional layer of privacy, obfuscation is generally not necessary – using regular VPN servers should give you everything you need.
As you decide whether to obfuscate your VPN traffic, there are also two things you should keep in mind.
- Obfuscation slows down your VPN. Obfuscating data means applying additional operations to it, and those operations are never free – any way you cut it, your connection will be slower. If top-notch performance is critical, you may want to skip obfuscation (if possible, of course).
- Server locations can be limited. Because most VPN users don’t use obfuscation, providers tend to offer fewer servers that support it than regular servers. You’ll typically be able to connect to popular locations like the United States or the UK. But finding an obfuscation server in even relatively high-in-demand countries like Australia or Germany may not be easy.
How VPN Obfuscation Works
Ultimately, though, there are four common methods of traffic obfuscation, and all providers will use one or a combination of several of them.
But, to help us better understand those methods a bit better, let’s first take a look at how a third party may detect and block a VPN in the first place.
How Are VPNs blocked?
While there are countless reasons why governments, ISPs, or online services block VPNs, there are just three techniques most of them rely on.
IP Address Blocks
When you use a VPN, your device’s IP address is replaced by that of the server you connected to. If, for example, you’re in Australia and connect to a US server, any website you access will think the United States is where you’re located.
Over time, based on usage patterns, any site or service that wants to do so can identify and build up a database of known VPN IP addresses. And once an IP is in that database, any attempt to connect from it is denied.
This method is commonly used by streaming services like Netflix or the BBC iPlayer and the reason why they often don’t work with a VPN.
Port VPN Blocking
By default, VPN protocols use pre-determined port numbers to access the outside world. OpenVPN, for example, usually binds to port 1194.
It’s trivial for any network administrator to block a port using a firewall – there isn’t even a detection step here. Simply deny all connections on port number 1194, and you’ve now blocked OpenVPN.
Deep Packet Inspection
The most advanced method of detecting VPN traffic is deep packet inspection (DPI).
DPI doesn’t look at what IP address a connection is coming from or which port it uses. Instead, it analyzes what the traffic looks like.
Data sent over a VPN connection is always encrypted so that no one can see what it contains. But just because someone can’t read your data doesn’t mean they can’t figure out you’re using a VPN.
Protocols like OpenVPN have a unique signature that can be detected – this is true of other protocols as well. And, if something can be detected, it can be blocked.
DPI is a technique many governments implemented VPN detection systems use, including the so-called Great Firewall of China.
Common Obfuscation Methods
VPN providers have their work cut out for them if they want to get around VPN blocks. But, where there’s a will, there’s a way.
Just like anyone trying to detect and block a VPN has several options available, VPN companies have multiple ways of camouflaging traffic.
Obfsproxy was created by the Tor Project – the organization that gave us (and continues to maintain) the Tor anonymity network. The technology was initially implemented to prevent the governments of Iran and China from blocking Tor, which they started doing in 2012.
Obfsproxy scrambles Tor traffic so that it’s unrecognizable as such – it pretty much makes it look like nothing. But because Obfsproxy is designed to use a flexible technology called pluggable transports, it can also be used to camouflage VPN traffic, including the popular OpenVPN protocol.
It’s hard to filter out something that looks like nothing, which makes Obfsproxy a very effective method of obfuscation.
Stunnel is a relatively simple open-source software solution that hides a VPN connection by making it look like TLS/SSL traffic.
TLS/SSL is how every HTTPS website encrypts sensitive information it sends and receives – it is indispensable for internet security.
Without HTTPS, it would be trivial for hackers to steal anything from our logins and passwords to credit card and banking information. TLS/SSL is therefore never blocked, even by the most authoritarian of governments.
And because TLS/SSL ads an extra layer of encryption to the VPN traffic redirected through it, it also hides all of its detectable patterns and signatures. TLS/SSL makes it impossible for anyone to tell apart run-of-the-mill secured website traffic from a VPN connection.
The SSTP protocol is a VPN protocol designed to hide the fact it’s VPN traffic. Using SSL encryption and port 443, just like Stunnel, SSTP makes a VPN connection look like regular HTTPS traffic.
And, exactly as it the case with Stunnel, it’s very difficult, if not impossible, to tell real HTTPS traffic apart from disguised VPN data.
The one downside to SSTP is that you can only use it with Microsoft Windows. If you use a VPN on any other platform, you’ll have to resort to other obfuscation methods.
OpenVPN XOR Scramble
The XOR Scramble is a simple yet effective method of obfuscating OpenVPN data.
Based on a pre-defined mask called the key, it changes the value of each byte in a VPN data packet into something else. When the data arrives at its destination, the scramble is reversed, and the original message restored.
Like the Obfsproxy method described above, XOR obfuscation hides the OpenVPN’s protocol tell-tale signatures so that it’s unrecognizable by deep packet inspection.
That said, even though XOR Scramble can work well, due to its relative simplicity, it is not quite as effective as Obfsproxy. Even the developers of OpenVPN recommend the latter as a safer method of traffic obfuscation.
Is Obfuscated Traffic Still Encrypted?
All obfuscation methods work on an already encrypted VPN data stream. They apply additional operations on top of the stream and never undo anything that has been previously done to it.
In other words, yes, obfuscated VPN traffic is always encrypted. Depending on how the connection is camouflaged, it may even benefit from a second layer of encryption.
VPNs With Obfuscated Servers
Getting VPN obfuscation to work well is no easy task, which is why most VPN providers don’t bother. Thankfully, a handful does offer it, including some of the biggest names in the industry.
If obfuscated servers are a feature you feel you need – or may need in the future – the four providers below do the best job of implementing it.
Arguably the best VPN provider in the market, NordVPN is an excellent all-rounder service. From privacy and security to a quick server network and uncanny ability to unlock geo-blocked content, Nord does it all and does it all very well.
Keeping in line with its other features, NordVPN’s implementation of obfuscated servers is also among the best in the business and the reason why this VPN works so well in China. It currently runs 107 such servers spread across a very impressive 16 countries.
By default, VPN obfuscation is disabled in the NordVPN client. To enable it, follow the steps below.
How to Enable Obfuscated NordVPN Servers
- Launch the NordVPN app.
- From the main screen, go to the Settings menu.
- Go to the Advanced tab.
- Enable the “Obfuscated servers” option.
- Exit the settings menu to go back to the main screen.
- Pick a location or server and connect to it.
Though Surfshark is a relatively new VPN provider, it started making waves (no pun intended) the moment it entered the market – everything was done right from day one.
Excellent privacy and security? Check. Great performance? Check. Second to none streaming support? Check? And, of course, VPN obfuscation? Check. Surfshark is surprisingly inexpensive too.
Surfshark calls their version of server obfuscation “NoBorders” mode. The feature automatically detects if you’re in a restricted environment and camouflages your VPN traffic accordingly – you don’t have to manually pick any specialized servers.
NoBorders should be enabled by default, but just in case, here’s how you can make sure it’s on.
How to Enable Server Obfuscation With Surfshark
- Start the Surfshark client.
- Go to the Settings tab by clicking the gear icon.
- Proceed to the Advanced section.
- Double check the “NoBorders” option is enabled.
- Click on the locations to return to the main screen.
- Pick a location and click connect.
Based in Switzerland and an independently audited and verified no-logging provider, VyprVPN is all about doing internet anonymity, security, and privacy right.
In an industry where renting hardware from third-party data centers is the norm, VyprVPN runs its own servers, which translates to better security and privacy network-wide.
And when it comes to obfuscation, VyprVPN takes things to the next level as well. To ensure maximum effectiveness, the provider has developed a proprietary obfuscated VPN protocol called “Chameleon.” It’s based on OpenVPN (and just as secure) and indeed works very, very well.
Enabling obfuscation in VyprVPN’s app is as easy as switching to the Chameleon protocol. Here’s how you do it.
How to Activate VyprVPN’s Obfuscated Servers
- Launch the VyprVPN client.
- Proceed to the “Customize” tab.
- Locate and click the “Protocol” setting.
- Pick “Chameleon” from the protocols list.
- Click on the “Connection” tab and connect to a location of your choice.
ExpressVPN has long been a favorite of many online privacy and anonymity seekers – and with good reason.
Headquartered in the privacy-friendly jurisdiction of the British Virgin Island, ExpressVPN has a strict no-logging policy. It runs a large server network that spans 94 countries and offers performance few other VPN services can beat.
Obfuscation, called “Stealth VPN”, is, of course, also available. That said, using it is not as straight forward as with other providers. Obfuscated locations are not marked in the client, and you need to contact the support team to get a list.
Once you know which country to connect to, you can camouflage your VPN traffic by following these steps.
How to Turn On Obfuscation in ExpressVPN
- Start the ExpressVPN app.
- Click the three dots next to the current selection location to open the VPN location screen.
- In the VPN location screen, type or find the name of one of the obfuscated countries as given by support.
- Click on the country to set it as the new selected location.
- Press the “On” button to connect.
Improving Obfuscated Server Performance
Regardless of how obfuscation is done, it always involves carrying out additional operations on the VPN stream – and no operation is ever free. So, you will experience some slowdown.
How much slowdown depends on many factors, from the obfuscation methods used, to how quick your internet and device are – and everything in between.
In general, though, you can speed up your VPN connection by following these three guidelines:
- Use a nearby server. Anytime you use a VPN, your data goes through a VPN server before reaching its final destination. That adds to how far it ultimately has to travel. The closer the server is to you, the shorter the data’s route, the faster your connection.
- Use split tunneling. Some things don’t need to be private. Split tunneling is a feature many providers offer that lets you choose which traffic goes through a VPN connection and which doesn’t. There’s no point sending something over a VPN and paying the associated performance overhead when there’s no need for it – app updates are a great example of this.
- Use optimal DNS settings. Most VPNs automatically change your DNS from the ISP assigned default to that of the provider. Among other benefits, this will improve performance. If your VPN doesn’t have private DNS servers – although any VPN worth its salt should – use a public DNS like Cloudflare or OpenDNS instead.
Final VPN Obfuscation Thoughts
VPN obfuscation is a technique that camouflages VPN traffic and prevents someone from finding out you’re using a VPN. It’s a very useful tool if:
- The government in your country blocks or restricts VPN connections
- The network at your school or workplaces blocks VPNs
- Your ISP throttles VPN traffic
- You want to access streaming platforms that block VPN traffic
- You want an extra layer of online privacy
Most of us don’t use obfuscation – and indeed, in most cases, a regular VPN connection will do fine. But, even if you do not need it now, picking a VPN provider that offers it is not a bad idea. You never know when it may come in handy.