Is there any way to implement obfuscation services to open vpn running on top of openwrt?

hello, is there any way to implement obfuscation services to open vpn running on top of openwrt? i am looking for a workaround to implement any kind of obfuscation trick to ... trick my isp while using vpn so i can bypass dpi firewalls, and speed throttle mainly, cause i lose like 15mbps while connecting to vpn ... just doing it because want me to be protected from bad actors, nothing illegal or risky... however i am losing almost 70% of my internet bandwidth... have a powerfull arm processor so i am .. just looking to see what can i do.. :smiling_face_with_tear:

options in the table are:

obsproxy, socks5, shadowsocks, openvpn over ssl, openvpn over https, openvpn over stunnel, openvpn over... tls ? any tought or idea? found nothing on google..

and why not? wireguard on top of any other wrap obfuscation technology

is it possible?

also heard about openvpn patch with xor implementation, however apparently the patch is very old and with a lot of security exploits.


Are you certain that the ISP is actually throttling your OpenVPN traffic? There is a good chance that this is just due to the router you are using...

Unless you have a very powerful router (i.e. x86 class or with appropriate hardware acceleration for the encryption in use), OpenVPN will tend to slow down the connection
because it is extremely CPU intensive.

What hardware are you using?

ubus call system board

That said, I've personally used shadowsocks to encapsulate OpenVPN... it works, but the performance suffers even more.

Since you mentioned Wireguard -- try that... unless your ISP is actively throttling VPN connections, Wireguard should be far more performant than OpenVPN on the same hardware.


With OpenVPN on WRT3200ACM I never got above 16Mbit/s.
ER4 gives 36Mbit/s.

1 Like

OpenVPN is tls traffic so there isn’t any meaning to put on tls/ssl over tls to begin with to make it go faster.

Go wireguard if possible.

OpenWrt wg server running on ipq4019 with a mobile wg-tunneled over wifi/5g gets:

1 Like

my actual router is a paperweight which throttles vpn traffic up to 80%, , however, had other routher which is a old i5 intel, and got throttled by my isp dpi"ing my traffic so i am trying to find a way to use any kind of obfuscation in openwrt, can you use shadowsocks with oepnvpn in openwrt?? can you please tell me more? i have found nothing! like that in google

my hardware is a cheap mr3420 so i do not use it for vpn for now.. , but i will buy a beefy arm 4 core router so i can run openwrt-openvpn easily without hardware throttle ,also, i cant wireward for now, have read that is the winner because more optimal performant, , is there any plugin to obfuscate openvpn tcp traffic???

yes that is was reading some days before

Yes... actually, I've tunneled OpenVPN via shadowsocks and via stunnel...

When I have some time later, I'll see if I can pull some config examples.

However, this assumes that you have control over both sides of the tunnel... can you confirm that this is the case?


i only control client side.. and have manual .vpn config, and a free shadow server, nothing else

what is better stunnel or shadow?, i would be glad if you could show some examples of it, so i can play with my config in my homelab, thx

hello, can you elaborate? thank you

Then you canoot implement this method.

oh now i get it, but does is not tor very slow?

OpenWrt Makefile, it's a tor project

why not? shadowsock is... just input credentials and good to go

stunnel have never used it, shadow you can buy a shadow instance

is this?

Couldn't tell you, I run a snowflake proxy in a x86 VM for folks, but what they may be experiencing on the usage side I have no idea.

sounds neat! but would not the isp detect the traffic as TOR traffic? hmmm

From the snowflake wiki:

your Internet activity appear as though you're using the Internet for a regular video or voice call

1 Like

You need a shadowsocks server to 'unwrap' the tunnel and then send the data that was inside the tunnel to the OpenVPN server.

The way I have mine configured, it looks like this:

[OpenVPN client > Shadowsocks client] >>> internet >>> [shadowsocks server > OpenVPN server]

where the items in brackets are a single device, such that I have a [travel router] >>> internet >>> [home router].

It is possible that the server side could be broken up into two servers, but I haven't tried this.