Time was, a VPN was all you needed to stay anonymous and secure online. And if you were travelling outside your home country but you still wanted to enjoy your favorite shows, a VPN was all you needed there too.
But things have changed. Netflix isn’t the only location-sensitive website to start investing in proxy-blocking software, but it is probably the most annoying on a day-to-day basis. If you’re tired of seeing that ‘Oops, something went wrong’ error message and you’d like to get back to the days when you could unlock your favorite shows wherever you are in the world, a standard VPN isn’t going to cut it anymore. You need to step up your game – you need a VPN with obfuscation.
Why isn’t a standard VPN enough anymore?
VPNs work by creating a private, encrypted tunnel between your computer and another computer – a server. If I’m in Portugal but I want the websites I visit to think I’m in California, I connect to a California server and that’s where my internet traffic emerges onto the web.
So far, so good.
VPNs also encrypt traffic, making it nearly impossible to read it or know what kind of traffic it is. Is it emails? Gaming? Video streaming? With standard, unencrypted web traffic, it’s easy to tell. With VPN traffic, it’s not.
But VPNs have a fatal flaw. The one thing you can tell about VPN traffic is that it’s coming from a VPN. The changes a VPN makes to the traffic are characteristic and recognizable.
How do websites block VPN traffic?
Sometimes, geo-sensitive or censored sites use lists of known VPN server IP addresses and simply bulk block them. That’s not very effective: there are so many VPN providers that less well-known ones typically don’t get IP-blocked, and larger ones have huge server lists – plus a trick or two up their sleeves, as we’ll see.
A simpler way to block VPN traffic is to block the ports it typically uses. Different protocols use different ports – #1194 (UDP), #1723 (TCP), #500 (UDP), #4500 (UDP), #1701 (UDP), and so on.
But more often, they snoop for those recognizable VPN traffic characteristics and use them to identify a VPN user and bounce them back. This is called Deep Packet Inspection.
When your data is sent over the internet, it’s broken up into packets and reassembled at the other end. Deep Packet Inspection reads the data in the packet, to see if it’s been encapsulated by a VPN. This is the system used to target advanced VPN protocols like OpenVPN, L2TP, and PPTP. If a VPN you relied on just a few weeks ago suddenly won’t let you finish your favorite shows on Netflix, Hulu, or BBC, this is probably why.
So if you want to get around those blockers, you need a VPN that disguises the fact that it’s a VPN. That’s what obfuscation means.
How stealth mode works
Obfuscation is a long, dull word. Stealth sounds cooler, which is why VPNs that come with obfuscation get called stealth VPNs. Basically, a stealth VPN conceals the nature of its traffic by disguising it as regular HTTPS traffic – the standard for the web. (Look in the URL bar of this post or any other window you’ve got open. See how every web address starts ‘https://’?)
Any time you use HTTPS, you use port #443 and TLS encryption, because that’s how HTTPS was designed to work. So a VPN that uses port #443 and TLS encryption tends to look more like standard web traffic. (And no-one can block port #443 anyway, without blocking basically the entire internet, so you’re safe from port blocking by default.)
Data packets have two types of data – header data and payload. The payload is the information you actually want to send. The header data is like the labels and writing on the outside of an envelope. It says where the packet is going, where it’s from, what kind of protocols were used and which port it was sent by and a whole lot of other stuff that we don’t want.
Header data scrubbing
Stealth VPNs start work here, in the header section of your packet data, by scrubbing all the elements that identify the packet as coming from a VPN. Now that the packet has no labels that ID it as VPN traffic, VPN blockers won’t flag it and block it, right?
Not so fast. All we’ve done so far is create a packet with no labels on it. But that looks weird and shady; begging to be blocked on general principles. If you want to disguise yourself, the first step is to take your clothes off – but if you stop there, I’m guessing you’re going to stand out. You also have to put someone else’s clothes on.
The final step for stealth VPNs is to cloak the packet by dressing it up as standard HTTPS traffic. It’s wrapped in a second layer of SSL/TLS encryption – think of this as a second envelope. On this envelope we add the labels and addresses you’d see on normal HTTPS traffic – port #443 and all.
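To make the difference between port blocking and Deep Packet Inspection concrete, here is an added example (not from the original article) of a simplified inspector that gives two verdicts for the first packet of a connection: one from the destination port, one from the first bytes of the payload. The protocol names attached to each port, the OpenVPN opcode values and the sample packets are filled in for illustration; the samples are constructed, not captured traffic.

```python
import struct

# Default ports listed in the article, mapped to the protocol that normally uses them.
VPN_PORTS = {
    (1194, "udp"): "OpenVPN", (1723, "tcp"): "PPTP", (500, "udp"): "IPsec IKE",
    (4500, "udp"): "IPsec NAT-T", (1701, "udp"): "L2TP",
}
# OpenVPN session-opening opcodes (top 5 bits of the first byte):
# 7 = HARD_RESET_CLIENT_V2, 10 = HARD_RESET_CLIENT_V3.
OPENVPN_RESET_OPCODES = {7, 10}


def port_verdict(port, proto):
    """Port blocking: looks only at the destination port."""
    return VPN_PORTS.get((port, proto), "allowed")


def dpi_verdict(payload, proto):
    """Deep Packet Inspection: looks at the first bytes of the payload."""
    # TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length, then 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS ClientHello"
    body = payload[2:] if proto == "tcp" else payload  # OpenVPN over TCP adds a 2-byte length prefix
    # OpenVPN: opcode in the top 5 bits, key id (0 on a fresh session) in the low 3 bits.
    if len(body) >= 9 and (body[0] >> 3) in OPENVPN_RESET_OPCODES and (body[0] & 0x07) == 0:
        return "OpenVPN"
    return "unknown"


def classify(port, proto, payload):
    return port_verdict(port, proto), dpi_verdict(payload, proto)


# Constructed samples: an OpenVPN client hard reset (opcode, 8-byte session id,
# empty ack list, packet id 0) and a truncated TLS ClientHello record.
OPENVPN_RESET = bytes([7 << 3]) + bytes(range(8)) + b"\x00" + struct.pack("!I", 0)
_hello = b"\x01" + (34).to_bytes(3, "big") + b"\x03\x03" + bytes(32)
TLS_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_hello)) + _hello

if __name__ == "__main__":
    for port, proto, pkt in [(1194, "udp", OPENVPN_RESET),
                             (443, "udp", OPENVPN_RESET),
                             (443, "tcp", TLS_HELLO)]:
        print(port, proto, classify(port, proto, pkt))
```

The second row is the case the article describes: moving OpenVPN to port #443 gets past the port check, but the payload still identifies it. Only traffic that opens like the third row passes both checks.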
Finding a stealth VPN
Where can you get a VPN with stealth? In recent years the arms race between streaming providers and other would-be VPN-blockers on one side, and VPN providers and users on the other, has heated up. As it does, stealth mode becomes a more common feature. A good example is Vypr’s Chameleon protocol, while other big providers like Nord provide previously-rare features like VPN over Tor to deliver multiple additional layers of encryption for obfuscation and security.
Best advice? As always, your mileage will differ and you need something that works for you. Grab a free trial of several different VPNs that offer stealth modes and try them all for your purposes, then you’ll know which is best for you.