Obfuscated VPN Server

Hi,
I created and started to run the OpenVPN and Wireguard VPN servers on my Slate Plus.

A few of my friends are using the server I created. One of my friends who is in a location where VPNs are blocked cannot use my VPN server. They cannot connect to the OpenVPN server at all and can connect to WireGuard, but the internet doesn’t work.

So, I wanted to know if/how we can run some form of obfuscated VPN server on GL.iNet routers. Any possibility of having OpenVPN Scramble, Obfsproxy, or anything like that to make the VPN connection undetectable, or at least harder to detect and block?

1 Like

Try running openvpn with TCP on port 443.

2 Likes

This works especially well if you use the port share feature and have a real website behind it.

No, obfuscation parameters are not supported yet. As for OpenVPN, it needs a specific patch to work.

I have had good luck running SoftEther as a VPN server on my AR300M using the SoftEther protocol on TCP port 443, and this seems to be very good at getting around VPN blocking. Not the easiest thing to set up, but it can be done.

3 Likes

When I tried to change the port to 443 to see if it helped, it said that it was being used! But I can’t find how/where it is used.
Any idea?
Edit: forgot to mention that I checked with commands in cmd and port 443 is not used by any software. So, I’m not sure what’s happening!

Openvpn binds to all ports by default, so use the local command so that the server only binds to the WAN side.

Thanks for this suggestion.
I installed and set up SoftEther on my Windows laptop to see how it works and could connect from other devices. So it’s working great on a computer.
However, I’m not sure how it can be set up on the router?

It is possible to install the SoftEther server using the SoftEther package softethervpn-server and its dependencies on a GL-AR300M with 128MB of flash. I am using the 4.x version of SoftEther and not the experimental 5.x code base. By default SoftEther writes log files and other temporary files to the same directory where the executable binary files are located, which can quickly wear out the flash memory, so I modified my install to put all the files needed for the SoftEther server into a RAM-based file system that is created and loaded at boot. This way the log and other files are written to RAM and not flash storage. It took me a while to work this out. It has been running for more than 18 months.

I was able to install the SoftEther client on my GL-AR750S-EXT with 128MB of flash. It is also a custom install that moves it into a RAM disk when I run it, to keep it from wearing out the flash storage.

2 Likes

Thank you so much, eric!
I could install Softether VPN on my router, and have another Windows client (through installing and using Softether Client) connect to the server on the router! This is great!

However, I couldn’t connect from a mobile device. To connect through the mobile device, I used the OpenVPN client program to connect to the server, but it couldn’t connect to it (from a location with restricted internet that inspects internet communication and blocks VPNs). I tried to find widely available software for SoftEther, like OpenVPN Connect, but there’s no such software.
So, I guess I should connect through OpenVPN but somehow obfuscate the communication? What’s the best thing to do to solve this issue in your opinion?

I have not seen a native SoftEther client for a phone. I have connected my phone via WiFi to my AR750S router, which is running the SoftEther client, which is connected to my SoftEther server.

1 Like

I see. I can use OpenVPN clients to connect if the internet is not restricted, but not otherwise. I’ll post here if I could make it work, and how.
Thanks again, eric.

You’ll need to set up OpenVPN as TCP on another port (e.g. 4443) then use firewall rules to forward WAN 443 to device 4443.

I tried your suggestion but it didn’t help. Did I do it wrong?:

Very much so.

Delete that rule asap and I’ll try to jump on and screen shot you something later.

1 Like

I see. I guessed so.
I’ll delete it and look forward to your screenshot.
Thanks.

So 1), sorry, I didn’t notice the right-hand side of your rule and don’t deal much with LuCI forwarding. I thought you were doing something very different (and very bad!). What you had was close to correct, though you need to specify TCP. You’re wanting something like the above, where 192.168.8.1 is whatever your router’s IP address is (what you did before is right) and 1194 is the internal (TCP!) port that you’re running OpenVPN on.

I suspect the problem is that OpenVPN does not run on TCP by default. You will have to change this in the configuration file, as there is no way to do it in GL.iNet’s GUI.

What you really want to do to be obfuscated is to run something like nginx with a dummy web server, then use OpenVPN’s port-share feature to pass traffic from the firewall to OpenVPN, and have it transparently pass non-OpenVPN traffic to the web server. So basically it looks like you’ve got a bog-standard web server to the outside world, but properly formatted VPN traffic works great.

Is it this complicated? I can see doing port forwarding if the OpenVPN server is operating on another device on the LAN side, but the idea of port forwarding from the WAN side of the router to a port on the LAN side of the same router, where the server is listening, is a configuration I’d never considered.

I thought you could just set up the OpenVPN server on the router on port 443, listening for TCP traffic on the WAN side.

That requires using local static.ip.address.or.ddns.address in the configuration, as well as the port and protocol, so that the server binds only to the WAN interface.

Then the client configuration specifies that protocol, etc:

client
dev tun
proto tcp
remote static.ip.or.ddns 443

If the VPN is being blocked on the client side, this looks like normal internet traffic unless they are inspecting packets, in which case nothing will work.
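Putting together the two suggestions made earlier in this thread (binding the server to the WAN address with the local directive, and hiding it behind a dummy web server with port-share), here is a server-side configuration as an added example. It is not from any post above and not GL.iNet's or OpenVPN's own config; 203.0.113.10 is a documentation address standing in for the router's WAN IP (a DDNS name works as well), the certificate and key paths are placeholders, and the nginx instance listening on 127.0.0.1:8443 is assumed to exist. It pairs with the client config posted above (proto tcp, remote <host> 443).

```conf
# Added example: OpenVPN server bound only to the WAN address, TCP 443,
# with non-OpenVPN connections handed to a local dummy web server.
# 203.0.113.10 stands in for the router's WAN IP or DDNS name (assumed);
# 127.0.0.1:8443 is where the assumed nginx instance listens.

dev tun
topology subnet

# Bind to the WAN address only, so the listener does not collide with
# services that sit on the LAN address (the HTTPS GUI, for example).
local 203.0.113.10
port 443
proto tcp-server

# VPN subnet handed out to clients (constructed value).
server 10.8.0.0 255.255.255.0

# Anything that connects to TCP 443 but does not start an OpenVPN
# handshake is proxied to the web server, so a probe of the port sees
# an ordinary web site while real clients still get the VPN.
port-share 127.0.0.1 8443

# Placeholder paths for the PKI material.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

With local set this way no firewall redirect is needed, which is the point made in the post above. If the bind still fails because the router's own HTTPS GUI already holds 443 on every address, as mentioned later in this thread, the other approach discussed here still applies: run OpenVPN on another TCP port and add a firewall redirect from WAN 443 to it. The client side is unchanged either way, since it only sees TCP 443.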

I believe either LuCI or the stock firmware listens on TCP 443 for HTTPS connections, hence the different port. In any event, I wouldn’t call that particularly complicated.

There is some way to bind OpenVPN to a specific interface, but I’ve never done it via the config file.