You may have heard the term ‘Stealth VPN’ being tossed around on a forum or review site, but you’re not quite sure what it means. In this article, you’ll learn:
- What the term ‘Stealth VPN’ means
- How ‘Stealth’ VPN technology works
- When & Why to use Stealth
- The best providers who offer a stealth VPN protocol
Let’s dive in.
What is a ‘Stealth’ VPN?
A ‘Stealth VPN’ is simply a VPN server or protocol that is able to disguise VPN traffic as regular web traffic, even when subjected to deep packet inspection by your network administrator or firewall.
The term ‘Stealth’ is borrowed from the popular term used to describe Air Force planes that are designed to be invisible to radar (such as the stealth B-2 Bomber). In the same way, a stealth VPN is designed to be hard to detect by firewalls and applications intended to block VPN traffic.
VPN-blocking firewalls are common in countries that restrict or censor access to the internet. Famous examples would be: Iran, Pakistan, Cuba, United Arab Emirates, and most famously… ‘The Great Firewall of China’.
A network administrator might also choose to block VPN access on a company/office or school network (in order to better monitor and control network activity).
By using a Stealth VPN, you can often evade these blocking techniques, and successfully create a VPN tunnel through the firewall.
How a ‘Stealth’ VPN works
Though the term ‘Stealth’ has caught on (mostly because it sounds cool), a more accurate description of the way the technology works would be ‘VPN Camouflage’. Essentially, a ‘Stealth’ VPN disguises VPN data packets as regular HTTP traffic (HTTPS to be specific).
Because HTTPS connections are essential for secure data transmission on the internet (passwords, credit card numbers, etc) even the most restrictive firewalls won’t attempt to block HTTPS packets. This is what makes stealth VPN technology so effective.
Regular HTTP traffic is what is sent to your computer every time you visit a website. That’s why the URL of a website is: http://www.thewebsite.com
You probably use the HTTPS protocol every day without realizing it. Any time you log in to your online bank account, credit card account, Facebook.com, etc… you’re using HTTPS encryption to make sure that someone sharing the same internet connection can’t steal your login/password information.
Just look for the ‘lock’ icon in your browser bar and an ‘https’ before the ‘www’ and you’ll know you’re using https.
Even Google uses https now 100% of the time, ensuring that your search history is fully encrypted.
A router or firewall can easily identify HTTPS traffic, because it always uses port #443. (You can think of data ports like channels on a TV. Different protocols or data types will use a different port so they can be routed correctly).
Stealth VPN technology uses this characteristic of HTTPS traffic (TLS encrypted data using port #443) to easily impersonate HTTPS data and slip through firewalls undetected.
How VPN data is transformed into ‘Stealth’ packets
This is the step-by-step process VPN providers use to create unblockable (or hard to block) VPN tunnels.
Step #1 – Start with regular OpenVPN encrypted data
A typical OpenVPN data packet consists of two parts:
- The Header – Which has packet identification and routing information
- The Payload – The encrypted portion of the data packet, which will be forwarded by the VPN server to the correct web address
The header includes information that can identify the source of a packet. This includes the port #. It also includes information that identifies the packet as OpenVPN data. We don’t want this.
Step #2 – Strip away the VPN data from the Header
A stealth VPN uses a technique called ‘Obfuscation’ to remove all meta data from the packet header that identifies the data as belonging to a VPN protocol.
It’s the same as if you were looking at a new TV but someone removed all the labels, branding, and serial numbers. It would be pretty hard to quickly determine who actually manufactured the TV you’re looking at.
Step #3 – Disguise the VPN data as HTTPs
Now that we’ve obfuscated the source of the packet, the final step is to cloak it (disguise it) as regular HTTPS encrypted web traffic. To do this, we will use the two prominent characteristics of https data.
First, we wrap the OpenVPN data packet in a 2nd layer of encryption, using the SSL or TLS protocol (the same type of encryption used by HTTPS).
Secondly, we assign the data to port #443 (the port # that is always used by HTTPS traffic).
With these two steps, the data packet is virtually indistinguishable from regular https data (from Facebook, Google, or any other site) and is nearly impossible to block.
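What a firewall sees at each stage of the steps above, as an added example that is not from the original article: a port-only filter next to a payload check on the first bytes a client sends. The sample packets, the one-byte XOR mask and all function names are constructed for illustration; the OpenVPN-over-TCP framing (2-byte length, opcode byte 0x38 on the client's first packet) and the TLS record header are the standard ones.

```python
import struct

# OpenVPN opcode carried in the first packet a client sends (hard reset, v2).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7

def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 3.x, then ClientHello (0x01)."""
    if len(data) < 6:
        return False
    rec_type, major, minor, rec_len = struct.unpack(">BBBH", data[:5])
    return (rec_type == 0x16 and major == 0x03 and minor <= 0x04
            and 4 <= rec_len <= 16384 and data[5] == 0x01)

def looks_like_openvpn_tcp(data: bytes) -> bool:
    """OpenVPN over TCP: 2-byte length, then one byte = opcode (5 bits) | key id (3 bits)."""
    if len(data) < 3:
        return False
    (pkt_len,) = struct.unpack(">H", data[:2])
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    return opcode == P_CONTROL_HARD_RESET_CLIENT_V2 and key_id == 0 and pkt_len >= 14

def classify_by_port(dst_port: int) -> str:
    """What a port-only filter concludes."""
    return "https" if dst_port == 443 else "other"

def classify_by_payload(data: bytes) -> str:
    """What deep packet inspection concludes from the first client bytes."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if looks_like_openvpn_tcp(data):
        return "openvpn"
    return "unknown"

# Constructed samples (not captured traffic).
# OpenVPN reset: opcode byte 0x38, 8-byte session id, empty ack list, packet id 0.
OPENVPN_RESET = struct.pack(">H", 14) + bytes([0x38]) + bytes(range(8)) + b"\x00" + bytes(4)
# TLS record header plus a stub handshake header (ClientHello, 4 filler bytes).
TLS_HELLO = b"\x16\x03\x01" + struct.pack(">H", 8) + b"\x01\x00\x00\x04" + bytes(4)
# Stand-in for step #2: the same OpenVPN bytes with a one-byte XOR mask applied.
MASKED_RESET = bytes(b ^ 0x5A for b in OPENVPN_RESET)

if __name__ == "__main__":
    for name, pkt in [("openvpn", OPENVPN_RESET), ("tls", TLS_HELLO), ("masked", MASKED_RESET)]:
        print(f"{name:8} port-only={classify_by_port(443):6} dpi={classify_by_payload(pkt)}")
```

All three samples pass the port-only check. The payload check separates them, and the masked packet is neither OpenVPN nor TLS, so a firewall that expects TLS on port 443 can still single it out.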
Other Stealth Protocols (Besides OpenVPN)
Most ‘Stealth’ VPN servers will typically use OpenVPN encryption, because OpenVPN offers the best combination of security, speed, and cross-platform compatibility.
But there is one other ‘Stealth’ protocol, known as SSTP (Secure Socket Tunneling Protocol). SSTP is only available on Windows machines (so not all VPN providers offer the SSTP protocol).
SSTP does have a significant advantage though; because it natively uses SSL encryption as its primary encryption algorithm, it is even harder to block because you can skip the first two steps (OpenVPN packet, Remove VPN header data). All that is required is to choose port #443 and SSTP works like a charm to evade firewall blocking attempts.
When to use a Stealth VPN
For some people, Stealth VPN technology is an absolute necessity. If you’re located in a country like UAE, Iran, or China, it may be difficult (or nearly impossible) to access certain websites without using a stealth-enabled VPN service. In some countries (like Iran) VPN usage is actually a crime, so making sure your VPN is undetectable is absolutely critical.
Many other people will choose Stealth VPN technology for reasons of personal privacy, or to avoid throttling (some firewalls won’t block VPN traffic but will slow it dramatically. Even major ISPs like mobile providers are known to do this).
Here are some example uses:
At School/University/Work (hide your VPN usage)
Many people choose to use a VPN on a school or work network in order to access websites that might be blocked by the network firewall (common examples would be Facebook, YouTube, or gaming sites).
The problem is, by using a VPN (which can be detected by the firewall) it raises the question of why you’re using a VPN in the first place. The answer? Stealth VPN. If you unblock websites using a stealth-enabled VPN service, your Network admin will be none the wiser and you won’t have to be called into an awkward meeting to explain what you’re using the VPN for.
To Prevent VPN Throttling
Some ISPs or networks throttle (slow down) VPN traffic. I’ve also noticed this issue a lot with on-demand internet services like when you buy internet access at a hotel. By using a stealth VPN server, you can avoid the throttling of your VPN packets and keep your speeds at the max.
For Extra Privacy
If you’d prefer that your internet provider (or even national spy agencies like the NSA) not know that you’re using a VPN, Stealth/Obfuscated VPN services are a great option.
Your VPN traffic will be mixed in with all the billions of other HTTPS data packets transmitted daily, and your ISP won’t have a clue. This technique will become increasingly popular, as more countries (including Australia and the UK) have been talking recently about the idea of banning encryption (ludicrous) or banning VPN usage (silly and dangerous, but possible).
The Best Stealth VPN Services (2016 edition)
Not all VPN providers go the extra mile to add stealth capabilities to their suite of VPN protocols. Moreover, some stealth implementations work much better than others at evading detection and firewall blocking. Here are some of our favorite companies that do offer obfuscated VPN protocols.
VPNac might be a company you’ve never heard of. That might be on purpose. They keep an incredibly low profile to keep attention away from their network, so they can continue to maximize the privacy of their active subscribers.
They’ve climbed near the top of our VPN privacy rankings, including ranking #1 for VPNs with best private/encrypted DNS servers. Their non-logging DNS servers mix all your DNS requests with millions of randomly generated DNS requests for maximum privacy.
VPNac is based in Romania, so they should be free of much of the governmental pressure facing VPN companies in the USA and western Europe. VPN.ac’s software is clean and functional, and even gives users custom control over the encryption strength and algorithm used.
Their ‘Stealth VPN’ protocol uses a technique called XOR obfuscation which is even strong enough to get through China’s ‘Great Firewall’. If it can do that, your office or ISP’s firewall should be cake.
VyprVPN is one of the premier VPN providers in the world, and they’ve developed their own proprietary stealth VPN protocol known as ‘Chameleon’ which allows for 256-bit OpenVPN encryption obfuscated and transmitted via TLS port 443.
It’s highly effective at evading firewalls, and is a top choice for users located in China, Iran, UAE, and Pakistan.
VyprVPN’s best feature may well be their outstanding custom VPN software, available for all major platforms including Windows, Mac, iOS, and Android devices. They built in custom features like ‘Smart’ VPN connection rules, dual VPN Kill-switch, NAT protection, VPN bandwidth monitor, and more. For full details, read our in-depth VyprVPN Review
Torguard decided to create dedicated ‘Stealth’ VPN servers (as opposed to a special VPN protocol) which makes their stealth technology accessible from any device or platform, including mobile.
Torguard claims success in circumventing even infamous country-wide firewalls like the ‘Great Firewall of China’.
Torguard is a popular choice among p2p/filesharing enthusiasts because of their ‘No-Logs’ policy and anonymous proxy service, but they’re also a great all-around choice even if you’re just interested in general VPN security. Torguard also has excellent speeds, and was capable of 4k video streaming in our speed tests.
Torguard is relatively affordable as VPNs go, with annual plans costing only $4.99/month.
Proxy.sh (Hardcore TOR Obfuscation)
Proxy.sh doesn’t have a dedicated stealth protocol, but they do provide detailed instructions in their knowledge-base showing subscribers how to create their own stealth protocol using Obfsproxy (an obfuscation technology run by the Tor Project).
Essentially, this technique will wrap your VPN traffic in multiple layers of Tor SSH encryption, making it virtually impossible to block.
Proxy.sh is one of the only VPN providers that offers VPN-over-Tor technology.
SwitchVPN is one of the few VPN providers that offers the SSTP protocol, which is natively designed to look like regular SSL/HTTPS traffic. SSTP is an excellent stealth technology, with the one limitation that it is mostly supported only within the Windows OS.
This means SSTP is really only an option if you’re connecting on a Windows machine. If you often use a Mac, you’ll want to choose a different stealth protocol.
By using ‘Stealth’ VPN encryption, you can easily bypass most firewalls, even those that utilize Deep Packet Inspection to identify and block VPN traffic.
There are two primary stealth protocols:
- OpenVPN – The most popular choice, and supported on all platforms. Usually OpenVPN stealth mode will obfuscate the packet headers and wrap each data packet in SSL or TLS encryption to disguise it as regular HTTPS traffic, using port #443. More advanced stealth techniques can also use XOR or Obfsproxy.
- SSTP – This VPN protocol natively uses SSL encryption, and is easily disguised as HTTPS traffic. It is supported on all Windows platforms but has little support on other platforms.
Choose stealth when you want your VPN usage to go undetected by network admins (like at work, school, or college). The other common usage is to get through firewalls that attempt to block common VPN ports and protocols.
Featured Image Credit: Flyover B-2 Spirit by prayitnophotography on Flickr under CC License 2.0. Modified from original.