You may have heard the terms ‘Stealth VPN’ or ‘obfuscation’ being tossed around on a forum or review site, but you’re not quite sure what it means. In this article, you’ll learn:
- What the term ‘Stealth VPN’ means
- How ‘Stealth’ and other VPN obfuscation technology works
- When & Why to use Stealth
- The best providers who offer a stealth VPN protocol
Let’s dive in.
What is a ‘Stealth’ VPN?
A ‘Stealth VPN’ is simply a VPN server or protocol that is able to disguise VPN traffic as regular web traffic, even when subjected to deep packet inspection by your network administrator or firewall.
The term ‘Stealth’ is borrowed from the popular term used to describe Air Force planes that are designed to be invisible to radar (such as the stealth B-2 bomber). In the same way, a stealth VPN is designed to be hard to detect by firewalls and applications intended to block VPN traffic.
This is usually achieved by using some form of ‘obfuscation’ technology. To obfuscate simply means ‘to make obscure or unclear’.
Why use obfuscation?
Why you might use a Stealth VPN:
- Avoid throttling by your ISP
- Unblock websites at school or work
- Circumvent censorship (‘Great Firewall of China’)
- Streaming from sites that block VPNs (e.g. Netflix)
Throttling: Some ISPs throttle certain network traffic, including HD video and p2p file-sharing protocols. A VPN can help circumvent throttling, but what if your ISP also throttles VPN usage? By hiding your VPN usage you may be able to restore full speeds.
Unblock sites at school/work: A network administrator might also choose to block VPN access on a company/office or school network (in order to better monitor and control network activity). These firewalls frequently try to block VPNs as well. If you disguise (obfuscate) your VPN traffic as regular SSL traffic you can avoid the blockade.
Censorship: VPN-blocking firewalls are common in countries that restrict or censor access to the internet. Famous examples would be: Iran, Pakistan, Cuba, United Arab Emirates, and most famously, ‘The Great Firewall of China’.
Streaming: Video streaming sites like Netflix, HBO Max, Disney+ and Hulu are working hard to block VPN usage on their services. Obfuscation may avoid their VPN-detection methods.
How a ‘Stealth’ VPN works
Though the term ‘Stealth’ has caught on (mostly because it sounds cool), a more accurate description of the way the technology works would be ‘VPN Camouflage’.
Essentially, a ‘Stealth’ VPN disguises VPN data packets as regular HTTP traffic (HTTPS to be specific).
Because HTTPS connections are essential for secure data transmission on the internet (passwords, credit card numbers, etc) even the most restrictive firewalls won’t attempt to block HTTPS packets. This is what makes stealth VPN technology so effective.
Regular HTTP traffic is what is sent to your computer every time you visit a website. That’s why the URL of a website is: http://www.thewebsite.com
You probably use the HTTPS protocol every day without realizing it. Any time you login to your online bank account, credit card account, Facebook.com, etc… you’re using HTTPS encryption to make sure that someone sharing the same internet connection can’t steal your login/password information.
Just look for the ‘lock’ icon in your browser bar and an ‘https’ before the ‘www’ and you’ll know you’re using https.
Even Google uses HTTPS now 100% of the time, ensuring that your search history is fully encrypted.
A router or firewall can easily identify HTTPS traffic, because it always uses port #443. (You can think of data ports like channels on a TV. Different protocols or data types will use a different port so they can be routed correctly).
Stealth VPN technology uses this characteristic of HTTPS traffic (TLS encrypted data using port #443) to easily impersonate HTTPS data and slip through firewalls undetected.
How your data is converted to ‘stealth’ packets
This is the step-by-step process VPN providers use to create un-blockable (or hard-to-block) VPN tunnels.
Step #1 – Start with regular OpenVPN encrypted data
A typical OpenVPN data packet consists of two parts:
- The Header – Which has packet identification and routing information
- The Payload – The encrypted portion of the data packet, which will be forwarded by the VPN server to the correct web address
The header includes information that can identify the source of a packet. This includes the port #. It also includes information that identifies the packet as OpenVPN data. We don’t want this.
Step #2 – Strip away the VPN data from the Header
A stealth VPN uses a technique called ‘Obfuscation’ to remove all metadata from the packet header that identifies the data as belonging to a VPN protocol.
It’s the same as if you were looking at a new TV but someone removed all the labels, branding, and serial numbers. It would be pretty hard to quickly determine who actually manufactured the TV you’re looking at.
Step #3 – Disguise the VPN data as HTTPS
Now that we’ve obfuscated the source of the packet, the final step is to cloak it (disguise it) as regular HTTPS encrypted web traffic. To do this, we will use the two prominent characteristics of https data.
First, we wrap the OpenVPN data packet in a 2nd layer of encryption, using the SSL or TLS protocol (the same type of encryption used by HTTPS).
Secondly, we assign the data to port #443 (the port # that is always used by HTTPS traffic).
With these two steps, the data packet is virtually indistinguishable from regular HTTPS data (from Facebook, Google, or any other site) and is nearly impossible to block.
Other Obfuscation Methods
There are several other obfuscated protocols, with varying levels of support among mainstream VPNs. They range from simple and efficient (XOR) to slower but extremely effective (obfsproxy).
Here’s an overview of the best obfuscation technologies (and supported VPN services).
OpenVPN Scramble (XOR)
OpenVPN Scramble is an ‘unofficial’ patch to the OpenVPN library that uses an XOR cipher to disguise VPN traffic. XOR is a substitution cipher that is extremely efficient (minimal speed loss) while being quite effective. In fact, most malware is camouflaged with XOR (a testament to its effectiveness).
XOR’s encryption is rather simplistic so while it will get around average firewalls (like your office), it probably won’t work in China, or possibly even your ISP’s high-end packet inspection.
Supported Clients: Tunnelblick.
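To make the header fingerprint from Step #1 and the XOR caveat above concrete, here is an added example (not from the original article or any VPN provider's code) of what a simple inspection rule sees in the first packet of a connection. The packets, the key and the plain repeating-key mask are constructed for illustration, assuming an OpenVPN client hello over UDP without tls-auth; the real Scramble patch may mask data differently.

```python
import struct

HARD_RESET_CLIENT_V2 = 7  # OpenVPN opcode; lives in the high 5 bits of byte 0
# Bytes of an OpenVPN/UDP client hello (no tls-auth) that never change:
# opcode|key_id at offset 0, empty ACK array at 9, packet id 0 at 10..13.
KNOWN = {0: HARD_RESET_CLIENT_V2 << 3, 9: 0, 10: 0, 11: 0, 12: 0, 13: 0}

def openvpn_hello(session_id: bytes) -> bytes:
    """Constructed sample packet: opcode byte, 8-byte session id, ACK count, packet id."""
    return bytes([KNOWN[0]]) + session_id + b"\x00" + struct.pack(">I", 0)

def tls_record(body: bytes) -> bytes:
    """Constructed TLS handshake record: type 0x16, version 3.1, 2-byte length."""
    return b"\x16\x03\x01" + struct.pack(">H", len(body)) + body

def classify(payload: bytes) -> str:
    """First-payload check of the kind a basic DPI rule performs (simplified)."""
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 3 and payload[2] <= 4:
        return "tls"
    if len(payload) == 14 and all(payload[i] == v for i, v in KNOWN.items()):
        return "openvpn"
    return "unknown"

def xor_mask(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, assumed here as the simplest form of 'scramble'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def implied_mask(payload: bytes) -> dict:
    """Key bytes implied by XORing the payload with the known plaintext bytes."""
    if len(payload) != 14:
        return {}
    return {i: payload[i] ^ v for i, v in KNOWN.items()}

def shares_static_mask(a: bytes, b: bytes) -> bool:
    """Two first packets that imply the same non-zero mask share one static key."""
    m = implied_mask(a)
    return bool(m) and any(m.values()) and m == implied_mask(b)

if __name__ == "__main__":
    key = b"k3y!"                                    # constructed key
    flow_a = xor_mask(openvpn_hello(bytes(range(8))), key)
    flow_b = xor_mask(openvpn_hello(b"\xaa" * 8), key)
    print(classify(openvpn_hello(bytes(range(8)))))  # plain header against the rule
    print(classify(flow_a))                          # masked header against the rule
    print(shares_static_mask(flow_a, flow_b))        # mask comparison across two flows
```

The masked hello no longer matches the OpenVPN rule, yet every connection scrambled with the same key implies the same mask bytes at the fixed header offsets, which is the kind of regularity more capable packet inspection can key on.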
Obfsproxy is a technology pioneered by the Tor Project. It was originally conceived as a method to make Tor more firewall-resistant but it can also be implemented as an OpenVPN wrapper to disguise the traffic as HTTP.
According to the official site:
“Pluggable Transports (PT) transform the [VPN] traffic flow between the client and the bridge. This way, censors who monitor traffic between the client and the bridge will see innocent-looking transformed traffic instead of the actual [VPN] traffic.” – Tor Project
Unfortunately, we don’t know of any VPN providers that currently build Obfsproxy into their software. Instead, you have to implement it yourself.
Supported VPNs: None
ShadowSocks is a similar technology to Obfsproxy. It is simpler to implement and has faster speeds than Obfsproxy. The downside is it is still vulnerable to ‘Active Probing’, which is a technique used by China’s firewall.
Shadowsocks is starting to get mainstream VPN support, and Private Internet Access now has it built into their desktop client.
Supported VPNs: Private Internet Access
There is one other ‘Stealth’ protocol, known as SSTP (Secure Socket Tunneling Protocol). SSTP is only available on Windows machines (so not all VPN providers offer the SSTP protocol).
SSTP does have a significant advantage though: because it natively uses SSL encryption as its primary encryption algorithm, it is even harder to block because you can skip the first two steps (OpenVPN packet, Remove VPN header data). All that is required is to choose port #443 and SSTP works like a charm to evade firewall blocking attempts.
When to use a Stealth VPN
For some people, Stealth VPN technology is an absolute necessity. If you’re located in a country with internet restrictions like: UAE, Iran, or China, it may be difficult (or nearly impossible) to access certain websites without using a stealth-enabled VPN service. In some countries (like Iran) VPN usage is actually a crime, so making sure your VPN is undetectable is absolutely critical.
Many other people will choose Stealth VPN technology for reasons of personal privacy, or to avoid throttling (some firewalls won’t block VPN traffic but will slow it dramatically; even major ISPs like mobile providers are known to do this).
Here are some example uses:
At School/University/Work (hide your VPN usage)
Many people choose to use a VPN on a school or work network in order to access websites that might be blocked by the network firewall (common examples would be Facebook, YouTube, or gaming sites).
The problem is, by using a VPN (which can be detected by the firewall) it raises the question of why you’re using a VPN in the first place. The answer? Stealth VPN. If you unblock websites using a stealth-enabled VPN service, your Network admin will be none the wiser and you won’t have to be called into an awkward meeting to explain what you’re using the VPN for.
To Prevent VPN Throttling
Some ISPs or networks throttle (slow down) VPN traffic. I’ve also noticed this issue a lot with on-demand internet services like when you buy internet access at a hotel. By using a stealth VPN server, you can avoid the throttling of your VPN packets and keep your speeds at the max.
For Extra Privacy
If you’d prefer that your internet provider (or even national spy agencies like the NSA) not know that you’re using a VPN, Stealth/Obfuscated VPN services are a great option.
Your VPN traffic will be mixed in with all the billions of other HTTPS data packets transmitted daily, and your ISP won’t have a clue. This technique will become increasingly popular, as more countries (including Australia and the UK) have been talking recently about the idea of banning encryption (ludicrous) or banning VPN usage (silly and dangerous, but possible).
The Best Stealth VPNs in 2020
Not all VPN providers go the extra mile to add stealth capabilities to their suite of VPN protocols. Moreover, some stealth implementations work much better than others at evading detection and firewall blocking. Here are some of our favorite companies that do offer obfuscated VPN protocols.
NordVPN has dedicated obfuscated servers, designed to get through even the toughest firewalls. NordVPN’s support videos specifically mention China as a use-case.
They’re a bit secretive about the exact method used, but it’s likely either Obfsproxy or an SSL wrapper on OpenVPN traffic.
Enabling stealth-mode is as easy as connecting to one of Nord’s special-use server locations. In our testing speeds were fine but not outstanding. Enhanced privacy does come at a cost. They also have double-encryption servers if you want even more security.
VyprVPN is one of the premier VPN providers in the world, and they’ve developed their own proprietary stealth VPN protocol known as ‘Chameleon’ which allows for 256-bit OpenVPN encryption obfuscated and transmitted via TLS port 443.
It’s highly effective at evading firewalls, and is a top choice for users located in China, Iran, UAE, and Pakistan.
VyprVPN’s best feature may well be their outstanding custom VPN software, available for all major platforms including Windows, Mac, iOS, and Android devices. They built in custom features like ‘Smart’ VPN connection rules, dual VPN Kill-switch, NAT protection, VPN bandwidth monitor, and more. For full details, read our in-depth VyprVPN Review
Torguard decided to create dedicated ‘Stealth’ VPN servers (as opposed to a special VPN protocol) which makes their stealth technology accessible from any device or platform, including mobile.
Torguard claims success in circumventing even infamous country-wide firewalls like the ‘Great Firewall of China’.
Torguard is a popular choice among p2p/filesharing enthusiasts because of their ‘No-Logs’ policy and anonymous proxy service, but they’re also a great all-around choice even if you’re just interested in general VPN security. Torguard also has excellent speeds, and was capable of 4k video streaming in our speed tests.
Torguard is relatively affordable as VPNs go, with annual plans costing only $4.99/month.
IPVanish is one of our top-rated VPNs, in part because they offer nearly every feature you could want, like a stealth protocol.
IPVanish opted to go with the XOR scramble, prioritizing speed over unblockability. It works well in our testing and speeds are great when ‘scramble’ mode is enabled. We were successfully able to circumvent video throttling on Verizon Fios and Spectrum internet using IPVanish.
They’re also testing Wireguard as an additional protocol which may bring more obfuscation options in the future.
5. Other VPNs
There are several other VPN services with obfuscated protocols and servers. Here is an up-to-date list of the best options:
- ExpressVPN: Obfuscated servers, much like NordVPN
- VPN.AC: XOR Scramble
- StrongVPN: XOR Scramble
By using ‘Stealth’ VPN encryption, you can easily bypass most firewalls, even those that utilize Deep Packet Inspection to identify and block VPN traffic.
There are two primary stealth protocols:
- OpenVPN – The most popular choice, and supported on all platforms. Usually OpenVPN stealth mode will obfuscate the packet headers and wrap each data packet in SSL or TLS encryption to disguise it as regular HTTPS traffic, using port #443. More advanced stealth techniques can also use XOR or Obfsproxy.
- SSTP – This VPN protocol natively uses SSL encryption, and is easily disguised as HTTPS traffic. It is supported on all Windows platforms but has little support on other platforms.
Choose stealth when you want your VPN usage to go undetected by network admins (like at work, school, or college). The other common usage is to get through firewalls that attempt to block common VPN ports and protocols.
Featured Image Credit: Flyover B-2 Spirit by prayitnophotography on Flickr under CC License 2.0. Modified from original.