
OpenVPN-over-WebSocket-CDN

Bypass ISP throttling and DPI by tunneling OpenVPN UDP traffic over WebSocket with Host Header spoofing through major CDN networks (CloudFront / Cloudflare / Akamai).



What It Does

Many ISPs throttle or block VPN traffic using Deep Packet Inspection (DPI). OpenVPN-over-WebSocket-CDN wraps OpenVPN UDP inside a WebSocket connection with a spoofed Host header, routing traffic through major CDN edge networks (CloudFront, Cloudflare, or Akamai). To any firewall or DPI system, the traffic looks like a legitimate WebSocket upgrade to a CDN-hosted domain.

Result: Full OpenVPN speed and privacy, even on heavily restricted networks — including campus, corporate, and ISP-level DPI systems.


Why WebSocket + CDN over plain SNI Tunneling?

Technique | How DPI sees it | Weakness
Raw OpenVPN UDP | UDP to known IP:1194 | Easily fingerprinted and blocked
TLS/SNI tunnel | TLS to spoofed SNI domain | IP-based blocking still possible; no CDN relay
WebSocket + CDN (this project) | WebSocket upgrade to trusted CDN domain | CDN IP ranges are whitelisted by most ISPs

The CDN relay is the key upgrade: your traffic exits through Cloudflare, AWS CloudFront, or Akamai edge nodes — IP ranges that ISPs almost never block because doing so would break huge portions of the internet.


Architecture Overview

[Android App]
    └─► OpenVPN (UDP config)
          └─► Tunnel client (WebSocket encapsulation)
                └─► Host: <CDN-hosted domain> (spoofed Host header)
                      └─► CDN Edge Node (CloudFront / Cloudflare / Akamai)
                            └─► [Your VPS — tunnel server]
                                  └─► OpenVPN server (UDP)

The Host header names a real domain served by the CDN. The CDN routes the connection to your origin VPS. ISP DPI sees only a standard WebSocket handshake to a CDN IP — indistinguishable from normal app traffic.


Features

Feature | Description
Anti-DPI | OpenVPN UDP traffic hidden inside WebSocket frames
CDN Relay | Traffic exits via CloudFront / Cloudflare / Akamai IP ranges (rarely blocked)
Host Header Spoofing | Appears as a WebSocket upgrade to a trusted CDN domain
HTTP/HTTPS support | Works on port 80 (ws://) and port 443 (wss://)
Domain Fronting | CDN routes by Host header — survives SNI-based filtering
Double Encryption | WebSocket TLS layer on top of OpenVPN native encryption
No Root Required | Runs entirely in Android user-space
Full OpenVPN speed | Preserves all OpenVPN performance and DNS privacy

Requirements

  • Android: 7.0 or higher
  • VPS: Ubuntu 20.04+, public IP, port 80 and/or 443 open, OpenVPN server running on UDP
  • CDN: Domain registered and proxied through CloudFront, Cloudflare, or Akamai
  • Apps:
      • OpenVPN for Android (Play Store / F-Droid)
      • Tunnel client APK from Releases

Quick Start

1. CDN Setup

Point a domain (or subdomain) at your VPS IP using CloudFront, Cloudflare proxy, or Akamai. Make sure the CDN passes WebSocket upgrades to your origin.

Cloudflare example:

  • DNS A record: tunnel.yourdomain.com → your VPS IP, Proxied (orange cloud)
  • SSL/TLS mode: Full
  • WebSockets: Enabled (Network tab)

2. Server Setup

chmod +x setup-server.sh && ./setup-server.sh

Configures the WebSocket tunnel server on port 80 (and optionally 443), forwarding decapsulated OpenVPN UDP to the local OpenVPN server.

3. Android Setup

  1. Install OpenVPN for Android
  2. Install tunnel-client.apk from the Releases page
  3. Import openvpn.ovpn into OpenVPN (endpoint points to loopback)
  4. Configure the tunnel client (see tunnel.conf template in configs/)
  5. Start tunnel client first, then connect OpenVPN

4. Verify

Check your public IP — you should see your VPS IP, confirming OpenVPN is active.


Host Header Presets

These are real CDN-hosted domains. The Host header tells the CDN which origin to route to; your own domain sits behind the same CDN so routing works correctly.

Host Header Domain | CDN | Use Case
support.appsflyer.com | Cloudflare | Default — general use
d1qq0afxwtfi6m.cloudfront.net | AWS CloudFront | Campus / corporate networks
ms.mw.cloud.front.net | Azure CDN | Microsoft-whitelisted environments
a104-98-96-10.deploy.static.akamaitechnologies.com | Akamai | Enterprise ISPs
zoom.us | Cloudflare | Video-call whitelisted networks

Custom host headers can be set in the tunnel client config file. The domain must resolve to the same CDN you are routing through.


Traffic Flow (Packet-Level)

Android OpenVPN → UDP loopback
    ↓
Tunnel client encapsulates in WebSocket frame
    ↓
TCP to CDN IP:80 (or :443)
Host: support.appsflyer.com        ← ISP/DPI sees this
Upgrade: websocket
    ↓
CDN edge node routes to your VPS (by Host header)
    ↓
Tunnel server strips WebSocket framing
    ↓
UDP → OpenVPN server (local)       ← decrypts and forwards traffic

ISP DPI sees: TCP → [CDN IP]:80, Host: support.appsflyer.com, Upgrade: websocket
Actual payload: Encrypted OpenVPN frames inside WebSocket binary frames.
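
Seen from the monitoring side, the flow above means that on ws:// (port 80), or wherever wss:// is terminated and inspected, the WebSocket binary frames can be parsed and their payloads checked for OpenVPN's leading opcode byte. The Python below is an added example, not code from this project: it assumes each binary frame carries one unmodified OpenVPN UDP datagram, and the function names, the `ws_frame` helper and both sample streams are constructed for illustration.

```python
# OpenVPN opcode = upper 5 bits of a packet's first byte (lower 3 bits: key_id).
OPENVPN_OPCODES = {
    4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2", 10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

def parse_ws_frames(stream):
    """Yield (opcode, unmasked payload) for each complete RFC 6455 frame."""
    pos = 0
    while len(stream) - pos >= 2:
        opcode = stream[pos] & 0x0F
        masked = bool(stream[pos + 1] & 0x80)
        length, hdr = stream[pos + 1] & 0x7F, 2
        if length >= 126:                      # 16- or 64-bit extended length
            ext = 2 if length == 126 else 8
            if len(stream) - pos < hdr + ext:
                return
            length = int.from_bytes(stream[pos + hdr:pos + hdr + ext], "big")
            hdr += ext
        body = pos + hdr + (4 if masked else 0)
        if body + length > len(stream):
            return                             # truncated capture: stop cleanly
        payload = stream[body:body + length]
        if masked:                             # client-to-server frames are masked
            key = stream[pos + hdr:body]
            payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
        yield opcode, payload
        pos = body + length

def openvpn_in_websocket(stream, min_frames=2):
    """Heuristic: (flag, opcode names) over the binary frames of one client stream."""
    names = [OPENVPN_OPCODES.get(p[0] >> 3)
             for op, p in parse_ws_frames(stream) if op == 0x2 and p]  # 0x2 = binary
    flag = (len(names) >= min_frames and None not in names
            and names[0].startswith("P_CONTROL_HARD_RESET_CLIENT"))
    return flag, names

def ws_frame(payload, key=b"\x11\x22\x33\x44"):
    """Build one masked binary frame; used only for the constructed samples."""
    n = len(payload)
    head = bytes([0x82, 0x80 | n]) if n < 126 else bytes([0x82, 0xFE]) + n.to_bytes(2, "big")
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))

# Constructed samples (not captured traffic): tunnel-like stream vs. ordinary app data.
TUNNEL = (ws_frame(b"\x38" + bytes(8) + b"\x00" + bytes(4))                 # hard reset
          + ws_frame(b"\x20" + bytes(8) + b"\x00" + bytes(4) + bytes(200))  # control
          + ws_frame(b"\x48" + bytes(3) + bytes(64)))                       # data v2
BENIGN = ws_frame(b"\x0a\x05hello") + ws_frame(b"\x92\x01\x02")
```

The check is a heuristic on a single byte per frame, so it is best combined with other signals such as session duration and a Host header that does not match the application normally seen on that client.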


Direct VPS Mode (No CDN)

If you skip the CDN, point the tunnel client directly at your VPS IP or domain. The CDN relay step is removed:

Client → WebSocket → VPS → OpenVPN server

Simpler setup and lower latency, but your VPS IP is visible to DPI and can be blocked. Good for ISPs with only basic traffic filtering.


Troubleshooting

Issue | Fix
WebSocket connection refused | Check CDN WebSocket passthrough is enabled; try port 443
301 redirect loop | CDN SSL mode set to "Flexible" — change to "Full"
Frequent drops | Switch Host to a more stable CDN domain (e.g. CloudFront subdomain)
High latency | Choose a CDN with an edge node close to your location; move VPS closer
Tunnel client won't start | Disable OpenVPN first; re-grant VPN permissions
ISP still blocking | Try port 443 (wss://); rotate Host header to a different CDN domain
101 Switching Protocols but no traffic | Verify tunnel server UDP forward reaches OpenVPN server port

Project Structure

openvpn-over-ws-cdn/
├── README.md
├── ARCHITECTURE.md             ← Detailed architecture & data flow
├── setup-server.sh             ← VPS setup script
├── configs/
│   ├── openvpn.ovpn            ← OpenVPN config template
│   └── tunnel.conf             ← Tunnel client config template
└── releases/
    └── tunnel-client.apk       ← Bundled Android tunnel client

Differences from SNI Tunnel Version

Aspect | SNI Tunnel | WebSocket + CDN (this project)
Transport | TLS with spoofed SNI | WebSocket with spoofed Host header
Relay | Direct to VPS | Via CDN edge (CloudFront/Cloudflare/Akamai)
IP blocking resistance | Moderate | High (CDN IPs are globally whitelisted)
Port | 443 | 80 or 443
ISP fingerprinting | TLS ClientHello SNI | HTTP Upgrade headers
Setup complexity | Low | Medium (CDN setup required)

License

Server-side components: MIT License
Tunnel client APK: Proprietary — personal, non-commercial use only


Use only where permitted by local laws and your ISP's terms of service.
Source: README.md, updated 2026-06-12