OpenVPN running over port 443 is generally going to be using a CA that is not a public CA, and issues certificates directly rather than through an intermediate.
Even if you tunnel something over normal TLS, the type of traffic can potentially be determined by analyzing how much data flows in which direction and when.
If circumvention is seen as too widely spread, Uganda may simply decide that all TLS traffic leaving the country must be intercepted by a MitM proxy, and require everyone to trust their CA.
I'm sure there are plenty of companies that would be happy to get the contract to provide this service.
These blocks can often be circumvented by methods that do not scale, but if only tech-savvy people who can afford to run their own VPN server on a VPS somewhere can circumvent the block, it's "mission accomplished".
Normal TLS handshakes over TCP typically look very similar, so if OpenVPN did those, it would be tough. But OpenVPN's TCP mode is basically just a TCP encapsulation of the UDP mode messages, and even with the new tls-crypt option enabled, the packets still contain unencrypted parts that could easily identify them as OpenVPN traffic.
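To make the point above concrete, here is an added example (not code from the thread or from the OpenVPN project) showing why a passive classifier can tell OpenVPN TCP mode apart from a real TLS session on port 443 after one packet. It assumes the documented OpenVPN TCP framing: a 2-byte big-endian length, then one byte holding the opcode in the high 5 bits and key_id in the low 3 bits, with P_CONTROL_HARD_RESET_CLIENT_V2 = 7 and P_CONTROL_HARD_RESET_SERVER_V2 = 8; that opcode byte stays in cleartext even with tls-crypt. The sample payloads are constructed, not captured.

```python
"""Classify the first TCP payload of a port-443 connection (added example, not project code)."""

# OpenVPN control-channel opcodes that open a session (values from the OpenVPN protocol).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03xx, then handshake type 0x01."""
    return (
        len(data) >= 6
        and data[0] == 0x16
        and data[1] == 0x03
        and data[2] <= 0x03
        and data[5] == 0x01
    )


def parse_openvpn_tcp_header(data: bytes):
    """Return (declared_length, opcode, key_id) for OpenVPN-over-TCP framing, or None."""
    if len(data) < 3:
        return None
    declared_length = int.from_bytes(data[0:2], "big")
    # The length prefix covers everything after itself; a real first packet is short.
    if declared_length < 1 or declared_length > len(data) - 2:
        return None
    opcode = data[2] >> 3      # high 5 bits
    key_id = data[2] & 0x07    # low 3 bits, always 0 on the first hard reset
    return declared_length, opcode, key_id


def classify_port443_payload(data: bytes) -> str:
    """Rough DPI-style verdict on the first client->server payload of a connection."""
    # Check TLS first: 0x16 0x03 would otherwise parse as an OpenVPN length of 5635.
    if looks_like_tls_client_hello(data):
        return "tls-clienthello"
    header = parse_openvpn_tcp_header(data)
    if header is not None:
        _, opcode, key_id = header
        if opcode in (P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2) and key_id == 0:
            return "openvpn-control-reset"
    return "unknown"


# Constructed samples (not real captures).
# A minimal TLS 1.0-framed ClientHello record header followed by a handshake header.
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
# OpenVPN TCP hard reset from a client without tls-auth: length 14, opcode byte 0x38 (7 << 3),
# 8-byte session id, 0-length ack array, 4-byte packet id.
SAMPLE_OPENVPN = b"\x00\x0e\x38" + bytes(range(8)) + b"\x00" + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, payload in (("tls", SAMPLE_TLS), ("openvpn", SAMPLE_OPENVPN)):
        print(name, "->", classify_port443_payload(payload))
```

The opcode byte is the cheapest signal, but it is not the only one: even the tls-crypt header keeps an 8-byte session id and a packet id in the clear, so a classifier that wanted more confidence could check that the session id repeats on subsequent packets of the same connection.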
As far as I can tell, if you're looking for your TCP port 443 traffic to look just like normal web traffic, you'll need to use a different protocol.
In which case you start using stego. All you need is a tunnel to the "free world". Good luck trying to figure out whether someone's packets are saying what they're actually saying, or something else.
There is a hidden message in the above paragraph. ;-)
Have a look at https://www.cs.tufts.edu/comp/116/archive/fall2016/ctang.pdf - it talks about GFW using machine learning with flow analysis to do this.
Tools like obfsproxy for OpenVPN can help.
It's probably easier to just block all AWS/Azure/Linode/DigitalOcean/etc. blocks.
If you end up with this sort of data configuration in China, you'll be having a bad time using it for anything performance-sensitive. Good enough for email though, I bet.
Nothing preventing you from using Let's Encrypt.
>Even if you tunnel something over normal TLS, the type of traffic can potentially be determined by analyzing how much data flows in which direction and when.
True, but only if you're doing packets-over-TCP. If you think beyond a VPN, like an HTTPS proxy (HTTP proxy, but over TLS), it's indistinguishable from regular HTTPS traffic.
Encapsulated TCP SYN packets, for example, smaller than any HTTP request inside TLS would be.
Want to beat that by padding? Everything always being the same size is an anomaly too.
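The two signals in the reply above (outbound TLS records too small to be an HTTP request, and records that are all the same size because of padding) can be scored from nothing but record sizes and directions. This is an added example, not code from the thread; the thresholds and the three sample flows are constructed assumptions chosen to illustrate the idea, not measurements.

```python
"""Size-only flow analysis over TLS record lengths (added example, constructed data)."""
from collections import Counter
from typing import List, Tuple

# (direction, tls_record_length); "out" is client->server, "in" is server->client.
Record = Tuple[str, int]

# Assumed thresholds: an HTTP request inside TLS is rarely under ~100 bytes,
# while an encapsulated TCP SYN or bare ACK is far smaller.
MIN_PLAUSIBLE_REQUEST = 100
SMALL_FRACTION_THRESHOLD = 0.3   # this share of tiny outbound records is suspicious
UNIFORM_FRACTION_THRESHOLD = 0.9  # one size dominating this much suggests padding
MIN_RECORDS_FOR_UNIFORMITY = 10


def small_outbound_fraction(records: List[Record]) -> float:
    """Share of client->server records smaller than any plausible HTTP request."""
    out = [n for d, n in records if d == "out"]
    if not out:
        return 0.0
    return sum(1 for n in out if n < MIN_PLAUSIBLE_REQUEST) / len(out)


def dominant_size_fraction(records: List[Record]) -> float:
    """Share of all records that have the single most common length."""
    if not records:
        return 0.0
    _, count = Counter(n for _, n in records).most_common(1)[0]
    return count / len(records)


def flow_verdict(records: List[Record]) -> str:
    """Flag padded-uniform flows first, then flows full of tiny outbound records."""
    if len(records) >= MIN_RECORDS_FOR_UNIFORMITY and dominant_size_fraction(records) >= UNIFORM_FRACTION_THRESHOLD:
        return "uniform-size-anomaly"
    if small_outbound_fraction(records) >= SMALL_FRACTION_THRESHOLD:
        return "small-record-anomaly"
    return "looks-like-https"


# Constructed flows (not captures). Ordinary browsing: a few mid-sized requests, full-size responses.
HTTPS_BROWSING: List[Record] = [
    ("out", 517), ("in", 1460), ("in", 1460), ("in", 1460),
    ("out", 300), ("in", 1460), ("in", 1460), ("in", 1460), ("in", 1460), ("in", 1460),
    ("out", 250), ("in", 900),
    ("out", 280), ("in", 1200),
]
# Tunnelled TCP inside TLS: encapsulated SYNs (~60 B) and bare ACKs (~52 B) dominate outbound.
TUNNELLED: List[Record] = [
    ("out", 60), ("out", 60), ("out", 60), ("out", 52), ("out", 52),
    ("out", 400), ("in", 1500), ("in", 1500), ("in", 1500), ("in", 1500),
    ("out", 52), ("out", 52),
]
# The same tunnel with every record padded to 1024 bytes: no tiny records, but unnaturally uniform.
PADDED: List[Record] = [("out" if i % 2 == 0 else "in", 1024) for i in range(12)]

if __name__ == "__main__":
    for name, flow in (("browsing", HTTPS_BROWSING), ("tunnelled", TUNNELLED), ("padded", PADDED)):
        print(f"{name:10s} small_out={small_outbound_fraction(flow):.2f} "
              f"dominant={dominant_size_fraction(flow):.2f} -> {flow_verdict(flow)}")
```

Timing is deliberately left out to keep the example small; a real classifier would add inter-arrival gaps and direction changes, which is the direction the flow-analysis paper linked earlier in the thread takes.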
How else do they figure it out? My mind jumps directly to funny traffic patterns like a single person using the domain or maybe a non-normal looking website that doesn't serve static assets to non-VPN users or other normal things, etc. Can they probe the server somehow and figure out it's a VPN?
Does the user need to visit other sites unrelated to the VPN in order to mask their own usage and appear normal?
Only makes sense if you are doing it for a bunch of people and at that point you are another VPN provider.
If you want to build your own, use at least a VPN that was developed in Japan. (Google)