This work allows obfuscation of the OpenVPN header to make it harder for
layer 7 inspection to identify such traffic, which may come with blocking
or recording actions in certain territories of the world.  This patch, in
a nutshell, can increase privacy and range of communication for its users.

The `scramble' option introduced hereby is off by default.

The option's usage, history and controversy of the patch is explained in
detail on the following wiki page:

https://tunnelblick.net/cOpenvpn_xorpatch.html

diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c
--- openvpn-2.5_beta1.old/src/openvpn/forward.c	2020-08-16 11:57:15.000000000 -0400
+++ openvpn-2.5_beta1.new/src/openvpn/forward.c	2020-08-16 11:57:15.000000000 -0400
@@ -811,7 +811,10 @@
 
     status = link_socket_read(c->c2.link_socket,
                               &c->c2.buf,
-                              &c->c2.from);
+			                  &c->c2.from,
+			                  c->options.ce.xormethod,
+			                  c->options.ce.xormask,
+			                  c->options.ce.xormasklen);
 
     if (socket_connection_reset(c->c2.link_socket, status))
     {
@@ -1621,7 +1624,10 @@
                 /* Send packet */
                 size = link_socket_write(c->c2.link_socket,
                                          &c->c2.to_link,
-                                         to_addr);
+                                         to_addr,
+				                         c->options.ce.xormethod,
+				                         c->options.ce.xormask,
+				                         c->options.ce.xormasklen);
 
                 /* Undo effect of prepend */
                 link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c
--- openvpn-2.5_rc3.old/src/openvpn/options.c	2020-10-19 13:38:17.000000000 -0400
+++ openvpn-2.5_rc3.new/src/openvpn/options.c	2020-10-19 13:38:17.000000000 -0400
@@ -821,6 +821,9 @@
     o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
     o->resolve_in_advance = false;
     o->proto_force = -1;
+    o->ce.xormethod = 0;
+    o->ce.xormask = "\0";
+    o->ce.xormasklen = 0;
     o->occ = true;
 #ifdef ENABLE_MANAGEMENT
     o->management_log_history_cache = 250;
@@ -973,6 +976,9 @@
     setenv_str_i(es, "local_port", e->local_port, i);
     setenv_str_i(es, "remote", e->remote, i);
     setenv_str_i(es, "remote_port", e->remote_port, i);
+    setenv_int_i(es, "xormethod", e->xormethod, i);
+    setenv_str_i(es, "xormask", e->xormask, i);
+    setenv_int_i(es, "xormasklen", e->xormasklen, i);
 
     if (e->http_proxy_options)
     {
@@ -1452,6 +1458,9 @@
     SHOW_BOOL(bind_ipv6_only);
     SHOW_INT(connect_retry_seconds);
     SHOW_INT(connect_timeout);
+    SHOW_INT (xormethod);
+    SHOW_STR (xormask);
+    SHOW_INT (xormasklen);
 
     if (o->http_proxy_options)
     {
@@ -6260,6 +6269,46 @@
         }
         options->proto_force = proto_force;
     }
+    else if (streq (p[0], "scramble") && p[1])
+    {
+        VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
+        if (streq (p[1], "xormask") && p[2] && (!p[3]))
+        {
+            options->ce.xormethod = 1;
+            options->ce.xormask = p[2];
+            options->ce.xormasklen = strlen(options->ce.xormask);
+        }
+        else if (streq (p[1], "xorptrpos") && (!p[2]))
+        {
+            options->ce.xormethod = 2;
+            options->ce.xormask = NULL;
+            options->ce.xormasklen = 0;
+        }
+        else if (streq (p[1], "reverse") && (!p[2]))
+        {
+            options->ce.xormethod = 3;
+            options->ce.xormask = NULL;
+            options->ce.xormasklen = 0;
+        }
+        else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
+        {
+            options->ce.xormethod = 4;
+            options->ce.xormask = p[2];
+            options->ce.xormasklen = strlen(options->ce.xormask);
+        }
+        else if (!p[2])
+        {
+            msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
+            options->ce.xormethod = 1;
+            options->ce.xormask = p[1];
+            options->ce.xormasklen = strlen(options->ce.xormask);
+        }
+        else
+        {
+            msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
+            goto err;
+        }
+    }
     else if (streq(p[0], "http-proxy") && p[1] && !p[5])
     {
         struct http_proxy_options *ho;
diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h
--- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h	2018-07-28 06:02:27.000000000 -0400
+++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h	2018-07-28 06:02:27.000000000 -0400
@@ -99,6 +99,9 @@
     int connect_retry_seconds;
     int connect_retry_seconds_max;
     int connect_timeout;
+    int xormethod;
+    const char *xormask;
+    int xormasklen;
     struct http_proxy_options *http_proxy_options;
     const char *socks_proxy_server;
     const char *socks_proxy_port;
--- openvpn-2.5_git_974513e/src/openvpn/socket.c	2017-08-17 11:27:23.000000000 -0400
+++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c	2017-08-18 18:37:11.000000000 -0400
@@ -54,6 +54,56 @@
     IPv6_TCP_HEADER_SIZE,
 };

+int buffer_mask(struct buffer *buf, const char *mask, int xormasklen)
+{
+    int i;
+    uint8_t *b;
+    if (  xormasklen > 0  ) {
+        for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+            *b = *b ^ mask[i % xormasklen];
+        }
+    }
+    return BLEN (buf);
+}
+
+int buffer_xorptrpos(struct buffer *buf)
+{
+    int i;
+    uint8_t *b;
+    for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+        *b = *b ^ i+1;
+    }
+    return BLEN (buf);
+}
+
+int buffer_reverse(struct buffer *buf)
+{
+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
+ * https://github.com/clayface/openvpn_xorpatch
+ * makes a copy of the buffer and it writes to the byte **after** the
+ * buffer contents, so if the buffer is full then it writes outside of the buffer.
+ * This rewritten version does neither.
+ *
+ * For interoperability, this rewritten version preserves the behavior of the original
+ * function: it does not modify the first character of the buffer. So it does not
+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
+ */
+    int len = BLEN(buf);
+    if (  len > 2  ) {                           /* Leave '', 'a', and 'ab' alone */
+        int i;
+        uint8_t *b_start = BPTR (buf) + 1;            /* point to first byte to swap */
+        uint8_t *b_end   = BPTR (buf) + (len - 1); /* point to last byte to swap */
+        uint8_t tmp;
+        for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
+            tmp = *b_start;
+            *b_start = *b_end;
+            *b_end = tmp;
+        }
+    }
+    return len;
+}
+
 /*
  * Convert sockflags/getaddr_flags into getaddr_flags
  */
diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h
--- openvpn-2.5_beta1.old/src/openvpn/socket.h	2020-08-16 11:57:17.000000000 -0400
+++ openvpn-2.5_beta1.new/src/openvpn/socket.h	2020-08-16 11:57:17.000000000 -0400
@@ -249,6 +249,10 @@
 #endif
 };
 
+int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen);
+int buffer_xorptrpos(struct buffer *buf);
+int buffer_reverse(struct buffer *buf);
+
 /*
  * Some Posix/Win32 differences.
  */
@@ -1049,30 +1053,56 @@
 static inline int
 link_socket_read(struct link_socket *sock,
                  struct buffer *buf,
-                 struct link_socket_actual *from)
+                 struct link_socket_actual *from,
+                 int xormethod,
+                 const char *xormask,
+                 int xormasklen)
 {
+    int res;
     if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
     {
-        int res;
 
 #ifdef _WIN32
         res = link_socket_read_udp_win32(sock, buf, from);
 #else
         res = link_socket_read_udp_posix(sock, buf, from);
 #endif
-        return res;
     }
     else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
     {
         /* from address was returned by accept */
         addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
-        return link_socket_read_tcp(sock, buf);
+        res = link_socket_read_tcp(sock, buf);
     }
     else
     {
         ASSERT(0);
         return -1; /* NOTREACHED */
     }
+    switch(xormethod)
+    {
+        case 0:
+            break;
+        case 1:
+            buffer_mask(buf,xormask,xormasklen);
+            break;
+        case 2:
+            buffer_xorptrpos(buf);
+            break;
+        case 3:
+            buffer_reverse(buf);
+            break;
+        case 4:
+            buffer_mask(buf,xormask,xormasklen);
+            buffer_xorptrpos(buf);
+            buffer_reverse(buf);
+            buffer_xorptrpos(buf);
+            break;
+        default:
+            ASSERT (0);
+            return -1; /* NOTREACHED */
+    }
+    return res;
 }
 
 /*
@@ -1163,8 +1193,34 @@
 static inline int
 link_socket_write(struct link_socket *sock,
                   struct buffer *buf,
-                  struct link_socket_actual *to)
+                  struct link_socket_actual *to,
+                  int xormethod,
+                  const char *xormask,
+                  int xormasklen)
 {
+    switch(xormethod)
+    {
+        case 0:
+            break;
+        case 1:
+            buffer_mask(buf,xormask,xormasklen);
+            break;
+        case 2:
+            buffer_xorptrpos(buf);
+            break;
+        case 3:
+            buffer_reverse(buf);
+            break;
+        case 4:
+            buffer_xorptrpos(buf);
+            buffer_reverse(buf);
+            buffer_xorptrpos(buf);
+            buffer_mask(buf,xormask,xormasklen);
+            break;
+        default:
+            ASSERT (0);
+            return -1; /* NOTREACHED */
+    }
     if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
     {
         return link_socket_write_udp(sock, buf, to);
