[terrywang]

Thanks for pointing out, good insight. Haven't really done a deep dive for OpenVPN as strongSwan works perfectly fine for pretty much all my use cases.

However, strongSwan (IPsec) is easy to block (e.g. if detected by big brother - GFW in China) as by default is uses UDP ports 500, 4500, while OpenVPN can easily disguise as SSL/TLS or anything. In that sense, OpenVPN can be a backup for IPsec for remote access (fighting censorship).

[MichaelGG]

OpenVPN cannot disguise as SSL/TLS - every packet has an OpenVPN header, so it won't look like, say, an HTTPS connection. And the data packets do not use TLS at all. It would not take much effort at all to detect that a stream is using OpenVPN. Every data packet will start with the same few bits regardless of encryption options used. And the start of a new session has a recognizable sequence of initial bytes, again, regardless of the options used.

Whether or not firewalls are doing enough DPI to figure this out is another question.