Starting with our Windows VPN client app version 4.4.5 (change log), we have introduced support for an additional obfuscation layer via V2Ray protocol, using TCP socket connections. The new option can be configured in the Advanced tab and it is named "OpenVPN TCP proxy / obfuscation"

How it works

This obfuscation layer works as a proxy for all OpenVPN connection types, using TCP ports. It establishes an encrypted TCP socket proxy connection first, then tunnels all OpenVPN traffic through it. Port 443 (TCP) is used for all proxy locations, then you can connect over OpenVPN using any of its available TCP ports. 

There are two ways to use it: 

1. Direct connection through our obfuscation proxy servers: 

This option sets a direct proxy connection, when you select a single location name such as e.g. "Germany". 
The TCP proxy will establish a direct IP connection to our obfuscation server without involving DNS lookups, then tunnel all OpenVPN traffic thorough it. 

2. Connection to our obfuscation proxy servers through Cloudflare: 

This option sets a proxy connection through Cloudflare CDN network before reaching the proxy server, when you select a double location such as e.g. "Germany via Cloudflare". In such case, it will use the Cloudflare network to reach the proxy in Germany over port 443 (TCP). The same applies to all other locations which include 'Cloudflare" in their name. 

in both cases, it is recommended to choose a proxy location close to your physical location, which may result in lower latency and higher speed. 

The Cloudflare option has its own advantages, such as: 
- In high censoring countries/networks where the VPN server IPs could be blocked, this will allow to reach our servers through Cloudflare IPs which are unlikely to be blocked. Blocking them would result in a massive number of websites not working, as Cloudflare is used by many websites and their IPs are shared. 
- In some cases, a connection through Cloudflare may be faster than a direct VPN or proxy connection, since they are running a very solid network infrastructure. 

Security and privacy considerations

In both cases mentioned above, there is an additional encryption layer for the proxy tunneling. We consider it secure as per the implementation design, though it is worth noting that OpenVPN encryption is not downgraded or affected in any way. OpenVPN's security is the same as connecting directly to our servers, and the additional tunnel using the new obfuscation proxy makes the whole connection arguably more secure. 
Regarding privacy, the obfuscation proxy adds one or two more hops in order to reach the actual VPN server. It is one hop for the direct proxy connection, and 2 hops for the Cloudflare connection. On the Cloudflare side, the visible connection is to our proxy servers not knowing the actual VPN servers. It looks like normal web browsing over HTTPS. Then, on our proxy servers, the visible connection is from Cloudflare to the actual VPN servers. Such setup brings a privacy upgrade over direct VPN connections. 
Moreover, it allows various multi-hop scenarios. Since by default it allows to use either one hop (direct proxy) or two hops (via Cloudflare), for "paranoid mode" privacy you may want to consider the double-hop options available with our OpenVPN connections types, which would consist of 3 or even 4 actual interim hops. 

Scenario: user (choosing e.g. 'Cloudflare via Germany' option) <-> Cloudflare network <-> our obfuscation proxy in e.g. Germany <-> our double hop server 1 <-> our double hop exit server <-> Internet   - where 'server 1' and 'exit server' are selected from the Double Hop locations list, e.g. 'Germany - Switzerland'

Speed considerations

OpenVPN via UDP ports will always be faster than OpenVPN via TCP, however - TCP connectivity provides good speed as it is. 
Using default OpenVPN Tap network driver, speed would be capped around 80 Mbps in best case scenario. 
Using the Wintun driver (selectable in the Advanced tab), speed would reach 100 Mbp, maybe more in best case scenario.  
The speed results above are based on our own tests. 

Depending on the actual location you want to connect to, the Cloudflare option could bring a speed benefit and may be a good option if the ISP throttles traffic such as OpenVPN via UDP ports. 

This new feature also adds support for local SOCKS5 proxy (the option called "Your own local SOCKS5 proxy"), meaning that you can tunnel OpenVPN's traffic through anything that supports a local SOCKS5 proxy such as SSH, as long as it is locally listening on port 1080 without authentication.