Is OpenVPN not just SSL traffic?
They can block the default port and IP addresses owned by VPN service providers, but is there any way to block the protocol without blocking all encrypted web traffic?
Blocking all encrypted traffic... fantastic suggestion comrade, I'll forward this on to the Kremlin. Also, you've been drafted.
It's a custom protocol that uses SSL/TLS for key exchange and such, so it can be detected. It's actually causing huge problems for many large Russian companies, as it's common to use those protocols for remote access, work, etc.
As mentioned in the article you need something like "Shadowsocks" to avoid protocol blocking, since it fully disguises the traffic as standard SSL/TLS. Which was created for, and is still used to circumvent this type of blocking in "the great firewall of china".
https://security.stackexchange.com/questions/187649/is-it-possible-to-detect-vpn-in-the-network
tl;dr: You can infer that OpenVPN is used from the key exchange somehow.
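
Added example, not part of any comment in this thread: a minimal first-payload classifier showing why the comments above say OpenVPN (and WireGuard) can be distinguished from ordinary TLS by a monitoring device. The opcode and message-type values follow the public OpenVPN and WireGuard wire formats; the function names and sample bytes are constructed for illustration.

```python
import struct

# OpenVPN: high 5 bits of the first byte are the opcode, low 3 bits the key id.
OVPN_CLIENT_RESETS = {7: "P_CONTROL_HARD_RESET_CLIENT_V2",
                      10: "P_CONTROL_HARD_RESET_CLIENT_V3"}

def _ovpn_reset(pkt: bytes) -> bool:
    # opcode(1) + session id(8) + ack count(1) + packet id(4) = 14 bytes minimum
    if len(pkt) < 14:
        return False
    opcode, key_id = pkt[0] >> 3, pkt[0] & 0x07
    return opcode in OVPN_CLIENT_RESETS and key_id == 0

def classify_first_payload(payload: bytes, transport: str) -> str:
    """Label the first client payload of a flow from its cleartext header."""
    if transport == "tcp":
        # TLS record: type 0x16 (handshake), version 3.x, ClientHello (0x01)
        if (len(payload) >= 6 and payload[0] == 0x16
                and payload[1] == 0x03 and payload[5] == 0x01):
            return "tls-clienthello"
        # OpenVPN over TCP prefixes every packet with a 2-byte length
        if len(payload) >= 16:
            (length,) = struct.unpack("!H", payload[:2])
            if 14 <= length <= len(payload) - 2 and _ovpn_reset(payload[2:]):
                return "openvpn"
    elif transport == "udp":
        # WireGuard handshake initiation: type 1, 3 reserved zero bytes, 148 bytes
        if len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00":
            return "wireguard"
        if _ovpn_reset(payload):
            return "openvpn"
    return "unknown"

# Constructed sample payloads (not captured traffic).
OVPN_UDP = bytes([0x38]) + b"\x11" * 8 + b"\x00" + b"\x00" * 4
SAMPLES = {
    "ovpn_udp": (OVPN_UDP, "udp"),
    "ovpn_tcp": (struct.pack("!H", len(OVPN_UDP)) + OVPN_UDP, "tcp"),
    "wg_init": (b"\x01\x00\x00\x00" + b"\xaa" * 144, "udp"),
    "tls_hello": (b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00", "tcp"),
    "dns_query": (b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 10, "udp"),
}

def classify_samples() -> dict:
    return {name: classify_first_payload(p, t) for name, (p, t) in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:10s} -> {label}")
```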
SSL is a higher layer thing, isn't it? A VPN is just encapsulating an IP packet in another IP packet and getting it to the tunnel endpoint. Unless the whole of the IP packet is encrypted, the service provider could just sniff your packets and block anything that looks like an IP packet in the outer packet payload?
Yes there is a difference between https traffic.
Shithole country
Worse: shithole country that turns everything they touch into shit too.
using a vpn is also illegal in russia since 2017 😅
But also laws don't really matter in Russia.
annnd another dictatorship box checked off the list... won't be long now
Until what? Until Russia is a dictatorship? That ship sailed a long time ago.
Won't be long before Putin catches up to Kim Jong Un in the Oppression Olympics
Until he stops pretending?
But how are their propaganda farms going to be able to pretend they are in your country now?
They still get to operate don't worry!!
official companies are still able to use vpn 😏
I live in Russia and I have a VPS with WireGuard VPN in the Netherlands. At the current moment it works for me pretty well except for some connection failures two days ago. But they were very short. But I don't know how long my VPS will be accessible with this fucking blocking.
You might want to sign up with astrill. Greetings from China, we've been dealing with this shit for decades.
Thanks for the advice. I didn't hear about it before. It will be my backup plan.
Proton vpn has a feature that can be turned on for oppressive governments, ‘alternate routing’ I believe. Would that be sufficient or no?
Theoretically, yes, since there are options other than WG/OVPN available through Smart Protocol, which Alternate Routing leverages.
Now comes the Great Russian Firewall.
The Copper Curtain?
I don't think they can afford copper at the moment. Try cotton maybe.
ProtonVPN has a "stealth" protocol. Does anyone know if that breaks through?
protonvpn hasn't worked here at all for a long time now lol
I am pretty confused by the article.
What I'd expected based on what I've seen so far was that the Kremlin would not care what protocols are used, just whether a given VPN provider was in Russia and whether it provided the government with access to monitor traffic in the VPN.
So, use whatever VPN protocol you want to talk to a VPN provider where we can monitor or block traffic by seeing inside the VPN. You don't get to talk to any VPN providers for which we can't do that, like ones outside Russia, and the Russian government will do what it can to detect and block such protocols when they pass somewhere outside of Russia.
But that doesn't seem to fit with what the article says is happening.
The media in Russia reports that the reason behind this is that the country isn’t banning specific VPNs. Instead, it’s putting restrictions on the protocols these services use.
According to appleinsider.ru, the two protocols that are subject to the restrictions are:
- OpenVPN
- WireGuard
A Russian VPN provider, Terona VPN, confirmed the recent restrictions and said its users are reporting difficulties using the service. It’s now preparing to switch to new protocols that are more resistant to blocking.
I don't see what blocking those protocols internal to Russia buys the Kremlin -- if Terona conformed to Russian rules on state access to the VPN, I don't see how the Kremlin benefits from blocking them.
And I don't see why Russia would want to permit through other protocols, though maybe these are just the only protocols that they've gotten around to blocking.
EDIT: Okay, maybe Terona doesn't conform to state rules or something and there is whitelisting of VPN providers in Russia actually happening. Looking at their VK page, it looks like Terona's top selling point is "VPN access to free internet" and they have a bunch of country flags of countries outside of Russia. So maybe Russia is blocking VPN connectivity at the point that it exits Russia, and it's affecting Terona users who are trying to use a VPN to access the Internet outside Russia, which would be in line with what I would have expected.
It was not working for 2 days on mobile operators, now waiting for full shutdown
Is it possible to bypass this block? Say, embedding VPN packets within a different protocol?
I don't know why some moron downvoted you, but the answer is maybe. For reference, I have always bypassed SSH firewall blocking by sneaking SSH packets within https.
The only way this won't be possible is if the government enforces installing a certificate to use the internet, so that they can do a man-in-the-middle-attack. I heard this is already being done in Afghanistan.
Is this just address/port blocking, or DPI of some kind? I'm wondering what they can trigger off?
Shadowsocks/ShadowsocksR/vmess/vless/trojan:
Couldn't you just use any server/droplet/AWS instance via SSH to get around this law? Seems much simpler.
If you're savvy enough, sure. But for the lay person who doesn't want a clouded view of the world, they likely won't have the same resources or technical capabilities.
This has been happening intermittently since 2012 or something.
Not wg, cause it wasn't popular then.
HTTP\HTTPS tunneling etc are not that hard, ya knaw.
Or encrypted GRE, ffs.
!chapotraphouse@hexbear.net will love this.
After a discussion that lasted for way too long, it appears that they like censorship.
They think that this is a perfectly reasonable argument: https://youtu.be/QFgcqB8-AxE and that the government knows better and thus information should be suppressed.
Absolutely ridiculous...
Peeps on hexbear are atrocious
Yes they are. And they shadow delete comments! That's after several of their members straight up sent abusive messages to me. I of course reported them. That's when I noticed my comments deleted.
I'm not too worried about it. If that's how they are with others, their message and community won't reach far. Fuck em