VPNs, Virtual Private Networks, aren’t just a good idea to keep your data secure: for millions of people living under restrictive regimes they’re the only way to ensure full access to the internet. What do you do when your government orders ISPs to ban VPNs, like Russia has done recently? [LaserHelix] shows us one way you can cope, which is to use a Shadowsocks proxy.
If you’re not deep into network traffic, you might be wondering: how can an ISP block VPN traffic? Isn’t that stuff encrypted? Yes, but while the traffic going over the VPN is encrypted, you still need to connect to your VPN’s servers– and those handshake packets are easy enough to detect. You can do it at home with Wireshark, a tool that shows up fairly often on these pages. Of course if they can ID those packets, they can block them.
So, you just need a way to obfuscate what exactly the encrypted traffic you’re sending is. Luckily that’s a solved problem: Chinese hackers came up with something called Shadowsocks back in 2012 to help get around the Great Firewall, and have been in an arms-race with their authorities ever since.
Shadowsocks is not, in fact, a sibling of Gandalf’s horse as the name might suggest, but a tool to obfuscate the traffic going to your VPN. To invert a meme, you’re telling the authorities: we heard you don’t like encrypted traffic, so we put encryption in your encrypted traffic so you have to decrypt the packets before you recognize the encrypted packets.
What about the VPN? Well, some run their own Shadowsocks service, while others will need to be accessed via a Shadowsocks bridge: in effect, a proxy that then connects to the VPN for you. That means of course you’re bouncing through two servers you need to trust not to glow in the dark, but you have to trust someone– otherwise it’s off to a shack in the woods, which never ends well.
Don’t forget that while VPNs can get you around government censorship, they do not provide anonymity on their own. If, like tipster [Keith Olson] –thanks for the tip, [Keith]!– you’re looking side-eyed at your government’s “think of the children!” rhetoric but don’t know where to start, we had a discussion about which VPNs to use last year.
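The handshake fingerprinting described above, as an added example that is not from the original post or the linked video: the fixed-header checks a Wireshark dissector or DPI filter can apply to the first payload of a flow, written in Python. The sample payloads are constructed, and the function and label names are hypothetical.

```python
"""Added example: fixed-header checks on the first payload of a flow."""

# All sample payloads are constructed for this example; filler bytes are zeros.
WG_INIT = b"\x01\x00\x00\x00" + bytes(144)            # type 1, 3 reserved bytes, 148 total
OVPN_RESET = b"\x38" + bytes(8) + b"\x00" + bytes(4)  # opcode 7 << 3, session id, acks, packet id
TLS_HELLO = b"\x16\x03\x01\x00\x2a" + b"\x01\x00\x00\x26" + b"\x03\x03" + bytes(36)
RANDOM_LOOKING = bytes.fromhex("9f41c7e2053ab86d" * 4)  # stand-in for a stream that opens with a salt


def classify_first_payload(transport: str, payload: bytes) -> str:
    """Label a flow from its first payload using protocol header constants only."""
    if transport == "udp":
        # WireGuard handshake initiation: message type 1, three zero bytes, always 148 bytes.
        if len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00":
            return "wireguard-handshake-initiation"
        # OpenVPN: high 5 bits of byte 0 are the opcode; 7 = P_CONTROL_HARD_RESET_CLIENT_V2.
        if len(payload) >= 14 and payload[0] >> 3 == 7:
            return "openvpn-hard-reset-client-v2"
    elif transport == "tcp":
        # TLS record: type 0x16 (handshake), version 0x03xx, then handshake type 1 (ClientHello).
        if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
            return "tls-clienthello"
    return "no-fixed-signature"


def classify_samples() -> dict:
    """Run the classifier over the constructed samples and return name -> label."""
    flows = {
        "wireguard": ("udp", WG_INIT),
        "openvpn": ("udp", OVPN_RESET),
        "https-or-tls-vpn": ("tcp", TLS_HELLO),
        "random-looking": ("tcp", RANDOM_LOOKING),
    }
    return {name: classify_first_payload(t, p) for name, (t, p) in flows.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:18} -> {label}")
```

A flow that opens with random-looking bytes passes these header checks, which is why the blocking described in the comments relies on active probing and statistical analysis instead.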

It’s been a long time since 2012 and Shadowsocks is successfully detected and blocked by those oppressive regimes you’ve mentioned. They use active probing, DPI and statistical analysis to successfully block most of the suspected Shadowsocks traffic.
Maybe Amnezia https://docs.amnezia.org/documentation/amnezia-wg/ would be better. Seems to aim for the same, but is based on wireguard. I have no great experience with it, don’t go to the kind of place you can’t use just a normal vpn, but came across it recently when working with wg.
Wireguard doesn’t look like other traffic that is likely to be allowed, so is trivially blocked (sometimes it is blocked unintentionally, even). I use wireguard with failover to openconnect + ocserv, for my own stuff, since ocserv is just regular TLS, and indistinguishable from web traffic to the less sophisticated outside observer (openvpn does not use standard TLS, and its initial handshake is trivial to spot, and block with pretty much any layer 7 filter).
It is pretty simple to set up haproxy or nginx to reverse proxy based on SNI, so ocserv can share the same port 443 as your webserver. ESNI would help too, especially if you name the vpn e.g., vpn.example.org. But, if traffic analysis, you will still get caught– VPN traffic does not look like normal web browsing traffic. But, this setup is good enough to get past the fascist firewalls I’ve encountered on public wifi.
If your needs are greater than this, look for Chinese blogs and e.g., github pages for state of the art obfuscation of VPN traffic.
“Any problem in computer science can be solved with another level of indirection.”
Except the problem of too many abstractions. Maybe anyway… Maybe.
And they all leak.
Why do you call them gopniks?
A gopnik (feminine: gopnitsa, collective: gopota) is a derogatory Russian slang term for a member of a marginalized, often delinquent, lower-class youth subculture in Russia, Ukraine, Belarus, and other former Soviet states. They are stereotypically seen in Adidas tracksuits and engaging in the “slav squat”.
I’m guessing it was to re-use the term used in the youtube video’s title, but yeah, that made me tick too
Yeah, not a good look HD. Please change it.
Probably because the author of the video calls it “Gopnik edition” and starts off with a still shot of an anime girl in a tracksuit?
By that logic, we are all allowed to use the n-word?
Never stop, HaD comments
That is taken from the video title. I assume it’s in jest just like in the US we might say ghetto edition or poor-mans X
Yes, that’s how I took it. There are corners of the internet where the word has lost all derogatory sense. Evidently this isn’t one of them, and since it’s apparently a Big Deal™, I’ll remove the offending word.
I took it as joking in the video title– good people obey the law, so clearly only the delinquents would dare use a VPN.
Still, since you’re not the only one who found it too much, the word is removed. Be careful you don’t click through the link without a full string of pearls to clench.
Censorship bars coming to our favorite site.
Pretty poor taste to insult someone calling out stereotyping. What is the point of a comments policy if the authors are going to ignore it? Take the criticism like an adult and learn from it.
So much for an apology.
“Be careful you don’t click through the link without a full string of pearls to clench.” – double down
But he did take it down. You got your wish. Asking for an apology would be a tad entitled, wouldn’t it? The whole point of the article is to get around VPN bans, with a nod towards Russian efforts in particular. Do you know about “Mat”? It’s a Slavic language system built on swearing. The use of “mat” is banned in Russian mass media, movies, and public performances under laws enforced since 2013–2014, with public usage potentially classified as petty hooliganism. And now I’m afraid to give an example here, but for language geeks it’s pretty awesome! It also spread through the old Soviet armies, it’s not just “Russian mob slang”, as Hollywood presents it. Now, you’re asking for the same kind of censorship here in English, and that seems ironic. I’m concerned at the amount of posts asking for it to be taken down, have Russian bots infiltrated the comment section of Hackaday? Oh noze!
No need to be a jerk.
wstunnel
Thank you! Good tool for the toolbox.
Sounds like somebody needs some “Life of Boris” in their lives.
Chiki Briki!
Hey lots of folks live very much like that by choice and enjoy it! There is no reason your shack in the woods living experience has to end badly, though for most HAD readers I’d suggest way too inconvenient to actually want to live there full time (I certainly wouldn’t want to). As we are likely too invested in the cool data and learning treasure trove that is the internet (even if it’s getting shittier and harder to access the good stuff) and too adapted to relatively fast delivery to your door of whatever you order.
There are shacks and then there are ‘shacks’…
I was thinking of a specific bearded mathematician who lost faith in technology and whose shack now resides in the FBI museum.
There’s nothing wrong with rural living– I wish I could move out of town myself. It’s only a problem if paranoia drives you out there.
Going schizo is not the same as ‘lost faith in technology’.
Did you ever actually try to read his manifesto?
Is incoherent illogical stack of bold crazy assertions.
Don’t take the word of reporters, those people are just stupid.
Schizophrenia is a bitch of a disease, each acute episode costs about 1 IQ point.
After some time the person remembers being smart.
Can make smart noises that can fool ‘born dumbs’, but is dumb.
It’s wild to hear people say, “You know, that terrorist had some good points.” Dumb will always dumb.
I was expecting that example, or perhaps another similar one to have been in your mind when you wrote it – Simply pointing out that being off to a shack in the woods, even if it’s in large part because you don’t like the modern world doesn’t have to work out badly for a functional individual.
2 questions:
* reticulum works on Russia or China?
* tox works?
Maybe it is time to revitalise Mute, Ant, etc.