From January 7, Russia will completely ban VPN
How do you like the title, huh? How do you like this present for Christmas?
No, it's not true, it's a joke.
It won't be banned from January 7th. It will be banned from some other date.
Read on under the cut: together we will learn how to bypass VPN blocking, drawing on the experience of our colleagues from friendly countries such as China, Iran, Turkmenistan and, of course, North Korea.
AmneziaVPN is back!
About VPN Services
Keep in mind that ordinary commercial VPN services are fairly easy to block. Even though the most advanced commercial VPN clients can mask VPN traffic from blocking systems and DPI, they remain vulnerable to blocking of the IP subnets where their VPN servers sit, and to blocking of their control servers. Another argument: the regulator itself can buy a subscription to the VPN service, watch which addresses the VPN client connects to, and block those addresses in real time. Chances are some people already do that.
The larger and more popular a commercial VPN service is, the stronger the desire of supervisory authorities to block it. In this regard, small VPN services may stay invisible and avoid close scrutiny from regulators. But if it comes to that, and such a service has no VPN-masking functions, the probability of being blocked by traffic signatures remains high.
If some VPN service is still running, that does not mean it cannot be blocked; perhaps its turn has not come yet, or the right moment has not arrived. Bear in mind that in unfree countries a great deal of attention is paid to blocking, progress does not stand still, and the means of detecting and blocking VPNs only improve over time.
About VPN protocols
All popular VPN protocols are quite easily detected by DPI tools, and as a result, they are easily blocked.
In more detail, the situation is as follows. I would divide VPN protocols into several groups:
The first group, the most vulnerable to blocking, is WireGuard and OpenVPN in UDP mode, as well as IKEv2 and all sorts of older protocols like L2TP. Such protocols are blocked by simple signatures, or even by port number.
The second group is protocols that are harder to block. They are built on TLS (the protocol the web runs on), so one would expect them to resist blocking well. In practice it turns out they still have signatures by which they can be distinguished, and so they get blocked too. This is OpenVPN in TCP mode, as well as a regular SOCKS proxy.
The third group is protocols or protocol bundles that are well disguised as web traffic, which makes them hard to detect and block. These are OpenConnect / AnyConnect, OpenVPN with the XOR patch, and I would also put the ShadowSocks protocol and a tunnel through SoftEther in this group. The distinguishing feature of this group is that these protocols are difficult, but still possible, to tell apart from ordinary web traffic. For example, one possible way to block them is by analyzing the entropy of headers: ShadowSocks completely randomizes the transmitted headers, which makes it look like real web traffic. Or an even trickier check: if the VPN protocol is disguised as web traffic, the analysis system itself tries to open the same web address that is indicated in the packet header. This is how the Great Firewall of China works.
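To make the entropy check mentioned above concrete, here is an added example (not code from the article or from Amnezia): a toy first-packet classifier modelled on the popcount heuristic documented for the Great Firewall in 2023, run over three constructed samples. The thresholds, exemptions and samples are illustrative assumptions, and the point is the defender's one: a fully randomized first packet is what gets flagged, while a TLS-shaped one passes, which is exactly why the fourth-group plugins mimic TLS.

```python
import random


def popcount_per_byte(data: bytes) -> float:
    """Average number of set bits per byte; uniformly random bytes average 4.0."""
    return sum(bin(b).count("1") for b in data) / len(data)


def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def looks_fully_encrypted(first_packet: bytes) -> bool:
    """True if the first client packet looks like a protocol that randomizes everything.
    Toy heuristic with assumed thresholds, not any real DPI product's rule set."""
    if not first_packet:
        return False
    # Exemption 1: a TLS record header (0x16 handshake, version 3.x) is passed as web traffic.
    if first_packet[:2] == b"\x16\x03":
        return False
    # Exemption 2: a printable-ASCII prefix marks a text protocol such as HTTP or SMTP.
    if len(first_packet) >= 6 and all(is_printable(b) for b in first_packet[:6]):
        return False
    # Exemption 3: more than half printable bytes is not what encrypted output looks like.
    if sum(is_printable(b) for b in first_packet) > len(first_packet) / 2:
        return False
    # Core test: only a bit density close to 4.0 per byte is treated as "random".
    return 3.4 <= popcount_per_byte(first_packet) <= 4.6


# Constructed samples (seeded, so the result is reproducible offline).
_rng = random.Random(2023)
RANDOM_FIRST_PACKET = bytes(_rng.getrandbits(8) for _ in range(256))   # fully randomized protocol
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c4010000c00303") + bytes(32)  # TLS 1.2 hello
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: habr.com\r\n\r\n"              # plain text protocol


def classify_samples() -> dict:
    """Run the heuristic over the three constructed samples."""
    return {name: looks_fully_encrypted(pkt) for name, pkt in
            [("random", RANDOM_FIRST_PACKET),
             ("tls", TLS_CLIENT_HELLO_PREFIX),
             ("http", HTTP_REQUEST)]}
```

Only the randomized sample is flagged; the TLS and HTTP samples fall under the exemptions that keep ordinary web traffic flowing.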
The fourth group is protocols or protocol bundles that are extremely difficult or outright impossible to distinguish from real web traffic. This includes special VPN-masking plugins developed specifically to mimic web traffic, in particular v2ray, vless, wstunnel, Cloak and others.
These plugins began to appear in large numbers for one reason: at some point someone had the idea that the masking task could be moved out into a separate module, a plugin. A whole standard even appeared, called Pluggable Transport. It was originally made for Tor back in 2012; later, Pluggable Transport support was added to the ShadowSocks client, and just a couple of years ago unofficial Pluggable Transport support for OpenVPN appeared.
Write in the comments if I placed some protocols in the wrong groups, or made a mistake in something - we will correct, supplement.
About AmneziaVPN
It is time to remind you about AmneziaVPN, a project that was born at the first Demhack hackathon, grew up in the Privacy Accelerator and has become one of the most promising self-hosted VPNs of the present day.
In our last article, published back in 2021, we showed you clearly what to prepare for by 2033, using an illustration of a portable folding satellite probe as an example. Unfortunately, our predictions did not come true, and the reality is that these devices may find their niche, pardon the pun, as early as 2023.
So, the main goal of the AmneziaVPN project is to save your … strength and nerves when accessing the unlimited Internet in the new harsh reality.
AmneziaVPN is free and open-source software for creating a personal VPN on your own server. It requires no special technical knowledge to install and configure the server, and it supports a wide protocol stack: OpenVPN, WireGuard, IKEv2, as well as ShadowSocks and Cloak, which are much more resistant to VPN blocking. To date, Amnezia is one of the few solutions that works even in the repressive environments of Turkmenistan and Iran.
VPN services are actively fought in countries with severe Internet censorship. In Russia, for example, many VPNs have been blocked over the past year; you probably know names such as Surfshark, Proton, TunnelBear and others. Doesn't it bother you that they stopped working? It stresses us a lot. That is why Amnezia's main task is to build a product that can withstand blocking of varying complexity.
We assume that if VPN protocols are blocked in Russia, Amnezia will remain one of the few tools for circumventing censorship, along with projects such as Tor, Lantern, Psiphon and Ceno.
The main task of AmneziaVPN is to support both regular VPN protocols and protocols from the fourth group, which are extremely difficult to detect and block.
AmneziaVPN already implements VPN cloaking via the Cloak plugin; for now this works only on desktop platforms, but we are already working on adding the same functionality to the Android and iOS releases of AmneziaVPN.
More on this below; for now, first things first.
This article is dedicated to a long-awaited event: we have finally released the application for iOS. Now we have a full arsenal, clients for Windows, MacOS, Linux, Android and iOS. And you won't believe it, everything is packed into a single code base: the project is written in C++/Qt/QML with platform-specific inserts in Java/Kotlin/Objective-C/Swift.
For the lazy, or those not interested in Amnezia's inner workings, you can skip to the very bottom, to the “A-A-A WHAT TO DO” section.
About Docker
In principle, users do not need to know how Amnezia works inside, but since we are on Habr, let's dive into the details a little.
After you enter the login, password and server address into Amnezia, it connects to the server via SSH and starts installing VPN services on it, of course only those you explicitly selected.
Each service in Amnezia is called a container, because in Amnezia everything is packaged in Docker containers.
The name of a container indicates which port/protocol it exposes. For example, the OpenVPN container opens only one OpenVPN port (TCP or UDP, depending on the choice made during configuration), and you can connect to this container from outside only via OpenVPN.
The same goes for the ShadowSocks container: only the ShadowSocks port is exposed. But inside this container there are already two protocols, OpenVPN and ShadowSocks. That is, you can connect to it with plain ShadowSocks, or with the OpenVPN over ShadowSocks bundle.
The Cloak container exposes TCP/443, to which, as you would expect, you can only connect through Cloak. Inside there is a whole zoo: besides Cloak, both OpenVPN and ShadowSocks live there. Accordingly, for the VPN to work through this container, you need to connect with the OpenVPN over Cloak or ShadowSocks over Cloak bundle. And it doesn't matter whether you connect with Amnezia itself or with another client that supports such a bundle, for example the official ShadowSocks client with the Cloak plugin attached.
A little confusing? Perhaps, but it gives flexibility. The list of supported containers can be found here, right in the repo. You can read these scripts and make sure Amnezia does nothing extra, and maybe even give us recommendations on how to improve them!
About config export
Amnezia has a distinctive feature: the user can connect to a configured VPN server not only with Amnezia itself.
We are making a free universal tool: you can, for example, set up an Amnezia OpenVPN container, export the OpenVPN config, and connect with a regular OpenVPN client by loading the generated config into it.
The same is true for all other containers, but in the case of the Cloak container, for example, you will have quite a hard time setting up the OpenVPN over Cloak or ShadowSocks over Cloak bundle yourself.
However, this is what we gave a year ago to users from Turkmenistan and Iran. And to our surprise, there were many enthusiasts who started setting up ShadowSocks over Cloak on mobile devices this way. Recall that Amnezia for Android and iOS does not yet support connecting via these bundles; we are working hard on it, it will be here soon, and it will be a blast!
About OpenVPN
At the moment, Amnezia has the most complete support for the OpenVPN protocol: it works in the AmneziaVPN clients on all supported platforms, Windows/MacOS/Linux/Android/iOS.
Good old OpenVPN still has plenty of fight left in it. Here's why.
A little earlier I mentioned that Pluggable Transport was added to OpenVPN. That means we can attach any masking plugin to it. And not only can we, we have already started: we made a prototype, and we are embedding this OpenVPN with PT support into Amnezia.
And this, in turn, means we will have full VPN masking on mobile devices, on Android and on iOS. In short, mobile platforms are strict about VPNs and access to system functions, so it isn't possible to simply launch two processes directly, OpenVPN separately and a plugin separately, the way it works on desktop platforms.
Our roadmap is as follows: add OpenVPN with Pluggable Transport support, finish the OpenVPN over Cloak bundle for mobile platforms, then add v2ray support, and then, if there is enough time, effort and resources, support wstunnel and other tools that turn out to be in demand and relevant.
Cloak
Some services, such as Tor, provide traffic obfuscation using a utility like obfs4. It seemed to us that this is not a very modern utility, and the level of masking achievable with obfs4 is not the highest...
Therefore, our choice initially fell on Cloak. The main feature of Cloak is that you can configure a donor site in it, which Cloak will disguise itself as, and this makes blocking very difficult.
It works like this: even if DPI equipment probes the server where the user has installed their VPN, the DPI system receives in response the content of the site predefined in Cloak. For example, you can set Habr.com there, and DPI will think users are reading Habr news, while at that moment they are sitting in a hidden VPN tunnel on the forbidden Book of Faces, Mockingbird and other devilish sites, RKN forbid me from writing their names.
Cool? We think so! It is certainly not a panacea; this scheme can be burned by invalid certificates, but so far even the Great Firewall of China itself cannot cope with such an outrage.
Say thanks to Andy Wang for this great tool! If anything, all the arrows point at him; we just collected several utilities from the Internet into one application, and that isn't forbidden yet, is it?
About WireGuard
And we do that too. Not everyone is lucky enough to live in a country where the coolest and most sophisticated VPN masking tools are needed. We haven't had such luck yet either: WireGuard still works, and all sorts of homebrew VPN services built on WG are working. It is fast and does not drain the battery much on mobile devices, so it works for now, and thank RKN for that.
AmneziaVPN supports WireGuard only on Windows/Android/iOS. Soon we will finish it for MacOS, and a little later for Linux.
About other VPN protocols
We generally have Napoleonic plans: we want Amnezia to be able to use all VPN protocols. We have started adding support for IKEv2; for now it only works on Windows.
We also managed to embed into Amnezia a container with a DNS server, a container with file storage, and even a container that, in one click, brings up a website on the Tor network with a customized WordPress. Just don't write in asking why it's all there; the most important thing is that it works!
And is it safe?
The first thing I would like to remind you is that AmneziaVPN is an open-source project, that is, all our configuration scripts, all library forks and much more can be found in our GitHub repository.
The most important event in the life of the project was that in the summer of 2022 AmneziaVPN passed a full independent security audit by 7ASecurity, with the support of the Open Technology Fund. The audit found vulnerabilities of various severity levels, which were fixed in the same year, with updates released. Details of the audit can be found in the official press release, or you can go straight to the report in PDF format.
In other words, AmneziaVPN is now an established project that you can trust.
Where is Amnezia VPN available?
AmnesiaFree
Oh, by the way, for easy access to the Book of Faces, Mirror, Mockingbird, Jellyfish and all the other media like CBB and NNC, we created a Telegram bot that hands out WireGuard configs to everyone, even the merely curious. To use it, it will ask you to subscribe to our AmneziaNews Telegram news channel, then it will issue a config and instructions on how to set up the VPN. And by the way, it runs on WireGuard, so... let's not panic while it still works.
A-A-A WHAT TO DO
If you do not pay attention to the tightening of blocking (and everything else), you may suddenly find yourself the hero of the famous meme “Hold the banana, take the TV, save the bear, throw me and climb into the closet”, or some other meme, but most likely also with a banana.
Here is a brief guide to Internet survival in the face of tightening blocking.
Check out the list of tools that help bypass hard blocks. Let's compile it together here; I'll start: this is, of course, AmneziaVPN, and also Tor, Lantern, Psiphon, Ceno... write in the comments if you know other services.
Install at least a couple of such applications and play around with them; it's better to do it now, while it's quick and easy. When the Internet is blocked, things can get a lot more complicated. Or, to your taste, you can go through this quest later at an increased difficulty level. For example, like Turkmen freelancers. Or at the “Adept of Juche” difficulty level, when to bypass the blocking you literally have to walk around it on your own two feet.
Just do not forget about your inalienable right to freedom of thought, to freedom of access to information, to other points of view. If you look at the same picture for several minutes, it then stands before your eyes for a few more seconds, obscuring the real image. If you look at the same picture of the world through a screen for years, you will not see reality for a long time through the veil of thoughts that seem to be your own... © Mazai Banzaev.