VPN Gate, or - a distributed VPN network that cannot be killed by the Great Firewall of China


Hornbeam
3 min

Today we will talk about VPN Gate, a distributed VPN network and something of an adversary of the Middle Kingdom in the field of Internet censorship. There are plenty of articles on Habr about SoftEther VPN (the layer underneath VPN Gate), but not a single technically thorough article about the distributed network itself; it feels as if it has been completely forgotten.

VPN Gate has been Daiyu Nobori's academic experiment since 2013. The project is an Internet research service at the Graduate School of the University of Tsukuba, Japan. The stated purpose of the study is to expand knowledge of "Global Distributed Open VPN Relays".

A distinctive feature of this network is that it operates as a swarm: any user who wishes can share their bandwidth with others. I know what you're thinking: yet another failed blockchain-based dVPN PR campaign.

However, this project already has 8634 nodes and has carried 534 petabytes of traffic since its inception. Even Tor has only 7 thousand nodes.

The main users are Chinese, thanks to an architecture that successfully withstands the active probing of the Great Firewall of China.

The GUI client, and the server with its built-in plugin, are installed from VPN Gate's own website. Each generated zip build of the program differs in size to complicate DPI analysis of its contents. The build also carries a set of random VPN server addresses to fall back on if the original VPN Gate servers, from which the lists are fetched, are blocked.

But in my view the project team's biggest achievement was bolting on NAT hole punching, so that every user, even without a public ("white") IP, can share their bandwidth. No registration.

You may ask why the Chinese firewall (GFW, the Great Firewall of China) has not blocked it yet. Here begins the chronology of the struggle between the forces of good and evil:

In the first 4 days after the project launched, most of the influx of users came from China: 5k users flooded the service at once.

On the fifth day, the GFW blocked the main VPN Gate website. Users started sharing the installers on portals like Weibo.

Then the GFW started blocking the servers, taking their addresses from the project's main page. But they made a mistake: they did not check the IP addresses for legitimacy, and so the project team put this card on the table:

They started mixing random IP addresses into the list, and within three days they had full control over what the GFW blocked; they were breaking Chinese internal sites.

After a while, the GFW started checking each IP address with a powerful DPI technique called active probing. A GFW bot (from a random IP) is first sent with a test request to each remote IP address a user has asked for, and if the response contains words forbidden by the filter, the remote IP address is blocked.

But since the number of VPN Gate servers is large, the network has an advantage: what if each node reported every short-lived connection from a client that came to it only to "verify" it?

The team began processing such reports automatically on their own server. Because the providers of the Celestial Empire have a large pool of addresses, an individual server does not always manage to identify the IP address of the bot that scanned it and handed it over to the GFW for blocking.

But if we take into account the statistics from all nodes, then the IPs that connect and disconnect at the same time within a short interval can be weeded out and blocked. In this way the network repels the GFW bots' attempts to find it. In addition, it only hands out a limited list of servers to users, so even if the GFW tries to scan the network simultaneously from 16 million IP addresses (according to some reports, even foreign pools are used), it will not succeed.
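The swarm-wide correlation described above, as an added illustration that is not VPN Gate's own code: every relay reports its sessions to an aggregator (an assumed schema, not the project's real one), and a source IP that opens short sessions against several distinct relays within a short window is flagged as a prober, while the same data seen from a single relay is not enough to flag it. The session records below are constructed.

```python
from collections import defaultdict

# Constructed sample reports: (relay_node, source_ip, connect_ts, disconnect_ts)
# in epoch seconds. The tuple layout is an assumed aggregator schema, not VPN Gate's.
SESSION_REPORTS = [
    ("relay-jp-1", "203.0.113.7", 1000, 1002),    # short session, first relay
    ("relay-jp-2", "203.0.113.7", 1001, 1003),    # same IP, another relay, a second later
    ("relay-us-1", "203.0.113.7", 1003, 1004),
    ("relay-de-1", "203.0.113.7", 1004, 1006),
    ("relay-jp-1", "198.51.100.20", 900, 4500),   # ordinary user, long session
    ("relay-jp-2", "198.51.100.20", 4600, 7800),  # same user reconnected later elsewhere
    ("relay-us-1", "192.0.2.33", 1000, 1001),     # one short session, one relay only
]


def find_probers(reports, window=60, max_duration=10, min_relays=3):
    """Return the set of source IPs that, within any `window` seconds, opened
    short sessions (<= max_duration s) against at least `min_relays` distinct
    relays. Long sessions are ignored, so ordinary users are never counted."""
    by_ip = defaultdict(list)
    for relay, ip, t0, t1 in reports:
        if t1 - t0 <= max_duration:
            by_ip[ip].append((t0, relay))
    flagged = set()
    for ip, sessions in by_ip.items():
        sessions.sort()  # by connect time
        start = 0
        # Sliding window over connect times; count distinct relays inside it.
        for end in range(len(sessions)):
            while sessions[end][0] - sessions[start][0] > window:
                start += 1
            relays = {r for _, r in sessions[start:end + 1]}
            if len(relays) >= min_relays:
                flagged.add(ip)
                break
    return flagged


def single_relay_view(reports, relay):
    """What one relay sees on its own: only its own sessions."""
    return find_probers([r for r in reports if r[0] == relay])


if __name__ == "__main__":
    print("swarm view flags:", find_probers(SESSION_REPORTS))
    print("relay-jp-1 alone flags:", single_relay_view(SESSION_REPORTS, "relay-jp-1"))
```

With the combined reports the prober 203.0.113.7 is flagged, while any single relay, seeing only one short session, flags nothing.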

The dynamic IP addresses of participants behind NAT also helped the network's availability.

The VPN servers operate on four protocols: SSL-VPN, OpenVPN, L2TP/IPsec and MS-SSTP.

Anyone who wants to help and does not mind sharing their Internet connection can download the server package, which is configured in 5-6 clicks. You can also set a message shown to users when they connect and leave an email address for contact. There is some protection from the siloviki: the client stores connection records for two weeks (you could please Yarovaya and set it to 30 days, just kidding). The speed can also be configured, and there is a built-in firewall with security settings, so your local addresses are safe. Installation does not require administrator rights.

Those who want to connect can download the client package. You can choose the countries with the best ping and throughput.
