This is a most excellent place for technology news and articles.
In case anyone wondered how to potentially get around this...
ssh -N -D 8008 your-server-iplocalhost:8008 (in Chromium/Firefox you can search for this in Settings)So, that's definitely better than nothing, but your browser isn't the only thing -- though these days, it is a very important thing -- that talks to the Internet. If, for example, you're using a lemmy client to read this, I'd bet that it's good odds that it doesn't have SOCKS support.
Though I wouldn't be surprised if someone has made VPN software that intercepts connections and acts as a proxy SOCKS client, which would make it work more like a traditional VPN if you can reach a remote SOCKS server, though maybe with a performance hit.
googles
Yeah, okay, looks like stunnel can do this on Linux. So it's a thing.
You don't need a 100% solution, though, to have a pretty big impact on society. Combine technical barriers with it just being easier to not think about what's going on outside, maybe some chilling effects from legally going after people who do start doing things that you don't like (viewing websites, spreading information, etc), and you can control people's information environment a lot. Make using circumvention solutions illegal -- okay, maybe you can bypass their system if you don't get caught, but do you want to risk it? Make creating or spreading circumvention solutions really illegal. Do you want to risk getting in a lot of trouble so that random other person can get unrestricted or unmonitored Internet access?
On that note, I was reading about the way North Korea does it in an article from someone who got out of North Korea. That is about as close as it gets to a 100% solution. Only a few thousand people are authorized to get Internet access. You need to apply to use the Internet with a couple of days lead time. Each pair of computers has a "librarian" monitoring what the Internet user on each side is doing, and every five minutes or so the computer will halt with whatever you were doing on the screen and require fingerprint re-authorization from the "librarian" to continue. Users are not allowed to view pages in Korean, just English and Chinese (I assume because most information out there that you'd have to go outside North Korea to get access to is likely available in either English or Chinese, and they definitely don't want people seeing anything out of South Korea).
That pretty much screws North Korea in terms of access to information, is a costly solution, but if you place an absolute priority on control of the information environment, North Korea does prove that it's possible to take a society there.
Unfortunately it would be trivial to block an SSH tunnel like this. I recall reading news 10 years ago (maybe even earlier) some foreign journalist tried this at a Beijing hotel room and got shut down in minutes. That was when people are still using PPTP and L2TP protocols to get around censorship, Wireguard and shadowsocks wouldn't be born for another couple years.
trivial to block an ssh tunnel like this
Far from trivial unless you’re willing to brick ssh completely, or at least cripple a bunch of non-VPN uses for tunneling. Of course it’s trivial to just block ssh outright, or block tunneling above a certain bandwidth. But that would also block, as an example, most remote IDE sessions, loopback-only server management frontends, etc.
This is actually pretty interesting, thanks for sharing. Although i live in a third world country that doesnt care about anything at all including piracy, but this tunneling thing looks pretty handy
Shithole country
Worse: shithole country that turns everything they touch into shit too.
But how are their propaganda farms going to be able to pretend they are in your country now?
They still get to operate don't worry!!
official companies are still able to use vpn 😏
annnd another dictatorship box checked off the list... wont be long now
Until what? Until Russia is a dictatorship? That ship sailed a long time ago.
Won't be long before Putin catches up to Kim Jong Un in the Oppression Olympics
Proton vpn has a feature that can be turned on for oppressive governments, ‘alternate routing’ I believe. Would that be sufficient or no?
Theoretically, yes, since there are options other than WG/OVPN available through Smart Protocol, which Alternate Routing leverages.
I live in Russia and I have vps with wireguard vpn in Netherlands. At the current moment it works for me pretty well except the some connection failures two days ago. But they were very short. But I don't know how long my vps will be accessible with these fucking blocking.
You might want to sign up with astrill. Greetings from China, we've been dealing with this shit for decades.
ProtonVPN has a "stealth" protocol. Does anyone know if that breaks through?
It was not working 2 day on mobile operators, now waiting full shutdown
I am pretty confused by the article.
What I'd expected based on what I've seen so far was that the Kremlin would not care what protocols are used, just whether the a given VPN provider was in Russia and whether it provided the government with access to monitor traffic in the VPN.
So, use whatever VPN protocol you want to talk to a VPN provider where we can monitor or block traffic by seeing inside the VPN. You don't get to talk to any VPN providers for which we can't do that, like ones outside Russia, and the Russian government will do what it can to detect and block such protocols when they pass somewhere outside of Russia.
But that doesn't seem to fit with what the article says is happening.
The media in Russia reports that the reason behind this is that the country isn’t banning specific VPNs. Instead, it’s putting restrictions on the protocols these services use.
According to appleinsider.ru, the two protocols that are subject to the restrictions are:
- OpenVPN
- WireGuard
A Russian VPN provider, Terona VPN, confirmed the recent restrictions and said its users are reporting difficulties using the service. It’s now preparing to switch to new protocols that are more resistant to blocking.
I don't see what blocking those protocols internal to Russia buys the Kremlin -- if Terona conformed to Russian rules on state access to the VPN, I don't see how the Kremlin benefits from blocking them.
And I don't see why Russia would want to permit through other protocols, though maybe there are just the only protocols that they've gotten around to blocking.
EDIT: Okay, maybe Terona doesn't conform to state rules or something and there is whitelisting of VPN providers in Russia actually happening. Looking at their VK page, it looks like Terona's top selling point is "VPN access to free internet" and they have a bunch of country flags of countries outside of Russia. So maybe Russia is blocking VPN connectivity at the point that it exits Russia, and it's affecting Terona users who are trying to use a VPN to access the Internet outside Russia, which would be in line with what I would have expected.
Shadowsocks/ShadowsocksR/vmess/vless/trojan:
Is it possible to bypass this block? Say, embedding VPN packets within a different protocol?
I don't know why some moron downvoted you, but the answer is maybe. For reference, I have always bypassed SSH firewall blocking by sneaking SSH packets within https.
The only way this won't be possible is if the government enforces installing a certificate to use the internet, so that they can do a man-in-the-middle-attack. I heard this is already being done in Afghanistan.
Can someone explain from a technical standpoint how they can block OpenVPN running on port 443? my admittedly limited understanding is that port 443 is the common port for https. If they blocked that port wouldn't that mean that they would be blocking nearly the entire internet?
I don't know what they actually do but one possibly is to look for (absence of) the TLS handshake. Or maybe they simply infect all devices on the Chinese market with MITM certificates to be able to decrypt all TLS encrypted traffic. Should be easy to force companies to do that in such a country.
The port isn’t their focus, they’re looking at the protocol that is being used, regardless of the port. The protocol is still visible when not doing deep packet inspection. That’s why there suggesting a socks proxy for Russian citizens, because that uses HTTPS to tunnel traffic, so it wouldn’t be caught up in protocol analysis.
Couldn't you just use any server/droplet/AWS instance via SSH to get around this law? Seems much simpler.
If you're savvy enough, sure. But for the lay person who doesn't want a clouded view of the world, they likely won't have the same resources or technical capabilities.
Is this just address/port blocking, or DPI of some kind? I'm wondering what they can trigger off?
OpenVPN + obfs4proxy should still work. I've been using it in China for some time along with a VPN client on Android & windows that support obfs3.