this post was submitted on 10 Aug 2023
1090 points (98.5% liked)

Technology

60134 readers
3275 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] cman6 169 points 1 year ago (6 children)

In case anyone wondered how to potentially get around this...

  • Pay for a server in another country that gives you SSH access
  • Create SSH SOCKS tunnel: ssh -N -D 8008 your-server-ip
  • Open your browser and set the SOCKS server to localhost:8008 (in Chromium/Firefox you can search for this in Settings)
[–] [email protected] 29 points 1 year ago* (last edited 1 year ago) (2 children)

So, that's definitely better than nothing, but your browser isn't the only thing -- though these days, it is a very important thing -- that talks to the Internet. If, for example, you're using a lemmy client to read this, I'd bet that it's good odds that it doesn't have SOCKS support.

Though I wouldn't be surprised if someone has made VPN software that intercepts connections and acts as a proxy SOCKS client, which would make it work more like a traditional VPN if you can reach a remote SOCKS server, though maybe with a performance hit.

googles

Yeah, okay, looks like stunnel can do this on Linux. So it's a thing.

You don't need a 100% solution, though, to have a pretty big impact on society. Combine technical barriers with it just being easier to not think about what's going on outside, maybe some chilling effects from legally going after people who do start doing things that you don't like (viewing websites, spreading information, etc), and you can control people's information environment a lot. Make using circumvention solutions illegal -- okay, maybe you can bypass their system if you don't get caught, but do you want to risk it? Make creating or spreading circumvention solutions really illegal. Do you want to risk getting in a lot of trouble so that random other person can get unrestricted or unmonitored Internet access?

On that note, I was reading about the way North Korea does it in an article from someone who got out of North Korea. That is about as close as it gets to a 100% solution. Only a few thousand people are authorized to get Internet access. You need to apply to use the Internet with a couple of days lead time. Each pair of computers has a "librarian" monitoring what the Internet user on each side is doing, and every five minutes or so the computer will halt with whatever you were doing on the screen and require fingerprint re-authorization from the "librarian" to continue. Users are not allowed to view pages in Korean, just English and Chinese (I assume because most information out there that you'd have to go outside North Korea to get access to is likely available in either English or Chinese, and they definitely don't want people seeing anything out of South Korea).

That pretty much screws North Korea in terms of access to information, is a costly solution, but if you place an absolute priority on control of the information environment, North Korea does prove that it's possible to take a society there.

load more comments (2 replies)
[–] petrich0r 15 points 1 year ago* (last edited 1 year ago) (1 children)

Unfortunately it would be trivial to block an SSH tunnel like this. I recall reading news 10 years ago (maybe even earlier) some foreign journalist tried this at a Beijing hotel room and got shut down in minutes. That was when people are still using PPTP and L2TP protocols to get around censorship, Wireguard and shadowsocks wouldn't be born for another couple years.

[–] MooseBoys 14 points 1 year ago (2 children)

trivial to block an ssh tunnel like this

Far from trivial unless you’re willing to brick ssh completely, or at least cripple a bunch of non-VPN uses for tunneling. Of course it’s trivial to just block ssh outright, or block tunneling above a certain bandwidth. But that would also block, as an example, most remote IDE sessions, loopback-only server management frontends, etc.

load more comments (2 replies)
load more comments (4 replies)
[–] eran_morad 110 points 1 year ago (1 children)
[–] [email protected] 47 points 1 year ago (10 children)

Worse: shithole country that turns everything they touch into shit too.

load more comments (10 replies)
[–] [email protected] 72 points 1 year ago (12 children)

But how are their propaganda farms going to be able to pretend they are in your country now?

[–] [email protected] 34 points 1 year ago

They still get to operate don't worry!!

[–] avater 15 points 1 year ago

official companies are still able to use vpn 😏

load more comments (10 replies)
[–] [email protected] 67 points 1 year ago (1 children)

annnd another dictatorship box checked off the list... wont be long now

[–] [email protected] 90 points 1 year ago (3 children)

Until what? Until Russia is a dictatorship? That ship sailed a long time ago.

[–] fluxion 17 points 1 year ago (20 children)

Won't be long before Putin catches up to Kim Jong Un in the Oppression Olympics

load more comments (20 replies)
load more comments (2 replies)
[–] biblbrox 57 points 1 year ago* (last edited 1 year ago) (4 children)

I live in Russia and I have vps with wireguard vpn in Netherlands. At the current moment it works for me pretty well except the some connection failures two days ago. But they were very short. But I don't know how long my vps will be accessible with these fucking blocking.

[–] godless 44 points 1 year ago (1 children)

You might want to sign up with astrill. Greetings from China, we've been dealing with this shit for decades.

load more comments (1 replies)
load more comments (3 replies)
[–] [email protected] 35 points 1 year ago (1 children)

Now comes the Great Russian Firewall.

[–] BrianTheeBiscuiteer 30 points 1 year ago (1 children)
load more comments (1 replies)
[–] breakerfall 27 points 1 year ago (4 children)

ProtonVPN has a "stealth" protocol. Does anyone know if that breaks through?

load more comments (4 replies)
[–] Ildar 27 points 1 year ago (3 children)

It was not working 2 day on mobile operators, now waiting full shutdown

load more comments (3 replies)
[–] [email protected] 26 points 1 year ago* (last edited 1 year ago) (1 children)

I am pretty confused by the article.

What I'd expected based on what I've seen so far was that the Kremlin would not care what protocols are used, just whether the a given VPN provider was in Russia and whether it provided the government with access to monitor traffic in the VPN.

So, use whatever VPN protocol you want to talk to a VPN provider where we can monitor or block traffic by seeing inside the VPN. You don't get to talk to any VPN providers for which we can't do that, like ones outside Russia, and the Russian government will do what it can to detect and block such protocols when they pass somewhere outside of Russia.

But that doesn't seem to fit with what the article says is happening.

The media in Russia reports that the reason behind this is that the country isn’t banning specific VPNs. Instead, it’s putting restrictions on the protocols these services use.

According to appleinsider.ru, the two protocols that are subject to the restrictions are:

  • OpenVPN
  • WireGuard

A Russian VPN provider, Terona VPN, confirmed the recent restrictions and said its users are reporting difficulties using the service. It’s now preparing to switch to new protocols that are more resistant to blocking.

I don't see what blocking those protocols internal to Russia buys the Kremlin -- if Terona conformed to Russian rules on state access to the VPN, I don't see how the Kremlin benefits from blocking them.

And I don't see why Russia would want to permit through other protocols, though maybe there are just the only protocols that they've gotten around to blocking.

EDIT: Okay, maybe Terona doesn't conform to state rules or something and there is whitelisting of VPN providers in Russia actually happening. Looking at their VK page, it looks like Terona's top selling point is "VPN access to free internet" and they have a bunch of country flags of countries outside of Russia. So maybe Russia is blocking VPN connectivity at the point that it exits Russia, and it's affecting Terona users who are trying to use a VPN to access the Internet outside Russia, which would be in line with what I would have expected.

load more comments (1 replies)
[–] [email protected] 26 points 1 year ago (31 children)

Russia is a terrorist state. #SlavaUkraini #ArmUkraineForVictory

load more comments (31 replies)
[–] callmepk 25 points 1 year ago

Shadowsocks/ShadowsocksR/vmess/vless/trojan:

[–] egeres 22 points 1 year ago (3 children)

Is it possible to bypass this block? Say, embedding VPN packets within a different protocol?

[–] [email protected] 16 points 1 year ago (2 children)

I don't know why some moron downvoted you, but the answer is maybe. For reference, I have always bypassed SSH firewall blocking by sneaking SSH packets within https.

The only way this won't be possible is if the government enforces installing a certificate to use the internet, so that they can do a man-in-the-middle-attack. I heard this is already being done in Afghanistan.

load more comments (2 replies)
load more comments (2 replies)
[–] rustydomino 19 points 1 year ago (4 children)

Can someone explain from a technical standpoint how they can block OpenVPN running on port 443? my admittedly limited understanding is that port 443 is the common port for https. If they blocked that port wouldn't that mean that they would be blocking nearly the entire internet?

[–] [email protected] 13 points 1 year ago (1 children)

I don't know what they actually do but one possibly is to look for (absence of) the TLS handshake. Or maybe they simply infect all devices on the Chinese market with MITM certificates to be able to decrypt all TLS encrypted traffic. Should be easy to force companies to do that in such a country.

[–] Shan 29 points 1 year ago (4 children)

The port isn’t their focus, they’re looking at the protocol that is being used, regardless of the port. The protocol is still visible when not doing deep packet inspection. That’s why there suggesting a socks proxy for Russian citizens, because that uses HTTPS to tunnel traffic, so it wouldn’t be caught up in protocol analysis.

load more comments (4 replies)
load more comments (3 replies)
[–] BloopWut 18 points 1 year ago

OpenVPN + obfs4proxy should still work. I've been using it in China for some time along with a VPN client on Android & windows that support obfs3.

[–] [email protected] 17 points 1 year ago (8 children)

Couldn't you just use any server/droplet/AWS instance via SSH to get around this law? Seems much simpler.

[–] [email protected] 17 points 1 year ago

If you're savvy enough, sure. But for the lay person who doesn't want a clouded view of the world, they likely won't have the same resources or technical capabilities.

load more comments (7 replies)
[–] [email protected] 17 points 1 year ago (3 children)

Is this just address/port blocking, or DPI of some kind? I'm wondering what they can trigger off?

load more comments
view more: next ›