WISHLIST, access in China, Iran, Pakistan etc

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
jeff.tutin@ntlworld.com
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 03, 2014 12:23 pm

WISHLIST, access in China, Iran, Pakistan etc

Post by jeff.tutin@ntlworld.com » Fri Oct 03, 2014 12:39 pm

VPN access in undemocratic repressive regimes is an absolute must for democracy. Unfortunately China has, for a while been using deep packet inspection and seems to be able to tell the difference between OpenVPN SSL traffic and normal SSL traffic. Surly the geniuses out there who write Open VPN can do something to make this impossible. L2TP/IPSec VPNs work ok but OpenVPN does not. I cannot think of a more worthy cause for you guys to work on.

There is one post out there of a patch but this is far too complicated for most people and does not cover mobile clients (Android Phones) that are the norm for access in these countries.

Let’s get the community behind a fix in the core product

skeeve
OpenVpn Newbie
Posts: 14
Joined: Tue Jun 10, 2014 3:49 am

Re: WISHLIST, access in China, Iran, Pakistan etc

Post by skeeve » Mon Nov 24, 2014 11:52 am

I would really appreciate a fix for this as well. China has shut me down every time I set up a new server.

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: WISHLIST, access in China, Iran, Pakistan etc

Post by Douglas » Mon Dec 29, 2014 1:40 pm

jeff.tutin@ntlworld.com wrote:VPN access in undemocratic repressive regimes is an absolute must for democracy. Unfortunately China has, for a while been using deep packet inspection and seems to be able to tell the difference between OpenVPN SSL traffic and normal SSL traffic. Surly the geniuses out there who write Open VPN can do something to make this impossible. L2TP/IPSec VPNs work ok but OpenVPN does not. I cannot think of a more worthy cause for you guys to work on.

There is one post out there of a patch but this is far too complicated for most people and does not cover mobile clients (Android Phones) that are the norm for access in these countries.

Let’s get the community behind a fix in the core product
I think this would be a worthy cause. Good idea. Not sure it is feasible, though. :mrgreen:

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: WISHLIST, access in China, Iran, Pakistan etc

Post by Traffic » Wed Dec 31, 2014 3:23 am

Worthy cause .. Yes !

Possible .. No :(

Consider this:

A packet transmitted over the internet is structured (more or less) like so:

[Some data]:: not relevant
[IP Destination Address]:: Very Relevant ! << This is the problem.
[IP Source Address]:: Quite Relevant
[Payload]:: Could be anything ..

The destination address of your packet reveals, to the Powers that Be, the means by which they can choose to filter. If that destination is something they don't like they drop it. Otherwise known as "The Great Firewall" ..

I think a more viable solution, for people enslaved by undemocratic governments, would be to dig secret tunnels (in the ground) out of your countries and link up to the rest of the world that way. Either with signals or on foot.

My deepest sympathy .. fight the power .. don't believe the hype ..

Tor network might be of more use in this situation.

DarkCenobyte
OpenVpn Newbie
Posts: 1
Joined: Sun Apr 26, 2015 2:18 pm

Re: WISHLIST, access in China, Iran, Pakistan etc

Post by DarkCenobyte » Sun Apr 26, 2015 2:41 pm

Traffic wrote:Possible .. No :(

Consider this:

A packet transmitted over the internet is structured (more or less) like so:

[Some data]:: not relevant
[IP Destination Address]:: Very Relevant ! << This is the problem.
[IP Source Address]:: Quite Relevant
[Payload]:: Could be anything ..

The destination address of your packet reveals, to the Powers that Be, the means by which they can choose to filter. If that destination is something they don't like they drop it. Otherwise known as "The Great Firewall" ..

I think a more viable solution, for people enslaved by undemocratic governments, would be to dig secret tunnels (in the ground) out of your countries and link up to the rest of the world that way. Either with signals or on foot.

My deepest sympathy .. fight the power .. don't believe the hype ..

Tor network might be of more use in this situation.
It's not completely impossible, and Tor has exactly the same problem in these countries with the basic configuration.

Actually, Tor has a component named "obfsproxy", he obfuscate the traffic (using protocols as obfs3, scramblesuit, ...).
With Tor you need to configure the transport bridge server to use (you can get their IP here: https://bridges.torproject.org/ ) and then the traffic can pass "the great firewall" and others DPI systems.

There is some tutorials on the web who speak about accessing to an OpenVPN Server with an obfsproxy access, but this add some constraint (udp protocol unsupported, ...).

So I don't think it's impossible to implement directly the obfsproxy functionnalities into OpenVPN, that could at least protect users using their own VPN on an external server, ... (because even if a big VPN is banned because his IP is known, I guess they can't detect a VPN Server if his traffic is obfuscate).

(sorry if my english isn't very good, not my mothertongue)

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: WISHLIST, access in China, Iran, Pakistan etc

Post by Traffic » Mon Nov 23, 2015 2:35 pm

Unless you can bypass TGFW completely, they are in control of what you can send and receive .. no matter what encryption you use.

Post Reply