Page 1 of 1

Automated OpenVPN detection and blocking from china

Posted: Wed Dec 12, 2012 12:06 pm
by senseless
Around November this year China fired up a new detection and blocking technique in china. Typically in the past any website that is banned in china would just have incorrect DNS information given to them by their ISP. Now, They're leaving the DNS information alone instead blocking the ip address and port of any active OpenVPN servers.

I believe this technique to be automated, here's why.

I always left UDP connections for OpenVPN disabled forcing connectivity via TCP port 443. When this became banned I had a client allow me to team viewer into their system within china. I noticed that the DNS information for my server was fine, but that the port was outright blocked by their ISP. I could still connect to other ports on the server, just not OpenVPN ports. Figuring this out, I thought "I'll just changed the port or enable alternative ports". So, I enabled the UDP OpenVPN connectivity which runs over UDP 1194. Within 48 hours of enabling this and only allowing 1 client to connect this new port was banned. Either the client was a government shill, or they're doing some sort of automated packet scanning technique. I then changed the port once more, and again within 48 hours it was banned.

There has to be some sort of identifying information within the packet or the port that they're able to detect. If any hacker on here would be willing to dissect the OpenVPN packets to see if there is any identifying information it would be greatly appreciated. There has to be something that can be changed within OpenVPN to make it once again undetectable or look like SSL data; so it cannot be blocked.

IPSec based vpns still seem to be working fine from china. Also, I'm using the Access Server version, but many people are reporting the same issue on the community version.

Re: Automated OpenVPN detection and blocking from china

Posted: Wed Dec 12, 2012 1:26 pm
by maikcat

Re: Automated OpenVPN detection and blocking from china

Posted: Mon Dec 17, 2012 12:49 pm
by frankunblock
Hi,
I am inside China. And I am experiencing the same issue. I think they have developed the new technique of automatic detection and blocking.
When we were first blocked in Nov., all of us stopped using UDP and shifted to TCP. Nowadays, it is very unstable and even cut off after a few hours of successful connection when changing port.
Do you have any idea? Or, I can offer help from inside.

Re: Automated OpenVPN detection and blocking from china

Posted: Fri Dec 21, 2012 9:15 am
by marcel
Hi,

we also got the same problem with our OpenVPN server which is included in an IPCop. We already tried to change the port of the server. This works for some time but then the connections failed again. Is there any change for a stable VPN connection from China to Europe (Germany)?
Would a change from OpenVPN to IPSec for example solve this?
I cannot find any information for this problem on the internet. But I don't think that we are the only one who have this issue. Would be great if anybody can help us here.
Thanks
Marcel

Re: Automated OpenVPN detection and blocking from china

Posted: Fri Dec 28, 2012 7:03 pm
by senseless
I saw this today on google news and thought I would share

http://www.nytimes.com/2012/12/29/world ... ted=2&_r=0
The Chinese government has been experimenting over the past two years with ways to identify and block VPNs, said Xiao Qiang, the leader of a team of Chinese Internet researchers at the University of California, Berkeley. But the government did not begin deploying that capability on a considerable scale until September, and it has stepped up its use of blocking since then, particularly in the weeks leading up to the Communist Party’s National Congress in early November, he said.

Although many had expected the blocking of Web sites and VPNs to recede after the party congress, that has not happened. Mr. Xiao said that the Chinese blocking of VPNs was “technically savvy and politically self-destructive,” in that it may allow the authorities to more effectively monitor communications and interfere with the dissemination of politically sensitive information, but at a high price in terms of antagonizing computer users across China.

Re: Automated OpenVPN detection and blocking from china

Posted: Fri Dec 28, 2012 7:04 pm
by senseless
marcel wrote:Hi,

we also got the same problem with our OpenVPN server which is included in an IPCop. We already tried to change the port of the server. This works for some time but then the connections failed again. Is there any change for a stable VPN connection from China to Europe (Germany)?
Would a change from OpenVPN to IPSec for example solve this?
I cannot find any information for this problem on the internet. But I don't think that we are the only one who have this issue. Would be great if anybody can help us here.
Thanks
Marcel
I've been having my customers use L2TP/IPSec which seems to still be functioning from inside china at this time. I don't think they will break the IPSec protocol, at least not at this time, there are to many businesses that rely on it. SSTP may work, but runs on SSL, so may also be targeted along with OpenVPN.

Re: Automated OpenVPN detection and blocking from china

Posted: Sat Dec 29, 2012 6:27 am
by chinali
I am also in China and have experienced exactly the same pattern.

We have been using a VPN service through OpenVPN running on our office's servers in France.
Seemingly through DPI techniques, VPN connections are accepted the first time, then within 24 the IP:PORT pattern is blacklisted nation-wide on all internet providers. Since the ban is not "per IP", changing the port helps restoring the connectivity, but only for one more time.

Noteworthy, this affects also VPN servers with very limited user-base. For instance only 2 people in our office have used it at any time. Let me also point out that our purpose is accessing our office's intranet remotely, not browsing otherwise blocked websites.

Since early this year the Obfsproxy project has been started: https://github.com/isislovecruft/obfsproxy whose goal is to conceal traffic from DPI systems. However, so far Obfsproxy is only bundled with TOR (which is not a solution for our company given the exposure of the exit node).

I would like to hear from OpenVPN devs on ways to use obfsproxy with OpenVPN. Or any other ideas on how to restore a VPN in China.

Please let me know if I can provide you with more supporting documentation or testing logs.

Re: Automated OpenVPN detection and blocking from china

Posted: Thu Jan 03, 2013 9:51 pm
by zstarman
Man..All of us over in NA thought SOPA was going to be rough.... I couldn't imagine having to deal with restraints like that.. Screwed up.

Re: Automated OpenVPN detection and blocking from china

Posted: Thu Jan 16, 2014 11:37 pm
by dinaomarafifi
I've been able to bypass any blocked websites using this OpenVPN software freely https://www.iwasel.com/en/ . It is the best way to open blocked websites everywhere.

Re: Automated OpenVPN detection and blocking from china

Posted: Mon Jul 07, 2014 2:57 pm
by linda.carter
I have tried many ways, free and paid ways to open blocked websites, I think vpn works better than others, this is what I can recommend,try the service before you pay for it!
I ordered my account from http://saturnvpn.com the price is great. 1Months $3.3 , 3Months $7 and 12 Months $16
It has free test account and you can try the service for free.
http://saturnvpn.com/free-test-account/
It supports all protocols(PPTP, L2TP, OpenVPN), And you don't have to buy different accounts for different devices(use 1 account to connect on your computer and your mobile at the same time)

Re: Automated OpenVPN detection and blocking from china

Posted: Wed Aug 29, 2018 6:46 am
by Lindaawilsoon
dinaomarafifi wrote:
Thu Jan 16, 2014 11:37 pm
I've been able to bypass any blocked websites using this OpenVPN software freely. It is the best way to open blocked websites everywhere.
Yes this is the best way to unblock GEO-Restriction sites and social network as well using this OpenVPN software freely.
https://www.bestvpn.co/best-vpn-for-china/