Government firewall has been kicking my arse lately, I'm motivated to do something about it and felt that I'd brainstorm here
Amerifats might be interested given possible action on VPNs etc.
Basically, OpenVPN can be detected via deep packet inspection, it has a signature. PPtP isn't officially secure but it's good enough for casual use however regardless, it's a fixed port and easily blocked.
Long lived encrypted connections can be detected over time and blocked or throttled.
I've experienced all of the above at various times, plus connections outside the country are often just slower (because of keyword scanning against url/page content and packet inspection and because fuck you that's why) so sometimes VPNs just die because the handshake lags out without being explicitly blocked.
I made a feature list that I'd want for a VPN and nothing delivers it.
* frequency hopping/spread spectrum over ports
* emulate game traffic or other potentially whitelisted protocols
* nominative steganography - insert encrypted binary content into jpg wrappers (or other whitelisted file types) and send as http
* no exactly regular keep-alive, randomise port and time
* detect disconnected state but allow reconnect when bandwidth recovers
* avoid mindless polling when disconnected, use whitelisted IPs that won't attract government attention to detect bandwidth recovery before resuming contact with VPN
* support encryption plugins
Basically only the last one is really a feature of existing VPNs.
This means that I really need to code my own.
Charles Ramirez
TCP networking is complicated though and I'm definitely inexperienced with it.
So my thoughts are:
* Rip the client and server code out of OpenVPN
* Write an API to these
* Move all port/timing/handshaking/keep-alive/reconnection code into swappable module classes
* implement custom code in those classes
Caleb Anderson
So what does Sup Forums think of this as a project?
Any interest in helping out?
Joseph Jones
you need udp to emulate game traffic and to detect disconnected state but allow reconnect
Austin Lopez
also i don't think you can do the "spread spectrum" over ports or pipelining at the vpn layer but i'm not entirely certain about that
Liam Rivera
it's reasonably easy to have the client and server negotiate a new port each time they connect but i think it will have to be out of band (i.e. a https server). i don't think you have thought through the keep alive stuff. you will feel it when it cuts out on you and then reconnect is expensive in network terms.
Luis Garcia
any applications you have running will need to know about this i suppose or maybe the keep-alive port change happens when you are network idle
Landon Roberts
if you try to send http traffic over udp everyone will know for sure it's fake
Ryder Garcia
gee user it looks like you haven't even spent 2 days thinking about this but keep scribbling and eventually something good will come out
Christian Peterson
hey user have you tried shadowsocks. it can apparently get through GFC undetected.
Parker Wright
>you need udp to emulate game traffic and to detect disconnected state but allow reconnect I could infer disconnection from packet timeout maybe. Switching to udp as required should be ok though. Only IP blocking would stop that, right?
IP blocking is unlikely but I suppose it's possible if the server were detected as a VPN but we're trying to avoid that anyway.
>also i don't think you can do the "spread spectrum" over ports or pipelining at the vpn layer but i'm not entirely certain about that
Why not? Just have a range of ports that we transmit at, renegotiated now and then in real-time. Like, the ports are 25332, 45925, 55402 for now and then a minute later, the server suggests a new set of ports and the client acknowledges and then the server uses the new ones. The client probably needs to keep listening on the old ones until it receives a confirmation on the new ones.
>it's reasonably easy to have the client and server negotiate a new port each time they connect but i think it will have to be out of band
I guess the initial handshake would pass over a list of ports that could be used like a one-time pad for future connections. The list can be wiped and replaced after every successful connection.
The stuff about reconnection is more about just dropping packets until the server/internet is available again rather than terminating the client side process, which most existing VPN clients do.
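A toy model of the port-set renegotiation sketched above (server proposes a new set, client acks, server confirms on a new port, client only then drops the old set). This is an added example, not code from the thread; the message shapes, the three-port set and the seeded random port picker are assumptions.

```python
import random

EPHEMERAL = range(20000, 60000)  # assumed pool the sets are drawn from


class Server:
    """Holds the active port set and drives rotations."""
    def __init__(self, rng, n_ports=3):
        self.rng, self.n = rng, n_ports
        self.active = self._pick()
        self.pending = None

    def _pick(self):
        return set(self.rng.sample(EPHEMERAL, self.n))

    def propose_rotation(self):
        self.pending = self._pick()
        return {"type": "propose", "ports": sorted(self.pending)}

    def handle(self, msg):
        # Switch only when the client acks exactly the set we proposed;
        # the confirmation is sent on a port from the NEW set.
        if msg["type"] == "ack" and set(msg["ports"]) == self.pending:
            self.active, self.pending = self.pending, None
            return {"type": "confirm", "port": next(iter(self.active))}
        return None


class Client:
    """Keeps the old set open until a confirmation arrives on the new set."""
    def __init__(self, initial):
        self.current, self.candidate = set(initial), None

    def listening(self):
        return self.current | (self.candidate or set())

    def handle(self, msg):
        if msg["type"] == "propose":
            self.candidate = set(msg["ports"])
            return {"type": "ack", "ports": sorted(self.candidate)}
        if msg["type"] == "confirm" and self.candidate and msg["port"] in self.candidate:
            self.current, self.candidate = self.candidate, None
        return None


def rotate_once(server, client):
    """Run one rotation; return (ports open during overlap, ports open after)."""
    ack = client.handle(server.propose_rotation())
    during = client.listening()          # old set plus candidate set
    client.handle(server.handle(ack))    # confirm arrives on a new port
    return during, client.listening()
```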
Nicholas Hughes
>shadowsocks >GFC
Never heard of it but I'll look into it. Any thing to say about it?
Aiden Martinez
no openvpn doesn't terminate when over udp/tcp not sure when the connection drops out. it doesn't release the routes either. if your vpn terminates and releases the routes then you are actually putting people at risk
Brayden Phillips
when you disconnect you feel it. your applications feel it too. when you have to reconnect you will have to go through the entire process of DH key exchange etc... to get going again. it takes a while and it's super annoying.
Ian Gonzalez
>no openvpn doesn't terminate when over udp/tcp not sure when the connection drops out. it doesn't release the routes either. if your vpn terminates and releases the routes then you are actually putting people at risk
It does terminate, though that might actually be spoofed hangup packets maybe.
If I'm using OpenVPN or PPtP, sooner or later the connection dies and the client terminates. Then I have to reconnect.
Sometimes the connection dies but the client is still alive and I just have zero bandwidth but that's less common.
Eli Walker
post your config file
Xavier Gutierrez
>when you disconnect you feel it. your applications feel it too
They feel the packet loss anyway, sublime will block until its read/write completes or the kernel eventually kills it.
So what can I do to more gracefully reestablish a connection?
A disconnection here is more like being throttled because I tripped some GFC rule than anything else, it would most likely look like packet loss or a huge lag spike or lots of corrupt packets being flooded and spoofed into the stream (one reason for wanting some port hopping).
Dominic Edwards
--resolv-retry n If hostname resolve fails for --remote, retry resolve for n seconds before failing.
Set n to "infinite" to retry indefinitely.
By default, --resolv-retry infinite is enabled. You can disable by setting n=0.
ever have that thing happen when you're browsing on your vpn and loading some page on your browser and then the vpn cuts out so you restart it and refresh the page that was loading but it doesn't work until you open it again in a new tab and then it works? this. stall more shitcunt
>ever have that thing happen when you're browsing on your vpn and loading some page on your browser and then the vpn cuts out so you restart it and refresh the page that was loading but it doesn't work until you open it again in a new tab and then it works? >this.
That would be the browser getting confused with its DNS cache, right? I sometimes have problems if I open a page without VPN and it's blocked and then I activate the VPN and the browser keeps loading the block until I slap it
Colton Jones
Server/OpenVPN, now without comments:
port 443
proto udp
dev tun
ca ca.crt
cert anonserver.crt
key anonserver.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
Colton Davis
You guys are having a very lengthy discussion about things I don't understand but I'm going to ask, wouldn't it be easier and or simpler to simply use a disposable/burner cellular connection in order to achieve maximum privacy?
It isn't conceivable that you will hide within the crowd by dissimulating your traffic, it still is going somewhere and who ever is monitoring the network would be able to see that wouldn't they?
Matthew Evans
>wouldn't it be easier and or simpler to simply use a disposable/burner cellular connection in order to achieve maximum privacy? Not as a permanent networking solution.
>it still is going somewhere and who ever is monitoring the network would be able to see that wouldn't they?
They can see the source and destination but not the content. Anyway, it's about defeating automated monitoring which attempts to detect and suppress VPN traffic.
Christian Hall
If you get this going, OP then it would be super interesting.
Noah Edwards
>it's about defeating automated monitoring which attempts to detect and suppress VPN traffic.
I understand the point and what you're trying to achieve. But there will never be such a thing as a permanent solution. And when found out that such a bypass exists by authorities you would essentially be labeled guilty with no evidence and have even more attention onto you that you're trying to avoid to begin with.
Zachary Murphy
>I understand the point and what you're trying to achieve. But there will never be such a thing as a permanent solution. And when found out that such a bypass exists by authorities you would essentially be labeled guilty with no evidence and have even more attention onto you that you're trying to avoid to begin with.
Part of the reason why I want the encryption and traffic part of the software to be modular. If governments adapt, we can swap out the module or rewrite it.