Hey Sup Forums

Government firewall has been kicking my arse lately, I'm motivated to do something about it and felt that I'd brainstorm here

Amerifats might be interested given possible action on VPNs etc.

Basically, OpenVPN can be detected via deep packet inspection, it has a signature.
PPTP isn't officially secure but it's good enough for casual use; regardless, it's a fixed port and easily blocked.

Long lived encrypted connections can be detected over time and blocked or throttled.

I've experienced all of the above at various times, plus connections outside the country are often just slower (because of keyword scanning against url/page content and packet inspection and because fuck you that's why) so sometimes VPNs just die because the handshake lags out without being explicitly blocked.

I made a feature list that I'd want for a VPN and nothing delivers it.

Feature list follows.

I'd want something like the following:

* frequency hopping/spread spectrum over ports
* emulate game traffic or other potentially whitelisted protocols
* nominative steganography - insert encrypted binary content into jpg wrappers (or other whitelisted file types) and send as http
* no exactly regular keep-alive, randomise port and time
* detect disconnected state but allow reconnect when bandwidth recovers
* avoid mindless polling when disconnected, use whitelisted IPs that won't attract government attention to detect bandwidth recovery before resuming contact with VPN
* support encryption plugins

Basically only the last one is really a feature of existing VPNs.

This means that I really need to code my own.

TCP networking is complicated though and I'm definitely inexperienced with it.

So my thoughts are:
* Rip the client and server code out of OpenVPN
* Write an API to these
* Move all port/timing/handshaking/keep-alive/reconnection code into swappable module classes
* implement custom code in those classes

So what does Sup Forums think of this as a project?

Any interest in helping out?
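Added example (not from the thread, and not OpenVPN's own code) of the "signature" point above: what a DPI rule can key on in OpenVPN's opening exchange. In UDP mode the first byte of every OpenVPN packet carries the opcode and key id, and the two hard-reset packets carry session ids at fixed positions, so a handful of constructed packets is enough to fingerprint the handshake. The flows below are constructed for this example; the field offsets assume no tls-auth/tls-crypt, which insert an HMAC and replay fields after the session id and shift every later offset (the opcode byte itself stays in the clear either way).

```python
# Added example: the handshake fingerprint a DPI rule can key on.
# Opcode values are OpenVPN's; packet layouts below assume no tls-auth/
# tls-crypt (an assumption for this example: those options add an HMAC
# and replay fields after the session id, shifting every later offset).

# In UDP mode the first byte of every OpenVPN packet is (opcode << 3) | key_id.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
CLIENT_RESET = {1, 7, 10}
SERVER_RESET = {2, 8}


def parse_opcode(payload):
    """(opcode, key_id) from the first byte; (None, None) for an empty payload."""
    if not payload:
        return None, None
    return payload[0] >> 3, payload[0] & 0x07


def parse_hard_reset(payload):
    """Parse a hard-reset control packet laid out as: opcode/key_id (1) |
    session id (8) | ack count (1) | acked packet ids (4 each) | remote
    session id (8, present only when ack count > 0) | packet id (4).
    Returns None unless the bytes fit that layout exactly."""
    if len(payload) < 14:
        return None
    opcode, key_id = parse_opcode(payload)
    session_id = payload[1:9]
    ack_count = payload[9]
    pos = 10 + 4 * ack_count
    remote_session_id = None
    if ack_count:
        if len(payload) < pos + 8:
            return None
        remote_session_id, pos = payload[pos:pos + 8], pos + 8
    if len(payload) != pos + 4:
        return None
    return {"opcode": opcode, "key_id": key_id, "session_id": session_id,
            "remote_session_id": remote_session_id,
            "packet_id": int.from_bytes(payload[pos:], "big")}


def looks_like_openvpn(flow):
    """flow: list of (direction, payload) in capture order, direction 'c2s'
    or 's2c'. True when the first client packet is a hard reset with key id 0,
    the first server packet is a hard reset whose remote session id echoes the
    client's session id, and every packet in the flow carries a known opcode."""
    c2s = [p for d, p in flow if d == "c2s"]
    s2c = [p for d, p in flow if d == "s2c"]
    if not c2s or not s2c:
        return False
    client, server = parse_hard_reset(c2s[0]), parse_hard_reset(s2c[0])
    if client is None or server is None:
        return False
    if client["opcode"] not in CLIENT_RESET or client["key_id"] != 0:
        return False
    if server["opcode"] not in SERVER_RESET:
        return False
    if server["remote_session_id"] != client["session_id"]:
        return False
    return all(parse_opcode(p)[0] in OPCODES for _, p in flow)


# Constructed sample flows for the example (not captured traffic).
CLIENT_SID = bytes.fromhex("1122334455667788")
SERVER_SID = bytes.fromhex("99aabbccddeeff00")
PID0 = (0).to_bytes(4, "big")

OPENVPN_FLOW = [
    # client hard reset v2, key id 0, no acks, packet id 0 (14 bytes)
    ("c2s", bytes([7 << 3]) + CLIENT_SID + b"\x00" + PID0),
    # server hard reset v2 acking packet 0 of the client's session (26 bytes)
    ("s2c", bytes([8 << 3]) + SERVER_SID + b"\x01" + PID0 + CLIENT_SID + PID0),
    # client ack, then a control packet carrying the start of a TLS ClientHello
    ("c2s", bytes([5 << 3]) + CLIENT_SID + b"\x01" + PID0 + SERVER_SID),
    ("c2s", bytes([4 << 3]) + CLIENT_SID + b"\x00" + (1).to_bytes(4, "big") + b"\x16\x03\x01"),
    # later, P_DATA_V2 packets with opaque payloads in both directions
    ("s2c", bytes([9 << 3]) + bytes(range(48))),
    ("c2s", bytes([9 << 3]) + bytes(range(64))),
]

DNS_FLOW = [  # a plain DNS A query and response
    ("c2s", bytes.fromhex("abcd01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"),
    ("s2c", bytes.fromhex("abcd81800001000100000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"),
]

GAME_LIKE_FLOW = [  # same leading byte as a client reset, but the layout does not fit
    ("c2s", bytes([7 << 3]) + bytes(60)),
    ("s2c", bytes([8 << 3]) + bytes(60)),
]
```

The point for the feature list: the giveaway is not the port number but the shape of the first two packets and the opcode byte on every packet after them, so moving OpenVPN to port 443 (as in the configs posted later in the thread) changes nothing a DPI box cares about. Anything that wraps OpenVPN has to replace that leading byte and the reset exchange, not just the transport.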

You need UDP to emulate game traffic and to detect disconnected state but allow reconnect.

Also I don't think you can do the "spread spectrum" over ports or pipelining at the VPN layer, but I'm not entirely certain about that.

It's reasonably easy to have the client and server negotiate a new port each time they connect, but I think it will have to be out of band (i.e. an HTTPS server). I don't think you have thought through the keep-alive stuff. You will feel it when it cuts out on you, and then reconnecting is expensive in network terms.

Any applications you have running will need to know about this I suppose, or maybe the keep-alive port change happens when you are network idle.

If you try to send HTTP traffic over UDP everyone will know for sure it's fake.

Gee, user, it looks like you haven't even spent 2 days thinking about this, but keep scribbling and eventually something good will come out.

Hey user, have you tried shadowsocks? It can apparently get through GFC undetected.

>You need UDP to emulate game traffic and to detect disconnected state but allow reconnect.
I could infer disconnection from packet timeout maybe.
Switching to udp as required should be ok though. Only IP blocking would stop that, right?

IP blocking is unlikely but I suppose it's possible if the server were detected as a VPN but we're trying to avoid that anyway.

>Also I don't think you can do the "spread spectrum" over ports or pipelining at the VPN layer, but I'm not entirely certain about that.
Why not? Just have a range of ports that we transmit at, renegotiated now and then in real-time. Like, the ports are 25332, 45925, 55402 for now and then a minute later, the server suggests a new set of ports and the client acknowledges and then the server uses the new ones. The client probably needs to keep listening on the old ones until it receives a confirmation on the new ones.

>It's reasonably easy to have the client and server negotiate a new port each time they connect, but I think it will have to be out of band
I guess the initial handshake would pass over a list of ports that could be used like a one-time pad for future connections. The list can be wiped and replaced after every successful connection.

The stuff about reconnection is more about just dropping packets until the server/internet is available again rather than terminating the client side process, which most existing VPN clients do.

>shadowsocks
>GFC

Never heard of it but I'll look into it. Any thing to say about it?
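Added example (not from the thread, and not OpenVPN's code) of the port-hop exchange described above: the server proposes a new port set, the client acknowledges, and each side keeps the old ports open until the switch is confirmed. It generalizes the post slightly: rather than sending a port list, both ends derive each epoch's port set from a shared secret with HMAC, so the only thing on the wire is an epoch number. The `Peer` class, the `HOP`/`HOP_ACK` messages and the secret are assumptions made for this illustration; the two `Peer` objects stand in for the two hosts and no sockets are opened.

```python
import hashlib
import hmac
import struct

# Assumption for this example: the two ends already share this secret from
# the initial handshake, so nothing about the port schedule crosses the wire
# except an epoch number. Constructed value, not a real key.
SECRET = b"constructed-shared-secret"


def port_set(secret, epoch, count=3, lo=20000, hi=60000):
    """Derive `count` distinct ports in [lo, hi] for `epoch` from the shared
    secret. Both ends compute the same set, so a hop needs only an epoch."""
    ports = []
    counter = 0
    while len(ports) < count:
        mac = hmac.new(secret, struct.pack(">QI", epoch, counter), hashlib.sha256).digest()
        port = lo + int.from_bytes(mac[:4], "big") % (hi - lo + 1)
        if port not in ports:
            ports.append(port)
        counter += 1
    return ports


class Peer:
    """One end of the tunnel. Accepts datagrams on the current epoch's ports
    and, until the hop is confirmed, on the previous epoch's as well, so
    packets already in flight are not dropped during the switch."""

    def __init__(self, secret, epoch=0):
        self.secret = secret
        self.epoch = epoch
        self.confirmed = True  # no hop pending at start
        self.accepted = []
        self.rejected = []

    def listening_ports(self):
        ports = set(port_set(self.secret, self.epoch))
        if not self.confirmed:
            ports |= set(port_set(self.secret, self.epoch - 1))
        return ports

    def propose_hop(self):
        """Proposer (the server in the post): advance the epoch and keep the
        old ports open until the peer's ACK arrives."""
        self.epoch += 1
        self.confirmed = False
        return {"type": "HOP", "epoch": self.epoch}

    def on_control(self, msg):
        if msg["type"] == "HOP":
            # Responder: follow the new epoch, but keep the old ports until
            # the first datagram actually lands on one of the new ports.
            self.epoch = msg["epoch"]
            self.confirmed = False
            return {"type": "HOP_ACK", "epoch": self.epoch}
        if msg["type"] == "HOP_ACK" and msg["epoch"] == self.epoch:
            self.confirmed = True
        return None

    def on_datagram(self, port, payload):
        if port not in self.listening_ports():
            self.rejected.append((port, payload))
            return False
        if port in port_set(self.secret, self.epoch):
            self.confirmed = True  # traffic on a new port proves the hop took
        self.accepted.append((port, payload))
        return True


def run_exchange():
    """Walk through one hop and report what each side accepted or dropped."""
    server, client = Peer(SECRET), Peer(SECRET)
    old_ports = port_set(SECRET, 0)
    hop = server.propose_hop()            # carried over one of the old ports
    ack = client.on_control(hop)
    new_ports = port_set(SECRET, 1)
    results = {
        # a client packet still on an old port while the ACK is in flight
        "server_keeps_old_until_ack": server.on_datagram(old_ports[0], b"in flight"),
    }
    server.on_control(ack)                # server is now new-epoch only
    results["client_accepts_new"] = client.on_datagram(new_ports[1], b"first on new port")
    results["client_drops_old"] = client.on_datagram(old_ports[2], b"stale")
    results["server_drops_old"] = server.on_datagram(old_ports[2], b"stale")
    results["ports_agree"] = server.listening_ports() == client.listening_ports()
    return results
```

Two things the walkthrough makes concrete: the overlap window is what keeps the hop from looking like a drop to the applications, and deriving the schedule from a secret removes the out-of-band HTTPS exchange the earlier reply worried about, at the cost that the epoch counter must never be reused with the same secret. Randomising the keep-alive timing is a separate problem and is not covered here.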

No, OpenVPN doesn't terminate when over UDP/TCP (not sure) when the connection drops out. It doesn't release the routes either. If your VPN terminates and releases the routes then you are actually putting people at risk.

When you disconnect you feel it. Your applications feel it too. When you have to reconnect you will have to go through the entire process of DH key exchange etc. to get going again. It takes a while and it's super annoying.

>No, OpenVPN doesn't terminate when over UDP/TCP (not sure) when the connection drops out. It doesn't release the routes either. If your VPN terminates and releases the routes then you are actually putting people at risk.
It does terminate, though that might actually be spoofed hangup packets, maybe.

If I'm using OpenVPN or PPtP, sooner or later the connection dies and the client terminates. Then I have to reconnect.

Sometimes the connection dies but the client is still alive and I just have zero bandwidth but that's less common.

Post your config file.

>When you disconnect you feel it. Your applications feel it too.
They feel the packet loss anyway; sublime will block until its read/write completes or the kernel eventually kills it.

So what can I do to more gracefully reestablish a connection?

A disconnection here is more like being throttled because I tripped some GFC rule than anything else, it would most likely look like packet loss or a huge lag spike or lots of corrupt packets being flooded and spoofed into the stream (one reason for wanting some port hopping).

--resolv-retry n
If hostname resolve fails for --remote, retry resolve for n seconds before failing.

Set n to "infinite" to retry indefinitely.

By default, --resolv-retry infinite is enabled. You can disable by setting n=0.

openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

Server or Client?
Which protocol?

Ever have that thing happen when you're browsing on your VPN and loading some page in your browser and then the VPN cuts out, so you restart it and refresh the page that was loading but it doesn't work until you open it again in a new tab and then it works?
This.
stall more shitcunt

Client/OpenVPN

[connection]
id=AnonVPN
uuid=xxxxxxxxxxxx
type=vpn
autoconnect=false
permissions=user:xxxx:;
secondaries=

[vpn]
connection-type=tls
remote=xxxxxxxxx
comp-lzo=yes
cert-pass-flags=0
port=443
cert=/home/.../user.crt
ca=/home/..../ca.crt
key=/home/.../user.key
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto


>Ever have that thing happen when you're browsing on your VPN and loading some page in your browser and then the VPN cuts out, so you restart it and refresh the page that was loading but it doesn't work until you open it again in a new tab and then it works?
>This.
That would be the browser getting confused with its DNS cache, right?
I sometimes have problems if I open a page without VPN and it's blocked, and then I activate the VPN and the browser keeps loading the block until I slap it.

Server/OpenVPN
Now without comments
port 443
proto udp
dev tun

ca ca.crt
cert anonserver.crt
key anonserver.key # This file should be kept secret

dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

You guys are having a very lengthy discussion about things I don't understand, but I'm going to ask: wouldn't it be easier and/or simpler to simply use a disposable/burner cellular connection in order to achieve maximum privacy?

It isn't conceivable that you will hide within the crowd by dissimulating your traffic; it still is going somewhere and whoever is monitoring the network would be able to see that, wouldn't they?

>wouldn't it be easier and or simpler to simply use a disposable/burner cellular connection in order to achieve maximum privacy?
Not as a permanent networking solution.

>it still is going somewhere and whoever is monitoring the network would be able to see that, wouldn't they?
They can see the source and destination but not the content. Anyway, it's about defeating automated monitoring which attempts to detect and suppress VPN traffic.

If you get this going, OP then it would be super interesting.

>It's about defeating automated monitoring which attempts to detect and suppress VPN traffic.
I understand the point and what you're trying to achieve. But there will never be such a thing as a permanent solution. And when found out that such a bypass exists by authorities you would essentially be labeled guilty with no evidence and have even more attention onto you that you're trying to avoid to begin with.

>I understand the point and what you're trying to achieve. But there will never be such a thing as a permanent solution. And when found out that such a bypass exists by authorities you would essentially be labeled guilty with no evidence and have even more attention onto you that you're trying to avoid to begin with.

Part of the reason why I want the encryption and traffic part of the software to be modular. If governments adapt, we can swap out the module or rewrite it.