VPN Blocks in the World: How It Happens


VPN restrictions can be viewed as part of the phenomenon of Internet censorship, since ordinary users use this technology mainly to maintain anonymity on the network, prevent the collection of personal data by the Internet service provider and administrators of visited sites, as well as to gain access to prohibited content.

Blocking access to content based on the addresses of resources and network nodes (IP address, domain name) is easier to implement than blocking at the level of the packets transmitted over the network. But this kind of blocking can be bypassed with a VPN, by routing traffic so that it "exits" elsewhere, often in another country. Therefore, once blocking by address is in place, the next step can be blocking at the packet level, which makes it possible, for example, to block VPN traffic of specific protocols regardless of which server it is addressed to. At the moment, reports from Internet users and Internet activists describe blocking of VPN access "by address" (traffic to "entry points", the servers that accept connections from users, is blocked). There were also messages about traffic blocking "by ports",

To block at the packet level, the provider (or another intermediary on the traffic path, for example a TSPU) needs to analyze the packets. For this, DPI (Deep Packet Inspection) technology is used. It makes it possible, for example, to block only those packets that belong to VPN traffic, or those associated with direct access to prohibited resources. Thus, if the contents of a packet are not encrypted, no additional tools or tricks are needed for analysis: depending on the contents of the transmitted packet (or group of packets), a blocking decision can be made directly.

To analyze encrypted data in the provider's network or elsewhere along the traffic route, an intermediate node capable of decrypting the traffic can be used, with the traffic from the client to that node encrypted under the provider's own self-signed certificates. In effect this is the well-known man-in-the-middle (MITM) attack, except that the "attacker" here is not a random cracker but the provider itself. However, this approach requires users to voluntarily install the self-signed certificates of such fake "certification authorities", and for this reason it is not widespread in the world (isolated cases are known in Kazakhstan and China).

A variation of this method (the MITM attack) that does not require voluntary participation by users is the creation by the state of "real" certification authorities, that is, ones that are properly certified and included in the "trusted" lists of browsers and operating systems, located in a country controlled by that state. When such cases become known, the certification authorities involved are removed from the trusted lists.

This situation is possible because of how trusted certification authorities sign certificates: as a rule, neither the fact of re-signing nor the fact that another certificate has been issued for the same domain or IP address is checked. This is done on purpose, since otherwise it would create problems in "normal" use.

However, even without being able to decrypt packets, they can be analyzed and filtered not by their main content but by metadata (service information about the packet). Quite often, relying only on metadata, it is possible to determine with fairly high accuracy whether traffic belongs to a particular protocol, which in turn makes it possible to block such packets.

VPN protocols (like most messengers, by the way), on their own and without additional obfuscation technologies, are vulnerable to such blocking because they were not originally designed for use under active opposition from the network infrastructure.

It should also be noted that DPI technologies based on probabilistic analysis of passing packets do not detect VPN traffic with 100% reliability; however, blocking even a part of the packets can greatly reduce the quality of the VPN connection. Another downside of this blocking method is that DPI-based filters also produce false positives, blocking packets of ordinary users that, for one reason or another, look to the analyzer like VPN traffic.
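As an added example (not code from the original post), the Python sketch below shows the kind of statistical rule a DPI filter can apply to payloads it cannot decrypt, namely the byte-entropy check mentioned in the China section further down, and why it yields the false positives described above: ordinary compressed web content is as close to random as a tunnel payload. The samples are constructed in the script, and the threshold and minimum length are assumptions.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(payload: bytes, threshold: float = 7.5, min_len: int = 1024) -> bool:
    """Crude DPI-style rule (assumed thresholds): a sufficiently long payload whose
    bytes are close to uniformly distributed is flagged as 'encrypted, possibly tunnelled'."""
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


# Constructed samples; no real captures are used here.
_rng = random.Random(2021)
# 1. Cleartext HTTP: a request repeated to a realistic size (should NOT be flagged).
PLAIN_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
              b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n") * 40
# 2. Stand-in for a VPN tunnel payload: a seeded pseudo-random byte stream.
TUNNEL_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
# 3. Ordinary compressed content (think of a gzip'd web page): high entropy as well,
#    so the same rule flags it, which is exactly the false-positive problem.
_words = [f"token{i}" for i in range(60)]
COMPRESSED_PAGE = zlib.compress(
    " ".join(_rng.choice(_words) for _ in range(6000)).encode(), 9)


def classify_samples() -> dict:
    """Run the rule over the three samples; returns name -> (entropy, flagged)."""
    return {name: (round(shannon_entropy(data), 2), looks_encrypted(data))
            for name, data in (("plain_http", PLAIN_HTTP),
                               ("tunnel_like", TUNNEL_LIKE),
                               ("compressed_page", COMPRESSED_PAGE))}


if __name__ == "__main__":
    for name, (h, flagged) in classify_samples().items():
        print(f"{name:16s} entropy={h:.2f} bits/byte  flagged={flagged}")
```

The compressed sample is the point: a filter that only looks at byte statistics cannot tell a tunnel from compressed content, so tightening the threshold trades missed VPN packets for blocked ordinary ones.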

Thus, in order to comply with the requirements of the state (represented by regulatory authorities) on the one hand, and to minimize user dissatisfaction on the other, ever stricter requirements on the quality of analysis are applied to DPI-based filters. At the same time, all kinds of traffic obfuscation tools are gaining popularity (and, as a result, are developed better and faster). The result is an "arms race": DPI technologies become more and more "reliable", while traffic obfuscation technologies improve in parallel (Shadowsocks, obfs4 and others described in the previous part).

As for how VPNs are blocked in different countries, the available data is rather fragmentary:
  • The governments and providers of these countries do not always publicly declare such blocking, and also do not provide technical information about their implementation.
  • Blocks are not monitored at the global level (note the Russian project Global Check, which aims to fill this gap).
  • VPN blocks are usually counted as part of the overall level of internet censorship, rather than separately.
Regarding the blocking of VPN traffic specifically, and taking the above into account, DPI blocking is as a rule introduced only after an address-based blocking system has been built. This is because VPNs are used by a relative minority of users, while a DPI-based filtering system requires rather expensive equipment. For this reason, VPNs are particularly actively blocked only in a small number of authoritarian countries. According to a 2021 Comparitech study, VPN use is limited (intended or partial) or blocked (actual and massive) in the following countries:

It should also be noted that in most countries where VPNs are limited or blocked, this happens at the level of fighting the technology or the service providers, not always on a legal basis. At the same time, in Belarus, North Korea, Turkmenistan, Turkey, Iraq and Iran the use of VPNs is prohibited at the legislative level (although this does not automatically mean that the law is regularly applied in practice to ordinary users). There are also partial legislative restrictions on VPN use in Russia, Oman, the United Arab Emirates and China.

Among the countries listed, the most developed system of Internet censorship is in China (even though, unlike North Korea, China is not isolated from the rest of the world). This system is figuratively called the Great Firewall. In addition to filtering domestic Chinese traffic, it also controls all traffic that crosses China's borders, which passes through several points, although the filtering mechanisms are most often located not at the border itself but, depending on the provider, either in the border networks (AS, autonomous systems) or in provincial networks.

VPN blocking in China is done using a combination of methods:
  • Blocking access to the websites of VPN service providers
  • Blocking, by IP address, VPN entry points known to the Chinese authorities
  • Blocking traffic on ports used by VPN protocols (for example port 1194, which OpenVPN uses by default)
  • Analyzing and blocking traffic using DPI
  • Quality-of-service filtering: "suspicious" connections are analyzed and assigned a "rating", depending on which a certain percentage of their traffic is dropped.
  • It is assumed that the system can recognize double encryption of traffic (for example, HTTPS over SSH) by analyzing the entropy of packets. Encryption produces packets whose contents look like a random sequence of bytes; analyzing them with statistical methods, one can assume with a certain probability whether the traffic belongs to a VPN connection.
  • A feature of the Chinese DPI system is that traffic is filtered not while it passes through the corresponding nodes of the system, but afterwards. Passing packets are copied to a separate device, where they are analyzed; if a decision is made to block them, a forged command (TCP reset) is sent to both sides of the connection.
  • This is possible because the system is stateful, which allows it to fabricate connection-terminating commands after analysis and to block subsequent attempts at a similar connection (such a connection is assigned a timeout, which can be increased after new attempts to establish it).
  • Active probing: after observing a connection to a "suspicious" IP address, the system itself sends a request to that node, and if it is convinced that this is really a VPN entry point, it blocks it. Such blocks can be bypassed using obfs4, which relies on an out-of-band shared secret: the secret information used for authentication is transferred between the parties through other communication channels. A conventional analogy is an SMS message for two-factor authorization.
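To illustrate the out-of-band shared secret idea behind active-probing resistance (the principle obfs4 relies on, mentioned in the last item above and in the Global Check note earlier), here is an added, deliberately simplified example; it is not obfs4's real handshake or any project's code. The server answers only a first message that carries an HMAC keyed with a pre-shared secret, and stays silent for everything else, including a replayed capture of a genuine client hello. The message format, the hour-based validity window and the reply string are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _epoch_hour(now: float) -> bytes:
    """Coarse timestamp bound into the tag so an old capture cannot be reused later."""
    return (int(now) // 3600).to_bytes(8, "big")


def client_hello(psk: bytes, now: Optional[float] = None) -> bytes:
    """Client side: prove knowledge of the out-of-band secret without revealing it.
    Message layout (assumed): nonce || HMAC(psk, nonce || current hour)."""
    now = time.time() if now is None else now
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(psk, nonce + _epoch_hour(now), hashlib.sha256).digest()
    return nonce + tag


class ProbeResistantServer:
    """Server side: replies only to holders of the shared secret. A prober that
    lacks the secret, sends garbage, or replays a captured hello sees exactly the
    same thing it would see from an unrelated host: nothing."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.seen_nonces = set()  # replay protection for the validity window

    def handle_hello(self, msg: bytes, now: Optional[float] = None) -> Optional[bytes]:
        now = time.time() if now is None else now
        if len(msg) != NONCE_LEN + TAG_LEN:
            return None
        nonce, tag = msg[:NONCE_LEN], msg[NONCE_LEN:]
        # Accept the current and the previous hour so clock skew does not lock clients out.
        for skew in (0, 3600):
            expected = hmac.new(self.psk, nonce + _epoch_hour(now - skew),
                                hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                if nonce in self.seen_nonces:
                    return None  # replayed hello: treated like a probe
                self.seen_nonces.add(nonce)
                return b"HANDSHAKE-CONTINUE"  # a real protocol would proceed here
        return None  # silence: indistinguishable from a non-listening host
```

Note that only the first message is covered here; obfs4 additionally hides the client's key material and pads the flow so that the exchange does not stand out to passive DPI either.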
The following VPN protocols are known to be blocked in China:
  • OpenVPN is blocked during the handshake phase. If the tls-crypt option is used, which protects against this kind of blocking, the tunnel traffic is throttled to 56 Kbps.
  • IPsec (in combination with other protocols) is blocked at the connection-establishment stage, or likewise throttled.
  • TLS (not a VPN protocol, but used to establish connections) is parsed so as to separate HTTP over TLS (HTTPS) from other uses, which are blocked.
As a result, few major VPN services can provide a relatively reliable VPN connection from China.

It will also be of interest to the Russian reader that at least since 2016 Roskomnadzor has been cooperating with its Chinese counterpart to study and adopt its practices (see, for example, https://www.eurozine.com/china-the-architect-of-putins-firewall/).

For comparison, consider the VPN blocking system in Turkmenistan, which also severely restricts its citizens' access to the Internet but does not have the technical resources that China has for doing so.

In Turkmenistan there is only one Internet provider, the state-owned Turkmentelecom, and there is no state body regulating Internet communications (an analogue of Roskomnadzor). It is reported that in September 2019 a state agency for cybersecurity was created, after the President of the country signed the relevant law on September 6.

Address blocking (by domains and IP addresses) is widespread in the country, and users' attempts to visit blocked resources can result in a summons from the authorities, that is, user requests are monitored. Regarding VPN blocking in this country, only fragmentary information is available because of the closed nature of the society.

In October 2019, VPN users from Turkmenistan began complaining about blocking. Restrictions on VPN use had also been recorded at the beginning of 2019; at that time they took the form of blocking VPN applications in the Play Store for Android and blocking the SIM cards of subscribers who used such applications. In addition, it is known that since 2017 the authorities have taken an interest in those who change their SIM cards in order to bypass the blocks.

It is reported that illegal VPN installation services are widespread in the capital, Ashgabat. Previously such services were offered directly in mobile phone stores and service centers, but this practice stopped after fines for such services were introduced. At the official level, the authorities of Turkmenistan do not acknowledge the existence of blocking.

It should also be noted that the use of VPNs in Turkmenistan was previously prohibited at the legislative level. And in August 2021, news appeared that when connecting to the Internet in the country, the user is required to swear an oath on the Koran that he will not use VPN services.

As for the technical blocking mechanisms, little is known, but it can be noted that the blocking affected only those VPNs that do not disguise their traffic as HTTPS. There is information that the blocking software is supplied by the German company Rohde & Schwarz (https://www.rohde-schwarz.com, which also cooperates with the Belarusian authorities through a local partner). Based on this, we can assume that DPI is used, but without the ability to analyze encrypted traffic.
 