VPN blocking is around the corner, but you can fight them

Teacher



On November 1, 2019, the "Sovereign Runet" law came into force, under which the Russian segment of the Internet is to "be centrally controlled by Roskomnadzor." The agency set about establishing that full control, and standing in its way are the VPN services that give Russians access to sites blocked in Russia.

Roskomnadzor has repeatedly tried to prosecute VPNs that refuse to filter user traffic and block the sites in the registry of prohibited resources (which is absurd for a VPN by its very nature). Thus, during the summer of 2021, reports periodically appeared in the media that one VPN service or another had allegedly been blocked by the government. In most cases, though, their users noticed no particular failures. Roskomnadzor clearly intends to continue its attempts to block such services, including by using the new capabilities of TSPU (technical means of countering threats), and the risk of blocking or other sanctions for obstinate VPNs does seem genuinely high right now.

We will try to answer several questions: how realistic the prospect of VPN blocking is, who could implement such blocking and how, how modern VPN services are built, and how they can defend themselves against RKN's attacks and protect their users.
Let's start with an up-to-date overview of the current state of VPN protocols: which ones work, which are outdated, and what features they have.

Glossary of terms:
  • A private network is a computer network that uses reserved IP address ranges for internal addressing and is isolated from the Internet. Examples are a home where several devices are connected to a router, or the internal network of an educational institution. To communicate with the Internet, a private network uses gateways: network nodes with several network interfaces, one connected to the internal network and another to the external one.
  • A virtual private network (VPN) is a network that allows nodes to exchange data with each other without being directly connected to each other by wire (as in a private network), working instead on top of another network (in most cases, the Internet).
    • Initially the technology was used in a business environment to let employees work remotely (remote access) and to connect a company's internal networks that are physically separated (for example, branches in different cities, site-to-site).
    • Later it came to be used by ordinary users to stay anonymous on the Internet and to bypass restrictions on access to resources.
    • Tunneling technologies are used to implement a VPN.
  • A tunnel is a technology that establishes a connection between two nodes over a network and carries the data of other applications inside that connection.
    • This is achieved by encapsulating (nesting) protocols.
    • The encapsulated (nested) protocol is usually (outside of the encapsulation situation) at a lower level of the network model than the one used as the tunnel. Examples are TCP encapsulated inside HTTP, or Ethernet inside TCP / UDP. Normally TCP and UDP run over Ethernet, and HTTP over TCP, so when traffic passes through a tunnel the same protocol can appear twice in the stack.
  • An encryption protocol provides encryption and decryption of data transmitted over the network. Examples: TLS (formerly SSL), Noise, and others.
  • The TCP / IP network model is a model that describes the relationships between the protocols used to transfer information over the Internet. It has 4 layers:
    • The link layer is the lowest layer; it provides physical transmission over a wired or wireless medium. Examples of protocols: Ethernet (wired), IEEE 802.11 (wireless).
    • The internet layer is responsible for addressing and routing between networks. Main protocol: IP (Internet Protocol).
    • The transport layer is responsible for establishing a connection (a data transmission channel) between 2 nodes in the network and transferring data over it. 2 main protocols: TCP and UDP.
      • TCP (Transmission Control Protocol) guarantees the completeness and integrity of the delivered data, at the cost of more traffic and a lower data exchange rate.
      • UDP (User Datagram Protocol) gives no such guarantee and has none of the corresponding drawbacks.
      • Besides these there are other protocols at this layer, for example SCTP (Stream Control Transmission Protocol), a more modern protocol designed to compensate for some of TCP's shortcomings, or ICMP, which is poorly suited to data transmission but is used to carry technical information (for example, by the ping command that checks whether a node on the network is reachable).
    • The application layer contains the protocols of the various applications that perform their tasks. Examples of protocols: HTTP, SMTP (mail transfer), SSH (remote command-line access to a computer, tunneling of TCP traffic). There are many application layer protocols.
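The glossary's "Ethernet inside TCP / UDP" case can be made concrete by building the two layers by hand. The following is an added example written for this page, not code from the original post or from any VPN project: it wraps a minimal Ethernet II frame inside a UDP datagram (the tunnel), peels the layers back off with the length checks a tunnel endpoint must perform, and computes how much room the inner packet has left once the outer IPv4 + UDP headers and the encapsulated Ethernet header are subtracted. All MAC addresses, ports and payloads are constructed sample values.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETH_HEADER_LEN = 14   # dst MAC (6) + src MAC (6) + EtherType (2)
UDP_HEADER_LEN = 8    # src port, dst port, length, checksum (2 bytes each)
IPV4_HEADER_LEN = 20  # minimal outer IPv4 header without options


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    """Inner (encapsulated) protocol: a minimal Ethernet II frame carrying an IPv4 payload."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def encapsulate(frame: bytes, src_port: int, dst_port: int) -> bytes:
    """Outer (tunnel) protocol: wrap the whole Ethernet frame in a UDP datagram.
    The UDP checksum is left at zero, which IPv4 permits (it means 'not computed')."""
    length = UDP_HEADER_LEN + len(frame)
    if length > 0xFFFF:
        raise ValueError("frame too large for a single UDP datagram")
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + frame


def decapsulate(datagram: bytes) -> dict:
    """Peel the layers in reverse order: UDP header first, then the inner Ethernet header.
    The length checks are what a tunnel endpoint must do before trusting the inner frame."""
    if len(datagram) < UDP_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("datagram too short to carry an Ethernet frame")
    src_port, dst_port, length, _checksum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    frame = datagram[UDP_HEADER_LEN:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "dst_mac": frame[:6],
        "src_mac": frame[6:12],
        "ethertype": ethertype,
        "payload": frame[ETH_HEADER_LEN:],
    }


def inner_mtu(link_mtu: int = 1500) -> int:
    """Bytes left for the inner IP packet after the outer IPv4 + UDP headers and the
    encapsulated Ethernet header are subtracted; this is why tunnel interfaces are
    configured with a smaller MTU than the physical link."""
    return link_mtu - IPV4_HEADER_LEN - UDP_HEADER_LEN - ETH_HEADER_LEN


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    frame = build_ethernet_frame(bytes.fromhex("aabbccddeeff"),
                                 bytes.fromhex("001122334455"),
                                 b"inner IPv4 packet")
    datagram = encapsulate(frame, 40000, 51820)
    print(decapsulate(datagram))
    print("inner MTU on a 1500-byte link:", inner_mtu())
```

Every tunnel in the list that follows pays this kind of header tax, and a real implementation adds the encryption protocol's own overhead on top, which is where the "more traffic" cost of tunneling comes from.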

List of common VPN protocols:
1. L2TP / IPsec is a combination of two protocols, where IPsec first establishes a secure communication channel, within which L2TP establishes the tunnel. This combination is considered obsolete for security and performance reasons.

a) IPsec (Internet Protocol Security) was developed by the Internet Engineering Task Force (IETF) for IPv6 (initially mandatory, later downgraded to a recommendation).

i) It can also be used in tunnel mode, but in conjunction with L2TP it is used in transport mode.

b) L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol. Its standard was published in 2000 and was a development of the L2F (Layer 2 Forwarding Protocol, Cisco) and PPTP protocols.

i) It has no data encryption mechanism of its own.

2. Alternatively, the IKEv2 / IPsec combination is used, which provides a higher data transfer rate than L2TP / IPsec and allows the connection to be kept alive when switching from one network to another (which is important for mobile applications). This combination does not provide maximum protection, but it offers high speed and a stable connection.

a) IKEv2 (Internet Key Exchange) is a key exchange protocol that establishes a preliminary secure connection so that network nodes can safely exchange the information needed to set up the full secure connection (the encryption algorithm, the encryption key, etc.).

b) That is, in this combination IPsec is used as the tunneling protocol.

3. OpenVPN is free software, a daemon for establishing a secure connection between clients and a server.

a) It uses its own protocol, which relies on SSL / TLS for data encryption.

b) Open source code allows anyone to conduct their own audit and make sure no backdoors have been left in, whether accidentally or intentionally.

c) It has a reputation as a reliable, time-tested solution.

4. WireGuard is a modern protocol created as a replacement for OpenVPN.

a) Its small codebase simplifies auditing compared to OpenVPN.

b) It holds a leading position in speed and uses modern cryptography. However, some cryptanalysts criticize the project for lacking the extensibility in the choice of encryption protocols that IPsec has.

c) NordLynx is a proprietary WireGuard variant used by NordVPN. According to the company, it "solves the problem of WireGuard, which must store the IP addresses of the clients connected to it on the server."

Other VPN protocols:
1. PPTP (Point-to-Point Tunneling Protocol) is an outdated protocol that does not provide reliable encryption.

1) SSTP (Secure Socket Tunneling Protocol) is a proprietary Microsoft protocol that allows PPTP to be used together with SSL / TLS encryption.

2) MPPE (Microsoft Point-to-Point Encryption) is used to encrypt data within PPTP and PPP (Point-to-Point Protocol).

2. SoftEther is the protocol used by the SoftEther VPN application (which also supports alternative protocols).

1) It provides good protection against DPI (deep packet inspection) by encapsulating Ethernet inside HTTPS.

2) It supports VPN over ICMP and VPN over DNS, which lets it get through networks that do not pass TCP / UDP traffic.

3. Cisco AnyConnect is a technology for establishing VPN connections. It can also use the UDP and SCTP (Stream Control Transmission Protocol) protocols for data exchange; in the UDP case it also uses DTLS (Datagram Transport Layer Security) to secure the connection.

1) OpenConnect is an open-source implementation of this connection method.

4. Lightway is ExpressVPN's own development, created as an alternative to WireGuard. It has a minimal codebase and, according to its developers, works stably when switching between different networks.

Related technologies:
1. TLS, formerly SSL (Transport Layer Security, Secure Sockets Layer), is a common cryptographic protocol (also used within HTTPS). It is widely used within VPN connection protocols (OpenVPN, SoftEther, Cisco AnyConnect).

2. SSH (Secure SHell) is, by itself, a protocol for remote control. But its most common implementation, OpenSSH, allows a tunnel to be established within such a connection and provides an interface (via the SOCKS protocol) for connecting through this tunnel. The result resembles anonymizing the user through a VPN, although it is not one. This approach is not optimal, because running TCP over TCP leads to poor connection quality.

By themselves, popular VPN protocols are vulnerable to blocking by DPI (deep packet inspection), a technology that analyzes traffic passing through a network node and blocks packets it recognizes as belonging to VPN protocols.

However, there are technologies that additionally disguise VPN traffic as a different type of traffic, which makes it harder to detect with DPI.

Obfuscation technologies:
1. Shadowsocks, an encryption protocol based on SOCKS5, allows, among other things, the fact of VPN use to be hidden by passing traffic through an intermediate SOCKS5 proxy server, which makes it possible to bypass VPN blocking.

1) SOCKS is a protocol for exchanging data through a proxy server. Its SOCKS5 extension adds an authentication mechanism.
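To make the SOCKS5 negotiation that Shadowsocks builds on concrete, here is an added example written for this page (not code from the original post, from Shadowsocks or from any proxy project). It implements both sides of the plain SOCKS5 handshake as described in RFC 1928 and RFC 1929: the client's method greeting, the server's method selection, username/password authentication, and a CONNECT request that can carry an IPv4, IPv6 or domain-name target. The credentials and hostnames are constructed sample values.

```python
import hmac
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USER_PASS = 0x02          # RFC 1929 username/password sub-negotiation
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
AUTH_VERSION = 0x01


def client_greeting(methods: list) -> bytes:
    """VER | NMETHODS | METHODS: the client lists the authentication methods it supports."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_select_method(greeting: bytes, server_methods: list) -> bytes:
    """VER | METHOD: the server picks the first of its own methods that the client
    offered, or answers 0xFF to refuse the connection."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    for method in server_methods:
        if method in offered:
            return bytes([SOCKS_VERSION, method])
    return bytes([SOCKS_VERSION, METHOD_NO_ACCEPTABLE])


def userpass_request(username: str, password: str) -> bytes:
    """RFC 1929: VER(0x01) | ULEN | UNAME | PLEN | PASSWD. The credentials travel in
    the clear, which is why plain SOCKS5 is an access-control mechanism, not privacy."""
    u, p = username.encode(), password.encode()
    if not 1 <= len(u) <= 255 or not 1 <= len(p) <= 255:
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([AUTH_VERSION, len(u)]) + u + bytes([len(p)]) + p


def userpass_check(request: bytes, credentials: dict) -> bytes:
    """Server side of RFC 1929: returns VER | STATUS, where STATUS 0x00 means success."""
    failure = bytes([AUTH_VERSION, 0x01])
    try:
        if request[0] != AUTH_VERSION:
            return failure
        ulen = request[1]
        username = request[2:2 + ulen]
        plen = request[2 + ulen]
        password = request[3 + ulen:3 + ulen + plen]
    except IndexError:
        return failure
    if len(username) != ulen or len(password) != plen:
        return failure
    expected = credentials.get(username.decode(errors="replace"))
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    return bytes([AUTH_VERSION, 0x00 if ok else 0x01])


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. A domain name can be sent as-is
    (ATYP 0x03), so name resolution happens on the proxy, not on the client."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data: bytes) -> dict:
    """Server-side parse of the CONNECT request with strict length checks."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("malformed request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("request has wrong length")
    return {"cmd": data[1], "atyp": atyp, "host": host, "port": struct.unpack("!H", rest)[0]}
```

Note what is absent: nothing in this exchange is encrypted or integrity-protected, and the greeting bytes `05 02 00 02` are a fixed pattern. That is exactly the gap Shadowsocks fills by wrapping the whole exchange in its own encryption, which is why it, rather than bare SOCKS5, is listed here as an obfuscation technology.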

2. obfs4 (obfs4proxy) is one of the Tor project's PT (Pluggable Transport) implementations. It can also be used with OpenVPN and in conjunction with other technologies. PTs disguise Tor (or VPN) traffic as a different type of traffic, which makes it possible to bypass blocking by providers or authorities.

3. Cloak is another PT variant; it disguises the traffic of other protocols as HTTP traffic, which makes it harder to block.

1) Besides those above, there are other PT options.

4. Stunnel is a tunneling technology that, among other things, can disguise traffic as HTTPS, that is, ultimately as TLS, which makes VPN traffic harder to block.

5. OpenVPN Scramble (XOR Obfuscation) is a traffic obfuscation technology that uses an XOR cipher (also known as a gamma cipher) to stop DPI algorithms from recognizing the traffic.
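A caveat worth showing on the XOR scramble: it is obfuscation, not encryption. The added example below is written for this page and is not code from the original post or from the OpenVPN project or the scramble patch. It constructs an approximation of the first bytes of an OpenVPN client's initial control packet (the opcode/key-id byte followed by an 8-byte session id; the framing is simplified and the session ids are constructed values), applies a repeating-key XOR mask in the spirit of the patch's "xormask" step, and then shows two properties: the mask is its own inverse, and with a fixed key the bytes that were constant across sessions stay constant, just with different values, so the protocol's shape is not hidden, only shifted. It also shows that one known plaintext/ciphertext pair gives the key back, which is the textbook reason a single XOR layer is not a cipher.

```python
import os

OPENVPN_OPCODE_HARD_RESET_CLIENT_V2 = 7   # first control message an OpenVPN client sends
SESSION_ID_LEN = 8


def openvpn_client_reset(session_id: bytes) -> bytes:
    """Constructed approximation of the start of an OpenVPN (UDP) client hello:
    (opcode << 3 | key_id), 8-byte session id, empty ack array, 4-byte packet id.
    Only the layout matters for this illustration, not the exact OpenVPN framing."""
    if len(session_id) != SESSION_ID_LEN:
        raise ValueError("session id must be 8 bytes")
    first_byte = (OPENVPN_OPCODE_HARD_RESET_CLIENT_V2 << 3) | 0   # key_id 0 -> 0x38
    return bytes([first_byte]) + session_id + b"\x00" + b"\x00\x00\x00\x00"


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice returns the original, so the same
    function both masks and unmasks."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def constant_positions(packets: list) -> dict:
    """Byte offsets whose value is identical in every packet: the raw material of a
    protocol fingerprint. Returns {offset: value}."""
    shortest = min(len(p) for p in packets)
    return {i: packets[0][i] for i in range(shortest)
            if all(p[i] == packets[0][i] for p in packets)}


def recover_key(masked: bytes, plaintext: bytes, key_len: int) -> bytes:
    """XOR is linear, so one known plaintext/ciphertext pair yields the key directly."""
    return bytes(m ^ p for m, p in zip(masked[:key_len], plaintext[:key_len]))


if __name__ == "__main__":
    key = b"secret"                                    # constructed sample key
    sessions = [openvpn_client_reset(os.urandom(SESSION_ID_LEN)) for _ in range(5)]
    masked = [xor_mask(p, key) for p in sessions]
    print("constant bytes, plain :", constant_positions(sessions))
    print("constant bytes, masked:", constant_positions(masked))
    print("round trip ok         :", xor_mask(masked[0], key) == sessions[0])
    print("key from one pair     :", recover_key(masked[0], sessions[0], len(key)))
```

The practical consequence for a VPN operator is that the scramble only buys time against a classifier that has not yet seen the masked pattern; the transports in the rest of this list (obfs4, Cloak, TLS wrapping) make the outer traffic look like something else rather than just shifting its bytes, which is a stronger property.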

6. Chameleon is a proprietary VyprVPN protocol that masks OpenVPN traffic.

7. V2Ray, part of Project V (a set of tools for protecting privacy on the network), provides the ability to work with proxy servers and supports various protocols, including Shadowsocks.

In practice, commercial VPN services most often offer the following protocols:
  • OpenVPN as a proven and reliable solution.
  • WireGuard as a modern alternative.
  • IKEv2 / IPsec as a legacy option (being phased out).
  • Own proprietary solutions.
Summary table of protocol usage by popular services (information will be updated):

We also remind you where to get secure and trusted VPNs that help both to ensure privacy and to restore access to censored information on the Web: the vpnlove.me service.
 