Hacker News new | ask | show | jobs
by gerdesj 3515 days ago
I've never been anywhere near the GFW but I do find OpenVPN listening on 443/tcp and a few other ports (tcp and udp) on the outside quite handy for drilling through firewalls. It supports basic auth proxies but CNTLM is in the toolbox as well. Add in NAT and a few routing entries on other hosts.

It also provides a simple way to detect a transparent MitM proxy. If OVPN fails to connect but an "unprotected" https connection gets through then the alarm bells go off and the presented SSL cert gets a serious examination. I keep a couple of thumbprints of known certs handy for this - the discipline of proper checking rather than a cursory glance at an image that the GUI throws up.

I use readily available stuff but looking into the description of how the obfs protocols work in Tor I'm impressed and rather glad that my life or liberty doesn't depend on my efforts. When I get it wrong I simply lose access to BBC iPlayer or whatever. When someone who is having to take this rather more seriously gets it wrong, they might not get a chance to repeat their mistake.
1 comments
mikeash 3515 days ago
This sort of thing used to work, but doesn't anymore. The GFW is now smart enough to detect VPNs based only on the traffic they generate, not port numbers or other easily changed things. It's currently an arms race between VPN providers trying to mask their traffic and the firewall trying to uncover it, and the firewall is winning so far.
link
pixl97 3515 days ago
Whelp, that's pretty much it for the internet. Won't be long before many more governments are licensing and using this technology. The question is how long before supposedly 'free' governments start.
link
lisivka 3514 days ago
It's easy to fix by mirroring their behavior: drop incoming connections from China until they drop their firewall.
link
rahimnathwani 3515 days ago
If you're in China, you might want to use Shadowsocks. The server is easy to set up on any VPS (no need for TUN/TAP), and there are clients for Android (Shadowsocks), iOS9+ (Potatso), linux and routers.

I've found plain OpenVPN over TCP or UDP stopped working a few years ago (even using remote-random to shuffle ports). PPTP mostly still works.

I haven't used other VPN protocols for a long while, and don't use commercial VPN providers, but occasionally hear from friends that they have temporarily issues (for hours or days, but not weeks).

link
mikeash 3515 days ago
Thanks, I'll give that a shot next time. I think I tried PPTP when I was there last year without success, but I may be misremembering.
link