by 68c12c16 2789 days ago
FYI, the Great Firewall engineers have already found ways to inspect packets sent through OpenVPN...

A couple of weeks ago, I was asked by a friend who was traveling in China at the time to set up a VPN for him so he could use Gmail and other Google services there... I went for the easy way and used OpenVPN for him, but to our disappointment, with that VPN tunnel, he still could not access the Google search page while many other pages on other domains were fine... I spent a few hours trying to figure out why, and then I came across these discussions:

https://superuser.com/questions/1187525/vpn-to-avoid-the-gre...

https://www.quora.com/Can-Openvpn-still-bypass-the-GFW-of-Ch...

My friend and I haven't experimented further; but I think one way that might work is to chain multiple VPNs or perhaps obfuscate your protocol a bit (i.e. make some minor customization yourself)...

2 comments

It isn't that they need to inspect the contents of the packets; TCP and UDP flow analysis will reveal VPN traffic patterns even if the crypto is perfect. What I've seen reported is that people using OpenVPN see it work for a while, then increasing latency and packet loss, then eventually total lack of ability to move traffic between the two endpoint IPs.

That's true... they have been studying the packet flow patterns for a while -- such as this research:

http://security.riit.tsinghua.edu.cn/share/classify_encrypte...

But if the government completely blocks out VPN use in the country, lots of international businesses operating there will suffer and then they will complain, which is not something the government can ignore (at least not always)... A VPN whitelist could be a solution, but I don't know how well that is implemented (if it has been implemented) -- not to mention keeping a perfectly consistent whitelist at that scale would be difficult... In addition, there are always some false positives/negatives in their flow pattern analysis -- those are statistical approaches after all... so there is some grey area here...

Anyway, back to that OpenVPN experiment I did with my friend, many websites were still accessible with my OpenVPN tunnel -- although Google was not among those sites -- this seems to imply that they were doing some packet semantic analysis (i.e. deep packet inspection)...

They will detect the VPN trivially if you try to layer them. They only need to see either the pattern of traffic or the outermost layer's handshake.

OpenVPN has been off-limits in China for like 8 years now.
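
As an added example (not part of the thread or any poster's code), this sketch shows why "the outermost layer's handshake" is enough for a network monitor to recognise OpenVPN: the first byte of each control packet carries a cleartext opcode, and the server's reply repeats the client's session id. The function names and sample payloads are constructed for illustration, and the layout assumed is the standard OpenVPN control-packet header without `tls-crypt`.

```python
import struct

# OpenVPN control opcodes: high 5 bits of the first payload byte (low 3 bits = key id).
HARD_RESET_CLIENT_V2 = 7
HARD_RESET_SERVER_V2 = 8

def parse_header(payload: bytes, tcp: bool = False):
    """Return (opcode, key_id, session_id, rest) or None if the payload is too short."""
    if tcp:  # over TCP every OpenVPN packet carries a 2-byte length prefix
        if len(payload) < 2:
            return None
        (length,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + length]
    if len(payload) < 9:
        return None
    return payload[0] >> 3, payload[0] & 0x07, payload[1:9], payload[9:]

def classify_handshake(first_c2s: bytes, first_s2c: bytes, tcp: bool = False):
    """Classify the first client->server and server->client payloads of a flow."""
    c, s = parse_header(first_c2s, tcp), parse_header(first_s2c, tcp)
    if c is None or s is None:
        return None
    if (c[0], c[1]) != (HARD_RESET_CLIENT_V2, 0):
        return None
    if (s[0], s[1]) != (HARD_RESET_SERVER_V2, 0):
        return None
    # The server's ACK repeats the client's session id; it is readable unless
    # tls-crypt encrypts the control channel, so its absence only weakens the match.
    return "openvpn" if c[2] in s[3] else "opcode-only"

# Constructed sample payloads (not captured traffic).
CLIENT_SID = bytes.fromhex("1122334455667788")
SERVER_SID = bytes.fromhex("a1a2a3a4a5a6a7a8")
C2S = bytes([0x38]) + CLIENT_SID + b"\x00" + b"\x00" * 4
S2C = bytes([0x40]) + SERVER_SID + b"\x01" + b"\x00" * 4 + CLIENT_SID + b"\x00" * 4
TLS_HELLO = bytes.fromhex("160301020001000000") + b"\x00" * 16  # starts like a TLS record

if __name__ == "__main__":
    print(classify_handshake(C2S, S2C))
    print(classify_handshake(TLS_HELLO, S2C))
```

The "opcode-only" result is the weak case: two matching first bytes alone can occur in unrelated traffic, which is the false-positive grey area mentioned earlier in the thread.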