August 25 2022, VPN Community Gathering: Difference between revisions
Created August VPN Gathering notes
Adding remaining notes from meeting
=Resources=
[https://drive.google.com/file/d/1odIO1Bi9laU-B-JZMoZFWGEwkTl95oq9/view?usp=sharing Censorship in Turkmenistan Slides]<br>
[https://vpnalyzer.org/survey2022.html "All of them claim to be the best": A multi-perspective study of VPN users and VPN providers]<br>
[https://www.rferl.org/a/turkmenistan-vpn-koran-ban/31402718.html VPNs Are Not A-OK: Turkmen Internet Users Forced To Swear On Koran They Won't Use Them]
=Notes=
==Presentation==
In August, a VPN Community Initiative member presented on censorship in Turkmenistan and alternative approaches to circumventing it.
'''General State of Censorship in Turkmenistan'''
* There are only three internet providers in Turkmenistan.
** One cellular provider, and two wired providers.
** Data costs are prohibitively high, leading to low internet penetration.
** Speeds are also prohibitively slow: 2 mb/s
* A majority of popular messengers are blocked.
** [https://imo.im/ imo.im] and [https://www.icq.com/ ICQ] are still accessible.
* Most foreign websites are unreachable.
** Russian sites are also highly censored.
* VPN protocols are blocked (IPsec, OpenVPN, WireGuard…)
* There is strong censorship of content that puts Turkmen government/political figures in a negative light.
'''Censorship Methods'''
* Deep packet inspection
* DNS hijacking
* Manual inspection based on the amount of traffic to a host
'''What Works?'''
* Psiphon, until recently
** Meek was working and was employed by Psiphon.
*** As of a few days ago, it is no longer working.
* Some shady/less-known VPN services
* Some less-known protocols/utilities
'''What doesn't work?'''
* Tor
** Tor was working up through a month or so ago, using additional circumvention methods.
*** DNS fingerprinting block.
* Commercial VPN providers
* All regular VPN protocols (WireGuard, IPsec, L2TP, PPTP, OpenVPN)
* Software that relies on 3rd party DNS (Google, Cloudflare...)
* Outgoing TCP/UDP connections are blocked, incoming are not.
* You cannot use public DNS resolvers; you must use the ISP's resolvers.
* DNS protocol is also blocked.
* VPN protocols are blocked (IPsec, OpenVPN, WireGuard…)
'''Experimental Alternative Circumvention Method'''
* Establish the VPN session from the blocked server to the client to circumvent the filter.
** Set up a knocking server on a non-blocked IP range
** The knocking server delivers the connecting event to the blocked server
** The blocked server sends a UDP packet towards the client's IP/port, with random data
** The packet circumvents the IP filter; the random data circumvents the OpenVPN filter
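The steps above can be walked through on a single machine. The following is an added example, not code from the presentation: it runs the client, knocking server and blocked server as three UDP sockets on loopback, and the <code>KNOCK</code> payload, the <code>ip:port</code> event format and all function names are assumptions made for illustration.

```python
import os
import socket

LOOPBACK = "127.0.0.1"  # assumption: all three roles run on one host for the demo

def udp_endpoint():
    """Bind a UDP socket to an ephemeral loopback port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LOOPBACK, 0))
    sock.settimeout(2.0)
    return sock

def reverse_rendezvous(opener_len=64):
    """Walk the steps once and report what each party observed."""
    client, knock, blocked = udp_endpoint(), udp_endpoint(), udp_endpoint()
    try:
        # Step 1: the client knocks on the server in the non-blocked range.
        client.sendto(b"KNOCK", knock.getsockname())
        # Step 2: the knocking server reads the client's IP/port from the
        # datagram's source address and relays it as the connecting event.
        msg, seen_client = knock.recvfrom(64)
        if msg != b"KNOCK":
            raise ValueError("unexpected knock payload")
        knock.sendto(f"{seen_client[0]}:{seen_client[1]}".encode(),
                     blocked.getsockname())
        # Step 3: the blocked server opens the flow itself, sending random
        # data towards the client's IP/port (constructed with os.urandom).
        event, _ = blocked.recvfrom(64)
        host, port = event.decode().rsplit(":", 1)
        opener = os.urandom(opener_len)
        blocked.sendto(opener, (host, int(port)))
        # Step 4: the client sees an inbound packet and learns the server's
        # address from it; the VPN session would continue on this flow.
        data, server_addr = client.recvfrom(2048)
        return {
            "client_addr_ok": seen_client == client.getsockname(),
            "server_addr_ok": server_addr == blocked.getsockname(),
            "opener_ok": data == opener,
            "opener_len": len(data),
        }
    finally:
        for sock in (client, knock, blocked):
            sock.close()

if __name__ == "__main__":
    print(reverse_rendezvous())
```

On a real network the address the knocking server observes is the client's address as seen from outside, which may be a NAT mapping rather than the client's own socket address.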
'''Additional User Hurdles'''
* Language: Many do not speak English or Russian.
** Turkmen is a Turkic language
* No regular documentation of censorship
===Presentation Q&A and Additional Notes===
Q: What is the data cap for users in Turkmenistan?
A: Cellular: 4 GB per month at an approximate cost of 14 USD for 2 GB/mo; Wired Connections: No limits
Q: With super low speeds, what will the performance impacts be for users of a VPN that is actually accessible?
A: Any solution that works to some degree is worthwhile.
* Tor Project is giving Turkmen users Azure as domain fronting to connect to Snowflake.
** Snowflake: a pluggable transport (PT) that makes connections to Tor look like WebRTC
** Issue: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40024#note_2830707
Latest revision as of 09:39, 8 September 2022