April 19 2024, VPN Community Gathering

From TCU Wiki

Monthly VPN Community Gatherings bring together technologists, academics, providers and frontline defenders working within and around the VPN ecosystem in order to:

  • Create a space for open dialogue and discussion around current issues and challenges in the VPN ecosystem;
  • Provide an opportunity for community members to share news and updates about their respective work; and
  • Facilitate collaboration and mutual support among community members that furthers improvement of the VPN ecosystem for end users.


April VPN Community Gathering

Date: April 18, 2024
Time: 14 UTC / 10 EDT

Contact Erin for more information.


Resources

Presentation Slides

Hoogmoon Presentation Slides

Q&A

Isn't just a VPN enough for measurements, since you can send IP packets? You can even monitor the packets sent and received.

In Turkmenistan, the internet connection is really slow and not reliable, with a lot of latency. All of the IP addresses are blocked, so you must use a tunnel over TCP, resulting in additional slowdown. That is why it is additionally painful to use.

Sure, you can use a VPN, but I also don’t know of any system that is easy to handle that provides a VPN. On Windows you would need to manage firewall rules as well. It’s cumbersome. Thanks to [vircutol bock <- Transcribed incorrectly] it creates a breach to your network, so it generally works better. It also works over Wi-Fi without issues. Other systems generally don’t allow you to breach over Wi-Fi.

How do you get a Psiphon config and non-public server list? Are you running your own Psiphon server?

I’m not running my own Psiphon server. I asked if I could use their system in this project, assuming that they would allow me to use their public list. Instead they offered a custom list.

You are using Psiphon and Tor to give access to the server. Have you used the Cloudflare server or ngrok?

SSH-J.com was used to overcome ngrok limitations. Unfortunately, other services require an account or only offer free services with limitations (e.g. 1GB of transfer or 3 - 5 connection limitations etc.).

How do you envision the trust management if/when the system grows? (i.e., giving access to researchers, or accepting boxes from other entities than yourself). I'm thinking of potential adversaries in repressive environments that could want to identify individuals active in the circumvention community, for instance. Is that a concern you have thought about, or discussed with your user community?

I thought about it, but in a different way. I have made the system undetectable so that an adversary cannot scan for it. It’s secure by default.

Regarding giving access to researchers, right now I’m only building the system and am the lone user along with select other researchers. I don’t know how to handle such access reliably - it is quite a topic for discussion. From a technical standpoint you can use time-limited access, but how to handle it gracefully in terms of management, I would like to hear opinions.

Does SSH-J support SOCKS over SSH like regular SSH?

Yes, SOCKS is also supported.

If it’s just port forwarding, how do you capture the username?

There are two usernames. There is a username for the services, SSH-J, and then there is also a username for connecting to the machine.

What’s the hardware required or recommended for running a node? Beth from Tor made an interesting prototype: a remote desktop over onion services (and docker): https://gitlab.torproject.org/tpo/onion-services/onion-desktop

Minimum is 256 MB of RAM and 128 MB of disk space. Light on hardware. Can be run on a very underpowered old system. Hasn't been tried on a router though.

Virtual machine vs. Docker
A virtual machine allows you to load all kernels, but containers like Docker don’t allow that. Using Docker comes with an increased burden.

Are you using different protocols with Tor (Snowflake, for example)? You can add more jumps, btw: ssh -J user1@host1:Port1,user2@host2:Port2 user3@host3…

No, not yet.

Request for Feedback

The developer is interested in feedback from user and researcher perspectives:

  • Was it easy to use?
  • Does it have any deficiencies?
  • How can the project deal with access management? (i.e. access for researchers and developers) (Developer wants to make it a public open source project open to all researchers.)
  • How can the documentation be improved?

Additional Notes

Outline SDK

Outline is also building the Outline SDK, which is also helpful for measurements. It allows you to multi-hop and run a local proxy forwarder…

Used Outline servers that people were running in Russia and in Iran had an ssl machine

Is it possible to use Android as an Outline server?

Meduza is using the Outline SDK and they run a local proxy in the app itself and configure the local libraries on when to use the proxies.

Could you run the server on the phone to test the censorship of the mobile connection?

Yes, that would be possible, but the Outline team would have to think about how to make that service accessible. They would need to figure out how to start the connection, but once there is a connection, the mobile device could work as a client.


Additional Resources:

Outline SDK

Fyne Proxy and Gio: Fyne and Gio are nice platforms for creating cross-platform graphical apps in Go. However, Fyne is not easily extended, so you won't be able to run a background service. With Gio you might. Or just write a regular app + Go Mobile.