August 25 2022, VPN Community Gathering

From TCU Wiki

Resources

Censorship in Turkmenistan Slides
"All of them claim to be the best": A multi-perspective study of VPN users and VPN providers
VPNs Are Not A-OK: Turkmen Internet Users Forced To Swear On Koran They Won't Use Them

Notes

Presentation

In August, a VPN Community Initiative member presented on censorship in Turkmenistan and alternative approaches to circumventing it.


General State of Censorship in Turkmenistan

  • There are only three internet providers in Turkmenistan.
    • One cellular provider, and two wired providers.
    • Data costs are prohibitively high, leading to low internet penetration.
    • Speeds are also prohibitively slow: 2 mb/s
  • A majority of popular messengers are blocked.
  • Most foreign websites are unreachable.
    • Russian sites are also highly censored.
  • VPN protocols are blocked (IPSec, OpenVPN, Wireguard…)
  • There is strong censorship of content that puts Turkmen government/political figures in a negative light.


Censorship Methods

  • Deep packet inspection
  • DNS Hijacking
  • Manual inspection based on the amount of traffic to a host


What Works?

  • Psiphon, until recently
    • Meek was working and was used by Psiphon.
      • As of a few days ago, it is no longer working.
  • Some shady/less-known VPN services
  • Some less-known protocols/utilities


What doesn't work?

  • Tor
    • Tor was working up through a month or so ago, using additional circumvention methods.
      • DNS fingerprinting block.
  • Commercial VPN providers
  • All regular VPN protocols (Wireguard, IPSec, L2TP, PPTP, OpenVPN)
  • Software that relies on 3rd party DNS (Google, CloudFlare...)
  • Outgoing TCP/UDP connections are blocked, incoming are not.
  • You cannot use public DNS resolvers; you must use the ISP's resolvers.
  • DNS protocol is also blocked.


Experimental Alternative Circumvention Method

  • Establish the VPN session from the blocked server to the client to circumvent the filter.
    • Set up a knocking server on a non-blocked IP range.
    • The knocking server delivers the connecting event to the blocked server.
    • The blocked server sends a UDP packet with random data towards the client's IP/port.
    • The packet circumvents the IP filter; the random data circumvents the OpenVPN filter.
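
The sequence above, simulated on loopback as an added example (not code from the presentation). The "KNOCK" message, the JSON event format, the use of UDP for the knock and the 16 to 63 byte length of the opening datagram are assumptions made for the demo.

```python
import json
import os
import socket

LOOPBACK = "127.0.0.1"  # assumption: all three roles run on one host for the demo


def udp_socket():
    """UDP socket on an ephemeral loopback port, with a timeout so a lost step fails fast."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))
    s.settimeout(2.0)
    return s


def run_exchange():
    client, knock, blocked = udp_socket(), udp_socket(), udp_socket()
    try:
        # 1. Client knocks on the knocking server (the non-blocked IP range).
        client.sendto(b"KNOCK", knock.getsockname())  # "KNOCK" is a made-up message
        _, seen = knock.recvfrom(64)  # use the observed source, not a claimed one

        # 2. Knocking server delivers the connecting event to the blocked server.
        event = json.dumps({"ip": seen[0], "port": seen[1]}).encode()  # made-up format
        knock.sendto(event, blocked.getsockname())
        target = json.loads(blocked.recvfrom(256)[0])

        # 3. Blocked server opens the flow toward the client. The first datagram
        #    is random bytes of random length, so it carries no protocol header.
        opener = os.urandom(16 + os.urandom(1)[0] % 48)  # 16..63 bytes
        blocked.sendto(opener, (target["ip"], target["port"]))

        # 4. Client learns the server address from the inbound datagram and
        #    answers on that same address/port pair; the tunnel would start here.
        data, server = client.recvfrom(2048)
        client.sendto(b"HELLO", server)
        reply, reply_from = blocked.recvfrom(64)
        return {
            "opener_len": len(data),
            "server_learned": server == blocked.getsockname(),
            "reply": reply,
            "reply_from_client": reply_from == client.getsockname(),
        }
    finally:
        for s in (client, knock, blocked):
            s.close()


if __name__ == "__main__":
    print(run_exchange())
```

The client sends nothing to the blocked server until a datagram from it has arrived. A deployment would also need to authenticate the knock, so that the blocked server cannot be made to send packets to arbitrary hosts.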


Additional User Hurdles

  • Language: Many do not speak English or Russian.
    • Turkmen is a Turkic language
  • No regular documentation of censorship

Presentation Q&A and Additional Notes

Q: What is the data cap for users in Turkmenistan?
A: Cellular: 4 GB per month at an approximate cost of 14 USD for 2 GB/mo; Wired Connections: No limits

Q: With super low speeds, what will the performance impacts be for users of a VPN that is actually accessible?
A: Any solution that works to some degree is worthwhile.