October 6 2022 GM
Glitter Meetup is the weekly town hall of the Internet Freedom community at the IFF Square on the IFF Mattermost, at 9am EDT / 1pm UTC. Do you need an invite? Learn how to get one here.
Date: Thursday, October 6th
Time: 9am EDT / 1pm UTC
Who: Vinicius Fortuna
Where: On IFF Mattermost Square Channel.
- Don't have an account on the IFF Mattermost? You can request one by following the directions here.
Introducing Outline VPN and the Outline Support Community!
Outline allows you to create and manage your own VPN server and provide access to the open internet to your networks. It is one of the fastest-growing tools to access the open internet, but setting it up right requires some technical skill. Join us as we discuss Outline and welcome a new community channel on the Team CommUNITY Mattermost in which individuals can learn how to use and run Outline, get community support, and provide user feedback directly to the Outline development team!
Vinicius Fortuna (@fortuna) is the engineering lead of the team at Jigsaw that protects people's ability to participate in the global internet. He has led the team through initiatives to prevent censorship via stronger internet standards and platforms; mitigate censorship via circumvention tools such as the Outline VPN and Intra; and expose censorship via measurements and data analysis. @daniellacosse and @gracekd are present during this Glitter Meetup as part of the Outline Team.
Can the Outline team introduce us to Outline?
- Outline is really 3 components: the Manager, the Client and the Server. They work together.
- It's a product that lets you create your own VPN on the cloud
- It all starts with downloading the Manager. You use that to create a VPN server and manage access.
- Then you share access keys with the people who need a VPN. They download the Client, add the access key, and use it to tunnel their traffic through the Server in the cloud.
- There are key differences from regular VPNs:
- You or someone you trust owns the server.
- It uses a protocol (Shadowsocks) that is hard to detect (unlike standard VPN protocols)
- The Client doesn't come with service. You need to get service via private communication. This prevents the server enumeration attacks that all other VPNs are vulnerable to.
- You can tweak it to meet your needs
- It’s also Open Source and they don’t track anything.
So the person who creates the server & manages access can’t see any logs or anything?
- The Outline team can't see anything. The person running the server has access to some metrics, like bytes used per access key. But the server doesn't log actual traffic (domain names etc).
- However, they own the server, so they could perhaps modify it to log traffic. So you still need to trust the provider.
- We may not communicate that well. It's also hard for a user that receives a key to know who is behind the server.
- There's space to improve there. But then you start getting into authentication, which is less private.
- One thing that is possible is to use domain names as identity
- Gracekd adds that this is very tricky, and also why we haven't cracked the "marketplace" yet. There's trust within a small circle of people you know, but as soon as people start distributing keys to 100s or 1000s of others, the end users don't know the server manager anymore. The Facebook/Telegram distribution groups are even more distant from a direct connection.
Are there limitations on the number of keys you can distribute?
- Daniellacosse says that not really, but the more keys you distribute, the more the bandwidth of the underlying server gets split up among them. So it's a tradeoff that needs to be managed.
- Fortuna adds that the limit is usually on bandwidth/data usage. You can have thousands of keys, though a few hundred active ones. Shadowsocks has very low overhead in terms of memory and CPU, which makes it cheaper than TLS-based solutions. Though the main cost is data.
- Gracekd points out that on the "clients abusing servers" side, they hear complaints about end users using BitTorrent, and then the server owners getting DMCA takedown requests. They'd love to hear if others are detecting and/or blocking BitTorrent activity.
- Fortuna adds that it's very hard to block BitTorrent and shares something that may help. This is also a useful resource for people running servers.
To help people better understand Outline out in the real world, do you have some examples to share of individuals or orgs who create and run Outline VPN servers?
- We recently met with a few Russian expats who created Outline servers for their networks still in Russia, for example, but there are many, and different types of orgs.
- We've seen orgs running public servers and setting up key distribution systems, like ASL19 here
- Some use the Outline server and fork the Client, like nthLink and beepass vpn.
- Some run private servers for other organizations, like Code for Africa.
- There are many groups on Telegram, Facebook where people share keys
- We-pn.com has a device you plug into your internet connection to share it; you then use the Outline Client to connect.
- Many VPN providers in China are offering their own apps, but redirecting people to Outline on iOS, because their app can't be on the App Store while ours can.
- Satoshi VPN takes crypto to create a private Outline server for you (though that's expensive)
There are many tweets from folks in Iran saying Outline is not working (right when Outline was added to the Google search page in Farsi) because they need a key. Where should we direct them in order to get keys?
- Gracekd says that Outline in Iran is going through a dynamic situation right now, which is keeping the team very busy. It's working for a lot of people and it's not working for a lot of people. Google/Jigsaw doesn't provide VPN service directly, but as Vini mentioned there are services like outline.paskoocheh.com (that's in Farsi) that distribute Outline access keys.
- And Fortuna adds that the intent was to reach the diaspora, so they can run servers and share with people in Iran, since they can't run servers from the country.
- Currently nthlink.com and ASL19 both offer free service, so those are good options. nthlink does quick IP rotation, which helps a lot
- It's very hard to tell what's going on in Iran, because we don't have infrastructure there. And people in tech have been arrested for collaborating with the external world.
- Outline is working on some networks, but not others. It works on mobinnet, but not Irancell or Rightel
- Fortuna’s understanding is that they are blocking or severely throttling traffic to external clouds. We need to redirect them to an internal network that has good external access, but that's a major challenge, to run servers in the country
How are end users currently connecting with individuals running servers? And what are some of the challenges you are facing in this area?
- This is very hard. People ask, "I created a server, now what?" and "How do I share access with people in Iran?"
- There's supply and demand, but no good market for access.
- This is something I'd love to hear from the community. How can we create a market for VPN servers/access?
- Who should run it? Should we have multiple ones?
- How do we address the question of trust?
- Trust goes both ways. Some clients will abuse the server
A participant adds that VPNs are usually assessed by their number of users. The Iran situation is a good reminder that there is another metric too: ease of blocking
- If someone builds an Outline server and only gives access to 10 people, it will be hard for the IRI to track, but if it's on a public list, the bad guys can automate discovery and blocking.
- Fortuna adds that if it's a public list we are vulnerable to server enumeration attacks. ASL19 uses a tiered approach to assign trust to users. The longer your server stays up, the longer they trust you. But that requires some sort of identity. There's space for different types of distribution. Smaller ones are definitely better than fewer bigger ones.
For individuals who are interested in running an Outline VPN server for their networks or for an organization etc. What kind of technical and financial resources are necessary to make that happen? How easily accessible is it?
- It's pretty easy for a non-technical person to run a server for a small organization. No command line needed.
- The default DigitalOcean server costs $6/month. The main hurdle is having a usable credit card.
- At the workshop I ran at FIFAfrica last week we were able to walk people through the basic process in about half an hour. The Manager makes it easy!
- But if you're looking to do something more advanced - we've started an "Outline Community" channel in this very Mattermost if you need help!
What is the Outline Community Channel? And how are you hoping to support Outline users in the channel?
- The team has noticed communication gaps in multiple areas, and the Outline Community Channel is their initial attempt to bridge some of those gaps.
- They want to create a space where people in the community using Outline can help each other and where they can learn what the main needs are.
- Also, learn about success and failure stories, so they can improve. There are many cases they have never heard about.
- They'd also love to collaborate with other censorship circumvention developers to figure out how they can stop reinventing the wheel at times.
- There are two types of Outline “users”:
- Managers, who run servers
- Clients/end users, who use the server
- They plan to keep the channel updated with the latest information about Outline: what releases are going out, and the features they contain.
- They tend to focus on the Managers, because they enable others, amplifying the impact.
- In general their users are concentrated in the countries with the most repressive censorship.
- The VPN world is crowded, and they don't want to compete. Where there are plenty of options, Outline doesn't grow much. They shine where the users lack options.
- Their top countries are Iran, China, Russia, Myanmar, Turkmenistan
So one of your highest priorities is censorship resistance?
- We were doing fine until last November, when China started blocking random traffic temporarily. It seems that's back on. And we are struggling in some networks in Iran. So that's a priority again.
- It's hard to fight back without information though. We strive to minimize information we collect for privacy reasons, but that hurts our effort
- It would be great to understand what the community feels comfortable with in terms of metrics collection
And for developers that may want to collaborate with or integrate Outline? Is this the right space to go to? Or are there other channels for those conversations and requests?
- We only have the Outline Community channel for now and plan to spin up more channels as they become necessary. So please jump in if you want to help, and if enough people do we'll create a dedicated channel for it!
Is it possible to block Outline using DPI?
- DPI is a bit of a loaded term. But kind of.
- We don't believe the censors can detect the use of Outline. However, they can do things like blocking traffic that looks random when they don't recognize the protocol, which is happening in China.
- They can also block or throttle access to external cloud providers, which seems to be happening in Iran.
- We still need more info on Iran
- Though generally that type of blocking (the type in China) seems to be deployed mainly temporarily, during sensitive situations, due to the high collateral damage.
- China used to use active probing, but we made that ineffective.
Are there specific network manipulation monitors working on Iran that you are depending on at the moment?
- See this APC article and this one about things we did to protect the server against detection in the past.
- We have our own implementation of Shadowsocks, but ss-libev implemented those protections too.
- Our open source implementation.