I'm in China and I need to do shit with google apps, normally I just vpn through and it's cool.
Today is different. Yesterday was a bit different too. I think it's partly because I'm in a suburb with shitloads of overseas Chinese and partly just because someone somewhere came up with a new way to fuck with VPNs. The firewall is very decentralised, different ISPs, cities and even suburbs can have different stuff blocking/attacking VPNs and it's under active development so shit changes day to day; the internet has weather here.
Yesterday, some of my DNS results were corrupted even inside my VPN, it was pretty weird but didn't stop me doing shit except for my email which was retrieving someone else's ssl cert for my own server (I skipped doing email for a few hours).
Today, I can't get any of my VPNs to even connect. Two days ago, this connection (a starbucks) was fine for any of them, even used google hangouts to video chat, now nothing connects.
So, I need advice on what to do?
How to hide my vpn without completely killing latency.
I have two servers at my command.
One hosts a pptp vpn (Atlantic.net)
One hosts a pptp vpn and an openvpn vpn (AWS EC2)
Currently my openvpn connection uses 443 which isn't working, it used to be on 8080 but that wasn't working either, as of this morning.
How do I evade the glorious golden shield project?
It's probably obvious but when it comes to VPNs, I usually roll my own rather than buying commercial subscriptions.
Anyone have anything to say about Quicktun? I wonder if it might be obscure enough to not be automatically detected? I'm not doing anything interesting enough to warrant someone actually monitoring and blocking me specifically.
This is what it looks like on my server when I try to connect using PPTP:
>Apr 28 03:34:51 localhost pppd: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
>Apr 28 03:34:51 localhost pppd: pppd 2.4.5 started by root, uid 0
>Apr 28 03:34:51 localhost pppd: Using interface ppp0
>Apr 28 03:34:51 localhost pppd: Connect: ppp0 <--> /dev/pts/3
>Apr 28 03:35:21 localhost pptpd: CTRL: Reaping child PPP
>Apr 28 03:35:21 localhost pppd: Hangup (SIGHUP)
>Apr 28 03:35:21 localhost pppd: Modem hangup
>Apr 28 03:35:21 localhost pppd: Connection terminated.
>Apr 28 03:35:21 localhost pppd: Exit.
>Apr 28 03:35:21 localhost pptpd: CTRL: Client sta.rbu.cks.ip control connection finished
>Apr 28 03:35:37 localhost pptpd: CTRL: Client sta.rbu.cks.ip control connection started
>Apr 28 03:35:38 localhost pptpd: CTRL: Starting call (launching pppd, opening GRE)
>Apr 28 03:35:38 localhost pppd: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
>Apr 28 03:35:38 localhost pppd: pppd 2.4.5 started by root, uid 0
>Apr 28 03:35:38 localhost pppd: Using interface ppp0
>Apr 28 03:35:38 localhost pppd: Connect: ppp0 <--> /dev/pts/3
>Apr 28 03:36:07 localhost pptpd: CTRL: Reaping child PPP
>Apr 28 03:36:07 localhost pppd: Hangup (SIGHUP)
>Apr 28 03:36:07 localhost pppd: Modem hangup
>Apr 28 03:36:07 localhost pppd: Connection terminated.
>Apr 28 03:36:07 localhost pppd: Exit.
>Apr 28 03:36:07 localhost pptpd: CTRL: Client sta.rbu.cks.ip control connection finished
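A way to read the log above mechanically, added here as an example and not part of the original post: it pairs each pppd "Connect:" with its "Connection terminated." and flags sessions that died quickly without pppd ever logging an assigned IP address. The 35-second threshold and the function names are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the pptpd/pppd lines posted above (both attempts).
SAMPLE = """\
>Apr 28 03:34:51 localhost pppd: Using interface ppp0
>Apr 28 03:34:51 localhost pppd: Connect: ppp0 <--> /dev/pts/3
>Apr 28 03:35:21 localhost pptpd: CTRL: Reaping child PPP
>Apr 28 03:35:21 localhost pppd: Hangup (SIGHUP)
>Apr 28 03:35:21 localhost pppd: Connection terminated.
>Apr 28 03:35:38 localhost pptpd: CTRL: Starting call (launching pppd, opening GRE)
>Apr 28 03:35:38 localhost pppd: Connect: ppp0 <--> /dev/pts/3
>Apr 28 03:36:07 localhost pppd: Hangup (SIGHUP)
>Apr 28 03:36:07 localhost pppd: Connection terminated.
"""

LINE = re.compile(r"^>?(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (pppd|pptpd): (.*)$")
# pppd logs "local  IP address ..." / "remote IP address ..." once the link is up.
NEGOTIATED = re.compile(r"^(local|remote)\s+IP address")

def ppp_sessions(text):
    """Return one dict per pppd session: start time, duration, negotiated flag."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "pppd":
            continue
        # syslog timestamps carry no year; a fixed one is assumed for arithmetic.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if msg.startswith("Connect:"):
            cur = {"start": ts, "negotiated": False}
        elif cur and NEGOTIATED.match(msg):
            cur["negotiated"] = True
        elif cur and msg.startswith("Connection terminated"):
            cur["seconds"] = int((ts - cur["start"]).total_seconds())
            sessions.append(cur)
            cur = None
    return sessions

def stalled(sessions, max_seconds=35):
    """Sessions that ended fast and never reached IP assignment (assumed threshold)."""
    return [s for s in sessions if not s["negotiated"] and s["seconds"] <= max_seconds]

if __name__ == "__main__":
    for s in stalled(ppp_sessions(SAMPLE)):
        print(s["start"].strftime("%b %d %H:%M:%S"), "died after", s["seconds"], "s")
```

Both attempts in the posted log are flagged: the control connection starts and pppd attaches to ppp0, but no address is ever logged before the hangup.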
IIRC, the firewall collapses VPN tunnels, which causes problems for everyone. Your best bet is Tor, since it's nearly impossible to collapse a link to that, but other than that, you're SOL. Sorry matey.
>wouldn't port 80 still work
No, for the same reasons that 8080 and 443 don't, deep packet inspection identifies the VPN traffic and terminates it (injects reset packets according to rumour).
I'm looking to obfuscate/encrypt the underlying channel in some way.
>the firewall collapses VPN tunnels
It has to do it on a case by case basis, I'm hoping someone here has some experience with VPN protocols and can advise on alternatives or combinations of channel and routing shit that might work.
I want to avoid putting everything in an ssh pipe because a) I don't know so much about that and b) the firewall is known to degrade ssh connections and induce latency and just generally fuck with them
>deep packet inspection identifies the VPN traffic
Well, we *think* it does.
We don't really know much for certain about how it all works, we can just make attempts and observe what happens to them.
However, the project employs nearly a million people, even if most of them are basically glorified mods with b& hammers that work on almost any social media website they find (i.e. anything not b& in china). Weibo, Wechat, whatever, any Chinese version of youtube/twitter/facebook, the mods can just whack any post which offends them and sometimes they b& users too. If the site doesn't allow the government mods to b& on it then that site doesn't get a license to operate.
Anyway. Of that million people, a bunch are employed on the firewall itself and they are actively trying to fuck with VPNs etc. It's like if every one of /g/'s paranoid fantasies about ISP technicians were actually true, because they are in China but mostly just for international traffic.
>businesses were fed up with China's bullshit with VPNs
Big businesses have dedicated internet connections and their VPNs back to USA HQ don't get blocked. Small businesses get a bit fucked and basically have to keep fucking around like I'm doing, trying shit until something works for a few months.
There's too much money for anyone to completely clock out of china but businesses do scale their investment appropriately. China doesn't mind *too* much because they'd prefer Chinese businesses to be making the money anyway so now they're about promoting Chinese owned companies to replace the western ones which leave.
What about sshd tunnelling on port 443 to a third world server? chinese people need ssh too. OP could probably find a reputable VPS that's not red-flagged in either china or the U.S.
When everything is working fine, I can ping some google server local to my VPN server with about 300ms ping.
Some days are bad and it degrades, I have had to work under 10s ping before but that's not too common.
It's usually fine for ssh, I'm occasionally typing, waiting a second for keystrokes to catch up, then hitting enter.
Saving code can mean a wait of five-ten seconds before the IDE responds and I can go reload a page or whatever.
>sshd tunnelling on port 443 to a third world server?
Should work but will have speed deliberately degraded and I don't know much about ssh tunnelling, any advice on that?
>Sony just said "Fuck it"
Oh, maybe. Wouldn't blame them but since there's money to be made and the Chinese government doesn't give in to ultimatums by anyone (see Google), it's not that useful an exercise. Mostly companies just maintain special outposts for China and work around the problems.
>I hope you don't disappear for using 4chin
Well, me too :)
No one gets arrested for VPNs though, they just get blocked en masse. Worst case, some cop might turn up and want to search my laptop but even that's basically unheard of. Social media posts can get you arrested, just using a VPN doesn't. The strategy is to make it too annoying to use rather than just punishing people. Also, the chinese government rarely actually punishes people for things everyone does, it would cause too much tension in a society where there is no legal way to relieve political tension...the side effect (or deliberate purpose, depending on paranoia levels) of democracy is to prevent revolutions by providing harmless outlets for enraged people that mean they become powerless dissenters
So Chinese police tell people to stop doing things and maybe take away the means of doing something rather than arresting them for doing things they're not supposed to do. I kind of prefer it on some levels, less people end up in jail.
>kill your government
It's not my government.
And I could ask the same of you, it's not like any other government is honest, open and benevolent, they're all basically a way for power-hungry politicians to rule over everyone else.
Anyway, not wanting to get into /pol/. Just trying to work around my problem this morning, I'll leave the revolution until after lunch.
1) you can't inject a reset packet into an encrypted connection. this would require a mitm, which isn't possible with a properly encrypted connection
2) stop using pptp
3) check your cert database, make sure your certs are being signed by the correct party
for your curiosity, if you need it.
example ssh pipe I use to open a local port to connect to psql behind a firewall on a remote host.
ssh -f user@[remotehost.com] -L 9000:localhost:5432 -N
binds localhost:9000 to remotehost:5432
if you wanted to use something like this for browsing the web you would set your local proxy settings to 9000 and (because you aren't using psql) tell ipfilter to nat and forward 5432 to port 80.
well realistically, if he's using mschapv2 they may just not give enough of a fuck to break it.
they may also just be watching long lived encrypted streams that look like VPNs and pinch the tip.
>sir you cant point your stream over there
>1) you can't inject a reset packet into an encrypted connection. this would require a mitm, which isn't possible with a properly encrypted connection
That's not how encryption works. As long as the encryption sits on top of TCP, it can be terminated with a RST.
>you're not using encryption
>properly encrypted connection
>check your cert database
As anon said, PPTP isn't secure anymore. I know this but since I'm not plotting a revolution, I don't really care. My work is done over ssh within pptp and my email is https gmail so either way, the important stuff has its own encryption and if they read when I google for segfault stuff, I don't care. The problem is that they're now fucking with stuff inside my connection which is becoming a problem.
The cert weirdness is because dns is being fucked with and I'm getting someone else's cert from their server instead of my own. Basically if the firewall wants to fuck with a dns result, it usually just gives you a random IP instead of the real one. If there's a cert for that ip then you get that but since it doesn't match the domain name you requested, it looks like a mitm attack but is really just you getting redirected to a different ip.
I set up Quicktun in the last two hours and have a tunnel working in that but documentation on the client is pretty hard to find.
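The triage described in the post above (a poisoned DNS answer that lands on a stranger's server, versus a wrong certificate served at the real address), written out as an added example that is not from the original thread. The host name, pinned address and certificate contents are constructed, and the verdict labels are assumptions.

```python
def cert_dns_names(peercert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output.
    Note: getpeercert() returns {} when verify_mode is CERT_NONE, so to inspect a
    mismatching cert keep chain verification on and only disable check_hostname."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host

def triage(host, resolved_ip, pinned_ips, peercert):
    """Classify what a client saw when it connected to `host`.
    pinned_ips: addresses the operator knows the server really has."""
    names = cert_dns_names(peercert)
    name_ok = any(name_matches(n, host) for n in names)
    ip_ok = resolved_ip in pinned_ips
    if name_ok:
        verdict = "ok" if ip_ok else "ok-unpinned-ip"
    elif ip_ok:
        verdict = "wrong-cert-at-real-ip"   # interception on the path to the real server
    else:
        verdict = "dns-redirected"          # resolver answer was replaced upstream
    return verdict, names

# Constructed sample: the operator's server and a stranger's certificate.
HOST = "mail.example.org"
PINNED = {"203.0.113.10"}
STRANGER_CERT = {"subjectAltName": (("DNS", "shop.example.net"), ("DNS", "*.example.net"))}
OWN_CERT = {"subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org"))}

if __name__ == "__main__":
    print(triage(HOST, "198.51.100.77", PINNED, STRANGER_CERT))
    print(triage(HOST, "203.0.113.10", PINNED, STRANGER_CERT))
    print(triage(HOST, "203.0.113.10", PINNED, OWN_CERT))
```

Either non-ok verdict is a reason to stop rather than accept the certificate; the label only says where to look next, the resolver path or the route to the server.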
no it can't, it's encapsulated in tcp, but tcp is not the authority in the connection. the driver / software won't even look at the tcp contents until the message is authenticated.
it might be worth noting that some configurations are encrypted but not authenticated.
I am. Mostly I was just not concerned about what they might find out, I'm just recently concerned with what they're doing.
I would disallow "mschap", there may be a way to influence a protocol downgrade attack (if mschapv2 is even the preferred protocol).
if there is they COULD EASILY mitm and rst the connection.
Just get a 1 dollar overseas cheap ass VPS and ssh tunnel through it. You can Google how to do it for both windows and unix systems and it's actually pretty straightforward. If you're using windows just use putty to set up a tunnel and use https://code.google.com/p/putty-tunnel-manager/ to easily manage your tunnels from systray
Well, a combination of ssh bridge to server 1 (Canada) and vpn to server 2 (Sydney) seems to be working, so thanks.
I just need to work out how to make server 1 accept a vpn connection that comes locally from SOCKS I guess. Weirdly, my ping from China -> Canada -> Sydney seems to only be 380ish.
they don't let best koreans out of the country either, even though best korea and china have a reasonable relationship best koreans aren't really allowed to communicate with chinese (unless they are military people).
There are actually rather a lot of best korean refugees in China, it's the obvious and safest route into worst, decadent korea for them. And even if they don't make it, it's still a pretty sweet place in comparison. They make some fantastic breakfast food outside a university I went to a long time ago. Omelettes with thick spicy sauce rolled up in a cone of newspaper, one of the best things I've ever eaten and it's making me hungry thinking about it.
>best korea and china have a reasonable relationship best koreans aren't really allowed to communicate with chinese
They get sent back a lot if they're discovered but the government isn't really looking for them. China is a bit embarrassed with best korea, it's really just a buffer state that needs a firm hand but throws tantrums now and then.
If you don't want to set it up yourself, Mullvad is a vpn company that comes with a simple client. If it can't connect directly, it will use obfsproxy. This makes openvpn appear as http traffic.
Don't use pptp.
>Don't use pptp
Until recently, pptp was much more reliable. Presumably because it wasn't regarded as a serious threat.
Again, anything important is done in https (webmail) or ssh/sshfs (work) within the pptp, anything else is just browsing 4chan and segfault and not important.
Now that it's actually becoming something they're fucking with, more secure solutions are required.
This looks like what is required.