
Tell HN: Russia has started blocking OpenVPN/WireGuard connections

throwbas
41 replies
1d3h

I have the fortune to reside in Russia-controlled Donbas. Over here they have been blocking all WireGuard connections for a long time. OpenVPN seems to be blocked selectively depending on the host. The government and commerce must need it more than WireGuard.

It isn't consistent. Different ISPs block different hosts and protocols at different times. I assume we are a kind of test and staging environment for censorship in Russia.

In the interest of anonymity I am not going to respond to your questions.

dang
16 replies
23h41m

[stub for offtopicness]

libertine
10 replies
1d2h

Stay strong, hopefully, Russia will collapse and you'll be free - I may be naive but I still think there are enough Russians who can see this tragedy as the doing of a man who wants to continue to live the life of a king, and it's probably his only way of survival after so much murdering and prosecution.

Georgelemental
9 replies
1d

I'm not sure a collapse of Russia would be good for GP. Living under an oppressive regime is not fun, but Putin's Russia isn't that bad as dictatorships go, and anarchy/societal collapse aren't fun either.

Const-me
8 replies
23h24m

GP won’t suffer from anarchy or societal collapse. According to internationally recognized state borders, they live in Ukraine, not in Russia.

Russians have lost approximately half of the land they have occupied in the first 3 months of the full-scale war. We have repeatedly observed that Ukrainian government is willing and capable of bringing law and order to these liberated territories.

Georgelemental
7 replies
18h35m

I know someone who has spent a lot of time working in Ukraine, and has acquaintances there they keep in touch with. Their description of the situation is not nearly as rosy as yours. The war (which, for the Donbass, started in 2014) has devastated an immense amount of territory. Ukraine had Europe's lowest fertility rate even before the war, and now millions of working-age men are dead, wounded or have left the country, which makes prospects of a quick recovery slim. Also, Ukraine's government is extremely corrupt, and while less autocratic than Russia it is very far from a model democracy (was even before the war, and war tends to make countries more corrupt and authoritarian). The best thing for GP to hope for would likely be peace, as soon as possible, and which side of the armistice line they fall on won't make much difference for them.

Const-me
6 replies
17h59m

> not nearly as rosy as yours

Ukraine is at war, nothing rosy about that.

Still, living conditions of people north of Kyiv, north of Kharkiv, or in Kherson is dramatically better than GP’s situation. Note GP can’t even freely talk to English-speaking strangers here on HN because they fear the consequences from the Russian invaders who call themselves “government”.

GP has very good reasons for that fear. Russians are doing horrible things to Ukrainians on the occupied territories, for example https://www.reuters.com/world/europe/torture-chambers-ukrain...

Georgelemental
5 replies
17h16m

> Still, living conditions of people north of Kyiv, north of Kharkiv, or in Kherson is dramatically better than GP’s situation.

They are also dramatically better in Moscow, St. Petersburg, or Vladivostok. Of course being far from the front lines is better than being near them.

> GP can’t even freely talk to English-speaking stranger

People in Ukrainian-controlled territory can't talk freely either, there have been many cases of extrajudicial arrests and even killings of dissidents by Ukrainian government authorities. For example, peruse Gonzalo Lira's list (Lira himself died a week ago in Ukrainian custody): https://twitter.com/GonzaloLira1968/status/15174577687976796...

---

This is a war between two thuggish regimes. One thug might be a bit more brutal than the other, but the war itself is what's doing the most harm to ordinary people.

Const-me
4 replies
16h42m

> being far from the front lines is better than being near them

Kherson is less than 5 km from the active war zone. Northern parts of Kharkiv oblast have a Russian border nearby, with Russian recon groups routinely trying to infiltrate.

> can't talk freely either

I have several friends currently in Ukraine. None of them is scared of expressing their political views, neither IRL nor on the internets. None of them supports Russia for obvious reasons, but not all of them are huge fans of their current government.

> extrajudicial arrests and even killings

Wikipedia has an interesting article about the guy https://en.wikipedia.org/wiki/Gonzalo_Lira The article says the arrest was lawful, Ukrainians released him on house arrest, he tried to flee the country, then he was arrested for real and died of pneumonia in custody.

Every death is a tragedy, but I don’t believe Ukrainian government deliberately killed that person. Why would they fake pneumonia during the war, at the time when random civilians are routinely killed by Russian missiles and drones across the whole country?

> This is a war between two thuggish regimes

This is Ukraine’s war of independence. Ukrainians have lost the last time in 1917-1922. This time, things will be different.

Georgelemental
3 replies
13h57m

> the arrest was lawful

He was arrested for political speech, which is ipso facto an unjust violation of his fundamental human rights and of natural law. Putin's Russia also has "laws" that justify the arrest of dissidents, doesn't make it OK. (And many of the other people on Lira's list were simply summarily executed, without any trial or other legal process)

blue_pants
1 replies
8h39m

I don't know what political speech means to you.

Are you aware that Ukraine engaged in an existential war? Gonzalo Lira was justifying Russian aggression against Ukraine, denying the facts of Russian missile strikes on Ukrainian cities, as well as massacres of civilian Ukrainians by Russian invaders in Bucha and other cities.

Then he was taken into custody because he violated the terms of his bail and tried to escape. Originally meant to be under house arrest in Kharkiv, Lira was detained in another part of Ukraine: Zakarpattia Oblast, where he tried to cross the border into Hungary

There are a number of real journalists in Ukraine investigating big corruption cases, some of which have even resulted in the replacement of the Minister of Defense. These journalists have not faced assassination or imprisonment, although there have been instances of them being pressured in some ways

Georgelemental
0 replies
37m

If a state's continued existence relies on restricting people's fundamental human right to free expression, then that state deserves to die.

Const-me
0 replies
5h1m

It seems you apply US laws to the rest of the world. Ukraine is not part of the US, it’s a part of Europe. In Europe, the legal systems are rather different.

For example, public display of Nazi symbols in the US is a protected free speech under the first amendment. However, the same action in many other countries is a crime: https://en.wikipedia.org/wiki/Bans_on_Nazi_symbols This doesn’t make governments of France or Belgium “thuggish regimes”.

ir77
2 replies
1d3h

serious question -- your first sentence: is it sarcasm or do you really consider yourself to be fortunate?

meepmorp
0 replies
1d2h

Fortune is like fate or luck here. There's good or bad, but it's still one's lot in life.

jncfhnb
0 replies
1d3h

That is obviously sarcasm

wiseowise
0 replies
1d2h

> I have the fortune to reside in Russia-controlled Donbas.

My condolences. Hope Ukraine and allies can sustain enough pressure to free those lands.

MezzoDelCammin
0 replies
1d

Damn. So sorry, mate! I was born not far from a Soviet base back before the curtain fall, but nothing like Donbas.

Fingers crossed and some contributions to the cause already done. In the meantime : Slava Ukraini!

jvanderbot
10 replies
1d2h

How, technically, can they block WireGuard? It can operate as pure UDP on any port. Are we referring to wireguard vendors like tailscale here?

hotpotamus
2 replies
1d2h

This is what I was wondering. I don’t understand these VPNs too deeply (though I do occasionally administer an OpenVPN setup), but I was under the impression that they’re sending encrypted packets over UDP on arbitrary ports. That seems quite tough to analyze and block.

15457345234
1 replies
1d1h

> That seems quite tough to analyze and block.

Why analyze when you can whitelist?

jvanderbot
0 replies
1d

Ok fair. The approach might be block everything except https/tcp.

In which case what we need is https side channel VPNs.

mrshadowgoose
1 replies
1d

The protocol has a defined structure (check out 5.4.6 in [1]), and can therefore be detected and blocked. It's probably easier to block than a TLS VPN, which has a lot of typical TLS noise to hide in.

[1] https://www.wireguard.com/papers/wireguard.pdf
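
Added example (not part of the thread, and not code from the WireGuard project): a passive classifier for the fixed message framing the comment above refers to, run over constructed sample payloads. The message sizes follow the layouts in the WireGuard whitepaper; the flow verdict rule, the function names and all sample values are assumptions made for illustration.

```python
import random
import struct

# WireGuard message types and their fixed UDP payload sizes (WireGuard whitepaper).
INIT, RESP, COOKIE, DATA = 1, 2, 3, 4
FIXED_LEN = {INIT: 148, RESP: 92, COOKIE: 64}
DATA_MIN = 32  # 16-byte header + 16-byte AEAD tag; this is also the keepalive size
NAMES = {INIT: "handshake-initiation", RESP: "handshake-response",
         COOKIE: "cookie-reply", DATA: "transport-data"}


def classify(payload: bytes):
    """Return the WireGuard message name a UDP payload is framed as, or None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # every message starts with a type byte and 3 zero bytes
    msg_type = payload[0]
    if msg_type in FIXED_LEN:
        return NAMES[msg_type] if len(payload) == FIXED_LEN[msg_type] else None
    if msg_type == DATA and len(payload) >= DATA_MIN and len(payload) % 16 == 0:
        return NAMES[DATA]  # plaintext is zero-padded to a multiple of 16 bytes
    return None


def mac2_is_zero(payload: bytes) -> bool:
    """mac2 (last 16 bytes of a handshake message) stays all zero until the
    sender holds a cookie, so an observer gets one more constant to match."""
    is_handshake = classify(payload) in (NAMES[INIT], NAMES[RESP])
    return is_handshake and payload[-16:] == bytes(16)


def score_flow(payloads):
    """Summarise one UDP flow: per-label counts and a simple verdict.

    Verdict rule (an assumption for this example): every packet matches the
    framing and both halves of the handshake were seen.
    """
    counts = {}
    for p in payloads:
        label = classify(p)
        counts[label] = counts.get(label, 0) + 1
    matched = sum(n for label, n in counts.items() if label is not None)
    handshake = NAMES[INIT] in counts and NAMES[RESP] in counts
    verdict = bool(payloads) and matched == len(payloads) and handshake
    return {"counts": counts, "matched": matched, "total": len(payloads),
            "looks_like_wireguard": verdict}


def _rand(rng, n):
    """Stand-in for ciphertext: n pseudo-random bytes from a seeded generator."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_wireguard_flow():
    """Constructed payloads with WireGuard framing (fields are random filler)."""
    rng = random.Random(1)
    # type, 3 reserved, sender | ephemeral 32, static 48, timestamp 28, mac1 16 | mac2
    init = struct.pack("<BxxxI", INIT, 0x11111111) + _rand(rng, 124) + bytes(16)
    # type, 3 reserved, sender, receiver | ephemeral 32, empty 16, mac1 16 | mac2
    resp = (struct.pack("<BxxxII", RESP, 0x22222222, 0x11111111)
            + _rand(rng, 64) + bytes(16))
    # type, 3 reserved, receiver, counter | AEAD tag only (keepalive)
    keepalive = struct.pack("<BxxxIQ", DATA, 0x22222222, 0) + _rand(rng, 16)
    # same header | 1280 bytes of padded ciphertext + 16-byte tag
    data = struct.pack("<BxxxIQ", DATA, 0x22222222, 1) + _rand(rng, 1280 + 16)
    return [init, resp, keepalive, data]


def sample_other_flow():
    """Constructed non-WireGuard UDP payloads: one DNS query plus random data."""
    rng = random.Random(2)
    dns_query = (struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                 + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1))
    return [dns_query] + [_rand(rng, 148) for _ in range(50)]


if __name__ == "__main__":
    for name, flow in (("wireguard", sample_wireguard_flow()),
                       ("other", sample_other_flow())):
        print(name, score_flow(flow))
```

Only the first four bytes and the packet length are inspected; none of the encrypted fields need to be read for the match, and the layout is the same whether or not a pre-shared key is configured.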

GrabbinD33ze69
0 replies
23h37m

What about something like udp over tcp?

computerfriend
1 replies
1d

This is the first (that I know of) public conversation about this and goes into detail about the various problems with obfuscating WireGuard.

https://lists.zx2c4.com/pipermail/wireguard/2016-July/000184...

jvanderbot
0 replies
23h12m

The reply https://lists.zx2c4.com/pipermail/wireguard/2016-July/000185...

... is pretty informative. There is a PSK mode, which really should be essentially indistinguishable from random UDP packets. But I haven't read deeply enough. I do PSK on all my networks, but that has its own disadvantages. I honestly thought that was the only way to do wireguard.

ytch
0 replies
18h36m

China uses statistics, entropy of packets and other DPI-like methods[1],

also HN discussions of it[2]:

[1] https://gfw.report/publications/usenixsecurity23/en/

[2] https://news.ycombinator.com/item?id=36531485

eptcyka
0 replies
1d2h

Wireguard headers are fingerprintable.

blibble
0 replies
1d1h

I would have thought psk mode would have encrypted the entirety of the initial handshake

maybe not

Lendal
4 replies
23h36m

You might see some confused faces. To most English speakers "fortune" mostly means good, unless it is preceded by something that specifies that it is bad fortune, like "ill fortune" or misfortune.

edot
1 replies
23h19m

Their English is actually good enough to properly use sarcasm. “I had the fortune of getting food poisoning last week” would be understood as a joking way of talking about misfortune.

Lendal
0 replies
55m

It is. But just because you speak English doesn't mean you use sarcasm constantly. Sarcasm is a lazy way of communicating in almost any language. It reveals lazy thinking and poor vocabulary. I never assume someone is using sarcasm when they could actually be speaking intelligently, albeit with a common grammatical error.

askonomm
1 replies
23h22m

It's called sarcasm.

Lendal
0 replies
19h1m

The circumstances suggest that it's probably just a simple error and not sarcasm. Not everyone in the world really loves sarcasm so much. People who use it frequently are usually trying to mask a poor imagination and small vocabulary. So I prefer to believe it's just a simple mistake. No big deal.

eptcyka
3 replies
1d2h

OpenVPN looks more similar to regular https traffic, hence it's a bit more difficult to fingerprint.

jokowueu
1 replies
1d1h

OpenVPN is trivial to see, what you need to do is wrap it in stunnel

EasyMark
0 replies
19h53m

Yeah I suspect they know they can never block everything but if they can block 98% of "casual users" they've probably reached their goal. They will just put out propaganda that the other 2% technically apt people who get around it are conspiracy nuts, western civ sympathizers, traitors to mother russia, etc.

gruez
0 replies
1d1h

Even though openvpn uses TLS, AFAIK it's used on top of some wrapper which makes it trivial to detect and block. At least in my experience it's one of the first protocols to get blocked.

cracrecry
1 replies
22h50m

They called the Chinese to help with their experience like 6 months after the start of the war as they realised some young people could access news outside the official channels.

They have been testing it since then.

In China once their AI systems or whatever decides that you are using a VPN you will be punished by increasingly blocking your Internet for more and more time.

physicles
0 replies
18h54m

> In China once their AI systems or whatever decides that you are using a VPN you will be punished by increasingly blocking your Internet for more and more time.

This isn’t true. VPN use is widespread here, but I’ve never heard of anyone’s internet getting wholesale blocked because of it.

Selling VPN services, however, is a big no-no.

cf1241290841
1 replies
1d1h

Thank you so much for posting this.

If anyone else has any educated guesses about the mechanism, please do share!

mmastrac
0 replies
1d

My guess is that it's cat and mouse with various providers and upgrades and research are inconsistent.

someotherperson
39 replies
1d3h

Unfortunately, thanks to the Great Firewall of China, there has been a lot of resources put in to fingerprint VPNs and block them by state actors.

Fortunately, however, there is equally years of some of the smartest minds on the planet working to bypass Chinese censorship, so there are some great OpenVPN alternatives.

I really encourage you to look into something like Shadowsocks which Chinese people have found great success in using over the last several years.

In your case, however, it's worth mentioning that if you can't connect at all then it's likely they've blocked the commercial IPs of the VPN nodes.

It's quite sad that projects like Streisand[0] were archived, but I'm sure there are other alternatives that might make it just as easy to roll onto a server.

[0] https://github.com/StreisandEffect/streisand

yellow_lead
13 replies
1d3h

Can anyone confirm Shadowsocks works anymore? When I tried to use it a few years ago, it got blocked in a few days.

To be honest, I think they are blocking anything that exchanges a lot of data with overseas IPs, after hitting a certain threshold.

apfsx
12 replies
1d2h

Shadowsocks and ShadowsocksR don’t work anymore in my experience in China or Iran. V2ray does which is the successor to those.

superkuh
7 replies
1d2h

Shadowsocks does work against MITM attacks by my US ISP Comcast though. It is great software.

gruez
4 replies
1d1h

What "MITM attacks" are you talking about?

superkuh
0 replies
2h3m

Comcast started attacking its customers via MITM about ~2013 or so. Initially it was ads, https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=co... . This would break things like, say, the Steam browser and prevent it from working. I literally had this happen to me. Eventually Comcast changed its terms of service and violated its contracts with existing customers and started limiting total data transfer to about 1 TB/mo. When it started doing this it also started MITM injecting JS about your usage into HTTP connections: https://rietta.com/blog/comcast-insecure-injection/

Comcast is the only non-56k ISP available in my area still in 2024. So I use them... but I also have to make sure to protect myself from their attacks. If I did what they're doing I'd go to prison. But some types of legal persons have more rights than human persons.

polski-g
0 replies
19h38m

Comcast intercepts and rewrites your DNS queries to their own servers. I spent hours figuring out why I wasn't getting NXDOMAIN back from 8.8.8.8 until I realized Comcast was MITMing me.

michael1999
0 replies
1d

Stream-downscaling, ad injection, etc. US isp shenanigans.

cj
0 replies
1d1h

Not the person you're replying to, but most ISPs and cellular providers log DNS queries and use that to profile you or resell to data brokers.

If you want to have some fun understanding this better, call up (for example) Verizon and have them send you the data they have on you. It's surprisingly detailed, including timestamped logs of every DNS query (in addition to specific profiling data, like "how likely you are to buy a new phone" or "household income", etc).

https://www.verizon.com/support/download-and-view-vpd-file/

After doing this myself, I always (at a minimum) use a privacy centric DNS and never the ISP's default.

apfsx
1 replies
1d1h

Wouldn’t plain WireGuard also do that?

superkuh
0 replies
2h8m

WireGuard is a lot heavier than shadowsocks-libev. shadowsocks-libev is literally under 5MB of ram used and very little CPU. Also very quick to compile and config. WireGuard is a full fledged heavy VPN. Shadowsocks can be used as a simple socks proxy if you want; and that's plenty for stopping Comcast from injecting malicious javascript into my HTTP connections.

bbarnett
3 replies
1d2h

I wonder how many of these services are just state actors, who can then track people more directly.

EasyMark
1 replies
20h2m

If I was in Russia I would be a lot less afraid of USA/Britain/Germany MITM than I would of Putin's agents catching wind of the free flow of information and coming for me and my family and throwing us off the roof or putting polonium in our water supply.

bbarnett
0 replies
9h45m

Interesting. I said 'state actor' not 'western actor'.

The state, any state, often employs such tactics to make people believe they are protected, and therefore said people will act more openly. There are a myriad of such known cases, in fact the examples are endless.

So if one is in Russia... beware, for ways to get around blocking which work, may be ways secretly controlled by the Russian state. An example is a VPN service which is secretly run by the state, regardless of where it is incorporated or physically located.

Another example is blocking products which are effective, but letting products which are easily MITM by the state to "work", thereby providing the illusion of security and safety.

These tactics are thousands of years old, the employment of such methods is all that has changed. Make those which you distrust, use methods you control to organize. An example; the pub which is used for meetings, is actually owned by state sympathizers, who claim otherwise.

yellow_lead
0 replies
1d2h

These are open source proxies, not centralized services, so I think it's unlikely.

At least shadowsocks was well researched in the past, I'm not sure about v2ray.

8organicbits
13 replies
1d3h

What's the current legal risk of using a VPN in China or Russia these days? I found a couple articles about people getting charged, but none I know to be reputable or particularly well written.

seanmcdirmid
5 replies
1d2h

China at least, isn’t a strong rule of law country, rather it is more of a rule by law one. So if they want to get you, they’ll find some law to get you on, and if they don’t, they won’t go after you for using a VPN or other minor offenses. So I wouldn’t really worry about it.

d0mine
3 replies
1d

Are there any other types of countries? Note: you don't need to put something into law to silence someone.

If necessary anyone can be canceled. Everybody is "guilty" but select few are prosecuted.

Therefore the real power belongs to those who decide what issues can be ignored.

cracrecry
1 replies
23h0m

Yes, they are. There is a world of difference. In the West you normal people have so much power they do not even realise. You see that when you live outside it.

In the West there is a long history of institutions (like cities) that went against the abuses of the people in charge. You were a servant, you entered a city (burg), you became free, the city protected you. This happened for centuries. In China something like that happened at specific periods, but eventually the Emperor took all the power.

In China the Emperor or the Tzar in Russia could do anything. In Russia those that wanted freedom lost every single time. If a servant entered a city and the city did not deliver the fugitive, the Tzar will burn the city. The same happened with the Soviets. You want your own food? We will kill you all and send your children and wife to Siberia. Everybody else (not the Emperor) were servants. Now Xi or Putin are the new emperors, like Lenin, Stalin or Mao were.

I have lived in China as a privileged engineer/expatriate.

Basically most people have no idea what a country without rule of law (like China) is.

> If necessary anyone can be canceled.

Or you can cancel them. You consider yourself a victim, a nobody, but people can get public and get a million views and could do real damage to those in power.

asdffdasasdf
0 replies
10h57m

you were also a privileged person in the West and oblivious to poorer people outside of larger cities as the people you saw in China being oblivious to poorer people living outside of larger cities. foreigners, no matter how privileged, hardly can live inside the safety bubbles you yourself lived in the west.

seanmcdirmid
0 replies
19h24m

There is no black and white rule of law/rule by law countries. Only ones that tilt more to one or the other. So like China might be a 35 and the states might be a 65.

machomaster
0 replies
1d1h

Pretty much the same applies to Putin's Russia as well.

kgeist
2 replies
1d2h

I guess it depends on what sites you want to visit using VPN. People here in Russia openly use VPN to visit Instagram etc., and no one seems to have an issue with that. But if you want to read some opposition sites, however... Now that's some gray area.

EasyMark
1 replies
19h59m

If the VPN is working then they wouldn't know if you're going to instagram or fuckrussianoppression.org tho

gh02t
0 replies
14h48m

That ambiguity is beneficial, they can simply say you did whatever they want to say with the VPN usage as a pretext.

antisthenes
1 replies
1d1h

Don't forget that the "real" risk and the "legal" risk in states like Russia/China can be very different.

The laws are written in specifically vague verbiage as to be interpreted in favor of state actors by judges whenever they need to be. You may be clear in the letter of the law in your mind, until a charge is brought up against you using another law, etc.

EasyMark
0 replies
19h57m

"We support democracy and freedom of expression except in these 20,352 exceptions"

machomaster
0 replies
1d1h

In Russia using VPN itself is not illegal. Using VPN to do certain stuff can be punished, of course.

lovegrenoble
0 replies
1d1h

Just block CNN to sleep better )

circularfoyers
6 replies
1d3h

Outline (https://getoutline.org) is even easier to deploy than Streisand in my experience and uses Shadowsocks.

quickslowdown
2 replies
1d2h

This is really cool, thanks for sharing! I've been using Tailscale for a while, mostly because it's simple, but I don't love relying on some company for my VPN. Is this more like OpenVPN or Wireguard? Reading their site, it seems like it's closer to a traditional, OpenVPN-like connection, but I'm still interested in this over something like Nebula.

nylonstrung
0 replies
1d2h

You could also use headscale to self host a tailscale control server

latchkey
0 replies
1d2h

ThePowerOfFuet
1 replies
1d1h

> getoutline.org uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.

Doesn't even let me decline cookies not required for operation of the website, yet wants me to trust them with my data?

gtfo.

throwaway22048
0 replies
22h12m

Just decline them in your browser settings...?

asdffdasasdf
0 replies
11h2m

all those things are useless.

if you have contact out of the country you're already part of a very small elite. if not, you cannot use this. they are so oblivious to the demography they claim to help that the site requires js, a big no if you want to be seen by really f** people having to use tor browser.

all this does is placate some small elite. it helps china/Russia more than anything else.

feedforward
0 replies
23h45m

Should point out when people go into the Sturm und Drang of the Great Firewall, that it was largely built by corporate America.

https://www.wired.com/2008/05/leaked-cisco-do/

erebe__
0 replies
23h25m

Shameless plug, there is also wstunnel (i am its author) https://github.com/erebe/wstunnel/, hope you enjoy.

KomoD
0 replies
1d1h

v2ray is a great alternative

EasyMark
0 replies
20h4m

I imagine that is something that is not "top secret" that Xi can easily share with Putin and something that could be applied almost immediately to routers in Russia. That sucks that Russians can't see other perspectives. It doesn't seem to matter a lot since 80% of Russians still support him mindlessly, but those other 20% can help set a seed of doubt on his atrocities and autocratic lies but not if they can't get info.

MrDisposable
13 replies
1d1h

Russian here, living in Russia.

My paid VPN provider stopped working months ago. Then my self-hosted Outline server stopped working. Then my self-hosted OpenVPN stopped working too. Both were hosted on Digital Ocean (Frankfurt).

What currently works for me is self-hosted Outline running on an US server, but I suspect that won't last long.

Looks like I have no choice but to learn how to self-host XRay. A smart friend told me that it still works and is hard to block, but unfortunately he has no personal experience with it -- and no need for it anymore, since he emigrated to another country.

Does anyone here have any experience with XRay / XTLS-Reality?

genman
3 replies
23h16m

I was so hopeful in the beginning of 90s. There was sense of harmony all over the Northern hemisphere.

But then Russia started to quickly become more and more aggressive, yes, first in the rhetoric, but then Putin came and the shit became real. Now I understand that the Russian society first had a kind of agreement with him - they don't mind the politics and Putin doesn't mind them.

It looks like it has played out well for Putin but not so well for the rest of the Russians.

Closing down close to all of the Internet traffic to the free world feels completely logical when the play of elections is nearing and if it is successful then it will probably remain like this.

timka
0 replies
4h16m

I was a teenager during the 90s in Moscow and share none of your sentiment.

Yes, we lost the Cold War. NATO won. Understood.

We got child prostitution, heroin epidemics, kids inhaling acetone vapors from glue to get high in basements, together with so called 'democracy'. Also lost significant part of science and industry, free education and health care.

Something's terribly missing from your "harmony". Sorry, but this seems like ignorance.

pvaldes
0 replies
7h37m

Disclaimer: This is just an opinion and I'm not expert in Russian affairs in any way

I assume that Russians know but choose to ignore it. Russian frontiers are simply too big to become closed to external info forever. There are a million ways to sneak terabytes of videos among the import containers. Just a pigeon carrier with a SD or micro SD card would pass the blockage.

But it doesn't matter. Showing the carnage and the lies of the government of the last two years will not move a hair. IMAO, Russians are in an archetypal abusive relationship with Putin. In these cases, the abused lives in denial, too afraid to break the bubble. As long as there is a tiny chance that the grinder-meat will stop before they reach top of the list, will obey and remain quiet as a flock of sheep. They will choose to please their abuser hoping to remain low in the punish list.

Most of the 302.000 Russians killed in this war either never see it coming, or were too paralyzed to make a move and put themselves out of the frying pan (And videos in Avdiivka for example are crystal clear showing that is exactly that: a chain of frozen blue hamburgers running towards a giant frying pan).

Unfortunately a lot more will die this year, so the army remains distracted dying, far from turning their focus towards Kremlin. Unless they will break the spell, the eventual disintegration of Russia in smaller states vassals of China seems more and more probable each day.

EasyMark
0 replies
19h48m

The USA dropped the ball on this. I was screaming at the news (or anyone that would listen :) ) that we needed to work closer with Yeltsin/Gorbachev to support the burgeoning democracy. The USA just patted itself on the back and didn't do anything diplomatically/financially other than lip service to build economic ties and then the big collapse and rise of oligarchs and Putin.

mmastrac
2 replies
1d1h

As a curiosity, how do you pay for an EU VPS given the sanctions?

dudefeliciano
0 replies
1d1h

DO does accept cryptocurrencies, that could be an option

MrDisposable
0 replies
1d1h

Via a business bank account in one of the Baltic countries, or via a personal bank account in Georgia.

For people who don't have bank accounts in other countries, or are of conscription age (means you can't get an international passport which is necessary to cross the border) I'd recommend teaming up with friends who emigrated. Some of them still need rubles in Russia (to pay for mortgages, or help their parents), so you provide them with rubles and they pay for your VPS.

jmnicolas
2 replies
23h33m

Why do you host your VPN in "hostile" countries?

Wouldn't it be better to host in Asia (Viet-Nam comes to mind) or Central / South America (Nicaragua etc)? Latency might suck but it would be better than no access.

cromka
0 replies
21h24m

Chances that “the baddies” have an informal Five Eyes alike agreement are pretty high, I’d say.

MrDisposable
0 replies
21h8m

Just plain convenience and my laziness. Also, I'm not concerned about being prosecuted for the use of VPN (well, at least for now), I just want my Internet to work.

pilosus
0 replies
23h39m

I’ve written an Ansible playbook [1] to automate XRay installation on a Linux machine. Some people say XRay works well, but I don’t have personal experience.

[1]: https://github.com/pilosus/Xray-ansible

chris-orgmenta
0 replies
5h20m

(Sorry, this is possibly just my naivety here) - Would Mullvad+WireGuard still be an option?

https://mullvad.net/en/help/connecting-to-mullvad-vpn-from-r...

(And allows you to pay by posting cash or paying by cryptocurrency)

asdffdasasdf
0 replies
10h51m

you're probably getting spotted by using a single server every time. protocol doesn't matter

pinochet2021
7 replies
1d3h

Try SquareX's disposable browser - works for me in China and is basically Remote Browser Isolation but for consumers. It seems free right now - https://www.sqrx.com

tipsysquid
5 replies
1d3h

requiring an email in order to download a privacy tool isn't a great start for anonymity. why should I trust this tool?

pinochet2021
3 replies
1d3h

Technically you are buying VPN services by giving your credit card :D

use a dummy email -- if you feel so unsafe. At least Squarex is free right now so no credit card needed

SpaghettiCthulu
2 replies
1d

You can pay for VPNs with cryptocurrency instead

cassianoleal
1 replies
21h8m

For Mullvad you can buy gift cards as well. Even if you pay for those with a credit card, there's no link between the payment and the contents of the gift card.

EasyMark
0 replies
19h45m

I send cash and it has worked just fine. I guess depends on honest mail people between you and them though.

justinclift
0 replies
1d3h

Maybe don't trust it?

It seems to accept sharklasers.com (aka anonymous) email addresses though, so you don't have to use your real email address. :)

It also seems to work via Tor Browser, although it's a bit slow.

ordu
0 replies
1d2h

Thanks. For now my VPN is still working, and Tor as well. But it is nice to have one more alternative.

cyberge99
7 replies
1d3h

I wonder how this will affect political discourse in the USA. Legitimate question. I’m not concerned with “sides”, more interested to know if there will be less “division/fiery rhetoric”. There seems to have been a systemic psyops campaign from foreign actors into US political “hot” topics.

paganel
2 replies
1d3h

What's the US internal political life got to do with Russians' access to the outside internet? This is the same level of psy-op-ing as the Democrat presidential candidate from 2016 accusing some kids in North Macedonia (?!?) for her losing the election.

myko
1 replies
1d3h

It is a fact that Kremlin sponsored psyops campaigns worked to hinder her candidacy. The Mueller report laid this out in detail.

To answer your question, I think they were wondering if this would make it more difficult for Russian groups to perform these psyops jobs. My thought is no: these groups will likely not have to deal much with these firewalls, considering they're explicitly backed by the Kremlin in their effort.

myko
0 replies
20h45m

I've received some downvotes here that I don't quite understand, I am guessing folks haven't read the report or understood it:

High level reporting of the report contents: https://time.com/5610317/mueller-report-myths-breakdown/

Volume 1 of the report itself, a pretty easy read really: https://www.justice.gov/archives/sco/file/1373816/download

mcv
2 replies
1d3h

It's also possible that Russian troll factories still have their own VPN to outside the Russian firewall.

The_Colonel
1 replies
22h43m

It's not just possible, it's very, very likely.

EasyMark
0 replies
19h41m

I would take 100 to 1 odds on that as well. No way the troll farms are blocked. Just scroll through twitter feed on a fresh account. Lots of obvious Iranian and Russian troll farm bots. I think if I was a billionaire I'd probably set up American "patriotism" troll farms, but they would be milquetoast and happy medium "western civilization is great bots" instead of all the hyper partisan stuff. If nothing else as an experiment.

Applejinx
0 replies
1d3h

Absolutely not, this cannot be to restrict access of bad actors TO the West. This is to restrict regular old Russian citizens from getting information FROM the West. There is no chance at all that such blockage cuts off the ability to conduct military operations on the internet.

cedws
6 replies
1d1h

It's worth mentioning that the Russian government has a plan to completely detach the country from the wider Internet. This system has already been tested and is available at the flick of a switch.

Unfortunately, it's probably a matter of time until this system is activated for real and the Iron Curtain drops to the floor. Then Putin will find some way to blame the West and rally against us.

The_Colonel
4 replies
22h49m

I don't believe that this is coming. It would have large economic costs (how to conduct international business with "friendly" countries? etc. etc.), would piss off a significant share of the population (e.g. online gamers) etc. It's just not worth it.

For countries like Russia, the goal isn't necessarily to cut off all connections, the goal is to discourage it, make it expensive, annoying, slow, so that a large majority of the population will opt to use the Russian internet.

cedws
3 replies
22h25m

I don't know. People said the same thing about the invasion to begin with. That it would cause significant economic harm to Russia, cause civil unrest, and so on. Yet they did it and pulled through somehow.

I don't think they'll hesitate to do it if they see the need to. Putin wants the Soviet times back at any cost. He has many strings he can pull if he feels threatened.

maximus-decimus
2 replies
22h18m

Bread and circuses. It's weird to say, but I do believe that banning circuses (the internet) would cause more problems than a conscription.

Const-me
1 replies
20h19m

circuses (the internet)

According to a Russian resident I follow on social media, over the last 2 years Russians improved their localized circuses: VK, mail.ru, etc. The guy says these are now somewhat close to the originals i.e. Facebook, Instagram, YouTube.

The_Colonel
0 replies
20h7m

How is the Russian equivalent of Marvel doing? Is there a strong Manga production? How many AAA games does Russia produce? K-pop is pretty popular in Russia, how about that?

Internet/media has a very long tail, which Russia can't hope to replace.

asdffdasasdf
0 replies
10h44m

of course it's possible. any country can do this. all trunk connections are owned by the government telecom branch in 99pct of the world.

but then Russia would have a hard time making their hacking. lol.

dr_pardee
4 replies
1d4h

Ten years ago, I was working for a US post-production company that produced a one-off game show in China. We used OpenVPN to monitor our servers, but it was being blocked. I ended up setting up a new OpenVPN server using obfsproxy, and it worked. It might be worth trying in your situation: https://community.openvpn.net/openvpn/wiki/TrafficObfuscatio...

Covzire
3 replies
1d3h

It should be an OS-level implemented feature at the TCP/IP layer so all non-local traffic is unrecognizable to anyone but the true recipient.

IDS/IPSs are virtually worthless these days anyway so I can't see much downside if every Windows, Mac and Linux OS's network traffic appeared to be completely random/obfuscated out-of-box.

bbarnett
1 replies
1d2h

But sir, how will they protect the children, if the OS does that?

vsgherzi
0 replies
23h41m

Good one

yjftsjthsd-h
0 replies
1d2h

I've heard it claimed that IPv6 was supposed to bake in IPsec as part of the core protocol which I think would have given you what you want, but 1. obviously that's not how history actually turned out, and 2. honestly I'm kind of glad that it didn't because I would rather not be stuck with IPsec forever.

vbezhenar
3 replies
1d3h

Working around DPI blocks is possible as long as you can get your hands on a foreign VPS. Just invent your own protocol and use it for yourself. Wrap it with HTTPS or even HTTP, nobody has the resources to analyse every single website protocol.

However, some huge ingress/egress traffic to an unknown website with few random pages looks very suspicious. So it's possible to select those websites using statistical analysis.

Now the question to hackers: how do I hide tunnelled traffic so its statistics do not look suspicious?

Ideally one would use some CDN webserver (like cloudflare or amazon), however without encrypted SNI, host is extractable with DPI.

wiml
0 replies
23h53m

That's what "domain fronting" was: you put an innocuous domain in the SNI but a different domain in the Host: header and in some circumstances with some CDNs this would work.
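The SNI/Host mismatch described in the comment above, as it would be triaged from the logs of a TLS-inspecting egress proxy. This is an added example, not part of the thread; the record field names and the sample records are constructed, and it assumes the proxy logs the ClientHello SNI, the Host header and the SAN list of the presented certificate.

```python
"""Triage SNI/Host mismatches in TLS-inspecting proxy logs (added example).

A bare SNI != Host rule is noisy: HTTP/2 connection reuse lets a client send
requests for another hostname on an existing connection when the certificate
also covers that hostname. So the SAN list is checked before flagging.
"""


def normalize(name: str) -> str:
    """Lower-case a hostname and drop a trailing dot and any :port suffix."""
    name = name.strip().lower()
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")


def san_covers(san: str, host: str) -> bool:
    """True if one certificate SAN entry is valid for host.

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label, so *.example.net does not cover a.b.example.net.
    """
    san = normalize(san)
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # ".example.net"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return label != "" and "." not in label


def classify(rec: dict) -> str:
    """Return match, coalesced, fronting-suspect or no-sni for one record."""
    sni = normalize(rec.get("sni", ""))
    host = normalize(rec.get("host", ""))
    if not sni:
        return "no-sni"
    if sni == host:
        return "match"
    if any(san_covers(s, host) for s in rec.get("cert_sans", [])):
        # Certificate is valid for the Host too: consistent with HTTP/2
        # connection reuse. Lower priority, not proof of benign traffic.
        return "coalesced"
    return "fronting-suspect"


# Constructed sample records (field names are hypothetical).
SAMPLE = [
    {"sni": "www.example.com", "host": "www.example.com:443",
     "cert_sans": ["www.example.com"]},
    {"sni": "static.example.net", "host": "api.example.net",
     "cert_sans": ["*.example.net"]},
    {"sni": "allowed.example.net", "host": "hidden.example.org",
     "cert_sans": ["*.example.net", "example.net"]},
    {"sni": "static.example.net", "host": "a.b.example.net",
     "cert_sans": ["*.example.net"]},
]


def triage(records):
    """Return (host, verdict) pairs in input order."""
    return [(normalize(r["host"]), classify(r)) for r in records]


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE):
        print(f"{verdict:17} {host}")
```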

dijit
0 replies
1d3h

FWIW I stumbled upon the fact that AnyConnect (VPN from Cisco) about 10 years ago could walk over our HTTPS/DPI proxies/firewalls at Ubisoft. Which was mostly interesting because it was Ubi itself using AnyConnect.

In my efforts to use Linux (which is not supported by Cisco) I found "OpenConnect" and its partner: "OCServe"; which are open source compatible client & server software (respectively) for the protocol.

On the wire traffic looks like normal HTTPS traffic, and without the SSL "CONNECT" header which DPI loves to drop as it's known used for proxies and vpn solutions.

YMMV, but it's worked for me with aggressive HTTP proxies in other companies too. :)

anticensor
0 replies
5h4m

Working around DPI blocks is possible as long as you can get your hands on a foreign VPS. Just invent your own protocol and use it for yourself. Wrap it with HTTPS or even HTTP, nobody has the resources to analyse every single website protocol.

Some firewalls will simply drop those protocols.

rasz
2 replies
1d1h

Bashkiria is heating up with thousands on the streets for two days in a row, plus Moscow rolling blackouts just kicked in.

timka
0 replies
4h43m

The Ural federal district is the testing site for the ASBI (АСБИ).

What blackouts are you talking about? I'm in Moscow. Never heard of that.

MrDisposable
0 replies
1d1h

Already suppressed, which is expected given that it's just 2 months before the election.

hellcow
2 replies
1d4h

Mullvad has a Wireguard obfuscation feature you can enable. Does that work for you?

tears-in-rain
0 replies
1d4h

no need, but thanks. daily routine became more painful, because of two-way blocking. i can't even read new science paperwork from US universities, they block whole ASNs. we're slowly moving to great firewall, i suppose.

EasyMark
0 replies
19h43m

I think that would fail since that is just wg through a wg tunnel

timka
1 replies
5h40m

This is HN not PN. I do realize HN is full of libertarian spoiled youth (and spoiled not-so-youth-already including myself) but I don't want to teach anyone how to live.

The time will show.

I do understand libertarians. I personally was really unhappy to see more and more "regular people" getting internet access since the late 90s. Now the Internet is full of crap. I have trouble finding stuff that was easy to find in, say, 2010.

I do miss "the underground days" of FidoNet. And underground is total denial of the mainstream. But the Internet is not just the mainstream, it's the infrastructure now.

I grew up in Moscow in the 80s-90s and my passion for computers somewhat saved me from the street influence but OTOH I did have the Anarchist's cookbook, for instance, precisely b/c of the computers. Absolutely unregulated. That is I'm sort of the early kind of spoiled kids.

Most Russians had enough of the 90s with child prostitution, heroin, skinheads etc. They just want unspoiled kids to continue rebuilding the country they lost in the 90s but better. They don't need BLM/LGBT/whatever extreme stuff in the mainstream. There's a place for that and it's called underground.

Also, I think the English-speaking Internet may be viewing modern Russia as at least as oppressive as the USSR but this isn't true IMO. They have learnt the lesson and do realize that prohibiting and classifying almost everything is not the way. As well as basing regulations, policies and even international affairs on ideological principles.

That is, the system is very much interested in the existence of the underground. It's similar to how enforcing customs regulations totally has turned out to be too expensive and bad for the economy. Some expert in the area said that ~10% of smuggling is a healthy balance.

Another example. I once talked to a guy from Sochi who told me that during the preparation of the 2014 Olympics some local hippies were approached by special "people in civilian clothes". The hippies have been told something like: we know you grow shrooms and weed, and that's OK, no worries, but we need you to stay away off during the Olympics.

Yet another example. While visiting the village where my grand-grandfather was born I heard that they got their own potheads and shroom eaters, in the next village or something. Everyone knows about that, police included.

Dumb enforcement never works well for such things. Just remember how desperately the Russian Empire was trying to make the Ashkenazi cultivate the land. The government gave them the rich black earth in Novorossia. That worked perfectly for many of the Germans and the Greeks but not so much for the Ashkenazi. The government didn't want to understand that this just wasn't something Ashkenazi would like to do.

Also, I think most of those young kids thinking they're protecting freedom of speech are just acting like offended children who ran away from home. For how long can they survive? Even if they can, is it good for them? The Soviet Union was a very paternalistic system that everybody was fed up with. People thought that with the destruction of the Union they'd only get freedom. In reality they not only got freedom but lost many things they were taking for granted like free health care and education, science and a significant part of the industry.

dantyti
0 replies
50m

You think you're not mainstream, but your whole spiel is written in imperialist, antisemitic tropes, which Russia is so well-known for. Corrupt police in Russia not persecuting drug dealers? A true underground. Human rights abuses? All par for the course.

Here's what my country lost with your 'union': our occupiers, abusers, and enslavers. 'The time' already showed us what's what. Good riddance.

shebnik
1 replies
21h14m

What is interesting is that since 2022 a lot of sites and hosting services decided to ban access from Russia. Quite often to very simple things - nothing related to technology. And I don't remember anybody outside Russia finding it crazy. (I am too lazy for VPN and accessed most of the stuff through web.archive.org). So, when Russia closes some access it is an attack on the freedom. And when West blocks access from Russia it is protection of the freedom :)

For example, I found about some 'world oldest tree' competition through the news that it banned trees from Russia. Curious enough, I found their site and.... it rejected me by IP.

khzw8yyy
0 replies
20h47m

"That's different" (tm)

We are supposed to go overthrow Putin to get LinkedIn and Spotify back (or something).

pvaldes
1 replies
1d

Most probably related with the revolts started in the Russian republic of Bashkortostan the last week.

genman
0 replies
23h16m

The play of elections is also coming.

monday_
1 replies
1d1h

Typing this from Moscow, over OpenVPN. I have been around the country over the last year and am yet to experience protocol-level blocks (although there are credible reports this happened, just not in my experience). It seems like the current wave is about blocking popular providers. Folks with own server, like myself, are not a target so far.

I'd expect the government to cool down expansive internet censorship until the "elections" in March, since hitting the preapproved outcome figures will be harder this way.

asdffdasasdf
0 replies
10h48m

their heuristics are probably looking for long time connections.. you're escaping by moving the client around

loregate
1 replies
1d3h

Maybe now I can play CS:GO/CS2 in peace.

sesm
0 replies
23h46m

But Steam network services are not blocked in Russia, as far as I know. Steam itself does block certain games for Russia, but CS is not one of them.

keddad
1 replies
1d4h

I don't believe it is true. They might block commercial solutions, but I'm using WireGuard with exit point in Netherlands right now, works fine (although on certain providers, I've seen some throttling, but that could just be coincidental)

UPD: I asked some friends, some of them have faced problems. I guess it is not protocol block, but instead combination of protocol and "suspicious" server. Mine has stuff other than VPN running on it, so it might have flown under the radar.

abyrvalgg
0 replies
22h7m

The same for me. I use Wireguard to connect to VM in Netherlands and to VM in a local cloud. Didn't notice any problems.

jruohonen
1 replies
1d5h

Any hints on how they're doing it and at which layer? DPI at the 7th layer?

itvision
0 replies
1d5h

It's been rumored to be DPI and what's even worse it's being done by circumventing sanctions: https://theins.ru/en/politics/265749

jacquesm
1 replies
1d4h

With some luck they end up blocking their own troll farms.

mmastrac
0 replies
1d1h

Unfortunately I imagine those operate from regions without controls. I remember the story of the fire at the troll factory from a few years ago when internet discourse magically improved for a few days.

cassepipe
1 replies
23h46m

Maybe it's the right place to advertise Snowflake. It's a browser extension that allows people to bypass Tor censorship if I understood correctly: https://snowflake.torproject.org/

tg180
0 replies
23h19m

Snowflake users from Russia are still on the rise

https://metrics.torproject.org/userstats-bridge-combined.htm...

canjobear
1 replies
22h59m

For what it's worth I tried NordVPN in China recently and all the servers were blocked. Totally useless. But weirdly, when I connected to the internet over cell data on my phone, there was no blocking at all...

patrakov
0 replies
1m

Was that a Chinese SIM or a foreign SIM in roaming? Hong Kong SIM cards are an effective way to circumvent the Chinese firewall, and, if you don't mind the prohibitive cost, they work against the Russian firewall, too.

Departed7405
1 replies
1d1h

Doesn't Russia still have TOR nodes running? Are those blocked?

gumballindie
0 replies
22h49m

I would advise against using popular or well known protocols as those are prime targets. I’d use disguised protocols instead.

timka
0 replies
8h32m

Writing this from Moscow over a private OpenVPN instance hosted on Hetzner by a friend of mine. Sometimes it stops working. It's been like that for a couple of years.

theyinwhy
0 replies
23h16m

I highly recommend hans to bypass such shenanigans: https://github.com/friedrich/hans

the_mitsuhiko
0 replies
1d3h

Russians at this point are somewhat accepting the latest shenanigans of Roskomnadzor and in some cases are even somewhat supportive of it ("necessary evil"). So part of why there is not a lot of discussion on the English internet is that even on the Russian internet there is not a ton of discussion about it.

VPNs stop and continue working on a somewhat regular schedule for a long time at this point.

sylware
0 replies
1d4h

Maybe that's why while playing dota2 in EU, as a support, I have been getting in the last few days very bad cores? Or am I into a lose streak which valve matchmaking became master at crafting for us once in a while?

shebnik
0 replies
20h58m

just checked - OpenVPN works just fine if all traffic is local (we use it to access company network).

sega_sai
0 replies
1d1h

Because of the issues with OpenVPN/Wireguard blocking, a few months ago I completely switched to shadowsocks which I think mostly works. But it looks like https://github.com/amnezia-vpn/amneziawg-go -- is the way to go, which is an obfuscated wireguard.

pshirshov
0 replies
23h19m

This thing works perfectly well: https://xtls.github.io/

I provide some server nodes to certain people there.

notarget137
0 replies
1d3h

And here I am writing this post via Wireguard VPN through my home router marking traffic to an outside VPN gate with ease.

mmastrac
0 replies
1d1h

Information control is just one part of how totalitarian regimes maintain that control. Western media is full of stories of the Russian "meat grinder" that would probably incense Russians, so it's probably in Putin's best interests to control how many Russians can actually see that.

khzw8yyy
0 replies
20h46m

IKEv2 hasn't worked since last fall (and mine was self-hosted). They keep upgrading the DPI.

kgeist
0 replies
1d2h

I haven't been able to use my OpenVPN server since August 2023. All connections are reset. Surprised someone could still use it. Perhaps it was rolled out on a per-ISP basis.

jnwatson
0 replies
22h51m

I had a friend recently visit China and he needed access to the real internet and the VPN providers he had used before were blocked.

It took me all of 10 minutes to set up a OpenVPN server in East Asia on DigitalOcean. The container even comes with a client installer that has the parameters preloaded.

Worked fine.

jmnicolas
0 replies
23h44m

Wouldn't something like v2ray help? How did you post on HN btw?

erebe__
0 replies
23h28m

You can use wstunnel to bypass firewall. I had many feedbacks from chinese/turkish/iranian people using it with success. Easy to setup also with static binaries.

https://github.com/erebe/wstunnel/

cf1241290841
0 replies
1d1h

Might be a case of me being too stupid to use ctrl + f

But it's very much worth mentioning that Russia has totalitarian laws that criminalize the use of VPNs.

bananapub
0 replies
1d2h

The prospect of an isolated Russian interweb has become oh so real.

none of the comments below have picked up on this specific thing but Russia has done exercises on exactly this topic. they seem much more prepared to do it / want to appear to be willing to do it than any other large country that isn't already a police state.

amai
0 replies
4h56m
acheong08
0 replies
20h2m

Hey there! Lots of experience with this having lived in China for 2 years. I recommend you look into xray-core or v2ray.

https://github.com/v2fly/v2ray-core

https://github.com/XTLS/Xray-core

Here are my configs: https://github.com/acheong08/notes/tree/main/xray

Why this over WireGuard or OpenVPN or commercial solutions? Because it’s obfuscated and you’re much less likely to get caught. Try hosting a small game server on the same machine as well so the traffic doesn’t look too out of place.

NoOn3
0 replies
23h19m

I want to point out that many sites still work without any VPN, including this site. And not all foreign sites are blocked, but only those included in special lists.

MrDisposable
0 replies
1d

Some good news amidst this doom and gloom: I just installed AmneziaVPN (https://amnezia.org) on my VPS and it works great so far -- and pretty fast as well.