I have the fortune to reside in Russia-controlled Donbas. Over here they have been blocking all WireGuard connections for a long time. OpenVPN seems to be blocked selectively depending on the host. The government and commerce must need it more than WireGuard.
It isn't consistent. Different ISPs block different hosts and protocols at different times. I assume we are a kind of test and staging environment for censorship in Russia.
In the interest of anonymity I am not going to respond to your questions.
[stub for offtopicness]
Stay strong, hopefully, Russia will collapse and you'll be free - I may be naive but I still think there are enough Russians who can see this tragedy as the doing of a man who wants to continue to live the life of a king, and it's probably his only way of survival after so much murdering and prosecution.
I'm not sure a collapse of Russia would be good for GP. Living under an oppressive regime is not fun, but Putin's Russia isn't that bad as dictatorships go, and anarchy/societal collapse aren't fun either.
GP won’t suffer from anarchy or societal collapse. According to internationally recognized state borders, they live in Ukraine, not in Russia.
Russians have lost approximately half of the land they have occupied in the first 3 months of the full-scale war. We have repeatedly observed that the Ukrainian government is willing and capable of bringing law and order to these liberated territories.
I know someone who has spent a lot of time working in Ukraine, and has acquaintances there they keep in touch with. Their description of the situation is not nearly as rosy as yours. The war (which, for the Donbass, started in 2014) has devastated an immense amount of territory. Ukraine had Europe's lowest fertility rate even before the war, and now millions of working-age men are dead, wounded or have left the country, which makes prospects of a quick recovery slim. Also, Ukraine's government is extremely corrupt, and while less autocratic than Russia it is very far from a model democracy (was even before the war, and war tends to make countries more corrupt and authoritarian). The best thing for GP to hope for would likely be peace, as soon as possible, and which side of the armistice line they fall on won't make much difference for them.
Ukraine is at war, nothing rosy about that.
Still, living conditions of people north of Kyiv, north of Kharkiv, or in Kherson are dramatically better than GP’s situation. Note GP can’t even freely talk to English-speaking strangers here on HN because they fear the consequences from the Russian invaders who call themselves “government”.
GP has very good reasons for that fear. Russians are doing horrible things to Ukrainians on the occupied territories, for example https://www.reuters.com/world/europe/torture-chambers-ukrain...
They are also dramatically better in Moscow, St. Petersburg, or Vladivostok. Of course being far from the front lines is better than being near them.
People in Ukrainian-controlled territory can't talk freely either, there have been many cases of extrajudicial arrests and even killings of dissidents by Ukrainian government authorities. For example, peruse Gonzalo Lira's list (Lira himself died a week ago in Ukrainian custody): https://twitter.com/GonzaloLira1968/status/15174577687976796...
---
This is a war between two thuggish regimes. One thug might be a bit more brutal than the other, but the war itself is what's doing the most harm to ordinary people.
Kherson is less than 5 km from the active war zone. Northern parts of Kharkiv oblast have a Russian border nearby, with Russian recon groups routinely trying to infiltrate.
I have several friends currently in Ukraine. None of them is scared of expressing their political views, neither IRL nor on the internets. None of them supports Russia for obvious reasons, but not all of them are huge fans of their current government.
Wikipedia has an interesting article about the guy https://en.wikipedia.org/wiki/Gonzalo_Lira The article says the arrest was lawful, Ukrainians released him on house arrest, he tried to flee the country, then he was arrested for real and died of pneumonia in custody.
Every death is a tragedy, but I don’t believe the Ukrainian government deliberately killed that person. Why would they fake pneumonia during the war, at the time when random civilians are routinely killed by Russian missiles and drones across the whole country?
This is Ukraine’s war of independence. Ukrainians have lost the last time in 1917-1922. This time, things will be different.
He was arrested for political speech, which is ipso facto an unjust violation of his fundamental human rights and of natural law. Putin's Russia also has "laws" that justify the arrest of dissidents, doesn't make it OK. (And many of the other people on Lira's list were simply summarily executed, without any trial or other legal process)
I don't know what political speech means to you.
Are you aware that Ukraine is engaged in an existential war? Gonzalo Lira was justifying Russian aggression against Ukraine, denying the facts of Russian missile strikes on Ukrainian cities, as well as massacres of civilian Ukrainians by Russian invaders in Bucha and other cities.
Then he was taken into custody because he violated the terms of his bail and tried to escape. Originally meant to be under house arrest in Kharkiv, Lira was detained in another part of Ukraine: Zakarpattia Oblast, where he tried to cross the border into Hungary.
There are a number of real journalists in Ukraine investigating big corruption cases, some of which have even resulted in the replacement of the Minister of Defense. These journalists have not faced assassination or imprisonment, although there have been instances of them being pressured in some ways.
If a state's continued existence relies on restricting people's fundamental human right to free expression, then that state deserves to die.
It seems you apply US laws to the rest of the world. Ukraine is not part of the US, it’s a part of Europe. In Europe, the legal systems are rather different.
For example, public display of Nazi symbols in the US is a protected free speech under the first amendment. However, the same action in many other countries is a crime: https://en.wikipedia.org/wiki/Bans_on_Nazi_symbols This doesn’t make governments of France or Belgium “thuggish regimes”.
serious question -- your first sentence: is it sarcasm or do you really consider yourself to be fortunate?
Fortune is like fate or luck here. There's good or bad, but it's still one's lot in life.
That is obviously sarcasm
My condolences. Hope Ukraine and allies can sustain enough pressure to free those lands.
Damn. So sorry, mate! I was born not far from a Soviet base back before the curtain fell, but nothing like Donbas.
Fingers crossed and some contributions to the cause already done. In the meantime: Slava Ukraini!
How, technically, can they block WireGuard? It can operate as pure UDP on any port. Are we referring to wireguard vendors like tailscale here?
This is what I was wondering. I don’t understand these VPNs too deeply (though I do occasionally administer an OpenVPN setup), but I was under the impression that they’re sending encrypted packets over UDP on arbitrary ports. That seems quite tough to analyze and block.
Why analyze when you can whitelist?
Ok fair. The approach might be block everything except https/tcp.
In which case what we need is https side channel VPNs.
The protocol has a defined structure (check out 5.4.6 in [1]), and can therefore be detected and blocked. It's probably easier to block than a TLS VPN, which has a lot of typical TLS noise to hide in.
[1] https://www.wireguard.com/papers/wireguard.pdf
What about something like udp over tcp?
This is the first (that I know of) public conversation about this and goes into detail about the various problems with obfuscating WireGuard.
https://lists.zx2c4.com/pipermail/wireguard/2016-July/000184...
The reply https://lists.zx2c4.com/pipermail/wireguard/2016-July/000185...
... is pretty informative. There is a PSK mode, which really should be essentially indistinguishable from random UDP packets. But I haven't read deeply enough. I do PSK on all my networks, but that has its own disadvantages. I honestly thought that was the only way to do wireguard.
China uses statistics, entropy of packets and other DPI-like methods[1],
also HN discussions of it[2]:
[1] https://gfw.report/publications/usenixsecurity23/en/
[2] https://news.ycombinator.com/item?id=36531485
Wireguard headers are fingerprintable.
I would have thought psk mode would have encrypted the entirety of the initial handshake
maybe not
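The fixed header layout that the comments above point to in the WireGuard whitepaper, as an added example that is not part of the original thread: a passive classifier that labels a UDP payload by its cleartext type byte, the three zero reserved bytes and the message length. The function names are hypothetical and the sample packets are constructed, with random bytes standing in for ciphertext.

```python
import os

# Fixed total sizes of the three handshake-phase messages (whitepaper layouts).
HANDSHAKE_SIZES = {1: ("handshake_initiation", 148),
                   2: ("handshake_response", 92),
                   3: ("cookie_reply", 64)}
TRANSPORT_TYPE = 4
TRANSPORT_MIN = 32  # 16-byte header + 16-byte AEAD tag (an empty keepalive)


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name a UDP payload is shaped like, or None."""
    if len(payload) < 4:
        return None
    # Byte 0 is the message type; bytes 1-3 are reserved and sent as zero.
    if payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in HANDSHAKE_SIZES:
        name, size = HANDSHAKE_SIZES[msg_type]
        return name if len(payload) == size else None
    if msg_type == TRANSPORT_TYPE:
        # Plaintext is zero-padded to a multiple of 16 before encryption,
        # so header (16) + ciphertext + tag (16) is also a multiple of 16.
        if len(payload) >= TRANSPORT_MIN and len(payload) % 16 == 0:
            return "transport_data"
    return None


def build_sample(msg_type: int, total_len: int) -> bytes:
    """Constructed packet: real header bytes, random body in place of ciphertext."""
    return bytes([msg_type, 0, 0, 0]) + os.urandom(total_len - 4)


def summarize(payloads):
    """Count classifications over a list of UDP payloads."""
    counts = {}
    for p in payloads:
        label = classify_wireguard(p) or "other"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed samples: three WireGuard-shaped packets and two that are not.
SAMPLES = [build_sample(1, 148), build_sample(2, 92), build_sample(4, 96),
           b"\x16\x03\x01" + os.urandom(200),  # begins like a TLS record
           os.urandom(3)]                       # too short to carry a header
```

The optional preshared key is mixed into key derivation only, so the cleartext fields and sizes checked here are the same with or without it.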
You might see some confused faces. To most English speakers "fortune" mostly means good, unless it is preceded by something that specifies that it is bad fortune, like "ill fortune" or misfortune.
Their English is actually good enough to properly use sarcasm. “I had the fortune of getting food poisoning last week” would be understood as a joking way of talking about misfortune.
It is. But just because you speak English doesn't mean you use sarcasm constantly. Sarcasm is a lazy way of communicating in almost any language. It reveals lazy thinking and poor vocabulary. I never assume someone is using sarcasm when they could actually be speaking intelligently, albeit with a common grammatical error.
It's called sarcasm.
The circumstances suggest that it's probably just a simple error and not sarcasm. Not everyone in the world really loves sarcasm so much. People who use it frequently are usually trying to mask a poor imagination and small vocabulary. So I prefer to believe it's just a simple mistake. No big deal.
OpenVPN looks more similar to regular https traffic, hence it's a bit more difficult to fingerprint.
Openvpn is trivial to see, what you need to do is wrap it in stunnel
Yeah I suspect they know they can never block everything but if they can block 98% of "casual users" they've probably reached their goal. They will just put out propaganda that the other 2% technically apt people who get around it are conspiracy nuts, western civ sympathizers, traitors to mother russia, etc.
Even though openvpn uses TLS, AFAIK it's used on top of some wrapper which makes it trivial to detect and block. At least in my experience it's one of the first protocols to get blocked.
They called the Chinese to help with their experience like 6 months after the start of the war as they realised some young people could access news outside the official channels.
They have been testing it since then.
In China once their AI systems or whatever decides that you are using a VPN you will be punished by increasingly blocking your Internet for more and more time.
This isn’t true. VPN use is widespread here, but I’ve never heard of anyone’s internet getting wholesale blocked because of it.
Selling VPN services, however, is a big no-no.
Thank you so much for posting this.
If anyone else has any educated guesses about the mechanism, please do share!
My guess is that it's cat and mouse with various providers and upgrades and research are inconsistent.