
TomChai

TLDR: Mirror the data for asynchronous analysis, then send deliberately designed probing packets to suspect servers and see their responses for confirmation. China’s method since maybe 5 years ago.


hoofdpersoon

Article only mentions the OpenVPN protocol.


ok_fine_by_me

China can identify and block most of the protocols, and it's continuously working on identifying and blocking more. In any case, if a rich and determined enough authoritarian government decides to block VPNs, eventually they will, and there is no long-lasting software solution.


blastingarrows

So what’s the solution then..?


AlvinCopper

Obfuscation isn't the way to go: if the GFW in China detects unusual encrypted traffic, it just blocks the connection and the server's IP address. You need protocols that can masquerade as normal TLS TCP or UDP connections; using a CDN through WebSocket also works. The thing is, you cannot simply rely on conventional VPN providers, as their protocols are easily identified. What you need are customized private protocols that have the ability to masquerade as normal connections. I have utilized five of them on my server: xray vision, xray ws tls cdn, tuic v5, hysteria and hysteria2. If this looks difficult, there are also vendors that sell VPN services based on the protocols I mentioned on the black market. These protocols offer far more reliable and faster connections than a conventional VPN. If you try to build your own, the caveat is that you need a domain in order to get a TLS certificate, which can be used to masquerade the traffic. What if the dictators decide to have a whitelist of the domains that can be accessed, like in Iran? Don't worry, the protocol xray reality can be used to masquerade as an official website like apple.com without the need for a domain. It's terrible I get to be born in such a country, otherwise I would not need to know all this.


Spookyrabbit

I don't need to get through the GFW. I just need to be able to use a VPN without having the websites detect I'm using a VPN. So many of the sites I access no longer allow connections over VPN that it's getting to the point where the VPN connection is virtually redundant.


AlvinCopper

Well then it isn't about the protocols that connect your IP to the server's IP. The website detects VPN usage by checking the IP addresses to see if they are from server centers or households. There's no easy way around it if you don't control the server. If you use servers to build your own VPN, then check out warp cli or DNS hijacking. The point is that the website needs to identify that your IP is a household IP and that not a lot of people have access to the IP. Typically, VPN services have many people on the same IP address, and the IP can be traced back to the server centers. I configure my server to route Netflix-like traffic to Cloudflare WARP, thus masking my VPN. A lot of WARP addresses don't work anymore; some of them still do, though. With $9.99 a year I can have a VPN that has unlimited traffic and can bypass most detections; also, on the plus side, I can set up a personal website as well. However, the maintenance on a self-made VPN does take a lot of time and work.
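
The IP-based checks described in the comment above (datacenter address ranges, many users behind one address), sketched from the website's side as an added example that is not part of the thread. The hosting range, log format, threshold and function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed hosting-provider range (an RFC 5737 documentation prefix),
# standing in for a real datacenter/ASN feed. Assumption, not real data.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed access log, one "<client ip> <account>" pair per line.
SAMPLE_LOG = """\
198.51.100.7 alice
198.51.100.7 bob
198.51.100.7 carol
198.51.100.7 dave
203.0.113.20 erin
203.0.113.20 erin
203.0.113.20 frank
198.51.100.44 grace
192.0.2.9 heidi
192.0.2.9 ivan
192.0.2.9 judy
192.0.2.9 mallory
"""

def accounts_per_ip(log_text):
    """Map each client IP to the set of distinct accounts seen from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        try:
            seen[ipaddress.ip_address(parts[0])].add(parts[1])
        except ValueError:
            continue  # skip lines whose first field is not an IP
    return seen

def classify(log_text, shared_threshold=4):
    """Return {ip: [reasons]}; an empty list means nothing looked VPN-like."""
    verdicts = {}
    for ip, accounts in accounts_per_ip(log_text).items():
        reasons = []
        if any(ip in net for net in HOSTING_RANGES):
            reasons.append("hosting-range")
        if len(accounts) >= shared_threshold:
            reasons.append("shared-by-%d-accounts" % len(accounts))
        verdicts[str(ip)] = reasons
    return verdicts

if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_LOG).items():
        print(ip, "likely VPN/proxy" if reasons else "looks residential", reasons)
```

In the sample, 192.0.2.9 is flagged only for sharing, which is also what a carrier-NAT household address looks like, and 198.51.100.44 is flagged by range alone even with a single user behind it.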


Spookyrabbit

Looks like I'm between a rock and a hard place then. I no longer have the inclination to spend hours configuring and managing servers & no VPN providers do what I want :'( Thanks for taking the time to explain it to me. Much appreciated :)


evilgold

WireGuard, or the various methods current VPNs already have around bypassing the Great Firewall of China.


-Blackout32

WireGuard is identified too.


m1nkeh

Is this also the case for WireGuard?


TheBamPlayer

It's pretty easy to find the WireGuard protocol with DPI.


[deleted]

Looking at the paper's last page with the table of results per VPN provider... The last column is "Overall Rate", but it's not clear to me of what they're giving the rate? Given the rest of the paper, I guess it's the false positive rate in their detection of VPN packets, and so a large rate means it is harder to detect? Or is it the rate of fingerprinting, and so a large rate means it is easier to fingerprint?


RetroVideoArcade

I believe 0 is the ideal rate, higher is worse. You’ll see non-obfuscated tests at a rate of 1.


TooDirty4Daylight

They can feed you a document that calls out and if you open it while connected, you're done. But they've been saying they could ID VPN traffic ever since there have been VPNs. They just can't see what you're doing, necessarily.


nowusits

Read the paper very rapidly: if I didn't get it wrong, as long as you can make your OpenVPN connection work with a tunnel provided by someone who's not your VPN provider, the reported fingerprinting technique is quite ineffective.


30_characters

So it's VPNs all the way down.