I am not sure if this is the right sub, but I didn’t find other more appropriate.
I visited Russia yesterday and found out that the most paid VPN services I used - NordVPN, Surfshark are now banned. Both WireGuard and OpenVPN, even manual setup. I used to say that they wouldn’t do it, because many businesses depend on private VPNs and it would break too much, but they seem to be doing it successfully. I had my job VPN working without issues the whole time. I was able to find some less known services in GooglePlay, but it was tricky.
Are they just banning IPs or there is something else? What if I set up my own VPN service and use it alone, is there a high chance that it may be banned too?
Russia has a specific government entity called “Roskomnadzor” (Russian Communication Supervisor).
What they do is that they publish an XML file with blocking instructions that all ISPs should follow. The specific instructions are case per case basis. Most bans are on DNS or IP level.
All VPN providers basically offer a zip file with all their servers IPs, all the national service for “truth” needs to do is regularly collect these and block them…
In my experience they block URL’s of VPN servers from known providers. When I worked for one we would just rotate domains frequently.
Wireguard and openvpn have specific type of traffic that can be detected. That’s why there are some extra privacy features that help with that. One option i saw is to use port 443 to try to pretend that it’s https traffic. But it’s still not fool proof. Also the big name VPNs like nordvpn have limited amount of servers, and banning them is as easy as banning their ips. That’s why some vpn services provide a list of bridges (intermediary server).
I think your best bet is to run your own wireguard vpn server and connect to it on 443, or use a bridge, or connect to less known smaller vpns, or new servers on big vpns. You can also try to use proxies. That’s what i would do at least. Have you tried Mullvad VPN? It’s the one firefox uses.
If you are in Russia btw you can go to a local internet cafe and ask how you could access some blocked international sites, i am pretty sure they know how to bypass it.
I am not condoning nor recommending you break any laws. Not your lawyer, etc.
They ban IPs and also VPN protocols are easily identifiable by Application Firewalls and banning these protocols is easy unless you use something udp2raw or encrypt the VPN data in tls itself to make the data stream not identifiable but that’s overhead I haven’t seen any VPN doing.
If you use cloudflare or google dns can you get around that?
I’m Russian and I know that. They fought Telegram and lost shamefully. I don’t really get how can they ban entire VPN providers (who supposedly update their IPs?) with supposedly thousands of IP addresses all over the world.
Wireguard is blocked by detecting the zero padding in the initial handshake packet. That packet is dropped and the tunnel is never initialized. Since Wireguard devs refuse to add obfuscation, the solution is to either bridge or roam in (i.e. initialize the tunnel elsewhere).
OpenVPN is banned by a TLS handshake signature specific to OpenVPN.
they didn’t block entire protocols, because my job vpn was working
China does protocol level blocking. Russia is a bit more “lawful” as it requires court order to add it to banlist.
they didn’t ban entire protocols, because my job VPN was working fine
That would never work for something like this.
Search for studies of the Great Chinese Firewall, this is the best one I’m aware of: https://gfw.report/publications/usenixsecurity23/en/
And yes, even if you setup your own VPN service (outside Russia), it can get banned. I am running OpenVPN for friends, and it stopped working reliably about half a year ago. Look into Shadowsocks or, better yet, XTLS (GitHub - XTLS/Xray-core: Xray, Penetrates Everything. Also the best v2ray-core. Where the magic happens.)
Telegram went above and beyond abusing Google Push notifications as traffic channel.
Tor Browser - THIS- is allowed? Or you can get in trouble for using it?
Thank you. I didn’t remember technical terms. Mullvad offers wireguard obfuscation: udp over tcp.
We did own VPN for China and we needed to use HTTPS hiding, as they cut OpenVPN on protocol level