The Idiot’s Guide To VPN Blocking

So my colleague has already highlighted the fact that some people are now having problems accessing social media when connecting using VPNs. It would appear that ISPs and IAPs have also been secretly directed to block VPNs. They are unlikely to achieve much success on that front given how VPN works but they will no doubt score some kills.

We will now examine in layman terms how VPN is blocked and how that blocking can be defeated. The first thing to understand is the term VPN itself and how it works. VPN stands for Virtual private network. Currently the government has directed service providers to block access to social media sites as well as others. They are achieving this through two main methods from what I have observed:

• DNS level, my ISP is saying the Facebook domain does not exist at the time of this writing. That can be easily thwarted by changing to say Google’s DNS servers. In fact I highly suspect this failure to resolve is linked to method 2 below as the ISP’s own resolver cannot access blocked IPs.
• IP level where entire ranges for the services are intentionally blocked. Here is something amusing. Most of Zimbabwe’s service providers already know these IP addresses because they use them to create things like WhatsApp and Facebook bundles.

VPN involves your computer connecting to another computer somewhere on the internet. All or Some of your internet traffic is then routed through that computer. So if the computer is say in South Africa you will appear to the entire internet as if you are using that computer.

How VPN blocking works?

The easiest thing for those blocking VPNs is to simply block known VPN IP addresses. It’s harder than it sounds though. There are a gazillion IP address you will have to find and block and you are bound to miss a lot of them. The problem is compounded by the fact that you can in fact create your own VPN server without the need to sign up with a provider. If you do this right your ISP should be none the wiser.

In addition to IP addresses the internet also makes extensive use of ports. Think of a port as a door/apartment/flat. Most houses have more than one door each taking you to a different room. Typically computers have various services running on the same computer. Ports are used to distinguish between these services. So a computer might have the IP 192.168.0.1 but on port (room) 80 there could be a web server. Typing 192.168.0.1:80 connects you to this web server.

The same computer can have an email server listening on port 25, another instance of the server listening on port 443 and so on. Although a service can listen to any port it is customary for specific services to occupy certain ports. The most popular port is port 80 which is the default webserver port. Port 443 is close especially given Firefox and Chrome’s drive to secure the internet.

There are three popular VPN protocols and all have default ports which are well known. We have PPTP (Point-to-Point Tunneling Protocol) an old broken protocol which uses ports 1723 and 47. L2TP favoured by Microsoft uses 500, 1701 and 4500. OpenVPN meanwhile defaults to 1194.

All your ISP has to do is block these ports and it’s sayonara VPN. To be fair PPTP has been broken for a while and L2TP was never really meant to help you hide from anyone it was meant for businesses. In fact think that ZOL/Liquid are blocking L2TP right now and it seems like on a port level but I am just guessing.

One of the reasons why I love Free and Open Source Software is that you can modify it and it comes with the expectation that you might want to modify it. OpenVPN can use pretty much any port you tell it to. In fact most paid VPN services allow you to connect using ports 443 and 80. Internet providers cannot block these ports as doing so  will disable most of the web.

And then there was Deep Packet Inspection

Now this is another beast altogether and it deserves its own section. China, the NSA and other state sponsored actors wanted to find the best way to identify VPN traffic and their answer is Deep Packet Inspection. You see all internet traffic is split into packets which are then routed around the internet.

The internet relies on protocols (rules) that govern how computers/services talk to each other. We are referring to the high layer protocols here. We have protocols such as SMTP, HTTP, HTTPS and so on. These protocols involve computers talking to each other (negotiating) and doing things in pretty specific ways involving predictable bytes of data being exchanged. This and the careful analysis of packets can reveal if VPN is being used even when you switch to ports 80 and 443.

I am not sure of our local Telecom’s capabilities on this front but DPI comes with overhead and costs that most ISPs might not want to fully implement it. Sandvine’s products (widely used by ZOL and other ISPs) come with some form of DPI for quality control purposes allowing them to effectively throttle torrent traffic even if you switch ports for example.

Fortunately the Free and Open Source Software community has come up with tools to make it highly difficult for DPI to see that you are using VPN. Stunnel is by far my most recommended. It makes it look like you are actually sending legitimate HTTPS traffic.

In our next instalment we will look at how you can create a bulletproof VPN server that will be extremely hard to block. It is always important to use social media and the internet responsibly and within the confines of the law. Nothing we post here shall be construed as allowing you to break the law. We feel strongly about that.