
VPN services blocked in Sri Lanka as information controls tighten - infodocket
https://netblocks.org/reports/vpn-services-blocked-in-sri-lanka-as-information-controls-tighten-RAe2blBg
======
abstractbarista
Looks like it's mostly DNS-based. Meh. But still, this underscores the
importance of operating your own VPN if you want to maintain comms through the
silly twitches of a gov't like this. The biggest VPN providers are the first
to be targeted. Even just having an SSH host outside the country will do fine.

On another note, I recently set up a Tor bridge with pluggable transports to
help those in choked areas. It was a fun homelab challenge, and a good way to
spread my privilege of having a free connection.

~~~
fb03
A VPS with a simple SSH server on a nonstandard port, maybe with some port
knocking if you think you might be scanned or targeted by accessing from the
offending country, will do the trick just fine, keeping things reaaaally low
profile.

~~~
gruez
>simple SSH server on a nonstandard port, maybe with some port knocking if you
think you might be scanned or targeted by accessing from the offending country
will do the trick just fine, keeping things reaaaally low profile.

Sounds like security theater. Using port knocking isn't going to hide the fact
there's an SSH connection between you and some server. If anything, having a
non-standard configuration (non-standard port number or port knocking) makes
you more suspicious.
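
To make the point concrete, here is an added example (mine, not from anyone in the thread) of what a flow-level view gives an ISP without any DPI at all: a toy analyser over constructed NetFlow-style records. The knock sequence shows up as a burst of unanswered SYNs to one host, immediately followed by a long-lived, high-volume connection to that same host on a port that is neither 80 nor 443. The record format, the thresholds and the sample values are all constructed for this illustration; the heuristics are deliberately simple.

```python
"""Flow-level view of a 'low profile' SSH tunnel (added example, not from the thread).

A toy NetFlow-style analyser showing what an ISP sees for 'SSH on a
nonstandard port behind a port-knock sequence' versus ordinary browsing.
Field names, thresholds and sample records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int      # seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int
    duration: int   # seconds
    flags: str      # TCP flags seen, e.g. "S" for a lone unanswered SYN


# Constructed sample: one subscriber. Three lone SYNs to odd ports on one host
# (the knock), then a long-lived bulk connection to port 2222 on that host;
# plus ordinary short HTTPS flows to two other hosts.
SAMPLE = [
    Flow(1000, "10.0.0.7", "198.51.100.9", 7000, "tcp", 1, 60, 0, "S"),
    Flow(1001, "10.0.0.7", "198.51.100.9", 8000, "tcp", 1, 60, 0, "S"),
    Flow(1002, "10.0.0.7", "198.51.100.9", 9000, "tcp", 1, 60, 0, "S"),
    Flow(1004, "10.0.0.7", "198.51.100.9", 2222, "tcp", 18000, 22_000_000, 5400, "SPA"),
    Flow(1010, "10.0.0.7", "203.0.113.20", 443, "tcp", 120, 150_000, 8, "SPAF"),
    Flow(1050, "10.0.0.7", "203.0.113.21", 443, "tcp", 300, 900_000, 40, "SPAF"),
]

WEB_PORTS = {80, 443}


def knock_then_connect(flows, window=30, min_knocks=3):
    """Return (src, dst, knock_ports, dport) for each 'knock burst, then a
    real connection' pattern.

    A knock is a single-packet SYN-only flow (nothing answered). If at least
    `min_knocks` of them hit the same dst within `window` seconds and are then
    followed by a flow to that dst that carried payload, report it.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fl in by_pair.items():
        fl.sort(key=lambda f: f.start)
        knocks = [f for f in fl if f.proto == "tcp" and f.packets == 1 and f.flags == "S"]
        for i, k in enumerate(knocks):
            burst = [x for x in knocks[i:] if x.start - k.start <= window]
            if len(burst) < min_knocks:
                continue
            after = [f for f in fl
                     if f.start > burst[-1].start and f.packets > 1 and "P" in f.flags]
            if after:
                findings.append((src, dst, tuple(x.dport for x in burst), after[0].dport))
                break
    return findings


def long_lived_nonweb(flows, min_duration=600, min_bytes=1_000_000):
    """Flows that look like a persistent tunnel: long, bulky, not on a web port."""
    return [f for f in flows
            if f.proto == "tcp" and f.dport not in WEB_PORTS
            and f.duration >= min_duration and f.bytes >= min_bytes]


if __name__ == "__main__":
    for hit in knock_then_connect(SAMPLE):
        print("knock sequence then connect:", hit)
    for f in long_lived_nonweb(SAMPLE):
        print("tunnel-like flow:", f.dst, f.dport, f.duration, "s", f.bytes, "bytes")
```

Neither function needs to see a single payload byte: the knock is visible as metadata, and the tunnel is visible as a long, fat connection to one foreign host. Whether an ISP bothers to look is a separate question from whether it could.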

~~~
walrus01
I think you overestimate the desire, motivation and technical capability of
Sri Lankan ISPs to start doing netflow analysis and DPI on individual
subscribers' end user connections.

Unless you were to attract the attention of somebody in government, and they
forced an ISP to escalate an issue to the 3rd or 4th tier of network
engineering running the core of the bigger ASes there, they're not going to be
doing that. It's not the Chinese GFW.

~~~
bArray
Not only this, but there's a massive difference between stopping people from
accessing the web via VPNs and stopping people from SSH'ing into their
servers. You block SSH access and you're probably going to take a financial
toll country-wide.

------
nstart
This ban is actually infuriating. I'm from SL, currently on NordVPN, which
hasn't been blocked by one of the major ISPs. Both major ISPs are aggressively
blocking standard OpenVPN traffic, however. I'm not entirely sure how, since
this is not my knowledge domain, but a default OpenVPN setup on DigitalOcean
(even on port 443) results in a timeout when contacting the server.

I don't understand why one ISP is still allowing Nord and ExpressVPN through.
If anyone is open to debugging this and helping create a workaround, I'd love
the help. Feels like a good time to test things.

In the meantime people are using dubious VPN providers and are opening
themselves up as easy targets. I dread what would happen if a malicious party
created a VPN with malicious intent and then spent some bucks on targeted
advertising in SL on the app stores.

This block is such a shit move, really. It's become the gov's default crisis-
time response in the name of national security.

~~~
ArchD
OpenVPN, like many other VPN protocols, does not have censorship resistance as
part of its design goals. So, I'm guessing that its traffic patterns are quite
easy to detect.

You should have better luck with something like Shadowsocks, or even better,
Shadowsocks over an SSH tunnel. There are probably better and more potent
alternatives that I'm not familiar with. If you just want to do regular web
browsing, a simple thing to try is to just use "ssh -D" for a SOCKS5 proxy and
configure your browser to use the proxy.

Also, a possible first step in debugging is to run the same server setup in
the same country as the client and see whether it allows you to connect to a
domestic server. If it doesn't, it's probably a problem with your
client/server setup as the state's firewall probably doesn't need to block
domestic VPN connections.
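
For the "ssh -D" route, here is an added example (mine, not from the thread) of what the browser actually sends to the local SOCKS5 listener that `ssh -D 1080 user@host` opens, written from RFC 1928, with the proxy-side decode beside it. The security-relevant detail is the address type: a hostname sent as ATYP 0x03 is resolved at the SSH server end, so no DNS lookup for the blocked site leaves the client machine, whereas a browser that resolves locally sends an IPv4/IPv6 address and has already handed the query to the ISP's resolver (in Firefox this is the "Proxy DNS when using SOCKS v5" option). The hostnames and addresses used here are constructed.

```python
"""SOCKS5 CONNECT as a browser sends it to `ssh -D` (added example, not from the thread).

Builds the client messages per RFC 1928 and decodes them the way the proxy
side would, flagging whether the client already resolved the name locally
(and therefore already leaked a DNS query). Hosts/addresses are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def client_greeting():
    """VER, NMETHODS, METHODS: offer 'no authentication' only, which is what ssh -D accepts."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host, port):
    """Build a CONNECT request. A hostname goes out as ATYP=DOMAIN so the proxy
    (the SSH server) resolves it; an IP literal goes out as ATYP=IPV4/IPV6."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (1-byte length)")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data):
    """Proxy-side decode. Returns (cmd, host, port, resolved_locally)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host, end, resolved_locally = data[5:5 + n].decode("idna"), 5 + n, False
    elif atyp == ATYP_IPV4:
        host, end, resolved_locally = str(ipaddress.IPv4Address(data[4:8])), 8, True
    elif atyp == ATYP_IPV6:
        host, end, resolved_locally = str(ipaddress.IPv6Address(data[4:20])), 20, True
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(data) != end + 2:
        raise ValueError("request length does not match address type")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return cmd, host, port, resolved_locally


def parse_reply(data):
    """Decode the proxy's reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT. REP=0 means connected."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1] == 0


if __name__ == "__main__":
    for host in ("example.com", "203.0.113.5"):
        req = connect_request(host, 443)
        print(host, "->", req.hex(), "| resolved locally:", parse_request(req)[3])
```

If the decoded request shows an IP literal for a site you typed as a name, the browser is doing its own lookups and the proxy setting is not actually hiding which sites you visit from whoever controls your DNS.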

~~~
nstart
Thanks. I'll be taking a look at tunnelling soon. The material around it is
difficult to read and put together, to be honest.

I'm right now using Nord via their ovpn files. Somehow it made its way through
one ISP ruleset.

For my DigitalOcean box, I asked someone else to use Tunnelblick with the
ovpn file I provided them to see if it worked (they were in another country)
and it worked. This makes me believe it's most likely a country-level issue.

In general though I'd like to learn about networking more thoroughly and set
up a censorship-resistant option which I can help others to set up and share
as well later on. Any primers/pointers are appreciated too. I'll start with
all the things you mentioned though.

~~~
sjy
I suggest looking into WireGuard [1]. I found it easier to use than OpenVPN,
and I think it will displace it as the de facto standard when it eventually
gets merged into the Linux kernel. You'll have to use lower-level
configuration tools to get started with it, which I am finding helpful to
pursue the same goal of learning about networking more thoroughly.

[1]:
[https://news.ycombinator.com/item?id=17659983](https://news.ycombinator.com/item?id=17659983)

~~~
pferde
While I like WireGuard a lot, it won't displace OpenVPN completely, for the
simple reason that it only works over UDP, and cannot work over TCP, unlike
OpenVPN.

~~~
zx2c4
Transforming generic layer 3 datagrams into traffic that looks like something
else is the general domain of obfuscation. Making WireGuard traffic look like
TCP is one form of such obfuscation. Making it look like TLS or DNS or HTTP
are other forms. (Actually putting layer 3 traffic into framing inside a legit
TCP stream is inefficient and the wrong way to think about the problem
domain.) No promises, but I'm expecting some nice things to come in this
domain of generic obfuscation mechanisms to punch through various forms of
filtering.

~~~
pferde
Inefficient as it may be, it is something I simply need for my use case -
connecting home from a certain network which only allows outgoing connections
on a handful of TCP ports.

~~~
zx2c4
No. You need your traffic to look like TCP, for your particular network
filtering. But you do not need to achieve that by using the naive and
inefficient approach of, "stick the packets into a TCP stream prefixed by a
length field." Rather, there are more clever tricks for making your traffic
look like TCP, which generally fall into the same realm as other obfuscation
mechanisms.
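
The framing being called naive above, as an added example (mine, not WireGuard's code and not from anyone in the thread): each datagram goes into the TCP stream behind a 2-byte big-endian length. The part that needs care is the deframer, because TCP delivers bytes at arbitrary boundaries, so one frame can arrive split across several reads and several frames can land in one read. The sample datagrams are constructed bytes, not real WireGuard packets; `overhead_bytes` counts only the prefix bytes, not the TCP/IP headers, retransmissions and head-of-line blocking that make this approach expensive.

```python
"""Length-prefixed UDP-over-TCP framing (added example, not from the thread).

frame() puts a datagram into a byte stream behind a 2-byte big-endian length;
Deframer reassembles datagrams from chunks of any size. Sample data is constructed.
"""
import struct

MAX_DATAGRAM = 0xFFFF               # largest length a 16-bit prefix can carry
HEADER = struct.Struct("!H")        # the 2-byte length prefix


def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its length. Raises if it cannot be encoded."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return HEADER.pack(len(datagram)) + datagram


class Deframer:
    """Reassembles datagrams from a byte stream fed in arbitrary chunks."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes):
        """Append a chunk read from the TCP socket; return every complete datagram."""
        self._buf += chunk
        out = []
        while len(self._buf) >= HEADER.size:
            (n,) = HEADER.unpack_from(self._buf, 0)
            if len(self._buf) < HEADER.size + n:
                break                         # rest of this frame not here yet
            out.append(bytes(self._buf[HEADER.size:HEADER.size + n]))
            del self._buf[:HEADER.size + n]   # consume the frame
        return out

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)


def overhead_bytes(datagrams) -> int:
    """Extra bytes on the wire from the length prefixes alone."""
    return HEADER.size * len(datagrams)


def roundtrip(datagrams, chunk_size):
    """Frame everything, deliver it in `chunk_size`-byte reads, return what came out."""
    stream = b"".join(frame(d) for d in datagrams)
    deframer = Deframer()
    got = []
    for i in range(0, len(stream), chunk_size):
        got.extend(deframer.feed(stream[i:i + chunk_size]))
    assert deframer.pending() == 0, "stream ended mid-frame"
    return got


if __name__ == "__main__":
    sample = [b"\x01" * 100, b"", b"\x02" * 1500, b"abc"]
    for cs in (1, 7, 4096):
        print("chunk size", cs, "ok:", roundtrip(sample, cs) == sample)
    print("prefix overhead:", overhead_bytes(sample), "bytes for", len(sample), "datagrams")
```

Even with the parsing right, every lost segment stalls every datagram behind it until TCP retransmits, which is the head-of-line blocking that makes this the wrong shape for carrying a datagram protocol through a TCP-only filter.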

------
mig39
They've also banned drones.

[https://www.thehindu.com/news/international/sri-lanka-bans-drones-unmanned-aircraft-after-bombings/article26940849.ece](https://www.thehindu.com/news/international/sri-lanka-bans-drones-unmanned-aircraft-after-bombings/article26940849.ece)

------
chelovek89
Nothing a personal Shadowsocks server can't handle. It works with the Great
Firewall and there's no way Sri Lanka's filter is stronger than China's.

~~~
abc-xyz
Speaking of Shadowsocks, I really feel sorry for the author. I believe his
final words were "I hope one day I'll live in a country where I have freedom
to write any code I like without fearing".

~~~
emilfihlman
Can you share more on this?

~~~
abc-xyz
This is the HN thread from the time:
[https://news.ycombinator.com/item?id=10101469](https://news.ycombinator.com/item?id=10101469)

His GitHub went quiet after that, but as wiremaus points out, he seems to be
alive and well based on his twitter posts.

------
ianlevesque
Legitimate question: what do they hope to achieve by this?

~~~
npsomaratna
Sri Lankan here.

Historically, the people here have engaged in "knee-jerk" violence following
an initial inflammatory incident; see:

[https://en.wikipedia.org/wiki/Black_July](https://en.wikipedia.org/wiki/Black_July)

[https://en.wikipedia.org/wiki/2018_anti-Muslim_riots_in_Sri_Lanka](https://en.wikipedia.org/wiki/2018_anti-Muslim_riots_in_Sri_Lanka)

In the second incident listed above, social media was used both as a vector to
spread hate speech and misinformation, and also to help mobs organize.

Regarding the current social media block: at the start, I felt this to be
reasonable, as it made sense to slow the spread of misinformation/hate speech
for a couple of days, until people's emotions cool down. However, the blocks
still continue - and I see no clear justification for continuing them for so
long.

~~~
npsomaratna
Update: social media isn't blocked anymore. Six days in total - reasonable
enough, I think.

~~~
edejong
Any form of limiting speech is an attack on the principles of a healthy
nation. State-wide censorship is never reasonable.

------
jgowdy
Privacy idealist hat on.

I believe there's a lot of potential for CDNs and major sites to offer anti-
censorship pass through traffic with HTTP/2 via CONNECT. By having a
multiplexed protocol with multiple streams that spans "normal" traffic and
tunneled traffic, it should be harder to identify. This would allow major
sites or CDN providers to provide service to those people behind such bans and
possibly require governments to break a significant portion of the web in
order to institute those blocks. I think it's valuable to increase the damage
done by government blocking so we can ensure that mainstream persons are
sufficiently upset by this conduct. I also think CloudFlare and other major
CDN providers should be the ones to provide this type of VPN access either as
a product or as a special case offering for people in countries who censor the
web.

I realize there are many businesses who wouldn't damage their primary
offerings to provide such a secondary service. But it only takes one or two
companies to increase the collateral damage of the bans, and thus make them
much more costly for the governments imposing them.

~~~
DenseComet
[https://blog.cloudflare.com/1111-warp-better-vpn/](https://blog.cloudflare.com/1111-warp-better-vpn/)

Cloudflare also built and open-sourced a Rust implementation of WireGuard
which will likely back the service [0], but unfortunately, they didn't
collaborate with upstream.

[0]
[https://github.com/cloudflare/boringtun](https://github.com/cloudflare/boringtun)

~~~
jgowdy
Yeah, I'm specifically pointing to the idea of leveraging HTTP/2's multiplexed
streams to embed VPNs into the same connection as normal web traffic from
CDNs. Things like 1.1.1.1 Warp don't attempt to hide the fact that they're a
VPN and thus wouldn't really help with what I'm talking about.

------
Causality1
Blocks like this are why I always recommend that friends overseas not use a
VPN for which they've ever seen an advertisement. The small guys offer
performance that's just as good, and the big guys having ten times the number
of servers doesn't help when their whole list can be blocked in an instant.

------
octosphere
You can route around VPN blocks by using something like GhostBear, which uses
_obfsproxy_ and is similar to Tor's meek pluggable transport:
[https://help.tunnelbear.com/hc/en-us/articles/360007243291-GhostBear-Fight-censorship-on-restrictive-networks](https://help.tunnelbear.com/hc/en-us/articles/360007243291-GhostBear-Fight-censorship-on-restrictive-networks)

------
deependra
[http://www.defence.lk/new.asp?fname=Public_Requested_to_Iden...](http://www.defence.lk/new.asp?fname=Public_Requested_to_Identify_Terrorist_Suspects_20190426_02)

------
andreimiulescu
A VPN service that cannot be blocked:
[https://www.tunnelhero.com](https://www.tunnelhero.com). I've been using these
guys in China, Turkey and the UAE; works like a charm.

