I wish VPNs also considered DPI when designing their protocols. It just sucks that every self-proclaimed decentralized app can easily be blocked. They can block faster than you can host another new instance and migrate users.
Every VPN advertised in China takes DPI into account, and there is a huge community around how to circumvent the GFW. The previously popular protocol was Shadowsocks (until the GFW blocked fully random traffic); now I use Hysteria2 (which masquerades as QUIC), and it has not been blocked yet.
In case your favorite VPN provider does not offer these protocols, you can buy a VPS and deploy one of them yourself.
Is there any sort of criminal risk to playing cat and mouse with GFW censorship? Or are you generally free to just do your best to subvert the limitations put in place?
A quote from someone I know working in a related agency for “cybercrime” in China:
> If you just set it up and use it yourself, at most you will be given a verbal warning, urged to rectify, and have the tools confiscated. If you set it up and give it to your friends to use, there may be risks, but in reality law enforcement agencies usually don't have extra time to manage these small things. If you set it up for your friends to use, the traffic of three or five people is very small, just normal access to the external network, and as long as there is no other illegal behavior such as money laundering, telecommunications fraud, etc., no one cares. If you are the "airport" owner, that is, the VPN commercial service provider, then your legal risk will be very high: you will be involved in illegal operation of telecommunications services, because this requires you to apply for a license, and VPN commercial service providers usually earn large illegal income, so they may be sentenced to several years and have the proceeds confiscated. Note that the sentence is due to the illegal operation. Once they have the license, they are a legal communication service.
> Because such behavior is subject at most to administrative penalties under the law, which is what I just said: warnings or orders to make corrections and confiscation of tools, and at most fines, but generally not. The fine will be determined based on your attitude in admitting your mistakes. If your attitude is good, there will basically be no fine. In addition, if there is illegal income to be confiscated, such as illegal income obtained by using the Internet to conduct cross-border money laundering, cross-border telecommunications fraud, or computer network crimes with international illegal organizations, it will be confiscated.
Funnily enough, he says almost everyone uses VPN-like technologies, even within the regulatory agencies.
Shameless plug: you can use wstunnel, which disguises your traffic as WebSocket, to tunnel any traffic you want. I had more success with it, as it uses TCP, than with QUIC/HTTP3, since UDP is usually more heavily restricted.
It works behind the GFW and lets you use your WireGuard, for example...
I also had good feedback from people in Turkey and Iran.
Packet size is dependent on the MTU, so practically speaking you're trying to put something 1460 bytes long into a 1460-byte container, and the only way for that to fit is to split the packet or tell the packet generator to make smaller packets. Both of these are reasonable options, but they're not the most efficient, leading to slower connections when tunneling one inside the other. It's less of a deal these days, but that's the why of it.
Well, sure, but then any kind of encapsulation is less than ideal. However, here the context is VPNs and this means there’s always going to be some sort of encapsulation. And if the choices are between encapsulating something in TCP and encapsulating something in UDP, the latter should always be chosen.
I use the word tunnel, but it would be more correct to use "proxy".
There is no wrapping of UDP packets into another layer of TCP. Wstunnel unpacks the data at the client, forwards it using TCP/WebSocket, and afterwards takes this data back and puts it into its original form (i.e. UDP),
so there is no encapsulation of multiple protocols.
The only place where there is encapsulation is TLS: if your client uses TLS to connect to the wstunnel server, and your data is already encrypted with TLS (i.e. HTTPS), there will be two layers of TLS encryption.
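An added illustration of the two points above (the MTU arithmetic and the proxy-style forwarding of UDP payloads over a TCP/WebSocket stream); this is example code, not wstunnel's implementation or either commenter's. The header sizes and the 2-byte length prefix are assumptions of this example, not wstunnel's actual wire format.

```python
import struct

# Assumed header sizes (IPv4 without options, no TLS) for the comparison.
IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20
WS_HDR = 8          # assumed: 2-byte base + 2-byte extended length + 4-byte client mask
LINK_MTU = 1500     # typical Ethernet MTU; 1500 - 20 - 20 = 1460 is the usual TCP MSS
LEN_PREFIX = 2      # framing used by this example only, not wstunnel's format


def encapsulated_size(payload_len: int) -> int:
    """Outer packet size if the whole inner IP/UDP datagram is wrapped in WS/TCP/IP."""
    inner = IPV4_HDR + UDP_HDR + payload_len
    return IPV4_HDR + TCP_HDR + WS_HDR + inner


def proxied_size(payload_len: int) -> int:
    """Outer packet size if only the UDP payload is forwarded (inner headers dropped)."""
    return IPV4_HDR + TCP_HDR + WS_HDR + LEN_PREFIX + payload_len


def fits_mtu(size: int) -> bool:
    return size <= LINK_MTU


def frame(datagrams) -> bytes:
    """Length-prefix each UDP payload so datagram boundaries survive a TCP byte stream."""
    out = bytearray()
    for d in datagrams:
        if len(d) > 0xFFFF:
            raise ValueError("datagram too large for a 16-bit length prefix")
        out += struct.pack("!H", len(d)) + d
    return bytes(out)


def unframe(buf: bytes):
    """Recover complete datagrams; return (datagrams, leftover) since TCP may split frames."""
    out, pos = [], 0
    while pos + LEN_PREFIX <= len(buf):
        (n,) = struct.unpack_from("!H", buf, pos)
        if pos + LEN_PREFIX + n > len(buf):
            break                       # partial frame: wait for more bytes from the stream
        out.append(buf[pos + LEN_PREFIX:pos + LEN_PREFIX + n])
        pos += LEN_PREFIX + n
    return out, buf[pos:]


def relay(datagrams, segment_size: int):
    """Simulate the framed stream arriving in arbitrary TCP segments and reassembling it."""
    stream, pending, received = frame(datagrams), b"", []
    for i in range(0, len(stream), segment_size):
        pending += stream[i:i + segment_size]
        got, pending = unframe(pending)
        received.extend(got)
    return received
```

With a 1460-byte payload, wrapping the whole inner datagram costs 1536 bytes on the wire versus 1510 for forwarding the payload alone; either way the TCP stream is simply segmented at the MSS, and the length prefix lets the far end restore the original datagram boundaries, including zero-length datagrams.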
Not a VPN, but I think Telegram takes that into account? My understanding is they use some of the millions of AWS-registered IPs to goad ISPs into blocking them - censoring blocks of AWS IPs isn't usually a fun time.