Unfortunately it would be trivial to block an SSH tunnels like this. I recall reading news 10 years ago (maybe even earlier) some foreign journalist tried this at a Beijing hotel room and got shut down in minutes. That was when people are still using PPTP and L2TP protocols to get around censorship, Wireguard and shadowsocks wouldn’t be born for another couple years.
Comment on Russia starts blocking VPN at the protocol (WireGuard, OpenVPN) level
cman6@lemmy.world 1 year ago
In case anyone wondered how to potentially get around this…
- Pay for a server in another country that gives you SSH access
- Create SSH SOCKS tunnel:
ssh -N -D 8008 your-server-ip - Open your browser and set the SOCKS server to
localhost:8008(in Chromium/Firefox you can search for this in Settings)
petrich0r@lemmy.world 1 year ago
MooseBoys@lemmy.world 1 year ago
trivial to block an ssh tunnel like this
Far from trivial unless you’re willing to brick ssh completely, or at least cripple a bunch of non-VPN uses for tunneling. Of course it’s trivial to just block ssh outright, or block tunneling above a certain bandwidth. But that would also block, as an example, most remote IDE sessions, loopback-only server management frontends, etc.
tal@kbin.social 1 year ago
The Kremlin could maybe have something set up that looks for accesses to stuff inside Russia from outside Russia, then flag that IP as suspicious as being a VPN endpoint outside Russia.
So, okay, take this scenario:
-
IP A, user inside Russia.
-
IP B, VPS outside Russia.
-
IP C, service inside Russia that state can monitor.
User in Russia on IP A has an SSH tunnel to VPS on IP B with SOCKS that they control.
That's fine as long as user is only browsing the Internet outside Russia. But if you're routing all traffic through the VPS and you use any sites in Russia, the Great Russian Firewall can see the following:
-
IP A has a long-running SSH connection to IP B.
-
IP B is accessing stuff in Russia.
You could maybe also do heavier-weight traffic analsysis on top of that if you see 1 and 2, or gather data over a longer period of time, but seeing 1 and 2 alone are probably enough to block IP A to IP B connections.
That can be defeated by using two external VPSes, opening an SSH tunnel to the first one, and then talking to SOCKS on the second (maybe with another SSH connection linking the two). But that's increasing complexity and cost.
MooseBoys@lemmy.world 1 year ago
can be defeated with two VPSes, but that’s increasing complexity and cost
A marginal increase, perhaps. You don’t need a separate VPS - just a second IP. Accept incoming traffic on port 22 on one, and set the default route for outbound traffic to the other.
-
DefinitelyNotBirds@lemmy.world 1 year ago
This is actually pretty interesting, thanks for sharing. Although i live in a third world country that doesnt care about anything at all including piracy, but this tunneling thing looks pretty handy
Jaysyn@kbin.social 1 year ago
I'm not 100%, but I think you could set this up for free with an Oracle AlwaysFree tier VM.
(Boo Oracle, yes I know. Still very handy.)
DAMunzy@lemmy.world 1 year ago
Just looked up Oracle Always Free… Good to know about, thanks!
droans@lemmy.world 1 year ago
Couldn’t you also just set the VPN to use port 443?
tal@kbin.social 1 year ago
So, that's definitely better than nothing, but your browser isn't the only thing -- though these days, it is a very important thing -- that talks to the Internet. If, for example, you're using a lemmy client to read this, I'd bet that it's good odds that it doesn't have SOCKS support.
Though I wouldn't be surprised if someone has made VPN software that intercepts connections and acts as a proxy SOCKS client, which would make it work more like a traditional VPN, though maybe with a performance hit.
googles
Yeah, okay, looks like stunnel can do this on Linux.
SpaceCowboy@lemmy.ca 1 year ago
I don’t think NK took themselves there, they were already there when the internet was invented. Easier to limit access to few people when you have draconian measures in place when access becomes possible.
Having a society that already widely has access to one that has extremely limited access is a lot more difficult.
Corkyskog@sh.itjust.works 1 year ago
This is a good point that many don’t think about. Even if you could somehow drop hardware and free starlink into North Korea it wouldn’t even matter because the citizens never grew up on internet culture. No one would be able to figure out what to do with it by the time they got caught.