There are several countries around the world that heavily censor the internet (China, Iran, UAE, Oman, Pakistan, etc.). Typically, they block the internet using two techniques:
- Firewall Blocks (simple rules that block traffic to particular websites (e.g. YouTube, Twitter)
- Deep Packet Inspection (examining the traffic leaving your computer, in order to detect if you are using a VPN for example)
Let’s examine how to avoid these two censorship techinques:
Avoiding Firewall Blocks
You can avoid simple Firewall Blocks by making use of a VPN (virtual private network). This is the simplest and most reliable method of hiding your internet traffic. You may need to be creative about which protocols to use. In many cases OpenVPN will be blocked, but you can use a protocol like L2TP instead.
Here are the VPNs I recommend: The Best VPN Providers.
Your may find that your VPN connections are being blocked, however, and in these cases you may be up against a more sophisticated firewall.
Avoiding Deep Packet Inspection
“Deep Packet Inspection” is usually done at the ISP (internet service provider) level, on behalf of a government. A “packet” is a chuck of computer data that is sent over a network. Packet Inspection involves examining your internet traffic and trying to determine what you are doing (for example using a VPN).
To avoid Deep Packet Inspection, you must hide the fact that you are using a VPN. One of the simplest way to do this is to forward your OpenVPN traffic through port 443. OpenVPN uses port 80 by default, and this port is usually heavily monitored by firewalls. When you switch to port 443 your traffic will be camouflaged. This is because 443 is the default port for HTTPS, and this protocol is heavily used by web browsers for secure connections. Whenever you see “https” in a web browser address (for example while access an online bank or access web-based email) your browser is using a HTTPS connection on port 443.
So using port 443 makes a lot of sense, because it is very difficult to detect your traffic amongst all the other secure traffic on this port.
However, some governments (China, Iran) are now using methods to detect the difference between “normal” SSL encryption and VPN encryption. In cases like this you will need more sophisticated cloaking techniques (see below).
Avoiding Advanced Deep Packet Inspection
There are several ways to avoid advance deep packet inspection, but they will probably require co-operation from your VPN providers, and they will slow down your internet connection.
Commonly used techniques include:
- Using the Obfsproxy tool
- Using OpenVPN through an SSL tunnel
- Using OpenVPN through an SSH tunnel
Obfsproxy is a tool designed to make VPN connections difficult to detect. It was created by the Tor network when China started blocking Tor nodes — but it can be used outside of the Tor network to mask VPN connections.
To use Obfsproxy, you must install it on your computer, and it must be installed on the VPN server you are connecting to. In most cases, you’ll have to ask your VPN provider to set it up.
Obfsproxy does not encrypt your traffic, but it also does not require much overhead, so if it is useful in countries where bandwidth is limited (e.g. Syria or Ethiopia).
There are instruction for setting up Obsfproxy with OpenVPN on this page.
Using OpenVPN through a SSL tunnel
Another method of avoiding Advance Deep Packet Inspection, is use OpenVPN through a SSL tunnel, to wrap you data in another layer of encryption. This makes your OpenVPN traffic virtually indistinguishable from regular SSL traffic, because Deep Packet Inspection cannot penetrate this addition layer of encryption.
One provider, AirVPN, does this by default — they state:
We offer OpenVPN on ports 80 TCP / UDP, 443 TCP / UDP and 53 TCP / UDP. Additionally, every Air server supports directly OpenVPN over SSH and OpenVPN over SSL. This means that even the most brutal techniques of monitoring, censorship, throttling and traffic shaping will fail against AirVPN, because your ISP and your government will see only TCP or UDP traffic (as you prefer) on a unique port.
Please not that using a SSL tunnel will slow down your internet connections.
OpenVPN through an SSH tunnel
Using OpenVPN with a SSH tunnel is very similar to using it with a SSL tunnel. The difference is that you wrap your OpenVPN traffic with SSH encryption instead of SSL encryption. SSH is the “secure shell” software used to make connections to shell accounts in Unix. You can find SSH clients for most operating systems — see PuTTY for example.
AirVPN also supports SSH tunneling by default.