Russia starts blocking VPN at the protocol (WireGuard, OpenVPN) level

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Xray-core

    Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.

  • I have been researching VPN protocols that work in China and found that Xray [0] is the most recommended route to escape the GFW. An ideal VPN setup is one where packets appear as normal https traffic. Some VPN setups take it a step further and proxy the traffic through Cloudflare. Setting all this up is nowhere as easy as Wireguard. Coincidentally, I came across this project on Github earlier today which is an obfuscation proxy for Wireguard [1], but I haven't found any information about how well it works.

    [0] https://github.com/XTLS/Xray-core

    [1] https://github.com/database64128/swgp-go

  • swgp-go

    🐉 Simple WireGuard proxy with minimal overhead for WireGuard traffic.

  • wstunnel

    Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

  • While working in an environment where VPN connections were pretty much all blocked⁰ a friend of mine had success using https://guacamole.apache.org/ to access a remote machine¹. Not quite the same as a direct VPN connection but worth a try if nothing else functions, it looks enough like normal HTTPS traffic that he got away with it.

    To keep your wireguard setup more as-is, you could try https://kirill888.github.io/notes/wireguard-via-websocket/ to tunnel that via a web server. In fact https://github.com/erebe/wstunnel which that uses could be used just as well with any other UDP based VPN.

    I once tinkered with https://github.com/yarrick/iodine and successfully connected to resources over the wireless on a train, bypassing its traffic capture and sign-up requirement, so that might be an option, though I think fully blocking external DNS is more common now so this is less likely to work²³.

    --

    [0] practically only HTTP(S) permitted, not even SSH, DPI in use that detected just using SSH or OpenVPN over port 443

    [1] NOTE: be careful breaching restrictions like this, you are at risk of an insta-sacking if discovered, or worse if operating in some security environments!

    [2] and the latency when it does work is significant!

    [3] and that much traffic over port 53 might get noticed by the heuristics of data exfiltration scanner, encouraging sysadmins to notice and implement a way to block it

  • iodine

    Official git repo for iodine dns tunnel

  • Wireshark

    Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. ⚠️ GitHub won't let us disable pull requests. ⚠️ THEY WILL BE IGNORED HERE ⚠️ Upload them at GitLab instead.

  • They even have a nice comment explaining the heuristic: https://github.com/wireshark/wireshark/blob/ef9c79ae81b00a63...

         * Heuristics to detect the WireGuard protocol:

  • browsh

    A fully-modern text-based browser, rendering to TTY and browsers

  • > If you are using a JS based browser, you don't deserve security in first place.

    In some cases, that is true, but not all, and I suggest not even most. In many cases, I think people are just as liable for being unwilling to use Whonix.

    > If I had time I could set up a tutorial not to use SSH as a proxy, but as a client to a remote VPS/tilde to use the offpunk client there to browse web/gemini and gopher sites anonymously.

    https://github.com/browsh-org/browsh can be pretty decent, too. It's a shame that it's not common practice to provide resource gleanings in the form of such access to random others from one's VPS. Easily reproduced NixOS tool in VM with locked down containers proxying through a local tor would scale up alright and significantly limit risks for the donor. I find very few people take up the offer to even use another's VPS though.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
