Kitz ADSL Broadband Information
Author Topic: VPNs packet inspection blocking workaround, any?  (Read 3349 times)

mofa2020

  • Reg Member
  • ***
  • Posts: 317
VPNs packet inspection blocking workaround, any?
« on: June 27, 2023, 09:21:12 PM »

I hope this is the correct section in the forum to post this. My ISP (which is also the only broadband gateway in my country, so this applies to all other ISPs too) is blocking VPN traffic, so when I try to connect, my internet goes down while a VPN tries to connect, and it stays "connecting" to no avail in the end. Is there any way to get around this? Even the Opera web browser is blocked because it has some sort of VPN built in.

P.S., I tried most VPNs; either I cannot reach the website at all, or I can (like Kaspersky, for example) and therefore download the VPN app, but it cannot connect as mentioned above.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5288
    • Thinkbroadband Quality Monitors
Re: VPNs packet inspection blocking workaround, any?
« Reply #1 on: June 28, 2023, 03:45:32 AM »

Surely VPNs which tunnel over SSL MUST be able to bypass this? I know AirVPN have specific servers for this.

Another option would be to rent a VPS of your own to use for this, as it's less likely to be blacklisted as a VPN endpoint at the ISP. But even then, if they are aggressive enough, they could see all your traffic going to one place and decide that must be a VPN. It really depends how hard they are looking at what their customers are doing.
« Last Edit: June 28, 2023, 03:47:56 AM by Alex Atkin UK »
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

mofa2020

  • Reg Member
  • ***
  • Posts: 317
Re: VPNs packet inspection blocking workaround, any?
« Reply #2 on: June 29, 2023, 11:11:10 AM »

Thank you Alex. I will give this a try; hopefully it will do the trick, but they are going nuts over these things here >:(

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: VPNs packet inspection blocking workaround, any?
« Reply #3 on: July 02, 2023, 05:50:56 PM »

Quote from: mofa2020 on June 29, 2023, 11:11:10 AM
Thank you Alex. I will give this a try; hopefully it will do the trick, but they are going nuts over these things here >:(

Using DoH is probably a good idea.

Tunneling over SSL will help but isn't a magic bullet; they don't need to know every, or even any, endpoint to block them, and they can increase the aggressiveness of the blocking depending on the cost they're willing to pay in terms of usability for businesses. Residential customers don't matter besides allowing them access to their employer VPNs, and those are easy enough to whitelist.
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5288
    • Thinkbroadband Quality Monitors
Re: VPNs packet inspection blocking workaround, any?
« Reply #4 on: July 02, 2023, 08:26:38 PM »

Yeah, like I was saying, if all traffic is going to one place it's going to scream VPN, if they're paying attention. You'd need something more distributed, like Tor, but not Tor, as that traffic I believe is easily recognised, so it will almost certainly be blocked also.

Basically the problem is that anything tunnelled is going to be obvious as a non-standard traffic pattern, given normal browsing will be scattered across hundreds of IP addresses.
« Last Edit: July 02, 2023, 08:28:52 PM by Alex Atkin UK »
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: VPNs packet inspection blocking workaround, any?
« Reply #5 on: July 03, 2023, 12:02:11 AM »

TLS MitM: downgrade it all to 1.2, then snoop the certificate and use that to identify, is one way to monitor. Block anything that won't permit downgrade unless you can whitelist.

Proprietary VPNs have signatures within the call set-up process unless they're intentionally being obfuscated.

Two ways to increase the amount you catch some more. Takes care, alongside the dull stuff, of all IPsec, all WatchGuard, various proprietary, various hiding behind TLS.

The rest: traffic analysis.

I imagine they'll do this in stages, with basic identification from IP and port in-line, interesting/unknown stuff kicked over to the next level of analysis with applications DPI'd, and if TLS and not known okay: if TLS 1.2, the certificate is snooped; if 1.3, attempt downgrade to 1.2. Other apps depend on policy.

After this, see what's up. If using a known bad certificate: block; if downgrade refused: block.

If a flow is still unknown, IPFIX or NetFlow from the ISP. If the customer has a flow the DPI can't categorise, open for a long period and carrying a lot of traffic relative to the rest of the traffic, it's a VPN tunnel. If there is no other traffic, they've a VPN on their router.

Lowering the bar completely: if the system can't categorise it, disrupt it.

At least some of the blocking kit is out of line, and is sending either forged TCP resets or ICMP Unreachable messages of some sort to break things. If there's a basic check inline, that can just drop things that fail its quick checks.

YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.
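The flow-analysis stage that Reply #4 and Reply #5 describe (one destination taking nearly all of a host's traffic, a long-lived flow the DPI cannot categorise, and "no other traffic at all" meaning the tunnel sits on the router) is the kind of heuristic a network defender also runs over NetFlow/IPFIX exports to spot unsanctioned tunnels leaving a corporate network. The following Python is an added example written for this thread, not code from the posters or from any ISP or vendor product. The flow records, the "unknown" DPI label and the thresholds (30 minutes, 80% byte share) are constructed assumptions; real exporters use richer fields and real thresholds are tuned per network.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow/IPFIX-style, heavily simplified)."""
    src: str
    dst: str
    dport: int
    proto: str
    duration_s: int
    bytes_: int
    app: str  # DPI label; "unknown" when the classifier could not categorise it


# Constructed sample records for three hosts; not real telemetry.
FLOWS = [
    # 10.0.0.5: ordinary browsing to several destinations plus one huge, long, uncategorised flow.
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", 30, 400_000, "tls/web"),
    Flow("10.0.0.5", "203.0.113.11", 443, "tcp", 45, 1_200_000, "tls/web"),
    Flow("10.0.0.5", "203.0.113.12", 443, "tcp", 12, 90_000, "tls/web"),
    Flow("10.0.0.5", "203.0.113.13", 53, "udp", 1, 2_000, "dns"),
    Flow("10.0.0.5", "198.51.100.7", 443, "tcp", 7200, 2_500_000_000, "unknown"),
    # 10.0.0.9: ordinary browsing only, including a large but categorised video stream.
    Flow("10.0.0.9", "203.0.113.20", 443, "tcp", 20, 300_000, "tls/web"),
    Flow("10.0.0.9", "203.0.113.21", 443, "tcp", 600, 50_000_000, "tls/video"),
    Flow("10.0.0.9", "203.0.113.22", 443, "tcp", 15, 120_000, "tls/web"),
    # 10.0.0.12: a single day-long uncategorised flow and nothing else (router-level tunnel pattern).
    Flow("10.0.0.12", "198.51.100.9", 4500, "udp", 86_400, 9_000_000_000, "unknown"),
]


def flows_by_host(flows):
    """Group flow records by source host."""
    groups = defaultdict(list)
    for f in flows:
        groups[f.src].append(f)
    return groups


def destination_share(host_flows):
    """Fraction of a host's bytes that went to its single busiest destination.

    This is the 'all traffic going to one place' signal on its own; on its own it
    also lights up for a legitimate large download or video stream.
    """
    total = sum(f.bytes_ for f in host_flows)
    if total == 0:
        return 0.0
    per_dst = defaultdict(int)
    for f in host_flows:
        per_dst[f.dst] += f.bytes_
    return max(per_dst.values()) / total


def flag_tunnel_candidates(flows, min_duration_s=1800, min_share=0.8):
    """Flag hosts with a long-lived flow the DPI could not categorise that also
    dominates the host's traffic. Returns {src: finding} for flagged hosts only.

    Thresholds are assumed values for the example, not recommended settings.
    """
    findings = {}
    for src, host_flows in flows_by_host(flows).items():
        total = sum(f.bytes_ for f in host_flows)
        for f in host_flows:
            if f.app != "unknown" or f.duration_s < min_duration_s:
                continue  # categorised, or too short-lived to matter here
            share = f.bytes_ / total if total else 0.0
            if share < min_share:
                continue  # uncategorised but not dominant; leave for further analysis
            others = [g for g in host_flows if g is not f]
            reason = ("router-level tunnel (no other traffic from host)" if not others
                      else "long-lived uncategorised flow dominates host traffic")
            findings[src] = {"dst": f.dst, "dport": f.dport, "proto": f.proto,
                             "share": round(share, 3), "reason": reason}
    return findings


if __name__ == "__main__":
    for host, hf in flows_by_host(FLOWS).items():
        print(f"{host}: top-destination share {destination_share(hf):.3f}")
    for host, finding in flag_tunnel_candidates(FLOWS).items():
        print(f"{host}: {finding}")
```

Note how 10.0.0.9 gets a top-destination share above 0.9 purely from a video stream, yet is not flagged: the concentration signal from Reply #4 only becomes useful once it is combined with the DPI label and flow duration from Reply #5, which is why such systems are staged rather than relying on any single check.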