‘Many decades from now, people could look back at this period and say ‘that was a very rare moment, the period from the 1990s to 2010 where there was this global communications platform that just disintegrated’, and so that’s why many of us […] are advocating for an Internet protection movement […]’
Ron Deibert, The Citizen Lab.
Exactly as I warned everyone for the past two years, the Internet ‘pornography’ filter was a political move that had nothing whatsoever to do with pornography and everything to do with simply having the capability to censor stuff. All it took was for the Daily Heil to muster a few easily misled cretins lobbyists to make that happen.
If anyone still thinks I’m a paranoid conspiracy theorist, TalkTalk is now providing roughly the same level of crippled Internet access you’d expect in a primary school library, with sites related to martial arts, electronic cigarettes, alcohol and even nicotine patches – none of them even remotely pornographic – all blocked, and it’s proving rather difficult to (legally) sign into the customer portal to resolve this as a responsible adult with the freakin’ login details written in black and white.
At the risk of this blog ending up on the shitlist (which might happen anyway), I’ll dedicate this post to the readers who didn’t see this coming, and will provide a solution that requires the least effort. Unfortunately it’s still going to involve learning some technical networky-type stuff.
Proxies and VPNs
The technical situation is basically this: most sites share an IP address with many other sites at their hosting provider, so blocking by address would take out innocent bystanders; instead the ISP filtering seems to work by scanning the TCP payloads of HTTP requests for blacklisted hostnames and URLs. What this means is the only practical countermeasure is to encrypt and proxy our HTTP requests, so the ISP never gets to see the URL. There are two options available to us.
The average web proxy, the type we’d get after a brief Google search, operates by fetching web pages and sending requests on behalf of the client, in effect acting as a relay between the client and the destination server. Of course, if the ISPs are scanning TCP payloads for URLs, this method is only effective when the connection to the proxy server itself is encrypted (HTTPS to the proxy); the ISP then sees only the proxy’s hostname, not what we asked it for.
It’s the quick and easy way to get around filtering, but users might be setting themselves up for a Man-in-the-Middle attack: a web proxy of this kind fetches the page itself, so the proxy operators can read (and alter) everything that passes through, including anything the destination site would normally serve over HTTPS. No doubt some people, thanks to someone’s clever idea of getting ISPs to filter legitimate non-pornographic stuff, will end up conducting financial transactions with a blocked site via a potentially malicious proxy.
Virtual Private Networks look similar from the outside, but they are fundamentally different: the VPN carries the client’s IP packets as they are, so an HTTPS session stays properly encrypted end-to-end between the browser and the destination server, while the VPN adds another layer of encryption between the client and the VPN server on top. In other words, the TCP/IP packets between the client and destination server are encapsulated to become the encrypted payload of TCP/IP packets between the client and VPN server, and the VPN operator sees which hosts we talk to but not the contents of the HTTPS sessions inside.
For the time being, it looks like VPNs are the safest, most practical and reproducible method of getting around censorship in a client-server Internet.
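To make the two claims above concrete, here is an added example (not code from the original post, and not any ISP’s actual filter): a payload-scanning filter that matches blacklisted hostnames in plaintext HTTP requests, which still catches a request sent through an unencrypted web proxy, and the same request wrapped in an encrypted tunnel, which the filter can no longer read. The blocklist, hostnames and key are constructed, and the tunnel uses a toy HMAC-SHA256 keystream cipher standing in for OpenVPN’s real TLS-based crypto, purely so the point can be shown offline.

```python
"""Why URL scanning catches plain HTTP (even via a plain proxy) but not a tunnel.
Added example, not from the original post. Standard library only; the 'tunnel'
is a toy HMAC-SHA256 keystream cipher standing in for OpenVPN's real crypto."""
import hashlib
import hmac
import re
import struct

# Constructed blocklist of the kind of non-pornographic hosts the post complains about.
BLOCKLIST = {"vapes.example", "dojo.example"}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload: bytes):
    """Return (host, target) if the bytes start an HTTP/1.x request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = REQUEST_LINE.match(text)
    if not m:
        return None
    host = None
    for line in text.split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return host, m.group(2)


def filter_verdict(payload: bytes) -> str:
    """What a payload-inspecting middlebox decides for one TCP segment."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return "pass"           # opaque bytes: no URL to match, so they go through
    host, target = parsed
    if host in BLOCKLIST:
        return "block"
    m = re.match(r"https?://([^/:]+)", target)   # absolute-URI form used when talking to a proxy
    if m and m.group(1).lower() in BLOCKLIST:
        return "block"
    return "pass"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Demo only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def tunnel_wrap(key: bytes, nonce: bytes, inner: bytes) -> bytes:
    """Toy tunnel: nonce || (inner XOR keystream). No authentication: demo only."""
    ks = _keystream(key, nonce, len(inner))
    return nonce + bytes(a ^ b for a, b in zip(inner, ks))


def tunnel_unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of tunnel_wrap; the 8-byte nonce is carried in the clear."""
    nonce, body = blob[:8], blob[8:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def demo():
    """Three ways the same request can cross the ISP; returns the three verdicts."""
    req = b"GET /nicotine-patches HTTP/1.1\r\nHost: vapes.example\r\n\r\n"
    via_plain_proxy = (b"GET http://vapes.example/nicotine-patches HTTP/1.1\r\n"
                       b"Host: vapes.example\r\n\r\n")
    key = hashlib.sha256(b"constructed demo key").digest()   # constructed, not a real key
    wrapped = tunnel_wrap(key, b"\x00" * 8, req)
    assert tunnel_unwrap(key, wrapped) == req   # the far end still gets the real request
    return filter_verdict(req), filter_verdict(via_plain_proxy), filter_verdict(wrapped)


if __name__ == "__main__":
    print(demo())
```

demo() returns ('block', 'block', 'pass'): the direct request and the one sent to an unencrypted proxy both carry the hostname in the clear and get blocked, while the tunneled copy is just opaque bytes to the filter. An HTTPS connection to a web proxy has the same effect from the ISP’s point of view, but then it is the proxy operator who holds the plaintext; only the VPN case keeps the inner HTTPS session end-to-end.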
Now let’s apply the theory using something called ‘OpenVPN’.
Setting Up OpenVPN
The UWN Thesis blog has several months’ research, some decent walkthroughs and YouTube vids on setting up OpenVPN. There’s also a SANS paper for anyone who’s interested in the technical details.
Here I’ll cover the setup on a Linux system with a Gnome/LXDE/Mate desktop, and go a little more into the background so readers understand what’s happening.
There are actually two steps to getting VPN access: Firstly, we need to install the OpenVPN client on the local system to handle tunneling, encryption, authentication and other back-end stuff. Unlike HTTPS, where data is encrypted by the browser and written to TCP sockets, the OpenVPN client works below the application layer: it creates a virtual network interface (tun0 on Linux), and whatever IP packets the system routes through that interface are encrypted and sent on to the VPN server. Therefore we should see encrypted sessions between the browser and web server being tunneled through another encrypted session between the OpenVPN client and whatever VPN service.
The second stage involves configuring the OpenVPN client to establish that tunnel with a VPN service.
So, the OpenVPN client backend needs to be installed first, and most users will want a GUI front-end. Linux users will need to fetch ‘openvpn’, ‘gadmin-openvpn-client’ and ‘openvpn-blacklist’ from the package repositories. The latter is a list of keys generated by the broken Debian OpenSSL random-number generator of 2006–2008, so a bundle whose keys appear on it can be detected and refused; it does nothing about a certificate that is dodgy for any other reason.
When the packages have been successfully installed, the OpenVPN GUI will normally be found somewhere in the System or Administration section in the desktop menu, although I won’t actually be using it here.
The next step is to find a VPN service, and it’s important to choose one that’s reputable. Time to scour the Internet for a provider that supports OpenVPN and download something called a ‘bundle’ – an archive of text files containing the service settings and certificates. For this demo I chose an excellent service called VPNBook (another recommended by UWN Thesis). Extract this.
Now for a tiny bit of command line work. Navigate to the extracted bundle directory in the command line (as root), and enter the following:
#openvpn --config vpnbook-euro2-tcp80.ovpn
The authentication details it asks for are available on the VPNBook’s ‘Free VPN Accounts‘ page.
This uses just one of the files to set up the VPN connection. The number in each filename is the port the VPN server listens on, not what the tunnel is for: tcp80 and tcp443 make the tunnel look like ordinary web or HTTPS traffic to a firewall that only lets those ports through, udp53 does the same on the DNS port, and udp25000 is a plain UDP transport, which is what OpenVPN normally prefers because running TCP inside TCP makes both layers retransmit against each other and performs badly. Pick a UDP one unless something on the path blocks it.
And that’s it. To prove it worked I was able to access the sites that were previously blocked. I also checked the SSL/TLS certificates on the other sites I was accessing, and am 99% certain that VPNBook was safely tunneling my encrypted connections – always check this anyway.
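Two checks worth doing around that step, as an added Python example that is not part of the original post and not VPNBook’s own tooling: inspect the bundle before trusting it, and after connecting confirm the tunnel really carries all traffic rather than just the VPN subnet. The .ovpn file and the `ip route` output embedded below are constructed to resemble a tcp80 bundle and a connected client; the hostname euro2.example.net, the addresses and the certificate placeholder are all made up.

```python
"""Sanity checks for an OpenVPN client bundle and the routes it installs.
Added example (not from the original post or from VPNBook); the sample
.ovpn and `ip route` output below are constructed, not real provider data."""
import re

SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote euro2.example.net 80
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB(placeholder, constructed)
-----END CERTIFICATE-----
</ca>
"""

# Constructed `ip route` output after OpenVPN applied `redirect-gateway def1`:
# the ISP default route is kept, but two /1 routes via tun0 take precedence.
SAMPLE_IP_ROUTE = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 proto static
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""


def parse_ovpn(text):
    """Return ({directive: [args...]}, {inline block names}) for a .ovpn file.
    Inline blocks such as <ca>...</ca> are recorded by name and their bodies skipped.
    A directive repeated in the file keeps its first occurrence."""
    directives, inline, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == f"</{block}>":
                block = None
            continue
        m = re.match(r"<(\w+)>$", line)
        if m:
            block = m.group(1)
            inline.add(block)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        directives.setdefault(parts[0], parts[1:])
    return directives, inline


def audit_ovpn(text):
    """Findings a practitioner should act on before trusting the tunnel."""
    d, inline = parse_ovpn(text)
    findings = []
    proto = d.get("proto", ["udp"])[0]
    remote = d.get("remote", [])
    port = remote[1] if len(remote) > 1 else d.get("port", ["1194"])[0]
    findings.append(f"transport {proto}/{port}")
    if proto.startswith("tcp"):
        findings.append("tcp-over-tcp")            # inner and outer TCP retransmit against each other
    if "ca" not in inline and "ca" not in d:
        findings.append("no-ca")                   # nothing pins the server's certificate chain
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("no-remote-cert-tls")      # a client cert from the same CA could pose as the server
    if "auth-user-pass" not in d and "cert" not in d and "cert" not in inline:
        findings.append("no-client-auth")
    if "redirect-gateway" not in d:
        findings.append("routes-pushed-by-server") # check the routes after connecting
    return findings


def tunnel_covers_all_traffic(ip_route_output, tun_prefix="tun"):
    """True if every destination is routed via a tun device: either a plain
    `default ... dev tunN`, or the `redirect-gateway def1` pair of /1 routes,
    which override the ISP default route without deleting it."""
    dev_for = {}
    for line in ip_route_output.splitlines():
        parts = line.split()
        if "dev" in parts:
            dev_for[parts[0]] = parts[parts.index("dev") + 1]

    def via_tun(dst):
        return dev_for.get(dst, "").startswith(tun_prefix)

    return via_tun("default") or (via_tun("0.0.0.0/1") and via_tun("128.0.0.0/1"))


if __name__ == "__main__":
    print(audit_ovpn(SAMPLE_OVPN))
    print(tunnel_covers_all_traffic(SAMPLE_IP_ROUTE))
```

On the constructed bundle audit_ovpn reports the tcp/80 transport and its TCP-over-TCP cost, the missing `remote-cert-tls server` line (without it any client certificate signed by the same CA could impersonate the server, so add it yourself if the provider’s bundle lacks it) and that routing is left to whatever the server pushes. tunnel_covers_all_traffic exists because of the def1 trick: OpenVPN adds 0.0.0.0/1 and 128.0.0.0/1 via tun0 rather than replacing the ISP default route, so a naive look at the `default` line alone would wrongly say the tunnel is not in use. Check DNS the same way: if /etc/resolv.conf still points at the ISP’s resolver, every hostname you look up is still visible to it even though the HTTP requests are not.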
And I’ll leave readers with some useful links:
PrivateTunnel (offers a free account with a limited data allowance): https://www.privatetunnel.com/index.php
Public Proxy Servers: http://www.publicproxyservers.com/