3

My ISP blocked a bunch of networks I need to access. I installed a VPS (unix box) outside of my ISP's network and I can now build a VPN between my home router and the VPS, but I want to hide this fact from my ISP.

Here are several approaches and their weaknesses, could you please check my thoughts?

VPNs that work over IP. Their protocols are easy to detect (one only needs to check the "protocol" field in the IP header); although my ISP will not be able to decrypt the data, it will know for sure that I am using a VPN.

  • PPTP: Uses GRE
  • IPSec: Uses ESP header

Looks like I need an application-level VPN that will work over TCP and use a well-known port to resemble valid traffic. I know 2 of them:

  • OpenVPN: TLS-based, so I can use TCP mode and port 443 and make my ISP believe that I am using HTTPS. But my ISP may try to open the website and quickly find that it is not actually a website. To fight that, I can use destination NAT on the VPS to change the dest. port for any IP except mine and launch a web server on this port. So, any access to MY_VPS:443 from anywhere will look like a regular website. But for me it will act as a VPN. I see one trouble here: keeping a permanent connection to a website may be suspicious to my ISP. I can create a website that uses WebSockets, Comet or some other technology to keep a permanent connection (for a webchat, for example) and tell my ISP that this is the reason I have a permanent connection.

  • SSH Tunneling. I do not need to DNAT anything here: my ISP connects to OpenSSH running on my VPS and sees a "login:" prompt, which is absolutely legal. I can tell them that I am sitting on my remote box via SSH all night long :) However, traffic patterns differ a lot for character-based SSH (when I simply type commands) and for using it as a VPN when I download large files (small HTTP request followed by a huge HTTP response). My ISP may use this information. I can try to tell them that I am downloading backups from my server via SCP or SFTP. I can also say that I am running an X11 client there (SSH X11 forwarding), but it could be treated as a kind of VPN. Patterns could be an issue for OpenVPN also, but there I can say that my website has a lot of data to download.

Which one is better? Is it possible for my ISP to use some DPI to find that I am using the connection as a VPN?

user996142
    Likely none of this will work against a motivated ISP. For example, there's been research on [Identifying HTTPS-Protected Netflix Videos in Real-Time](https://www.mjkranch.com/docs/CODASPY17_Kranch_Reed_IdentifyingHTTPSNetflix.pdf) that is based on statistical models. Many of these techniques require accurate timing, but your ISP has that. – Neil Smithline Apr 20 '18 at 00:19
  • You mention `absolutely legal`. Is using a VPN illegal where you are? Or do you mean that it doesn't violate your condition of hiding from the ISP? – Neil Smithline Apr 20 '18 at 00:22
  • Thank you for the link to the research. Does it work for SSH? It is "illegal to use VPNs to access websites blocked by the ISP", so if they can find that I am using a VPN they will (probably) ask what for – user996142 Apr 20 '18 at 00:59
  • That technique is an example of what a motivated ISP can determine, not necessarily a specific attack that will be done to you. But if you're streaming movies, they could certainly use a similar strategy over SSH. That's why I say that you probably have no hope of tricking a motivated ISP. But if they're not motivated, all they'll do is see that you're using a VPN, but not see what you are using it for. – Neil Smithline Apr 20 '18 at 01:08
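The traffic-pattern difference the question describes (keystroke-sized packets in both directions for an interactive SSH session versus a short request followed by a stream of near-MTU packets when the session carries a download) is exactly what a flow-level DPI heuristic measures. The following is an added example, not code from the question, the answer or any ISP product: a minimal flow-feature classifier run over constructed packet records, with hypothetical thresholds chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# One packet as a DPI box sees it after the transport headers are stripped:
# direction ("c2s" client->server, "s2c" server->client) and encrypted
# payload length in bytes. The ciphertext is opaque; only sizes and
# direction are used.
@dataclass
class Pkt:
    direction: str
    payload: int

def flow_features(pkts):
    """Summarise one flow into the features the question says differ
    between interactive SSH and a tunnel used for bulk download."""
    c2s = [p.payload for p in pkts if p.direction == "c2s"]
    s2c = [p.payload for p in pkts if p.direction == "s2c"]
    return {
        # server bytes per client byte: ~1 for typing/echo, huge for a download
        "byte_ratio": sum(s2c) / max(sum(c2s), 1),
        "mean_s2c": mean(s2c) if s2c else 0.0,
        # share of server packets that are near MTU size (bulk data)
        "big_frac": sum(1 for n in s2c if n >= 1200) / max(len(s2c), 1),
        # share of all packets that are keystroke/echo sized
        "small_frac": sum(1 for p in pkts if p.payload <= 64) / max(len(pkts), 1),
    }

def classify(pkts, ratio=20.0, big_frac=0.8, small_frac=0.8):
    """Hypothetical thresholds: flag a flow whose server side dominates and
    consists of near-MTU packets as a bulk transfer, and a flow made of
    small balanced packets as an interactive terminal session."""
    f = flow_features(pkts)
    if f["byte_ratio"] >= ratio and f["big_frac"] >= big_frac:
        return "bulk-transfer"   # looks like a download carried inside the session
    if f["small_frac"] >= small_frac and f["byte_ratio"] < 5:
        return "interactive"     # keystroke/echo pattern of a shell session
    return "unknown"

# Constructed sample flows (not captured traffic).
INTERACTIVE_SSH = [Pkt("c2s", 36), Pkt("s2c", 36)] * 40          # key press, echo
TUNNELED_DOWNLOAD = ([Pkt("c2s", 180)]                             # small request
                     + [Pkt("s2c", 1400)] * 300                    # large response
                     + [Pkt("c2s", 36)] * 10)                      # ACK-sized chatter

if __name__ == "__main__":
    for name, flow in (("interactive", INTERACTIVE_SSH), ("download", TUNNELED_DOWNLOAD)):
        print(name, classify(flow), flow_features(flow))
```

Payload-size and direction statistics survive encryption, which is why the ISP does not need to break TLS or SSH to tell the two sessions apart; padding or traffic shaping changes these features, which is the property obfuscating transports such as the Shadowsocks setup in the answer below rely on.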

1 Answer

3

I recently ran into a similar situation. An internet connection I was legally making use of was using deep packet inspection to prevent the use of SSH Tunnels or VPN.

To get around this I set up an instance of Shadowsocks with SSH tunneling through it (example).

Shadowsocks - obfuscates the content of the connection making it much harder for deep packet inspection to identify the type of traffic (though not impossible).

SSH - provides much better security than Shadowsocks as well as provides a means for tunneling other types of traffic through it.

CaffeineAddiction