Russia has started tentative blocks of the OpenVPN protocol on several mobile internet service providers since last week.
The fact became known after several Moscow-based users complained about their ability to connect to OpenVPN-powered services through the MTS, Tele2, Megafon, Colna, Yota, and Beeline providers.
While connectivity has been restored in some cases, problems persist on several providers, with many users reporting that even when they achieve to establish a connection, they lose it after about 10 seconds.
The situation prevents internet users in Russia from accessing the web privately. At the same time, organizations in Moscow that use OpenVPN as part of their corporate network design currently suffer from catastrophic outages.
The latter is an excellent example of why attempting to block entire internet communication protocols, let alone widely used ones, is never a good idea, no matter how imperative the need for censorship may be.
Russia vs. VPNs
The Russian state has already blocked or prohibited the use of the most reliable and trustworthy VPNs, allowing only those that agreed to connect their services to the FGIS database (permitted content) to continue operating in the country. Notable services blocked in Russia are NordVPN, ExpressVPN, ProtonVPN, VyprVPN, Opera VPN, and PrivateTunnel.
More recently, Moscow-based security company Kaspersky also decided to retract its VPN product, Secure Connection, away from the Russian market, opting not to explain why it has reached this decision.
However, many of the banned providers reverted to using routing servers located just outside the Russian border, continuing to support their Russian user base, albeit at reduced speeds and server options, which is the inevitable result of implementing unfavorable bypassing solutions.
Blocking all traffic that appears as OpenVPN traffic makes logical sense as a next step in the Russian state’s effort to curb the use of restricted VPN products, so these tentative small-scale blocks might be just a first-phase test-bed. In fact, there have been several reports of Russian ISPs testing blocks on IKEv2 and WireGuard in other regions, so it is clear that the country’s authorities experiment with this type of aggressive censorship.
What Can Russians Do?
The environment for Russian netizens who value their privacy and would like to continue accessing “unapproved” internet spaces or information sources is getting increasingly hostile, and the methods to bypass all the blocks imposed at multiple levels are, unfortunately, more challenging to implement.
A solid way to bypass protocol-based blocks would be to select a VPN product offering multiple protocol options and try connecting with one Russia’s internet watchdog does not actively target.
A second block-circumvention method would be to use special obfuscating tools that make OpenVPN traffic appear as regular internet traffic, making it less likely to raise flags on the ISP’s checking points. One effective tool that does this is ‘GoodbyeDPI,’ which even releases a special version for Russia-based users.
ExpressVPN and NordVPN should be able to bypass this problem thanks to the ‘Domain Fronting‘ system they incorporate into their products. Tunnelbear also has a ‘GhostBear‘ system that obfuscates network traffic by randomly adding data or trimming data packets, making deep inspection impossible, thus avoiding automated blocks.
Finally, there’s the option of using the Shadowsocks encryption protocol, which offers a fast tunnel proxy helping bypass aggressive internet censorship measures. Shadowsocks has been successfully used against the “Great Firewall” of China, masking VPN traffic and encrypting all data packets so they cannot be scrutinized by intermediaries or providers.