Enderman
@enderman.ch
A software engineer, a malware enthusiast and most importantly, a weird tall creature. I poke tech and act surprised when it breaks.

💖 300K+ subs on YouTube 🐤 @endermanch 🌐 https://enderman.ch
Okay, that should be it for the thread. I'm out. Your digital freedom is important to the Internet.

Please ask your questions under the first post of the thread if you have any. Also just in case, I am not suicidal.
September 1, 2024 at 10:33 AM
Now the idea is strikingly similar to that in the «undetectable» VPNs. The tools are also open-source and freely available, I'll list them here (OpenWRT as an example):
• DNSCrypt-proxy
• Stubby
• HTTPS-DNS-proxy
September 1, 2024 at 10:32 AM
An ISP may very well hijack your DNS requests server-side and redirect them to their server. Or, they could just block any outgoing UDP traffic on port 53 without their servers as an endpoint.

The solution to both of these digital rape cases is DNS over HTTPS or DNS over TLS.
September 1, 2024 at 10:32 AM
Now it should be apparent the DNS server is also a weak link. Well, the best case scenario — you can directly set custom DNS servers (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.4.4.8) either network-wide or per device. Problem solved. However, this might not work!
September 1, 2024 at 10:32 AM
Chances are you are using a DNS server provided by your ISP free of charge. Let's say the state asked the ISP to block shitter(.)com. The ISP might use DPI, but it also might resolve the domain name to localhost, for example, or in this case, RFC-private IPv4 10.20.30.40, as shown in the figure.
September 1, 2024 at 10:32 AM
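A check for the resolver tampering described in the post above, added here as an example (not the thread author's code): it parses a raw DNS response and flags answers that land in private or loopback space, where no public domain should resolve. The packets it parses are constructed inline with a small helper; x.com and 10.20.30.40 are taken from the thread.

```python
# Added example (not the thread author's code): parse a raw DNS response and
# flag A records that point a public domain into private/loopback space, the
# poisoning trick described above. All packets here are constructed by hand.
import ipaddress
import struct

def build_response(qname, ip, txid=0x1234):
    """Construct a minimal one-answer DNS response (for testing only)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)        # A, IN
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)    # ptr -> qname
    return header + question + answer + ipaddress.IPv4Address(ip).packed

def read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    parts, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(parts), end or off
        parts.append(msg[off:off + length].decode())
        off += length

def parse_a_records(msg):
    """Return (name, ipv4) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, records = 12, []
    for _ in range(qdcount):                      # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return records

def poisoned_answers(msg):
    """Answers in private/loopback space (10/8, 172.16/12, 192.168/16, 127/8)."""
    return [ip for _, ip in parse_a_records(msg)
            if ipaddress.ip_address(ip).is_private]
```

Comparing what your ISP's resolver returns against an independent resolver (for instance over DoH) for the same name is the practical way to spot this in the wild.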
4. Let's talk about DNS. It's a very important subject, because a DNS server is what resolves domain names for you, and censorship can also be applied to it.

That's what DNS does:
x.com -> 104.244.42.129
google.com -> 108.177.14.139
September 1, 2024 at 10:31 AM
Umm, yea. You probably won't ever need those. But keep that in mind, there's no way to censor the internet.
September 1, 2024 at 10:31 AM
The bottom of the barrel, where everything else is literally banned:
• Hysteria
• KCP
• Meiru
• TUIC
• Brook
• Pingtunnel
The state-of-the-art censorship circumvention is achieved by masking your VPN traffic as browsing a web page. There's almost no way to detect that.
September 1, 2024 at 10:31 AM
There's no decent nomenclature for them, but:
• VMess
• VLess
• Naive
• Trojan
The whole idea behind these protocols is to mask your VPN traffic as HTTPS. It is considerably slower than any of the VPN solutions shown before, but you gotta do what you gotta do.
September 1, 2024 at 10:31 AM
Undetectable protocols in reality aren't 100% safe, but they're state-of-the-art as of 2024 and work as a bypass for the Great Firewall of China. Most of these aren't documented in English. You likely won't need those for at least the next 10 years, but let's go over them anyway.
September 1, 2024 at 10:30 AM
Detectable protocols are usually obfuscated versions of the common protocols, e.g. AmneziaWG (WG + garbage packet spam during handshake initiation), OpenVPN over Cloak, Shadowsocks. They require much more scrutiny to be sifted out by the censorship systems.
September 1, 2024 at 10:30 AM
3. Advanced VPNs. When the state goes rogue as described in a tweet above, the protocols separate out into three categories: easily detectable, detectable, and undetectable. All common protocols are easily detectable, thus easily bannable. A more complex solution is required.
September 1, 2024 at 10:30 AM
It's open-source and based on WireGuard. It uses Docker to completely automate the process, which allows even your grandma to set it up easily. There are also options when the state goes hog wild and blocks connections per protocol — as an example, Russia and China.
September 1, 2024 at 10:30 AM
The VPN servers only differ by protocol. So, the suggestions off the top of my head are WireGuard, OpenVPN, Outline. You'll need to read a lot and understand the UNIX terminal basics. There's a single free one-click automated option I know of right now. AmneziaVPN

github.com/amnezia-vpn/...
GitHub - amnezia-vpn/amnezia-client: Amnezia VPN Client (Desktop+Mobile)
September 1, 2024 at 10:30 AM
The biggest problem with hosting a VPN server yourself is that it costs money. However, you can find a cheap VPS ($3-5/mo range) with a 100Mbit/s throughput practically anywhere right now. If you can't afford it, unfortunately, you have to resort to using a free VPN.
September 1, 2024 at 10:29 AM
A VPN client! Which one should you use? Well. Forget the free VPNs. These sell your data, show you ads, install malware and do other unspeakable things to keep their service free. The best way out is to host a VPN server yourself. The client and server always go in conjunction.
September 1, 2024 at 10:29 AM
Personally, I have network-wide split tunnelling set up with the VPN interface used solely to bypass regional blocks. That's really advanced, and I suggest you start by simply setting up a client and a server.
September 1, 2024 at 10:29 AM
Yes, the figure above is fucking dumb. Don't murder me, network guys. It's a vast oversimplification. The problem with a VPN is that it adds a whole bunch of hops and overhead that comes with them for your packets to overcome. 99% of the time it slows the connection down.
September 1, 2024 at 10:29 AM
2. The VPNs. If the above does not work, your next best option is a VPN. The VPNs aren't magic, they're virtual networks that coincidentally allow delegating sending packets to a different gateway.
September 1, 2024 at 10:28 AM