10 Tips for Effective Web Unblocking With A VPN
Update, 04/2015: Save yourself the time and effort of manually configuring your VPN as described here. Newer obfuscating, self-configuring VPNs are breaking through censorship barriers: you no longer need to pick through server lists, set up obfuscation, or go through the tedious process of starting a VPN session by hand. Tools like Psiphon and Bitmask do it all for you in seconds.
The list of VPN user tips given here has developed out of experience traveling to many countries and using VPN services to stay connected to sites and services in the webmaster's home country. Using the internet in China in particular has been a struggle. Rather than adapt to barriers like the Great Firewall of China, the webmaster has chosen to fight the internet censorship. The suggestions below are considered effective ways of using conventional VPN services in non-permissive environments.
- Subscribe to a service with many gateways. If you run your own servers, have them on many IP addresses, and be prepared to abandon IPs as they are blocked by the adversary sysadmin / government.
- Use ports that are most inconspicuous. Ports 443 and 1194 are well known to carry VPN traffic in addition to their other common uses (SSL and online gaming, respectively), and are often blocked by countries like China or Saudi Arabia.
Here are some common ports with enough traffic to make your presence harder to detect:
| Protocol | Port(s) | Application |
|---|---|---|
| TCP or UDP | 6970-6969 | BitTorrent |
| TCP | 3389 | Windows Remote Desktop |
| UDP | 123 | Network Time Protocol |
| UDP or TCP | 531, 5190-5193 | AOL Instant Messenger |
| UDP | 666 | Doom, Online Game |
| UDP or TCP | 749 | Kerberos Administration |
| UDP or TCP | 1503 | Windows Live Messenger |
| TCP | 4664 | Google Desktop Search |
| TCP | 16080 | Mac OS X Server |
Other randomly chosen ports between 1025 and 64000 will work as long as your firewall will permit the traffic and the remote server is configured to accept data on that port. Here is a very good list of ports and applications.
- Whenever you attempt to access sites with sensitive content, use the VPN. Never go to such pages in the clear, then try the VPN after finding them blocked. That merely gets the attention of traffic analysts and makes denial of access more likely. Some countries will detect this and cut off your access (or worse). Some will send police to visit you.
- Use the VPN only when needed. Deep packet inspection can be used to detect VPN traffic, and when constant usage is found, access is often restricted for the user's IP address. Adversaries can't easily determine what was in the data, but they can choke it off as in item (3) above.
- Two-hop VPNs sound sophisticated, but offer only limited increases in security. For better security, use better encryption and stronger keys. OpenVPN does a very good job with 256 bit Blowfish and 2048 bit RSA keys. Don't expect the NSA to crack your codes during the lifetime of the world.
- Don't forget to use a trustworthy DNS server. Google DNS and OpenDNS are great, and there are others as well. Continuing to use the internet service provider's DNS, in countries such as Iran, Syria, or China, will result in denied access.
- Avoid VPN services claiming to have their own, special, uncrackable encryption. The largest providers do not make such claims, but smaller companies offering a cheaper product have been known to make this ridiculous claim. Note that SoftEther and OpenVPN are free and open source. They use protocols known to be strong, proven robust through peer review. Why take risks with a proprietary system closed to professional scrutiny?
- For highest speed, use a server located near you for access to the world. For access to systems sensitive to location and IP address (Facebook, Google, banks, etc.), stay with one server near the remote system. Sending your internet data packets on long, world-spanning round trips will reduce your bandwidth.
- For the most secure protection of your internet traffic, use a service with SoftEther or OpenVPN SSL tunneling. As a secondary choice, L2TP is widely used and almost as secure.
- Always bear in mind that security and anonymity are two different things. Your VPN provides security between your computer and the distant gateway server. It also provides anonymity to the extent that your traffic enters and exits the internet at a remote IP address and not your actual address. The VPN doesn't time-shift your traffic, nor does it prevent your other software from giving you away. If you publish an exposé of your local perverted, cannibalistic, bestial dictator on the internet, please remember not to let your software sign the document with your actual name!
- A bonus tip: Use your "hosts" file to directly access blocked websites by IP address, without the need for DNS lookups. Facebook and many others have SSL-secured pages that are difficult to block, since the data is encrypted and resistant to blacklist screening.
SAMPLE HOSTS FILE DATA FOR ACCESSING GOOGLE SERVICES FROM CHINA:
```
126.96.36.199 apps.google.com
188.8.131.52 books.google.com
184.108.40.206 drive.google.com
220.127.116.11 0.drive.google.com
18.104.22.168 1.drive.google.com
22.214.171.124 2.drive.google.com
126.96.36.199 3.drive.google.com
188.8.131.52 4.drive.google.com
184.108.40.206 5.drive.google.com
220.127.116.11 groups.google.com
18.104.22.168 play.google.com
22.214.171.124 scholar.google.com
126.96.36.199 mail.google.com
188.8.131.52 www.google.com
184.108.40.206 google.com.hk
220.127.116.11 google.com.hk
18.104.22.168 www.youtube.com
22.214.171.124 youtube.com
```
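The hosts-file tip above depends on understanding how the operating system reads that file: comments and blank lines are ignored, one address is followed by one or more names, and when a name appears on more than one line the first entry wins (the sample data above lists google.com.hk twice, so only the first of those two addresses would ever be used). The following parser is an added example, not part of the original post; the entries in SAMPLE_HOSTS are constructed placeholders from the documentation range 192.0.2.0/24, not real addresses of any service, and the function names are my own.

```python
"""Parse hosts-file text into a hostname -> IP map the way the resolver does.

Added example, not from the original post. The sample entries below are
constructed placeholders, not real addresses of the services named.
"""
import ipaddress

# Constructed sample in the same shape as the post's "sample hosts file data".
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
192.0.2.10  www.example.com example.com   # trailing comment
192.0.2.11  mail.example.com
192.0.2.12  books.example.com
192.0.2.99  books.example.com   # duplicate: the first entry above wins
not-an-ip   broken.example.com
"""


def parse_hosts(text):
    """Return (mapping, duplicates, bad_lines).

    mapping:    hostname -> first IP seen (first match wins, as the resolver does)
    duplicates: (hostname, ignored_ip) for later entries that conflict with an
                earlier one; these are silently ignored by the OS, so they are
                the stale entries to hunt for when a site stops loading
    bad_lines:  (line_no, line) for entries whose address field does not parse
    """
    mapping, duplicates, bad_lines = {}, [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)        # accepts IPv4 and IPv6 literals
        except ValueError:
            bad_lines.append((line_no, raw))
            continue
        for name in names:
            name = name.lower()               # hostnames are case-insensitive
            if name in mapping:
                duplicates.append((name, addr))
            else:
                mapping[name] = addr
    return mapping, duplicates, bad_lines


def lookup(mapping, hostname):
    """Resolve a hostname from the parsed map, or None if DNS would be consulted."""
    return mapping.get(hostname.lower())


if __name__ == "__main__":
    hosts, dups, bad = parse_hosts(SAMPLE_HOSTS)
    for name, addr in sorted(hosts.items()):
        print(f"{addr:<15} {name}")
    for name, addr in dups:
        print(f"ignored duplicate for {name}: {addr}")
    for line_no, raw in bad:
        print(f"line {line_no} does not parse: {raw!r}")
```

Two practical points follow from the first-match rule. A hosts file is a trust root for the names it lists: a stale or tampered entry silently sends every request for that name to whatever address is on the line, so the file should be owner-writable only and audited with a parser like this one whenever a listed site stops working. And an entry only bypasses the DNS lookup; the site's TLS certificate must still match the hostname, so a wrong address for an SSL-secured page shows up as a certificate error rather than as a quietly redirected session.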
- Another bonus tip: In countries most hostile to VPNs, consider using additional software to obfuscate or hide the protocol from deep packet inspection. Stunnel and Obfsproxy are effective add-ons that make OpenVPN data packets difficult to detect and isolate. SoftEther VPNs are also coming under sophisticated attacks by Chinese censors and need obfuscation.
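Three of the tips above (the port table, the stronger-keys tip, and the DNS tip) come together in the OpenVPN configuration. The pair of files below is an added example, not the post's own configuration, and assumes you run your own server: vpn.example.net is a placeholder, the certificate and key files are ones you would generate with easy-rsa (which is also where the 2048-bit RSA key size is chosen), and the cipher line uses AES-256 as a current alternative to the Blowfish setting mentioned above. The resolver addresses are Google DNS (8.8.8.8) and OpenDNS (208.67.222.222), the two services the DNS tip names.

```conf
# --- server.conf (added example; file names and addresses are placeholders) ---
# Port tip: listen on 123/udp from the table above instead of the well-known 1194.
port 123
proto udp
dev tun

ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem           # 2048-bit DH parameters, generated with easy-rsa
tls-auth ta.key 0         # HMAC on the control channel; drops unauthenticated probes
cipher AES-256-CBC        # current alternative to the Blowfish setting in the text
auth   SHA256

server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"             # send all client traffic through the tunnel
# DNS tip: hand clients resolvers other than the local ISP's.
push "dhcp-option DNS 8.8.8.8"           # Google DNS
push "dhcp-option DNS 208.67.222.222"    # OpenDNS

keepalive 10 120
persist-key
persist-tun
user  nobody
group nogroup
verb 3

# --- client.ovpn (added example; vpn.example.net is a placeholder) ---
client
dev tun
# Port and protocol here must match the server's "port" and "proto" lines.
remote vpn.example.net 123 udp
nobind
resolv-retry infinite
persist-key
persist-tun

ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1
cipher AES-256-CBC
auth   SHA256
remote-cert-tls server     # refuse to connect to a peer without a server certificate

# Windows client only: block DNS queries that would bypass the tunnel's resolvers.
block-outside-dns
verb 3
```

Two caveats a practitioner should keep in mind. Moving the tunnel to 123/udp only defeats blocking by port number; the OpenVPN handshake itself still looks like OpenVPN to deep packet inspection, which is the problem the final obfuscation tip addresses. And `block-outside-dns` is honoured only by the Windows client; on Linux the pushed resolvers take effect only if an `up`/`down` script (such as the update-resolv-conf script shipped with Debian's openvpn package) writes them into the system resolver configuration, so check for DNS leaks after connecting rather than assuming the push did the job.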