Update, 04/2015: Save yourself the time and effort of manually configuring your VPN as shown here. Use
one of the newer obfuscating and self-configuring VPNs
that are shattering censorship barriers. You no longer need to manually pick through server lists,
set up obfuscation, and do the tedious task of starting a VPN session. Tools like Psiphon and Bitmask
will do it all for you in mere seconds.
The list of VPN user tips given here has developed out of experience traveling to many countries and
using VPN services to maintain connectivity to sites and services in the webmaster's home country. In
particular, using the internet in China has been a struggle. Rather than adapt to barriers like the Great Firewall of China, the webmaster has chosen
to fight the internet censorship.
The suggestions given below are considered effective means of using conventional VPN services in non-permissive environments.
- Subscribe to a service with many gateways. If you run your own servers, have them on many IP addresses,
and be prepared to abandon IPs as they are blocked by the adversary sysadmin or government.
- Use ports that are most inconspicuous. Ports 443 and 1194 are well known to carry VPN traffic in addition
to their other common uses (SSL and online gaming, respectively), and are often blocked by countries like
China or Saudi Arabia.
Here are some common ports with enough traffic to make your presence harder to detect:
|Protocol|Port(s)|Application|
|---|---|---|
|TCP or UDP|6970-6969|BitTorrent|
|TCP|3389|Windows Remote Desktop|
|UDP|123|Network Time Protocol|
|UDP or TCP|531, 5190-5193|AOL Instant Messenger|
|UDP|666|Doom, online game|
|UDP or TCP|749|Kerberos Administration|
|UDP or TCP|1503|Windows Live Messenger|
|TCP|4664|Google Desktop Search|
|TCP|16080|Mac OS X Server|
Other randomly chosen ports between 1025 and 64000 will work as long as your firewall will permit the
traffic and the remote server is configured to accept data on that port. Here is a
very good list of ports and applications.
- Whenever you attempt to access sites with sensitive content, use the VPN. Never go to such pages in
the clear, then try the VPN after finding them blocked. That merely gets the attention of traffic analysts and
makes denial of access more likely. Some countries will detect this and cut off your access (or worse). Some
will send police to visit you.
- Use the VPN only when needed. Deep packet inspection can be used to detect VPN traffic, and when
constant usage is found, access is often restricted for the user's IP address. Adversaries can't easily
determine what was in the data, but they can choke it off, as in item (3) above.
- Two-hop VPNs sound sophisticated, but offer limited increases in security. For better security, use better
encryption and stronger keys. OpenVPN does a very good job with 256-bit Blowfish and 2048-bit RSA keys.
Don't expect the NSA to crack your codes during the lifetime of the world.
- Don't forget to use a trustworthy DNS server. Google DNS and OpenDNS are great, and there are others
as well. Continuing to use the internet service provider's DNS, in countries such as Iran, Syria, or China, will
result in denied access.
- Avoid VPN services claiming to have their own, special, uncrackable encryption. The largest providers
do not make such claims, but smaller companies offering a cheaper product have been known to make this ridiculous
claim. Note that SoftEther and OpenVPN are free and open source. They use protocols known to be strong, proven
robust through peer review. Why take risks with a proprietary system closed to professional scrutiny?
- For highest speed, use a server located near you for access to the world. For access to systems sensitive
to location and IP address (Facebook, Google, banks, etc.), stay with one server near the remote system. Sending
your internet data packets on long, world-spanning round trips will reduce your bandwidth.
- For the most secure protection of your internet traffic, use a service with SoftEther or OpenVPN SSL tunneling.
As a secondary choice, L2TP is widely used and almost as secure.
- Always bear in mind that security and anonymity are two different things. Your VPN provides security
between your computer and the distant gateway server. It also provides anonymity to the extent that your
traffic enters and exits the internet at a remote IP address and not your actual address. The VPN doesn't
time-shift your traffic, nor does it prevent your other software from giving you away. If you publish an exposé
of your local perverted, cannibalistic, bestial dictator on the internet, please remember not to let your software
sign the document with your actual name!
- A bonus tip: Use your "hosts" file to directly access blocked websites, by IP address, without the
need for DNS lookups. Facebook and many others have SSL secured pages that are difficult to block, since the
data is encrypted and resistant to blacklist screening.
SAMPLE HOSTS FILE DATA FOR ACCESSING GOOGLE SERVICES FROM CHINA:
- Another bonus tip: In countries most hostile to VPNs, consider using additional software to obfuscate
or hide the protocol from deep packet inspection. Stunnel
and similar add-ons make OpenVPN data packets difficult to detect and isolate. SoftEther VPNs are also
coming under sophisticated attacks by Chinese censors and need obfuscation.