
Posts by Enderman

Post image

So desperate

7 months ago 47 7 4 0
Virus.Win9x.CIH/Chernobyl Destroying a Physical Computer YouTube video by danooct1

Happy 27 years of the CIH virus! This anniversary sees my video on the virus officially becoming a teenager. Maybe that's a sign to get back to the video business.

youtu.be/RrnWFAx5vJg?...

11 months ago 86 20 6 0

Run this in your Chromium browser:
chrome://inducebrowsercrashforrealz

11 months ago 33 7 5 0
Post image

???

11 months ago 35 1 2 0
Post image

...

11 months ago 31 2 4 0

I've been seeing mixed reports about the blockage in Brazil. Some say the Twitter IP set is banned (which can't be fixed by a DPI bypass), while others say the DPI bypass helped. Another group of users claim switching from the provider's DNS was the solution.

Trial and error. It depends on an ISP.

1 year ago 33 2 1 0

Okay, that should be it for the thread. I'm out. Your digital freedom is important to the Internet.

Please ask your questions under the first post of the thread if you have any. Also just in case, I am not suicidal.

1 year ago 11 0 0 0

Now the idea is strikingly similar to that in the «undetectable» VPNs. The tools are also open-source and freely available, I'll list them here (OpenWRT as an example):
• DNSCrypt-proxy
• Stubby
• HTTPS-DNS-proxy

1 year ago 11 0 1 0

An ISP may very well hijack your DNS requests server-side and redirect them to their server. Or, they could just block any outgoing UDP traffic on port 53 without their servers as an endpoint.

The solution to both of these digital rape cases is DNS over HTTPS or DNS over TLS.

1 year ago 3 0 1 0

Now it should be apparent the DNS server is also a weak link. Well, the best case scenario — you can directly set custom DNS-servers (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.4.4.8) either network-wide or per device. Problem solved. However, this might not work!

1 year ago 3 0 1 0
Post image

Chances are you are using a DNS server provided by your ISP free of charge. Let's say the state asked the ISP to block shitter(.)com. The ISP might use DPI, but it also might resolve the domain name to localhost, for example, or in this case, RFC-private IPv4 10.20.30.40, as shown in the figure.

1 year ago 3 0 1 0
x.com

4. Let's talk about DNS. It's a very important subject, because a DNS server is what resolves domain names for you, and censorship can also be applied to it.

That's what DNS does:
x.com -> 104.244.42.129
google.com -> 108.177.14.139

1 year ago 3 0 1 0

Umm, yea. You probably won't ever need those. But keep that in mind, there's no way to censor the internet.

1 year ago 3 0 1 0

The bottom of the barrel, where everything else is literally banned:
• Hysteria
• KCP
• Mieru
• TUIC
• Brook
• Pingtunnel
The state-of-art censorship circumvention is achieved by masking your VPN traffic as browsing a web page. There's almost no way to detect that.

1 year ago 3 0 1 0

There's no decent nomenclature for them, but:
• VMess
• VLess
• Naive
• Trojan
The whole idea behind these protocols is to mask your VPN traffic as HTTPS. It is considerably slower than any of the VPN solutions shown before, but you gotta do what you gotta do.

1 year ago 4 0 2 0

Undetectable protocols in reality aren't 100% safe, but they're state-of-art as of 2024 and work as a bypass for the Great Firewall of China. Most of these aren't documented in English. You likely won't need those for at least the next 10 years, but let's go over them anyway.

1 year ago 3 0 1 0

Detectable protocols are usually obfuscated versions of the common protocols, e.g. AmneziaWG (WG + garbage packet spam during handshake initiation), OpenVPN over Cloak, Shadowsocks. They require much more scrutiny to be sifted out by the censorship systems.

1 year ago 3 0 1 0

3. Advanced VPNs. When the state goes rogue as described in a tweet above, the protocols separate out into three categories: easily detectable, detectable, and undetectable. All common protocols are easily detectable, thus easily bannable. A more complex solution is required.

1 year ago 3 0 1 0

It's open-source and based on WireGuard. It uses Docker to completely automate the process, which allows even your grandma to set it up easily. There are also options when the state goes hog wild and blocks connections per protocol — as an example, Russia and China.

1 year ago 3 0 1 0
Preview
GitHub - amnezia-vpn/amnezia-client: Amnezia VPN Client (Desktop+Mobile) Amnezia VPN Client (Desktop+Mobile). Contribute to amnezia-vpn/amnezia-client development by creating an account on GitHub.

The VPN servers only differ by protocol. So, the suggestions off the top of my head are WireGuard, OpenVPN, Outline. You'll need to read a lot and understand the UNIX terminal basics. There's a single free one-click automated option I know of right now. AmneziaVPN

github.com/amnezia-vpn/...

1 year ago 3 0 1 0

The biggest problem with hosting a VPN server yourself is that it costs money. However, you can find a cheap VPS ($3-5/mo range) with a 100Mbit/s throughput practically anywhere right now. If you can't afford it, unfortunately, you have to resort to using a free VPN.

1 year ago 5 0 1 0

A VPN client! Which one should you use? Well. Forget the free VPNs. These sell your data, show you ads, install malware and do other unspeakable things to keep their service free. The best way out is to host a VPN server yourself. The client and server always go in conjunction.

1 year ago 4 0 1 0

Personally, I have network-wide split tunnelling set up with the VPN interface used solely to bypass regional blocks. That's really advanced, and I suggest you start by simply setting up a client and a server.

1 year ago 5 0 1 0

Yes, the figure above is fucking dumb. Don't murder me, network guys. It's a vast oversimplification. The problem with a VPN is that it adds a whole bunch of hops and overhead that comes with them for your packets to overcome. 99% of the time it slows the connection down.

1 year ago 6 0 1 0
Post image

2. The VPNs. If the above does not work, your next best option is a VPN. The VPNs aren't magic, they're virtual networks that coincidentally allow delegating sending packets to a different gateway.

1 year ago 6 0 1 0

As time goes on, the states will eventually fix their DPI software, so it's preferable to know how the bypass strategies work to cook up fresh combinations they haven't defeated yet. Not guaranteed to work, but if it does, it's significantly faster than any VPN. So try it out.

1 year ago 6 0 1 1
Preview
GitHub - bol-van/zapret: DPI bypass multi platform DPI bypass multi platform. Contribute to bol-van/zapret development by creating an account on GitHub.

There are many ways to break the DPI algorithm, and the cases above are just an example. That's the optimal way to avoid state censorship. Luckily, there's open-source software that already does it for you!

github.com/bol-van/zapret
github.com/ValdikSS/Goo...
github.com/dovecoteesca...

1 year ago 8 0 1 0

For example, by spec, you can split an HTTP request into TCP segments. "GET / HTTP/1.1\r\nHost: google.com ..." -> "GET /", " HTTP/1.1\r\nHost: google.com ...". You can also alter the case of the header keys, as it's case insensitive: "Host:" -> "hOst:". You can also add a dot after the host.

1 year ago 8 0 1 0
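For anyone writing HTTP inspection rules (IDS, WAF, proxy), the three request variations named in the post above show why a per-segment byte signature is unreliable and what a normalizing parser does instead. This is an added example, not part of the original thread; the function names and sample segments are constructed, and the Host value is assumed to carry no port.

```python
from typing import List, Optional

def naive_segment_match(segments: List[bytes], host: str) -> bool:
    """Per-segment byte signature: exact 'Host: <name>' inside a single segment."""
    needle = b"Host: " + host.encode()
    return any(needle in seg for seg in segments)

def normalized_host(segments: List[bytes]) -> Optional[str]:
    """Reassemble the stream, then read the Host header the way a server would."""
    stream = b"".join(segments)
    head, _, _ = stream.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:             # skip the request line
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == b"host":   # header names are case-insensitive
            host = value.strip().decode("ascii", "replace").lower()
            return host.rstrip(".")                  # "google.com." names the same host
    return None

def reassembled_match(segments: List[bytes], host: str) -> bool:
    """Match on the normalized Host value rather than on raw segment bytes."""
    return normalized_host(segments) == host.lower().rstrip(".")

# Constructed samples: one unmodified request, one combining the three variations
# from the post (segment split, mixed-case header key, trailing dot on the host).
PLAIN = [b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"]
VARIED = [b"GET /", b" HTTP/1.1\r\nhOst: google.com.\r\n\r\n"]

if __name__ == "__main__":
    for name, segs in (("plain", PLAIN), ("varied", VARIED)):
        print(name, naive_segment_match(segs, "google.com"),
              reassembled_match(segs, "google.com"))
```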

Active DPI, which is used in Russia and China (Passive DPI times are over for us), on the other hand, can block the packets. The only way to bypass it is by breaking its detection algorithm. The algorithm is possible to break by sending data the DPI software doesn't expect to process.

1 year ago 7 0 1 0

Passive DPI cannot block the packets, but can inject them. Usually an RST packet. If it is being injected client-side, it's possible to configure iptables to drop it, but the conditions are different for different ISPs. If RST is also sent to the server, configuring iptables will not be enough.

1 year ago 7 0 1 0