
Configuring nginx to work with stunnel
Blocking VPNs is a common practice nowadays, be it on ISP/government level or just at the local coffee shop. Also, if you can hide the information that you are using a VPN, shouldn't you just do it for the sake of it?

Threat models

Blind blocking of ports (or IPs)

The most common way of blocking VPN connections, or really any connections of well-known services, is by blocking their default port(s). By extension, some public WLAN hotspots may even block all ports except 80 (HTTP) and 443 (HTTPS). Not quite as common, but still sometimes observable in public hotspots, is the blocking of specific IPs, which may include the servers of big VPN providers. However, since we will set up our own small VPN server, it is safe to assume that we aren't on any such blacklist (yet).

Targeted blocking of your server due to information leakage

Now obviously we are starting to leave the realm of coffee-shop-next-door blocking. But assuming someone cares enough, be it just a bored admin, a second threat model is an active attacker who attempts to find out whether a given server provides a VPN, based on information the server or client leaks. Such leaked information would for example be the hostname of the VPN endpoint, which can leak from an unencrypted DNS request, from the server's certificate, or from the Server Name Indication (SNI) in the TLS handshake itself, plus the fact that a VPN service answers on such a leaked sub-domain.

Lastly, even if DPI is a far less common blocking mechanism (and also kinda illegal in my country), it is a built-in feature of some commercially available firewalls, and I know of at least one public hotspot in my area which seems to recognize and block VPN connections over ports 80 and 443 (presumably based on DPI). Way more important perhaps: if you are on vacation in, for example, Turkey, then assuming that the government analyzes your traffic, flags you for using a VPN, blocks it and/or blacklists your server might not be so unreasonable. After all, people in Turkey have gone to jail for equally ridiculous reasons.

Other things to consider

Impossibility of SNI confidentiality

An important thing to note is that we cannot protect the requested SNI, as it is in the plaintext part of the TLS handshake: the ClientHello is sent before any key exchange has happened, so anyone on the path reads the hostname as easily as our server does. This has implications for how our server must differentiate between a normal HTTPS request and a VPN connection attempt, so that even an active attacker can't identify our server as a VPN provider. We will discuss this problem in a later section.
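To make the SNI point concrete, here is a small ClientHello parser. It is an added example, not code from the original post: it constructs a minimal TLS 1.2-style ClientHello for a made-up hostname and then pulls the server name back out of the raw bytes, exactly as an on-path observer (or a DPI box) can, since nothing in this record is encrypted. The hostnames and the single cipher suite are assumptions chosen for the sample; the record layout itself follows RFC 5246 / RFC 6066.

```python
"""Extract the Server Name Indication (SNI) from a raw TLS ClientHello.

Added example, not part of the original post. The hostname a client asks
for is readable by anyone on the path before any encryption starts, which
is why routing VPN traffic by a dedicated sub-domain is visible to an
active observer. Hostnames used here are made up.
"""
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)
NAME_TYPE_HOST = 0x00     # only defined name type: host_name


def build_client_hello(hostname=None):
    """Construct a minimal ClientHello record (constructed sample input).

    Only the fields a parser has to step over are filled in; random and
    session id are zero bytes because their content is irrelevant here.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + bytes(32)                             # random (zeroed for the sample)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite (assumed)
        + b"\x01\x00"                           # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from the SNI extension, or None.

    None is also returned for anything that is not a complete ClientHello
    (truncated record, plain HTTP, ...), so a demultiplexer in front of a
    web server and a VPN can treat "no SNI" and "not TLS" the same way.
    """
    try:
        if len(data) < 5 or data[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                  # skip version + random
        pos += 1 + hs[pos]                            # skip session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len                             # skip cipher suites
        pos += 1 + hs[pos]                            # skip compression methods
        if pos + 2 > len(hs):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + ext_size]
            pos += ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", ext[p:p + 3])
                p += 3
                if name_type == NAME_TYPE_HOST:
                    return ext[p:p + name_len].decode("idna")
                p += name_len
        return None
    except (struct.error, IndexError, UnicodeError):
        return None


if __name__ == "__main__":
    sample = build_client_hello("vpn.example.com")
    print(extract_sni(sample))            # the hostname, read from plaintext
    print(extract_sni(build_client_hello()))  # None: client sent no SNI
```

Two practical consequences follow from this. First, a sub-domain like the sample's vpn.example.com that only ever carries VPN traffic is itself the leak, no matter how well the tunnel inside is hidden. Second, whatever rule the server uses to tell VPN clients apart from browsers must not depend on a value the attacker can also see and replay, which is why the later section has to treat this as a design problem rather than a configuration detail.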