New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
VPN server listening on port 443? Wont survive through dpi though
Do it @ home and learn something in school
You're wrong, if you do TCP 443 for VPN, it will past most DPI firewalls. It will only fail
in the event that the IP address it's attempting to connect to is blocked.
If anything you can always use TOR
Edit: If you find a VPN provider like Tor Guard that offers Stunnel, you can use that with TCP 443 to hide your traffic
I somewhat doubt that at least OpenVPN TCP packets will look even remotely like HTTPS.
Doesn't matter it bypasses most DPI systems
use proxy pass,
forward https access from cpanel.bla.blabla.blablabla.com to your real cpanel address
Interesting. I thought the main idea behind DPI was to actually inspect the packets.
Yeah, but they are encrypted. Encryption is an enemy of the DPI.
True but at least the handshake should stick out i think. Not sure how hard it would be to mark a TCP connection based on the first data packet(s) but it should at least be doable i guess. Still even if possible i see how many setups would probably be to lazy to try at all.
No it wouldn't, cause the encryption would just look like it's making a TCP connection to another IP. For all the firewall knows, this could be a website. It can't look at the raw data of the packet unless the client installs the SSL certificate from the firewall, which I doubt many system admins will force upon due to the security and privacy risk.
Easy, OpenVPN over chisel (a TCP over websockets tunnel).
Learn about how TLS handshake works (and looks like). For starters, it's not all magically encrypted from byte zero, first the client and server need to agree on which algorithms to use, which certificate, etc. All of this is readable to DPIs. If you didn't know, even the hostname is sent in the clear via SNI (this is changing in TLS 1.3), so your ISP or whoever knows which websites you visit, but only down to the domain name, not URL.
I don't know if OpenVPN tries to emulate any of that to look like HTTPS (I guess it doesn't). Tor should, to an extent. Tor bridge protocol should try for being as close as possible, but even that is not enough, as it's detected (from regular HTTPS) and blocked e.g. by the China GFW.
As others have said, OpenVPN on port 443. Otherwise (if you're connecting from a Windows machine) you could run an SSTP server on port 443, which I believe has been specifically designed to traverse difficult firewalls
Good answer guys. Will try open VPN through 443. And nobody will inspect my traffic.
My high school had deployed this, and OpenVPN was subsequently blocked -- however, a simple SSH tunnel and running OpenVPN over it got through it.
Get a data plan. Think inside the box, the bigger box, which is outside the smaller box.
Are you sure you know what DPI is? ssh traffic on https ports will not "bypass most DPI systems".
@yokowasis there are also web-based ajax-ish terminals. e.g., you'd connect to the web page and an in-browser terminal would appear. It's been a while since I played with them, but that's essentially what various panels' consoles are.
e.g.: https://askubuntu.com/questions/57730/is-there-a-web-based-terminal-ssh-client
You have to be careful between "there is a chrome extension which runs ssh for you" which isn't what you want. You want an HTML-based terminal emulator.
gotossh.com is a commercial service
Alternatively, a hotspot is cheap and if all you're doing is ssh, then you won't use much data. See your phone provider or FreedomPop, etc.
Yes and no. For a start DPI is whatever the firewall implements and the admin configures. Plus an ssl session establishment is a ssl session establishment, no matter what higher up protocol the connection will transport.
That said, a determined admin with a good fw will usually still have chances to spot you; one simple give away is when a vpn server simply doesn't serve web content.
I guess (and I mean "guess" because I'm panel stupid) that @yokowasis problem is due to the panel using javascript stuff which tries to connect to other ports. Again, just a guess.
Does everyone forgot GoAgent?
The code is gone from the original repo on Github due to of course you know why, but you can always find download elsewhere.
Free, fast, no root required, IT Admin does not dare to block... you have all the benefits.
I am happy to say, that I have deployed VPN trough port 443. And it works fine. Now I can connect to cpanel and ssh from my school. Yay For Me, Kudos to you guys.
Never suggested SSH that was someone else. But OP says it worked.
It somehow does get through most DPI firewalls. Don't believe it? Go to your local high school or college that blocks VPNs and try it. It'll get through.
I wouldn't be surprised if a school blocked TCP 443 that doesn't go via their proxy. That'll beat your VPN without any DPI.
On the other hand though schools don't tend to attract top quality IT folk...
When the salary is only $30 a month you bet it doesn't.
As someone who manages a network in a school, there are a few very good reasons for only allowing 80/443.
Schools are underfunded (and that's just getting worse) and usually can't afford appropriate amounts of bandwidth. So letting students run rampant wastes valuable finite resources that are required for other students to learn. Years ago I remember seeing students bring laptops in and when they turned on they continue downloading whatever torrent they had going the night before. All outgoing bandwidth consumed by a few students.
Schools are required to implement content filtering to qualify and receive (sometimes vital) government funding. This means every website you access on a school computer or using the school's internet connection needs to be filtered. I wouldn't be surprised if your school's router drops traffic not from your internal content-filter or to your school's outsourced cloud-based content-filter (depending on their setup). It also wouldn't surprise me if DNS traffic gets dropped if not from official school resolvers on the way out.
Only allowing clean traffic from a content filter is another layer of security against things like viruses and other nastyware.
probably more, but it's early and I'm still half asleep...
So I would suggest you follow the rules and if you need to do something that is otherwise blocked, use your own device and internet connection (like tether to your phone). These policies aren't put in place to annoy students or restrict them for the fun of it, it's to ensure the network works for everyone the best it possibly can. You're at school to learn and prepare for the real world. At your future job, if you get caught evading security measures, there's a very real possibility you'll be fired on the spot.
Actually I am the teacher and also the one who manage the school Network. The blocking is imposed by the ISP. Not by the school. There are a lot of school things that can only be done using non 80 and 443 ports. Managing school website, accessing school web apps that use non standard http port and bunch of others. So I am pretty sure the thing I do is justified.
Interesting, your original post read like a 13 year old trying to manage his VPS during study hall...
If your ISP is doing the blocking, call your ISP. Maybe they can setup a whitelist for your specific IP (depending on the setup) or whitelist just a few required ports.
Too much hassle. Easier using VPN. It's not like i am at the school all the time , or needed to open cpanel all the time. Just once in a while. But it has become annoying to tether whenever I want to connect to non standard port.
You've spent more time on this thread than you would've just calling them...
Try a DNS proxy
https://github.com/yarrick/iodine
Clearly you don't know how my ISP works.