OpenVPN counters censorship

Open Source Software Helps Surmount China's "Great Firewall" Instrument Of Censorship

By

Journalists at the 2008 Olympic Games in Beijing will not have unfettered access to the Internet. However, GPL software OpenVPN can be used to easily circumvent such censorship.

IOC President, Jacques Rogge, was recently forced to back-pedal under a barrage of criticism when it became clear that assurances that the press corps would have "unrestricted" Internet access were no more than piecrust promises. Nevertheless, the technology behind the "Golden Shield Project", which is apparently a means of protecting the Chinese from criminal content and has earned the nickname "Great Firewall of China", is relatively simple. Journalists in the Olympic village, as well as western corporations and even private individuals have a range of tools at their disposal to ensure their Internet access is both full and unmonitored. However, most of these are based on anonymizing services, such as gateways, proxies or web services, that massage the content and smuggle it in under the censor's nose. In the past, the Chinese authorities have regularly blocked web sites that offer such services. Furthermore, mass anonymizer services such as gateways have a bad reputation, since they also provide a safe haven for users wishing to conduct other, potentially illegal or criminal dealings. Courts in Europe have already revealed the darker side of these services.

There is, though, a solution that is available for those running Windows, Linux and Mac systems, which can be implemented in many different ways and which Chinese authorities have a real problem in counteracting - OpenVPN. Since this free (as in beer and as in speech) GPL software uses technologies that are vitally important for many Chinese companies, simply closing down this solution is not really an option to the Chinese government. Users can work on their own servers, without needing to tell any other users about them, in complete security.

At the same time, OpenVPN helps users to surf the web, send and receive e-mail, and use all the usual web services at all times, quickly and with full access to the Internet, away from the eyes of the snoops. Since this is all done under the protection of secure, military-grade encryption, unwanted eavesdroppers such as the Chinese state apparatus, security services, hackers or restrictive local network administrators must stand aside, relatively powerless. Most of the time, they won't even know there is an OpenVPN tunnel on their network.

How the Great Firewall works

An investigation by researchers at Cambridge University has discovered that China's Internet censorship is based on 5 main mechanisms:

  • IP blocking prevents access to blacklisted IP addresses
  • DNS filters prevent domain name resolution for undesirable servers
  • URL filters intercept requests sent to the web for specific keywords, stopping unwanted responses
  • Packet filters shine the spotlight over all Internet traffic, eliminating connections that are sending unwelcome content
  • Connection reset: the Great Firewall can end connections that fall into one of the above categories by sending TCP reset packets.

Methods of circumventing the Great Firewall include:

  • Using proxy servers outside China
  • Onion routing services, such as Tor
  • Web sites that convert HTML into images, such as Picidae

However, the disadvantage of all of these options is that the Chinese government can counteract them relatively easily, and do so regularly. It is usually no longer possible to gain access to known proxy servers or special services like Picidae, which convert banned content into images, since the relevant IP addresses have long been included in the list of blocked servers.

According to the opinions of many experts, encrypted HTTPS connections are not affected by the censors. Research into the "Golden Shield" (see box) advises, therefore, that HTTPS can provide free, unrestricted access to the Internet.

OpenVPN - a solution

Normally, Virtual Private Networks (VPNs) provide field workers and telecommuters with secure access to corporate networks, or use the Internet to connect several branches of the same company. Computers that connect to the VPN then form part of a single, virtual network, on which staff can work as though they were sitting in an office at the company's headquarters. The classic examples of VPN are the many variants of IPSEC, or the PPTP protocol which is often used by Microsoft. However, since these solutions are either unsecure (PPTP) or complex (IPSEC) they do not always live up to expectations. James Yonan, the man behind OpenVPN, experienced this at first hand as he traveled around the countries of the former Soviet Union at the time of the millennium, trying to keep in touch with his employers as he went.

Out of necessity, he initiated Openvp, a software solution that had to be both flexible and simple, yet meet the ultimate demands in terms of security. The project gained momentum rapidly, and now Openvp is the coolest VPN solution there is - and represents the third generation of VPN system. Thanks to the numerous encryption methods that it supports, and the comprehensive program options, users can enjoy fast, secure connections with military-grade encryption almost anywhere.

Since the tool uses the same common mechanisms as are used by HTTPS connections, access to private networks is available from any location at which clients have unrestricted access to URLs that start with the https:// prefix. The broad use of the SSL/TLS libraries in many different fields ensures that programming errors, exploits and bugs are found and fixed immediately by those operating the numerous electronic banking and e-commerce portals that also use the technology.

OpenVPN - as easy as 1-2-3

The way OpenVPN works is extremely simple: The software creates its own virtual network interface on the client system, and establishes an encrypted connection to the server. Any network packets that are sent through the virtual interface (which uses standardized TUN/TAP devices) are sent by the software in encrypted form to the OpenVPN server. If the "redirect-gateway" option is set, then the client routes all traffic via this tunnel, rather than just the packets that are intended for the local network.

A local firewall on the client device (such as a notebook) and a central, corporate firewall on the server provide almost perfect protection for remote employees. Full Internet access can be granted and encrypted through the VPN tunnel. Malicious eavesdroppers in the local network and at all points in between will merely see encrypted packets, while the firewalls prevent undesired connections. In ideal situations, the central firewall will also allow the remote notebook to access the Internet through the tunnel, at best using the technique of IP masquerading.

OpenVPN has also proven itself to be very flexible, especially in comparison with other VPN solutions. It requires just one port and one protocol (either UDP or TCP) to establish a connection - both are freely definable. Users that find themselves on networks on which connections are severely restricted should use port 21 (FTP) or 443 (HTTPS), for example. Whether administrators want to use UDP or TCP is of lesser importance. UDP provides significantly greater performance, but also supports fewer options than TCP.

When it comes to the most demanding requirements, OpenVPN can even offer a simple cluster solution. The client configuration then contains several servers that the software addresses in turn. Any IP address blacklists imposed by suspicious network operators can then be circumvented easily, but if even that is not enough, how about port sharing? Since version 2.1, OpenVPN has supported the option of sharing a port with other software, for example an Apache web server. Users or attackers that access the port with non-OpenVPN packets simply see the web server, while authenticated users end up in the VPN. Anyone snooping on this traffic could only begin to guess what web sites are being visited on the basis of the quantity of data being sent and the traffic profile.

Minimum requirements

In order for this solution to work, the client software requires direct access to the port of a specific server (for example, port 443). In China's case, this is obviously permitted, so that any sports journalist who can access his newspaper's content management system (CMS) via HTTPS from Beijing can also obtain full and uncensored Internet access through an OpenVPN tunnel.

Since OpenVPN uses the standardized TUN/TAP devices, both the VPN server and clients work on Linux, Windows and also Mac systems. Connections are stable, very tolerant of errors and thanks to adaptive compression and freely definable encryption key lengths, both fast and secure. The author has used the software on his laptop for almost five years to surf secretly, without problems and independent of the bandwidth available, using connections as diverse as GPRS, UMTS, Wireless LAN, dial-up or Ethernet.

Occasionally it is necessary to provide OpenVPN with the IP address of a proxy server, for example using the "http-proxy" option in the configuration file. The software is then able to disguise itself, and appear to the proxy as a Mozilla or Internet Explorer web browser of whatever generation you choose. Authenticating proxies that use NTLM, for example, are also supported. As long as the proxy permits direct connection to HTTPS pages, as is required by the operators of secure banking portals, online shops or intranets, then the OpenVPN connection can be established and uncensored surfing is possible.

Available everywhere

An impressive number of GUI tools is available for OpenVPN. The software comes in Windows, Mac and Linux versions, and it has been a standard part of the major Linux distributions for years. Users of Debian, Ubuntu, Red Hat and openSUSE can install the software comfortably using their distribution's package management systems, while more and more appliances are also integrating OpenVPN. Over the course of its development, the VPN software has won over many fans, thanks to its comprehensive functionality and high degree of flexibility. Ease of configuration and great performance and security mean it is a practical tool that can solve a wide range of networking problems with ease. With OpenVPN even able to speed up typical setups considerably, the software is also very popular among those who like to play games online. Perhaps they will soon be joined by the journalists in their fervor for the solution.

See article on configuring openVPN here.

Related content

  • OpenVPN

    Firewalls sometimes prohibit everything but everyday surfing, leaving users with no hope of running IRC or streaming servers through the firewall, unless they use a virtual private networking tool like OpenVPN.

  • Open Source Software Works Around China's "Great Firewall"

    Journalists at the Olympic Games 2008 in Peking report that they do not have unrestricted Internet access. The GPL'd OpenVPN software can easily work around censorship of this kind.

  • OpenVPN

    Wireless networks are practical but dangerous at the same time.WEP encryption is unlikely to stop an attacker. But help is at hand in the form of add-on security measures such as an encrypted OpenVPN tunnel.

  • The sys admin's daily grind: sshuttle

    When he doesn't want to deal with OpenVPN version conflicts or congestion control problems during TCP tunneling, Charly catches a ride on sshuttle.

  • Cross-Platform VPN Connections

    Linux clients sometimes need a little help to connect to Windows VPN servers.

Comments

  • Internet designed to defeat censorship

    The Internet was originally designed to deliver Military messages even during widespread nuclear bombings. It was assumed the communications networks would be the first targets. So the choice of packet based networks with multiple communications routes was selected. The messages would then have a good chance of getting through.

    Fast forward to now. The Internet uses the same basic message packet design features. When censorship is attempted the network is looks for a different way to deliver the messages. This alternative routing has become a part of the culture surrounding the Internet. Not only is the network looking for alternative routes but people are now behaving like the network. They immediately look for ways to use available network resources and software to achieve the free flow of blocked messages.

    Free and Open Source Software(FOSS) plays an important role by providing software that can be molded to new and unanticipated uses. FOSS provides the tools, in this case OpenVPN, to get the messages through the blockages.



  • Been there, done that

    I did this about 2 years ago for a client who went to live in Saudi Arabia. The government controlled ISP had blocked VOIP so they could force their own paid for VOIP on everyone.

    He connected to a UK server with OpenVPN and could use Skype fine over the tunnel.

    Cryptography is the saviour of Internet privacy.
comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News