1. 28

I live in a country with internet censorship, and I have bypassed it with a VPN. While it’s not hard to setup one, the number of solutions overwhelmed me. Currently I’m using dsvpn and it works great, but it was a random choice. Now that I have a working VPN, it’s a good time to carefully weigh each option against my specific use case.

I tried to make a comparison table by reading the documents, but I’m no expert in networking, so don’t expect it to be accurate. The table also fails to include popular solutions like OpenVPN/WireGuard, as I have never used them. You are more than welcome to improve it.

     Name       Need root?   Mobile clients     Tunnel              Over           
 ------------- ------------ ---------------- ------------ ------------------------ 
  ssh -D        No           NA               SOCKS        TCP                     
  sshuttle      No           NA               TCP          SSH(which is over TCP)  
  dsvpn         Yes          NA               Everything   TCP                     
  shadowsocks   Yes          Android/iOS      SOCKS        TCP/UDP    

However, even though the table is accurate and comprehensive, I will still be clueless about which one to pick: does tunneling over TCP or UDP make a big difference? What are the pros and cons of the SOCKS protocol? In which case do I need to tunnel non-TCP traffic?

I thought a VPN works simply by wrapping packages from low layer in high layers packages, but there appears to be a lot of complexity involved in this process. Let’s get less technical and more practical: which VPN should I use, if I want to visit Google/Wikipedia/Youtube in a country that blocks them?

  1. 26

    Use Algo, which is a set of ansible scripts that properly sets up new virtual machine in various cloud providers with Wireguard and generates profiles for mobile devices as well.

    1. 11

      The first important question to think about is whether the country you live in might one day persecute individuals who use VPNs / censorship avoidance software. If this is a risk, none of the solutions above are effective*, nor are Wireguard/OpenVPN/IPSec. The only potentially viable option is Tor, configured with a bridge and a good pluggable transport and even that is not without risk.

      If persecution is not a risk, I would highly recommend Wireguard. It’s entry in your table would be: Yes, Android/iOS, Everything, UDP. Additionally, it is exceedingly simple to configure (as easy as SSH, if not easier), it has first class security and is extremely performant.

      *All of these solutions either transmit a protocol identifier in the clear (e.g. a magic number) or can easily be detected from basic statistical analysis when used as a VPN (SSH).

      1. 1

        Former VPN engineer here…

        Tor invests a lot into obfuscation as one prong of its circumvention around censorship. I highly recommend checking into obfsproxy and in particular obfs4.

        That said, recommending a circumvention technology is also impossible without knowing context. @nalzok, given your Github username, are you in China?

        If I’m correct, I’m surprised dsvpn is working well for you. Most ISPs have switched to ratelimiting encrypted traffic to any IP outside the firewall; the last time I was there, only a few landbased fiber ISPs hadn’t updated their tech yet. Furthermore, 10/1 was a huge firestorm for VPN blocks.

        Please be careful!

        1. 1

          A steganographic VPN could posssibly work, too, I’ve seen some on github before, but can’t find any right now. Using a Tor bridge uses some steganography, but I don’t know how advanced it is. IIRC it just tunnels through HTTPS.

        2. 10

          Happy to answer questions about WireGuard from the lobste.rs crowd, by the way.

          1. 1

            Is there something like Algo for WireGuard?

            1. 3

              Algo VPN is a set of Ansible scripts that simplify the setup of a personal Wireguard and IPSEC VPN.

              From the first sentence of the readme for algo.

              1. 1

                yup, my fault, saw algo long time ago

          2. 3

            Following the table in my answer.

            Wireguard No.(Unless you want to use kernel module) Android/iOS/Windows clients Everything UDP

            Tunneling TCP over TCP is generally slower than tunneling TCP over UDP.

            In which case do I need to tunnel non-TCP traffic?

            What do you mean by this? I am sorry, I didn’t get this bit.

            I am a huge fan of wireguard and if it works in your suggestion(As in, It can carry packets without your ISP blocking it), I’ll definitely recommend it.

            If you use a custom kernel on your phone that has built-in wireguard kernel module, You can keep the tunnel enabled 24x7 with negligible battery consumption. The wireguard-go module(that is used by default in android/iOS clients) is a bit slower but still not a deal breaker or anything.

            Wireguard tunnels can be enabled within 4-500ms compared to few seconds it takes on stuff like OpenVPN.

            It supports 6-to-4 or 4-to-6 tunnels. So, If your ISP only has IPv4 support and you want IPv6 on your clients, You can do it with wireguard. Same goes in the other direction. i.e. If your ISP uses CG-NAT(on IPv4) + IPv6 and you want your wireguard clients on the ISP network to be accessible from outside at any moment. You can create a wireguard tunnel that connects over IPv6 and assigns clients IPv4 and IPv6 addresses. This typically isn’t reliable with just IPv4.

            There is tons of stuff I use it for and I can go in more specifics if you have questions.

            1. 1

              In which case do I need to tunnel non-TCP traffic?

              Sorry for the confusion, but I was wondering which common application layer protocols are UDP-based. Among others, DNS is probably the most notable application, but I can visit google.com with sshuttle and shadowsocks (both AFAIK tunnel TCP traffic only) without problems, while Google’s DNS is blocked in my country. Can you explain this?

              There is tons of stuff I use it for and I can go in more specifics if you have questions.

              Actually, I have a question: how do you troubleshot performance issues? The CPU usage of my Linode VPS is around ~5%, and there are thousand of miles between it and me, so I guess bandwidth is the bottleneck, but I would like to get some diagnose information about it to be sure. If that is the case, can I improve the performance by, say, making it transmitting more packages per second to compensate for the high packet loss rate?

              1. 1

                DNS can work over both UDP and TCP. But what’s happening most likely with SOCKS is that your browser does not resolve DNS at all, it just sends the hostname as is to the proxy. That’s what the “use remote DNS” flag does in Firefox.

            2. 1

              Am I the only one running IPsec/L2TP?

              I do so for three reasons: server software comes preinstalled on my gateway (Mikrotik RouterOS), client software is included with iOS/macOS/Android/Windows, and AFAIK is secure (please let me know if not).

              I’ve looked into Wireguard and I want to try it, but I don’t like my VPN server running on a host inside the network itself, which is much more probable to go offline and lock me out of the network, as opposed of it running on the very gateway to the network.

              Any thoughts? I don’t have strong opinions regarding VPNs. Keep in mind I use them both for traffic encryption and for access to my network’s internal services.

              1. 5

                Your setup may or may not be secure. No one can really say without looking at in detail, because the configuration for IPSec is pretty complex. Worse the protocol complexity induces complex client/server software which is prone to hard to spot implementation mistakes.

                This is one of the main reasons I try to push people to Wireguard where there are no security relevant config options and the code base is very small. IIRC, Wireguard is about 4000 lines of code vs ~400 000 for an IpSec implementation.

                As a quick example, CVE-2017-6297 was a bug in MikroTik’s L2TP client where IpSec encryption was disabled after a reboot. In general, I am quite sceptical of the security of dedicated devices like routers. They have fewer ‘good’ eyes on them due to the relative difficulty of pulling apart their hardware/firmware/closed source software and yet their uniformity makes them an attractive target for well resourced attackers.

                1. 3

                  L2TP/IPsec can be problematic with hotel wifi and other braindead networks. Not even NAT-T and IKEv2 always help. OpenVPN will cheerfully work even with double (or quadruple) NAT. Nothing against Wireguard, but I didn’t find it nearly as easy to manage and unproblematic as OpenVPN, especially when performance is not a big concern.

                  I wonder if the future is self-hosted VDI rather than VPN. It’s convenient for use on the road (just reconnect to a session), and much harder to ban, regulate, or persecute people for in countries with censorship.

                2. 1

                  I ended up settling on OpenVPN because of the ease of use on Android and Windows. The downside is that, because I lack the specific expertise, it’s quite possible that I have configured it in an insecure way.

                  1. 1

                    I’m going to go off on a tangent… the additional complexity largely comes from

                    • what to do when the vpn connection dies (how long to wait? which end reconnects?)
                    • dealing with devices that change address (neither end? one end? both?)
                    • what to do when packet transmission takes longer than usual (will the packets arrive? has the connection died?)
                    • supporting different OSes
                    • dealing with old versions of the same software (with, perhaps, different crypto)
                    • dealing with attacks, including replay attacks (can the clocks be trusted?)
                    • whether the VPN admin has root access on either end, or even both

                    Many of these things aren’t really crypto/VPN factors. Dealing with devices that change address and recovering from a sudden change of address isn’t a crypto matter, but it may be important to the practical usability of the package, for example. IMO it’s another example of the general rule that writing software is hard. There are usually many minor problems to solve, problems that don’t have much to do with the core purpose of the software.

                    FWIW I used tappet for years, but might choose wireguard now if I needed a VPN.

                    1. 1

                      I use openvpn since it can run on tcp port 443 or at least made look like like it with sslh. It works great for esp. awful wifi Hotspots that do port filtering. It will not pass DPI, but that is luckily not a problem I have to work around.

                      1. 1

                        Where the physical hardware hosting your VPN? If it’s a cloud machine that you pay for outside your country’s borders, what does self-hosting get you over paying for a reputable VPN from a company also located outside your borders?

                        1. 1

                          Probably, the IP address of the machine not being on a list of Known VPN Providers