OPENCONNECT PATH

Daniel Lenski dlenski at gmail.com
Mon Oct 5 01:55:39 EDT 2020


On Tue, Sep 29, 2020 at 10:53 AM Maksim Karamushko <max at lifetm.net> wrote:
> I understand that, but an ISP can make an additional check: simply collect
> the domains which pass through it, use openssl s_client --connect domain:443, then
> send "GET /", and then, if the result contains ***some openconnect xml text***,
> collect and apply some blocks (I think such checks could be written in
> Python + some database in one day).
> I hope you understand what I mean, and that is why I ask how to change the default
> path.

Ah. What you're describing should probably not be described as deep
packet inspection, which normally refers to a passive technology, but
rather as "active probing". (That's the term used by the Tor project:
https://blog.torproject.org/learning-more-about-gfws-active-probing-system)

It might be possible to temporarily circumvent this kind of
censor/interference by changing the default path for ocserv… but there
will remain many other relatively trivial methods to detect an ocserv
server via active probing. I wrote what-vpn for scanning/surveying
TLS-based VPNs. It uses a different method which can reliably
distinguish ocserv from other types of VPN servers
(https://github.com/dlenski/what-vpn/blob/master/what_vpn/sniffers.py#L97-L123),
and which would not be affected in any way by a change in the default
path for the authentication page. It'd probably also be pretty easy to
detect VPN gateways running ocserv simply by TLS fingerprinting (since
ocserv is one of the most common server applications that use GnuTLS).

Preventing active probing from detecting VPN gateways will pretty
quickly become a cat-and-mouse game if you're dealing with an
ISP/government that's determined to block them. It seems that even
Tor, which puts a lot of its resources into this, is struggling to
come up with reliable and usable ways to make Tor endpoints
undetectable to the Great Firewall of China.

I'm unsure how much the ocserv developers are interested in going down
this path of making ocserv hard to detect… interested in the
discussion though.

Dan
