VPN blocking

Screenshot from Wikipedia: IP of VPN blocked by some Wikimedia Foundation projects

VPN blocking is a technique used to block the encrypted protocol tunneling communications methods used by virtual private network (VPN) systems. Often used by large organizations such as national governments or corporations, it can act as a tool for computer security or Internet censorship by preventing the use of VPNs to bypass network firewall systems.

Description

Blocking VPN access can be done in a few different ways. Ports that are used by common VPN tunneling protocols, such as PPTP or L2TP, to establish their connections and transfer data can be closed by system administrators to prevent their use on certain networks. Similarly, a service can prohibit access by blocking access from IP addresses and IP address ranges that are known to belong to VPN providers. [1] [2] Some governments have been known to block all access to overseas IP addresses, since VPN use can involve connecting to remote hosts that do not operate under that government's jurisdiction. [3]
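The two methods described above, port closing on a network and IP-range blocking by a service, sketched as an added example that is not part of the original article or any vendor's product. The ports are the registered control ports of PPTP and L2TP; the provider ranges are constructed from documentation prefixes, and all function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

# Registered control ports of the tunneling protocols named in the text.
# (PPTP carries its data over GRE, IP protocol 47, which is not modelled here.)
VPN_PORTS = {
    ("tcp", 1723): "PPTP",
    ("udp", 1701): "L2TP",
}

# Constructed ranges (documentation prefixes) standing in for a
# VPN/proxy IP database such as the ones cited in the article.
PROVIDER_RANGES = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.128/25", "2001:db8:51::/48")
]


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def in_provider_range(addr: str) -> bool:
    """True if addr falls inside any listed provider range (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROVIDER_RANGES)


def egress_verdict(flow: Flow) -> Optional[str]:
    """Network-side rule: reason an outbound flow is dropped, or None."""
    name = VPN_PORTS.get((flow.proto.lower(), flow.dport))
    if name:
        return f"port:{name}"
    if in_provider_range(flow.dst):
        return "dst-in-provider-range"
    return None


def service_verdict(client_ip: str) -> Optional[str]:
    """Service-side rule: refuse clients arriving from provider ranges."""
    return "src-in-provider-range" if in_provider_range(client_ip) else None


# Constructed sample flows leaving an internal network.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", "tcp", 1723),  # PPTP control channel
    Flow("10.0.0.5", "203.0.113.9", "udp", 1701),  # L2TP
    Flow("10.0.0.5", "203.0.113.9", "tcp", 1701),  # wrong transport: no match
    Flow("10.0.0.6", "192.0.2.44", "tcp", 443),    # caught only by the IP list
    Flow("10.0.0.7", "203.0.113.80", "tcp", 443),  # matches neither rule
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", egress_verdict(f))
    print(service_verdict("2001:db8:51::10"))
```

The fourth flow shows why the two rules are used together: a port list alone says nothing about a tunnel carried on a common port, so the address database does the work there.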

As organizations have ramped up efforts to block VPN access which bypasses their firewalls, VPN providers have responded by utilizing more sophisticated techniques to make their connections less conspicuous. For instance, as the Chinese government began using deep packet inspection to identify VPN protocols, the firm Golden Frog began scrambling OpenVPN packet metadata for its popular VyprVPN service in an attempt to avoid detection. [4]

Government use

China

Chinese internet users started reporting unstable connections in May 2011 while using VPNs to connect to overseas websites and services such as the Apple App Store. [5] Universities and businesses began issuing notices to stop using tools to circumvent the firewall.

In late 2012, companies providing VPN services claimed the Great Firewall of China became able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems.

In 2017, telecommunications carriers in China were instructed by the government to block individuals' use of VPNs by February 2018. [6]

In 2024, VPNs were frequently inaccessible during the Two Sessions. [7]

India

In 2022, the government of India stated that VPN providers must log a variety of user data for a minimum of five years. Due to the new ruling, many VPN service providers removed their physical servers from India and instead operate virtual servers, allowing users to still connect to Indian locations but without falling under the jurisdiction of Indian law. [8]

Iran

The government of Iran began blocking access to VPNs not sanctioned by the government in March 2013, [9] a few months prior to the 2013 elections, to "prosecute users who are violating state laws" and "take offenders to national courts under supervision of judiciary service". Use of VPNs approved by the government reportedly led to surveillance and inspection of private data. [10]

Russia

In July 2017, the State Duma passed a bill requiring Internet providers to block websites that offer VPNs, in order to prevent the spreading of "extremist materials" on the Internet. [11] [12] It is unclear exactly how Russia plans to implement the regulation, though it seems that both the Federal Security Service (FSB) and ISPs will be tasked with identifying and cracking down on VPNs. In November 2017, the BBC made it clear that Russia has not banned VPN usage entirely. VPN usage is only banned when attempting to access sites already blocked by Roskomnadzor, Russia's governing body for telecommunications and mass media communications. [13] Using a VPN for business or personal reasons to access legal sites in Russia is permitted. [14]

Russia banned various VPN service providers in 2021 [15] and forced Google to delist VPN websites, even while Russians continued to download VPNs. [16]

Syria

The government of Syria activated deep packet inspection after the uprising in 2011 in order to block VPN connections. [17] The censorship targeted different VPN protocols like OpenVPN, L2TP and PPTP.

Pakistan

The government of Pakistan issued a notice to VPN providers to register their IPs; otherwise, their VPN services will be blocked, as in China.

Turkey

In an attempt to curb the use of social media by its citizens, the government of Turkey has considered a complete ban on VPN apps. The Nationalist Movement Party proposed a bill covering such a ban in July 2020. [18] [19] [20]

VPN blocking by online services

Hulu

In an attempt to stop unauthorized access from users outside the US, Hulu began blocking users accessing the site from IP addresses linked to VPN services in April 2014. In doing so, however, the company also restricted access from legitimate U.S.-based users using VPNs for security reasons. VPN providers such as VikingVPN, NordVPN and TorGuard stated that they would seek ways to address this issue for their customers by speaking directly to Hulu about a resolution and rolling out more dedicated IP addresses, respectively. [21]

Netflix

Netflix came under pressure from major film studios in September 2014 to block VPN access, as up to 200,000 Australian subscribers were using Netflix despite it not being available yet in Australia. [22] VPN access for Netflix has, like other streaming services, allowed users to view content more securely or while out of the country. Netflix users have also used VPNs as a means of bypassing throttling efforts made by service providers such as Verizon. Any VPN might slow down an internet connection when streaming Netflix; however, there are cases where using a VPN might improve the connection if a user's ISP has been throttling Netflix traffic. As of June 2018, the Netflix VPN and proxy ban is still active. The CEO of Netflix, Reed Hastings, made a comment in 2016 about the VPN market as a whole: "It's a very small but quite vocal minority. It's really inconsequential to us." [23]

BBC iPlayer

The BBC started blocking users connecting via VPNs in October 2015. [24] The BBC is able to detect VPN connections by monitoring the number of simultaneous connections coming from each IP address. If the number of connections from the same IP becomes abnormal, the BBC will block future connections from the offending IP address.
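The simultaneous-connection heuristic described above, as an added example that is not the BBC's implementation and not part of the original article. It computes the peak number of overlapping sessions per source IP with a sweep over start and end events; the threshold, the session tuples and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (source IP, start second, end second); the end second is exclusive.
Session = Tuple[str, int, int]


def peak_concurrency(sessions: Iterable[Session]) -> Dict[str, int]:
    """Highest number of sessions open at the same instant, per source IP."""
    events = defaultdict(list)
    for ip, start, end in sessions:
        if end <= start:
            continue  # skip malformed or zero-length records
        events[ip].append((start, +1))
        events[ip].append((end, -1))

    peaks: Dict[str, int] = {}
    for ip, evs in events.items():
        # Tuples sort by time, then delta: at equal timestamps the -1 comes
        # first, so back-to-back sessions are not counted as overlapping.
        evs.sort()
        live = peak = 0
        for _, delta in evs:
            live += delta
            peak = max(peak, live)
        peaks[ip] = peak
    return peaks


def ips_to_block(sessions: Iterable[Session], threshold: int) -> List[str]:
    """Source IPs whose peak concurrency exceeds the (assumed) threshold."""
    peaks = peak_concurrency(sessions)
    return sorted(ip for ip, peak in peaks.items() if peak > threshold)


# Constructed sample sessions (documentation addresses).
SAMPLE_SESSIONS: List[Session] = [
    # One exit address shared by many subscribers of a VPN service.
    ("198.51.100.7", 0, 100), ("198.51.100.7", 10, 90),
    ("198.51.100.7", 20, 80), ("198.51.100.7", 30, 70),
    ("198.51.100.7", 40, 60),
    # One viewer watching three programmes back to back.
    ("203.0.113.20", 0, 50), ("203.0.113.20", 50, 100),
    ("203.0.113.20", 100, 150),
    # A household with two devices.
    ("203.0.113.21", 0, 60), ("203.0.113.21", 30, 90),
    # A shared NAT gateway (e.g. a campus): not a VPN, but it looks like one.
    ("192.0.2.200", 0, 100), ("192.0.2.200", 5, 100),
    ("192.0.2.200", 10, 100), ("192.0.2.200", 15, 100),
]

if __name__ == "__main__":
    print(peak_concurrency(SAMPLE_SESSIONS))
    print(ips_to_block(SAMPLE_SESSIONS, threshold=3))
```

The NAT gateway in the sample is flagged alongside the VPN exit, which is the false-positive cost of counting connections per address: the threshold has to be tuned against legitimately shared addresses.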

BBC iPlayer remains unavailable to UK TV Licence holders connecting from other EU countries. [25] The BBC said that it was "interested in being able to allow UK licence fee payers to access BBC iPlayer while they are on holiday, and welcome the European Union regulation to help make this feasible." [26]

Threads

Meta's Threads platform started blocking users from the European Union who used VPNs to bypass the access restriction to the service stemming from the privacy concerns of the app. [27] However, as of December 14, 2023, the platform was accessible to users in the European Union. [28]

Related Research Articles

An Internet filter is software that restricts or controls the content an Internet user is able to access, especially when utilized to restrict material delivered over the Internet via the Web, email, or other means. Such restrictions can be applied at various levels: a government can attempt to apply them nationwide, or they can, for example, be applied by an Internet service provider to its clients, by an employer to its personnel, by a school to its students, by a library to its visitors, by a parent to a child's computer, or by an individual user to their own computers. The motive is often to prevent access to content which the computer's owner(s) or other authorities may consider objectionable. When imposed without the consent of the user, content control can be characterised as a form of internet censorship. Some filter software includes time control functions that empower parents to set the amount of time that a child may spend accessing the Internet or playing games or other computer activities.

Proxy server: Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.

Virtual private network (VPN) is a network architecture for virtually extending a private network across one or multiple other networks which are either untrusted or need to be isolated.

China censors both the publishing and viewing of online material. Many controversial events are censored from news coverage, preventing many Chinese citizens from knowing about the actions of their government, and severely restricting freedom of the press. China's censorship includes the complete blockage of various websites, apps, and video games, inspiring the policy's nickname, the Great Firewall of China, which blocks websites. Methods used to block websites and pages include DNS spoofing, blocking access to IP addresses, analyzing and filtering URLs, packet inspection, and resetting connections.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded. A SOCKS server accepts incoming client connections on TCP port 1080, as defined in RFC 1928.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is often used for baselining application behavior, analyzing network usage, troubleshooting network performance, ensuring that data is in the correct format, checking for malicious code, eavesdropping, and internet censorship, among other purposes. There are multiple headers for IP packets; network equipment only needs to use the first of these for normal operation, but use of the second header is normally considered to be shallow packet inspection despite this definition.

The Great Firewall is the combination of legislative actions and technologies enforced by the People's Republic of China to regulate the Internet domestically. Its role in internet censorship in China is to block access to selected foreign websites and to slow down cross-border internet traffic. The Great Firewall operates by checking transmission control protocol (TCP) packets for keywords or sensitive words. If the keywords or sensitive words appear in the TCP packets, access will be closed. If one link is closed, more links from the same machine will be blocked by the Great Firewall. The effect includes: limiting access to foreign information sources, blocking foreign internet tools and mobile apps, and requiring foreign companies to adapt to domestic regulations.

Port forwarding: Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

Network address translation traversal is a computer networking technique of establishing and maintaining Internet Protocol connections across gateways that implement network address translation (NAT).

An ICMP tunnel establishes a covert connection between two remote computers, using ICMP echo requests and reply packets. An example of this technique is tunneling complete TCP traffic over ping requests and replies.

An application-level gateway is a security component that augments a firewall or NAT employed in a mobile network. It allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria.

Internet censorship: Legal control of the internet

Internet censorship is the legal control or suppression of what can be accessed, published, or viewed on the Internet. Censorship is most often applied to specific internet domains but exceptionally may extend to all Internet resources located outside the jurisdiction of the censoring state. Internet censorship may also put restrictions on what information can be made internet accessible. Organizations providing internet access – such as schools and libraries – may choose to preclude access to material that they consider undesirable, offensive, age-inappropriate or even illegal, and regard this as ethical behavior rather than censorship. Individuals and organizations may engage in self-censorship of material they publish, for moral, religious, or business reasons, to conform to societal norms, political views, due to intimidation, or out of fear of legal or other consequences.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

Internet censorship circumvention, also referred to as going over the wall or scientific browsing in China, is the use of various methods and tools to bypass internet censorship.

SoftEther VPN: Open-source VPN client and server software

SoftEther VPN is free, open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

Geo-blocking, geoblocking or geolocking is technology that restricts access to Internet content based upon the user's geographical location. In a geo-blocking scheme, the user's location is determined using Internet geolocation techniques, such as checking the user's IP address against a blacklist or whitelist, GPS queries in the case of a mobile device, accounts, and measuring the end-to-end delay of a network connection to estimate the physical location of the user. IP address location tracking, a field pioneered by Cyril Houri, the inventor of one of the first systems capable of identifying a user's geographical location via their IP address, is typically used for geo-blocking. This technology has become widely used in fraud prevention, advertising, and content localization, which are integral to geo-blocking applications. The result of the checks is used to determine whether the system will approve or deny access to the website or to particular content. The geolocation may also be used to modify the content provided, for example, the currency in which goods are quoted, the price or the range of goods that are available, besides other aspects.

A virtual private network (VPN) service provides a proxy server to help users who want to bypass Internet censorship such as geo-blocking, and users who want to protect their communications against data profiling or MitM attacks on hostile networks.

Snowflake (software): Anti-censorship software

Snowflake is a software package for assisting others in circumventing internet censorship by relaying data requests. Snowflake relay nodes are meant to be created by people in countries where Tor and Snowflake are not blocked. People under censorship then use a Snowflake client, packaged with the Tor Browser or Onion Browser, to access the Tor network, using Snowflake relays as proxy servers. Access to the Tor network can in turn give access to other blocked services. A Snowflake node can be created by either installing a browser extension, installing a stand-alone program, or browsing a webpage with an embedded Snowflake relay. The node runs whenever the browser or program is connected to the internet.

References

  1. "VPN and Proxy Detection API". www.focsec.com. Retrieved 2021-05-01.
  2. "IP2Proxy™ IP-ProxyType-Country Database [PX2]". www.ip2location.com. Retrieved 2016-06-12.
  3. Lam, Oiwan (13 May 2011). "China: Cracking down circumvention tools".
  4. Toombs, Zach. "China's Censors Take on Virtual Private Networks". Retrieved 13 November 2014.
  5. Arthur, Charles (13 May 2011). "China cracks down on VPN use". The Guardian.
  6. "China Tells Carriers to Block Access to Personal VPNs by February". Bloomberg. 2017-07-10.
  7. "China Tightens Grip Over Internet During Key Political Meeting". Voice of America. 2024-03-10. Retrieved 2024-03-26.
  8. Singh, Manisha (17 June 2022). "Explainer: New VPN rules, why companies are upset and what they mean for you". Retrieved 16 August 2022.
  9. Torbati, Yeganeh (2013-03-10). "Iran blocks use of tool to get around Internet filter". Reuters.
  10. Shwayder, Maya (2013-03-11). "Cyber-Rebels See Way To Get Around Iran's VPN Internet Block". International Business Times.
  11. "Russian parliament bans use of proxy Internet services, VPNs". ABC.
  12. "Russia: New Legislation Attacks Internet Anonymity". Human Rights Watch. 2017-08-01. Retrieved 2017-08-01.
  13. "Explainer: What is Russia's new VPN law all about?". BBC News. 2017-11-01. Retrieved 2020-12-06.
  14. Idrisova, Ksenia (2017-11-01). "What is Russia's new VPN law all about?". Retrieved 2019-05-13.
  15. "Russians' demand for VPNs skyrockets after Meta block". Reuters. 2022-03-14. Retrieved 2022-04-07.
  16. Forbes (2022-03-21). "Russia Forcing Google To Delist VPN Websites, But 400,000+ Russians Are Downloading VPNs Daily". Forbes. Retrieved 2022-04-10.
  17. Kim, Kuinam J.; Chung, Kyung-Yong (2012-12-12). IT Convergence and Security 2012. Springer Science & Business Media. ISBN 9789400758605.
  18. "Turkey plans to restrict social media and block VPN services". VanillaPlus. 2020-07-30. Retrieved 2020-10-19.
  19. "Turkey's ruling coalition partner calls for block on VPN services ahead of vote on social media bill". Ahval. Retrieved 2020-10-19.
  20. "Turkey plans to restrict social media and block VPN services". The EE. 2020-07-30. Retrieved 2020-10-19.
  21. Van Der Sar, Ernesto. "Hulu Blocks VPN Users Over Piracy Concerns".
  22. Maxwell, Andy. "VPN Users 'Pirating' Netflix Scare TV Networks".
  23. "Canada Netflix users complain as access to U.S. service blocked". Reuters. 2016-04-20. Retrieved 2019-05-13.
  24. Thomson, Iain (19 Oct 2015). "BBC shuts off iPlayer to UK VPNs, cutting access to overseas fans". www.theregister.co.uk. Retrieved 2019-05-13.
  25. Smith, Mat (2 April 2018). "Brits (still) can't stream BBC iPlayer abroad". Engadget. Retrieved 2019-05-13.
  26. Sweney, Mark (2018-04-02). "From sofa to sunbed: holidaymakers can see British pay-TV abroad". The Guardian. ISSN 0261-3077. Retrieved 2019-05-13.
  27. Mehta, Ivan (2023-07-14). "Meta confirms it is blocking EU-based users from accessing Threads via VPN". TechCrunch. Retrieved 2023-07-14.
  28. "Threads: Meta's rival to Elon Musk's X launches in EU". BBC News. 2023-12-14. Retrieved 2023-12-19.