10 Tips for Effective Web Unblocking With A VPN
The VPN user tips given here grew out of experience traveling to many countries and using VPN services to stay connected to sites and services in the webmaster's home country. Using the internet in China in particular has been a struggle. Rather than adapt to barriers like the Great Firewall of China, the webmaster has chosen to fight internet censorship. The suggestions below are considered effective ways of using VPN services in non-permissive environments.
- Subscribe to a service with many gateways. If you run your own servers, have them on many IP addresses, and be prepared to abandon IPs as they are blocked by the adversary sysadmin / government.
- Use the least conspicuous ports. Ports 443 and 1194 are well known to carry VPN traffic in addition to their other common uses (SSL and online gaming, respectively), and are often blocked by countries like China or Saudi Arabia.
Here are some common ports with enough traffic to make your presence harder to detect:
| Protocol | Port(s) | Application |
| --- | --- | --- |
| TCP or UDP | 6970-6969 | BitTorrent |
| TCP | 3389 | Windows Remote Desktop |
| UDP | 123 | Network Time Protocol |
| UDP or TCP | 531, 5190-5193 | AOL Instant Messenger |
| UDP | 666 | Doom, online game |
| UDP or TCP | 749 | Kerberos administration |
| UDP or TCP | 1503 | Windows Live Messenger |
| TCP | 4664 | Google Desktop Search |
| TCP | 16080 | Mac OS X Server |
Other randomly chosen ports between 1025 and 64000 will also work, as long as your firewall permits the traffic and the remote server is configured to accept data on that port. Here is a very good list of ports and applications.
- Whenever you attempt to access sites with sensitive content, use the VPN. Never go to such pages in the clear, then try the VPN after finding them blocked. That merely gets the attention of traffic analysts and makes denial of access more likely. Some countries will detect this and cut off your access. You may even be visited by police.
- Use the VPN only when needed. Deep packet inspection can be used to detect VPN traffic, and when constant usage is found, access is often restricted for the user's IP address. Adversaries can't easily determine what was in the data, but they can block the connection.
- Two-hop VPNs sound sophisticated but offer only limited increases in security. For better security, use better encryption and stronger keys. OpenVPN does a very good job with 256-bit Blowfish and 2048-bit RSA keys. Don't expect the NSA to crack your codes during the lifetime of the world.
- Don't forget to use a trustworthy DNS server. Google DNS and OpenDNS are great, and there are others as well. Continuing to use the internet service provider's DNS in countries such as Iran, Syria, or China will result in denied access.
- Avoid VPN services claiming to have their own special, uncrackable encryption. The best providers do not make such claims, but newer companies offering a cheaper product have been known to make this ridiculous claim. Note that OpenVPN is free and uses protocols known to be strong and proven robust through peer review. Why take risks with a proprietary system closed to professional scrutiny?
- For the highest speed, use a server located near you for access to the world. For access to systems sensitive to location and IP address (Facebook, Google, banks, etc.), stay with one server near the remote system. Sending your internet data packets on long, world-spanning round trips will reduce your bandwidth.
- For the most secure protection of your internet traffic, use a service with OpenVPN SSL tunneling. As a secondary choice, L2TP is widely used and almost as secure.
- Always bear in mind that security and anonymity are two different things. Your VPN provides security between your computer and the distant gateway server. It also provides anonymity to the extent that your traffic enters and exits the internet at a remote IP address and not your actual address. The VPN doesn't time-shift your traffic, nor does it prevent your other software from giving you away. If you publish an exposé of your local perverted, cannibalistic, bestial dictator on the net, please remember to not let your software sign the document with your actual name!
- A bonus tip: Use your "hosts" file to directly access blocked websites without the need for DNS lookups. Facebook and many others have SSL secured pages that are difficult to block, since the data is encrypted and resistant to blacklist screening. You can access them by IP address.
- Another bonus tip: In countries most hostile to VPNs, consider using additional software to obfuscate or hide the protocol from deep packet inspection. Stunnel and Obfsproxy are effective add-ons which make VPN data packets difficult to detect and isolate.
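The hosts-file bonus tip depends on entries you maintain by hand, and a malformed line fails silently or lets a later duplicate shadow an earlier name. The following is an added example, not code from the original page: a small parser and validator for hosts-file syntax (comments, several names per line, IPv4 and IPv6) plus a renderer that groups names by address. The sample content is constructed and uses documentation address ranges; the names and addresses are not real. Remember that hosts entries go stale when a site changes addresses, so re-check them when a site stops loading.

```python
import ipaddress

# Constructed sample hosts-file content (documentation ranges, not real sites).
SAMPLE_HOSTS = """\
# Static entries for sites whose DNS answers are unreliable here
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.10    www.example.org example.org   # inline comment is ignored
2001:db8::1     ipv6.example.org
not-an-ip       broken.example.org
"""


def parse_hosts(text: str):
    """Parse hosts-file text.

    Returns (mapping, rejected): mapping is {hostname: ip} with the first
    occurrence of a name winning (which is how resolvers treat the file),
    rejected is a list of (line_number, raw_line) whose address is invalid.
    """
    mapping, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # validates IPv4 and IPv6
        except ValueError:
            rejected.append((lineno, raw))
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), str(ip))
    return mapping, rejected


def render_entries(entries: dict) -> str:
    """Turn {hostname: ip} into hosts-file lines, one per address.

    Every address is validated; an invalid one raises ValueError rather than
    producing a line that the resolver would silently ignore.
    """
    by_ip = {}
    for name, ip in entries.items():
        by_ip.setdefault(str(ipaddress.ip_address(ip)), []).append(name)
    return "\n".join(
        f"{ip:<16}{' '.join(sorted(names))}" for ip, names in sorted(by_ip.items())
    )


if __name__ == "__main__":
    mapping, rejected = parse_hosts(SAMPLE_HOSTS)
    for name, ip in sorted(mapping.items()):
        print(f"{name} -> {ip}")
    for lineno, raw in rejected:
        print(f"line {lineno} rejected: {raw!r}")
    print(render_entries({"a.example.org": "203.0.113.5", "b.example.org": "203.0.113.5"}))
```

Run it against your own hosts file (`/etc/hosts` on Unix-like systems, `%SystemRoot%\System32\drivers\etc\hosts` on Windows) to catch typos before they cost you a working entry.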