How to connect to a very hostile network?

[Guest]

Hello, I recently bought AirVPN and everything went smoothly. Recently though, the VPN stopped connecting. I've tried reinstalling the TAP driver on multiple versions, I've reinstalled Eddie (both experimental and stable), and tried multiple protocols. The VPN works perfectly on my home network. Any suggestions?

 

I can supply logs when I get them.

[LZ1 672]

Hello!
 

Did the protocols you tried, include TCP 443 (SSL/SHH)?

[Guest]

Yes I did. I've tried nearly all protocols including TCP 443 (SSH and SSL).

 

Here are my logs: 

 

I 2016.11.09 07:22:48 - Session starting.

. 2016.11.09 07:22:48 - IPv6 disabled with packet filtering.

I 2016.11.09 07:22:48 - Checking authorization ...

! 2016.11.09 07:22:49 - Connecting to Yildun (United States, Miami)

. 2016.11.09 07:22:49 - OpenVPN > OpenVPN 2.3.12 x86_64-w64-mingw32 [sSL (OpenSSL)] [LZO] [iPv6] built on Sep  5 2016

. 2016.11.09 07:22:49 - OpenVPN > Windows version 6.2 (Windows 8 or greater) 64bit

. 2016.11.09 07:22:49 - OpenVPN > library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09

. 2016.11.09 07:22:49 - OpenVPN > MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:3100

. 2016.11.09 07:22:49 - OpenVPN > Control Channel Authentication: tls-auth using INLINE static key file

. 2016.11.09 07:22:49 - OpenVPN > Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

. 2016.11.09 07:22:49 - OpenVPN > Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

. 2016.11.09 07:22:49 - OpenVPN > Socket Buffers: R=[65536->262144] S=[65536->262144]

. 2016.11.09 07:22:49 - OpenVPN > Attempting to establish TCP connection with [AF_INET]173.44.55.178:80 [nonblock]

. 2016.11.09 07:22:50 - OpenVPN > TCP connection established with [AF_INET]173.44.55.178:80

. 2016.11.09 07:22:50 - OpenVPN > TCPv4_CLIENT link local: [undef]

. 2016.11.09 07:22:50 - OpenVPN > TCPv4_CLIENT link remote: [AF_INET]173.44.55.178:80

. 2016.11.09 07:23:23 - OpenVPN > [uNDEF] Inactivity timeout (--ping-exit), exiting

. 2016.11.09 07:23:23 - OpenVPN > SIGTERM[soft,ping-exit] received, process exiting

! 2016.11.09 07:23:23 - Disconnecting

. 2016.11.09 07:23:23 - Connection terminated.

I 2016.11.09 07:23:25 - Cancel requested.

. 2016.11.09 07:23:25 - IPv6 restored with packet filtering.

! 2016.11.09 07:23:25 - Session terminated.

[zhang888 1066]

Maybe udp/53 will work.

[Guest]

No sadly, none of the methods seem to work. I am on a school network that blocks nearly all websites unless already allowed. It also gives SSL errors whenever you try and connect to a website. Is there a way I can make this work? The only thing I've found to work is connecting using psiphon, then, while connected, go into Eddie and use the port number that Psiphon is currently using. Not even SSL 443 will work. 

 

The weird thing is, it was working just a few days ago. But I was only using 3 different servers. Now all of a sudden, all of AirVPN's servers are blocked.

[Staff 9973]

The weird thing is, it was working just a few days ago. But I was only using 3 different servers. Now all of a sudden, all of AirVPN's servers are blocked.

 

 

Have you tested alternative entry-IP addresses? It's easy to block all the VPN servers entry-IP addresses because they can be taken just by resolving one name. Alternative entry-IP addresses, instead, are not public and "the censorship lovers" would need to generate a configuration file for each server to get them all. At least you would make them earn properly the money they get to censor your school connections.

 

Kind regards

[Guest]

Yes. Like I said. Every single method doesn't work. The network I am on is very restricted and only gives access to about 100-200 websites. Is it possible to disguise AirVPN as a certain type of traffic? Even the SSL method doesn't work.

[muelli 2]

Do they whitelist based on IP or DNS?

If DNS, maybe you are "friend" with one of the whitelisted sites admins who can set up a A RR for you in their dns....

 

I think if they whitelist IPs only, then you might habe a hard time.

 

edit: Alternatively it might be worth trying if they check the PTR for an IP you want to connect to.

if they whitelist google.com for example and you want to connect to a plain IP, have the owner of that IP set up a PTR RR like www.google.com.

[Guest]

I would imagine they white list DNS because every AirVPN server is blocked even though I've used maybe 5 servers. But at the same time, they could be white listing IP's because some websites are blocked while others aren't. Sadly I know no one from the IT department so I might just be screwed. How would I check if they are checking the PTR? And how would I get the owner of the IP to set up a PTR RR. Sorry for my noobieness.

 

Also, some websites that should be fine give SSL errors saying that the certificate is invalid, such as google.com. 

[muelli 2]

>>How would I check if they are checking the PTR?

 

You would have to know details/manufacturer of their system and browse the web for manuals.... or go by try and error.

 

>>And how would I get the owner of the IP to set up a PTR RR.

 

The "owner" of an (fixed) IP usually has control over an associated DNS server and hence can set up a PTR RR very easily. In that case this will most likely be airVPN. I am sure they can set up such an "innocent" looking PTR RR on their namservers

 

>>Also, some websites that should be fine give SSL errors saying that the certificate is invalid, such as google.com.

 

That is an indicator for a man in the middle "attack"/system, which replaces the original SSL certs with some bogus ones from the firewall/"security system", so they can read/decrypt the SSL traffic.

[Guest]

So what should I do right now? Ask AirVPN to setup a PTR RR?

[zhang888 1066]

Your only solution then is Tor with pluggable transports such as meek and obfsproxy4, then VPN on top.

 

https://trac.torproject.org/projects/tor/wiki/doc/meek