In this discussion we will delve into the technology behind the VPN Gate distributed network, which has become known as a tool against Internet censorship in China. Although SoftEther VPN itself has been covered extensively on the Internet, there is a lack of comprehensive technical articles about the distributed relay network built on top of it.
VPN Gate
VPN Gate originated as an academic experiment by Daiyu Nobori in 2013. This project is an Internet research service that operates from the Graduate School of the University of Tsukuba in Japan. The objective of this research is to enhance understanding of “Global Distributed Open VPN Relays”.
Feature
The network’s distinctive feature is its swarm-like operation: users voluntarily contribute their bandwidth to others. Although this may sound like yet another failed blockchain-based dVPN PR stunt, the project has already gathered 8,634 nodes and relayed 534 petabytes of traffic. For comparison, Tor has only about 7,000 relays.
The network is popular with Chinese users because its architecture has proven effective at bypassing the Great Firewall of China.
A GUI client, as well as a server with the VPN Gate plugin built in, can be downloaded from the VPN Gate website. Each zip build of the program differs in size, which complicates DPI-based fingerprinting of the download. The client also stores a random selection of VPN server addresses so that it can still connect if the original VPN Gate servers are blocked.
However, what I believe to be the project’s most significant achievement is its successful implementation of NAT hole punching, which allows every user to share their bandwidth without needing a public (“white”) IP address or registration.
Fighting the firewall:
To understand why the Great Firewall of China (GFW) has yet to block it, we must examine the ongoing battle between good and evil:
When the project launched, the first four days saw a massive influx of users from China, with 5,000 users flooding the service at once.
On the fifth day, the GFW blocked the primary VPN Gate website. However, users continued to share installers through portals such as Weibo.
Next, the GFW began blocking the VPN server addresses obtained from the project’s main page. However, it made a crucial error: it did not verify that the addresses it scraped were actually VPN servers. The project team quickly capitalized on this mistake and presented the following evidence.
The team mixed random, unrelated IP addresses into the published list. Within three days they were effectively deciding what the GFW blocked, and the collateral blocking reached sites inside China.
The GFW quickly realized its mistake and began verifying each IP address with a technique called active probing, which complements its DPI. When a user in China requested a connection to a remote IP, a GFW bot (from a random source address) sent a test request to that same address. If the response contained the content the filter treats as prohibited (here, the fingerprint of a VPN server), the remote IP was blocked.
However, because the number of VPN Gate servers is so large, the network has an advantage: every volunteer server reports to the project the source addresses of short-lived connection attempts made against it.
The team began processing these logs automatically on their own server. Because Chinese providers have very large address pools, an individual server cannot reliably identify the IP address of the bot that scanned it and reported it to the GFW for blocking. In addition, many people connect using obfuscated VPN protocols, which can be heuristically detected.
More participants – stronger defense
However, if the statistics from all nodes are combined, a source IP that connected to and disconnected from many different relays within a short interval stands out and can be identified and blocked. The network is therefore able to detect GFW bots that are trying to find its relays and turn them away. Furthermore, each user is only ever given a limited list of servers, which makes it hard for the GFW’s scanning pool of roughly 16 million IP addresses (some reports mention foreign address pools as well) to enumerate the network. In short, the more participants there are, the stronger the network’s defense becomes.
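To make the collaborative detection described above concrete, here is an added example (not VPN Gate’s own code) of the aggregation logic: each relay reports short-lived connection attempts, and a central aggregator flags any source IP that touched several distinct relays within a short window. The log format, the thresholds and the sample log lines are constructed assumptions for illustration; the contrast with `single_node_view` shows why one relay on its own cannot tell a probe from an ordinary user retrying a connection.

```python
"""Collaborative probe detection over relay connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines as reported by volunteer relays.
# Assumed format: <node_id> <ISO timestamp> <source_ip> <session_seconds>
# 203.0.113.7 hits four relays in 15 s with 1-2 s sessions (probe-like).
# 198.51.100.23 has one real 30-minute session and one short retry.
# 192.0.2.51 retries the same relay three times (a user with a flaky link).
SAMPLE_LOGS = """\
node-A 2024-05-01T10:00:05 203.0.113.7 2
node-B 2024-05-01T10:00:09 203.0.113.7 1
node-C 2024-05-01T10:00:14 203.0.113.7 2
node-D 2024-05-01T10:00:20 203.0.113.7 1
node-A 2024-05-01T10:01:00 198.51.100.23 1800
node-B 2024-05-01T10:02:30 198.51.100.23 3
node-C 2024-05-01T10:05:00 192.0.2.50 3600
node-A 2024-05-01T10:07:10 192.0.2.51 2
node-A 2024-05-01T10:07:12 192.0.2.51 2
node-A 2024-05-01T10:07:15 192.0.2.51 2
"""


def parse_logs(text):
    """Parse the assumed log format into (node, timestamp, ip, seconds) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        node, ts, ip, secs = line.split()
        events.append((node, datetime.fromisoformat(ts), ip, int(secs)))
    return events


def single_node_view(events, node_id, max_session=10, min_attempts=3):
    """What one relay can conclude alone: count short sessions per source IP.

    This flags the retrying user (192.0.2.51) and misses the probe, which
    touched this relay only once.
    """
    counts = defaultdict(int)
    for node, _ts, ip, secs in events:
        if node == node_id and secs <= max_session:
            counts[ip] += 1
    return sorted(ip for ip, c in counts.items() if c >= min_attempts)


def detect_probes(events, window=timedelta(seconds=60), max_session=10, min_nodes=3):
    """Aggregate view: a source IP is a probe if, within `window`, it made
    short sessions (<= max_session s) against at least `min_nodes` distinct relays.
    Returns {ip: sorted list of relays it touched in the offending window}.
    """
    short_by_ip = defaultdict(list)
    for node, ts, ip, secs in events:
        if secs <= max_session:
            short_by_ip[ip].append((ts, node))

    probes = {}
    for ip, attempts in short_by_ip.items():
        attempts.sort()
        # Slide a window anchored at each attempt; distinct relays are what matter.
        for i, (start, _node) in enumerate(attempts):
            nodes = {n for ts, n in attempts[i:] if ts - start <= window}
            if len(nodes) >= min_nodes:
                probes[ip] = sorted(nodes)
                break
    return probes


def filter_server_list(servers, requester_ip, probes):
    """One possible response (an assumption here): a flagged requester is
    handed an empty list instead of fresh relay addresses."""
    return [] if requester_ip in probes else list(servers)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("node-A alone suspects:", single_node_view(evs, "node-A"))
    found = detect_probes(evs)
    print("aggregate probes:", found)
    print("list served to probe:", filter_server_list(["relay1", "relay2"], "203.0.113.7", found))
```

The thresholds (60 s window, 10 s session cap, three distinct relays) are deliberately loose for the sample; in practice they would be tuned against the rate at which genuine users retry, and the window would be measured from the moment an address was first published to a requester, since a probe that follows a fresh listing within seconds is the clearest signal.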
The technology under discussion runs on a distributed network that benefits from the dynamic IP addresses of its participants behind NAT. The VPN servers offer four protocols: SSL-VPN, OpenVPN, L2TP/IPsec and MS-SSTP.
Internet connection sharing
Anyone willing to contribute by sharing their Internet connection can download the server package and configure it in a few clicks. The contributor can set a message shown to other users when they connect and leave an email address for contact. The package keeps connection logs for two weeks, lets the contributor limit the shared bandwidth, and includes a built-in firewall with security policies that keep the contributor’s local network addresses out of reach of VPN users. Installation does not require administrator rights.