Smart bypassing of site blocks in Ukraine

This article describes how to set up Zaborona.Help, a free service for bypassing blocked sites in Ukraine.

The distinctive feature of the configuration is that only traffic to the blocked networks is routed through the VPN; all other sites are reached directly. It works on all major platforms: Windows, Linux, iOS, MacOS and Android.

The VPN does not affect Internet speed, does not change your IP address for other sites, and does not interfere with online gaming, voice traffic, etc.

Problems with popular tools for bypassing blocks

    Browser plugins: do not work for mobile apps, route all traffic through their own servers, have access to page content and are therefore a security risk.

    Conventional VPNs: route all traffic through their servers. They reduce Internet speed, increase latency and substitute your IP address for every site.

    Browser proxies: cannot bypass blocks for mobile apps.


The configuration process is described using OpenVPN as the example and can easily be repeated in a few minutes.

Client-side setup is done with a single configuration file and requires no manual entry of addresses or passwords.

Server selection


The VPN server needs good network-level connectivity both with your provider, so that latency stays minimal, and with the resources you plan to reach through the VPN. Data centers in the USA, China or Japan are not the best choice.

Here are the options I chose for the Zaborona.help service:



Linode.com is a solid, reliable hosting provider with good uplinks.

Pros:

  • Gigabit uplink, good connectivity within Europe
  • Routed /64 block of IPv6 addresses, so VPN clients can be given real IPv6 addresses directly

Cons:

  • Minimum price $5
  • 1 TB of outgoing traffic on the minimum plan
  • $20 per TB once the limit is reached



Scaleway.com is cheap hosting with unlimited bandwidth.

Pros:

  • Minimum price per server $3
  • Unlimited bandwidth at 200 Mbit/s
  • Data center in Poland (close to Ukraine)

Cons:

  • A single IPv6 address per server (what nonsense!)
  • Worse connectivity to the blocked resources



For reliability, several servers from two different providers are used. Balancing is done at the most primitive level, via DNS.

The service domain that clients connect to, vpn.zaborona.help, has several A records pointing at all servers at once. This spreads clients evenly across the servers. The minimal TTL on the records makes it possible to quickly remove a failing server from the list and redirect clients.

List of blocked services


From Decree of the President of Ukraine №133/2017 the list of companies that fall under the block is known. Knowing this list, you can compile a list of all IP ranges belonging to those companies.

The bgp.he.net service can be used for this. For example, the BGP announcements of Yandex are at bgp.he.net/AS13238#_prefixes.
Once all the ranges are collected, neighbouring networks are merged into a single range in order to reduce the number of routes on the client.

The resulting list, IPv6 ranges included, is:

List of networks routed through servers VPN Zaborona
# Vkontakte
87.240.128.0/18
93.186.224.0/20
95.142.192.0/20
95.213.0.0/18
185.29.130.0/24
185.32.248.0/22

2a00:bdc0::/36
2a00:bdc0:e003::/48
2a00:bdc0:e004::/46
2a00:bdc0:e008::/48
2a00:bdc0:f000::/36

# Yandex
5.45.192.0/18
5.255.192.0/18
37.9.64.0/18
37.140.128.0/18
77.75.152.0/22
77.75.159.0/24
77.88.0.0/18
84.201.128.0/18
87.250.224.0/19
93.158.128.0/18
95.108.128.0/17
100.43.64.0/19
109.235.160.0/21
130.193.32.0/19
141.8.128.0/18
185.32.185.0/24
185.32.186.0/24
185.71.76.0/22
199.21.96.0/22
199.36.240.0/22
213.180.192.0/19

2001:678:384::/48
2620:10f:d000::/44
2a02:6b8::/32
2a02:5180::/32

# Mail.ru
5.61.16.0/21
5.61.232.0/21
79.137.157.0/24
79.137.183.0/24
94.100.176.0/20
95.163.32.0/19
95.163.248.0/21
128.140.168.0/21
178.22.88.0/21
178.237.16.0/20
185.5.136.0/22
185.16.148.0/22
185.16.244.0/22
188.93.56.0/21
194.186.63.0/24
195.211.20.0/22
195.218.168.0/24
217.20.144.0/20
217.69.128.0/20
178.22.91.0/24
178.22.92.0/23
185.16.244.0/23
195.211.128.0/22
208.87.94.0/24

2a00:1148::/32
2a00:b4c0::/32

# Kaspersky Lab
77.74.176.0/22
77.74.181.0/24
77.74.183.0/24
93.159.228.0/22
185.54.220.0/23
185.85.12.0/24
185.85.14.0/23
77.74.176.0/21
91.103.64.0/21
93.159.224.0/21

2a03:2480::/33

This list changes very rarely, so it is not difficult to update it when necessary.
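An added example (not part of the original article or the Zaborona project) that automates the merging step described above and renders the result in the push-route format the server config uses; the sample prefixes are copied from the page's list, and the names RAW_PREFIXES, collapse, push_lines, build_routes and is_tunneled are my own.

```python
import ipaddress

# Sample input copied from the page's list (a subset); note the overlapping
# Kaspersky entries (a /22 and two /24s that all sit inside 77.74.176.0/21).
RAW_PREFIXES = {
    "Kaspersky": [
        "77.74.176.0/22", "77.74.181.0/24", "77.74.183.0/24",
        "93.159.228.0/22", "185.54.220.0/23", "185.85.12.0/24",
        "185.85.14.0/23", "77.74.176.0/21", "91.103.64.0/21",
        "93.159.224.0/21", "2a03:2480::/33",
    ],
    "VK.com": [
        "87.240.128.0/18", "93.186.224.0/20", "95.142.192.0/20",
        "95.213.0.0/18", "185.29.130.0/24", "185.32.248.0/22",
        "2a00:bdc0::/36", "2a00:bdc0:e003::/48", "2a00:bdc0:e004::/46",
    ],
}

def collapse(prefixes):
    """Merge overlapping and adjacent prefixes; v4 and v6 are handled apart."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4) + sorted(v6)

def push_lines(prefixes):
    """Render collapsed prefixes as OpenVPN server-side push directives."""
    lines = []
    for net in collapse(prefixes):
        if net.version == 4:  # OpenVPN wants a dotted netmask for IPv4 routes
            lines.append(f'push "route {net.network_address} {net.netmask}"')
        else:
            lines.append(f'push "route-ipv6 {net.with_prefixlen}"')
    return lines

def build_routes(groups):
    """Produce the '# Routes' part of the server config, one block per company."""
    out = []
    for name, prefixes in groups.items():
        out += [f"# {name} network", *push_lines(prefixes), ""]
    return "\n".join(out)

def is_tunneled(ip, groups):
    """Check whether traffic to ip would take the VPN (falls in a pushed route)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for p in groups.values() for net in collapse(p))

if __name__ == "__main__":
    print(build_routes(RAW_PREFIXES))
```

Running it shows the three redundant Kaspersky entries folded into the single 77.74.176.0/21 route, and is_tunneled lets you confirm that an address such as 8.8.8.8 stays outside the tunnel unless you push a route for it, as the server config below does for the DNS resolvers.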

OpenVPN configuration


OpenVPN 2.4 will be used on the server, and this version is recommended. Ubuntu LTS ships OpenVPN 2.3, so the correct version can be installed by adding the official OpenVPN repository.

Certificates


The easiest way to generate certificates is the easy-rsa utility. This fork by ValdikSS lets you generate certificates that are suitable for both OpenVPN and IPsec at the same time.

Generate keys using easy-rsa
$ git clone https://github.com/ValdikSS/easy-rsa-ipsec.git
$ cd easy-rsa-ipsec/easyrsa3
$ ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.

$ ./easyrsa build-ca nopass
Generating a 2048 bit RSA private key
...
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Cool VPN Server
...

$ ./easyrsa build-server-full zaborona.help nopass
Generating a 2048 bit RSA private key
...
Write out database with 1 new entries
Data Base Updated

# Here "public" is the client name; it can be anything.
$ ./easyrsa build-client-full public nopass 
Generating a 2048 bit RSA private key
...
Write out database with 1 new entries
Data Base Updated


After generating the certificates, the files you need are:

server:

easyrsa3/pki/ca.crt — the root certificate
easyrsa3/pki/issued/zaborona.help.crt — the server certificate
easyrsa3/pki/private/zaborona.help.key — the private key of the server certificate

client:

easyrsa3/pki/ca.crt — the root certificate
easyrsa3/pki/issued/public.crt — the client certificate
easyrsa3/pki/private/public.key — the client key

Server configuration


Add the list of networks obtained in the previous step to the server config. Then, when a client connects, it installs routes to the blocked networks via the VPN server, while the default route 0.0.0.0 is left unchanged.

Since many providers in Ukraine block DNS requests for the blocked sites, it is important to push our own resolvers to the client and to make sure they are reached through the VPN.

Config of the OpenVPN server
mode server
proto tcp

dev-type tun # tun driver, as we do not need the L2 level
dev zaborona # name of the tun interface on the server

topology subnet
server 192.168.224.0 255.255.252.0 # IP range issued to clients. Choose a wide mask, as many clients are expected
server-ipv6 2a01:7e01:e001:77:8000::/65 # IPv6 range. Remove if you do not have a separately routable IPv6 network on the server

push "dhcp-option DNS 8.8.8.8" # set the DNS resolver
push "route 8.8.8.8" # route to this address through the VPN

push "dhcp-option DNS 74.82.42.42" # HE.net DNS as a secondary resolver
push "route 74.82.42.42" # route to the HE.net DNS

txqueuelen 250
keepalive 300 900
persist-tun
persist-key

cipher AES-128-CBC
ncp-ciphers AES-128-GCM

user nobody
duplicate-cn

# log logs/openvpn.log
# status status/status.log 30

ca ca.crt
cert zaborona.help.crt
key zaborona.help.key
dh dh2048.pem


# Routes

# Yandex network
push "route 5.45.192.0 255.255.192.0"
push "route 5.255.192.0 255.255.192.0"
push "route 37.9.64.0 255.255.192.0"
push "route 37.140.128.0 255.255.192.0"
push "route 77.88.0.0 255.255.192.0"
push "route 84.201.128.0 255.255.192.0"
push "route 87.250.224.0 255.255.224.0"
push "route 93.158.128.0 255.255.192.0"
push "route 95.108.128.0 255.255.128.0"
push "route 100.43.64.0 255.255.224.0"
push "route 130.193.32.0 255.255.224.0"
push "route 141.8.128.0 255.255.192.0"
push "route 178.154.128.0 255.255.128.0"
push "route 199.21.96.0 255.255.252.0"
push "route 199.36.240.0 255.255.252.0"
push "route 213.180.192.0 255.255.224.0"

push "route-ipv6 2620:10f:d000::/44"
push "route-ipv6 2a02:6b8::/32"

# Mail.ru network
push "route 5.61.16.0 255.255.248.0"
push "route 5.61.232.0 255.255.248.0"
push "route 79.137.157.0 255.255.255.0"
push "route 79.137.183.0 255.255.255.0"
push "route 94.100.176.0 255.255.240.0"
push "route 95.163.32.0 255.255.224.0"
push "route 95.163.248.0 255.255.248.0"

push "route 178.22.88.0 255.255.248.0"
push "route 178.237.16.0 255.255.240.0"
push "route 185.5.136.0 255.255.252.0"
push "route 185.16.148.0 255.255.252.0"
push "route 185.16.244.0 255.255.252.0"
push "route 188.93.56.0 255.255.248.0"
push "route 194.186.63.0 255.255.255.0"
push "route 195.211.20.0 255.255.252.0"
push "route 195.218.168.0 255.255.255.0"
push "route 217.20.144.0 255.255.240.0"
push "route 217.69.128.0 255.255.240.0"

push "route-ipv6 2a00:1148::/32"
push "route-ipv6 2a00:a300::/32"
push "route-ipv6 2a00:b4c0::/32"

# VK.com network
push "route 87.240.128.0 255.255.192.0"
push "route 93.186.224.0 255.255.240.0"
push "route 95.142.192.0 255.255.240.0"
push "route 95.213.0.0 255.255.192.0"
push "route 185.32.248.0 255.255.252.0"

push "route-ipv6 2a00:bdc0::/36"
push "route-ipv6 2a00:bdc0:e006::/48"

# Kaspersky network
push "route 77.74.176.0 255.255.252.0"
push "route 77.74.181.0 255.255.255.0"
push "route 77.74.183.0 255.255.255.0"
push "route 93.159.228.0 255.255.252.0"
push "route 185.54.220.0 255.255.254.0"
push "route 185.85.12.0 255.255.255.0"
push "route 185.85.14.0 255.255.254.0"


Put all the files on the server in the folder /etc/openvpn:

zaborona.conf — the server configuration
ca.crt — the root certificate
zaborona.help.crt — the server certificate
zaborona.help.key — the server key
dh2048.pem — Diffie-Hellman parameters (not produced by the easy-rsa steps above; ./easyrsa gen-dh writes them to easyrsa3/pki/dh.pem, so rename the file to match the config)

Client configuration


To configure the connection on the client side, you need to generate a configuration file that contains both the settings and the authentication keys.

Client configuration file .ovpn
nobind
client

# The server address. Use the domain name so that DNS balancing works.
remote vpn.zaborona.help

remote-cert-tls server
cipher AES-128-CBC
setenv opt ncp-ciphers AES-128-GCM
setenv opt block-outside-dns
dev tun
proto tcp

<ca>
contents of the file easyrsa3/pki/ca.crt
</ca>

<cert>
contents of the file easyrsa3/pki/issued/public.crt
</cert>

<key>
contents of the file easyrsa3/pki/private/public.key
</key>


Connecting


Setting up the connection on the client consists of two steps: install the OpenVPN client and import the settings file.

We have written illustrated instructions for all popular operating systems:

Windows
MacOS
iOS
Android

The source code of the whole project, including the site, is on GitHub. If any information is missing from the site, I would appreciate a pull request.

For those who want to set up their own VPN server to bypass the block, I am happy to help. You can ask questions here or in the comments on the site.
Article based on information from habrahabr.ru
