This summer, the Egyptian government started to block access to news websites. At last count, it had blocked more than 400 websites. Realising that citizens are using Virtual Private Network (VPN) services to bypass such censorship, the government also started to block access to VPN websites.
In addition to this, Internet Service Providers (ISPs) have started using deep packet inspection (DPI) techniques in order to identify and block VPN traffic. Egypt blocked the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) VPN protocols in August. Until now, however, OpenVPN worked fine. This allowed ordinary Egyptians to access the uncensored internet.
On 3 October, however, the situation changed. It was reported on reddit that Egypt has now blocked OpenVPN as well. It seems that ISPs are using DPI techniques to detect OpenVPN packets. Once detected, the ISP drops these packets before the Transport Layer Security (TLS) handshake occurs.
To put it another way, OpenVPN is nerfed. Tor is also blocked.
How to Bypass the VPN Block from Egypt
This is not good news. However, it should still be possible to access the open internet using some of the tactics outlined below. Note that not all of these may work, but at least some of them should.
OpenVPN over TCP Port 443
Transmission Control Protocol (TCP) port 443 is used by HTTPS, the encrypted protocol that secures websites. Without HTTPS, no form of online commerce, such as shopping or banking, would be possible. Running OpenVPN over TCP port 443 is therefore usually a good way to evade censorship, because governments very rarely block this port.
Egyptian ISPs, though, are using DPI to detect OpenVPN packets – not blocking ports. However, VPN traffic on TCP port 443 is routed inside the TLS encryption used by HTTPS. This makes it much harder to spot using DPI.
Routing OpenVPN over TCP port 443 is one of the most common anti-censorship features that VPN providers offer. It is, therefore, an easy first port of call if your VPN connection is blocked. Apparently Egypt has blocked both OpenVPN User Datagram Protocol (UDP) and OpenVPN TCP. However, it’s not clear if this also applies to TCP port 443.
Even if a VPN service doesn’t support TCP port 443 using its software, many do actually support it at the server level. You can switch to it with a simple edit to your OpenVPN configuration (.ovpn) file.
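As an added illustration, not taken from the article or from any provider's profile, here is the relevant part of a client .ovpn file before and after that edit. The hostname vpn.example.net is a placeholder, and the certificate and key directives are omitted.

```ini
# Before: the provider's default profile. OpenVPN over UDP 1194 is the
# traffic pattern that is reportedly being fingerprinted and dropped.
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server

# After: the same profile moved to TCP port 443, so the connection at least
# shares its port with HTTPS. The server must also be listening on TCP 443,
# which is why the provider has to support it at the server level.
client
dev tun
proto tcp
remote vpn.example.net 443
remote-cert-tls server

# Alternative: keep the normal endpoint first and fall back to TCP 443 only
# when it fails. OpenVPN tries the remote entries in order, and the third
# field overrides the protocol for that entry.
client
dev tun
remote vpn.example.net 1194 udp
remote vpn.example.net 443 tcp
remote-cert-tls server
```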
It is therefore worth asking your VPN provider about this (if you can contact it). Another option is to use the Secure Socket Tunneling Protocol (SSTP) (if available), which uses TCP port 443 by default.
SSL Tunneling with stunnel
stunnel is an open source multi-platform program that creates TLS/Secure Sockets Layer (SSL) tunnels. TLS/SSL is the encryption used by HTTPS, so VPN connections (usually OpenVPN) routed through these TLS/SSL tunnels are very difficult to tell apart from regular HTTPS traffic.
This is because the OpenVPN data is wrapped inside an additional layer of TLS/SSL encryption. As DPI techniques can’t penetrate this “outer” layer of encryption, they are unable to detect the OpenVPN encryption “inside.”
SSL tunnels are usually made using the stunnel software. You have to configure this on both the VPN server and your computer. It is therefore necessary to discuss the situation with your VPN provider if you want to use SSL tunneling (a setup guide is available here for reference).
AirVPN is the only VPN provider I know of to offer stunnel functionality “out of the box” using its custom open source software. I am not otherwise familiar with Anonyproz, but it can be configured for stunnel. Other providers might also offer this feature.
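To make the two-sided setup concrete, the following is an added example, not the article's linked setup guide or any provider's configuration: a minimal stunnel.conf for the server and for the client, followed by the lines that change in the client's .ovpn file. vpn.example.net, 203.0.113.10, the certificate paths and the port numbers are assumptions.

```ini
; --- /etc/stunnel/stunnel.conf on the VPN server ---
; Terminates the outer TLS layer on port 443 and hands the plain OpenVPN
; TCP stream to the OpenVPN daemon, which must run with "proto tcp" on 1194.
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key
pid  = /var/run/stunnel.pid
[openvpn]
accept  = 443
connect = 127.0.0.1:1194

; --- stunnel.conf on the client ---
; Listens locally and wraps whatever connects to it in TLS to the server.
; verify = 2 with CAfile and checkHost (stunnel 5.06 or later) pins the
; server certificate, so a TLS-intercepting middlebox on the path cannot
; silently impersonate the server.
client = yes
[openvpn]
accept    = 127.0.0.1:1194
connect   = vpn.example.net:443
verify    = 2
CAfile    = /etc/stunnel/ca.pem
checkHost = vpn.example.net

; --- lines that change in the client .ovpn ---
; OpenVPN now talks TCP to the local stunnel listener instead of the server.
; The route line matters when redirect-gateway is in use: without it the
; stunnel connection to the server's public IP would itself be pushed into
; the tunnel, and the session would loop and die.
proto tcp
remote 127.0.0.1 1194
route 203.0.113.10 255.255.255.255 net_gateway
```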
Obfsproxy and Stealth Servers
Obfsproxy is a tool designed to wrap data into an obfuscation layer. This makes it difficult to detect the use of OpenVPN (or any other VPN protocol).
To work, obfsproxy needs to be installed on both the VPN server and the client's computer. Beyond that, all that is required is that the following command lines are entered on the server and on the client respectively:
obfsproxy obfs2 --dest=127.0.0.1:1194 server x.x.x.x:5573
obfsproxy obfs2 --dest=x.x.x.x:5573 client 127.0.0.1:1194
The first line tells obfsproxy on the server to listen on x.x.x.x:5573 for obfuscated connections (x.x.x.x should be replaced with the server's IP address, or 0.0.0.0 to listen on all network interfaces), to connect locally to port 1194, where OpenVPN is listening, and to forward the de-encapsulated data to it. The second line does the reverse on the client: it listens on local port 1194 and obfuscates everything sent there towards x.x.x.x:5573, so the OpenVPN client is pointed at 127.0.0.1 port 1194 instead of at the server. It is probably best to set up a static IP with your VPN provider so the server knows which address to listen on.
Compared to stunnel and Secure Shell (SSH) tunneling, obfsproxy is not as secure. This is because it doesn’t wrap the traffic in encryption. It is, however, somewhat easier to set up and configure. It also has a much lower bandwidth overhead, since it isn’t carrying an additional layer of encryption.
Shadowsocks
This “is an open-source proxy application, widely used in mainland China to circumvent internet censorship.” It is an open source anti-Great Firewall tool/protocol/server created by a Chinese developer. Basically it’s a Socket Secure (SOCKS5) proxy that is available for most major platforms. It is reported that Shadowsocks still works in Egypt.
This is similar to Shadowsocks, but is only available for iOS.
Lahana
Derived from Tor, Lahana is designed to solve Tor’s problem with easily blocked exit nodes by making it “stupidly easy” to set up new nodes. Lahana was designed to defeat censorship in Turkey, but should also work well in many other censorship situations, including Egypt.
Psiphon
This uses a combination of VPN, SSH, and obfuscation technologies to bypass censorship. If you encounter a block when using VPN, for example, you can switch to SSH or obfuscated SSH (SSH+) instead. One of the best things about Psiphon is that if you find the Psiphon website blocked, you can request the software be sent to you via email (contact firstname.lastname@example.org).
In fact, most VPN providers are happy to let you sign up and download their software via email. Just ask.
Set up Your Own VPN Using WireGuard, AnyConnect, or SoftEther
If you have access to a computer outside Egypt, or know someone who does and is willing to help, you can set up a home PC to act as your personal VPN server. Alternatively, you can rent and configure a Virtual Private Server (VPS) to do the same.
The problem, of course, is that most VPN protocols are blocked in Egypt. This applies just as much if you run your own VPN server as it does using a commercial VPN service. WireGuard, however, is a lean and mean new VPN protocol that is not currently blocked in Egypt.
The main problem with this approach is that it requires a fairly high level of computer know-how. If your skills are up to it, Streisand is probably the easiest way to set up such a personal VPN server.
Note that it is possible Egyptian ISPs might get around to blocking these protocols at some point too.
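As an added example of what the personal-server option involves, not Streisand's output and not part of the article, here is a minimal WireGuard peer pair. The public IP 203.0.113.10, the interface name eth0, the 10.8.0.0/24 range and the key placeholders are assumptions; each machine generates its own key pair with wg genkey | tee privatekey | wg pubkey > publickey and only public keys are exchanged.

```ini
# /etc/wireguard/wg0.conf on the server outside Egypt (start: wg-quick up wg0)
# Needs net.ipv4.ip_forward=1 in sysctl so traffic can leave the tunnel.
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# NAT tunnel traffic out of the public interface (eth0 is an assumption).
PostUp   = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] block per client. AllowedIPs is the only source address the
# server accepts from this key, so it doubles as access control.
[Peer]
PublicKey  = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# /etc/wireguard/wg0.conf on the client inside Egypt
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
# Resolve DNS through the tunnel so queries do not leak to the local ISP.
# 10.8.0.1 assumes a resolver on the server; any resolver reached via the
# tunnel works.
DNS = 10.8.0.1

[Peer]
PublicKey  = <SERVER_PUBLIC_KEY>
Endpoint   = 203.0.113.10:51820
# 0.0.0.0/0 sends all IPv4 traffic through the tunnel; ::/0 does the same
# for IPv6 so that v6 traffic cannot bypass the VPN.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the UDP mapping alive through NAT and notices a dead path sooner.
PersistentKeepalive = 25
```

WireGuard runs over UDP on a port you choose, so the usual DPI countermeasure is limited to picking a less obvious port; the caveat above about future blocking applies.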
The Egyptian government is trying to shut down dissent by preventing access to information that is vital to the interests of the Egyptian people. VPNs are a good way to bypass such censorship, so it is very worrying to hear that they are being blocked.
There are ways, however, to get around these blocks. Most of these will also hide the fact that you are trying to evade government censorship, and should therefore help keep you from getting into trouble with the authorities.
Do please be aware, however, that nothing is risk-free. It is therefore important to make an informed decision when balancing the need for an objective understanding of what is going on, with the need to ensure your personal safety. So be careful.