A country can and absolutely will block known VPN ingress points. There are two tricks that we can use to circumvent this:

- Host on a piece of infrastructure that's so big that you can't effectively block it without causing a major internet outage (think: S3, Cloudflare R2, etc). Bonus points if you can leverage something like ECH (ex-ESNI) to make it harder to identify a single bucket or subdomain.

- Keep spawning new domains and subdomains to distribute your binaries.

There are complications with both approaches. Some countries block ECH outright. Some have no problem shutting the internet down wholesale for a little bit. The domain-hopping approach presents challenges w/r/t establishing trust (though not insurmountable ones, much of the time).

These are thing that have to be judged and balanced on a case-by-case basis, and having partners on the ground in these places really helps reduce risk to users trying to connect from these places, but then you have to be very careful talking to then since they could themselves get in trouble for trying to organize a VPN distribution network with you. It's layers on layers, and at some point it helps to just have someone on the team with a background in working with people in vulnerable sectors and someone else from a global affairs and policy background to try and keep things as safe as they can be for people living under these regimes.

▲

geokon 8 days ago | parent | next [-]

you can also throttle

for instance AWS hosted things in China are typically just severly throttled and flaky. Github is the best example. it works but webpage assets often either dont load or load incredibly slowly. this pushes people to local services without breaking the web entirely

▲

shawa_a_a 9 days ago | parent | prev | next [-]

I've heard of domain fronting, where you host something on a subdomain of a large provider like Azure or Amazon. Is this what you're talking about when you say

> - Host on a piece of infrastructure that's so big that you can't effectively block it without causing a major internet outage (think: S3, Cloudflare R2, etc).

How can one bounce VPN traffic through S3? Or are you just talking about hosting client software, ingress IP address lists, etc?

▲

_verandaguy 9 days ago | parent | next [-]

That's generally for distribution, but yeah, it's a form of domain fronting.

There are some more niche techniques that are _really_ cool but haven't gained widespread adoption, too, like refractive routing. The logistics of getting that working are particularly challenging since you need a willing partner who'll undermine some of their trustworthiness with some actors to support (what is, normally, to them) your project.

	▲	jart 9 days ago \| parent [-]
		If I understand correctly, refractive routing basically just gets big trustworthy cloud providers to host the VPNs so that third world governments can't block them without blocking the cloud too. It's an unfortunate solution since tech platforms are international entities that should be neutral. When America asks them to take sides and prevent other countries from implementing their desired policies, America is spending the political capital and trust that tech companies worked hard to earn. It's also really foolish of those countries to just block things outright. They could probably achieve their policy goals simply by slowing down access to VPN endpoints.

▲

incrediblesulk 9 days ago | parent | prev [-]

I thought a lot of the domain-fronting approaches have largely been closed from policy changes at major CDNs (e.g. https://techcommunity.microsoft.com/blog/azurenetworkingblog...) . Or is it still possible through other approaches?

	▲	sterlind 9 days ago \| parent [-]
		ECH (Encrypted Client Hello) brings back a kind of domain fronting, except you don't need to front anything at all. the Client Hello itself is encrypted, so the SNI is hidden. hopefully ECH will catch on. I suspect the corporate backlash over domain fronting was them not wanting to be caught in the crossfire if their domain was used as a front. if e.g. Signal used "giphy.com" as a front, Russia might block giphy to block Signal. but if Signal is hosted on, say, AWS, and ECH was used, Russia would have no option other than blocking the entirety of AWS, since all TLS handshakes to AWS would look the same. though cloud providers (other than CloudFlare, respect!) don't seem to care about censorship or surveillance anymore, and might decline to adopt ECH if some lucrative market complains.

▲

hsbauauvhabzb 9 days ago | parent | prev [-]

Sorry I’m referring to WireGuard/ovpn server IPs, not the binaries/configs used to setup a client. Unless you’re talking about fronting for both, but I imagine it is not economical to run a commercial -scale privacy vpn via a cloud provider.