
I set up WireGuard server for my family back in Russia in the first days of the war and since then provided VPN access to a few more families. It’s been a lot more stable than relying on popular VPN providers who get banned one after another.

Any advice on alternatives to WireGuard, if Russian gov manages to ban it on protocol level with DPI?



While working in an environment where VPN connections were pretty much all blocked⁰ a friend of mine had success using https://guacamole.apache.org/ to access a remote machine¹. Not quite the same as a direct VPN connection but worth a try if nothing else functions, it looks enough like normal HTTPS traffic that he got away with it.

To keep your wireguard setup more as-is, you could try https://kirill888.github.io/notes/wireguard-via-websocket/ to tunnel that via a web server. In fact https://github.com/erebe/wstunnel which that uses could be used just as well with any other UDP based VPN.

I once tinkered with https://github.com/yarrick/iodine and successfully connected to resources over the wireless on a train, bypassing its traffic capture and sign-up requirement, so that might be an option, though I think fully blocking external DNS is more common now so this is less likely to work²³.

--

[0] practically only HTTP(S) permitted, not even SSH, DPI in use that detected just using SSH or OpenVPN over port 443

[1] NOTE: be careful breaching restrictions like this, you are at risk of an insta-sacking if discovered, or worse if operating in some security environments!

[2] and the latency when it does work is significant!

[3] and that much traffic over port 53 might get noticed by the heuristics of data exfiltration scanner, encouraging sysadmins to notice and implement a way to block it


Most of these nation-state-run blocking attempts tend to block known VPNs but allow ssh through. So, my suggestion would be ppp over ssh. See https://tldp.org/HOWTO/pdf/ppp-ssh.pdf for more details. You'll need a Linux-ish server, and you'll need to fiddle with routing tables on both the server and the client to get the incoming VPN connections to be able to contact the wider internet. But it's probably the least likely to be blocked.


It's quite trivial to tell if this SSH connection is just a tty or serves as a passthrough for something else, just by usage patterns.


SOCKS5 SSH has been my go-to for years.

ssh -D9050 <somehost>;

point your browser to localhost:9050 and bobs-your-uncle.


That approach, while convenient, is not safe. It does not guarantee non-TCP traffic will be proxied. (You can test with a “WebRTC leak tester”.)
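One way to confirm the point above from the command line rather than with a browser-based leak tester, as an added example that is not from this thread: OpenSSH's `-D` dynamic forwarding implements only the SOCKS5 CONNECT command (TCP), so asking it for a UDP ASSOCIATE shows whether UDP (DNS, WebRTC/STUN) has any path through the tunnel. The script assumes the proxy sits on 127.0.0.1:9050 as in the comment above; the framing follows RFC 1928.

```python
"""Probe a local SOCKS5 proxy (e.g. the one `ssh -D9050 host` opens) for UDP support.
Anything other than "succeeded" means the application's UDP traffic bypasses the tunnel."""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}

def build_greeting():
    # VER=5, NMETHODS=1, METHODS=[0x00 no authentication] (all ssh -D offers)
    return bytes([SOCKS_VERSION, 1, 0x00])

def build_request(cmd, host, port):
    # VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT; IPv4 literal or domain name
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        raw = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data):
    # Returns (reply code, human text) from the VER/REP/RSV/ATYP header of a reply
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1], REPLY_TEXT.get(data[1], "unknown")

def probe_udp_associate(proxy_host="127.0.0.1", proxy_port=9050, timeout=3.0):
    # Asks the proxy for a UDP relay; returns the proxy's verdict as text
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_greeting())
            choice = s.recv(2)
            if len(choice) < 2 or choice[0] != SOCKS_VERSION or choice[1] != 0x00:
                return "proxy rejected the no-auth method"
            s.sendall(build_request(CMD_UDP_ASSOCIATE, "0.0.0.0", 0))
            reply = s.recv(22)
            if not reply:  # OpenSSH simply drops the connection for unsupported commands
                return "proxy closed the connection without a reply (command refused)"
            return parse_reply(reply)[1]
    except (OSError, ValueError) as e:
        return f"could not complete probe: {e}"

if __name__ == "__main__":
    verdict = probe_udp_associate()
    print(f"UDP ASSOCIATE via the local SOCKS proxy: {verdict}")
    if verdict != "succeeded":
        print("UDP is not tunnelled; disable WebRTC/UDP in the app or use a real VPN")
```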


Using Links+ to proxy all info into that not leaking everything should be mandatory. TOR, I2PD, anything.

If you are using a JS based browser, you don't deserve security in first place.

If any, you can always use torsocks and yt-dlp to fetch all media.

If I had time I could set up a tutorial not to use SSH as a proxy, but as a client to a remote VPS/tilde to use the offpunk client there to browse web/gemini and gopher sites anonymously. OFC you won't get images, but at least you could be able to read news nicely formatted either from gemini://gemi.dev or natively from offpunk.

Non-techie Russians can use Lagrange in Android and gemini://gemi.dev to read most media through an HTTP->Gemini proxy which makes a great job on reformatting the sites and cutting down the bandwidth.

Basic English is required, but if you can read "News Waffle" and copy the URL into that dialog box, you can get lots of interesting sites.


> If you are using a JS based browser, you don't deserve security in first place.

In some cases, that is true, but not all, and I suggest not even most. In many cases, I think people are just as culpable for being unwilling to use Whonix.

> If I had time I could set up a tutorial not to use SSH as a proxy, but as a client to a remote VPS/tilde to use the offpunk client there to browse web/gemini and gopher sites anonymously.

https://github.com/browsh-org/browsh can be pretty decent, too.

Aside, it's a shame that it's not common practice to provide resource gleanings in the form of such access to random others from one's VPS. An easily reproduced NixOS environment in VM with locked down containers proxying through a local tor instance(s) would scale up alright and significantly limit risks for the donor. I find very few people take up the offer to even use another's VPS though.



