I don't think anyone outside the Chinese government knows exactly how the Great Firewall blocks VPNs, but deep packet inspection alone doesn't get very far with secure end-to-end encryption as used by any competent VPN protocol.

https://en.wikipedia.org/wiki/VPN_blocking#China

I believe what the Great Firewall is doing is basically assigning scores to TLS connections to assess the likelihood that it's a VPN or some other anti-censorship connection. How do they do the scoring?

- known VPN gateway IPs
- connection duration
- packet timing distribution
- packet size distribution
- TLS implementation fingerprinting (ciphersuite choice, TLS flags, etc. can distinguish common VPN clients like Cisco AnyConnect from general-purpose HTTPS browsers like Chrome)

… and then the GFW injects persistent blocking/interference between the endpoints if the score is high enough.

Similar for SSH.

Dan

On Tue, Dec 3, 2019 at 6:56 AM H <agents@xxxxxxxxxxxxxx> wrote:
>
> On 12/01/2019 01:07 PM, Siyuan Ren wrote:
> > Sadly I do need Cisco client compat. Guess there is simply no way around it.
> >
> > On Sun, Dec 1, 2019 at 2:18 PM Nikos Mavrogiannopoulos
> > <n.mavrogiannopoulos@xxxxxxxxx> wrote:
> >> Yes. You will need to turn off the cisco client compatibility though and the behavior should change to what you described.
> >>
> >> Regards,
> >> Nikos
> >>
> >> On December 1, 2019 3:19:02 AM UTC, Siyuan Ren <netheril96@xxxxxxxxx> wrote:
> >>> Hi,
> >>>
> >>> I don't want people (well, more specifically, China's great firewall)
> >>> to find out that my VM has an openconnect server running.
> >>>
> >>> Currently I only allow login via client certificate. I expected when
> >>> users do not present a valid client certificate, the TLS connection is
> >>> never established, so no one can find out what exactly is protected by
> >>> the TLS connection. But in reality, my ocserv responds with
> >>>
> >>> ```
> >>> <config-auth client="vpn" type="auth-request">
> >>> <version who="sg">0.1(1)</version>
> >>> <auth id="main">
> >>> <message>Please enter your username.</message>
> >>> <form method="post" action="/auth"> </form>
> >>> </auth>
> >>> </config-auth>
> >>> ```
> >>>
> >>> which clearly tells others that it is a VPN.
> >>>
> >>> Is it possible for ocserv to outright close the endpoint if client
> >>> certificates are not present or valid?
> >>>
> >>> _______________________________________________
> >>> openconnect-devel mailing list
> >>> openconnect-devel@xxxxxxxxxxxxxxxxxxx
> >>> http://lists.infradead.org/mailman/listinfo/openconnect-devel
> >> --
> >> Sent from my mobile. Please excuse my brevity.
>
> Out of interest - would this bypass scrutiny by the Great Firewall? Do they also not conduct packet inspections of connections that would reveal a VPN connection?
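An added illustration of the TLS-fingerprinting point in Dan's reply (example code, not from the thread or from the openconnect project): a JA3-style fingerprint derived from a raw ClientHello, i.e. what any middlebox, or your own IDS, can compute from the first unencrypted packet regardless of what the tunnel later carries. The ClientHello bytes are constructed for the example, not captured.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 strings, as the reference implementation does.
GREASE = {v << 8 | v for v in range(0x0A, 0x100, 0x10)}


def _u16_list(data: bytes) -> list:  # big-endian uint16 list, GREASE entries removed
    return [v for (v,) in struct.iter_unpack(">H", data) if v not in GREASE]


def ja3(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                   # skip client_version and client_random
    pos += 1 + body[pos]                           # session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = _u16_list(body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    exts, groups, formats = [], [], []
    if pos + 2 <= len(body):                       # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                        # supported_groups: u16 length, u16 list
                groups = _u16_list(edata[2:])
            elif etype == 11:                      # ec_point_formats: u8 length, u8 list
                formats = list(edata[1:])
    s = ",".join([str(version)] + ["-".join(map(str, f)) for f in (ciphers, exts, groups, formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed ClientHello (not a capture): GREASE suite + extension, four real suites, x25519/secp256r1.
CLIENT_HELLO = bytes.fromhex(
    "16 0301 004b"                    # record header: handshake, length 75
    "01 000047"                       # ClientHello, length 71
    "0303" + "00" * 32 +              # client_version 3.3, client_random (zeros)
    "00"                              # session_id length 0
    "000a 0a0a 1301 1302 c02b c02f"   # cipher_suites
    "01 00"                           # compression_methods: null
    "0014"                            # extensions length 20
    "0a0a 0000"                       # GREASE extension, empty
    "000a 0006 0004 001d 0017"        # supported_groups
    "000b 0002 01 00"                 # ec_point_formats
)
```

Two clients that differ only in cipher order or extension set produce different strings, which is exactly why a VPN client and a browser are separable before any payload is inspected.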