Using bridges against Tor browser blocking: how Tor works, whether it can be blocked, and what to do if the whole Tor network is blocked

Why do you need a VPN?

Using VPN services, you can bypass blocking of sites that do not work in Russia (for example, Spotify). But that's not the only reason they are needed. Remote workers and branch employees connect via VPN to corporate services, thereby not putting company data at risk. People who access the Internet via public Wi-Fi and are afraid that their data will be intercepted also use a VPN to protect themselves from intruders.

How does it work? Normally your computer reaches the Internet through the provider's equipment; a VPN service instead sets up an encrypted tunnel between your computer and a remote server, and your traffic takes that roundabout path. Because everything inside the tunnel is encrypted, neither the provider nor an eavesdropper can see which sites you visit over the VPN connection or what you do there. Sites, in turn, do not see your computer's real IP address, since you appear under the VPN server's address. A VPN (Virtual Private Network) creates a secure private network on top of the unsecured Internet.

How will it be blocked?

Sarkis Darbinyan: “There are many ways a person can use: research the issue and easily set up your own VPN, use other solutions such as Psiphon, Tor, browser turbo modes or plugins, or purchase another VPN service that cares about its users and takes prompt action.”

What will the blocking lead to?

Artem Kozlyuk: “Almost all business is tied to VPN. The virtual private networks of every enterprise, from small to large, are at risk. VPN malfunctions can occur at any time due to incorrect enforcement of the new law. We have seen countless times how Roskomnadzor implements such laws: firstly, they are poorly written from the technical side, and secondly, in the course of enforcement, Roskomnadzor raises this technical illiteracy to new proportions.”

Markus Saar: “It is still not clear how verification and control will take place. VPN, unlike an anonymizer, is a closed network, and to access it you must purchase a paid subscription and install the software. Moreover, some services do not have their own software, and you need to configure the connection manually using configuration files, keys and certificates. The second question is how rational it is to ‘hit’ tech-savvy users who have reached the point of using VPN, Tor and other tools. After all, if they once found the strength and desire to bypass censorship, they will do it again and again.”

Sarkis Darbinyan: “Blocking VPN traffic by telecom operators clearly means colossal damage to the entire corporate sector and the country's digital economy, and reduces the security of Russian citizens in the global digital environment in the face of foreign intelligence services, corporations and attackers who use vulnerabilities for surveillance and data theft. No one has ever managed to completely block the ability to transmit and receive information via VPN, even in Asian and Muslim countries with repressive regimes. Providers have lists of IP addresses of the most popular VPNs, which they update and block at intervals. But VPN traffic has also learned to disguise itself. A VPN provider can create new IP addresses as often as every minute (plus endless IPv6), so this will become increasingly difficult and expensive.”

A decree has been issued in Belarus on ways of restricting access to websites. It reveals that, in case of a violation of the law, everything can be blocked for everyone.

Among other things, it is planned to limit access to proxy servers and networks such as Tor, through which users will try to access blocked sites.

There is no way to find out which site a user is trying to reach through a proxy server. If the technology is implemented properly, the channel is encrypted and no one can tell which site the user is visiting through a proxy, Tor or VPN, so you cannot catch him red-handed. The only remaining option, therefore, is to block all proxies and VPNs outright.

Catching those who go through proxies to prohibited sites is almost impossible and expensive. This means that either everyone will be blocked, or history will repeat itself, as with Decree 60. It will be spelled out in the law, but in practice no one will block all proxies, VPNs and Tor. Until a certain point...

You can block the Tor browser, but not for everyone and not for long

There are several technologies for circumventing censorship on the Internet, and the Tor browser is the most popular. Blocking it is difficult, but at the right moment it can be done for most users. There are several ways.

Prevent downloading of Tor browser

You can close sites for downloading the program itself. And create fake download sites where you can post a version of the browser with a virus. This will make it difficult for users to get it.

Block addresses built into the browser

The Tor browser changes ports and uses a whole network of computers to reach sites. Torrent file sharing works on the same principle: you download a file from several different computers at once. Naturally, it is difficult to block them all.

But for its first connection the browser relies on certain addresses built into it, which are easy to find by studying the browser and then block. China does this with varying success. Of course, computer specialists will quickly be able to enter new addresses, but for most users the Tor browser will stop working for a while, until the developers release an update that solves the problem.

You can also block VPN

There are three VPN technology options. Some are easy to block because they access the Internet through certain ports that can be easily recognized and closed.

OpenVPN, for example, is not so easy to block. The program can pretend to be a regular browser that accesses the Internet via an encrypted channel.

There are about 100 of the most common VPN providers. Blocking them is not difficult: just go down the list, collect all their server addresses and block them. China does this quite effectively.

Businesses and computer geeks will be able to find VPN servers that are not blocked. But this is not an option for everyone.

It's easy to block web proxies

The third option for accessing sites is a web proxy. Web proxies are, in fact, ordinary websites: by searching for them you can find the most popular ones and restrict access to them in the same way as to any other site. There are programs that can spin up a proxy of your own, but most Internet users will not manage to master them.

There are projects that can bypass censorship

The Lantern project was designed as an effective way of bypassing censorship. Its operating principle is that users become proxy servers for each other. But there are no simple solutions yet: if the new law is enforced with enthusiasm, it can cause problems for this method; if not, it will be easy to bypass.

Blocking for a limited time, in a way that works against most users, is easy. But the law can also be kept in reserve, simply to be used at a certain moment.

Website blocking is a commercially available technology. Belarus can buy a ready-made solution and launch it fairly quickly. Companies in Europe and Russia are engaged in the production of such solutions.

On February 26, the document was adopted by the Operational Analytical Center under the Presidential Administration and the Ministry of Communications in agreement with the Ministry of Information.

What if you want to surf the web without far-fetched restrictions, but you don’t want to change the proxy every time in your browser? What if you want to access both prohibited sites and normal ones, and at the same time, the speed at which regular sites open does not suffer? What if you are interested in knowing what is going on in remote parts of the global network?

Based on these considerations, we need to:

  • Regular sites open as usual
  • Prohibited sites open via Tor without any settings
  • All sites in the .onion zone also open without any settings

On the one hand, the requirements are contradictory. On the other hand, what can’t you do for the sake of convenience!

One could recall the various ways and tools for bypassing DPI, but if you do not want to think about any of that, and would rather set it up once and forget it, then Tor has no equal for solving the problem of easy access to blocked sites.

You will not get complete anonymity by following these instructions alone. Anonymity without OPSEC measures is impossible. The instructions only imply bypassing restrictions.

What do we need?

To begin with, we need either a router or a server that works as a transparent bridge that passes all traffic through it. This could be an existing server, or it could be a box with a Raspberry Pi. Ordinary compact routers with Linux may also be suitable, if in principle it is possible to install the necessary packages on them.

If you already have a suitable router, then you don’t need to configure the bridge separately and you can.

If installing Tor on your router is a problem, then you will need any computer with two network interfaces and Debian Linux on board. You will ultimately connect it to the network gap between the router, which faces the outside world, and your local network.

If you don’t care about servers and routers, then maybe.

Let's set up a bridge

Setting up a bridge in Debian is not a problem. You will need the brctl program, which is included in the bridge-utils package:

apt install bridge-utils

The permanent configuration for the bridge is set in /etc/network/interfaces. If you are making a bridge from interfaces eth0 and eth1, then the configuration will look like this:

# Mark the interfaces as manually configured
iface eth0 inet manual
iface eth1 inet manual

# The bridge comes up automatically after a reboot
auto br0

# Bridge with IP acquisition via DHCP
iface br0 inet dhcp
    bridge_ports eth0 eth1

# Bridge with static IP
iface br0 inet static
    bridge_ports eth0 eth1
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1

You need to choose one configuration for the bridge: with dynamic IP or static.

Note that at this stage it is not necessary to put the server into the network gap: you can get by with just one connected interface.

Let's ask the system to apply the new settings:

service networking reload

Now you can check the existence of the bridge with the brctl show command:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0011cc4433ff       no              eth0
                                                        eth1

You can view the issued IP address, and generally check whether an IP was issued via DHCP or statically, using the ip command:

# ip --family inet addr show dev br0 scope global
4: br0: mtu 1500 qdisc noqueue state UP
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br0

If everything is in order with the IP addresses, you can already try putting the server into the network gap...

In the end, all devices on your network, connected through the server, should have full access to the global network as if there were no server between them and the external router. The same applies to DHCP and everything else. All of this is worth checking before moving on to setting up Tor.

If something does not work the same as before, or does not work at all, you should first solve the problems, only then move on to setting up Tor itself.

Let's set up the Tor daemon

Tor is installed in the usual way. We also install the GeoIP database that maps addresses to countries:

apt install tor tor-geoipdb

At the end of the configuration file /etc/tor/torrc you need to add directives to enable the proxy server function:

VirtualAddrNetworkIPv4 10.0.0.0/8
AutomapHostsOnResolve 1
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:5300

Let's restart Tor and check that the DNS in our configuration works on some well-known site:

# service tor restart
# dig +short facebookcorewwwi.onion @localhost -p 5300
11/10/127.156

The last command should return an IP from the 10.0.0.0/8 subnet.

On restart, Tor complains that TransPort and DNSPort are bound to a public IP, which outsiders could in fact reach. Let's fix this by allowing connections only from the local network (in my case 192.168.1.0/24):

iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 9040 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5300 -j ACCEPT
iptables -A INPUT -p tcp --dport 9040 -j DROP
iptables -A INPUT -p udp --dport 5300 -j DROP

The last two rules can be skipped if you have the default DROP rule for the INPUT chain.

Let's set up access for the entire local network

For all devices on the network to be able to reach sites in Tor, we need to redirect all requests destined for the dedicated network 10.0.0.0/8 to the port of Tor's built-in transparent proxy:

iptables -t nat -A PREROUTING -p tcp -d 10.0.0.0/8 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT -p tcp -d 10.0.0.0/8 -j REDIRECT --to-port 9040

We add two rules for the PREROUTING and OUTPUT chains so that the scheme works not only from devices on the network, but also from the server itself. If this scheme is not required to work from the server itself, then adding a rule to the OUTPUT chain can be skipped.

Forwarding DNS requests to the .onion zone

This problem can be solved either by substituting your own DNS server in the DHCP responses to clients or, if it is not customary on your network to run a local DNS server, by intercepting all DNS traffic. In the second case you need not configure anything at all, but all your clients, including you, lose the ability to make arbitrary requests to arbitrary servers, which is an obvious inconvenience.

We will only forward DNS requests that mention the .onion domain to the port of the built-in DNS server, leaving all other requests alone:

iptables -t nat -A PREROUTING -p udp --dport 53 -m string \
    --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5300
iptables -t nat -A OUTPUT -p udp --dport 53 -m string \
    --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5300

The magic string 056f6e696f6e00 reflects how DNS encodes names on the wire: a dot is not transmitted; instead each label is preceded by a byte giving its length. So our magic string starts with 0x05 for the five characters of the word onion, followed by the word itself (6f 6e 69 6f 6e), and ends with a zero byte 0x00 because the root label (the final dot) has zero length.
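The byte-level reasoning above, as an added Python illustration (this is not code from the original article): it encodes query names the way DNS does on the wire, builds a minimal query packet, and applies the same substring test that the iptables string match performs. The hostnames are constructed samples, and the matcher is a model of the rule, not the kernel's implementation.

```python
import struct

# The byte sequence matched by the iptables rules above: 0x05, "onion", 0x00
ONION_SUFFIX = bytes.fromhex("056f6e696f6e00")


def encode_qname(name: str) -> bytes:
    """Encode a hostname as a DNS wire-format QNAME.

    Dots are not transmitted: every label is preceded by one byte holding
    its length, and the name ends with a zero byte for the root label.
    """
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query packet (the UDP payload): header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = encode_qname(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def matches_onion_rule(udp_payload: bytes) -> bool:
    """Model of `-m string --hex-string "|056f6e696f6e00|" --algo bm`:
    a plain substring search for the pattern anywhere in the payload."""
    return ONION_SUFFIX in udp_payload


def classify(names) -> dict:
    """For each constructed hostname, would its A query be redirected to Tor's DNSPort?"""
    return {n: matches_onion_rule(build_a_query(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names, not real registry or network data
    for name, hit in classify(["facebookcorewwwi.onion", "onion.example.com",
                               "myonion.com", "example.com"]).items():
        print(f"{name:28s} {encode_qname(name).hex():48s} redirected={hit}")
```

The pattern only matches when onion is the last label: onion.example.com encodes onion followed by 0x07 (the length of example), not 0x00, and myonion.com carries a seven-byte label, so neither query is redirected. A query for the single bare label onion does match, which is harmless here because it merely goes to Tor's resolver instead of the upstream one.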

This approach allows your users (and yourself) to use whatever DNS servers are convenient for them, as well as request information from any DNS servers without intermediaries. However, no requests in the .onion zone will reach the open Internet.

Now try to reach some popular site on the Tor network from any device on the local network. For example, like this:

$ curl -I facebookcorewwwi.onion
HTTP/1.1 301 Moved Permanently
Location: https://facebookcorewwwi.onion/

Debugging and solving possible problems

If you want to make sure that no DNS requests to .onion go further than the server, then you can check their absence like this:

ngrep -q -d br0 -W byline onion udp port 53

Normally this command, run on the server, should show a complete absence of such packets, that is, output nothing, no matter what you do.

If Firefox doesn't see .onion

Firefox refuses to resolve .onion names by default; this is controlled in about:config by the key network.dns.blockDotOnion. If this bothers you, and the prospect of accidental de-anonymization does not (after all, we no longer let DNS queries for .onion out onto the open Internet), you can disable that setting.

Mobile Safari and .onion

iOS programs, including Safari and Chrome, generally ignore .onion when working according to this scheme. I don’t know how to fix this problem within such a scheme.

The provider replaces the IP in the DNS

Some providers, for economic reasons, instead of blocking sites by IP or via DPI, only replace the IP for DNS queries using a list of prohibited sites.

The simplest solution to this problem is to switch to Google Public DNS servers. If this does not help, which means your provider redirects all DNS traffic to its server, then you can switch to using Tor DNS, in turn redirecting all traffic to it:

iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5300
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5300

My network uses IPs from 10.0.0.0/8

No problem! In all directives above, use some other subnet from those intended for this, excluding the reserved ones. Seriously, pay attention to the reserved ones.

In addition, it is not necessary to use the entire range at once - you can limit yourself to a subnet. For example, 10.192.0.0/10 will do.

Bypassing blocks via Tor

To reach blocked sites via Tor, first make sure you are not fooling yourself by using exit nodes subject to the same restrictions as you because of your geographic location. This is done by listing in torrc the countries whose exit nodes must not be used:

ExcludeExitNodes {ru},{ua},{by}

Updating the registry

The registry does not stand still and the list of blocked sites is growing. Therefore, you need to download the current IP list from time to time and add it to ipset. The best way to do this is not by downloading the entire list each time, but by downloading only the changes, for example, from here from GitHub.

#!/bin/bash
set -e
mkdir -p /var/local/blacklist
cd /var/local/blacklist
# Update the checkout, or clone it into the current directory on first run
git pull -q || git clone https://github.com/zapret-info/z-i.git .
ipset flush blacklist
# Skip the header line, take the first (IP) column, pull out IPv4 addresses,
# keep a copy for restoring after reboot and feed them into the ipset
tail -n +2 dump.csv | cut -f1 -d \; | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | tee /var/local/blacklist/blacklist.txt | xargs -n1 ipset add blacklist

It is possible to delete and add only IPs that have changed in the list, for which you may find git whatchanged useful.
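One way to apply only the changes, as an added Python example that is not the article's own cron script: it parses the dump.csv layout the script above assumes (a header line that tail skips, ';'-separated fields, one or more IPv4 addresses separated by '|' in the first field), validates each candidate address, and derives the ipset add/del commands from the difference between the old and new lists. Both CSV texts are constructed samples using documentation address ranges, not real registry data.

```python
import ipaddress
import re
from typing import Iterable

# Same shape as the grep in the cron script, but every match is validated
# afterwards, because [0-9]{1,3} also accepts octets such as 999.
IPV4_RE = re.compile(r"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")

# Constructed sample dumps in the assumed layout (first line is a header)
OLD_DUMP = """Updated: 2018-01-01 00:00:00 +0300
203.0.113.10 | 203.0.113.11;example.org;http://example.org/;Org;1-1;2017-01-01
198.51.100.5;;;Org;1-2;2017-01-02
999.1.1.1;bogus.example;;Org;1-3;2017-01-03
"""

NEW_DUMP = """Updated: 2018-01-02 00:00:00 +0300
203.0.113.10;example.org;http://example.org/;Org;1-1;2017-01-01
198.51.100.5 | 198.51.100.6;;;Org;1-2;2017-01-02
"""


def extract_ips(dump_csv: str) -> set:
    """Return the set of valid IPv4 addresses found in column 1 of dump.csv."""
    ips = set()
    for line in dump_csv.splitlines()[1:]:  # skip the "Updated:" header line
        if not line.strip():
            continue
        first_field = line.split(";", 1)[0]
        for candidate in IPV4_RE.findall(first_field):
            try:
                ips.add(str(ipaddress.IPv4Address(candidate)))
            except ipaddress.AddressValueError:
                pass  # 999.1.1.1 and similar non-addresses are dropped here
    return ips


def diff_blacklist(old_ips: Iterable[str], new_ips: Iterable[str]) -> tuple:
    """Addresses to add and to remove, as sorted lists."""
    old, new = set(old_ips), set(new_ips)
    return sorted(new - old), sorted(old - new)


def ipset_commands(to_add, to_remove, setname: str = "blacklist") -> list:
    """ipset commands that apply the diff; -exist keeps them idempotent."""
    cmds = [f"ipset add -exist {setname} {ip}" for ip in to_add]
    cmds += [f"ipset del -exist {setname} {ip}" for ip in to_remove]
    return cmds


def update_plan(old_csv: str = OLD_DUMP, new_csv: str = NEW_DUMP) -> list:
    """Commands needed to move the ipset from the old dump to the new one."""
    to_add, to_remove = diff_blacklist(extract_ips(old_csv), extract_ips(new_csv))
    return ipset_commands(to_add, to_remove)


if __name__ == "__main__":
    for cmd in update_plan():
        print(cmd)
```

Keeping the previous dump.csv (or its extracted address list) beside the fresh checkout is enough to compute the diff; the set is then never empty between a flush and a refill, which matters if traffic is matched against it while the update runs.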

If the script above suits you, then the place for it is /etc/cron.daily/blacklist-update . Don't forget to give this file executable permissions.

chmod +x /etc/cron.daily/blacklist-update

Saving the settings

apt install iptables-persistent

dpkg-reconfigure iptables-persistent

Unfortunately, there is no such convenient package for ipset yet, but this problem is solved by the /etc/network/if-pre-up.d/ipset script:

#!/bin/sh
# Create the set if it does not exist yet, then refill it from the saved list
ipset -exist create blacklist hash:ip
cat /var/local/blacklist/blacklist.txt | xargs -n1 ipset add -exist blacklist

You must also give this script execution rights:

chmod +x /etc/network/if-pre-up.d/ipset

On the next reboot, this script will be executed and restore the list of blocked IPs.

If we forget about servers...

Okay, you tell me, what if I want to get the same convenient access to .onion, but without servers - locally, on one computer?

No problem! In this case everything is even simpler. It is enough to add these three lines to torrc:

AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5300

Then these two rules for iptables:

iptables -t nat -A OUTPUT -p tcp -d 127.192.0.0/10 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT -p udp --dport 53 -m string \
    --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5300

Then you can test it. Access to blocked sites is configured according to the instructions above.

A spoon of tar

Despite its simplicity and convenience, this approach inherits some of the disadvantages of the Tor network.

You reach prohibited sites on the Internet under the identity of the exit nodes, which gives exit-node operators the fundamental ability to watch your traffic and your passwords if encryption is not used to reach the target site (the address must begin with https, or a green padlock 🔒 must show in the address bar).

You would hope that the administrators of such sites would not spy on you for the sake of their own good night's sleep, but...

If you reach a site over an unsecured connection, whether via Tor or directly, you should always keep in mind that your logins and passwords may well end up in a folder of correspondence on the desk of a person in uniform.

That's all!

Is there anything still unclear? Is there anything you need to fix or is there something you especially liked? Write below in the comments.

With such initiatives, the free Internet is shrinking before our eyes. At the same time, most users are sure that Tor and VPN cannot be restricted in any way. We asked Mikhail Lisnyak for advice on this; he is the creator of Zenrus, a meditative service for tracking currency quotes and oil prices, and a teacher at Moscow Coding School, where course registration opened today.

VPN, in a nutshell, is the creation of a virtual network on top of another network, such as our Internet. That is, an encrypted channel is created between the user and the VPN server, through which the user connects to another network, so that a person from Moscow accesses the Internet as if he were, for example, in Amsterdam. We are now considering just the VPN use case that the news is about; in general there are various types and many more applications, but their operating principles are exactly the same.

Tor is a routing system based on encryption and a distributed network of intermediary nodes (they can also be ordinary Tor users). When connecting to Tor, the client collects a list of available intermediary nodes, selects several of them, and in turn encrypts each sent packet with the keys of the selected nodes. Next, this packet, encrypted with several keys, is sent to the first (input) intermediary node. The latter decrypts its key and sends the packet further, the second node decrypts its own, and so on. At the end, the last node decrypts the last “layer” and sends the packet out to the Internet. You can think of it as an onion, with each subsequent node peeling off a layer. Actually, this is what Tor stands for - The Onion Routing, that is, “onion routing”. Since almost the entire path of the packet is encrypted and no one except the input node knows the sender of the packet, the system ensures anonymity and security of traffic.

But Tor can be blocked. First, the Tor client must somehow obtain a list of entry nodes. To do this, the client connects to the root directory of these nodes. If access to this root server is blocked, the client cannot obtain a list of entry nodes and, of course, cannot connect to the network. There is a manual method of obtaining nodes (for example, by mail), but this, firstly, is not very convenient, and secondly, if the supervisory authorities discover the addresses of these nodes, they can still be blocked immediately.

In addition, there is such a system as DPI - a packet analysis and filtering system. Now this system is gradually being implemented in Russia by providers. It is quite expensive, so not all providers use it. But that's it for now. I think that in the near future all backbone providers will install it. This system can analyze traffic at a low level, determine the type of this traffic (even encrypted, but without receiving the content itself), filter it and, if necessary, send it for blocking. Now these systems are already able to identify Tor traffic based on certain characteristics. Tor responded by coming up with a traffic masking system (obfsproxy), but gradually they are learning to detect it too. And using all this is becoming more and more difficult for the average user.


That is, Tor can be banned in an entire country using the same DPI. When they introduce criminal liability for the use of such software, several show trials will quickly be held, and that will be the end of it for the most part. There are no sane replacements for Tor yet. The same i2p is banned in exactly the same way. Now blocking Tor is not easy, it is expensive, but it is quite feasible if the state really wants it.

In general, everything has already been invented and is used, for example, in glorious China. Known nodes are blocked, traffic is analyzed by DPI, and identified packets are blocked (and information about the sender is sent to the right place). Plus, there is a “forward connection” system, when a suspicious packet to some server on the Great Firewall is “suspended”, and the firewall itself makes the same request to this server and analyzes the response. And then, based on various criteria, it is determined whether it is possible or not.

If the authorities want, they will block everything for the vast majority of users. Of course, especially stubborn geeks will be able to find loopholes, they will be covered, new loopholes will be found - this is an eternal process, as happens with viruses and antiviruses. But for the average user this is not an option. In addition, there is always the opportunity to introduce white lists or simply close the entire external Internet completely. But I hope it doesn't come to that.
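The layered "onion" scheme described in the interview above, as an added Python illustration (this is not Tor's protocol or code, and the interview does not contain it): a keystream derived with HMAC-SHA256 stands in for the real per-hop cipher, and the route, hop names and keys are constructed. Each hop strips only its own layer, learns the next hop, and passes on a cell it cannot read; only the exit sees the payload.

```python
import hashlib
import hmac
import json


def layer_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256 keystream (assumed
    stand-in for a real cipher). Applying it twice restores the data."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(payload: bytes, route: list) -> bytes:
    """Wrap payload in one layer per hop. route = [(name, key), ...] listed
    from entry to exit; the innermost layer (for the exit) is built first."""
    cell = payload
    next_hop = None
    for name, key in reversed(route):
        plain = json.dumps({"next": next_hop, "blob": cell.hex()}).encode()
        cell = layer_cipher(key, name.encode(), plain)
        next_hop = name
    return cell  # this is what the client sends to the entry node


def peel_layer(name: str, key: bytes, cell: bytes) -> tuple:
    """What one hop can do: strip its own layer, learn the next hop, and get
    the still-encrypted inner cell (or the plaintext payload at the exit)."""
    plain = layer_cipher(key, name.encode(), cell)
    try:
        layer = json.loads(plain.decode())
    except ValueError:
        raise ValueError(f"{name}: wrong key for this layer") from None
    return layer["next"], bytes.fromhex(layer["blob"])


def relay(cell: bytes, route: list) -> tuple:
    """Walk the circuit hop by hop, recording what each hop observes."""
    keys = dict(route)
    hop = route[0][0]
    trace = []
    while hop is not None:
        next_hop, inner = peel_layer(hop, keys[hop], cell)
        trace.append({"hop": hop, "next": next_hop, "sees_payload": next_hop is None})
        cell, hop = inner, next_hop
    return trace, cell  # cell is now the payload as seen by the exit


# Constructed route and keys for the demonstration
SAMPLE_ROUTE = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]


def demo(payload: bytes = b"GET / HTTP/1.1") -> tuple:
    """Build the onion for SAMPLE_ROUTE and relay it; returns (trace, payload_at_exit)."""
    return relay(build_onion(payload, SAMPLE_ROUTE), SAMPLE_ROUTE)


if __name__ == "__main__":
    trace, out = demo()
    for step in trace:
        print(step)
    print("exit delivers:", out)
```

The trace makes the interview's point concrete: the entry node learns only that the next hop is the middle node, the middle node learns only the exit, and neither can decode the payload, while the exit sees the payload but never learns who the original sender was.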

In many offices, social networks, video services, file hosting and entertainment sites have been blocked for a long time. Some even block popular anonymizer services. In this way employers try to make employees attend to their immediate duties instead of wasting working time on entertainment. In this article I will explain step by step how we, ordinary users, can bypass this block and enjoy unrestricted Internet access.

In fact, everything has already been thought out for us and we will use a ready-made solution.

Meet Tor.

Tor is a system that allows you to establish an anonymous network connection, carrying data in encrypted form. Using Tor, users can remain anonymous when visiting websites, publishing content, sending messages and using other applications that run over TCP. Tor technology also provides protection against traffic analysis mechanisms that threaten not only user anonymity but also data confidentiality.

The Tor system was created in a research laboratory working under a federal contract for the US Navy. In 2002 it was decided to declassify the project, and the source code was handed to independent developers, who created client software and published the source under a free license so that anyone can check it for bugs and backdoors.

Let's finish the theory here and move on to installing and configuring the system.

We go to the Tor download page, select the version with the Russian interface and download the installer. The file is about 25 megabytes.

Run the downloaded file, choose the installation location and click the Extract button.

After the installation completes, no new shortcuts appear on the desktop, so open the directory you installed to and run Start Tor Browser.exe from there.

A program window opens showing the connection progress.

If your network reaches the Internet through a proxy server, the connection stalls at the stage of establishing the encrypted connection.

Click the Settings button.

In the window that appears, go to the Network tab.

Configure everything as shown in the figure, entering your proxy address and port.

Click the Exit button.

Launch Start Tor Browser.exe again.

Wait for the connection to the Tor network to be established.

After that, you will see the built-in Firefox browser, through which you can visit any site anonymously.