- Network
- A
Building a VPN Resistant to Spyware
In the previous article, we discussed some measures users can take against spyware that detects VPN usage and leaks data to "Big Brother."
If we judge by the comments (and the author generally agrees with their logic), then in conditions of total snitching, there are almost no options left except to have two smartphones (and possibly two desktops as well!). At first glance, this does seem to be the case.
However, if you think a little more, it turns out that there is still a technical solution. Yes, it is relatively expensive (the minimum costs are about 1000-1500 rubles per month), but it exists!
If you are interested in the architecture of a VPN service that is resistant to the presence of spyware on the client side, then this article is for you!
Introduction
The internet buzzes with the fact that Big Brother is constantly changing strategies and tactics in the fight against the freedom of information dissemination. In recent days, informants have come into play. They may be digital, but that’s exactly why they will perform their duties reliably – because you cannot negotiate with them.
And since that’s the case, we will have to look for a way to live in an environment where electronic snitching cannot be eradicated.
Yes, we can try to relocate malicious programs to an electronic dump (as suggested in the previous article), but this is not a panacea. Sooner or later, the informant will raise their technical literacy, and after that, they will overcome this barrier as well.
It may seem that there is no other solution than to keep two smartphones (one for yourself and one for Big Brother). Many commenters on the previous article came to this very conclusion.
However, there is no need to despair! There is a solution. At least for today and perhaps for the next few years, it exists. By reading this article, the reader will be able to build their own VPN service in such a way that blocks avoid it for as long as possible.
Well then. It's time to finish with the advertisement and move on to the architecture. But to understand the proposed strategy for building such a technical service, I want first to convey to the reader the rationale: why and from where the various logical assumptions on which this architecture is built follow.
So, let’s start by determining:
What do we know about the opponent?
Once the opponent switched to using spyware on the client, the question immediately arises: “Why did this happen?”
The first and obvious explanation is that:
Other methods of combating have largely exhausted themselves. They do not provide reliable results.
Why is that? Because modern VPN solutions like xray are quite good at disguising their traffic as harmless, appearing like ordinary websites. Moreover, today almost all connections are encrypted, which makes it extremely difficult to mass and reliably identify VPNs simply by monitoring traffic at the provider.
Is it possible to assume the presence of a VPN on the client? – Yes.
Is it possible to assume a high probability of a VPN on the client? – Again yes.
Can we answer the question: “Does the client use a VPN?” – No.
Thus, the mechanism with informants is perhaps one of the last truly effective technical methods.
If this also fails, then later, likely, some administrative and criminal repressions will begin. But for now (still for now!) we live in a technological world where we can build an architecture that will be maximally resistant to the current model of pressure – to the presence of informants.
So, what do we know about the opponent?
He cannot massively and reliably identify VPNs solely based on traffic;
However, he can receive information from informant programs on the client’s phone;
Moreover, he has currently concentrated his equipment right here – with mobile operators.
This leads to a simple conclusion: if it weren't for spyware, citizens would probably already be winning this war.
Thus, we can formulate:
Requirements for a Resilient VPN
For a VPN to be resilient to informants:
Its functionality must cease to depend on the compromise of the exit point.
Well, the big brother knows the outgoing IP – that should not affect work!It must be resistant to traffic monitoring by mobile operators. After all, this is where the identification of many VPN nodes takes place. Here, as shown above, big brother has already lost this round.
If you look at this list, the components of the solution become immediately visible. Some of them have already appeared in various articles on Habr, but usually not all together.
Let's try to eliminate this shortcoming.
The first thing we will need is a stationary VPN node within a sovereign state.
Why is it needed?
so that local traffic is routed within the sovereign state and does not lose speed;
so that we have complete control over the software on this node (without informants);
so that proposals to charge foreign traffic, punishing the VPN user with fines, are cut off at this stage.
But I am getting a bit ahead of myself, so let's first consider:
The worst case scenario
The meaning of it is simple: the client directly crosses the border of the country to a single external VPN node, and from there reaches the internet.
It’s cheap, it’s simple, it’s convenient.
But this scheme is bad, and it is bad for two reasons.
Firstly, the external exit point in such a scheme is accessible for analysis literally at the level of cellular operators (I repeat: this is where the big brother has gathered the maximum monitoring equipment).
Secondly, this scheme is obviously unstable to spyware on the client, but we will talk about this in more detail a little later.
Game over. But the community responded to this by complicating the architecture:
Resistant to traffic analysis, but not to spyware
To partially meet the second requirement, we need an intermediate point within the state. The goal here is simple: to confuse mobile traffic analyzers and keep internal traffic within.
It includes:
the client's phone;
a VPN server in the sovereign state:
MY.VPN;a VPN server outside the sovereign state:
FREEDOM.VPN;the internet we are trying to reach.
In this scheme, MY.VPN takes on two roles.
First: routing traffic to local resources (for example, government services) directly within a sovereign state.
Second: routing all external traffic through
FREEDOM.VPNtowardsclaude.com,chatgpt.com,youtube, and other resources that exist beyond the border.
From the perspective of centralized traffic analysis, this is already a noticeably more resilient scheme. To the operator, it seems as though you are primarily working with the same node within a sovereign state.
But there is a problem. This scheme is still vulnerable to spyware on the client side.
After all, what does a snitch do? Very simply. Instead of engaging in the activity for which it is intended (for example, providing access to a bank account), it makes a request to its agent outside the sovereign state.
This agent sees that the request came from FREEDOM.VPN and thus learns the address of your external exit point. After that, the snitch reports this address up the hierarchy.
Then Big Brother comes and cuts off access to FREEDOM.VPN for all citizens of the sovereign state without exception.
The problem is that our VPN system requires access to FREEDOM.VPN, and this address is easily discoverable.
Important: the snitch doesn’t even need to have an agent abroad. It can make requests to public websites, like ifconfig.me.
Let's try to improve our VPN to achieve
The system is resistant to spyware on the client side
To prevent the snitch from doing its dirty work, we will add another node, placing it outside the sovereign state.
In total, the scheme will be three-tiered:
the client's phone, on which we assume the presence of spyware;
VPN server in the sovereign state:
MY.VPN;first external VPN server:
FREEDOM.VPN1;second external VPN server:
FREEDOM.VPN2;target websites on the internet.
Features:
MY.VPN, as before, routes local traffic within the sovereign state, while redirecting external traffic outward.
But now there is an important difference.
The exit point to the world is
FREEDOM.VPN2. Since the connection to it is not direct, it is not required for this point to be accessible from a sovereign state.Data crossing the border is carried out through the node
FREEDOM.VPN1, and information about it is known to few: you, the nodeMY.VPN, and no one else.
In summary.
MY.VPNis needed so that the mobile operator sees that you have no activities outside the sovereign state.FREEDOM.VPN1is a secret node that no informant will learn about. Therefore, the connection to it is conditionally protected from the watchful eye of big brother.FREEDOM.VPN2is the exit point, access to which big brother can prohibit, deriving moral or other pleasure from it.
In summary: This scheme is resistant to the compromise of the exit point.
Disadvantages
High cost. You have to pay for three VDS nodes.
Big brother can access all data centers of the sovereign state. But it’s complicated: for this, he will have to seriously analyze the traffic of the data centers of the sovereign state. And that is already a task of a different scale, which will affect the operation of many large websites, services, and portals.
Therefore, I believe that such a scheme, if established today, could last for several years. For the main enemy of this architecture is just one – white lists. Cheburnet.
Additionally, the following can be noted as disadvantages:
Sometimes big brother bans various parts of the internet by subnets. They found that the address 1.2.3.4 contains something suspicious, and instead of blocking the address 1.2.3.4, they blocked the subnet 1.2.0.0/16. This happens. But it is unlikely to be a bug of the proposed architecture.
Cost
Let’s calculate the cost of the issue.
server
MY.VPNinside the sovereign state: 400 – 500 rubles per month;servers
FREEDOM.VPN1andFREEDOM.VPN2outside the sovereign state: 2 – 7 dollars per month each.In total, on average about: 1500 rubles per month.
Is it expensive or cheap? – It’s unpleasant. But for access to modern global developments in the field of AI, to the base of global knowledge – YouTube, to a normal human internet, and the ability to live without constantly looking over your shoulder at electronic informants, this is, in my opinion, quite acceptable.
Conclusion
Unfortunately, there is no silver bullet. This solution works under the conditions of the current situation. What tomorrow will bring – only the war itself will show.
For the struggle is a process. As is well known, a samurai has no goal, only a path. Since the big brother does not articulate his ultimate goal, in some sense, he is also a samurai.
Well, let it be so.
But if he is our brother, then he is still a relative, right? And that means we can and we must correspond to him. In perseverance – certainly.
Write comment