🌐 @echo.%0^|%0>$^_^.c^md&$_>nul

⛔️ Bypassing Internet censorship

In light of the recent events taking place in 🇧🇷, I decided to compile a list of state-wide Internet censorship bypass methods. Let's get ready to connect in the upcoming fragmented world!

🔻 DPI Bypass. A VPN might be unnecessary! While a virtual private network may be a solution, state restrictions are commonly implemented via DPI (Deep Packet Inspection). The software on the ISP's routing devices filters out packets based on certain conditions, and most of the time they are hardcoded. Which means there's room to contest it.

There are two kinds of Deep Packet Inspection:
▪️ Passive DPI cannot block the packets, but can inject them. Usually a TCP RST (connection reset) packet. If it is being injected on the client side, it's possible to configure the iptables to drop it, but RST might also be sent directly to the server, rendering the iptables method pointless.
▪️ Active DPI (used in 🇷🇺 and 🇨🇳) is an upgrade — it's a physical box, and it is capable of blocking the packets. The only way to bypass it is to break its detection algorithm. The algorithm is possible to break by sending data the inspection software doesn't expect to encounter and process.

For instance, by spec, you can split the application-layer HTTP request into TCP segments: GET / HTTP/1.1\r\nHost: google.com ... → GET / + HTTP/1.1\r\nHost: google.com .... It's also possible to alter the case of the header keys, as the header is case insensitive: Host: → hOst:. As a final example, a «DNS root» dot after the hostname is also allowed by spec, but may break the algorithm: Host: google.com..

There is a myriad of ways to break the DPI algorithm aside from the ones I've mentioned. That's the optimal way to avoid state censorship. Naturally, it doesn't work for direct IP set blocks, but it's destructive and not all too common (at least in 🇷🇺). Luckily, there's open-source software that already does it for you!
▪️ zapret 🐧
▪️ GoodbyeDPI 🪟
▪️ ByeDPI 📱

As time goes on, the states will eventually fix their DPI software to account for all the edge cases, so it's preferrable to know how the bypass strategies work to cook up fresh combinations they haven't defeated yet. It may quite literally be considered hacking, so it's not guaranteed to work, but if it does — it's significantly faster than any VPN, so give it a whirl.

🔻 Simple VPNs. If the above does not work for you, your next best option is a VPN. The VPNs aren't magic, they're virtual networks that coincidentally allow delegating sending packets to a different gateway. The problem with a VPN is that it adds a whole bunch of hops and overhead that comes with them for your packets to overcome. Almost 100% of the time it slows the connection down.

Personally, I have network-wide split tunnelling set up with the VPN interface used solely to bypass regional blocks. That's extremely advanced, and I suggest you starting by simply setting up a client and a server. Speaking of it, which one should you use? Well. Forget the free VPNs. These sell your data, show you ads, install malware and do other unspeakable things to keep their service free. The best way out is to host a VPN server yourself. The client and server always go in conjunction.

The biggest problem with hosting a VPN server yourself is that it costs money to rent a server. However, you can find a cheap VPS ($3-5/mo range) with a 100Mbit/s throughput practically anywhere right now. If you can't afford it, unfortunately, you have to resort to using a free VPN. I morally cannot recommend any free VPN, as you're being the product, but a decent pick would be ProtonVPN.