16 tweets, 3 min read
Have you ever wondered what's actually happening on the internet when your VPN stops working? Have you ever wondered why the Great Firewall can block VPNs seemingly whenever it chooses to do so, but not always? No? I thought so, here's a thread on why anyways. 1/16
At the most basic level the internet is a game of hot potato. You stick a message (called a packet) with a destination on it and a series of routers will estimate which direction they think it's in and throw it off that way as quickly as they can until it gets there. 2/16
Notice that there is no guarantee that every packet will use the same path, nor even that they will arrive in the order you sent them because each router is only making estimates, and those estimates can change during a conversation. 3/16
Even without any interference there's no guarantee that your packets will even make it to the other side at all! The internet protocol (IP) just says it'll try as hard as it can but can't make any promises, sorry! 😢 4/16
But that's no good! We need to know that the other side got our packets and we need to know they got there in order! We want "cat videos" not "eosat div"! That's where the Transmission Control Protocol (or TCP) comes in. 5/16
If you wish to know more here is the full graphical representation of how TCP turns "I dunno lol" into the connections you are used to. I have highlighted the points that are important for us though, namely the reset or RST packet. 6/16
It's a packet that tells the other computer to close the connection (going to the CLOSED state for your desktop, and the LISTEN state for servers who expect others to open new connections). 7/16
But notice it's only expected before you can make it to the connection ESTABLISHED state. Why, if you UNEXPECTEDLY get one during a different part of the connection, you might get an error that looks like this! 8/16
And that's in fact what is happening when the Great Firewall hits you. It prefers to kill the connection by pretending to be the other party closing the connection. Your computer assumes something went wrong and eagerly complies, ignoring anything that comes in afterwards. 9/16
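As an added illustration (not part of the thread), here is a passive check over a captured flow that flags resets showing the signs described above: a RST that arrives from a different hop count than the real server's other packets, a RST whose sequence number is not the one expected, or a server that keeps sending after "its" RST, which means it never closed. The Segment type, the sample capture and the heuristics themselves are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Segment:            # one captured TCP segment (constructed for this example)
    src: str              # sender IP
    dst: str              # receiver IP
    flags: str            # subset of "SAPRF"
    seq: int              # sequence number
    ttl: int              # IP TTL as seen at the capture point
    payload: int = 0      # bytes of data carried

def find_suspicious_resets(segments: List[Segment]) -> List[Tuple[int, str]]:
    """Heuristic (assumed, not from the thread) check for injected RSTs:
    1. RST TTL differs from earlier segments in that direction (different hop count);
    2. RST seq is not the expected next seq (RFC 5961 receivers require an exact match);
    3. the host that "sent" the RST keeps talking afterwards, so it never closed."""
    findings: List[Tuple[int, str]] = []
    first_ttl: Dict[Tuple[str, str], int] = {}  # direction -> TTL first seen
    next_seq: Dict[Tuple[str, str], int] = {}   # direction -> expected next seq
    reset_at: Dict[Tuple[str, str], int] = {}   # direction -> index of its RST
    for i, seg in enumerate(segments):
        d = (seg.src, seg.dst)
        if "R" in seg.flags:
            reasons = []
            if d in first_ttl and seg.ttl != first_ttl[d]:
                reasons.append(f"ttl {seg.ttl} differs from {first_ttl[d]}")
            if d in next_seq and seg.seq != next_seq[d]:
                reasons.append(f"seq {seg.seq} != expected {next_seq[d]}")
            if reasons:
                findings.append((i, f"RST from {seg.src}: " + "; ".join(reasons)))
            reset_at.setdefault(d, i)
            continue
        if d in reset_at:
            findings.append((i, f"{seg.src} still sending after RST #{reset_at[d]}"))
        first_ttl.setdefault(d, seg.ttl)
        # SYN and FIN each consume one sequence number; payload bytes consume the rest
        next_seq[d] = seg.seq + seg.payload + ("S" in seg.flags) + ("F" in seg.flags)
    return findings

# Constructed capture: handshake, client request, a reset claiming to come from the
# server but with a different TTL, then the server's real reply still arriving.
SAMPLE = [
    Segment("10.0.0.2", "203.0.113.5", "S", 1000, 64),
    Segment("203.0.113.5", "10.0.0.2", "SA", 5000, 52),
    Segment("10.0.0.2", "203.0.113.5", "A", 1001, 64),
    Segment("10.0.0.2", "203.0.113.5", "PA", 1001, 64, payload=120),
    Segment("203.0.113.5", "10.0.0.2", "R", 5001, 45),
    Segment("203.0.113.5", "10.0.0.2", "PA", 5001, 52, payload=300),
]
print(find_suspicious_resets(SAMPLE))
```

Note that an injector sitting on the path sees the live sequence numbers, so signal 2 alone is weak; the TTL difference and the peer continuing to talk after the reset are the stronger indicators.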
Closing connections to websites on the blacklist, or whenever requests contain sensitive words, combined with simple delisting of DNS addresses (DNS is the service that translates a human-readable URL into a computer-readable IP address), forms the basis of the firewall. 10/16
I can hear both of you still listening saying "But Peter, how does it block my VPN? VPN traffic is encrypted and unreadable until it reaches its destination outside China!" 11/16
And that's true! VPNs can be very tricky to block because their encryption protocols disguise traffic and make it look innocuous, but they still have their fingerprints. 12/16
VPNs tend to use a certain range of ports to connect which can be blocked, they tend to have characteristic patterns in their startup messages, and other repeatable behavior, making them vulnerable to deep packet inspection. 13/16
Basically (and extremely oversimplified), certain patterns can still show up in encrypted traffic because you tend to see the same kinds of messages repeated over and over again, and those same types of messages tend to get encrypted in exploitable ways. 14/16
The trade-off though is that such analysis is extremely expensive to do on the entirety of all internet traffic, and it can slow down the routers considerably if they have to perform the extra computation on everything, so the firewall typically does not use it everywhere. 15/16
But on politically sensitive dates the slowdown is worth it, so the firewall is put on full blast, affecting the internet speeds of even those without VPNs as collateral damage in the fight to stamp out VPNs. 16/16
Thread author: Peter Hansen (韩磊)