Enderman, Aug 30
Don't worry, Brazilians, we, and our Chinese colleagues have got your back. There have been a lot of anti-censorship advancements in the past couple of years. There are solutions superior to a simple VPN. Let's get ready to connect in the upcoming fragmented world! 🧵
1. No VPN necessary! State restrictions are commonly implemented via DPI (Deep Packet Inspection). The software on the ISP's routing devices filters out packets based on certain conditions, and most of the time they are hardcoded. Which means there's room to contest it.
Passive DPI cannot block the packets, but can inject them. Usually an RST packet. If it is being injected client-side, it's possible to configure iptables to drop it, but the conditions are different for different ISPs. If RST is sent to the server, iptables are not enough.
Active DPI, which is used in Russia and China (Passive DPI times are over for us), on the other hand, can block the packets. The only way to bypass it is by breaking its detection algorithm. It's possible to break by sending data the DPI doesn't expect to process.
For example, by spec, you can split an HTTP request into TCP segments. "GET / HTTP/1.1\r\nHost: ..." -> "GET /", " HTTP/1.1\r\nHost: ...". You can also alter the case of the header keys, as it's case insensitive: "Host:" -> "hOst:"
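Why those two transformations matter, seen from the inspection side, as an added example that is not part of the original thread: a matcher that looks at one segment at a time misses both, while a matcher that reassembles the stream and parses headers the way a server does still sees the same request. The filter logic is a simplified model, and the host name blocked.example and all sample segments are constructed for the demo.

```python
BLOCKED_HOST = b"blocked.example"  # hypothetical name, constructed for the demo

def naive_segment_filter(segments):
    """Simplified per-packet matcher: a segment is only inspected if it holds
    a whole request line, and the header is matched as a literal string."""
    needle = b"Host: " + BLOCKED_HOST
    for seg in segments:
        looks_like_request = seg.startswith(b"GET ") and b" HTTP/1.1\r\n" in seg
        if looks_like_request and needle in seg:
            return True
    return False

def parse_host(stream):
    """Parse Host from a reassembled stream the way an endpoint would.
    Returns None until the header block (ended by CRLF CRLF) is complete."""
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":   # field names are case-insensitive
            return value.strip().lower()
    return None

def reassembling_filter(segments):
    """Stream-aware matcher: buffer segments in order, then parse."""
    buf = b""
    for seg in segments:
        buf += seg
        host = parse_host(buf)
        if host is not None:
            return host == BLOCKED_HOST
    return False

# Constructed samples: one unmodified request and the two variants from the text.
PLAIN = [b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"]
SPLIT = [b"GET /", b" HTTP/1.1\r\nHost: blocked.example\r\n\r\n"]
MIXED_CASE = [b"GET / HTTP/1.1\r\nhOst: blocked.example\r\n\r\n"]

def compare():
    """Map each sample to (naive verdict, reassembling verdict)."""
    cases = {"plain": PLAIN, "split": SPLIT, "mixed_case": MIXED_CASE}
    return {name: (naive_segment_filter(s), reassembling_filter(s))
            for name, s in cases.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```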
There are many ways to break the DPI algorithm, and the cases above are just an example. That's the optimal way to avoid state censorship. Luckily, there's open-source software that already does it for you!



github.com/ValdikSS/Goodb…
github.com/dovecoteescape…
github.com/bol-van/zapret
As time goes on, the states will eventually fix their DPI software, so it's preferable to know how the bypass strategies work to cook up fresh combinations they haven't defeated yet. Not guaranteed to work, but if it does, it's significantly faster than any VPN. So try it out.
2. The VPNs. If the above does not work, your next best option is a VPN. The VPNs aren't magic, they're virtual networks that coincidentally allow delegating sending packets to a different gateway.
[Image]
Yes, the figure above is fucking dumb. Don't murder me, network guys. It's a vast oversimplification. The problem with a VPN is that it adds a whole bunch of hops and overhead that comes with them for your packets to overcome. 99% of the time it slows the connection down.
Personally, I have network-wide split tunnelling set up with the VPN interface used solely to bypass regional blocks. That's really advanced, and I suggest you start by simply setting up a client and a server.
A VPN client! Which one should you use? Well. Forget the free VPNs. These sell your data, show you ads, install malware and do other unspeakable things to keep their service free. The best way out is to host a VPN server yourself. The client and server always go in conjunction.
The biggest problem with hosting a VPN server yourself is that it costs money. However, you can find a cheap VPS ($3-5/mo range) with a 100Mbit/s throughput practically anywhere right now. If you can't afford it, unfortunately, you have to use a free VPN.
The VPN servers only differ by protocol. So, the suggestions off the top of my head are WireGuard, OpenVPN, Outline. You'll need to read a lot and understand the UNIX terminal basics. There's one automated option I know of right now. AmneziaVPN

github.com/amnezia-vpn/am…
It's free, open-source and based on WireGuard. It uses Docker to completely automate the process, which allows even your grandma to set it up easily. There are also options when the state goes hog wild and blocks connections per protocol — as an example, Russia and China.
3. Advanced VPNs. When the state goes rogue as described in a tweet above, the protocols separate out into three categories: easily detectable, detectable, and undetectable. All common protocols are easily detectable, thus easily bannable. A more complex solution is required.
Detectable protocols are usually obfuscated versions of the common protocols, e.g. AmneziaWG (WG + garbage packet spam during handshake initiation), OpenVPN over Cloak, Shadowsocks. They require much more scrutiny to be sifted out by the censorship systems.
Undetectable protocols in reality aren't 100% safe, but they're state-of-the-art as of 2024 and work as a bypass for the Great Firewall of China. Most of these aren't documented in English. You likely won't need those for at least the next 10 years, but let's go over them anyway.
There's no decent nomenclature for them, but:
• VMess
• VLess
• Naive
• Trojan

The whole idea behind these protocols is to mask your VPN traffic as HTTPS. It is considerably slower than any of the VPN solutions shown before, but you gotta do what you gotta do.
The bottom of the barrel, where everything else is literally banned:
• Hysteria
• KCP
• Mieru
• TUIC
• Brook
• Pingtunnel

The state-of-the-art censorship circumvention is achieved by masking your VPN traffic as browsing a web page. There's almost no way to detect that.
Umm, yea. You probably won't ever need those. But keep that in mind, there's no way to censor the internet.
4. Let's talk about DNS. It's a very important subject, because a DNS server is what resolves domain names for you, and censorship can also be applied to it.

That's what DNS does:
x.com -> 104.244.42.129
google.com -> 108.177.14.139
Chances are you are using a DNS server provided by your ISP free of charge. Let's say the state asked the ISP to block shitter(.)com. The ISP might use DPI, but it also might resolve the domain name to localhost, for example.
Now it should be apparent the DNS server is also a weak link. Well, the best case scenario — you can directly set custom DNS-servers (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.4.4.8) either network-wide or per device. Problem solved. However, this might not work!
An ISP may very well hijack your DNS requests server-side and redirect them to their server. Or, they could just block any outgoing UDP traffic on port 53 without their servers as an endpoint.

The solution to both of these digital rape cases is DNS over HTTPS or DNS over TLS.
Now the idea is strikingly similar to that in the «undetectable» VPNs. The tools are also open-source and freely available, I'll list them here (OpenWRT as an example):
• DNSCrypt-proxy
• Stubby
• HTTPS-DNS-proxy
Okay, that should be it for the thread. I'm out. Your digital freedom is important to the Internet.

Please ask your questions under the first post of the thread if you have any. Also just in case, I am not suicidal.
@Rohan_Furries anti-censorship. They may be used domestically, and the endpoint IP might be in a subnet of a different state, yet lead to a domestic resource. A legal precedent like this would be devastating to the entire country's network infrastructure. So I assume it's safe. Not legal advice
@_iabdllah There is no way to generalize DPI bypass. It's always individual per ISP and, at times, has to be specifically tweaked per protocol and sometimes even per route. Routes change, too. That knowledge IMO would be pointless, brute forcing the strategy still seems like the best way.
Cloned this thread to 🦋
Share with your Brazilian friends who have been forcefully migrated out of here.

bsky.app/profile/enderm…
