On Tue, Sep 29, 2020 at 10:53 AM Maksim Karamushko <m...@lifetm.net> wrote:

> I understand that, but an ISP can make an additional check: simply collect
> domains which pass through it and use openssl s_client --connect domain:443, then
> apply "GET /", and then if the result contains ***some openconnect xml text****,
> collect and apply some blocks (I think such checks could be written in
> python + some database in one day).
> I hope you understand what I mean, and that is why I ask how to change the default
> path.
Ah. What you're describing should probably not be described as deep packet inspection, which normally refers to a passive technology, but rather as "active probing". (That's the term used by the Tor project: https://blog.torproject.org/learning-more-about-gfws-active-probing-system)

It might be possible to temporarily circumvent this kind of censor/interference by changing the default path for ocserv… but there will remain many other relatively trivial methods to detect an ocserv server via active probing.

I wrote what-vpn for scanning/surveying TLS-based VPNs. It uses a different method which can reliably distinguish ocserv from other types of VPN servers (https://github.com/dlenski/what-vpn/blob/master/what_vpn/sniffers.py#L97-L123), and which would not be affected in any way by a change in the default path for the authentication page.

It'd probably also be pretty easy to detect VPN gateways running ocserv simply by TLS fingerprinting (since ocserv is one of the most common server applications that use GnuTLS).

Preventing active probing from detecting VPN gateways will pretty quickly become a cat-and-mouse game if you're dealing with an ISP/government that's determined to block them. It seems that even Tor, which puts a lot of its resources into this, is struggling to come up with reliable and usable ways to make Tor endpoints undetectable to the Great Firewall of China.

I'm unsure how much the ocserv developers are interested in going down this path of making ocserv hard to detect… interested in the discussion though.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel