VPN (virtual private network) and tunneling are techniques that allow you to encrypt the data connections between yourself and another computer. This computer might belong to your organization, a trusted contact or a commercial VPN service. Tunneling encapsulates a specific stream of data within an encrypted protocol, making everything that travels through the tunnel unreadable to anyone along the way. VPNs are very commonly used by corporations to allow employees who need access to sensitive financial or other information to access their company's computer systems from home or other remote locations over the Internet.
Using a VPN or other kinds of tunnels to encrypt your information can be a good way of ensuring it is not seen by anyone but yourself and people you trust. It has the additional effect of making all your different kinds of traffic look similar to an eavesdropper or to a system that is trying to block your traffic. Since many international companies use VPN technology, it is not very likely to be blocked.
These techniques create a tunnel from your computer to another computer somewhere on the Internet. Your data can travel through this tunnel and then continue to a final destination on the Web. The integrity and privacy of the traffic inside the tunnel are protected by encryption.
If the tunnel ends outside the area where the Internet is being restricted, this can be an effective method of circumvention, since the filtering entity/server sees only encrypted data, and has no way of knowing what data is passing through the tunnel.
It is important to note that the data is only encrypted as far as the end of the tunnel, and then travels unencrypted to its final destination. If, for example, you set up a tunnel to a commercial VPN provider, and then request the Web page news.bbc.co.uk through the tunnel, the data will be encrypted from your computer to the VPN provider's computer at the other end, but from there it will be unencrypted to the servers run by the BBC, just like normal Internet traffic. This means that the VPN provider, the BBC and anyone with control over a system between these two servers, will, in theory, be able to see what data you have requested.
The main difference between a VPN connection and a tunnel is that a VPN system is set up in such a way that it encrypts all data from your computer to the Internet, while a tunnel is set up to encrypt only traffic from specific applications, either based on the port numbers they use or by requiring you to specify which tunnel to use within each application. Unlike a VPN, a tunnel requires each application that needs to use it, such as a Web browser, e-mail client or Instant Messaging program, to be configured individually. Significantly, not all applications are capable of being passed through common types of tunnels. Most Voice over IP (VoIP) systems, for example, use the UDP protocol, which is not supported in many common tunneling systems. Also, some common applications such as the Opera web browser do not have built-in support for SOCKS proxies, which are the most common type of tunneling software. In this case you have to use an extra application like FreeCap for Windows (http://www.freecap.ru/eng/) or tsocks for Linux (http://tsocks.sourceforge.net/).
Once a tunnel is established and applications have been configured, they will run through the encrypted tunnel to the computer with the tunneling software, which forwards your requests and responses transparently. Users with contacts in a non-filtered country can set up private tunneling services, while those without contacts can purchase commercial tunneling services, usually by subscription for about 5 US Dollars a month (usually requiring a credit card payment).
Various free tunneling services are also available. When using free tunneling services, users should note that they often include advertisements. The advertisements are sometimes requested through unencrypted, plain-text HTTP, which can be intercepted by any intermediary, who can then determine that the user is using a tunneling service. Moreover, many tunneling services rely on the use of SOCKS proxies, which may leak domain name requests. Some commercially available tunneling systems which also provide a (slow) free service are:
Unlike tunnels, VPN systems transport all data over the encrypted network, including Voice over IP (VoIP) and communications from applications with no built-in support for SOCKS. Once VPNs are set up, they are much more comprehensive tools than tunnels, but they are more complicated to set up and configure than most tunneling applications.
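Whether a SOCKS-based tunnel leaks domain name requests, as mentioned above, depends on who resolves the hostname: the proxy at the far end of the tunnel, or your own computer before the request enters the tunnel. The following Python sketch is an added example, not part of the original text; the function names and the sample requests (using the documentation address 192.0.2.10) are constructed for illustration. It builds SOCKS5 requests and classifies SOCKS4, SOCKS4a and SOCKS5 requests by where name resolution took place.

```python
import ipaddress
import struct

def socks5_connect(dest: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928) for an IP literal or a hostname."""
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        # ATYP 0x03: the hostname itself travels inside the tunnel,
        # so the proxy performs the DNS lookup, not the local machine.
        name = dest.encode("idna")
        return head + b"\x03" + bytes([len(name)]) + name + struct.pack("!H", port)
    # ATYP 0x01/0x04: only an address is sent; any hostname was already
    # resolved locally, outside the tunnel, where the lookup can be observed.
    atyp = b"\x01" if ip.version == 4 else b"\x04"
    return head + atyp + ip.packed + struct.pack("!H", port)

def classify(request: bytes) -> tuple[str, str]:
    """Return (who resolves the name, destination) for a SOCKS CONNECT request."""
    if len(request) < 9:
        raise ValueError("request too short")
    if request[0] == 5:
        atyp, body = request[3], request[4:]
        if atyp == 3:  # length-prefixed domain name
            return "proxy", body[1:1 + body[0]].decode("ascii")
        if atyp not in (1, 4):
            raise ValueError("unknown SOCKS5 address type")
        size = 4 if atyp == 1 else 16
        return "client", str(ipaddress.ip_address(body[:size]))
    if request[0] == 4:
        ip = request[4:8]
        fields = request[8:].split(b"\x00")  # USERID, then hostname (SOCKS4a only)
        # SOCKS4a marks "resolve this for me" with the invalid address 0.0.0.x, x != 0
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            return "proxy", fields[1].decode("ascii")
        return "client", str(ipaddress.ip_address(ip))
    raise ValueError("not a SOCKS4/SOCKS5 request")

# Constructed sample requests (not captured traffic)
SOCKS4_SAMPLE = b"\x04\x01\x00\x50\xc0\x00\x02\x0a" + b"user\x00"
SOCKS4A_SAMPLE = b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"user\x00" + b"news.bbc.co.uk\x00"

if __name__ == "__main__":
    for req in (socks5_connect("news.bbc.co.uk", 80), socks5_connect("192.0.2.10", 80),
                SOCKS4A_SAMPLE, SOCKS4_SAMPLE):
        print(classify(req))
```

A result of "client" means the application handed the proxy a numeric address, so any hostname lookup happened on the local network before the tunnel was involved; "proxy" means the name was sent through the tunnel and resolved at the far end.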
There are a number of different standards for setting up VPN networks, including IPSec, SSL/TLS and PPTP, that vary in terms of complexity, the level of security they provide, and which operating systems they are available for. Naturally, there are also many different implementations of each standard within software that have various other features.
VPNs are frequently used by companies and organizations as private communication channels to connect securely over the Internet. Because of their popularity there are many commercial providers of VPN services, which allow you to purchase access to a VPN service for a fee. Using such a service requires you to trust the owners of the service, but provides a simple and convenient method of bypassing Internet filtering for a monthly fee of about 5-10 US Dollars. There is a list of commercial VPN providers available at http://en.cship.org/wiki/VPN.
As an alternative to paying for commercial VPN services, users with contacts in unrestricted locations may have these contacts download and install software that sets up a private VPN service. This requires a much higher level of technical knowledge, but it will be free. Also, the private nature of such a setup means it is less likely to be blocked than a commercial service that has been available for a long time. One of the most widely used free and open source programs available for setting up this kind of private VPN is OpenVPN (http://openvpn.net/), which can be installed on Linux, MacOS, Windows and many other operating systems.
Tunneling applications and VPNs provide encrypted transfer of your data. They generally have the ability to securely proxy many different functions, not just web traffic, which makes them one of the safest ways to bypass Internet censorship. Once configured, they are also easy to use.
Tunneling applications and VPNs are best suited for technically capable users who require secure circumvention services for more than just web traffic and who access the Internet from their own computer, where they can install additional software. Commercial tunneling services are an excellent resource for users in censored locations who do not have trusted contacts in non-filtered locations. VPN technology is a common business application that is not likely to be blocked.
Some, but not all, commercial tunnel and VPN services advertise anonymity, which privately set up services generally can't achieve. This anonymity protection can be fairly effective if the commercial VPN or tunnel operator is trustworthy.
Commercial tunneling services and commercial VPNs are publicly known and may already be filtered. They normally cannot be used by users in public access locations where users cannot install software, such as Internet cafés or libraries. Use of tunneling applications and especially VPNs may require a higher level of technical expertise than other circumvention methods.
A network operator can detect that a VPN is being used and determine who the VPN provider is. The network operator should not be able to view the communications sent over the VPN unless the VPN is set up incorrectly.
The VPN or tunnel operator (much like a proxy operator) can see what you're doing unless you use some additional encryption for your communications; when you don't use additional encryption, you have to trust the VPN or tunnel operator not to abuse this access.