Mullvad is adding QUIC, a UDP-based network protocol that keeps the speed of UDP while adding the reliability of TCP, as an obfuscation technique.
A year ago, Mullvad only supported UDP-over-TCP obfuscation, which, while working under advanced censorship such as the GFW, was quite slow and unreliable, especially on mobile connections. The addition of Shadowsocks, a censorship evasion protocol that hides in HTTPS traffic, was a great addition for both stability and the strength of the circumvention.
Adding QUIC will enhance speed compared to Shadowsocks and stability compared to UDP over TCP.
But anyway this sounds great. WireGuard inside of QUIC is literally quick, and hopefully strong enough of an obfuscation to easily circumvent lots of firewalls and the like.
It wasn't. Shadowsocks has been detectable for a long time now, and it was back when they added it. There's no reason to keep it.
It doesn't work with GFW, Iran, Russia etc. Claiming that QUIC would help against advanced censors is stupid, since Iran, China and Russia all block QUIC. China doesn't do this at scale since it breaks some things, but more harsh censors do. QUIC encapsulation helps in work networks in EU and US at best.
I should add that Mullvad obfuscating connections to known, publicly listed, non-rotating servers is pure theatre. VPNs that work in China constantly rotate servers/hide behind CDNs.
I know from personal experience that UDP-over-TCP did work against the GFW. About QUIC, I never claimed it will work against the GFW; it is best seen as a replacement for UDP over TCP.
China doesn't mass block IPs for now as they still need access to the outside world, i.e. they don't want to completely break connections with the outside. And I totally disagree with your characterisation of "theatre".
VPNs that work in China often proxy your traffic to a Chinese server, then connect to the outside, so zero privacy here.
Also, you don't seem to know how Chinese censors operate. They do not work on IP blocking, as this can easily be bypassed by just rotating IPs (especially with IPv6). Instead they intercept your traffic and make a dummy request to a domain they control. If the server that you connect to complies with the request, they will block it.
I already said why. The development is abandoned and it doesn't deliver on its promises.
They do block IP addresses of detected VPN servers, you're simply uninformed. They do in fact not block Cloudflare CDNs which are used for censorship circumvention, but I specifically mentioned that Mullvad doesn't implement such measures, and that their servers are publicly visible. Their servers are IP blocked in China. There's no point in wasting DPI throughput on enumerated servers. This is true for all censored countries.
Both the Android and the Rust Shadowsocks client saw commits this week, with the Rust client even getting a release two weeks ago.
They probably do, but that's not their main way of blocking VPNs, it mainly relies on DPI and other more "flexible" techniques.
I can only speak from experience when I went to China for more than two weeks; in the province I was in, Mullvad servers weren't IP blocked.
Yes, I agree, but generally speaking I would say China prefers to make it cumbersome and unreliable to access VPNs, not impossible. Because some still need to access outside for "legitimate" reasons (scientific research, business, etc.). Completely banning IPs means you lose that + if IPs rotate there is some chance you block a legitimate service on this address.
They do probably block some IPs, all I am saying is that it isn't their primary method of firewalling.
There's no beef, I just want you to agree Mullvad doesn't help censored countries in any meaningful way.
The development of censorship resistant solutions moved elsewhere (V2Ray) a long time ago since Shadowsocks was architecturally flawed. Shadowsocks development stalled in the sense of the developers not fixing the inherent problems of the protocol.
Once again, there are multiple ways of enumerating servers. While some VPN providers have lots of rotating servers users can switch from, with obfs4-like mailing list control group distribution (i.e. the censor has to create a ton of accounts to enumerate all the servers since 1 user can't get the whole list easily), Mullvad publicly lists their servers for everyone. As for the IP blocking part: once the GFW has caught a server to censor, it IP blocks it instead of stupidly analyzing its traffic pipe.
Infrastructure isn't uniform. When we speak of GFW capabilities, we refer to GFW at its peak.
Shadowsocks isn't flawed, as it never was successfully blocked AFAIK. This doesn't mean it couldn't be in the future, but it's still working great.
V2Ray and VMess is definitely a stronger (but more complex) protocol. It definitely would be great if they implemented it, no question about that.
But saying all their obfuscation is useless is a stretch.
That's true (although honestly it would be trivial for them to make accounts). But you can also privately ask Mullvad for non-public IPs.
Source?
Again, I said this because you talk and say a lot of things without proof, so I would like you to provide evidence or testimony.
• Shadowsocks (old and new encryptions and methods): Mostly blocked, occasionally graylisted. Some modifications allow connectivity but with high packet loss and jitter. (Graylist)
• ShadowSocks + Cloak: Partially functional. Detected by IRGFW with minimal UL/DL speeds and high jitter (Graylist).
QUIC (Hysteria in this example):
• Hysteria2: Requires a QUIC-enabled destination IP (Page 8 - UDP section).
• Hysteria2 + Obfs (Salamander): QUIC may be completely disabled to some IPs, but Salamander Obfs can sometimes bypass this restriction if UDP works appropriately.
• TUIC/JUICITY: Similar to plain Hysteria2. Gray-listed with limited UL/DL bandwidth and high jitter.
• Obfs4 (for any protocols like OpenVPN/ShadowSocks/Tor): Mostly blocked but can work on some ISPs. Gray-listed and has exceptionally high jitter and UL limitations.
GFW report, various usenix presentations: Shadowsocks blocked since 2021, QUIC works, VMESS can be discovered, VLESS can be discovered.
Russia via ntc: Shadowsocks blocked since 2022, QUIC fully blocked.
That's not what I said.
You made various stupid claims without knowing anything about the scene to begin with.
Still reading this thread, but one thing that's really interesting about this is that they've actually implemented MASQUE and are using it for the QUIC-based obfuscation (GitHub diff)
It's great seeing more QUIC-based protocols getting launched, the VPN industry needs to invest in more core innovation and less in FUD-y marketing.
A few points on TCP obfuscation ("the old way"):
TCP obfuscation when done over a reliable/vanilla TCP socket suffers from the TCP-over-TCP meltdown problem (bad performance, jittery-ness)
TCP obfuscation when done by not actually running TCP, but sending IP packets that look like TCP, won't work on networks like airlines where they do TCP re-termination (a la Performance-enhancing Proxy)
This is why QUIC-based is great, it looks like an HTTP/3 connection and doesn't suffer from the TCP-over-TCP meltdown problem because the application dictates the congestion control rules (more here).
It doesn't mean that it'll get around IP blocks or port blocks (it's not magic), it simply makes it:
Far less likely for a network admin to block your access by collateral damage with overly-zealous firewall rules (e.g. "we're blocking all ports other than 80, 443, and 53!", unfortunately far more common than you'd expect)
Far trickier for nation-state censors to implement a fine-tuned DPI system (especially with Chaos Protection)
Any VPN that has to work in various network environments needs a variety of obfuscation strategies to get around network blocks, and each strategy comes with its tradeoffs. Having QUIC obfuscation in the toolbelt makes it far more likely that you're successfully connecting in the first place, and that your connection is reliable and non-jittery.
Sidenote: One of our engineers did recently come up with a way to do TCP obfuscation without suffering from the TCP-over-TCP meltdown and work even when being re-terminated. We're researching this method internally now.
typed and sent over Obscura's QUIC-obfuscated tunnel with a Mullvad exit node
One of the easiest ways to do "DPI" (all relative how "deep" it is) is just to look at the SNI hostname in the TLS Client Hello.
In TLS and QUIC without Chaos Protection, middleboxes can sniff the SNI hostname by just reading a fixed offset into the stream.
Chaos Protection for QUIC breaks up the Client Hello into multiple frames and shuffles them (perfectly valid from a real QUIC implementation's perspective).
So middleboxes would have to jump from "reading a fixed byte offset" to "fully implementing QUIC frame reconstruction logic and do that for every stream", which is far trickier.
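An added illustration of the point above (example code, not from Obscura, Mullvad or any QUIC implementation): a minimal ClientHello with an SNI extension is built from constructed sample bytes, a parser walks its fields the way an inspection box would, and the same message is then split into out-of-order CRYPTO-style (offset, data) frames. Parsing the frames in wire order fails; only after reassembling by offset does the SNI come out again. The SNI value "example.com", the frame count and the reversed delivery order are assumptions of the example.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello handshake message with one server_name extension."""
    name = sni.encode()
    names = struct.pack("!BH", 0, len(name)) + name            # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(names) + 2, len(names)) + names
    body = (b"\x03\x03" + b"\x11" * 32                         # version, random (sample)
            + b"\x00"                                          # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
            + b"\x01\x00"                                      # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)       # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello

def parse_sni(msg: bytes):
    """Walk the ClientHello field by field; return the SNI host, or None if the bytes are not a well-formed ClientHello."""
    try:
        if msg[0] != 1:
            return None
        pos = 4 + 2 + 32                                       # header, version, random
        pos += 1 + msg[pos]                                    # legacy_session_id
        pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + msg[pos]                                    # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            if etype == 0:                                     # server_name extension
                name_len = struct.unpack("!H", msg[pos + 7:pos + 9])[0]
                return msg[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def fragment(msg: bytes, n: int):
    """Split msg into n CRYPTO-style (offset, data) frames delivered out of order (reversed for determinism)."""
    step = -(-len(msg) // n)
    return [(off, msg[off:off + step]) for off in range(0, len(msg), step)][::-1]

def reassemble(frames):
    """What a middlebox must do instead of a fixed-offset read: place each frame at its stream offset."""
    buf = bytearray(sum(len(d) for _, d in frames))
    for off, data in frames:
        buf[off:off + len(data)] = data
    return bytes(buf)

if __name__ == "__main__":
    frames = fragment(build_client_hello("example.com"), 4)
    print(parse_sni(b"".join(d for _, d in frames)))           # None: wire order breaks the walk
    print(parse_sni(reassemble(frames)))                       # example.com
```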
Messed up the date, it was blocked since mid 2018 if I remember correctly.
As it stands now, harsher censors simply block QUIC altogether due to its low adoption and the lack of repercussions due to fallbacks.
While I admire Hysteria2, I think VPN providers should implement AmneziaWG as a starting point. I didn't test your implementation, but I'm pretty sure AmneziaWG/Cloak are faster.
It doesn't disrupt their current infra, nor does it require any development. I started to dislike the usually praised Proton, Mullvad and even Tor after learning how useless their solutions are at combatting censorship.
It's sad to see tier 2 VPN providers like IVPN carefully implementing V2Ray protocols (but most importantly financing the developers) while Proton doesn't fix leaks in their Linux VPN client for years and Mullvad grifting misinformed EU&US users about their success in fighting censorship.
opengfw covers both cases with their analyzer AFAIK
Right. The IRGFW report was insightful to many of my friends who were just exploring the censorship scene recently. It highlighted the need to constantly switch between many strategies and servers. In Russia, Iran and China, Tier 2 and Tier 3 VPN providers provide VLESS (WS+TLS to be precise), Trojan (both TLS and WS+TLS), VMESS (WS+TLS) and Amnezia altogether since it's common to encounter a heavily censored segment of the internet while traveling, for example. I hope Encounter5729 would finally understand how Mullvad adding QUIC obfuscation is certainly a path in the right direction, but not nearly enough to deal with censorship in any meaningful way.
I forgot to mention I asked Mullvad whether they had plans to add V2Ray and AmneziaWG protocols and they said no. I don't want to appear to be hating on them for no reason.
I saw no confirmation of this in their blogs. They simply email you back an unblocked server from the public list last time I emailed them.