They don’t blacklist IP addresses generally, though some are certainly blocked. But normally they run deep packet inspections and block traffic that is identified as VPN traffic based on certain header data. That’s what makes the firewall “great” in the first place; many other countries simply block a range of IP addresses, and all it takes is for the VPN provider to switch the IP in their data warehouse. That’s trivial and takes seconds, and many providers rotate their IPs on a regular basis to prevent blocks in the first place.
Because of the deep packet inspection, OpenVPN and wireguard as protocols are entirely useless in China whatsoever, for example. Stealth mode AFAIK is using a modified wireguard protocol that obfuscates certain headers and thereby avoids detection (for now).
Andromxda@lemmy.dbzer0.com 5 months ago
Wait so the “great firewall” doesn’t block Proton VPN IP addresses? That’s interesting.
viking@infosec.pub 5 months ago
They don’t blacklist IP addresses generally, though some are certainly blocked. But normally they run deep packet inspections and block traffic that is identified as VPN traffic based on certain header data. That’s what makes the firewall “great” in the first place; many other countries simply block a range of IP addresses, and all it takes is for the VPN provider to switch the IP in their data warehouse. That’s trivial and takes seconds, and many providers rotate their IPs on a regular basis to prevent blocks in the first place.
Because of the deep packet inspection, OpenVPN and wireguard as protocols are entirely useless in China whatsoever, for example. Stealth mode AFAIK is using a modified wireguard protocol that obfuscates certain headers and thereby avoids detection (for now).