VPN Blocking in Russia: Current Situation and How to Fight Back

On November 1, 2019, the “Sovereign Runet” law came into effect in Russia, requiring the Russian segment of the internet to be “centrally managed by Roskomnadzor.” The agency has since been working to establish full control. Standing in the way are VPN services, which provide Russians with access to websites blocked in Russia.

Roskomnadzor has repeatedly attempted to crack down on VPNs that refuse to filter user traffic and block access to sites listed in the government’s blacklist (which is fundamentally at odds with the purpose of VPNs). Throughout the summer of 2021, media reports surfaced about various VPN services allegedly being blocked by the authorities. However, in most cases, users did not notice significant disruptions. Roskomnadzor clearly intends to continue its efforts, including using new technical means (TSPU) to block such services. The risks of VPN blocking or other sanctions for non-compliant VPNs are now higher than ever.

This article will answer questions about how real the threat of VPN blocking is, who can carry out such blocks, how modern VPN services work, and how they can defend themselves and their users from Roskomnadzor’s actions. We’ll start with an up-to-date overview of VPN protocols: which ones work, which are outdated, and what features they offer.

Glossary of Terms

  • Private network — A computer network using reserved IP address ranges for internal addressing, isolated from the internet. Examples include a home network with several devices connected to a router, or a school’s internal network. To connect to the internet, a private network uses gateways—nodes with multiple network interfaces, one connected to the internal network and another to the external network.
  • Virtual Private Network (VPN) — A network whose nodes exchange data not over a direct physical link but over another network (usually the internet). Originally used in business for remote work and for connecting company branches, VPNs are now popular among ordinary users for anonymity and for bypassing access restrictions. VPNs are built on tunneling.
  • Tunnel — A technique that carries one protocol’s traffic inside another protocol over an existing network. It works by encapsulation: the packets of the encapsulated protocol become the payload of the tunneling protocol. The encapsulated protocol is usually at a lower layer of the network model than the protocol carrying it: for example, TCP inside HTTP, or Ethernet inside TCP/UDP, whereas normally TCP and UDP run over Ethernet and HTTP over TCP. Tunneling can therefore make the same protocol appear twice in one packet (for example, TCP over TCP).
  • Encryption protocol — Encrypts and decrypts data transmitted over the network. Examples: TLS (formerly SSL), Noise, and others.
  • TCP/IP network model — Describes the relationship of protocols used for internet data transmission. It has four layers:
    • Link layer — The lowest level, responsible for physical data transmission (wired or wireless). Examples: Ethernet (wired), IEEE 802.11 (wireless).
    • Internet layer — Handles addressing and routing between networks. Main protocol: IP (Internet Protocol).
    • Transport layer — Establishes connections between two nodes and transmits data. Main protocols: TCP (guarantees data integrity but is slower and heavier) and UDP (faster, but no delivery guarantees). Other protocols include SCTP (Stream Control Transmission Protocol) and ICMP (used for technical info, e.g., ping).
    • Application layer — Where application protocols operate, such as HTTP, SMTP (email), SSH (remote command line access, TCP tunneling), and many others.
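To make the encapsulation idea concrete, here is an added example (not code from the original article) that builds an IPv4/TCP packet, wraps it as the payload of an outer IPv4/UDP datagram the way a UDP-based tunnel would, and then unwraps it again, checking the header checksums on the way. The addresses come from the RFC 5737 documentation ranges and the tunnel port 51820 is just a constructed value; there is no encryption, so this shows the tunneling skeleton that VPN protocols build on, not a VPN.

```python
import socket
import struct

# Values of the IPv4 "protocol" field
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; a header that already
    contains a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    # UDP checksum 0 means "not computed", which IPv4 permits
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tcp_header(sport: int, dport: int, seq: int = 1, flags: int = 0x02) -> bytes:
    """20-byte TCP header; flags=0x02 is a SYN. Checksum left at 0 for brevity."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)


def encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str,
                tunnel_port: int = 51820) -> bytes:
    """Tunnel: the whole inner IP packet becomes the payload of an outer UDP datagram."""
    udp = udp_header(tunnel_port, tunnel_port, len(inner_packet)) + inner_packet
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp)) + udp


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) after verifying the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", header[2:4])[0]
    return (socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20]),
            header[9], packet[ihl:total_len])


def decapsulate(outer_packet: bytes) -> dict:
    """Strip the outer IP and UDP headers and parse the inner IP packet.
    Note that IP appears twice: once as the carrier, once as the cargo."""
    osrc, odst, oproto, payload = parse_ipv4(outer_packet)
    if oproto != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", payload[:8])
    isrc, idst, iproto, _ = parse_ipv4(payload[8:ulen])
    return {"outer": (osrc, odst, dport), "inner": (isrc, idst, iproto)}


def demo():
    """Constructed packet: a TCP SYN from a private-range host, tunneled
    between two public endpoints (documentation addresses)."""
    tcp_syn = tcp_header(40000, 443)
    inner = ipv4_header("192.0.2.10", "198.51.100.80", IPPROTO_TCP, len(tcp_syn)) + tcp_syn
    outer = encapsulate(inner, "203.0.113.5", "198.51.100.9")
    return outer, decapsulate(outer)


if __name__ == "__main__":
    packet, layers = demo()
    print(len(packet), "bytes on the wire;", layers)
```

An intermediary on the path only sees the outer header (203.0.113.5 to 198.51.100.9, UDP 51820); the inner addresses and the TCP header are just opaque payload to it, which is exactly what a real tunnel then protects with encryption.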

Popular VPN Protocols

  1. L2TP/IPsec — A combination of two protocols: IPsec establishes a secure channel, and L2TP creates a secure tunnel inside it. This combo is considered outdated due to security concerns and low performance.
    • IPSec (Internet Protocol Security) — Developed by the IETF for IPv6 (originally mandatory, now recommended). Can be used as a tunneling protocol (tunnel mode), but with L2TP is used in “transport mode.”
    • L2TP (Layer 2 Tunneling Protocol) — A tunneling protocol published in 2000, evolving from L2F (Cisco) and PPTP. It does not provide encryption by itself.
  2. IKEv2/IPsec — An alternative combination offering higher speeds than L2TP/IPsec and supporting seamless switching between networks (important for mobile apps). Not the most secure, but fast and stable.
    • IKEv2 (Internet Key Exchange) — A key exchange protocol that establishes a secure preliminary connection so nodes can safely exchange info needed for a full secure connection (encryption algorithm, key, etc.).
    • In this combo, IPsec is used as the tunneling protocol.
  3. OpenVPN — Open-source software for secure connections between clients and servers.
    • Uses its own protocol, including SSL/TLS for encryption.
    • Open source code allows anyone to audit it for backdoors.
    • Has a reputation as a reliable, time-tested solution.
  4. WireGuard — A modern protocol designed as a replacement for OpenVPN.
    • Small codebase makes auditing easier than OpenVPN.
    • Leads in speed and uses modern encryption. Some cryptanalysts criticize its lack of extensibility compared to IPSec.
    • NordLynx — A proprietary WireGuard variant used by NordVPN, claiming to solve WireGuard’s issue of storing client IP addresses on the server.

Other VPN Protocols

  1. PPTP (Point-to-Point Tunneling Protocol) — Outdated and does not provide reliable encryption.
    • SSTP (Secure Socket Tunneling Protocol) — Microsoft’s proprietary protocol, allows PPTP with SSL/TLS encryption.
    • MPPE (Microsoft Point-to-Point Encryption) — Used for encrypting data in PPTP and PPP.
  2. SoftEther — Used by the SoftEther VPN app (which also supports other protocols).
    • Resists DPI (deep packet inspection) by encapsulating Ethernet inside HTTPS.
    • Supports VPN over ICMP and VPN over DNS, allowing connections through networks that block TCP/UDP traffic.
  3. Cisco AnyConnect — VPN connection technology that can use UDP and SCTP for data transfer. Sometimes uses DTLS (Datagram Transport Layer Security) for security.
    • OpenConnect — Open-source implementation of this connection method.
  4. Lightway — ExpressVPN’s proprietary alternative to WireGuard, with a minimal codebase and, according to developers, stable operation when switching between networks.

Related Technologies

  1. TLS (Transport Layer Security; formerly SSL, Secure Sockets Layer) — A widely used cryptographic protocol (it is what HTTPS runs on). Commonly used inside VPN connection protocols (OpenVPN, SoftEther, Cisco AnyConnect).
  2. SSH (Secure Shell) — Primarily a remote management protocol. The popular OpenSSH implementation supports tunneling and provides a SOCKS interface for connections over the tunnel, which resembles a VPN but is not one. This method is suboptimal, as running TCP over TCP leads to poor connection quality.

Popular VPN protocols are vulnerable to blocking via DPI (Deep Packet Inspection), which analyzes network traffic and blocks packets identified as VPN protocols. However, there are technologies that can further disguise VPN traffic as other types, making DPI detection more difficult.

Obfuscation Technologies

  1. Shadowsocks — An encrypted proxy protocol based on SOCKS5. Routing traffic through an intermediate Shadowsocks (SOCKS5) server hides the fact that a VPN is in use and helps bypass VPN blocks.
    • SOCKS — A protocol for data exchange via a proxy server. SOCKS5 adds authentication.
  2. obfs4 (obfs4proxy) — A Pluggable Transport (PT) implementation from the Tor project. Can also be used with OpenVPN and other technologies. PTs disguise Tor (or VPN) traffic as other types, helping bypass provider or government blocks.
  3. Cloak — Another PT variant that disguises other protocols’ traffic as HTTP, making it harder to block.
  4. Stunnel — A tunneling technology that can disguise traffic as HTTPS (i.e., TLS), making VPN traffic harder to block.
  5. OpenVPN Scramble (XOR Obfuscation) — Uses XOR cipher to obfuscate traffic so DPI algorithms can’t recognize it.
  6. Chameleon — VyprVPN’s proprietary protocol that disguises OpenVPN traffic.
  7. V2Ray — Part of Project V (a privacy toolkit), provides proxy server support and various protocols, including Shadowsocks.
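The paragraph above says that popular VPN protocols are recognizable to DPI and that obfuscation hides them; the following added example (written for this article, not code from any of the projects listed) shows the mechanics from a network defender’s side. It applies the kind of fixed-offset signatures a DPI rule set uses to constructed WireGuard and OpenVPN handshake datagrams (field layouts taken from the two protocols’ public specifications), then shows that a repeating-key XOR mask, a simplified stand-in for the “xormask” mode of the OpenVPN Scramble patch, makes the byte signature miss while a size-based check still fires, because masking changes bytes but not packet lengths.

```python
import struct

# Constructed sample datagrams (not real captures). Each is the UDP payload a
# DPI engine sees on the wire, before any decryption.

# WireGuard handshake messages have fixed sizes and a 4-byte type/reserved prefix.
WG_INIT_LEN, WG_RESP_LEN = 148, 92
# OpenVPN: first byte is (opcode << 3) | key_id; opcode 7 = P_CONTROL_HARD_RESET_CLIENT_V2
OPENVPN_HARD_RESET_CLIENT_V2 = 7


def build_wg_handshake_init(sender_index: int = 0x1234) -> bytes:
    """Constructed WireGuard handshake initiation: type(1) reserved(3)
    sender(4) ephemeral(32) static(48) timestamp(28) mac1(16) mac2(16).
    Key material is zeroed here because only the shape matters to DPI."""
    return (b"\x01\x00\x00\x00" + struct.pack("<I", sender_index)
            + bytes(32) + bytes(48) + bytes(28) + bytes(16) + bytes(16))


def build_openvpn_hard_reset(session_id: bytes = b"\xaa" * 8) -> bytes:
    """Constructed OpenVPN client hard-reset (UDP): opcode/key_id byte,
    8-byte session id, empty packet-id ack array, 4-byte message packet id."""
    return (bytes([OPENVPN_HARD_RESET_CLIENT_V2 << 3]) + session_id
            + b"\x00" + struct.pack("!I", 0))


def classify_udp_payload(payload: bytes) -> str:
    """Fixed-offset signature matching of the kind a DPI rule set uses."""
    if len(payload) == WG_INIT_LEN and payload[:4] == b"\x01\x00\x00\x00":
        return "wireguard-handshake-init"
    if len(payload) == WG_RESP_LEN and payload[:4] == b"\x02\x00\x00\x00":
        return "wireguard-handshake-resp"
    if (len(payload) >= 14
            and (payload[0] >> 3) == OPENVPN_HARD_RESET_CLIENT_V2
            and (payload[0] & 7) == 0):
        return "openvpn-hard-reset-client"
    return "unknown"


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR with a repeating key: a simplified stand-in for the
    'xormask' mode of the OpenVPN Scramble patch (assumption about that
    patch's exact behaviour). Applying it twice restores the original."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def matches_wg_init_length(payload: bytes) -> bool:
    """Size-only heuristic: byte masking does not change datagram sizes,
    so a 148-byte first datagram to a new peer remains a signal."""
    return len(payload) == WG_INIT_LEN


if __name__ == "__main__":
    for name, pkt in [("wg", build_wg_handshake_init()),
                      ("openvpn", build_openvpn_hard_reset())]:
        masked = xor_mask(pkt, b"constructed-key")
        print(name, classify_udp_payload(pkt), "->",
              classify_udp_payload(masked), "len-match:", matches_wg_init_length(masked))
```

The lesson for both sides is the same: signatures keyed on a few header bytes are cheap and precise but brittle, and the obfuscation layers listed above exist to break exactly those bytes; a detector that also considers packet sizes and timing is harder to fool, which is why the more serious transports (obfs4, Cloak, Stunnel) try to look like an entire legitimate protocol rather than just scrambling bytes.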

In practice, commercial VPN services most often offer the following protocols:

  • OpenVPN as a proven, reliable solution
  • WireGuard as a modern alternative
  • IKEv2/IPsec as a legacy option (being phased out)
  • Proprietary solutions

We also remind you where to find secure and trusted VPNs that help ensure privacy and restore access to censored information online — check out the service vpnlove.me.
