Bypassing school SSL inspection and DPI

Hi everyone!

Two years ago our school implemented an SSL inspection tool called ContentKeeper. It’s super annoying; it’s an allow list, not a block list, so we can’t even access legitimate websites like HackerRank (a lot of computer science websites are blocked,  which is exactly my major -_-). I’ve been able to get around it through a WireGuard VPN running on port 53, however in the past few days they blocked that too. I’ve tried for 2 days, and I think I’m almost out of options. Before I attempt to implement my own VPN protocol (without encryption, just to break past the block on everything for now), do you guys have any suggestions on how to bypass such a restricted network?

Here are some details and things that I’ve tried:

  • ContentKeeper normally requires you to install a certificate so they can perform the MITM that they need to filter out content. When you install it, it gets rid of SSL errors only on a handful of websites
  • ssh -D as a SOCKS proxy does indeed remove the SSL errors, however it doesn’t get past the blocked websites (administration is super reluctant to allow anything so we just gave up trying). This workaround doesn’t work on iOS, however.
  • Shadowsocks doesn’t work*. The asterisk is because I’ve gotten it to randomly work a few minutes some times, then it’s back to blocked. I’ve heard about trying on port 443 and I’ll try it tomorrow.
  • WireGuard is blocked by ContentKeeper, but I’m not sure if it is a firewall. Here’s a screenshot of what I get as soon as I stop using it:

What the block page looks like

When the school blocked all outbound UDP ports except port 53, this page would come up when WireGuard disconnected. We can still use WireGuard, however, even while blocked (“isolated” for a minute), and even on the guest login-required WiFi. Therefore I suspect ContentKeeper is not blocking WireGuard, it’s just a straight up all-UDP-port-blocking firewall. I don’t know if this is true, nor can I confirm that all UDP outbound ports are blocked, but I tried some common ones and WireGuard still does not work.

  • OpenVPN, even with port 443, does not work
  • There is limited signal inside the building so data doesn’t work in most places
  • Outbound ping is blocked
  • ZeroTier is detected and blocked
  • Edit: all Remote Desktop software that I know of is blocked
  • Edit: I want to avoid cloud-based remote desktops as much as possible, especially VNC. They’re too difficult to use effectively, but if everything else fails, I will resort to it :smiley:

Do you guys have any suggestions on how to deal with this? Hopefully I’m not violating any rules on the subreddit, I’ve never done anything illegal with unrestricted network access, I promise. If you need me to test anything, I’ll be doing that tomorrow in school.

Edit: Thanks for all of your suggestions! I’ll be trying these today, I’ll update each one if it works:

  • TOR (will probably get called down to office LOL) (u/pass-the-word) (Blocked, but interestingly it did successfully discover an exit node)
  • Shadowsocks on port 80 (u/thebighuski), or 443 (yay both ports appear to be working with Outline Server, works across mobile devices as well)
  • OpenVPN + tls-crypt + scramble patch over port 443 (u/MyCalculations) (having issues setting this up)
  • IPV4 tunnel through DNS (u/Azz0uzz)
  • TrojanVPN protocol (u/lacksfor) Does not work with CDN since unknown domain names are blocked by default. Might try CloudFront that gives me a custom amazon-based URL.
  • SSH Port Forwarding for RDP (u/atl-hadrins) Works, but only for laptops and is expensive
  • WireGuard over port 123 (u/kahr91), 443 (failed) (u/regorsec) (Unless there are more ports that might work, WireGuard has been completely blocked)
  • Tunneling DNS over SSH (u/glockfreak)
  • Switching DNS servers (u/pkx616) Didn’t do anything when combined with an ssh -D socks proxy
  • Softether VPN (u/xnyg)
  • Microsoft SSTP
  • v2ray (web socket + TLS + Cloudflare CDN) (u/Heclalava) Cloudflare does not work since custom DNS is blocked.

Edit [some number n>10]: I’ve found that Shadowsocks (with Outline Server) on port 80 or 443 works perfectly, so I’m considering this network successfully bypassed. However I’ll keep testing things (and responding to comments) if anyone sees this and has the same issue!

Again, thanks for all of your help!
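
Why Shadowsocks on 80/443 gets through a DPI box that catches OpenVPN and WireGuard is visible in its wire format. The following is an added example written for this page, not code from the post above or from the Shadowsocks/Outline projects: it implements the classic Shadowsocks AEAD framing (aes-256-gcm) for one direction of a TCP connection in Go (1.21+, standard library only). The password "hunter2", the request line and the salt handling in main are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// Shadowsocks AEAD (aes-256-gcm) on the wire: [32-byte random salt][AEAD(2-byte len)+tag][AEAD(payload)+tag]...
// No version byte and no cleartext header, so every byte of the flow looks random to a DPI box.
const keyLen, tagLen, maxChunk = 32, 16, 0x3FFF
// masterKey is OpenSSL EVP_BytesToKey (MD5, no salt) as Shadowsocks uses it; for 32 bytes that is md5(pw) || md5(md5(pw) || pw).
func masterKey(password string) []byte {
	a := md5.Sum([]byte(password))
	b := md5.Sum(append(a[:], password...))
	return append(a[:], b[:]...)
}

// hkdfSHA1 is RFC 5869 HKDF with HMAC-SHA1 (extract, then expand), the KDF the Shadowsocks AEAD spec requires.
func hkdfSHA1(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha1.New, salt)
	ext.Write(ikm)
	prk, out, t := ext.Sum(nil), []byte(nil), []byte(nil)
	for i := byte(1); len(out) < n; i++ {
		exp := hmac.New(sha1.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// sessionAEAD builds the per-connection cipher, subkey = HKDF(master, salt, "ss-subkey"); neither constructor can fail for a 32-byte AES key.
func sessionAEAD(password string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(hkdfSHA1(masterKey(password), salt, []byte("ss-subkey"), keyLen))
	aead, _ := cipher.NewGCM(block)
	return aead
}

// bump advances the 12-byte little-endian nonce counter; both sides do it after every AEAD call.
func bump(nonce []byte) {
	binary.LittleEndian.PutUint64(nonce, binary.LittleEndian.Uint64(nonce)+1) // the low 8 bytes never wrap in practice
}

// sealStream is the client side; salt must be fresh random bytes for every connection (see main).
func sealStream(password string, salt, plaintext []byte) []byte {
	aead := sessionAEAD(password, salt)
	nonce, out := make([]byte, aead.NonceSize()), append([]byte(nil), salt...)
	for len(plaintext) > 0 {
		k := min(len(plaintext), maxChunk) // the length field is masked to 14 bits, so chunks are at most 16 KiB
		for _, pt := range [][]byte{{byte(k >> 8), byte(k)}, plaintext[:k]} {
			out = aead.Seal(out, nonce, pt, nil)
			bump(nonce)
		}
		plaintext = plaintext[k:]
	}
	return out
}

// openStream is the server side; each length is itself ciphertext, so a wrong password or one flipped byte fails closed before any framing is revealed.
func openStream(password string, stream []byte) ([]byte, error) {
	if len(stream) < keyLen {
		return nil, errors.New("stream shorter than salt")
	}
	aead := sessionAEAD(password, stream[:keyLen])
	nonce, rest, out := make([]byte, aead.NonceSize()), stream[keyLen:], []byte(nil)
	next := func(n int) ([]byte, error) { // decrypt one AEAD unit carrying n plaintext bytes
		if len(rest) < n+tagLen {
			return nil, errors.New("truncated stream")
		}
		pt, err := aead.Open(nil, nonce, rest[:n+tagLen], nil)
		bump(nonce)
		rest = rest[n+tagLen:]
		return pt, err
	}
	for len(rest) > 0 {
		pt, err := next(2) // the encrypted length comes first...
		if err == nil {
			pt, err = next(int(binary.BigEndian.Uint16(pt) & maxChunk)) // ...then the payload it announces
		}
		if err != nil {
			return nil, err
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	salt := make([]byte, keyLen)
	rand.Read(salt) // a real client draws a new salt for every connection
	wire := sealStream("hunter2", salt, []byte("GET / HTTP/1.1\r\n\r\n"))
	println("wire bytes:", len(wire), "(32 of them the salt; nothing is sent before it)")
}
```

What the filter sees is 32 random bytes followed by ciphertext in which even the chunk lengths are encrypted, so there is no opcode, magic value or handshake to match; compare OpenVPN's cleartext opcode byte and WireGuard's fixed message-type byte plus three zero reserved bytes at the start of every packet. In a real connection the first plaintext chunk begins with a SOCKS5-style target address (type, host, port), so the Shadowsocks server, not the client, opens the connection to the real destination and the filter never learns it. The trade-off, and the reason the v2ray WebSocket+TLS suggestion further down exists, is that a port-443 flow with no TLS ClientHello is itself a fingerprint that stricter DPI can act on.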

I’m sure Google/Amazon is trusted. Have you tried using a free google/amazon EC2 HTTPS Proxy? If that fails, try ssh SOCKS to Google/Amazon. Of course you’d have to configure it. Or maybe RDP/VNC into a cloud hosted machine and then access the website. If you don’t get a cert with your box, try installing a legit one from letsencrypt. Probably only issuing certs (DPI) that are from a trusted URL.

A proxy through an allowed site/IP block is your easiest bet. u/BlueSteel54 has good recommendations.

A partial fix would be if the Waybackmachine (https://web.archive.org/) is allowed, then you could view webpages through that.

You could try TOR considering it was made to bypass authoritarian restrictions.

It seems like your firewall is blocking domains and protocols since you could access sites that were not allowed. This leaves the potential for tunneling or protocol wrapping, but your destination would have to know how to handle the packets. It’d be easier to proxy.

I see many articles mention Ultrasurf (Windows-only) free proxy. I don’t know how safe it is or if they keep logs though: UltraSurf Security, Privacy & Unblock VPN - Microsoft Edge Addons

Run a Shadowsocks server on a Google Cloud server on port 80, then use Outline to access it; that would work, and it also works on Windows, iOS and Android devices.

I used to run OpenVPN + tls-crypt + scramble patch (you have to compile openvpn yourself) over port 443 on a gcp instance. That worked for any school firewall I had to deal with.

Launch a denial of service attack on the school network and demand that they remove the blocker as ransom. Or don’t, because that’s stupid.

Nothing will work permanently. They will actively monitor and will find whatever you’re doing to get round their systems and block it. I saw someone else mention DDoSing. Don’t. A kid did that to our network and we found out who it was within 2 days. It’s a school, they’ll have a shit ton of monitoring to keep you safe and they will find your attempts to bypass it. We had another kid ask if he could put his Kali Linux laptop on the WiFi. We declined. He did it anyway and was caught within the hour.

Source: Worked at a large private school for 4 years. We monitored everything. I’ve seen it all.

You could try an ipv4 tunnel through dns queries using GitHub - yarrick/iodine: Official git repo for iodine dns tunnel I’d be curious if this works. The gateway might allow valid dns queries and relay your data bypassing the firewall.

Just have the entire campus bombard them with legit site requests to be added. Then when it takes time have them daily log complaint after complaint until it becomes a bigger deal and they reverse policy.

There is a difference between a VPN like WireGuard and one that is obfuscated. There are a few protocols out there that are; can’t think of them off the top of my head. I am pretty sure the TrojanVPN protocol is, though, because it’s made for the Chinese GFW.

Going through a safe domain like Google or AWS or something is a good bet though. Even better, figure out what hosting your school uses and use the same one.

crazy idea, but vpns built into browsers seem to get past a lot of stuff. my school’s wifi is similarly locked down a ton, and opera and opera gx’s built in vpns get around everything flawlessly, while other vpns I’ve tested can’t.

A few tricks that used to work to bypass inspection:

  • Force usage of TLS 1.3. Proxy may not understand it and let it through (TLS fail open). (Only worked some years ago for me)
  • Tunnel SSH traffic over the proxy. SSH server on port 443 (again fail open, but not TLS). You can use SSH together with connect-proxy or cntlm if proxy auth is required. (This works quite often; I’ve even seen companies officially recommending SSH+cntlm for their developers)

You may also try wireguard on port 443. As HTTP 3 quic becomes more popular, proxies/firewalls are starting to let through UDP on port 443.
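
The CONNECT handshake that connect-proxy, cntlm and OpenSSH's ProxyCommand rely on, as an added example that is not taken from the comment above or from any of those tools: a Go program (standard library only) that issues CONNECT through an HTTP proxy, verifies the 200 reply, and then reads what the far end sends, which for an sshd on port 443 is its banner. The proxy and the SSH server are stand-ins run over an in-memory pipe so that it runs offline; vps.example.net, the credentials and the banner string are constructed for the demo.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"strings"
)

// connectThroughProxy does the HTTP CONNECT handshake that connect-proxy, cntlm and "nc -X connect"
// wrap for ssh's ProxyCommand: ask the proxy for a raw TCP tunnel to host:port, then speak SSH over it.
// The returned reader keeps any bytes (the SSH banner) that arrived right behind the proxy's reply.
func connectThroughProxy(proxy net.Conn, host string, port int, userPass string) (*bufio.Reader, error) {
	req := fmt.Sprintf("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n", host, port, host, port)
	if userPass != "" { // Basic is what connect-proxy sends; cntlm answers an NTLM challenge for you instead
		req += "Proxy-Authorization: Basic " + base64.StdEncoding.EncodeToString([]byte(userPass)) + "\r\n"
	}
	if _, err := io.WriteString(proxy, req+"\r\n"); err != nil {
		return nil, err
	}
	br := bufio.NewReader(proxy)
	status, err := br.ReadString('\n')
	if err != nil {
		return nil, err
	}
	f := strings.Fields(status) // e.g. "HTTP/1.1 200 Connection established"
	if len(f) < 2 || !strings.HasPrefix(f[0], "HTTP/1.") || f[1] != "200" {
		return nil, fmt.Errorf("proxy refused CONNECT: %s", strings.TrimSpace(status))
	}
	for { // skip the proxy's response headers; the tunnel starts right after the blank line
		line, err := br.ReadString('\n')
		if err != nil {
			return nil, err
		}
		if line == "\r\n" || line == "\n" {
			return br, nil
		}
	}
}

// sshBannerThroughProxy opens the tunnel and returns the first line the far end sends, which
// for an sshd listening on 443 is its protocol banner.
func sshBannerThroughProxy(proxy net.Conn, host string, port int, userPass string) (string, error) {
	br, err := connectThroughProxy(proxy, host, port, userPass)
	if err != nil {
		return "", err
	}
	banner, err := br.ReadString('\n')
	return strings.TrimSpace(banner), err
}

// fakeProxy is a stand-in built for this example, not a real product: like many filtering proxies it
// permits CONNECT only to port 443, and a permitted tunnel reaches a stand-in sshd that greets first.
func fakeProxy(c net.Conn) {
	defer c.Close()
	br := bufio.NewReader(c)
	reqLine, _ := br.ReadString('\n')
	for {
		if line, err := br.ReadString('\n'); err != nil || line == "\r\n" {
			break
		}
	}
	f := strings.Fields(reqLine)
	if len(f) < 2 || f[0] != "CONNECT" || !strings.HasSuffix(f[1], ":443") {
		io.WriteString(c, "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
		return
	}
	io.WriteString(c, "HTTP/1.1 200 Connection established\r\n\r\n")
	io.WriteString(c, "SSH-2.0-OpenSSH_9.6\r\n") // what a real sshd sends as soon as the TCP session is up
}

// demo runs both ends over an in-memory pipe (no network) and returns what the client saw.
func demo(port int) (string, error) {
	client, server := net.Pipe()
	defer client.Close()
	go fakeProxy(server)
	return sshBannerThroughProxy(client, "vps.example.net", port, "student:hunter2")
}

func main() {
	for _, port := range []int{443, 22} {
		banner, err := demo(port)
		fmt.Printf("CONNECT vps.example.net:%d -> banner %q, err: %v\n", port, banner, err)
	}
}
```

With a real sshd bound to port 443 (Port 443 in sshd_config, or sslh in front if the box also serves TLS there), the OpenSSH equivalent is `ssh -p 443 -D 1080 -o 'ProxyCommand nc -X connect -x proxy.school.example:3128 %h %p' user@vps.example.net` with OpenBSD netcat, or `ProxyCommand connect -H proxy.school.example:3128 %h %p` with connect-proxy; with cntlm the ProxyCommand points at cntlm's local listener, which handles the NTLM exchange. The fail-open the comment describes is the 200 branch above: a proxy that grants CONNECT to 443 and then stops looking cannot tell an SSH banner from a TLS ClientHello unless it parses the bytes that follow.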

This is a good way to put your degree at risk. I would stop what you are doing and just tether to your phone or something instead. Your professor should know how big of an issue this is and would likely be on your side with petitioning the administration to ease up. Odd that a college (assuming this is a college since you mention a major) is citing CIPA for blocking internet though since that’s for minors and minors aren’t generally found in college campuses.

Just use the wifi hotspot on your phone.

Are you able to use ping from a command line to ping hosts? Ping packets can also carry data and can be used with specialized applications to bypass firewalls

Try outline, it is self hosted but works brilliantly at my school.

Also try NordVPN. They have some stuff in order to work in China. As you might know, china’s firewall is sorta superior in terms of blocking and yet they still manage to get internet working.

Not really what you are asking, but how about software such as Parsec for remote desktop streaming? Teamviewer? So you can use your PC “at home”.

I’m mentioning this as an option for your consideration, as I haven’t seen anyone else suggest it. Create some tunnel to some host over IPv6 to your Unix box at home or wherever.

A lot of places that lock down IPv4 over-extensively frequently do poorly with, or neglect, IPv6 altogether.

Hope you post some type of summary or update on how you progress on this.

You are up against an issue a lot of people experience in shitty countries. But there are many ways to get around it but know the school might go after you criminally.

Have you asked for an exception? Or ask if you can try to find ways to bypass and make it a learning experience for everyone. Most likely won’t work, but it did for me when I was a young lad.

The school most likely publishes the allow list somewhere; you should write a program to process the list looking for an expired domain and buy it, then proxy everything using that. This is the easiest and safest way.

Look up domain fronting; it can be used with TOR as well.

The goal with any tunnel is to encode your web request and send it to a server that you control that reads the request and performs the request, encodes the response, and sends it back to you.

With that in mind: You can tunnel through lots of protocols; ssh, ping/ICMP, DNS, SMTP, keyboard lights through RDP, Google drive, Twitter, Slack, GRE, etc.

Since you are going into computer science, a custom tunnel would be an excellent project to work on. I am going to rant for a bit below, showing my thought process.

Depending on what you want to tunnel, some things make more sense than others.
DNS Tunneling uses TXT records, and the max length is 255 characters. But you can use a bunch of them. There will be a crazy amount of requests for a simple webpage, so this will show up in the SOC.

ICMP has a max of 65MB. Sending large ICMP packets like that, the SOC will catch it; it’s a common rule. Plus, ICMP gets filtered/blocked often.

So you are going to want something unique, so remove the ICMP/DNS options. SMTP is a good choice; it’s often not blocked at companies, but your home ISP might block it. Tunnel HTTP through SMTP

I wrote a google drive tunneler. Mount Google drive on the client and server. Then set up two FIFO files, one for TX and one for RX. This was to tunnel traffic through google drive because all data to google was free (as in it didn’t count towards data used).

Another thing you can try is ZeroTier; it’s kind of like a VPN but works differently in that it’s a client ↔ client VPN with the central server acting as a broker only.

Edit: I thought of some more.
QUIC is a new protocol from Google. They use it for video, but it’s UDP with all the TCP features moved into the application layer plus some other fun stuff. Anyway, this might work: https://tools.ietf.org/id/draft-piraux-quic-tunnel-00.html

WebRTC https://www.webrtc-experiment.com/pdf/On-Demand-WebRTC-Tunneling-in-Restricted-Networks.pdf
and a project around the idea RTCTunnel: Building a WebRTC Proxy with Go | doxsey.net GitHub - rtctunnel/rtctunnel: build network tunnels over WebRTC

Best of luck

Reverse ssh tunnel is your best bet mate. Open a port on your home PC, route your school traffic to your home PC. If you’ve set up the tunnel correctly you’ll have unlimited access, or at least if your home PC has access you’ll have it too. Here’s a nice little article which should get you started: