How to bypass content filter?

Georganization. Got cable new. Running some sort of content filter that dumps the blocked sites page with a list of laws banning access to the resource and a black cat.

The computers are configured to connect:
IP: 10.64.[hid].6
gateway: 10.64.[hid].1

In the settings of the LAN settings is a proxy server for your LAN

Already tried all. Even GoodbyeDPI. Nothing helps. When you connect a VPN or TOR doesn't open the pages at all.

The ping and tracert commands as well lead nowhere.

How to win?
April 7th 20 at 10:59
4 answers
April 7th 20 at 11:01
Not knowing the "specifics" it is difficult to suggest a specific solution. Here is a knowledge base on the topic of Habra block bypass RKN:
Program guide type of blocking sites from PR... 2014
* Knowledge of the type of lock that helps to find optimal solution around it.

Investigation of the mechanism of blocking of sites "... rotelec 2015
Transparent bypass locks on a home network 2015
Offline way to bypass DPI and effective way to ... 2017
Configuring BGP to bypass the lock, or "I ne... , 2018
Mikrotik soul vs soulless ILV and such...well , 2019
Bypass locks ILV with DNSTap and BGP 2019

- Rostelecom already uses DPI to block, so you need to watch methods against him.

- Cut VPN port number and type of packages they don't have - violated all corporate remote offices. Can only block access to certain VPN providers. But nobody forbids to rent a server on Amazon and raise the VPN through it.

PS: As always on habré - the most interesting is not the article, and the comments to it.

PPS: a magic link with the addition of at the end - gives 99% of answers to any technical questions.
Thanks for the compilation.
And what "specifics" needed?

Blakjak chased: he was not able to identify the lock.
The Pro version of VPN fully support, because for example it's works without problems. Will means to find a suitable VPN. - Lewis51 commented on April 7th 20 at 11:04
@Mckenna4, the specifics - the type used by Rostelecom lock:

1. Blocking, DNS blocking does not-the provider of the DNS servers, forwarding DNS queries from provider DNS servers to the provider. A provider already fake DNS A-record from DNS server, while blocking of banned domains.

2. blocking by IP address in the register is prohibited

3. blocking using a DPI, but only on certain IP and port 80

4. blocking using DPI on all IP and all ports (the worst case)

If time (and desire) to experiment there, try a VPN, for a free test period. They argue that penetrate even the Chinese firewall is the VPN masking under ordinary https traffic.
On Tele2 and Novotelecom he just bypasses all the blocking, I checked myself.

There already will be clearer in which direction to move on. - noble55 commented on April 7th 20 at 11:07
@Rebecca_Ward, very grateful. Will experiment of course, since most interesting to solve the puzzle. About the process, I will unsubscribe.

Of course was hoping for a test solution, therefore, indicated as a sign that the time lock gives a page with a list of laws and out from below a black cat. Who can already faced a similar. Note that this filter is for educational institutions (schools). I know that it was installed some certificates, and basic cable out of the box with a large switch and other bespereboynik.

PS She issued page has the address, whether that, whether something Like that. - Lewis51 commented on April 7th 20 at 11:10
Cutting VPN port number and type of packages they don't need

Port number - Yes, usually do not cut. Cut to the src ip. Ozersky the computer is unable to install any VPN, Point.
(However, if TeamViewer works means not so smart this filter :) TeamViewer is switched off. Not to say that elementary, but muted. - ettie.Satterfie commented on April 7th 20 at 11:13
Note that this filter is for educational institutions (schools). I know that it was installed some certificates, and basic cable out of the box with a large switch and other bespereboynik.

so it's not a lock ILV (I'm stupid), and content filter Rostelecom. In 2015, he worked on the basis WebFilter Entensys.

And their certificates they put to monitor https traffic using a MItM attack by spoofing the ssl certificate.

Therefore, the filter WebFilter Entensys has the ability to:
The "inject script" that allows you to insert the necessary code into all web pages viewed by a user before the tag

even encrypted over https.

For educational institutions they have the right to cut and VPNs and anything. And it's bad that they have everything is logged, and the fact that bypassing the filter will sooner or later be recorded that can have unpleasant consequences in the form of violations of law 139-FZ and 436-FZ.

It might be easier to use the Internet MTS/Tele2/Beeline through the access point smartphone? - noble55 commented on April 7th 20 at 11:16
@Rebecca_Ward, with the layouts really easy with your smartphone to give away. - Lewis51 commented on April 7th 20 at 11:19
In the Internet writethat in educational institutions regularly receive "aunties" from the Prosecutor's office and entered in the search all sorts of forbidden words to check that the content filter. Look your browser history, etc.
According to the results prescribed protocols and regulations.

If you do not interfere in the work of the "black boxes", the claim will be not to you but to Rostelecom.
This ensures that you will not disappear from our community for 5-6 years. And it will be doubly frustrating to realize that we are their "tips" indirectly could contribute to this. - noble55 commented on April 7th 20 at 11:22
@Rebecca_Ward, of course everything You say will take note and unnecessary movements will try not to do it.

In the box no tinkering yet. Interesting of course, but it was either then or never...) - Lewis51 commented on April 7th 20 at 11:25
April 7th 20 at 11:03
I understand that You desperately want to know how efficient in that your state organizations working office of it security (and if it is not just the security)? The knowledge gained might affect the award/career/further work - depending on what office and what is your position on the inside thereof.
It may well be that You allowed all traffic to the outside - I would have done so. Internal mail server internal proxy, and to the outside - just nothing at all.
From the question it is clear that this is a school that participates in the project "a Digital country" and the author risks nothing. - Meghan.Grant commented on April 7th 20 at 11:06
@buddy45question nichrome is not clear - this time. You - admin of this project, You know exactly what data by whom and how are you going to be here and so to say? Not? Then I wouldn't. - ettie.Satterfie commented on April 7th 20 at 11:09
No, You misunderstand. Security here there are no as-such. Just came from Rostelecom, put the box and left. All. Here is not a defense plant. People used free time to go on the favorite, and I need those resources, many of which are now not available. And filter this works really awkward - one-de the website may be accessible now, but tomorrow is not. And Vice versa. - Lewis51 commented on April 7th 20 at 11:12
@Mckenna4, I somehow just know. Including what you do not understand You :) You know how this box works? As it filters the data collected and where to send them? - ettie.Satterfie commented on April 7th 20 at 11:15
April 7th 20 at 11:05
Why don't you contact Rostelekom?
April 7th 20 at 11:07
Likely to use a fake certificate for content filtering with secure connection..

Find more questions by tags Computer networks