💾 Archived View for clehaxze.tw › gemlog › 2022 › 08-18-likely-indonesian-network-survelience.gmi captured on 2023-03-20 at 17:48:14. Gemini links have been rewritten to link to archived content
So, recently I was on a business trip to Indonesia. I made major security and OpSec preparations due to being forced to use airport and hotel WiFi for a large chunk of my time. Also some physical defence, but that's more personal paranoia; my main goal is to evade large-scale, automated attacks. And that's how I found something wrong with the Indonesian internet.
Before departing to Indo, I set up 2 WireGuard accounts on 2 physical servers running on TANET (Taiwan Academic Network). Got a very good mobile roaming package from my telecom provider. And set up spiped[1] on my homelab as an absolute backup.
[1]: spiped the secure piping daemon
First I arrived at Manila Airport waiting for my plane to Indo. As expected I had to use airport WiFi there. What's not expected is how bad the place is. There's free WiFi for sure. But what's more available is commercial paid WiFi that requires your phone number. And is only free for 15 minutes. And most stores there do not accept credit cards. Anyways, I connected to the free WiFi and fired up WireGuard. Nice, things work correctly and I have a secure connection.
Then I arrived in Indonesia. At the hotel, I also connected to their free WiFi. But this time WireGuard cannot establish a secure connection. That's not good. I tried my backup options. My secondary WireGuard also fails. While SSH tunneling works, Tor works, even spiped works. Upon more debugging, I found that the WG server never replies to the client initialization handshake. How sus is that.
More debugging. I tried to connect via my mobile network. It's running under roaming. So "in conception" it should route my traffic to my origin ISP before leaving the core network. Basically a trusted VPN directly in the routing layer. Which should, in principle, bypass whatever is causing WG to fail.
That legit works. So something is up with the WiFi. Later I tried to connect to WG in a cafe and a mall. Both also failed with the same symptom. Maybe TANET blocked UDP connections from Indonesia? Not that either, HTTP/3 works.
I think it's fair to assume a country or at least an ISP level firewall is blocking WG. But DuckDuckGo-ing turns up nothing about that. Especially after the recent news of Indo banning Steam. It's safe to assume that a protocol level VPN ban will be on the news everywhere. To check my sanity, I ran the mobile version of OONI[2] to check for known censorship. Everything is squeaky clean.
[2]: OONI - Open Observatory of Network Interference
_But_ OONI explorer does show some interference[3]. Tests in middlebox detection and circumvention show consistent errors. Furthermore, I'm able to get WireGuard working by wrapping it inside Shadowsocks[4].
[3]: OONI explorer - Indonesian Web Connectivity test plot around 2022-08-16
[4]: Shadowsocks - A fast, secure tunnel proxy that helps you reach Internet
There's something going on with Indonesia's Internet. But it's stealthy. None of my SSH got MITM'd. Gemini doesn't show TOFU violations. spiped preshared key matches. etc. Whatever it is, I don't like it.
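
The symptoms above (handshake initiation never answered, HTTP/3 unaffected, WireGuard working once wrapped in Shadowsocks) are what a filter keyed on WireGuard's cleartext message header would produce. The sketch below is an added example, not part of the original post, and it does not establish that the networks described work this way; the function names and all sample packets are constructed for illustration.

```python
import hashlib
import struct

# Fixed sizes from the WireGuard protocol: type 1 = handshake initiation,
# type 2 = handshake response, type 3 = cookie reply.
FIXED_SIZES = {1: ("handshake_initiation", 148),
               2: ("handshake_response", 92),
               3: ("cookie_reply", 64)}

def classify_wireguard(payload: bytes):
    """Return the WireGuard message name if the UDP payload has the
    protocol's cleartext header shape, otherwise None."""
    if len(payload) < 4:
        return None
    # First 4 bytes: 1-byte message type followed by 3 reserved zero bytes,
    # i.e. a little-endian u32 equal to the type.
    (msg_type,) = struct.unpack("<I", payload[:4])
    if msg_type in FIXED_SIZES:
        name, size = FIXED_SIZES[msg_type]
        return name if len(payload) == size else None
    # Type 4 = transport data: 16-byte header + padded ciphertext + 16-byte tag.
    if msg_type == 4 and len(payload) >= 32 and len(payload) % 16 == 0:
        return "transport_data"
    return None

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

# Constructed samples (not captured traffic).
WG_INIT = b"\x01\x00\x00\x00" + pseudo_random(144, b"wg-init")
WG_KEEPALIVE = b"\x04\x00\x00\x00" + pseudo_random(28, b"wg-keepalive")
# QUIC v1 long header: first byte has the top two bits set, then version 1.
QUIC_INITIAL = b"\xc3\x00\x00\x00\x01" + pseudo_random(1195, b"quic")
# The same initiation carried inside an encrypted tunnel: an observer sees
# only ciphertext, modelled here as random bytes of arbitrary length.
WRAPPED_INIT = pseudo_random(214, b"wrapped")

def classify_samples():
    samples = {"wg_init": WG_INIT, "wg_keepalive": WG_KEEPALIVE,
               "quic_initial": QUIC_INITIAL, "wrapped_init": WRAPPED_INIT}
    return {name: classify_wireguard(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13} -> {verdict}")
```

Running the same classifier over a packet capture taken on the client side shows whether initiations leave the machine without a matching response, which separates on-path filtering from a local misconfiguration.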