How Amnezia VPN is Fighting Internet Censorship with Open-Source Technology?

“They do have Deep Packet Inspection (DPI) systems, and currently, they are incorporating AI, obviously,” said Mazay Banzaev and Ana D, of Amnezia VPN, in an interview with MediaNama’s managing editor, Sashidhar KJ. They were referring to the advanced methods of internet censorship and surveillance that governments are using, especially against several VPN (Virtual Private Network) service providers. The DPI level of surveillance is different from the traditional blocking of IP addresses by Internet Service Providers (ISPs). “DPI is a technology that allows one to recognize what is inside the traffic. This technology is not about recognizing what an IP address is doing. It’s an entirely different way to block something, regardless of whether it’s a VPN or not—it’s a different approach,” they said, highlighting the pattern-based detection of internet traffic, which is then used to block at the protocol level.

Why Access to VPN Matters:

VPNs are essential for enhanced security, online privacy, and accessing restricted websites. Recently, the Indian government instructed Apple’s App Store and Google’s Play Store to remove several VPNs from their platforms. Earlier in 2022, the popular VPN service provider Surfshark shut down its servers in India. ExpressVPN followed suit. These exits came after directives from the Indian Computer Emergency Response Team (CERT-In), mandating the retention of user data for five years and web activity logs for nearly six months.

Governments around the world are trying to crack down on VPN service providers. China, Russia, Iran, Myanmar, and Turkey are just a few examples of countries attempting to restrict free access to the internet.

Amnezia VPN, founded by Mazay Banzaev in 2020, aims to combat online restrictions imposed by governments and promote internet freedom. The VPN company claims to provide unrestricted access to the internet, including sites banned by governments or ISPs.
Unlike many other VPNs, Amnezia VPN uses open-source software, and the company claims it does not collect or store any user data, including logs or analytics.

Amnezia VPN’s founder, Mazay Banzaev, and Ana D, Amnezia VPN’s product manager, spoke to MediaNama about how they are fighting internet censorship, not only of website URLs but also of VPN networks. The interview has been edited for brevity and clarity.

Excerpts from the interview with Mazay

How is it different from other VPNs?

We basically only had a self-hosted option. That means you find a host yourself, with any provider that you like and install a ready-to-go VPN on the server that you either rented or bought. So, you are basically in control of everything. You can see what’s going on the server. Last year, we launched our Premium plan, which follows the same principles. This means no logging. We are not replying to any government’s requests to provide information about our users because we simply don’t have that information. It’s completely pointless, you know.

Additionally, for our Amnezia Premium plan, we are currently integrating the XRay VLESS protocol, which is undergoing testing. XRay VLESS significantly enhances obfuscation by making VPN traffic indistinguishable from regular HTTPS traffic. Unlike traditional protocols, XRay VLESS doesn’t leave recognizable metadata, improving resilience against DPI detection and sophisticated censorship techniques.

Note: VLESS refers to the lightweight, stateless transport protocol designed to facilitate communication between Xray clients and servers. A stateless transport protocol is a communication system that doesn’t save any session information in any state or form.

If you want a simple solution and don’t have deep knowledge of how to control your server, you can just use our VPN, rent a server, click a few times, and that’s it—you’re ready to go.
Or, if you don’t want to do that, we also have a Premium plan where we’ve already chosen the providers. We have a really good infrastructure, and as I said, we don’t reply to government demands. That’s basically the main thing.

On top of it, it’s also an open-source app, which is important because you can go and check for yourself what’s actually happening inside the code. It’s completely open, and you are free to confirm that our principles are the real deal.

On giving access to banned websites:

Amnezia Free plan provides limited access to banned websites. However, if you purchase Amnezia Premium, you will have full access to any website. It works like any regular web VPN service.

Note: In February 2024, after the coup, Myanmar’s internet providers blocked access to internet services, including social media like Facebook and WhatsApp, and information-based websites like Wikipedia. Reportedly, they have also blocked access to several VPN service providers. Despite this, Amnezia said it could unblock the websites in Myanmar.

With the free version, we’re only routing access to banned resources in specific countries. All other parts of the internet will be accessible, as long as they are not banned in your country. You’ll also be able to access most of the content that is banned in your country.

Dealing with removals from app stores:

Yes, there is an issue in many countries, especially Russia, where the government requests that our app be removed. For instance, the app on the Apple Store is inaccessible, but we do have a plan to handle it. We’ve proactively developed several strategies. For example, we’ve launched white-label clones to make identification and blocking more difficult for authorities. We also have instructions on our official website, where users can change their region in the App Store or Google Play Store to download the app. This bypasses regional restrictions without issue.
Additionally, we are distributing our app through alternative platforms like GitHub, Uptodown, APKPure, and others.

Restrictions in countries other than Russia:

I would definitely like to recall Iran. There are definitely more restrictions there than in Russia. They are successfully blocking IP addresses of the hosters, and they do it much more often. I would also mention Myanmar, Turkey, and Kyrgyzstan.

What kind of content is being blocked in these countries?

I would say it’s pretty much the same as in Russia. It’s like social media on news resources, social networks. In Iran, news media is the most restrictive environment; maybe GitHub is also blocked, as well as Wikipedia, or at least knowledge bases. In Myanmar, I think the list is almost similar to Iran. Most social networks are also blocked but GitHub is working, I know. Social networks and media resources. WhatsApp as well as Twitter, messengers, and other VPNs could be blocked after 2021. Also, they’re blocking cryptocurrencies and the crypto market.

DPI-level of Detection and Surveillance:

Well, mostly, technology-wise, it’s pretty much the same. They’re blocking IP addresses of the hosting providers, mostly a bunch of IP addresses from networking media and so on. Of course, they do have DPI systems, and currently, they are incorporating AI — obviously. And yeah, we kind of caught it in a way because, for example, initially, we were using the WireGuard protocol, which is the most common protocol for VPNs. At some point, we had to start developing a new protocol or find something that would work and avoid DPI detection, because otherwise, it would be pointless, right? So, you have to grow; you have to research constantly to stay ahead of the government’s technology. We have to develop faster. There’s no other way.

That’s why we came up with our own protocol — AmneziaWG — which retains all the best aspects of the original WireGuard protocol.
On top of that, we added a layer of obfuscation that helps avoid DPI detection, which is actually working really well.

Note: WireGuard is also an open-source protocol that creates secure Virtual Private Networks (VPNs) by encrypting the data within a WireGuard tunnel using advanced cryptographic methods.

On top of that, we’re actively working on the next version of the protocol, called AmneziaWG 2.0, which is currently in testing. It builds upon the original AmneziaWG by introducing additional parameters that allow users to configure junk packets using regular expressions. This provides greater control over obfuscation, further complicating DPI detection.

How does Amnezia obfuscate DPI detection?

AmneziaWG is a modified version of WireGuard. It adds randomized packet-size junk packages. There are three main modifications:

Before initiation, AmneziaWG sends random junk packets.

In the handshake packet, we add some junk bytes before the main data.

We modify the magic headers so that, if the packets are inspected, they no longer resemble WireGuard’s identifiable headers.

These measures help make the protocol stable and virtually undetectable, as it resembles random UDP traffic. It becomes impossible to determine whether it’s VPN traffic or just unknown data.

Note: The User Datagram Protocol (UDP) is a communication protocol used on the Internet for time-sensitive transmissions, such as video playback or DNS lookups (process of looking for readable alphanumeric names of original cryptic IP addresses). This protocol accelerates communication by transferring data without establishing a formal connection.

How is DPI surveillance different from IP address blocking?

If we’re talking about DPI, it’s not about banning IP addresses. DPI is a technology that allows one to recognize what is inside the traffic. This technology is not about recognizing what an IP address is doing.
It’s an entirely different way to block something — regardless of whether it’s a VPN or not; it’s a different approach. When DPI is used, the system can block a protocol, such as a VPN protocol, based on specific signatures. It’s like a pattern of traffic. When network hardware detects this pattern, it blocks the flow.

However, if authorities try to block IP addresses or networks, it involves the analysis of providers. For example, in Russia and Iran, many hosting providers are blocked, such as DigitalOcean and Amazon’s AWS. In Iran, Amazon’s AWS is also blocked.

On Governments using machine learning for blocking:

You know, machine learning is a very expensive technology. However, network hardware, such as routers and network switches, handles billions of packets of bytes, and it depends on the speed of the hardware. At the moment, it’s almost impossible to use advanced machine learning algorithms to detect and block VPN traffic for widespread use because it’s too expensive. Most technology is based on patterns and regular expressions.

What does VPN traffic look like to detect?

Detection can be based on specific signatures or constant byte patterns. For example, with WireGuard, it’s very easy to implement this regular expression because WireGuard is a well-known protocol, and there are predictable bytes that are constant. However, there are more advanced patterns, and there are engineers, such as those in Roskomnadzor in Russia, who are trying to implement new patterns that allow them to detect more advanced VPN protocols.

Note: Roskomnadzor is the Federal Service for Supervision of Communications, Information Technology and Mass Media. This government body is responsible for monitoring, controlling, and censoring mass media.

But new patterns are also being developed, such as patterns of network usage. For example, when using a VPN, you send traffic through a VPN application, trying to send all packets to a single destination.
This can also be considered a pattern.

How does Russia censor the internet?

In Russia, we have a government structure called Roskomnadzor, for example, that controls things like blocking DPI and so on. They basically install devices called the TMCT inside the ISP. These devices are responsible for handling DPI.

Note: TMCT refers to Technical Means of Countering Threats, where the network operators are required to share the routing information with the regulator, Roskomnadzor.

They analyze HTTP, HTTPS requests, and responses, as well as DNS requests, and they’re able to check what is going through that device. If there is any other protocol, it’s easy to see what protocol you’re using and even what content is being transmitted. That is very concerning, I would say, for sure. So, the main thing is to be able to avoid recognition by those devices. There should be different headers, different patterns, and so on.

On Honeypots:

I think it’s a really important one because we believe that honeypots are serious threats, especially when it comes to user trust. Yes, there is an issue with honeypots, particularly in heavily censored regions. And that’s why our app is open source. So, you can verify its code and ensure that there is no hidden surveillance mechanism. I would recommend choosing open-source VPN solutions. Otherwise, it’s all about trust, and it seems hard to trust due to the presence of honeypots nowadays.

Well, I meant not the protocol being open source, because there are a bunch of different protocols. What I meant is that the app itself, the code of the app, should be open-sourced. So it should be posted, for example, on GitHub, where you can actually build the app. You can download the repository and build the app yourself to see how it works. You can check its code from top to bottom, and you can even take the code, throw it into ChatGPT, for example, and ask, “Are there any honeypots?
Is there anything hidden that I should know about?” And it will tell you no. In our case, for example, there should also be no collected logs, and so on. In my opinion, that is also important.

On measures to protect the infrastructure:

There are many measures in place to protect our infrastructure and some of our metrics. It’s private technology, how we defend our backend, and how we manage these things. But overall, you can read our audit reports and check how we approach security. All data is available. It’s almost impossible to explain everything in 30 minutes. The audit took about one month to detect our vulnerabilities, and we regularly fix all vulnerabilities. The audit was made by 7ASecurity.

On VPN Censorship in India:

Yes, we read about certain directives in India, and as far as I know, the requirements are to collect and store user data and logs, which we believe is completely unacceptable. It definitely contradicts the purpose of a VPN. We have no plans, for example, to register or host infrastructure in this case because of these demands. We refuse to compromise on user privacy and security because that is the cornerstone of our principles. Since we do not collect any user data, information, logs, or traffic, we would refuse to comply with such requirements. It’s not good to collect all that information. So, we would continue to develop new solutions to avoid censorship. If an app is blocked in certain stores, there are ways to work around that, like changing regions. There are things you can do to access the apps you need.

On Government demands for user data:

We would refuse because, as I mentioned earlier, we would refuse to collect data. So, they would have to send requests to Google, and the app would eventually become inaccessible from India. In that case, we would recommend the same methods to download the app as we do in Russia and other countries by changing regions in the App Store or Google Store.
There are other platforms where you can download the app, such as GitHub, APKPure, or Uptodown. Additionally, there is more we are working on.

Well, it’s inevitable, you know; you have to make peace with it. What other options are there? It’s either you agree to these demands and stay, but in doing so, you’ll lose all the trust that users have placed in you over time. That’s not going to work because it’s all about trust, all about reputation, and we are not going to do that. So yes, if they remove it, that’s fine. There are other options to download and distribute the app. If they ban it on those platforms as well, then yes, we will work on it and upload it elsewhere.

On ISPs blocking IP addresses without government order:

Oh, they do, of course; it’s a pretty common thing. But, for example, when we talk about WireGuard, the original protocol no longer works in most parts of Russia at all. And as we mentioned earlier, that’s why we created AmneziaWG, an enhanced version of WireGuard. And yes, obviously, technologies will continue to develop, which is why we have an incoming second iteration. Essentially, all of this with the protocol is a race to see who will do it first, right? But yes, it’s a pretty common thing. We’ve sort of gotten used to it, not going to lie, but we have to stay ahead.

On governments regulating self-hosted VPNs?

That’s a tricky question. Well, I would say that there are options, for example, where a VPN protocol can mimic normal traffic, such as HTTPS. XRay VLESS does that, and I would consider that as an option to explore.

I think the problem of criminalization is not the VPN protocols being detected, because XRay VLESS and AmneziaWG are undetectable, like a regular VPN tunnel. The most important risk is detecting VPN applications on devices. For example, in Turkmenistan, there are very strong laws that prohibit the use of VPNs, and users try to hide how they use VPN applications.
If the police check your mobile phone and find a VPN application, you can be charged in Turkmenistan. So, that’s the most important issue.

For example, in Russia, when you’re using bank apps and so on, they actually check the processes on the phone to see if you’re using a VPN. If they detect it, they will ask you to turn it off, saying, “Please don’t use VPN.” I would say that is not a good sign for the future. So, we will, I would say, have to mimic the app to something else as well.

On advice for using VPNs in high-risk areas:

Well, I would suggest maybe using two phones. Don’t use a fingerprint to unlock your phone, so the government authorities won’t be able to unlock it with your finger, and don’t use Face ID either, as that is not safe. There are also options on Android phones, for example, where you can hide apps. In most cases, police officers aren’t very tech-savvy, so they’re not likely to dig deeply into your phone. You can try hiding the apps you’re using, putting a password on them, or changing the icon, changing the name, and so on. There are options available to help you stay safe.

On challenges to VPN providers from governments:

It’s a constant technological battle to see who will do it first. The one who does it first is often followed by others catching up, and switching places is just part of the process. The government blocks first, creates something new, and we catch up. Or we get ahead by creating something truly innovative and undetectable, such as the protocol we already have. Now, for example, the government is trying to catch up, but so far, it’s difficult for them to do so. We are ready for it, and everyone should be ready for it, both now and in the future.

First and foremost, it should be completely transparent to users. That’s the key. Ideally, it should be open source. Open-source VPNs will evolve towards complete decentralization and increased flexibility because, as I mentioned, it’s a battle.
You have to either catch up or stay ahead. What I mean by this is that you can’t hold your infrastructure in one place; you can’t store payment data, for example, in one location because it can be blocked at any time.

Protocols, of course, should be capable of rapid adaptation to censorship, as this will become critical. The threats are increasing, with the sophistication of DPI growing, and on top of that, AI is being incorporated. This will make metadata analysis by governments more widespread. While it’s still an expensive process, as I mentioned earlier, it will become cheaper over time.

Advice before using VPNs:

I would advise that there should be full transparency from the VPN service providers, because otherwise, you cannot trust it, especially due to honeypots. That’s a critical issue. If it doesn’t have open code, you cannot know what’s actually going on. So, I would advise being careful, researching the matter, and being really cautious.

It is most important for users to stay updated on what is happening in the field of VPN blockages by governments and the overall situation in various countries. Understanding what’s going on in different regions is crucial. Stay informed about censorship and related matters. Reading sources like Medianama is a good way to stay updated.
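
Added example (not part of the interview and not Amnezia's code): what a fixed byte-and-length signature of the kind described under "What does VPN traffic look like to detect?" reports when the three modifications listed under "How does Amnezia obfuscate DPI detection?" are applied. The packets are constructed stand-ins with random bodies; the replacement header value, the junk sizes and all function names are assumptions chosen for illustration.

```python
import random
import re
import struct

WG_INIT_LEN = 148  # size of a WireGuard handshake initiation message
# Message type 1 followed by three reserved zero bytes: the constant prefix.
WG_INIT_RE = re.compile(rb"\A\x01\x00\x00\x00")

rng = random.Random(7)  # fixed seed so the constructed samples are repeatable


def rand_bytes(n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def handshake_initiation(header=1, junk_prefix=0):
    """Constructed sample: real header and length layout, random stand-in body."""
    body = struct.pack("<I", header) + rand_bytes(WG_INIT_LEN - 4)
    return rand_bytes(junk_prefix) + body


def is_wireguard_initiation(payload):
    """Fixed signature: exact payload length plus constant leading bytes."""
    return len(payload) == WG_INIT_LEN and WG_INIT_RE.match(payload) is not None


def classify_flow(payloads, inspect=1):
    """Label a UDP flow from its first `inspect` payloads, as a signature rule would."""
    for payload in payloads[:inspect]:
        if is_wireguard_initiation(payload):
            return "wireguard"
    return "unknown-udp"


NEW_HEADER = 0x5A17C3E9  # hypothetical replacement header value
JUNK_BYTES = 23          # hypothetical junk length before the handshake data

# Constructed flows, not captured traffic.
plain_flow = [handshake_initiation()]
modified_flow = (
    [rand_bytes(rng.randint(40, 90)) for _ in range(3)]  # junk packets sent first
    + [handshake_initiation(NEW_HEADER, JUNK_BYTES)]      # junk bytes + new header
)


def report():
    return {
        "plain": classify_flow(plain_flow),
        "modified_first_packet": classify_flow(modified_flow, inspect=1),
        "modified_all_packets": classify_flow(modified_flow, inspect=len(modified_flow)),
        # Either handshake change alone already breaks the fixed signature.
        "header_only": is_wireguard_initiation(handshake_initiation(header=NEW_HEADER)),
        "prefix_only": is_wireguard_initiation(handshake_initiation(junk_prefix=JUNK_BYTES)),
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

The signature depends on both the constant first four bytes and the fixed 148-byte length, so a rule keyed on either one stops matching once the header value or the payload length changes.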