On 2014-05-13 23:09, grarpamp wrote: [..]
> But we can bind to it and let users find it with their own openvpn scans close to (one up or down from) our OR IP. Just use the standard openvpn TCP port on it.
Thank you for suggesting the GFW folks now scan and/or directly block these IP addresses too.
[..]
> The point is, we already own these extra IPs, and legitimate people are being blocked from services for no reason other than kneejerk or blind reactions to Tor via blocking services. Ahem, cloudflare, et al and other blocking 'services' well known to us.
You are mixing the difference between an operator of a site selecting who their viewers are and a man-in-the-middle selecting that for both the user and the server. Don't mix those up.
I am pretty-much-completely pro-Tor as there are good uses, but for controlling who logs in and who abuses you, Tor is a bad thing as you don't know what the source is. As an operator of a (server) site, being able to say "sorry, we do not accept connections from Tor" is a good thing, as there are situations where that is needed.
[..]
> Yes, blocklists could try the 'one IP up/down' scan method and list this project of ours too
As it can be done automatically, it is not "more work" for them.
And actually, they are likely already scanning every IP in the /24 where a relay is located (well, actually they just scan the whole IPv4 space anyway, with zmap it is done very very quickly)
> but it's more work for them and they're unlikely to do it in any sort of global fashion. Especially since they can't prove it's part of Tor (because we don't publish the IP's as such).
If the address space (e.g. the /24) does not contain anything "normally useful" they will just block it based on that.
Instead of doing OpenVPN (which Wireshark knows and thus is easily detected by port number but also protocol itself), look at the variety of Pluggable Transports[1] people have been developing and deploy these.
They are typically scan and protocol analysis resistant which will give much better bang for your buck.
Of course, using BridgeDB is a good thing there to publish these details, or you could invent some new method of passing details to people (puzzle game solving à la captchas being a good start though defeatable by having slaving-away people getting paid for solving them).
Greets, Jeroen
[1] = https://www.torproject.org/docs/pluggable-transports.html.en
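The two points Jeroen makes above (a "one IP up/down" scan is trivially automated, and OpenVPN over TCP is recognisable from the protocol itself, not just the port) can be shown in a few lines. The following is an added example written for this page, not code from the thread or from the Tor project. The relay addresses and packet bytes are constructed (documentation-range IPs, made-up session id); a real check would take relay addresses from the consensus. The OpenVPN framing used is the public one: a 2-byte big-endian length prefix on TCP, then an opcode byte with the opcode in the high 5 bits and the key id in the low 3 bits, then an 8-byte session id. The heuristic does not parse the extra HMAC that tls-auth/tls-crypt insert after the session id, which is an assumption of this example.

```python
"""Added example (not part of the original thread).

Part 1: how close an address sits to a known Tor relay, i.e. what a blocklist
could compute for every relay automatically.
Part 2: a first-segment fingerprint for OpenVPN over TCP, i.e. why a 'hidden'
OpenVPN endpoint is still recognisable without knowing the port.
"""
import ipaddress
import struct

# Constructed relay addresses (RFC 5737 documentation ranges). In practice
# these would be taken from the published consensus.
RELAY_IPS = ["203.0.113.10", "198.51.100.77"]


def relay_neighbourhood(ip, relays=RELAY_IPS, distance=1):
    """Classify `ip` relative to known relays.

    Returns 'relay' (exact match), 'adjacent' (within `distance` addresses,
    the 'one up/down' case), 'same_slash24', or None if unrelated.
    """
    addr = ipaddress.ip_address(ip)
    verdict = None
    for r in relays:
        relay = ipaddress.ip_address(r)
        if addr == relay:
            return "relay"
        if abs(int(addr) - int(relay)) <= distance:
            verdict = "adjacent"
        elif verdict is None and relay.version == 4 and \
                addr in ipaddress.ip_network(f"{relay}/24", strict=False):
            verdict = "same_slash24"
    return verdict


# OpenVPN opcodes: high 5 bits of the byte following the TCP length prefix.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

# Client hard-reset opcodes: the only thing a fresh OpenVPN session can open with.
CLIENT_HARD_RESET = (1, 7, 10)


def openvpn_tcp_fingerprint(first_segment):
    """Return the opcode name if `first_segment` (the first bytes a client sends
    on a TCP connection) looks like an OpenVPN client hard reset, else None.

    Assumes no tls-auth/tls-crypt HMAC follows the session id.
    """
    # length prefix (2) + opcode byte (1) + session id (8)
    if len(first_segment) < 11:
        return None
    (plen,) = struct.unpack("!H", first_segment[:2])
    if plen != len(first_segment) - 2:
        return None  # the prefix must frame exactly one packet
    opcode, key_id = first_segment[2] >> 3, first_segment[2] & 0x07
    if opcode not in CLIENT_HARD_RESET or key_id != 0:
        return None  # a new session starts with a client hard reset on key id 0
    return OPCODES[opcode]


# Constructed first segment: len=14, opcode 7 / key_id 0 (0x38), session id,
# empty ack array, packet id 0.
SAMPLE_OPENVPN = (bytes.fromhex("000e") + b"\x38"
                  + bytes.fromhex("0011223344556677")
                  + b"\x00" + b"\x00\x00\x00\x00")
# Constructed TLS record start for contrast (0x16 0x03 0x01 ... is a handshake record).
SAMPLE_TLS = bytes.fromhex("16030100c5010000c10303")

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.200", "192.0.2.5"):
        print(ip, relay_neighbourhood(ip))
    print("openvpn sample:", openvpn_tcp_fingerprint(SAMPLE_OPENVPN))
    print("tls sample:", openvpn_tcp_fingerprint(SAMPLE_TLS))
```

Running it classifies 203.0.113.11 as adjacent to a relay and 203.0.113.200 as merely in the same /24, and flags the constructed segment as P_CONTROL_HARD_RESET_CLIENT_V2 while rejecting the TLS bytes. The relay check is the whole of the "extra work" a list maintainer would need, which is the point about automation; the fingerprint is why pluggable transports, which are built to avoid exactly this kind of first-packet signature, are the better fit for the spare addresses.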