Install Psiphon
Magali Swinderman
Here I used -dataRootDirectory because without this argument psiphon would create a folder named ca.psiphon.PsiphonTunnel.tunnel-core at current working directory every time it starts, this argument prevents it.
I have Psiphon 2.5 installed on my computer (Ubuntu 10.04) and it works fine. However, my friend in China says that he can not watch any video. I tried myself on a regular computer (Ubuntu 10.10) and found out that I can not watch any video either when logged in my Psiphon. However, using the same computer and the same browser, I can watch videos without any problems when I go directly to their site without using Psiphon. It's only when using Psiphon that the videos don't show. The message I get depends on the site. For example, on rael.org I get:
Hi Damien. By default and for the safety of our users we disable javascript and flash content (which is usually used for playing video on web pages). We also have special capabilities for allowing certain javascript content through (rewritten of course to be proxied). If you install Psiphon 2.6 (which was just recently released), you should get youtube compatibility. Try it out.
Dear Admin,
I met the same problem as the user above. I surf youtube page with video but Psiphon 2.6 service cannot let my browser watch the video. The youtube page said flash player must be installed first.
I downloaded the latest .sql from the trunk, but was wondering how these files can be executed...? I tried looking around, and ran a few commands, but I still don't think the file was merged because even after recompiling Psiphon, I get the same result on YouTube - a black box. Flash IS installed, and the same video works when not running through Psiphon. I'm on Ubuntu 11.04.
NOTE: If you actually see "#psiphon_mysql_password#" on those lines, then you're looking at the raw source code and not at the installed location -- that's just a placeholder that gets replaced during installation.
in your firewall rules do you have any rule with allow all for ports? In you general access rule you should only allow http/https, maybe ping, icmp. In the web tab have you enabled block invalid certificates and unrecognised SSL protocols?
I have different firewall rules for different subnets. So, I am testing one rule on one particular IP address. Even after limiting the services from ANY to HTTP, HTTPS and ICMP in the Destination & services, Psiphon is still able to connect. And, as you mentioned Block unrecognized SSL protocols and Block invalid certificates are ticked.
I have managed to block Psiphos finally, but still maintaining device access to the network is not as easy as expected. As I mentioned in the main post, I have applied web filtration and application filtration which wasn't enough. On the destination services I have added apart from HTTP, HTTPS and ICMP the following services:
I don't have an AD. I built a seperate firewall rule for my phones until I could workout how to get hem to work with the https scanning. I have one iPhone and an iPad working with https scanning at this stage.
You might want to put the DNS and SMTP into separate rules where the destination is a specific site, also the SMTP you might use the mail business rule. The device DNS need to be pointing at the XG so it is part of the application verification path otherwise the XG has no idea about the classification of the application you are using.
Sincerely, I am almost giving up. I have noticed, that with other VPN applications if you exclude Sophos Agent from them, they will still be able to connect (Some applications). Also, not all devices are allowing the installation of Sophos certificate (Mobile devices and tablets), which means either you switch off Decrypt & scan HTTPS or you keep the device disconnected.
I have installed CAs on my iPad and iPhone successfully, but that doesn't stop Psiphon. Tor I can stop. The problem with using the firewall only is that people can take their phones and tablets outside of your secure network and install the software where as devices fixed to your network cannot install the software.
Hi. I think we are in the same country and I know what you want to achieve. Well, I guess you already know a lot about this, but in my opinion you are using too much resources to achieve it (I guess including your phone for psiphon). It is up to you, but if I may suggest you could use another method such as wireguard in the router. For me, I only need 4G modem and this AR300M for all devices to have internet at good speed, without need of proxy setup, and very much stable.
Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you with uncensored access to Internet content. Your Psiphon 3 client will automatically learn about new access points to maximize your chances of bypassing censorship.
Psiphon 3 for Windows is never distributed as an installable package. Each Psiphon 3 for Windows client is a single executable file (".exe") that is digitally signed by Psiphon Inc. Windows automatically checks this signature when you run the client. You can also manually inspect the signature before running the client by invoking the Properties dialog for the file and inspecting the Digital Signatures tab.
Psiphon 3 automatically starts connecting when you run it. While it is connecting, a spinning icon is displayed. You may select one of the following tunnel modes: VPN (L2TP over IPSec), SSH, or SSH+ (SSH plus obfuscation, a randomized layer on top of SSH to avoid protocol fingerprinting).
In SSH and SSH+ modes, Psiphon 3 automatically sets the Windows system proxy settings and traffic for applications that respect these settings tunnel through Psiphon 3. These settings are respected by default by all major web browsers.
An APK may be validated by (1) extracting the certificate from the archive and checking that its fingerprints matches the value above and (2) verifying that the APK is signed with the certificate. For example, using Unix and Java command-line tools: $ unzip -p PsiphonAndroid.apk META-INF/PSIPHON.RSA keytool -printcert $ jarsigner -verbose -verify PsiphonAndroid.apk
Once the app has connected to the network, it will launch the built-in Psiphon browser. Psiphon 3 for Android does not automatically tunnel the traffic for the default Android browser or other apps. By default, only the Psiphon browser is tunneled through the Psiphon 3 network.
We collect the following data to find out how well Psiphon is working, what sites are popular and what propagation strategies are effective. This information is shared with our partners so that they can see, for example, how often their sites are visited through Psiphon and from which countries.
Event logs include timestamps, region codes (GeoIP country code) and non-identifying attributes including sponsor ID (determined by which Psiphon client is used), client version, and protocol type. Page views are aggregated by time and/or session before being logged.
When you choose to submit feedback through Psiphon you will have the option of including diagnostic data. We use this data to help us troubleshoot any problems you might be having and to help us keep Psiphon running smoothly. Sending this data is entirely optional. The data is encrypted before you send it, and can only be decrypted by us. The information in the data varies by platform, but it may include:
From time to time Psiphon may have to record additional information in order to resolve a problem with our service. When this occurs, we will add an entry here describing what was recorded, how long it was kept, and why.
A: Psiphon 3 restricts DNS traffic to white-listed, vetted DNS servers. The Psiphon 3 client automatically configures your VPN DNS server settings. If you're getting errors related to DNS, check that you're not infected by the "DNS Changer" malware, which tries to change your DNS server settings. More info can be found here.
A: Psiphon 3 will automatically configure your system to use a local HTTP/HTTPS proxy at 127.0.0.1:8080 and a local SOCKS proxy at 127.0.0.1:1080. Windows applications that use the System Proxy Settings will automatically be proxied. You may manually configure other applications to use these local proxies. Both Psiphon 3 for Windows (SSH modes) and Psiphon 3 for Android run these local proxies.
A: The local HTTP proxy could not run. You might have another process running that is using the default port. Try using a different port. See the question "Q. Can I run the local HTTP proxy on a different port than 8080?"
A: Yes, on Windows. Click Run, and type "regedit" to open the Registry Editor. Find and open "HKEY_CURRENT_USER\Software\Psiphon3", and on the right side you will see "UserLocalHTTPProxyPort". Set it's value to the port (in Decimal) that you would like to use.
A: Click Run, and type "regedit" to open the Registry Editor. Find and open "HKEY_CURRENT_USER\Software\Psiphon3", and on the right side you will see "UserSkipProxySettings". Set this value to 1 and Psiphon 3 will not automatically configure the system proxy settings.
I work with a High School and some of the students are using Psiphon to get around our web filter. So I believe we were having a similar issue. We found that A third party managed firewall and web filter filled our needs better than closing so many ports that have important services running on them. We used iboss for our web filter and firewall and we were able to curtail the problem with Psiphon.
Psiphon can mount proxy HTTP/SOCKS via tunnels. All the traffic of this application will bypass the port TCP 80 by default. So you must to have a firewall capable to inspect your packets to see which packets are real HTTP packets and HTTP proxy packets.
To be Honest, with my experience using and testing Psiphon, As long as the user has any kind of internet, no matter the block (even if though), Psiphon seems to manage it's way in anyway. It's lightweight setup make you able to use on a flashdrive (so it doesn't need to be installed on the PC at all, just need to plug in thumbdrive) and versatility makes it very hard to block, even temporally. not to mention that if it even get a ping from any open sever, it automatically updates itself, makes a backup copy, and gets new sever list. The reason why it's like this is because, it's designed to allow you access even in a another country where blocks are really strict... Basically, you're trying to march though the jungle but, up against an army that specializes in guerrilla warfare...
03c5feb9e7