Hello, I don’t know if this is the right place to ask this question, but maybe someone here would be able to explain the phenomenon and how it all works because the whole trick made me very curious. (If you know any other subreddit where I could get answers too please tell me!)
For context, my father works as a trucker and there are several people who offer free internet through this trick. The matter is as follows: there are two guys in the Romanian trucking community (actually there are more, but my father works with these two) who share unlimited internet, using a VPN application: Npv Tunnel, and prepaid cards. The “customers” receive from them a code that looks something like this (e2b08a6c-9d61-44be-ab67-6196a39a2916) and enter it in “import cloud config” on the application. What I find interesting again, they also do accounting and can meter everyone’s internet, and they know exactly how long each customer is allowed, after that they are interrupted and forced to pay again. It only works on certain prepaid cards, from Vodafone UK/RO, Tesco, and others (but not on Lebara, for example), and they are told to have several prepaid cards at hand in case said phone number is blocked, because it can be detected, and continue with another card (maybe a clue to how the thing works?).
Something I find interesting and I thought it would be another clue, despite the fact that dad uses that Vodafone UK card, he can access digi online (an app on your phone given by Digi, an internet/TV cable/SIM provider in Romania, which lets you watch TV channels through it) which usually cannot be accessed outside Romania (so they have a server in Romania?). I did know in fact that by using an expensive router, you could host an IP/VPN to which you could connect to have a Romanian IP and access digi online or use a Raspberry Pi + Router/Computer to do the same thing, maybe these people have a server or something? (but as an idea they have ~600 subscribers, so at what scale should you have such a setup).
I hope to arouse the curiosity of someone who knows what it is about.
This “(e2b08a6c-9d61-44be-ab67-6196a39a2916)” appears to be a cloud configuration, the guy sent cloud config so it makes it harder to decrypt.
Freenet is good but some ISPs are dumb and close the bughosts.
It’s just a VPN someone has managed to set up on a domain that’s not included in this prepaid card’s Internet meter. There is another post on Reddit today that almost gives the game away. Imagine the prepaid card has “pay for internet except Zoom” and you somehow manage to set something up at zoom.us that forwards to your VPN entrance…
Thanks for explaining, I learned something new.
Once I understood it, I imagined it wasn’t very smart of those ISPs to whitelist based on a user-supplied field, however that’s usually the case with hindsight. I have to admit I love learning about these little workarounds and holes that can take some creativity to find.
Would whitelisting based on SNI + checking that DNS of the host in the SNI matches the IP destination work for the ISP?
I guess the trick will only work as long as ESNI/ECH isn’t standard, since at that point the ISP will have to find a different way of whitelisting traffic.
Could you link me that post on Reddit in private?
OP mentioned iCloud - could iCloud be considered data not metered seems an odd form of forcing VPN to client?
It’s in a sub we don’t link. A quick search would find it. It won’t help.
Thanks again for the info.
I realized the DNS issue but figured the ISP and the service they’d like to exempt could just figure out a way to ensure the ISP always has all possible IPs for the service. That may be too restrictive for the service, though. I never considered the ISP’s internal CDN, but now that you mention it… I remember reading about Netflix providing ISPs with cache services at some point.
I think ISPs will never ask users to disable something like ECH, that would be a lot of effort for customer support. I do think ISPs would fight against it becoming an on-by-default thing. I hope the main drivers of changes like this (OSes and browsers, I think) have enough independence to enable it by default regardless. There Google controls a huge part (Android and Chrome), unfortunately…
Firefox has DoH as default in some regions, but they honor the opt-out signal.
It’s like I’m back in school today, never knew there was a DoH opt-out signal, nor that Firefox would honor something like that! I found this page describing it. I wonder how many ISPs break use-application-dns.net resolving in order to disable DoH? Without more info, I’d think that’s a small minority, or perhaps only if the ISP customer activated some child safety feature?
I don’t expect browser makers to upset the status quo, they already got enough flak for DoH.
DoH is only a half measure without ECH or ESNI, though, on a high level they serve the same goal. I’m still hopeful at least Mozilla would try.