expressvpn/lightway-core

expressvpn lightway-tcp getting blocked on sni-based filtering firewalls

sheharyaar opened this issue · 2 comments

Expected Behavior

ExpressVPN should bypass SNI-based filtering in firewalls.

Current Behavior

ExpressVPN gets blocked on SNI-based filtering firewalls.

Possible Solution

ExpressVPN should add a feature for ESNI (Encrypted Server Name Indication) or ECH (Encrypted Client Hello), or it should spoof the SNI and ignore the field on its servers.

Steps to Reproduce (for bugs)

Here is a screenshot of the Wireshark packet capture: [image: expressvpn-rst]

I can attach a link to the filtered packets pcapng file if needed.

Your Environment

  • Version used: expressvpn version 3.53.0.0 (537580b2e)
  • Operating System and version: Linux 6.5.3-arch1-1 SMP PREEMPT_DYNAMIC x86_64 GNU/Linux

My firewall uniformly blocks UDP, hence I cannot use Lightway UDP, and for TCP it uses SNI-based filtering.
I have tested the SNI bypass using stunnel on a remote Azure server; it works.

I am facing the same issues; it would be great to obtain some feedback!

Lightway itself doesn't actually use SNI. As our clients and servers are explicitly configured to work with each other, there's no benefit in Lightway announcing which domain it wants to connect to as it wouldn't be used by the server anyway.

So the SNI filtering is probably not affecting the Lightway connection itself. I've raised the connectivity issue internally for investigation, but as it's related to ExpressVPN and not Lightway, I'll close out this issue. We do really appreciate you taking the time to report this and supplying the network capture information!