This is a re-blog of the original article written by Riyadh Al Balushi (aka @blue_chi) here.
Essentially, The Regulatory Authority (TRA) have decided that too many people are circumventing the filtering system imposed on net users here via Virtual Private Networks. If you read Arabic, here is the draft proposal being tabled by TRA for banning all VPN's in the Sultanate.
According to Riyadh's translation, those found privately using a VPN will be fined RO 500, and those found commercially using a VPN will be fined RO 1000.
Now this is a double-edged sword, because many companies here use VPN's to conduct their business. In fact, as a business, you must pay an absolute fortune for a leased line here - the only way to get a static IP with Omantel (Omantel conveniently decided that ADSL connections could not have static IP's, even though all it would take is a few clicks of a mouse - Nawras offer static IP's on their connections for a reasonable RO 50 a month). To give you an idea, an 8MB ADSL (and 0.5mb up) residential line is RO 99 a month. A 1MB leased line (that's full duplex, up and down) is RO 1,725 a month (after RO 400 setup fee) (this falls to RO 1,294 a month if you commit to 3 years usage). You read that correctly - to get a Fixed IP (which is required by many corporate networks architecture) you need to spend between US$3,364 and $4,485 a month! And that is only for a 1MB connection - you can look at Omantel's rates here. Alternatively, you could go to Nawras and get a Fixed IP on a 16MB down and 2MB up connection for a rather frugal RO 369 ($959) a month. It's a wonder why Omantel continues to refuse to offer static IP's on it's Business ADSL packages. Stupidity does come to mind.
So now then, the rest of us. Many people have been using VPN's to circumvent the restriction policies in effect. Some people use VPN's to get their skype working, others use them to look at porn, others to access regional-specific websites (Such as the BBC's iPlayer), and further more people use VPN's to access educational institutions. Some people just don't want their browsing to be monitored and so choose to encrypt it. OpenVPN is the software of choice for these people (it's the defacto standard because it's available for free, you just need to connect to a host machine - which is where companies charge). Omantel have blocked the standard ports that OpenVPN use, thus knocking out a large swath of VPN users in one swipe. Nawras have throttled these ports, to a point where a stable VOIP connection cannot be achieved, but browsing can still continue.
It seems that this move by TRA is more about stopping people from VOIPing than protecting the moral fibre of internet users here in the Sultanate.
The point of this argument is this: Where do you draw the line? To ban VPN's because people are using them to enable their Voip connections, that's one thing, but to ban VPN's because people are encrypting their traffic and big brother is not happy (which is the reason being spouted at the moment) is just a slippery slope. What happens when I want to do online banking, or access email, or visit any website which is SSL encrypted (thats https:// as opposed to http://) - following that line of thought from TRA, they will want to stop ALL of that because it's encrypted traffic.
I find this just another example of how draconian the policy makers at TRA really are, and I wonder what will happen next? The filtering hardware and software already imposed on us by TRA slows our internet traffic down significantly already, and for those people that game online (pc or console) they'll tell you the same thing - finding other players that they can play with without a significant lag (delay) is proving to be harder and harder these days.
The fine, if you are caught, is significant - RO 500 for personal users, and RO 1000 for commercial users of VPN's. That's a large chunk of change. TRA will grant licenses for educational institutions and businesses, but you may not apply for a VPN license if you are a private user. There is no word on pricing from the TRA, nor is there any word on how long it will take to get a license granted, or how they will apply those licenses to the ISP's filtering processes. Smart money says it'll be done via a whitelist of IP's - except that wont work for Omantel ADSL business customers, or Nawras Business customers that do not have static IP's. There's a lot left to the imagination here.
To detect whether someone is using a VPN, there are a number of methods that can be employed to do this. The most obvious one is to just simply block the common ports that are used by popular VPN providers, which has already been done. After that it get's technical, and essentially what can be done is that a profile is looked for in the pattern of your internet traffic coming from your account. For example, if all the traffic coming from your account is being funnelled through one port, then that's an easy guess that you are using a VPN. It gets very technical very quickly and thus over my head, but suffice to say - YES, it is entirely possible to detect when people are using VPN's.
One does have to ask the question - when does internet access here become so limited, that it's just not worth the already high prices charged for access?
le fin.
Essentially, The Regulatory Authority (TRA) have decided that too many people are circumventing the filtering system imposed on net users here via Virtual Private Networks. If you read Arabic, here is the draft proposal being tabled by TRA for banning all VPN's in the Sultanate.
According to Riyadh's translation, those found privately using a VPN will be fined RO 500, and those found commercially using a VPN will be fined RO 1000.
Now this is a double-edged sword, because many companies here use VPN's to conduct their business. In fact, as a business, you must pay an absolute fortune for a leased line here - the only way to get a static IP with Omantel (Omantel conveniently decided that ADSL connections could not have static IP's, even though all it would take is a few clicks of a mouse - Nawras offer static IP's on their connections for a reasonable RO 50 a month). To give you an idea, an 8MB ADSL (and 0.5mb up) residential line is RO 99 a month. A 1MB leased line (that's full duplex, up and down) is RO 1,725 a month (after RO 400 setup fee) (this falls to RO 1,294 a month if you commit to 3 years usage). You read that correctly - to get a Fixed IP (which is required by many corporate networks architecture) you need to spend between US$3,364 and $4,485 a month! And that is only for a 1MB connection - you can look at Omantel's rates here. Alternatively, you could go to Nawras and get a Fixed IP on a 16MB down and 2MB up connection for a rather frugal RO 369 ($959) a month. It's a wonder why Omantel continues to refuse to offer static IP's on it's Business ADSL packages. Stupidity does come to mind.
So now then, the rest of us. Many people have been using VPN's to circumvent the restriction policies in effect. Some people use VPN's to get their skype working, others use them to look at porn, others to access regional-specific websites (Such as the BBC's iPlayer), and further more people use VPN's to access educational institutions. Some people just don't want their browsing to be monitored and so choose to encrypt it. OpenVPN is the software of choice for these people (it's the defacto standard because it's available for free, you just need to connect to a host machine - which is where companies charge). Omantel have blocked the standard ports that OpenVPN use, thus knocking out a large swath of VPN users in one swipe. Nawras have throttled these ports, to a point where a stable VOIP connection cannot be achieved, but browsing can still continue.
It seems that this move by TRA is more about stopping people from VOIPing than protecting the moral fibre of internet users here in the Sultanate.
The point of this argument is this: Where do you draw the line? To ban VPN's because people are using them to enable their Voip connections, that's one thing, but to ban VPN's because people are encrypting their traffic and big brother is not happy (which is the reason being spouted at the moment) is just a slippery slope. What happens when I want to do online banking, or access email, or visit any website which is SSL encrypted (thats https:// as opposed to http://) - following that line of thought from TRA, they will want to stop ALL of that because it's encrypted traffic.
I find this just another example of how draconian the policy makers at TRA really are, and I wonder what will happen next? The filtering hardware and software already imposed on us by TRA slows our internet traffic down significantly already, and for those people that game online (pc or console) they'll tell you the same thing - finding other players that they can play with without a significant lag (delay) is proving to be harder and harder these days.
The fine, if you are caught, is significant - RO 500 for personal users, and RO 1000 for commercial users of VPN's. That's a large chunk of change. TRA will grant licenses for educational institutions and businesses, but you may not apply for a VPN license if you are a private user. There is no word on pricing from the TRA, nor is there any word on how long it will take to get a license granted, or how they will apply those licenses to the ISP's filtering processes. Smart money says it'll be done via a whitelist of IP's - except that wont work for Omantel ADSL business customers, or Nawras Business customers that do not have static IP's. There's a lot left to the imagination here.
To detect whether someone is using a VPN, there are a number of methods that can be employed to do this. The most obvious one is to just simply block the common ports that are used by popular VPN providers, which has already been done. After that it get's technical, and essentially what can be done is that a profile is looked for in the pattern of your internet traffic coming from your account. For example, if all the traffic coming from your account is being funnelled through one port, then that's an easy guess that you are using a VPN. It gets very technical very quickly and thus over my head, but suffice to say - YES, it is entirely possible to detect when people are using VPN's.
One does have to ask the question - when does internet access here become so limited, that it's just not worth the already high prices charged for access?
le fin.
TRA to ban VPN's in Oman
Reviewed by Sythe
on
Sunday, August 29, 2010
Rating:
My guess is that the internet has become so ingrained in the way we do business and live our personal lives that we simply cannot live without the internet anymore...and I'm pretty sure ISP's know that.
ReplyDeleteWhat really pisses me off is that they charge so much for internet here and for what?
In most civilised countries you can unlimited up and down 1/3 of the price and no one will ever say that you can't look at whatever you want to.
If you want to talk about the effect of what the ISP blocks in terms of moral fiber I agree with you, I think it's a moot point.
There's still rape, murder, assults and thefts going on in the Sultanate so does it seem like blocking morally questionable websites has any effect on human nature?
Not really. (but I'm not saying that watching porn leads to rape)
It's truly disgusting how much they charge for internet here and how much they censor, all the while they must be rolling in cash...it really makes me sick.
-Not a fan of ISP's in Oman
Is this why I can no longer do my online banking? I notice that since June I cannot log on to a number of perfectly innocent websites, including Barclays. Is it the encryption issue?
ReplyDeleteRather than getting any error message, it just hangs. Other sites work normally (ie slowly!).
Simon
Try re-installing your browser, or trying a different one (ie firefox / chrome / safari)
ReplyDeleteCurrently I've no problems logging into online banking.
Thanks for the suggestion Scythe, but Firefox and Opera were the same. This is now resolved however - it turned out to be a MODEM DNS setting/gremlin I think.
ReplyDeleteSimon
PS Le Fin? If French should be "La" non?
I don't think Omantel or Nawras are blocking standard ports on OpenVPN, because my 'regular' openvpn connections that go through port 443 (akin to https) are also blocked.
ReplyDeleteWhat they are doing is performing denial of service attacks during the key negotiation and handshake when openvpn is setting up a tunnel.
However, OpenVPN configs allows you to set up some extra parameters that specifically work to counter such things. You just need to find a provider that has them configured. Or you can roll your own.
Thanks for the comments everyone. Let's not talk about how to circumvent the blocks though, okay gang!?
ReplyDeleteSimon, it's Sythe, a name, not a tool.
And "le fin" is a tag-line, not an attempt to be grammatically correct in French. I believe the correct term would just be "fin".
OpenVPN works best when couple with unicorn fairy dust :)
ReplyDeleteI am really tired, frustrated and angry at ISPs in Oman.
ReplyDeleteI can understand the need to block VPNs in order to prevent people from looking at 'naughty' pics online (this is so important, by the way, because it's not as if you can get an Indian worker to come to your flat, install a 'black box' with a new satellite dish for, like, 50 OMR, and watch ALL the smut you want to all day long on your big screen ... ah, sarcasm ...)
BUT WHAT IS SOOOO WRONG ABOUT SKYPE??? Block VPNs if you want, but WHY, oh WHY, block things like Skype in the first place?
Guess what, Nawras and OmanTel, us expats, yes those of us that are not Omani that work and live in Oman to help YOU and YOUR country - WE also happen to have FAMILY that we LOVE and want to talk to / see. Maybe if your telephone rates were acceptable, there would be no problem. But we are not made of gold and diamonds - it costs me 10 OMR for 3.5 minutes of conversation with my family!!! Not to mention how much it would cost if I, God forbid, had to call my foreign bank ...
About how ridiculously overpriced both Nawras and OmanTel are, how POOR their service is and how little knowledge their staff has, I don't even want to get into.
I hope the decision makers at TRA, at Nawras and OmanTel, and all others involved in making these ridiculous, cruel, and, to some of us, heartbreaking decisions are enjoying Ramadan with their families. I hope they enjoy spending time with the family they love, talking and sharing their lives and love. I wish them a very sincere Ramadan Kareem.
My family and other expat families, will just have to wait until our annual leaves.
Hypocrites.
this is to get rid of all the expats?? can't you see, they want to lie under the bush again.
ReplyDeleteThis is Cheney, from VPNGates.com
ReplyDeleteDon't worry about that, if your ISP blocked VPN connection please contact us, we can help you to resolve this issue.
well, but how can we contact you if VPNGates.com is blocked too?
ReplyDeletePPTP AND L2TP IS BLOCKED IN OMAN?
ReplyDeleteif 1194 is blocked then which ports are available there?
ReplyDeleteHI ALL,
ReplyDeleteIF YOU WANT TO UNBLOCK OMAN, PLEASE JOIN WITH THE WWW.ASHVPN.COM. IT IS WORKING IN OMAN.
I have noted that Omantel and Nawras are the 2 companies showing profit. Why ? Because of monopoly. Remove the monopoly and see what happens. The internet charges are already one of the highest in the world and the government is turning a blind eye to make the country internet literate.
ReplyDeleteI wish government protected all industries and the people like this. TRA come one. Be realistic. All countries around the world allow VOIP but the telecom companies there make profits also.
TRA Oman learn new. Think New
This comment has been removed by the author.
ReplyDeletehelp..!!! everything is getting blocked..... :( vpn links all blocked... even ultrasurf , kepard, etc
ReplyDeleteIs there a new program available to unblock skype? My ultrasurf is no longer working.
ReplyDeleteGreat job buddy. But is all the issue is positive. Thanks for your posting.
ReplyDeletepoint 2 point
I live in qatar and i was shocked after this news but after some days i found a working VPN For Qatar and i am still using it without any issues.
ReplyDelete