The Critical Engineering Working Group
Julian Oliver, Danja Vasiliev

Vending Private Network (2018)

Virtual Private Networking as Publicly Funded Infrastructure



INTRODUCTION

Virtual Private Networks (VPNs) have come into increasing demand in recent years, providing route encryption through hostile networks. In China, Vietnam, Turkey and Pakistan they also serve to mitigate government censorship, such that foreign sites otherwise blocked by state firewalls are made available to VPN users (Twitter, Facebook, Wikipedia, activist sites and digital libraries being the most common).

Vending Private Network takes the form of a condom vending machine, such as those typically seen in public toilets, nightclubs and bars. Equipped with mechanical buttons, a coin-slot and USB ports, it offers 4 VPN routes, each with an animated graphic depicting the route as a fantasy destination.

Audiences are invited to insert a USB stick into the slot, a coin (1 pound or euro) into the machine, and to select a VPN destination by pressing a mechanical button. In doing so, a unique VPN configuration file is written to the USB stick. Special instructions (in the form of a README.txt) are also copied, explaining how to use the VPN in a special ‘sheathed’ mode that evades detection methods (namely Deep Packet Inspection, or DPI) used by corporations and state-controlled infrastructure administrators. This is the only means known to work against state-controlled firewalls.


Vending Private Network is especially designed for use in wealthy countries; only then can its ulterior motive come into play: leveraging economic and cultural privilege to benefit those less fortunate. With each VPN config paid for, another 'shadow config' is generated, to be later shipped to dissidents, activist organisations and others in Turkey, China, Vietnam, Afghanistan, Iran (other countries to be confirmed) such that those that need it most can enjoy protection and access to the open web.

The coins inserted into the vending machine also directly fund the VPN running costs, whose tally is displayed on each screen of the vending machine. Should a particular VPN not have enough money deposited to pay for monthly server hosting costs, it is shut down, with a white-on-black notice on the display that it no longer functions due to insufficient public funding. Should money sufficient to cover costs be donated, the dormant server will boot back to life and public service continues.

Just as one might expect to see on a condom vending machine, Vending Private Network is adorned with the sticker "Get Protected".

Vending Private Network at Transnationalisms, Furtherfield, London. Photographs by Guillaume Querard, 2018. Sticker design by Jo Caussimon.

VPN LOCATIONS

The VPNs are located in the following locations. They were created, and are solely administered, by the Critical Engineering Working Group. These countries were chosen on the basis of their geographical distribution, and because they are not within the Five Eyes (codename FVEY) mass-surveillance partnership.



VIDEO



Video by Guillaume Querard.
Background music courtesy Blawan, 'Klade' (intro), from the album Wet Will Always Dry (2018)

README.txt

A README.txt accompanies the VPN configs copied to each USB stick.

                       ___                           _             __     
 _   _____  ____  ____/ (_)___  ____ _   ____  _____(_)   ______ _/ /____ 
| | / / _ \/ __ \/ __  / / __ \/ __ `/  / __ \/ ___/ / | / / __ `/ __/ _ \
| |/ /  __/ / / / /_/ / / / / / /_/ /  / /_/ / /  / /| |/ / /_/ / /_/  __/
|___/\___/_/ /_/\__,_/_/_/ /_/\__, /  / .___/_/  /_/ |___/\__,_/\__/\___/ 
                             /____/  /_/                                  
               __                      __  
   ____  ___  / /__      ______  _____/ /__
  / __ \/ _ \/ __/ | /| / / __ \/ ___/ //_/
 / / / /  __/ /_ | |/ |/ / /_/ / /  / ,<   
/_/ /_/\___/\__/ |__/|__/\____/_/  /_/|_|                 

                _________________
               /                /|
              /                / |
             /________________/ /|
          ###|      ____      |//|
         #   |     /   /|     |/.|
        #  __|___ /   /.|     |  |_______________
       #  /      /   //||     |  /              /|                  ___
      #  /      /___// ||     | /              / |                 / \ \
      # /______/!   || ||_____|/              /  |                /   \ \
      #| . . .  !   || ||                    /  _________________/     \ \
      #|  . .   !   || //      ________     /  /\________________  {   /  }
      /|   .    !   ||//~~~~~~/   0000/    /  / / ______________  {   /  /
     / |        !   |'/      /9  0000/    /  / / /             / {   /  /
    / #\________!___|/      /9  0000/    /  / / /_____________/___  /  /
   / #     /_____\/        /9  0000/    /  / / /_  /\_____________\/  /
  / #                      ``^^^^^^    /   \ \ . ./ / ____________   /
 +=#==================================/     \ \ ./ / /.  .  .  \ /  /
 |#                                   |      \ \/ / /___________/  /
 #                                    |_______\__/________________/
 |                                    |               |  |  / /       
 |                                    |               |  | / /       
 |                                    |       ________|  |/ /________       
 |                                    |      /_______/    \_________/\       
 |                                    |     /        /  /           \ )       
 |                                    |    /OO^^^^^^/  / /^^^^^^^^^OO\)       
 |                                    |            /  / /        
 |                                    |           /  / /
 |                                    |          /___\/
 |                                    |           oo
 |____________________________________|

Thank you for purchasing a Vending Private Network configuration. Your
contribution to public privacy infrastructure keeps the server you chose
running. More so, a sister-key has been generated and will be anonymously gifted
to someone very much in need of a VPN in the near future. 

Please note that your configuration is valid for 5 years, one device at a time.
Should you lose your key, please let us know by emailing
██████@████████████.███ and we will revoke it and generate you a new one.

The remainder of this README is written across the following sections.

               __  _             
  ___ ___ ____/ /_(_)__  ___  ___
 (_-</ -_) __/ __/ / _ \/ _ \(_-<
/___/\__/\__/\__/_/\___/_//_/___/
                                 

1. WHAT IS A VPN? - if you've never used a VPN before, read this first

2. DNS LEAKS - your ISP knows every site you visit, unless you stop them

3. USE THE VPN - tips on loading your config, VPN software to use, etc
 
4. VPN SHEATHING - read this to go full stealth, evading VPN detecting firewalls

  ___           __        __    _                           ___ 
 <  /   _    __/ /  ___ _/ /_  (_)__   ___ _  _  _____  ___/__ \
 / /   | |/|/ / _ \/ _ `/ __/ / (_-<  / _ `/ | |/ / _ \/ _ \/__/
/_(_)  |__,__/_//_/\_,_/\__/ /_/___/  \_,_/  |___/ .__/_//_(_)  
                                                /_/             


A Virtual Private Network is an encrypted network laid over existing network
infrastructure.  In most cases, that infrastructure is that network of networks
we call The Internet. 

With that said, perhaps the best way of understanding VPNs is through how
they're used:

VPNs have two typical use cases. The original use of VPNs was to connect a whole
lot of devices to each other regardless of their network context. Imagine you
want to be able to privately and securely log into either a laptop you left at
home or another you left at the studio while travelling, accessing files without
having to worry about modifying settings on routers, etc.  For this you'd need
two computers on the same VPN.  As there are so many Vending Private Network
supporters, with varying needs and threat models, this use case is not one that
your Vending Private Network configuration supports.

The second and increasingly most popular use case however is to tunnel through
hostile network infrastructure to a VPN server in another location (typically
another country), and onto the Internet, in turn. This use case is what your
Vending Private Network configuration does support: your basic right to privacy.
For instance, if you don't want your ISP, your boss, your government or any of
the numerous privately owned devices your Internet traffic passes through to
know what you're uploading and downloading online, you might use a VPN to
encrypt your traffic such that they can't see it. 

Privacy, however, is not to be mistaken for Anonymity! While those many
companies and interests along your route to the VPN destination might not be
able to see what you're doing, the final site you're visiting can still know
who you are. To be anonymous too, you'll need to take extra precautions.


   ___      ___  _  ______  __         __      
  |_  |    / _ \/ |/ / __/ / /__ ___ _/ /__ ___
 / __/_   / // /    /\ \  / / -_) _ `/  '_/(_-<
/____(_) /____/_/|_/___/ /_/\__/\_,_/_/\_\/___/
                                               

Each time you click on a link or request a site by its name and not its IP, a
process of 'domain name resolution' occurs. That is, to find what actual IP
address - which machine - the domain name (eg. theintercept.com) refers to.
This is handled by special servers on the Internet called Domain Name Servers
whose only job is to do just this. 

However, Internet Service Providers tend to like placing themselves in this
role, by taking those requests and passing them onto actual DNS servers.  This
is another way of saying that your home/studio/office service provider knows
every site you visit, unless you're specifying an alternative DNS configuration.

When using the Vending Private Network VPN service, you can avoid 'leaking DNS' to
your ISP by setting your DNS to that of the Vending Private Network server you
have chosen. That way, all your DNS queries will also pass through the VPN onto
trusted and transparent DNS hosts in Iceland, with absolutely no one along the
way able to read, log and redistribute your browsing habits.

The addresses to use as your DNS servers are as follows:

    TAIWAN
    Normal:     10.2.1.1
    Sheathed:   10.2.2.1

    ICELAND 
    Normal:     10.3.1.1
    Sheathed:   10.3.2.1

    MEXICO
    Normal:     10.4.1.1
    Sheathed:   10.4.2.1

    SOUTH AFRICA
    Normal:     10.5.1.1
    Sheathed:   10.5.2.1

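To change your DNS server in the command line on a Linux system using the Iceland
VPN, you would (the write goes through 'sudo tee', as a plain '>' redirect is
performed by your own unprivileged shell):

    echo "nameserver 10.3.1.1" | sudo tee /etc/resolv.conf

OS X (replace Wi-Fi with the name of your network service, as listed by
'networksetup -listallnetworkservices'):

    sudo networksetup -setdnsservers Wi-Fi 10.3.1.1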

At any time you can test to see if you're leaking DNS using a service like:

    https://dnsleaktest.com

   ____                    __  __                      
  |_  /    __ _____ ___   / /_/ /  ___   _  _____  ___ 
 _/_ <_   / // (_-</ -_) / __/ _ \/ -_) | |/ / _ \/ _ \
/____(_)  \_,_/___/\__/  \__/_//_/\__/  |___/ .__/_//_/
                                           /_/         

All our Vending Private Network servers run OpenVPN server, the most popular free and
open source VPN solution. So it follows that to use the configs, you'll need to
install OpenVPN compatible software, or app for your phone. 

We recommend using a software 'client' from the OpenVPN project itself, but you
can find OpenVPN clients in app stores for Apple and Android devices, alongside
the 'openvpn' program for OS X packaged for Homebrew and MacPorts. On Linux
systems, just use your package manager.

In any case, you'll need to download the config you bought from the USB stick
onto your device, and load it in whichever way the software you use wants it.

If you'd like to use it via the command line on OS X and Linux, simply download
it to the device, noting the path. For instance, if you'd downloaded
'VendingPrivateNetwork_Iceland456.ovpn' to your Downloads directory, start up a
terminal and:

    sudo openvpn Downloads/VendingPrivateNetwork_Iceland456.ovpn

Whichever way, be sure to test it's up and running by checking your IP online,
using a service like:

    https://wtfismyip.com

To stop OpenVPN in your terminal (OS X/Linux), hit CTRL-C.

Please note that our VPN configs use a special security key known as the
'ta.key' that (at the time of writing) is known to not be supported on some
versions of the OS X client Tunnelblick. We suggest you use another client.

  ____                          __            __  __   _          
 / / /    _  _____  ___    ___ / /  ___ ___ _/ /_/ /  (_)__  ___ _
/_  _/   | |/ / _ \/ _ \  (_-</ _ \/ -_) _ `/ __/ _ \/ / _ \/ _ `/
 /_/(_)  |___/ .__/_//_/ /___/_//_/\__/\_,_/\__/_//_/_/_//_/\_, / 
            /_/                                            /___/  

VPN sheathing is a relatively new technique for evading an advanced form of VPN
detection called Deep Packet Inspection, used by firewalls like The Great
Firewall of China, and many other non-net-neutral networks encountered in
large hotels, universities, city-wide wireless deployments, etc.
What it does is 'hide' the VPN traffic in a layer of SSL encryption, such that
it looks pretty much like online banking, mail or any other "https://"
traffic. Vending Private Network offers such a service with each config bought,
such that if you're up against a particularly formidable firewall, you can
tunnel through it to the open web.

To do this however you'll need to install an extra package for your laptop,
router or desktop computer called 'stunnel':

    https://www.stunnel.org/downloads.html

Once installed, unzip the zip file provided with 'Sheath' in the name onto the
device you'd like to use. If you're using Windows, be sure to open up the file
and comment out the first line, such that:

    chroot = /var

.. becomes:

    #chroot = /var

Once done, just start stunnel using the config provided. For instance, if using
Linux or OS X with stunnel.conf downloaded alongside the stunnel.pem to the
Downloads directory, you would start stunnel using the terminal like so:

    sudo stunnel Downloads/stunnel.conf

Once stunnel has started, start up OpenVPN with the sheath config provided. For
instance, if you chose Taiwan as your destination and the config you downloaded
ends in '456', you would:

    sudo openvpn Downloads/VendingPrivateNetwork_Taiwan-sheath456.ovpn

After doing so, we need to be sure that traffic is routed properly. To do this
we need to know the gateway we're working with. We also need to know the IP of
the VPN server we're using. Here are those IPs:
                
                    Internet IP         VPN IP
                    ----------------------------
    Taiwan:         60.245.61.66        10.2.1.1
    Iceland:        82.221.100.90       10.3.2.1
    Mexico:         191.96.145.66       10.4.2.1
    South Africa:   160.119.248.157     10.5.2.1

So, if our local gateway to the Internet is 192.168.1.1 (commonly so), and you
were using the Mexico VPN, you would:

Linux: 

    sudo route add -net 191.96.145.66/32 gw 192.168.1.1

OS X:

    sudo route -n add -net 191.96.145.66/32 192.168.1.1

Be sure to avoid DNS leaks by changing your DNS server (see above).

Thank you for your support,

---

The Critical Engineering Working Group
https://criticalengineering.org
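
The following check is an added example, not part of the original README or the project's own tooling. It verifies the two things the sheathing steps depend on: that every configured nameserver is the VPN's DNS, and that the server's Internet IP is pinned to the local gateway rather than the tunnel. The sample data is constructed for the Mexico route; the tunnel peer 10.4.2.5 and the device names are assumptions.

```shell
#!/bin/sh
# Added example: post-connection checks for a sheathed session (Linux).

# check_dns VPN_DNS: reads resolv.conf text on stdin. Succeeds only if
# there is at least one nameserver line and every one equals VPN_DNS.
check_dns() {
    awk -v want="$1" '
        $1 == "nameserver" { n++; if ($2 != want) bad++ }
        END { exit ((n > 0 && bad == 0) ? 0 : 1) }
    '
}

# check_server_route SERVER_IP GATEWAY: reads "ip route show" output on
# stdin. Succeeds only if a host route for SERVER_IP goes via GATEWAY on a
# device that is not the tunnel, so stunnel's own connection to the server
# is not sent back into the VPN it is carrying.
check_server_route() {
    awk -v ip="$1" -v gw="$2" '
        ($1 == ip || $1 == ip "/32") {
            via = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") via = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (via == gw && dev !~ /^tun/) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed samples (not captured from a real machine).
RESOLV='nameserver 10.4.2.1'
ROUTES='0.0.0.0/1 via 10.4.2.5 dev tun0
default via 192.168.1.1 dev eth0
128.0.0.0/1 via 10.4.2.5 dev tun0
191.96.145.66 via 192.168.1.1 dev eth0'

printf '%s\n' "$RESOLV" | check_dns 10.4.2.1 \
    && echo "DNS: only the VPN resolver is configured" \
    || echo "DNS: leaking to another resolver"
printf '%s\n' "$ROUTES" | check_server_route 191.96.145.66 192.168.1.1 \
    && echo "route: server IP pinned to local gateway" \
    || echo "route: host route to server missing"
```

On a live system, feed the functions real data with `check_dns 10.4.2.1 < /etc/resolv.conf` and `ip route show | check_server_route 191.96.145.66 192.168.1.1`.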




VENDING PRIVATE NETWORK was commissioned by Aksioma (SI), Drugo more (HR), Furtherfield (UK), Institute for Network Cultures (NL) and +NeMe (CY).

Supported by the Creative Europe programme of the European Union.

Realised in the framework of State Machines / www.statemachines.eu.




17 September 2018, criticalengineering.org