Development discussion of WireGuard
From: David Fifield <david@bamsoftware.com>
To: wireguard@lists.zx2c4.com
Subject: Reports of WireGuard blocking in Russia, September 3–8, 2021
Date: Mon, 13 Sep 2021 12:07:08 -0600
Message-ID: <20210913180708.t4u7i4ib7fubsjty@bamsoftware.com>

Last week, between about 2021-09-03 and 2021-09-08, there were reports
of failures to establish WireGuard sessions by some users in Russia. I
have not confirmed these reports personally. Tests by users found
connection failures in some ISPs and not others, and even different
conditions in a single ISP at different times. Self-hosted WireGuard as
well as commercial VPN services were apparently affected.

Discussion is happening (in Russian) in various places:
https://ntc.party/t/vpn/1107/13
https://ntc.party/t/rkn-will-try-to-block-the-following-vpn-services/1022/45
https://ntc.party/t/nordvpn/1249
https://www.opennet.ru/openforum/vsluhforumID3/125174.html#9
https://qna.habr.com/q/1043670

I tried to write a synthesis in English:
https://github.com/net4people/bbs/issues/76#issuecomment-915544316

Of note, Roskomnadzor, the Internet regulator in Russia, has, since
early this year, been implementing a long-term plan to block a list of
VPN services, and giving advance notice to entities such as banks.
WireGuard and OpenVPN are mentioned in a letter sent by the Ministry of
Education and Science on 2021-06-15, later posted to the Roskomsvoboda
Tech Talk Telegram channel.
https://github.com/net4people/bbs/issues/76#issuecomment-868088553

During the same time period as the problems with WireGuard, the Russian
ISP Rostelecom was reportedly blocking various BitTorrent protocols.
https://github.com/net4people/bbs/issues/83
This is potentially significant because a possible pattern for matching
uTP, one of BitTorrent's UDP-based protocols, is `^\x01\x00.+`, which
would also match the first initiator-to-responder message in WireGuard.
The uTP explanation is not fully satisfactory, though, because as I
understand it, users of multiple ISPs were having trouble with
WireGuard, while it was only Rostelecom blocking BitTorrent.

In general the Internet situation in Russia seems especially volatile at
the moment, perhaps because of upcoming elections. A news article about
a one-hour block of certain DNS/DoH/DoT servers that happened on
2021-09-08 incidentally mentions a block of the WireGuard protocol:
https://vc.ru/tech/291648-it-specialisty-zayavili-o-testirovanii-roskomnadzorom-massovoy-blokirovki-publichnyh-dns-servisov-google-i-cloudflare
> О частичной блокировке DNS-сервисов Google и Cloudflare также сообщил
> своём Telegram-канале эксперт «Общества защиты интернета» Михаил
> Климарёв. Он отметил, что полностью был заблокирован и VPN-протокол
> WireGuard.
>
> The partial blocking of Google and Cloudflare DNS services was also
> reported on his Telegram channel by Mikhail Klimarev, an expert of the
> Internet Defense Society. He noted that the WireGuard VPN protocol was
> also completely blocked.
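
The overlap between the quoted uTP pattern and WireGuard, as an added example that is not part of the original message: it applies `^\x01\x00.+` to the UDP payloads of constructed packets. The helper names and filler bytes are hypothetical; the header layouts assumed are WireGuard's (1-byte message type, 3 reserved zero bytes) and uTP's from BEP 29 (type/version byte, extension byte).

```python
import re
import struct

# Pattern quoted in the message as a possible uTP signature. DOTALL makes "."
# match any byte (an assumption about how a matcher would treat the payload).
UTP_PATTERN = re.compile(rb"^\x01\x00.+", re.DOTALL)

def wg_message(msg_type: int, length: int) -> bytes:
    """Constructed WireGuard payload: type byte, 3 reserved zero bytes, filler."""
    header = struct.pack("<B3x", msg_type)
    return header + bytes([0xAA]) * (length - len(header))

def utp_packet(pkt_type: int, extension: int = 0, payload: bytes = b"") -> bytes:
    """Constructed uTP v1 packet with the 20-byte BEP 29 header."""
    type_ver = (pkt_type << 4) | 1  # high nibble: packet type, low nibble: version
    header = struct.pack(
        ">BBHIIIHH",
        type_ver, extension,
        0x1234,    # connection_id (constructed)
        0, 0,      # timestamp, timestamp difference
        0x10000,   # wnd_size
        1, 0,      # seq_nr, ack_nr
    )
    return header + payload

# Constructed samples: the four WireGuard message types at their usual sizes,
# plus uTP ST_DATA (type 0) and ST_SYN (type 4) packets without extensions.
SAMPLES = {
    "wg_handshake_initiation": wg_message(1, 148),
    "wg_handshake_response": wg_message(2, 92),
    "wg_cookie_reply": wg_message(3, 64),
    "wg_transport_data": wg_message(4, 96),
    "utp_st_data": utp_packet(0, payload=b"constructed"),
    "utp_st_syn": utp_packet(4),
}

def classify(samples: dict) -> dict:
    """Return, per sample, whether the quoted pattern matches the payload."""
    return {name: bool(UTP_PATTERN.match(pkt)) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:26} {'MATCH' if hit else 'no match'}")
```

Of the WireGuard samples, only the handshake initiation begins with `\x01\x00`; the uTP ST_SYN packet begins with `\x41` and is not matched by this pattern either.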
