How to fix the infrastructure after the tsunami
While people launch paper planes out of their windows, practice proxy server settings, or even install dante on a VPS, businesses of every size are dealing with the real consequences of the mass blocking in their processes.
You can take any attitude you like to what is happening, but when G Suite or your cloud infrastructure stops working, it looks like a natural disaster. And it falls to ordinary system administrators to clean up the consequences quickly. So in this article I share options for survival and for rethinking business processes, a kind of chronicle from the field.
All sorts of options can be used to solve the problem, up to renting an apartment in Svetogorsk and installing a 4G modem with a Finnish SIM card there, or bribing a friendly provider to put a server in its data center that is connected bypassing the "Revizor" (Inspector) system. But I will focus on a couple of reasonable and legal options.
Virtual private network
When monitoring reports that your servers are unavailable, and while sorting out the situation you find that the subnet of your foreign data center has been blocked, the first printable thought is to deploy a VPN. Virtual "droplets" for $5 save the situation completely, although their addresses may get caught in the crossfire as well.
Let me remind you that you can check an IP address for blocking on the official Roskomnadzor website. You can also use bots; a web search turns up plenty of them.
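Before relying on someone else's bot, it is worth keeping your own check handy. The snippet below is an added example, not code from the original article: it parses a blocklist dump (here a constructed sample mixing single IPs, IPv4/IPv6 subnets, comments and a garbage line, the way real exports look) and reports which of your server addresses fall into a blocked range, so you can spot a blocked subnet before monitoring does.

```python
import ipaddress

# Constructed sample of a blocklist export: one entry per line, either a
# single address or a subnet. This is not a real registry dump.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real export
192.0.2.0/24
198.51.100.17
2001:db8:beef::/48
not-an-address
203.0.113.0/25
"""


def parse_blocklist(text):
    """Turn a line-oriented dump into a list of ip_network objects.
    Single addresses become /32 or /128 networks; unparsable lines are skipped,
    because real exports regularly contain junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    # Merge overlapping/adjacent ranges so later checks stay cheap.
    return list(ipaddress.collapse_addresses(
        [n for n in nets if n.version == 4])) + list(
        ipaddress.collapse_addresses([n for n in nets if n.version == 6]))


def check_hosts(hosts, nets):
    """Map each host address to the blocked range that covers it, or None."""
    result = {}
    for host in hosts:
        addr = ipaddress.ip_address(host)
        hit = next((n for n in nets
                    if n.version == addr.version and addr in n), None)
        result[host] = str(hit) if hit is not None else None
    return result


def free_hosts(hosts, nets):
    """Return only the addresses that are not covered by any blocked range,
    e.g. to choose which VM snapshot region to keep."""
    return [h for h, hit in check_hosts(hosts, nets).items() if hit is None]
```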
If you suddenly have to "hop" between the data centers of a cloud provider (while a proper solution is being sought), here is a small tip to simplify the process: create a snapshot of the virtual machine, make it available in the desired region, and create a new virtual machine in the target region from that snapshot.
Select the available regions for the virtual machine image.
I was lucky, and an unblocked address turned up on the third attempt.
You can use anything as a VPN solution. OpenVPN is quick and easy to configure, but it may require installing additional client software. L2TP/IPsec is more complicated to set up, but it is supported natively on current versions of iOS and Android.
Below is a list of ready-made solutions in case you need to act quickly and have no time to dig into the details:
- Streisand. An all-in-one VPN server, including Shadowsocks and Tor. As a bonus, it will help you start getting to grips with Ansible.
- Algo VPN. No OpenVPN or Tor, but with IKEv2.
- install-openvpn. A simple script to install OpenVPN.
- IPsec VPN. A simple script to install an L2TP/IPsec server.
Now that the organization has regained some kind of access to its services, you need to think about what to do next: after all, at any moment our VPN virtual machine may get caught in the blocking wave too.
IP sixth version
Moving to IPv6 was proposed as one of the options for restoring service, since modern data centers provide this protocol. Besides access to cloud servers, IPv6 will help restore the operation of Google services such as G Suite, on which the business processes of many organizations depend.
If you are lucky and your provider supports the new protocol, half of the work is done. If you are not so lucky, one option is to configure a 6to4 or 6in4 tunnel.
The list of providers supporting IPv6 can be found on the version6.ru wiki portal .
Most routers support such tunnels. In particular, IPv6 configuration on MikroTik equipment is described in the article "MikroTik - 6in4 or IPv6 without provider support". The general principle is very simple: register with a tunnel broker, create the tunnel, assign an address, add routes, use it. You can verify that it works on one of the IPv6 test sites.
IPv6 Verification - Now Google services will work again.
An important point to keep in mind when setting up IPv6 is that the protocol works without NAT, so every device on the local network is directly on the "big Internet". If you turned off the firewall on workstations, now is the time to turn it back on and configure it. A firewall on the router adds a little more protection. For example, on MikroTik I used the following settings:
/ipv6 firewall filter
# Rate-limited incoming ICMPv6 traffic: accept up to the limit, drop the rest
add action=accept chain=input limit=100,5 protocol=icmpv6
add action=drop chain=input protocol=icmpv6
# Rate-limited forwarded ICMPv6 traffic
add action=accept chain=forward limit=100,5 protocol=icmpv6
add action=drop chain=forward protocol=icmpv6
# Allow incoming connections in the established and related states
add action=accept chain=input connection-state=established,related
# Rules allowing access over SSH etc. can be inserted in place of this line
# Drop all other incoming traffic arriving on the tunnel
add action=drop chain=input in-interface=StF
# Allow forwarded connections in the established and related states
add action=accept chain=forward connection-state=established,related
# Rules allowing inbound access to local servers can be inserted in place of this line
# Block everything else
add action=drop chain=forward in-interface=StF
Where StF is the name of the 6to4 tunnel.
An alternative to configuring IPv6 on the router is setting up a tunnel on the workstation, since Windows supports the Teredo protocol. The configuration is described in the article "Configuring IPv6 / Teredo in Windows 7". A distinctive feature of this protocol is that it works through NAT.
IPv6 at work.
Unfortunately, the drawback of tunnels is the potential blocking of tunnel brokers, and constantly changing servers is not the most elegant solution.
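Two things from this section are worth having in code: the address you get when you "assign an address" on a 6to4 tunnel is derived from your public IPv4, and, once devices are on the "big Internet" without NAT, 6to4 and Teredo addresses in your logs still carry the real IPv4 endpoint inside them. The following is an added example, not code from the original article: it derives the 6to4 /48 for a public IPv4 address, carves a /64 out of it for the LAN, and classifies IPv6 addresses as 6to4, Teredo or native, recovering the embedded IPv4 (and the client port for Teredo). Sample addresses are constructed or taken from the textbook Teredo example.

```python
import ipaddress

SIXTOFOUR_PREFIX = 0x2002  # RFC 3056: 2002:V4V4:V4V4::/48, IPv4 embedded in bits 16..47


def sixtofour_prefix(public_v4):
    """Return the 2002:XXXX:YYYY::/48 prefix that a public IPv4 address maps to.
    6to4 only works when the tunnel endpoint has a public, non-NATed IPv4;
    that is exactly the case Teredo was designed to get around."""
    v4 = ipaddress.IPv4Address(public_v4)
    return ipaddress.IPv6Network(((SIXTOFOUR_PREFIX << 112) | (int(v4) << 80), 48))


def lan_subnet(prefix48, subnet_id):
    """Pick one of the 65536 /64 networks inside a 6to4 /48 for a LAN segment."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(prefix48.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def classify(v6):
    """Say whether an IPv6 address arrives via a 6to4 or Teredo tunnel and
    recover the embedded IPv4 endpoints, which is what a defender wants when
    correlating firewall logs with the real client behind the tunnel."""
    addr = ipaddress.IPv6Address(v6)
    if addr.sixtofour is not None:
        return {"kind": "6to4", "ipv4": str(addr.sixtofour)}
    if addr.teredo is not None:
        server, client = addr.teredo          # stdlib already un-obfuscates the client
        port = (~(int(addr) >> 32)) & 0xFFFF  # RFC 4380 stores the port XORed with 0xFFFF
        return {"kind": "teredo", "server": str(server),
                "ipv4": str(client), "port": port}
    return {"kind": "native"}
```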
Business Process Reorganization
When everything works, it's time to think about creating an infrastructure that will not be afraid of all these disasters. Of course, if the company has enough funds to organize a geo-distributed cluster with one or even several nodes in the Russian Federation, then this will be a good solution.
But if there are no funds, then you have to look for analogues of G Suite. The same Mail.ru and Yandex offer both text collaboration and mail services for the domain.
Other organizations are increasingly considering a step back toward their own infrastructure. Clouds are good, but in today's conditions availability costs more. So a good option is to lease your own server, or rent colocation in a domestic data center.
By the way, share your news from the fields - suddenly in the bright future it will come in handy.