HirbodBehnam / Shadowsocks-Cloak-Installer

A one-key script to set up the Cloak plugin with Shadowsocks on your server
GNU General Public License v3.0
420 stars, 88 forks

Cloak Not Working In Iran #24

Closed Abdipour closed 4 years ago

Abdipour commented 4 years ago

Hi. I ran the cloak2 script without any error, but I can't connect to the server. Based on the FAQ, I tried to check whether shadowsocks-server is running and got this error: Unit shadowsocks-server.service could not be found.

In /lib/systemd/system/ there are several service files related to ss-libev:

shadowsocks-libev.service
shadowsocks-libev-server@.service
shadowsocks-libev-local@.service
shadowsocks-libev-redir@.service
shadowsocks-libev-tunnel@.service

In ReadMe:

Also script creates a service named shadowsocks-server. DO NOT USE shadowsocks-libev service.

Can you help me find where the problem is and how to solve this issue?

HirbodBehnam commented 4 years ago

Oh dammit, I forgot to update the FAQ. Can you run this command instead and give me the output? systemctl status cloak-server

HirbodBehnam commented 4 years ago

Also keep in mind that a few days ago, Iran changed some of its censorship techniques. For instance, most of the time, MTProto Fake TLS does not work anymore. Maybe Cloak has faced the same issue, although I can run and connect to both the MTProto proxy and Cloak on my own server.

Abdipour commented 4 years ago

> Oh dammit, I forgot to update the FAQ. Can you run this command instead and give me the output? systemctl status cloak-server

The cloak-server status is active and running.

> Also keep in mind that a few days ago, Iran changed some of its censorship techniques. For instance, most of the time, MTProto Fake TLS does not work anymore. Maybe Cloak has faced the same issue, although I can run and connect to both the MTProto proxy and Cloak on my own server.

Thank you. I had Shadowsocks and MTProto (installed with your script) at the same time on this server. Since a few days ago MTProto does not connect, but the Shadowsocks connection is OK. Today I decided to remove all proxy services and install only Shadowsocks with Cloak.

HirbodBehnam commented 4 years ago

Is there any errors in the log? And what's your client OS?

Abdipour commented 4 years ago

> Is there any errors in the log? And what's your client OS?

Jul 10 15:29:28 aykn ck-server[1379]: time="2020-07-10T15:29:28Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:48562" sessionId=0
Jul 10 15:29:29 aykn ck-server[1379]: time="2020-07-10T15:29:29Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:49010" sessionId=0
Jul 10 15:29:59 aykn ck-server[1379]: time="2020-07-10T15:29:59Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:43890" sessionId=0
Jul 10 15:30:00 aykn ck-server[1379]: time="2020-07-10T15:30:00Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:44236" sessionId=0
Jul 10 15:30:00 aykn ck-server[1379]: time="2020-07-10T15:30:00Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:44564" sessionId=0
Jul 10 15:36:33 aykn ck-server[1379]: time="2020-07-10T15:36:33Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="164.52.24.162:60535" sessionId
Jul 10 15:36:37 aykn ck-server[1379]: time="2020-07-10T15:36:37Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="164.52.24.162:37418" sessionId
Jul 10 16:24:46 aykn ck-server[1379]: time="2020-07-10T16:24:46Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="146.88.240.16:57572" sessionId
Jul 10 19:02:09 aykn ck-server[1379]: time="2020-07-10T19:02:09Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.35.168.215:43058" sessionI
Jul 10 19:02:09 aykn ck-server[1379]: time="2020-07-10T19:02:09Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.35.168.215:32898" sessionI

The OS is Ubuntu 18.04 (64-bit).
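
The log above is the point at which a practitioner would want to separate two different things ck-server can report: a TLS ClientHello that is not a Cloak ClientHello at all (the "failed to unmarshal ClientHello into authFragments" warnings, with an empty UID, coming from a handful of unrelated source addresses, which is what internet-wide scanners look like), and a connection that completed the handshake and then went silent (the "failed to read anything after connection is established ... i/o timeout" lines that appear later in this thread). The script below is an added example, not part of the installer or of Cloak; it parses the logfmt fields of journal lines and summarizes them per source IP. The sample lines are constructed for the example, modelled on the ones posted here: the scanner addresses and warning text are taken from the posted log, and the two timeout lines use TEST-NET addresses (203.0.113.0/24) in place of the x.x.x.x the reporter redacted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample journal output, modelled on the ck-server lines posted in this issue.
SAMPLE_LOG = """\
Jul 10 15:29:28 aykn ck-server[1379]: time="2020-07-10T15:29:28Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:48562" sessionId=0
Jul 10 15:29:29 aykn ck-server[1379]: time="2020-07-10T15:29:29Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:49010" sessionId=0
Jul 10 15:29:59 aykn ck-server[1379]: time="2020-07-10T15:29:59Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:43890" sessionId=0
Jul 10 15:36:33 aykn ck-server[1379]: time="2020-07-10T15:36:33Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="164.52.24.162:60535" sessionId=0
Jul 10 16:24:46 aykn ck-server[1379]: time="2020-07-10T16:24:46Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="146.88.240.16:57572" sessionId=0
Jul 11 09:12:01 aykn ck-server[1379]: time="2020-07-11T09:12:01Z" level=info msg="failed to read anything after connection is established: read tcp 203.0.113.5:443->203.0.113.10:2304: i/o timeout" remoteAddr="203.0.113.10:2304"
Jul 11 09:12:31 aykn ck-server[1379]: time="2020-07-11T09:12:31Z" level=info msg="failed to read anything after connection is established: read tcp 203.0.113.5:443->203.0.113.10:2310: i/o timeout" remoteAddr="203.0.113.10:2310"
"""

# logfmt-style key=value pairs: the value is either double-quoted or bare (possibly empty, as in UID=)
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

NON_CLOAK_HELLO = "non_cloak_hello"          # TLS hello without Cloak auth fragments: scanners or a misconfigured client
STALLED = "stalled_after_handshake"          # handshake completed, then nothing read until the timeout
OTHER = "other"


def parse_line(line):
    """Return the logfmt fields of one ck-server journal line as a dict, or None if it is not one."""
    if "ck-server[" not in line:
        return None
    _, _, payload = line.partition("]: ")
    fields = {}
    for key, raw in _KV.findall(payload):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields or None


def classify(fields):
    """Map a parsed line to one of the event categories above, keyed on the msg prefix."""
    msg = fields.get("msg", "")
    if msg.startswith("failed to unmarshal ClientHello"):
        return NON_CLOAK_HELLO
    if msg.startswith("failed to read anything after connection is established"):
        return STALLED
    return OTHER


def summarize(log_text):
    """Count each event category per source IP. Returns {ip: Counter}."""
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        addr = fields.get("remoteAddr", "")
        ip = addr.rsplit(":", 1)[0] if ":" in addr else addr
        by_ip[ip][classify(fields)] += 1
    return dict(by_ip)


def scanner_like(summary, min_hits=3):
    """IPs that only ever sent non-Cloak hellos, at least min_hits times: probing, not a real client."""
    return sorted(ip for ip, c in summary.items()
                  if c[NON_CLOAK_HELLO] >= min_hits and c[STALLED] == 0)


def stalled_sources(summary):
    """IPs whose connections were accepted but never sent data: the pattern to look at when
    suspecting an in-path drop after the handshake rather than a client-side configuration error."""
    return sorted(ip for ip, c in summary.items() if c[STALLED] > 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, counts in sorted(s.items()):
        print(ip, dict(counts))
    print("scanner-like:", scanner_like(s))
    print("stalled after handshake:", stalled_sources(s))
```

Run it against real output with `journalctl -u cloak-server --no-pager | python3 triage.py` after replacing SAMPLE_LOG with `sys.stdin.read()`. A real client that cannot connect but shows up only as non_cloak_hello usually means the client's UID or public key does not match the server; a client that shows up as stalled_after_handshake reached the server and was then cut off.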

HirbodBehnam commented 4 years ago

Ok, what is your client OS? (Android, Windows, macOS)

Abdipour commented 4 years ago

> Ok, what is your client OS? (Android, Windows, macOS)

Windows and Android. Also, there is no error in the clients.

HirbodBehnam commented 4 years ago

Unfortunately, I do not have many ideas left but the simple ones, like:

  1. Make sure that the Cloak clients on Android and Windows are up to date (version 2.1.3).
  2. If possible, uninstall, reboot and then reinstall Cloak on the server. If possible, try completely reinstalling the server's OS (this is probably not the solution).
  3. (Censorship test, if you like): you can use a tool like wgcl to generate a free WireGuard profile. On your client, turn on Cloak and WireGuard simultaneously and check if Cloak is working.

HirbodBehnam commented 4 years ago

We had a small chat on Telegram and found out that the Iran firewall is actively blocking the Cloak connection. Somehow, the firewall validates the TLS packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in the MTProto proxy. Right now, I do not have any workaround for this issue. You can switch to Trojan or V2Ray to solve this problem. Also, it looks like my own server is not affected by this issue, so the firewall might be watching some specific data centers or IP addresses (my server is from Eonix Corporation). Switching from direct mode to CDN mode in Cloak might resolve this problem, but I haven't tested it. Also, you can watch this issue on the main Cloak repository for further updates.

felixding commented 4 years ago

> We had a small chat on Telegram and found out that the Iran firewall is actively blocking the Cloak connection. Somehow, the firewall validates the TLS packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in the MTProto proxy. Right now, I do not have any workaround for this issue. You can switch to Trojan or V2Ray to solve this problem. Also, it looks like my own server is not affected by this issue, so the firewall might be watching some specific data centers or IP addresses (my server is from Eonix Corporation). Switching from direct mode to CDN mode in Cloak might resolve this problem, but I haven't tested it. Also, you can watch this issue on the main Cloak repository for further updates.

Thanks for the update. This is sad.

Just out of curiosity, technically how does the Iran firewall find out it's Cloak and not regular HTTPS requests?

cyqsimon commented 4 years ago

@Abdipour If Iran's firewall is indeed able to differentiate between Cloak and real HTTPS, you can try simple-tls. This encrypts your SS traffic with real TLS 1.3, so theoretically there's no way to differentiate, or at least it becomes very difficult.

HirbodBehnam commented 4 years ago

@felixding

> Just out of curiosity, technically how does the Iran firewall find out it's Cloak and not regular HTTPS requests?

I don't have a single clue. But somehow both the fake-TLS mode in the MTProto proxy and Cloak are blocked on the fly. (So probably simple-obfs does not work as well.)

@cyqsimon

> you can try simple-tls.

Yes, I've also seen it but I haven't tested it. Are the speed and stability good?

Abdipour commented 4 years ago

> We had a small chat on Telegram and found out that the Iran firewall is actively blocking the Cloak connection. Somehow, the firewall validates the TLS packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in the MTProto proxy. Right now, I do not have any workaround for this issue. You can switch to Trojan or V2Ray to solve this problem. Also, it looks like my own server is not affected by this issue, so the firewall might be watching some specific data centers or IP addresses (my server is from Eonix Corporation). Switching from direct mode to CDN mode in Cloak might resolve this problem, but I haven't tested it. Also, you can watch this issue on the main Cloak repository for further updates.

> Thanks for the update. This is sad.
>
> Just out of curiosity, technically how does the Iran firewall find out it's Cloak and not regular HTTPS requests?

When you use fake TLS, technically the certificate validation would work, but ultimately the key exchange would fail since the "fake" server doesn't have the private key.

> @Abdipour If Iran's firewall is indeed able to differentiate between Cloak and real HTTPS, you can try simple-tls. This encrypts your SS traffic with real TLS 1.3, so theoretically there's no way to differentiate, or at least it becomes very difficult.

Thanks for your advice. For now I am using another plugin with real TLS and behind a CDN.
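
Nobody in this thread knows how the firewall tells Cloak from ordinary HTTPS, and the example below does not claim to. What it does show is the part of the handshake that is available to anyone on the path: the ClientHello is cleartext, so both ck-server and a middlebox can parse its random, session ID, SNI, supported_versions and key_share, and either side can reject a hello whose length fields do not add up or whose x25519 key_share is not 32 bytes. This is an added illustration, not Cloak's code: the builder and parser are constructed here (TLS 1.3, x25519 only, no other extensions), and the "malformed key_share" rejection is modelled on the warning text in the posted log, not on the exact check ck-server performs, which this page does not show (an assumption).

```python
import os
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_GROUPS = 0x000A
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_KEY_SHARE = 0x0033
GROUP_X25519 = 0x001D
TLS13 = 0x0304


class MalformedHello(ValueError):
    """Raised when a ClientHello's framing is internally inconsistent."""


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, key_share_pub, session_id=b"", client_random=None):
    """Constructed minimal TLS 1.3 ClientHello record. key_share_pub is the raw x25519 public key."""
    client_random = os.urandom(32) if client_random is None else client_random
    cipher_suites = b"\x13\x01\x13\x02\x13\x03"  # AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305
    name = sni.encode("ascii")
    sni_ext = _ext(EXT_SERVER_NAME, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    ver_ext = _ext(EXT_SUPPORTED_VERSIONS, b"\x02" + struct.pack("!H", TLS13))
    grp_ext = _ext(EXT_SUPPORTED_GROUPS, struct.pack("!HH", 2, GROUP_X25519))
    entry = struct.pack("!HH", GROUP_X25519, len(key_share_pub)) + key_share_pub
    ks_ext = _ext(EXT_KEY_SHARE, struct.pack("!H", len(entry)) + entry)
    exts = sni_ext + ver_ext + grp_ext + ks_ext
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def _parse_key_share(body):
    """Parse the client_shares vector; every length must agree and x25519 keys must be 32 bytes."""
    if len(body) < 2 or int.from_bytes(body[:2], "big") != len(body) - 2:
        raise MalformedHello("malformed key_share")
    shares, p = [], 2
    while p < len(body):
        if len(body) - p < 4:
            raise MalformedHello("malformed key_share")
        group, klen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if p + klen > len(body) or (group == GROUP_X25519 and klen != 32):
            raise MalformedHello("malformed key_share")
        shares.append((group, body[p:p + klen]))
        p += klen
    return shares


def parse_client_hello(record):
    """Return the cleartext fields of a ClientHello record, or raise MalformedHello."""
    r = bytes(record)
    if len(r) < 5 or r[0] != TLS_HANDSHAKE or int.from_bytes(r[3:5], "big") != len(r) - 5:
        raise MalformedHello("bad record header")
    hs = r[5:]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise MalformedHello("bad handshake header")
    b = hs[4:]
    if len(b) < 35:
        raise MalformedHello("truncated ClientHello")
    info = {"legacy_version": b[0:2], "random": b[2:34]}
    pos = 34
    sid_len = b[pos]; pos += 1
    info["session_id"] = b[pos:pos + sid_len]; pos += sid_len
    cs_len = int.from_bytes(b[pos:pos + 2], "big"); pos += 2
    info["cipher_suites"] = [int.from_bytes(b[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = b[pos]; pos += 1 + comp_len
    ext_len = int.from_bytes(b[pos:pos + 2], "big"); pos += 2
    if pos + ext_len != len(b):
        raise MalformedHello("extensions length mismatch")
    info.update(sni=None, supported_versions=[], key_share=[])
    end = pos + ext_len
    while pos < end:
        if end - pos < 4:
            raise MalformedHello("truncated extension header")
        et, el = struct.unpack("!HH", b[pos:pos + 4]); pos += 4
        if pos + el > end:
            raise MalformedHello("extension overruns extensions block")
        body = b[pos:pos + el]; pos += el
        if et == EXT_SERVER_NAME:
            name_len = int.from_bytes(body[3:5], "big")
            info["sni"] = body[5:5 + name_len].decode("ascii", "replace")
        elif et == EXT_SUPPORTED_VERSIONS:
            info["supported_versions"] = [int.from_bytes(body[i:i + 2], "big")
                                          for i in range(1, 1 + body[0], 2)]
        elif et == EXT_KEY_SHARE:
            info["key_share"] = _parse_key_share(body)
    return info


def looks_like_tls13_hello(record):
    """Structural plausibility check needing no keys: well-formed, offers TLS 1.3, has SNI and an x25519 share."""
    try:
        info = parse_client_hello(record)
    except MalformedHello:
        return False
    return (TLS13 in info["supported_versions"] and info["sni"] is not None
            and any(g == GROUP_X25519 for g, _ in info["key_share"]))
```

Feeding it a capture of a real ClientHello (the first record on port 443, e.g. from tcpdump) is the quickest way to see which fields a camouflage protocol has to fill with believable values: everything the parser returns is visible to the network before any key exchange happens.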

cyqsimon commented 4 years ago

> @felixding
>
> > Just out of curiosity, technically how does the Iran firewall find out it's Cloak and not regular HTTPS requests?
>
> I don't have a single clue. But somehow both the fake-TLS mode in the MTProto proxy and Cloak are blocked on the fly. (So probably simple-obfs does not work as well.)
>
> @cyqsimon
>
> > you can try simple-tls.
>
> Yes, I've also seen it but I haven't tested it. Are the speed and stability good?

Software stability is flawless. As for speed, I have been using it for a month now and have not noticed a significant difference compared to SS without a plugin (SS encryption mode: chacha20-ietf-poly1305). However, this is speaking from personal experience, not scientific testing.

HirbodBehnam commented 4 years ago

Cool, thanks!

HirbodBehnam commented 4 years ago

I experienced something interesting today. Today on my ISPs (Pars Online and Rightel), I had problems connecting to my Cloak server. The Cloak log was filled with:

level=info msg="failed to read anything after connection is established: read tcp x.x.x.x:443->x.x.x.x:2304: i/o timeout" remoteAddr="x.x.x.x:2304"

(Note that there was no New session.) I assumed that Iran's firewall was blocking Cloak's connection on the fly, because there was no problem connecting to it with OpenVPN.

But I found a really easy way to fix this: I just changed the browser signature from Chrome to Firefox and it started to work. This reminded me of someone in some MTProto forum who said something like:

> They might have blocked the protocol because the MTProto proxy is mimicking an old Chrome client hello.

I checked the history of Cloak's code that mimics Chrome and it looks like it has not been updated in a while (more than a year, and the other commits are just code refactoring). If that is the case and Chrome's client hello signature has changed, maybe Cloak needs to update the Chrome (and maybe Firefox) signatures. I will open an issue on Cloak's repository and ask the owner if they need some updates.

Edit: I found out that my server is whitelisted.
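
For readers who want to try the two knobs mentioned in this thread, here is a ck-client configuration as an added example (not taken from the installer script or from Cloak's README) with the browser signature set to firefox instead of chrome. The field names are those of the Cloak 2.x client config; the UID, PublicKey and ServerName values are placeholders, and the server-side ProxyBook entry for shadowsocks is assumed to exist.

```json
{
    "Transport": "direct",
    "ProxyMethod": "shadowsocks",
    "EncryptionMethod": "plain",
    "UID": "<base64 UID issued by the server admin>",
    "PublicKey": "<base64 public key of the ck-server>",
    "ServerName": "www.bing.com",
    "NumConn": 4,
    "BrowserSig": "firefox",
    "StreamTimeout": 300
}
```

BrowserSig only changes the shape of the ClientHello the client sends; it does not change the keys or the UID, so a server that worked with chrome keeps working after the switch. The other option discussed above, Transport set to cdn instead of direct, routes the connection through a CDN and requires the CDN-specific setup described in Cloak's README, including a ServerName that the CDN actually fronts for you.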

aboka2k commented 4 years ago

Great find, and I hope that with the new signature update it will work. TQ.