Closed Abdipour closed 4 years ago
Oh dammit, I forgot to upgrade the FAQ.
Can you run this command instead and give me the output?
systemctl status cloak-server
Also keep in mind that a few days ago, Iran changed some of their censorship techniques. For instance, most of the time, the MTProto Fake TLS does not work anymore. Maybe cloak has faced the same issue. Although I can run and connect to both MTProto proxy and Cloak on my own server.
> Oh dammit, I forgot to upgrade the FAQ. Can you run this command instead and give me the output?
> systemctl status cloak-server

The cloak-server status is active and running.

> Also keep in mind that a few days ago, Iran changed some of their censorship techniques. For instance, most of the time, the MTProto Fake TLS does not work anymore. Maybe cloak has faced the same issue. Although I can run and connect to both MTProto proxy and Cloak on my own server.

Thank you. I had shadowsocks and mtproto (installed with your script) at the same time on this server. Since a few days ago mtproto does not connect. But the shadowsocks connection is OK. Today I decided to remove all proxy services and install only shadowsocks with cloak.
Are there any errors in the log? And what's your client OS?
> Are there any errors in the log? And what's your client OS?
Jul 10 15:29:28 aykn ck-server[1379]: time="2020-07-10T15:29:28Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:48562" sessionId=0
Jul 10 15:29:29 aykn ck-server[1379]: time="2020-07-10T15:29:29Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:49010" sessionId=0
Jul 10 15:29:59 aykn ck-server[1379]: time="2020-07-10T15:29:59Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:43890" sessionId=0
Jul 10 15:30:00 aykn ck-server[1379]: time="2020-07-10T15:30:00Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:44236" sessionId=0
Jul 10 15:30:00 aykn ck-server[1379]: time="2020-07-10T15:30:00Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:44564" sessionId=0
Jul 10 15:36:33 aykn ck-server[1379]: time="2020-07-10T15:36:33Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="164.52.24.162:60535" sessionId
Jul 10 15:36:37 aykn ck-server[1379]: time="2020-07-10T15:36:37Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="164.52.24.162:37418" sessionId
Jul 10 16:24:46 aykn ck-server[1379]: time="2020-07-10T16:24:46Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="146.88.240.16:57572" sessionId
Jul 10 19:02:09 aykn ck-server[1379]: time="2020-07-10T19:02:09Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.35.168.215:43058" sessionI
Jul 10 19:02:09 aykn ck-server[1379]: time="2020-07-10T19:02:09Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.35.168.215:32898" sessionI
OS is Ubuntu 18.04 (64bit)
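Added example (not part of the thread and not code from the Cloak project): a small triage script for ck-server journal lines in the format shown above, counting events per source address and failure reason so an operator can see whether the warnings come from a few repeat addresses. The sample lines are constructed, the addresses are documentation ranges, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the journald + logrus format of the lines above. Addresses
# are documentation ranges; the last two lines are cut off as a terminal would.
SAMPLE = """\
Jul 10 15:29:28 host ck-server[1379]: time="2020-07-10T15:29:28Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.0.2.23:48562" sessionId=0
Jul 10 15:29:29 host ck-server[1379]: time="2020-07-10T15:29:29Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.0.2.23:49010" sessionId=0
Jul 10 15:29:59 host ck-server[1379]: time="2020-07-10T15:29:59Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.0.2.23:43890" sessionId=0
Jul 10 16:02:11 host ck-server[1379]: time="2020-07-10T16:02:11Z" level=info msg="failed to read anything after connection is established: read tcp 198.51.100.1:443->203.0.113.7:2304: i/o timeout" remoteAddr="203.0.113.7:2304"
Jul 10 16:24:46 host ck-server[1379]: time="2020-07-10T16:24:46Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="198.51.100.162:60535" sessionI
Jul 10 19:02:09 host ck-server[1379]: time="2020-07-10T19:02:09Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="198.51.100
"""

# key=value pairs; a value is a double-quoted string or a bare token, possibly empty.
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_line(line):
    """Return the logrus fields of one ck-server journal line, or None."""
    _, sep, rest = line.partition("ck-server[")
    if not sep:
        return None
    payload = rest.partition("]: ")[2]
    return {m[1]: m[2] if m[2] is not None else m[3] for m in FIELD.finditer(payload)}

def summarise(text):
    """Count events per (source IP, reason); also count lines with no usable address."""
    counts, unusable = Counter(), 0
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields or "msg" not in fields:
            continue
        addr = fields.get("remoteAddr", "")
        ip, _, port = addr.rpartition(":")
        if addr.startswith('"') or not ip or not port.isdigit():
            unusable += 1  # remoteAddr missing or cut off mid-value
            continue
        counts[(ip, fields["msg"].rsplit(": ", 1)[-1])] += 1
    return counts, unusable

def repeat_sources(counts, reason, minimum=3):
    """Source IPs seen at least `minimum` times with the given failure reason."""
    return sorted(ip for (ip, why), n in counts.items() if why == reason and n >= minimum)

if __name__ == "__main__":
    counts, unusable = summarise(SAMPLE)
    for (ip, why), n in counts.most_common():
        print(f"{n:3d}  {ip:<16} {why}")
    print("lines without a usable remoteAddr:", unusable)
```

On a server, the input would be the saved output of `journalctl -u cloak-server` instead of `SAMPLE`.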
OK, what is your client OS? (Android, Windows, macOS)
> OK, what is your client OS? (Android, Windows, macOS)

Windows and Android. Also, there is no error in the clients.
Unfortunately, I do not have many ideas left but the simple ones. Like:
We had a small chat in Telegram and found out that the Iran firewall is actively blocking the cloak connection. Somehow, the firewall validates the TLS packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in MTProto proxy. Right now, I do not have any workaround for this issue. You can switch to Trojan or V2Ray to solve this problem. Also, it looks like my own server is not affected by this issue, so the firewall might be watching some special data centers or IP addresses. (My server is from Eonix Corporation.) I haven't tested it, but switching from direct mode to CDN mode in cloak might resolve this problem. Also, you can watch this issue on the main cloak repository for further updates.
> We had a small chat in Telegram and found out that the Iran firewall is actively blocking the cloak connection. Somehow, the firewall validates the TLS packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in MTProto proxy. Right now, I do not have any workaround for this issue. You can switch to Trojan or V2Ray to solve this problem. Also, it looks like my own server is not affected by this issue, so the firewall might be watching some special data centers or IP addresses. (My server is from Eonix Corporation.) I haven't tested it, but switching from direct mode to CDN mode in cloak might resolve this problem. Also, you can watch this issue on the main cloak repository for further updates.
Thanks for the update. This is sad.
Just out of curiosity, technically how does the Iran firewall find out it's Cloak not regular HTTPS requests?
@Abdipour If Iran's firewall is indeed able to differentiate between Cloak and real HTTPS, you can try simple-tls. This encrypts your SS traffic with real TLS1.3, so theoretically there's no way to differentiate, or at least it becomes very difficult.
@felixding
> Just out of curiosity, technically how does the Iran firewall find out it's Cloak not regular HTTPS requests?

I don't have a single clue. But somehow both fake-tls mode in MTProto proxy and cloak are blocked on-the-fly. (So probably the simple-obfs does not work as well)
@cyqsimon
> you can try simple-tls.
Yes, I've also seen it but I haven't tested it. Is the speed and stability good?
> We had a small chat in Telegram and found out that the Iran firewall is actively blocking the cloak connection. Somehow, the firewall validates the TLS packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in MTProto proxy. Right now, I do not have any workaround for this issue. You can switch to Trojan or V2Ray to solve this problem. Also, it looks like my own server is not affected by this issue, so the firewall might be watching some special data centers or IP addresses. (My server is from Eonix Corporation.) I haven't tested it, but switching from direct mode to CDN mode in cloak might resolve this problem. Also, you can watch this issue on the main cloak repository for further updates.
>
> Thanks for the update. This is sad.
> Just out of curiosity, technically how does the Iran firewall find out it's Cloak not regular HTTPS requests?
When you use fake TLS, technically the certificate validation would work but ultimately the key exchange would fail since the “fake” server doesn’t have the private key.
> @Abdipour If Iran's firewall is indeed able to differentiate between Cloak and real HTTPS, you can try simple-tls. This encrypts your SS traffic with real TLS1.3, so theoretically there's no way to differentiate, or at least it becomes very difficult.

Thanks for your advice. For now using another plugin with real TLS and behind CDN.
> @felixding
> > Just out of curiosity, technically how does the Iran firewall find out it's Cloak not regular HTTPS requests?
>
> I don't have a single clue. But somehow both fake-tls mode in MTProto proxy and cloak are blocked on-the-fly. (So probably the simple-obfs does not work as well)
> @cyqsimon
> > you can try simple-tls.
>
> Yes, I've also seen it but I haven't tested it. Is the speed and stability good?

Software stability is flawless. As for speed, I have been using it for a month now, and have not noticed a significant difference compared to SS w/o plugin (SS encryption mode: chacha20-ietf-poly1305). However this is speaking from personal experience, not scientific testing.
Cool, thanks!
I experienced something today that was interesting. Today on my ISPs (Pars Online and Rightel), I had problems connecting to my Cloak server. The log of cloak was filled with:
level=info msg="failed to read anything after connection is established: read tcp x.x.x.x:443->x.x.x.x:2304: i/o timeout" remoteAddr="x.x.x.x:2304"
(Note that there was no New session)
I assumed that Iran's firewall was blocking Cloak's connection on the fly because there was no problem connecting to it with OpenVPN.
But I found a really easy way to fix this: I just changed the browser signature from Chrome to Firefox and it started to work. This thing reminded me of someone in some MTProto forum that said something like
> They might have blocked the protocol because the mtproto proxy is mimicking old Chrome's client hello.

I checked the history of Cloak's code that mimics Chrome and it looks like it has not been updated in a while (more than a year, and also the other commits are just refactoring code). If that is the case and Chrome's client hello signature has been changed, maybe Cloak needs to update the Chrome (and maybe Firefox) signatures. I will open an issue on Cloak's repository and ask the owner if they need some updates.
Edit: I found out that my server is whitelisted
Great find and hope with the new signature update, it will work. TQ.
Hi. I ran the cloak2 script without any error, but can't connect to the server. Based on the FAQ I tried to check shadowsocks-server is running, got this error: Unit shadowsocks-server.service could not be found.
Packages in /lib/systemd/system/, there are several service files related to ss-libev:
In ReadMe:
Can you help where is the problem and how to solve this issue?