Jigsaw-Code / outline-server

Outline Server, developed by Jigsaw. The Outline Server is a proxy server that runs a Shadowsocks instance and provides a REST API for access key management.
https://getoutline.org/
Apache License 2.0
5.81k stars 783 forks

Outline gets detected in Iran #1518

Closed cornzzy closed 4 months ago

cornzzy commented 7 months ago

I have been trying every possible combination of configuration options:

There are different kinds of blockages:

  1. Outline client connects successfully but bandwidth gets limited to 0. This happens mostly on mobile providers and prefix choice has an effect on it.
  2. Outline client doesn't connect with an error of "Server unreachable" and "Server credentials are invalid", again mostly on mobile providers while the same config works on some cable providers.

The two-hop solution

Creating a tunnel like client -> Iran server -> foreign server works, but it makes no sense to use it with Outline because two-hop works with anything such as OpenVPN and WireGuard and doesn't get blocked.

I've spent countless resources for the above statements. My strongest guess is it's coming from the end-user's usage.

ParsaJR commented 7 months ago

Me too. But I did not test any of those Reddit wiki methods. My Outline server was working perfectly fine for twenty days. Today it is blocked for all ISPs. I feel that it just depends on the amount of internet usage of the users (not just for Shadowsocks, for all protocols). If less than ~100 gigs of traffic is consumed per month, the probability of blocking is less. Anyway... this is just a guess. Do v2ray or hysteria work better in Iran? I don't know what to do. Should I buy a server with Outline or ...

cornzzy commented 7 months ago

@ParsaJR If it's for personal/family usage, read this https://github.com/Jigsaw-Code/outline-server/issues/1319 It won't get blocked on a clean IP.

ParsaJR commented 7 months ago

@cornzzy Thanks. Are you saying that it can be solved with prefix? So why did you say if it is for personal or family use? What did you mean by this?

cornzzy commented 7 months ago

The TLS ClientHello prefix works for personal use and you should use it. It becomes different when clients connect from many different ISPs.

ParsaJR commented 7 months ago

alright thanks

ParsaJR commented 7 months ago

I used much less traffic and applied the prefix. But surprisingly, it was closed earlier than the previous ones. Shadowsocks doesn't seem to work well for us (at least for me). I went to the hysteria protocol... just so you know.

pedinil commented 4 months ago

I believe we need to be cautious about exposing ports, as attackers can easily identify a server with abnormal ports open.

There are two types of ports to consider:

  1. Management port: This port cannot be changed, but I am researching ways to do so.
  2. Access key port: This port can be modified.

Additionally, it is crucial to block access from all Iran domains on your server. I have provided a script to help with this: https://github.com/pedinil/IRiptables

Adding customized ports:

```bash
# Run the Outline install script with explicit access-key and management API ports
sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-apps/master/server_manager/install_scripts/install_server.sh)" install_server.sh \
  --keys-port=80 --api-port=443
```

cornzzy commented 4 months ago

The issue is not with port or Iranian websites. Good luck, hope you can get it to work for you.

pedinil commented 4 months ago

Thank you for your comment. This issue happened to me before, and I was able to resolve it by changing the port. However, I want to clarify that using an unusual port is not recommended.

But there should be more factors

cornzzy commented 4 months ago

Random port takes hours to get detected. TCP only connection on 443 with TLS prefix on a clean IP can give you a week or two for family usage. If money isn't an issue, Azure IP doesn't get blocked at all but it's $80 per TB (GFW treats it differently).

ParsaJR commented 3 months ago

Guys, I have since switched to Hysteria 2. Still not blocked after 3 months of use. I used about 2 terabytes of traffic... I just wanted to say that hysteria2 seems to be more reliable for Iranians. (Maybe there is a solution for Outline too, which I didn't test, but anyway)

pedinil commented 3 months ago

> Guys, I have since switched to Hysteria 2. Still not blocked after 3 months of use. I used about 2 terabytes of traffic... I just wanted to say that hysteria2 seems to be more reliable for Iranians. (Maybe there is a solution for Outline too, which I didn't test, but anyway)

Does it have the management portal? And which protocol is it using?

ParsaJR commented 3 months ago

> Does it have the management portal? And which protocol is it using?

Management portal? Do you mean to create users and such? I don't think it has one. I don't use it for commercial purposes. I started it manually with the configuration of the YAML file exactly according to its own document. https://v2.hysteria.network/docs/getting-started/Server