Jigsaw-Code / outline-server

Outline Server, developed by Jigsaw. The Outline Server is a proxy server that runs a Shadowsocks instance and provides a REST API for access key management.
https://getoutline.org/
Apache License 2.0

replace Shadowsocks with ShadowsocksR or V2Ray #165

Closed hadifarnoud closed 3 years ago

hadifarnoud commented 6 years ago

Iran just blocked Shadowsocks, making Outline unusable. I just tried ShadowsocksR and it works just fine (on port 443) in Iran. Not sure about China though

the addition of ShadowsocksR or V2Ray can help.

sailosha commented 6 years ago

Please, NO SSR! SSR is NOT open source, you can build it by yourself and use it (even though I used it for a long time). SS is using a random port, same as SSR. I suggest you try Google Cloud Platform and build a new VPN server from Google. Then if Outline fails, please post the error and the ping command.

Here is my own experience: I didn't set up a static IP on GCP or Azure. One day I woke up and our government had blocked my server port and IP. Then I shut down the server, requested a new IP, and rebuilt Outline. It works fine. But in recent days, China increased the filter level due to political problems. But most of the time, SS + KCPTUN, Outline works fine for me.

hadifarnoud commented 6 years ago

Unfortunately, GC blocks all Iranian IPs, so all the Google Cloud servers are blocked from Iran. How can I replace SS with SSR in Outline Server?

I think the rewrites of SSR are open source? If not, what about V2Ray?

sailosha commented 6 years ago

You can't replace it. How about Azure (Microsoft) and AWS (Amazon)? I suggest Azure, cuz AWS is a little bit hard for beginners. I don't know about V2Ray, sorry. Can't u run standalone SSR servers on the cloud? Even though your gov blocked GCP IPs, it doesn't mean u can't connect to them. I am using an Azure server which is blocked by China (ping error). There is no proof that shows Shadowsocks can be blocked. Only China did research on sniffing SS communication in the past.

hadifarnoud commented 6 years ago

Azure is fine I guess.

Just to be clear, the Iranian government did not block GCP IPs. It's the other way around: Google blocked Iranian IPs. So your clients can't access GC servers either! More info here

My server became useless after three weeks! There must be something they do. As I understand, SSR is harder to detect as it obfuscates the traffic, hence the reason I asked for SSR support.

hadifarnoud commented 6 years ago

And the reason I wanted to use Outline with SSR is ease of use. As I give others access, Outline is perfect.

sailosha commented 6 years ago

...cuz there is a stupid issue with SSR. A group of Chinese people were against the developer for several reasons. They did cyberbullying and personal attacks on the Internet. So the developer said she decided to close the SSR project forever. That is why I didn't suggest SSR; it doesn't get updated anymore. Can't u change the IP address for the servers? Btw, keep two VPNs working all the time, so u can use one to access the cloud when they block the other one.

hadifarnoud commented 6 years ago

I guess that's what I have to do.

sailosha commented 6 years ago

@hadifarnoud btw, try to use BBR to speed up servers. It requires Linux kernel 4.6+

sailosha commented 6 years ago

It is a Google project for the Linux kernel; it can boost speed for TCP/UDP packages. https://github.com/iMeiji/shadowsocks_install/wiki/%E5%BC%80%E5%90%AFTCP-BBR%E6%8B%A5%E5%A1%9E%E6%8E%A7%E5%88%B6%E7%AE%97%E6%B3%95 You can translate it into English and use it. (Btw, you need to set up an su account for some commands on this page.)

fortuna commented 6 years ago

@hadifarnoud, thanks for the report! We need to better understand the nature of the blocking.

Did you create the server, or were you using someone else's server?

If you are open to it and prefer, we can debug it in more detail in private. I'm on Keybase chat.

NightMachinery commented 6 years ago

@fortuna I just installed this today, though I had installed some SS servers some days ago. They won't work. SSR works perfectly. I used a US-hosted VPS bought from an Iranian company. I know of no method to buy a server from Western companies; not only is paying them very expensive because of sanctions (dollars in a credit card are sold much more expensively than plain dollars here in Iran), even using their free services is very hard because they block Iranian IPs and they demand phone call verification (obviously they don't accept +98 Iranian numbers) and a credit card.

  1. I created multiple keys, but I used my SSR VPN when doing so.
  2. This is not the case. I can connect to SSR just fine with any port whatsoever.
  3. I didn't, but since I just created it today, it presumably wouldn't help.

SquirrelCoder commented 6 years ago

No, Shadowsocks is not blocked, at least for now. It works perfectly, without any problem whatsoever.

I think you shared the keys publicly, and this got the server's IP blocked!

And I would also advise against using SSR. Apparently the maintainer abandoned the project some time ago.

I think there was a thread in shadowsocks-libev issues, which showed how vulnerable SSR is!

I tested it on 2 operators and there is no problem at all. Most likely, they went and blocked the server's IP!

hadifarnoud commented 6 years ago

@fortuna it was my servers.

It stopped connecting to the server for some time. it was working on some networks but blocked on most. I think it would eventually become blocked on all networks as the process takes some time.

  • Did you use the DigitalOcean option or the advanced mode with the command line? I did manual installation like I did on other providers.

  • Can you try creating a new access key? Can you access the server with the new key? unfortunately, I deleted that server. if you let me know how to change the access key, I will on our new test.

  • Have you tried connecting to the server from different networks? is it consistently blocked? The client may be in a network with a "fascist firewall" that whitelists few ports. In that case we can try using a different port number (it seems 443 works for you). I tried it on mobile networks which does not have any firewall at all. It was not working on Rightel and Irancell but was working on MCI (which would've been blocked too because the process is a bit slow).

  • Can you try creating a new server? Is the new server also blocked?

I can definitely do that. will report back when it gets blocked again. please do share your email address with me.

manizand commented 6 years ago

@SquirrelCoder My private server is blocked for a lot of my friends, but not for all of them; it seems Outline isn't blocked on all ISPs...

SquirrelCoder commented 6 years ago

@manizand yeah, as I mentioned above, there is no problem with outline (to be more precise: Shadowsocks), hence I don't understand these blockage reports! (But I've not tested Outline on all ISPs)

the situation could change in the future, but for now, it's stable.

NightMachinery commented 6 years ago

@squirrelcoder No, I didn’t share any keys. I had just created them. 🙄 And no, the ip is not blocked. My SSR on that same ip works with any ports. I use Irancell MTM and perhaps Mokhaberat, too (Do they call themselves ICT or sth? Lol). I don’t remember that.

manizand commented 6 years ago

I destroyed the old server and created the new one (in the same location). the new one works fine...

SquirrelCoder commented 6 years ago

@NightMachinary sadly I can't say anything about ICT (مخابرات), but on Irancell it does work for me (and 2 other people too), maybe we are in different cities and they're enforcing different rules to different cities (not sure though 😀)


I would advise setting up ss-libev on your server (first with port 443, and then change it, also use AEAD ciphers), and test whether it works or not.

NightMachinery commented 6 years ago

Strangely, my Outline server works today (Via Irancell). (I am sure my server wasn’t down when it didn’t work. I could connect to the wireguard service set up on it just fine.)

On Sat, Jun 9, 2018 at 9:27 AM The Real Squirrel notifications@github.com wrote:

@NightMachinary https://github.com/NightMachinary sadly I can't say anything about ICT (مخابرات), but on Irancell it does work for me (and 2 other people too), maybe we are in different cities and they're enforcing different rules for different cities (not sure though 😀)

I would advise setting up ss-libev on your server (first with port 443, and then change it, also use AEAD ciphers), and test whether it works or not.

max4444 commented 6 years ago

hey guys, my server got blocked too, i changed the IP but it got blocked again in a few hours! Wonder how they find the IP address! Are they checking the type of traffic or what?

max4444 commented 6 years ago

Have you guys found a workaround? Are they detecting and blocking the shadow traffic? @hadifarnoud @NightMachinary @manizand

manizand commented 6 years ago

@max4444 I repeatedly destroy the blocked server and create a new one. It works for a few days and then it's blocked again 😞

P.S: I use DO servers and Outline Manager for macOS

max4444 commented 6 years ago

@manizand So there should be something that makes it detectable for the gov, if you haven't posted your IP/KEY anywhere public :-?

I've been using it since 2015, there were no issues until the past few days. The IP got blocked and I changed it, but it took like 24 hours for the new IP to get blocked :|

hadifarnoud commented 6 years ago

it can be quite easy to detect if you tunnel all your traffic through shadowsocks. they can find out if all traffic is going to one IP address.

I'm not using Outline anymore. installed ShadowsocksR. I use a custom PAC to pass thru proxy only for blocked sites. It's working well but even with that it sometimes stops working and I have to use another server. I switch between two servers and IPs didn't get blocked.

it would be great if we figure out how they detect shadowsocks. Outline is super easy for non-techies to use.

ghost commented 6 years ago

Maybe we need some load-balance?

client ---[firewall]--- relay servers --- access server

The client sends encrypted data to one of the relay servers. The relay server relays traffic to the access server. The access server sends unencrypted data to the Internet.

This can avoid 'all traffic to one IP', but configuring and maintaining many servers will be a challenge.

If Shadowsocks really gets blocked, I suggest V2Ray; SSR seems not as active as V2Ray. And the SSR protocol is a modified SS protocol; it might be a hidden trouble.

Hadi Farnoud notifications@github.com wrote on Wed, Jun 13, 2018 at 14:49:

it can be quite easy to detect if you tunnel all your traffic through shadowsocks. they can find out if all traffic is going to one IP address.

I'm not using Outline anymore. installed ShadowsocksR. I use a custom PAC to pass thru proxy only for blocked sites. It's working well but even with that it sometimes stops working and I have to use another server. I switch between two servers and IPs didn't get blocked.

it would be great if we figure out how they detect shadowsocks. Outline is super easy for non-techies to use.


hadifarnoud commented 6 years ago

V2Ray is probably the way forward, I agree @studentmain

ghost commented 6 years ago

See Jigsaw-Code/outline-client#132.

NightMachinery commented 6 years ago

I was mistaken. Outline isn’t blocked in Iran. The problem was that whenever I connected to Outline using a non-Outline SS client, the server would just get corrupted for a time, and even the Outline client couldn’t use it.

On Sat, Jun 16, 2018 at 12:40 PM Yegor Ievlev notifications@github.com wrote:

See #176 https://github.com/Jigsaw-Code/outline-server/issues/176.


ghost commented 6 years ago

You may want to open another issue about it.

NightMachinary notifications@github.com wrote on Mon, Jun 18, 2018 at 14:55:

I was mistaken. Outline isn’t blocked in Iran. The problem was that whenever I connected to Outline using a non-Outline SS client, the server would just get corrupted for a time, and even the Outline client couldn’t use it.

On Sat, Jun 16, 2018 at 12:40 PM Yegor Ievlev notifications@github.com wrote:

See #176 https://github.com/Jigsaw-Code/outline-server/issues/176.


ghost commented 6 years ago

@studentmain I think the blocking works on a very simple algorithm: all user traffic goes to one IP => block. We need load balancing and background noise. If I'm wrong, it's most likely the blocking measures the entropy of packet sizes. Shadowsocks will need to stop randomizing it then. V2Ray isn't tested as much as Shadowsocks, so I'm not sure about using it (maybe it will actually be easier to block). Using KCP may also make Shadowsocks harder to block.

hadifarnoud commented 6 years ago

My outline-server does not work at the moment. I tried on many different connections and devices.

Interestingly enough, I can't SSH or ping the server. In the case of ping, it works for the first two pings then stops working (I masked the server IP).

ping ***
PING ***** (****): 56 data bytes
64 bytes from ****: icmp_seq=0 ttl=45 time=177.256 ms
64 bytes from ****: icmp_seq=1 ttl=45 time=165.207 ms
Request timeout for icmp_seq 2
^C
--- **** ping statistics ---
4 packets transmitted, 2 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 165.207/171.231/177.256/6.025 ms

$ ping ****
PING **** (****): 56 data bytes
64 bytes from ****: icmp_seq=0 ttl=45 time=174.074 ms
64 bytes from ****: icmp_seq=1 ttl=45 time=170.719 ms
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- **** ping statistics ---
5 packets transmitted, 2 packets received, 60.0% packet loss
round-trip min/avg/max/stddev = 170.719/172.397/174.074/1.677 ms

No matter how many times I try, the first two pings go through, the rest will not. I can keep this server for debugging. Let me know what I should try. Tested on Irancell, Mobinnet, and Rightel networks.

btw, I think it could be super helpful if I can backup users and import in new server. or, if I can simply change server IP and that basically is like setting up a new server. if the latter is possible, a quick guide will help

hadifarnoud commented 6 years ago

UPDATE: it now works. SSH, Ping and Outline are working.

I'm not sure if this was an issue with Outline or my server. But if even ping doesn't work, it may be Iran's smart firewall blocking it. Please do let me know any debugging I should do next time it happens so we can understand what's going on a bit more.

ghost commented 6 years ago

Maybe you need to record the connection speed on your server. High connection speed (10 Mbps) may cause problems. GFW only checks the connection speed at some times. When it finds a high-speed connection of unknown type, it blocks it.

Hadi Farnoud notifications@github.com wrote on Wed, Jun 27, 2018 at 13:59:

UPDATE: it now works. SSH, Ping and Outline are working.

I'm not sure if this was an issue with outline or my server. But if even ping doesn't work, it may be Iran's smart firewall blocking it. please do let me know any debug thing I should do next time it happened so we can understand what's going on a bit more


SquirrelCoder commented 6 years ago

@hadifarnoud how can this be Outline's fault, when after only 1 day your issue is resolved?

The problem clearly resides on your side! Change your ISP/Operator.

PS: Mask your IP-Address in your post.

hadifarnoud commented 6 years ago

Didn't say it's Outline's fault. Something happened there. GFW (which is what Iran is using too) detected the server somehow

OR

Something went wrong with my server, which could have been an Outline issue since I have nothing else installed.

fortuna commented 6 years ago

@hadifarnoud there's another thread discussing blocking: https://github.com/Jigsaw-Code/outline-server/issues/193. It seems that servers are blocked if there's a lot of traffic to it, and then they get unblocked after 3 days. I think that explains why your server was working again.

We don't have a definite solution yet, but have some ideas that might help (selective proxying, change ports, close UDP, ...)

fortuna commented 6 years ago

I added a proposal to remove UDP from the client at https://github.com/Jigsaw-Code/outline-server/issues/201#issuecomment-407550074

Hopefully we'll be able to work on that soon (Full system VPN on windows and single port are higher priority).

hadifarnoud commented 6 years ago

got it. anyway, if there is any debugging needed I can help.

hadifarnoud commented 6 years ago

for everyone following this thread, see #210. They (Iran firewall) block the IP now. not entirely sure if this is based on traffic footprint (all traffic going to one IP for a while).

fortuna commented 6 years ago

FYI, I found this work on detecting ShadowsocksR: https://github.com/madeye/sssniff It seems ShadowsocksR is actually easier to detect than Shadowsocks because you can simply look at the entropy of the packet sizes. That's cheap and relatively precise.

To detect Shadowsocks you need to compute the entropy of the packet data, which leads to "high false positive rate and is very expensive". From what I understood, you can really only tell it's an encrypted connection, but not necessarily SS, though you may try to use the low entropy of TLS handshakes to differentiate them.
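
The measurements contrasted in the comment above, as an added Python example that is not part of the thread and is not taken from sssniff: it computes packet-size entropy, first-packet payload entropy and whole-flow payload entropy for two flows. Both flows, the `keystream` helper and the ClientHello-shaped first packet are constructed here for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy, in bits per symbol, of an iterable of hashable symbols."""
    counts = Counter(symbols)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def flow_metrics(packets):
    """Measurements for one flow; packets is a list of payload bytes in order."""
    if not packets:
        return {"size_entropy": 0.0, "first_payload_entropy": 0.0,
                "payload_entropy": 0.0}
    return {
        # Cheap: one integer per packet, no payload inspection.
        "size_entropy": shannon_entropy(len(p) for p in packets),
        # First packet only: a plaintext handshake shows its structure here.
        "first_payload_entropy": shannon_entropy(packets[0]),
        # Expensive: every payload byte of the flow has to be counted.
        "payload_entropy": shannon_entropy(b"".join(packets)),
    }


def keystream(n, seed):
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def sample_random_looking_flow():
    """Constructed flow: every byte looks random and packet lengths vary."""
    lengths = keystream(40, b"lengths")
    return [keystream(256 + lengths[i], b"pkt%d" % i) for i in range(40)]


def sample_handshake_flow():
    """Constructed flow: structured, zero-padded first packet, then full records.

    The first packet only imitates the shape of a TLS ClientHello (fixed header,
    32 random bytes, a short cipher list, a host name, padding); it is not valid.
    """
    hello = (bytes.fromhex("16030101fc010001f80303") + keystream(32, b"rnd")
             + bytes.fromhex("130113021303c02bc02fc02cc030") + b"example.org")
    hello = hello.ljust(512, b"\x00")
    return [hello] + [keystream(1448, b"rec%d" % i) for i in range(39)]


if __name__ == "__main__":
    for name, flow in (("random-looking", sample_random_looking_flow()),
                       ("handshake-first", sample_handshake_flow())):
        metrics = flow_metrics(flow)
        print(name, {k: round(v, 2) for k, v in metrics.items()})
```

On these constructed samples the whole-flow payload entropy is close to 8 bits per byte for both flows, so only the packet-size and first-packet figures separate them.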

rezamay80 commented 6 years ago

I am planning to travel to Iran soon and trying to use Outline with Digital Ocean to use when I am there. For those using it inside Iran, which server is the better option to set up in Outline Manager? I chose Amsterdam one and my friend inside the country who is testing now complains about its performance. Should I use the servers located in US to get better speed?

hadifarnoud commented 6 years ago

Try Frankfurt

On Fri, 14 Sep 2018 at 03:10, Reza notifications@github.com wrote:

I am planning to travel to Iran soon and trying to use Outline with Digital Ocean to use when I am there. For those using it inside Iran, which server is the better option to set up in Outline Manager? I chose Amsterdam one and my friend inside the country who is testing now complains about its performance. Should I use the servers located in US to get better speed?


fortuna commented 3 years ago

Closing this old bug.

We would rather make Shadowsocks stronger than to switch protocol for now. A lot has changed since this bug was open and Outline is a lot harder to detect and block now.

We may switch protocol in the future, but it must work well with UDP, be resistant to probing and require little resources from the server, which is not the case for V2Ray.