Jigsaw-Code / outline-server

Outline Server, developed by Jigsaw. The Outline Server is a proxy server that runs a Shadowsocks instance and provides a REST API for access key management.
https://getoutline.org/
Apache License 2.0

VPS' IP Address will be blocked in Iran and China after using Outline VPN #193

Closed kalhori124 closed 3 years ago

kalhori124 commented 6 years ago

Recently, Iran's and China's firewalls have been detecting the Outline VPN protocol, and the IP address of the server then gets blocked after a while (it depends on the volume of traffic between the clients and the server).

Unfortunately, after the block I cannot connect to the server even over SSH, and I have to delete the VPS and create a new VPS with a new IP address! I created and deleted 4 VPSs in a week!

Is it possible to obfuscate the Outline VPN protocol?

fortuna commented 5 years ago

@faridcboy thanks for the feedback. I hear that migrating servers is not easy. As a mitigation, you may set up a domain hostname for your server, so you don't need to resend invites if the IP gets blocked. You can specify the hostname in the manual installation. Example:

sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh)" install_server.sh --hostname=myserver.com --keys-port=443

With that, the invitations will have "myserver.com" and you can update the IP freely. In many cloud providers you can change the IP address of a server without having to recreate. On Google Cloud, you can create a new IP address and assign to the GCE instance. On DigitalOcean, you can use floating IPs.

sysk commented 5 years ago

+1 for using v2ray, it seems to work much better in China and it has the ability to route traffic through Cloudflare which means China would be forced to start blocking Cloudflare IPs if it managed to detect it (unlikely)

kalhori124 commented 5 years ago

@fortuna Hi,

Can we have WebSocket and HTTP/2 in Outline for transferring data through a third-party gateway like Cloudflare or other CDN providers?

With this, we can escape from the government firewall because they cannot block CDN providers.

fortuna commented 5 years ago

We could, but that would be a different protocol that is not backward compatible. We've been considering HTTP-based proxying, but one problem there is that you lose the performance benefits of UDP.

We haven't prioritized changes to the protocol because since we launched single port for all access keys the reports of blocked servers dropped dramatically.

kalhori124 commented 5 years ago

@fortuna I agree with you that UDP has performance benefits but we can't use the Outline in Iran, China and a few other countries as they block VPS IP address!

This week I set up three VPSs from different locations and providers (Vultr, DigitalOcean, Linode). After installing Outline-Server and using Outline clients on a mobile phone and a PC, the IP address of each VPS was blocked by the Internet censorship firewall after one day, with a little bandwidth usage of about 500MB.

After that, I cancelled those VPSs, created three new VPSs again and set up OpenConnect, Stunnel, and V2Ray, and everything is OK as they use TCP.

Xananax commented 5 years ago

I'm in Dubai, and I have very faint knowledge of how networks work (I do know my way around managing a VPS through ssh though, no problem). I've set up Outline both through the manager, on a droplet, and through the docker on my Linode VPS.

If I'm talking through Whatsapp/Skype/etc, any of my Outlines work for a couple of minutes, then all internet traffic gets cut off, through either of them (disconnecting my local Outline client restores internet).

Is there any set of instructions as to what to do for a n00b like me? Is there an alternative to Outline, even if the setup is more complex? As I said, I do not care much for ease of installation, as I have no trouble running software on my VPS or editing config files; all I hope for is not having to take decisions regarding options I don't have the faintest idea about, and have no time to learn either.

stonedreamforest commented 5 years ago

add v2ray please!

x0r2d2 commented 5 years ago

I have switched to v2ray, because shadowsocks get blocked quickly.

privetryan commented 4 years ago

Just saw V2Ray mentioned here, and came for some advertisement 😉

V2Ray provides transport methods such as WebSocket and HTTP/2 that can transfer data through a third-party gateway. A common usage is to tunnel through CloudFlare using WebSocket when the proxy client can't talk to the proxy server directly.

@VictoriaRaymond Your V2Ray advertisement caught my eye while reading this issue, so I compared its speed with Outline, and I'm surprised by the result: V2Ray is faster. Refer below for the test details:

Test Environment:

| Setting | Value |
|---|---|
| Client Machine | Android 10 Mobile |
| Client Country | European |
| VPS Country | European |
| Speedtest Tool | Speedtest by Ookla |
| Speedtest Country | Asian |
| Outline Installation | Default |
| V2Ray Installation | CloudFlare + WebSocket + nginx |
| V2Ray Client | v2rayNG |

Test Steps:

  1. Run Speedtest by Ookla 5x without VPN.
  2. Run Speedtest by Ookla 5x with Outline VPN.
  3. Run Speedtest by Ookla 5x with V2Ray VPN.
  4. Run Speedtest by Ookla 5x with V2Ray VPN.
  5. Run Speedtest by Ookla 5x with Outline VPN.
  6. Run Speedtest by Ookla 5x without VPN.

Test Result Summary:

| Config | DL ⬇️ | UL ⬇️ | LAT ⬇️ |
|---|---|---|---|
| No VPN 1 | 16.5971248 | 8.5629184 | 243.6 |
| No VPN 2 | 16.8656208 | 10.6983904 | 240 |
| No VPN Average | 16.7313728 | 9.6306544 | 241.8 |
| Outline 1 | 6.9494752 | 6.846184 | 476.6 |
| Outline 2 | 9.5022432 | 8.99792 | 243 |
| Outline Average | 8.2258592 (-50.84%) | 7.922052 (-17.74%) | 359.8 (-48.80%) |
| V2Ray 1 | 9.7733984 | 9.3156864 | 271 |
| V2Ray 2 | 7.9912592 | 9.7194416 | 311.2 |
| V2Ray Average | 8.8823288 (-46.91%) | 9.517564 (-1.17%) | 291.1 (-20.39%) |

Comments:

  1. V2Ray is faster, at least in my environment.
  2. Outline is the easiest to set up, both for the server and the client(s), maybe because the main/initial target audience is journalists.
  3. V2Ray over a CDN (e.g. CloudFlare) has the advantage of using the CDN's features like Analytics (e.g. requests per country), aside from the indirect talking to the proxy mentioned above.

fortuna commented 3 years ago

This is an issue from 2018 and a lot has changed since then. Outline has implemented many protections against detection, including those reported by https://gfw.report/talks/imc20/en/.

We have reports that Outline is working a lot better now. Keep in mind that Outline is not the exact same as Shadowsocks. We have our implementation, configured in a specific way. That makes a difference.

Even if Outline still has some issues, we need fresh data. So I'll close this bug and we can discuss on a new thread if needed. Thanks all for the input.

DonZheng commented 3 years ago

Dear @fortuna ,

Sorry for asking a dumb question. As you mentioned above, "We have our implementation, configured in a specific way." Could you please advise whether the major improvements are on the Outline server side or the client side?

Genuinely curious here, as I'm assuming outline as a smart server with 'dumb' client solution.

sincerely

fortuna commented 3 years ago

As shown in the research "How China Detects and Blocks Shadowsocks", the censor uses active probing to detect Shadowsocks servers. The probing may be triggered by packet sniffing, but that's not how the servers are detected.

Even though Shadowsocks is a standard, it leaves a lot of room for choices on how it's implemented and deployed.

First of all, you must use AEAD ciphers. If you are using stream ciphers, you are doing it wrong. It's very easy to break your encryption and detect your server. Outline has banned all stream ciphers, since people copy old examples to set up their servers. In fact, Outline picks the cipher for you, since people don't know how to pick it.

Second, you need probing resistance. Both shadowsocks-libev and Outline have added that. In the past, an invalid byte would trigger different behaviors whether it was inserted in positions 49, 50 or 51 of the stream, which is very telling. That behavior is now gone, and the censor can no longer rely on that.

Third, you need protection against replayed data. Both shadowsocks-libev and Outline have added such protection, which you may need to enable explicitly on ss-libev, but it's the default on Outline.

Fourth, Outline and clients using shadowsocks-libev now merge the SOCKS address and the initial data in the same initial encrypted frame, making the size of the first packet variable. Before, the first packet only had the SOCKS address, with a fixed size, and that was a giveaway.

The censors used to block Shadowsocks, but Shadowsocks has evolved, and for now it's ahead again in the cat and mouse game.
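
As an added illustration of the third and fourth points in this comment (it is not code from Outline or shadowsocks-libev), the following Python sketches the Shadowsocks AEAD first-packet layout with and without the merged initial data, plus the server-side salt-replay check. The `seal` step and the subkey derivation are labelled stand-ins for the real AEAD cipher and HKDF, so only the sizes and the replay logic are faithful.

```python
import hashlib, hmac, os, socket, struct

SALT_LEN, TAG_LEN = 32, 16  # 32-byte per-connection salt, 16-byte AEAD tag


def encode_address(host, port):
    """SOCKS5-style target address as Shadowsocks sends it: ATYP(1) + address + port(2)."""
    try:
        return b"\x01" + socket.inet_aton(host) + struct.pack("!H", port)    # ATYP 1 = IPv4
    except OSError:
        name = host.encode()
        return b"\x03" + bytes([len(name)]) + name + struct.pack("!H", port)  # ATYP 3 = domain


def seal(subkey, counter, plaintext):
    """Stand-in for the AEAD encrypt step: plaintext + 16-byte tag (a real AEAD also encrypts)."""
    tag = hmac.new(subkey, counter.to_bytes(12, "little") + plaintext, hashlib.sha256).digest()
    return plaintext + tag[:TAG_LEN]


def aead_chunk(subkey, counter, payload):
    """One Shadowsocks AEAD chunk on the wire: [2-byte length][tag][payload][tag]."""
    return seal(subkey, counter, struct.pack("!H", len(payload))) + seal(subkey, counter + 1, payload)


def first_packet(key, host, port, initial_data=b"", merge=True):
    """Bytes the client sends first. merge=False is the old behaviour: an address-only first chunk,
    so the first packet had a fixed size for a given address type and was a giveaway."""
    salt = os.urandom(SALT_LEN)
    subkey = hashlib.sha256(key + salt).digest()  # stand-in for HKDF-SHA1(key, salt, "ss-subkey")
    body = encode_address(host, port) + (initial_data if merge else b"")
    return salt + aead_chunk(subkey, 0, body)


class SaltReplayFilter:
    """Server-side replay defence: a salt seen before means a replayed connection (e.g. a probe)
    and must be rejected before any plaintext-dependent behaviour can leak."""

    def __init__(self):
        self.seen = set()  # real servers bound this with a time-windowed bloom filter

    def accept(self, packet):
        salt = packet[:SALT_LEN]
        if salt in self.seen:
            return False
        self.seen.add(salt)
        return True
```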

lgg commented 3 years ago

@fortuna can we add this info to README or another docs? It's very valuable and useful.

I can create a PR if needed.

fortuna commented 3 years ago

@lgg under way: https://github.com/Jigsaw-Code/outline-server/pull/843