Closed kalhori124 closed 3 years ago
@faridcboy thanks for the feedback. I hear that migrating servers is not easy. As a mitigation, you may set up a domain hostname for your server, so you don't need to resend invites if the IP gets blocked. You can specify the hostname in the manual installation. Example:
```bash
sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh)" install_server.sh --hostname=myserver.com --keys-port=443
```
With that, the invitations will have "myserver.com" and you can update the IP freely. In many cloud providers you can change the IP address of a server without having to recreate it. On Google Cloud, you can create a new IP address and assign it to the GCE instance. On DigitalOcean, you can use floating IPs.
+1 for using v2ray, it seems to work much better in China and it has the ability to route traffic through Cloudflare which means China would be forced to start blocking Cloudflare IPs if it managed to detect it (unlikely)
@fortuna Hi,
Can we have WebSocket and HTTP/2 in Outline for transferring data through a third-party gateway like Cloudflare or other CDN providers?
With this, we can escape from the government firewall because they cannot block CDN providers.
We could, but that would be a different protocol that is not backward compatible. We've been considering HTTP-based proxying, but one problem there is that you lose the performance benefits of UDP.
We haven't prioritized changes to the protocol because since we launched single port for all access keys the reports of blocked servers dropped dramatically.
@fortuna I agree with you that UDP has performance benefits, but we can't use Outline in Iran, China and a few other countries as they block the VPS IP address!
This week I set up three VPSs from different locations and providers (Vultr, DigitalOcean, Linode). After installing Outline-Server and using Outline clients on a mobile phone and a PC, the IP address of the VPS was blocked by the Internet censorship firewall after one day with a little bandwidth usage, about 500MB.
After that, I cancelled those VPSs, created three new VPSs and set up OpenConnect, Stunnel, and V2ray, and everything is OK as they use TCP.
I'm in Dubai, and I have very faint knowledge of how networks work (I do know my way around managing a VPS through ssh though, no problem). I've set up Outline both through the manager, on a droplet, and through the docker on my Linode VPS.
If I'm talking through Whatsapp/Skype/etc, any of my Outlines work for a couple of minutes, then all internet traffic gets cut off, through either of them (disconnecting my local Outline client restores internet).
Is there any set of instructions as to what to do for a n00b like me? Is there an alternative to Outline, even if the setup is more complex? As I said, I do not care much for ease of installation, as I have no trouble running software on my VPS or editing config files; all I hope for is not having to take decisions regarding options I don't have the faintest idea about, and have no time to learn either.
add v2ray please!
I have switched to v2ray, because shadowsocks gets blocked quickly.
Just saw V2Ray mentioned here, and come for some advertisement 😉
V2Ray provides transport methods such as WebSocket and HTTP/2 that can transfer data through a third-party gateway. A common usage is to tunnel through CloudFlare using WebSocket when the proxy client can't talk to the proxy server directly.
@VictoriaRaymond Your V2Ray advertisement while reading this issue caught my eye so I compared its speed with outline and I'm surprised with the result, V2Ray is faster. Refer below for the test details:
Test Environment | |
---|---|
Client Machine | Android 10 Mobile |
Client Country | European |
VPS Country | European |
Speedtest Tool | Speedtest by Ookla |
Speedtest Country | Asian |
Outline Installation | Default |
V2Ray Installation | CloudFlare + WebSocket + nginx |
V2Ray Client | v2rayNG |
Config | DL | ⬇️ | UL | ⬇️ | LAT | ⬇️ |
---|---|---|---|---|---|---|
No VPN 1 | 16.5971248 | | 8.5629184 | | 243.6 | |
No VPN 2 | 16.8656208 | | 10.6983904 | | 240 | |
No VPN Average | 16.7313728 | | 9.6306544 | | 241.8 | |
Outline 1 | 6.9494752 | | 6.846184 | | 476.6 | |
Outline 2 | 9.5022432 | | 8.99792 | | 243 | |
Outline Average | 8.2258592 | -50.84% | 7.922052 | -17.74% | 359.8 | -48.80% |
V2Ray 1 | 9.7733984 | | 9.3156864 | | 271 | |
V2Ray 2 | 7.9912592 | | 9.7194416 | | 311.2 | |
V2Ray Average | 8.8823288 | -46.91% | 9.517564 | -1.17% | 291.1 | -20.39% |
This is an issue from 2018 and a lot has changed since then. Outline has implemented many protections against detection, including those reported by https://gfw.report/talks/imc20/en/.
We have reports that Outline is working a lot better now. Keep in mind that Outline is not the exact same as Shadowsocks. We have our implementation, configured in a specific way. That makes a difference.
Even if Outline still has some issues, we need fresh data. So I'll close this bug and we can discuss on a new thread if needed. Thanks all for the input.
Dear @fortuna ,
Sorry for asking a dumb question. As you mentioned above that "We have our implementation, configured in a specific way.", could you please advise whether the major improvements are on the Outline server side or client side?
Genuinely curious here, as I'm assuming outline as a smart server with 'dumb' client solution.
sincerely
As shown in the research How China Detects and Blocks Shadowsocks, the censor uses active probing to detect Shadowsocks servers. The probing may be triggered by packet sniffing, but that's not how the servers are detected.
Even though Shadowsocks is a standard, it leaves a lot of room for choices on how it's implemented and deployed.
First of all, you must use AEAD ciphers. If you are using stream ciphers, you are doing it wrong. It's very easy to break your encryption and detect your server. Outline has banned all stream ciphers, since people copy old examples to set up their servers. In fact, Outline picks the cipher for you, since people don't know how to pick it.
Second, you need probing resistance. Both shadowsocks-libev and Outline have added that. In the past, an invalid byte would trigger different behaviors whether it was inserted in positions 49, 50 or 51 of the stream, which is very telling. That behavior is now gone, and the censor can no longer rely on that.
Third, you need protection against replayed data. Both shadowsocks-libev and Outline have added such protection, which you may need to enable explicitly on ss-libev, but it's the default on Outline.
Fourth, Outline and clients using shadowsocks-libev now merge the SOCKS address and the initial data in the same initial encrypted frame, making the size of the first packet variable. Before, the first packet only had the SOCKS address, with a fixed size, and that was a giveaway.
The censors used to block Shadowsocks, but Shadowsocks has evolved, and for now it's ahead again in the cat and mouse game.
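How the AEAD, probing-resistance and replay points in the comment above fit together on the server side, as an added Go example that is not part of the thread and is not Outline's or shadowsocks-libev's code. It assumes AES-256-GCM with the Shadowsocks AEAD key derivation (HKDF-SHA1, info `ss-subkey`); `Accept`, `Hello`, the `"drain"`/`"proxy"` verdicts and the unbounded salt map are hypothetical simplifications.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// newAEAD derives the per-connection AES-256-GCM key: HKDF-SHA1(master, salt, "ss-subkey").
func newAEAD(master, salt []byte) cipher.AEAD {
	ext := hmac.New(sha1.New, salt) // HKDF-extract: the salt is the HMAC key
	ext.Write(master)
	prk, okm, t := ext.Sum(nil), []byte{}, []byte{}
	for i := byte(1); len(okm) < 32; i++ {
		h := hmac.New(sha1.New, prk)
		h.Write(append(append(t, "ss-subkey"...), i)) // T(i) = HMAC(prk, T(i-1) | info | i)
		t = h.Sum(nil)
		okm = append(okm, t...)
	}
	block, _ := aes.NewCipher(okm[:32])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Accept (hypothetical server check) proxies only a fresh, authenticated handshake.
func Accept(master []byte, seen map[string]bool, first []byte) string {
	if len(first) < 50 { // salt (32) + sealed length (2) + tag (16)
		return "drain" // short read: keep waiting, send nothing
	}
	salt, head := first[:32], first[32:50]
	if _, err := newAEAD(master, salt).Open(nil, make([]byte, 12), head, nil); err != nil || seen[string(salt)] {
		return "drain" // bad tag and replayed salt get the same reaction
	}
	seen[string(salt)] = true // toy replay filter; a real one bounds and expires entries
	return "proxy"
}

// Hello builds a client's first 50 bytes: the salt plus the sealed 2-byte payload length.
func Hello(master, salt []byte, n uint16) []byte {
	return newAEAD(master, salt).Seal(append([]byte{}, salt...), make([]byte, 12), []byte{byte(n >> 8), byte(n)}, nil)
}

func main() {
	key, seen := make([]byte, 32), map[string]bool{} // constructed all-zero demo key
	hello := Hello(key, make([]byte, 32), 100)       // constructed salt; real salts are random
	bad := append(hello[:49:49], hello[49]^1)        // copy with one tag bit flipped
	fmt.Println(Accept(key, seen, bad), Accept(key, seen, hello), Accept(key, seen, hello))
}
```

The property to check in a real server is that a modified byte at any offset, a truncated handshake and a replayed handshake are indistinguishable from outside, including in timing and in how the connection is eventually closed.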
@fortuna can we add this info to README or another docs? It's very valuable and useful.
I can create a PR if needed.
@lgg under way: https://github.com/Jigsaw-Code/outline-server/pull/843
Recently, Iran's and China's firewalls detect the Outline VPN protocol, and then the IP address of the server is blocked after a while (it depends on the volume of traffic between clients and server).
Unfortunately, after blocking I cannot connect to the server even with the SSH protocol, and I have to delete the VPS and create a new VPS with a new IP address! I created and deleted 4 VPSs in a week!
Is it possible to obfuscate the Outline VPN protocol?