TelegramMessenger / MTProxy


Proxies being banned in Iran. CHANGE TO TLS PLZ #35

Closed FreedomPrevails closed 6 years ago

FreedomPrevails commented 6 years ago

I am the dev of JSMTProxy : https://github.com/FreedomPrevails/JSMTProxy

As I had guessed before, Iran's DPI filtering equipment has detected this custom encryption method of the MTProto Proxy protocol and they have started to ban the proxy IPs. It is the end of MTProto Proxy in Iran. I am pretty sure they are doing it automatically. I had an unpublished proxy running on a server which I was not even using, but it was blocked! Maybe the Telegram client pinged it in the background. Why don't you use standard TLS encryption, the same way as the HTTPS protocol? Why have you reinvented the wheel? You need to make the traffic indistinguishable from whitelisted traffic, not make it different! Yes, the current implementation is secure, but it can be detected! We need something secure and undetectable!

PLEASE CHANGE THE ENCRYPTION TO TLS. PLEASE UPVOTE THIS FOR VISIBILITY.

stek29 commented 6 years ago

Why don't you use standard TLS encryption, the same way as the HTTPS protocol? Why have you reinvented the wheel?

Because most of MTProxy related stuff was already implemented in apps. Also, mtproto proxies are distributed through configsimple via dns/domain fronting, so that’s another reason for mtproxy to exist.

However, MTProto has an HTTP based transport component (and HTTPS in webogram), so theoretically making an HTTPS reverse proxy for telegram shouldn’t be that hard either.

aprosvetova commented 6 years ago

I think detection by DPIs could be eliminated if Telegram would use random padding in their obfuscation scheme that's also used in MTProxy. Otherwise it's possible to detect reqPQ packets, for example, they always consist of 105 bytes, so maybe this is the marker and then they analyze these packets deeper (maybe even deobfuscating them). But still lots of respect for Telegram team. I'm sure we'll win as a result.

ValdikSS commented 6 years ago

It could be that your country blocks connectivity based on the size of the first packet. As far as I know, obfuscated OpenVPN (the --tls-crypt option) was blocked in such a way in Egypt not so long ago. Could you please provide a pcap (Wireshark/tcpdump) file with the data exchange between your PC and mtproxy?

MTO50 commented 6 years ago

Governments are starting to block IPs. They do not check packets like SOCKS5 at MTProto Proxy. Anyway, I think a decentralized system should be used, like Tor.

ValdikSS commented 6 years ago

Telegram developers should take a look at the Snowflake project. This is a WebRTC transport from the Tor project, which works both in the browser and in a standalone client. With Snowflake you can run a proxy server right in any browser (not fully autonomous though, but still).

Snowflake allows any user surfing your website to be used as a proxy node. With a sufficiently huge and popular website, we'll get lots of constantly rotating IP addresses. It also works behind NAT.

seega commented 6 years ago

@FreedomPrevails where can I see the list of blocked addresses? is it publicly available?

FreedomPrevails commented 6 years ago

@stek29 It is true, but as you know MTProxy adds another layer of encryption on top of MTProto. They could have used TLS instead of this custom AES-256-CTR method with a 64-byte random buffer. I don't think there is a shortage of TLS libraries anywhere! Actually, it is very easy to implement. If you want to bypass DPI, you should blend in your traffic, not make it distinct.

@aprosvetova Yeah, it is possible. We don't know how exactly they analyze the traffic and I don't think they are willing to share; we can play with padding etc., but I think the definitive answer would be to blend in the traffic by using TLS so Telegram proxies would look like busy web servers to firewalls.

@seega There are tons of blocked proxies here. For a start, this one: https://t.me/proxy?server=62.210.93.229&port=7272&secret=c53a3eae90544e68a37cbe41c5d31442

MTO50 commented 6 years ago

@FreedomPrevails This IP has been blocked. And there is currently no problem detecting the packet. This packet problem can be solved by updating Telegram.

stek29 commented 6 years ago

I’ve just contacted an Iranian I can trust, and according to him:

I've made a proxy I haven't shared with anyone else and sent its credentials to him, waiting for a possible block.

However, I still agree that random padding is necessary to make MTProxy harder to detect.

seega commented 6 years ago

Where can I check my IPs for a ban in Iran? Like @rkn_block_check_bot for the Russian block list, or a website.

FreedomPrevails commented 6 years ago

@stek29

ghost commented 6 years ago

@FreedomPrevails There is currently no DPI equipment in Iran which can detect MTProto's Obfuscated2 protocol. They just keep blocking IPs of publicly spread MTProto proxies, and have even threatened admins of a channel that was providing these proxies to the public. If you keep your proxy private, it won't be blocked.

There are many anti-censorship utilities with non-TLS protocols used in Iran which get blocked only by IP blocking and not by DPI. Good examples are Shadowsocks, obfs4, etc.

FreedomPrevails commented 6 years ago

@astonished98 If there is no DPI, then explain to me how my personal private MTProto proxy was blocked? And how have they blocked the OpenVPN protocol on most ISPs? It doesn't matter which port or IP you try; if it is OpenVPN, it won't connect. Let me tell an interesting story: some time ago I wanted to connect to OpenVPN and it was blocked, so I used udp2raw to re-encrypt the packets so DPI couldn't detect them. First I used the udp2raw AES method and, to my disbelief, DPI still blocked the packets! So I changed the encryption method to XOR and then it worked! Their DPI somehow could detect AES encryption in UDP packets, but when I changed it to something as stupid as a simple XOR, it became undetectable. They definitely have some kind of DPI system.

danog commented 6 years ago

This is blasphemy, kindly stop.

euphoria360 commented 6 years ago

@FreedomPrevails @astonished98 I'm also from Iran and I'm trying to help my friends and the ones around me to circumvent censorship. I had set up lots of different tools over the years to do so and here is my experience:

how have they blocked the openvpn protocol on most ISPs ?

Well, they didn't block OpenVPN. They have blocked ciphers. They use some sort of port:cipher combination, so some ports are allowed to have some ciphers and others not. Like you, I had a personal OpenVPN server with tls-crypt enabled. It was fine until a few weeks ago, when Telegram started to get blocked in Iran. Initially, like you, I thought OpenVPN was done, but after a bit of fiddling with the cipher options I figured it out, and right now both TCP and UDP are working for me. I had to disable tls-crypt, and even tls-auth was hit and miss, but by making it look like normal HTTPS traffic I was good again. This is the same for OpenConnect and Shadowsocks, and guess what! The best of them is stunnel, which is a simple SSL wrapper. I use it as a wrapper for a simple HTTP proxy and over the years it has never failed me. So I believe anything that makes MTProto distinctive will eventually fail.

There are many anti-censorship utilities with non-TLS protocols used in Iran, which get blocked only by IP-blocking and not DPI. A good example of such are Shadowsocks, Obfs4, etc.

Actually, Shadowsocks uses TLS encryption via the "method" argument. And obfs4 is blocked by DPI here, as it was blocked before.

FreedomPrevails commented 6 years ago

@euphoria360 I agree with every word you said. Well said, bro. By blocking OpenVPN, I meant exactly blocking ciphers. It is impossible to detect ciphers without DPI. I would appreciate it if you sent me your OpenVPN secret sauce to this email: freedomp@trashmail.ws. I definitely can use it ;)

euphoria360 commented 6 years ago

@FreedomPrevails Sure.

One note I need to mention: for your servers, if you can't use port 443, use common ports that have SSL/TLS enabled on them, like IMAP/POP3/SMTP. Ports like 8888 or 8080 are more likely to get flagged.

BahmanFarshbaf commented 6 years ago

@astonished98

They just keep blocking IPs of publicly spread MTProto proxies. and have even threatened admins of a channel that was providing these proxies to the public.

Is it possible that they can find admins of channels?

euphoria360 commented 6 years ago

@astonished98 not directly from the bot or proxy.

Lots of admin channels are lousy, and they usually give out some info when ads are involved.

Also, when you set up a proxy, you publish a public IP, which can be traced fairly easily by a government.

stek29 commented 6 years ago

So, 5 days later, proxy from https://github.com/TelegramMessenger/MTProxy/issues/35#issuecomment-393772804 is still working fine. I'm still sure that Iranian govt just monitors public channels/groups where people can find proxies and blocks them this way.

danog commented 6 years ago

The next logical step is creating govt honeypots ;)

FreedomPrevails commented 6 years ago

@stek29 I will create another personal proxy and test it again.

Frak8 commented 6 years ago

I think if Telegram used the HTTPS protocol or QUIC (the Chrome browser protocol), like Cisco AnyConnect, the UTM couldn't find and ban it. Most MTProto proxy server IPs are banned, but my ocserv servers (Cisco AnyConnect servers) have been working well for some years. Can you use QUIC or not? Is it possible?

xhdix commented 6 years ago

We need to find a centralized method for blocking government IPs. As soon as a scan starts, its IP would be blocked and all servers would be immediately secured against this IP.

Frak8 commented 6 years ago

Some guys said

_"There is a simple way to make proxies unbannable! register your domain from Cloudflare , then add a record of your subdomain to your server from Cloudflare panel :) in this way, no one can find your real server IP address."_

I tested this scenario, but I have a problem: the Telegram client can't connect to the MTProto proxy. Cloudflare can pass HTTP or HTTPS data and it works well, but MTProto can't connect. I don't know exactly why. Maybe I made a mistake in setting the rule or records, or Cloudflare is unable to pass special TCP traffic. Could you help me?

euphoria360 commented 6 years ago

@farahaniamir08 I've tried this too and it's not possible. As stek said, Cloudflare caches requests and messes up the proxying. Currently, it seems there is no way to hide your IP.

websaz2000 commented 6 years ago

My private proxy IP was blocked today. I am from Iran. I did not publish my proxy IP. I can still telnet to the IP, but it's not my server, and when I open it in a browser it shows a "service unavailable" message.

euphoria360 commented 6 years ago

Where did you get your VPS from!?

websaz2000 commented 6 years ago

hetzner

euphoria360 commented 6 years ago

From an Iranian reseller!?

websaz2000 commented 6 years ago

No, I have 3 dedicated servers in a Hetzner datacenter. I set up nodejs mtproto on one of them for personal use, but yesterday my IP was blocked. I should order a new IP address now.

euphoria360 commented 6 years ago

My question was, how did you rent those Hetzner servers? Did you directly buy the service from Hetzner website or was there a reseller getting your Rial and buying the server for you?

websaz2000 commented 6 years ago

I directly bought the service from the Hetzner website. My server IP address is ----- (removed).

euphoria360 commented 6 years ago

Did you try connecting to the server from other sources, like different ISPs?

websaz2000 commented 6 years ago

Yes, on the HamrahAval, Irancell and Respina ISPs my IP is blocked.

FreedomPrevails commented 6 years ago

MTProto proxy is a failed project. I warned Telegram about this happening. All personal proxies are being detected and blocked.

xhdix commented 6 years ago

@websaz2000

First, Remove IP from here. Second, use the prefix dd for the secret and don't use the old version (nodejs).

Update: Your IP is accessible from the Mazandaran ISPs.

websaz2000 commented 6 years ago

My secret was 1234. Does using the dd prefix for the secret solve the problem?

xhdix commented 6 years ago

see: https://twitter.com/xhdix/status/1020242650081955840 and https://twitter.com/skynet_acc/status/1021459858376314880
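Two claims in this thread fit together: aprosvetova's observation that reqPQ packets are always 105 bytes (a fixed-size marker a DPI can key on, as ValdikSS also suggests for first-packet size), and xhdix's advice to use the dd secret prefix, which turns on random padding. The simulation below is an added example, not MTProxy's code or anything from this thread's participants. It assumes the first client payload is the 64-byte random init block followed by the reqPQ message, and that the padded ("dd") transport appends 0 to 15 random bytes per message; both are modelling assumptions, and the 64 and 105 byte figures are taken from the thread. It runs two DPI rules over simulated sessions: an exact-length match, which the padding defeats, and a length-window match, which the padding does not defeat, which is the point euphoria360 makes about anything distinctive eventually failing.

```python
import random

# Constructed simulation of the length-based DPI heuristic discussed in the thread.
# Not MTProxy code; byte counts come from the thread, the padding range is an assumption.

HANDSHAKE_LEN = 64   # the 64-byte random init block MTProxy sends first (from the thread)
REQ_PQ_LEN = 105     # aprosvetova: reqPQ packets "always consist of 105 bytes"
MAX_PADDING = 15     # ASSUMPTION: the "dd" padded transport appends 0..15 random bytes


def client_first_payload(padded: bool, rng: random.Random) -> bytes:
    """First client->server TCP payload of a simulated MTProxy session.

    Simplification: init block and first message are modelled as one segment.
    The bytes are random, standing in for ciphertext; only the length matters
    to the rules below. With `padded` (dd secret) random padding is appended.
    """
    body_len = REQ_PQ_LEN + (rng.randint(0, MAX_PADDING) if padded else 0)
    return bytes(rng.getrandbits(8) for _ in range(HANDSHAKE_LEN + body_len))


def exact_length_rule(payload: bytes) -> bool:
    """Naive DPI rule: flag a flow whose first payload is exactly init + reqPQ."""
    return len(payload) == HANDSHAKE_LEN + REQ_PQ_LEN


def length_window_rule(payload: bytes) -> bool:
    """Adapted DPI rule: flag any first payload inside the padded length window."""
    lo = HANDSHAKE_LEN + REQ_PQ_LEN
    return lo <= len(payload) <= lo + MAX_PADDING


def detection_rate(rule, padded: bool, sessions: int = 2000, seed: int = 7) -> float:
    """Fraction of simulated sessions that `rule` flags (deterministic via seed)."""
    rng = random.Random(seed)
    flagged = sum(rule(client_first_payload(padded, rng)) for _ in range(sessions))
    return flagged / sessions


if __name__ == "__main__":
    rules = (("exact-length", exact_length_rule), ("length-window", length_window_rule))
    for name, rule in rules:
        for padded in (False, True):
            rate = detection_rate(rule, padded)
            print(f"{name:13s} dd-padding={str(padded):5s} flagged={rate:.3f}")
```

Under these assumptions the exact-length rule flags every unpadded session and roughly one in sixteen padded ones (the case where zero padding bytes were drawn), while a window rule that allows for the padding flags every session either way. Padding widens a fingerprint; it does not remove it, which is why the thread keeps coming back to hiding behind a protocol the censor already whitelists.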

Behrouz-m commented 5 years ago

My server's IP got blocked because of using MTProto. I disabled the service, and after about 10 days my server is not blocked anymore!

xhdix commented 5 years ago

@ray-pixar Did all users use the "dd" prefix?

FreedomPrevails commented 5 years ago

@ray-pixar I am using it with dd prefix privately and server has not been blocked.

kooran commented 5 years ago

Hey guys, any new suggestions to make MTProto proxies live longer? I'm new to making MTProto proxies; I want to make one live for at least 2 weeks. I've started with domains and the dd prefix; what more can I do?

euphoria360 commented 5 years ago

@kooran, well, my personal MTProto proxy server has been live and working for more than 6 months. And I don't see any reason for it not to last longer.

And I've happily helped lots of friends and family to circumvent censorship.

My server is simple and there is nothing special about it, except secrecy. You should try your best to not expose it to wrong eyes. I specifically ask everyone using my server to not share it with anyone.

Thats it.

kooran commented 5 years ago

@euphoria360 thanks. Actually I do have a private server and it's working fine, but I'm working on another server to make public proxies, and I want to make it last longer. My first published proxy got blocked after just 24 hours! I need to make it live longer: not 6 months, but at least a week. I've seen a few public proxies that have been working well for a month now! I wonder, what's the secret?

FreedomPrevails commented 5 years ago

@kooran I think they are monitoring Telegram proxy channels using some bots and automatically block the proxies that are published. If you use the dd secret, your proxy will live privately forever. The public proxies that live long use a domain name and change their IP every day. I think that's the secret.

euphoria360 commented 5 years ago

@kooran, in that case, there is not much you can do with your server to make it resilient!

It's all IP and DNS! You can change them, but it's a cat and mouse game, the same as what happened to all the free VPN services out there.

Iran already has DNS poisoning in place, and IP blocking is very common too.

One good option would be the ability to hide our servers behind CDNs such as Cloudflare, but unfortunately MTProto doesn't support this.

kooran commented 5 years ago

@FreedomPrevails @euphoria360 I'm trying to do that as well, playing with IP and DNS! But what would happen if I purchased a server in Iran, installed MTProto on it, then tunneled it to another server in Germany? When PPTP and L2TP VPNs were blocked in Iran, we reopened them this way. Does this make it harder for the government to block proxies? (In the MTProto case, there will be only one IP (the Iranian server) that connects to MTProto, and all other clients connect to a server in Iran.)

euphoria360 commented 5 years ago

@kooran, it doesn't matter how you route your connection; when you choose an Iranian server as your clients' public endpoint, you will shoot yourself in the foot!

Not only will your Iranian service provider ban you, but it will also have your registration documents and bank info available for the authorities, in case they need to find you.

kooran commented 5 years ago

@euphoria360 good point! but there has to be a way, there always is!