cbeuw / Cloak

A censorship circumvention tool to evade detection by authoritarian state adversaries
GNU General Public License v3.0

Shadowsocks-rust/OpenVPN + Cloak does not work on some net in rus #279

Closed unixs closed 2 weeks ago

unixs commented 1 month ago

I think the censorship devices have been updated today. Cloak does not work on only one specific network. Yesterday everything was good.

The problem occurred sequentially. First, the "plain" mode stopped working. A few days later, the encrypted mode stopped working.

cloak-server-1   | time="2024-09-18T18:56:04Z" level=warning msg="error reading first packet: read error after connection is established: read tcp 1.2.3.4:443->188.65.247.135:62419: i/o timeout" remoteAddr="188.65.247.135:62419"
cloak-server-1   | time="2024-09-18T18:56:04Z" level=warning msg="error reading first packet: read error after connection is established: read tcp 1.2.3.4:443->188.65.247.135:43785: i/o timeout" remoteAddr="188.65.247.135:43785"
cloak-server-1   | time="2024-09-18T18:56:04Z" level=warning msg="error reading first packet: read error after connection is established: read tcp 1.2.3.4:443->188.65.247.135:30731: i/o timeout" remoteAddr="188.65.247.135:30731"
cloak-server-1   | time="2024-09-18T18:56:04Z" level=warning msg="error reading first packet: read error after connection is established: read tcp 1.2.3.4:443->188.65.247.135:13623: i/o timeout" remoteAddr="188.65.247.135:13623"
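
A triage sketch for the warnings in the report above, added here as an example (not part of the original post and not Cloak's own code): it groups the "error reading first packet ... i/o timeout" lines by client IP so a server operator can see whether the failures come from a single network. The function names and the fifth, non-matching sample line are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the four warnings from the report above, plus one
# made-up non-matching line to show that other log entries are ignored.
SAMPLE = '''\
cloak-server-1   | time="2024-09-18T18:56:04Z" level=warning msg="error reading first packet: read error after connection is established: read tcp 1.2.3.4:443->188.65.247.135:62419: i/o timeout" remoteAddr="188.65.247.135:62419"
cloak-server-1   | time="2024-09-18T18:56:04Z" level=warning msg="error reading first packet: read error after connection is established: read tcp 1.2.3.4:443->188.65.247.135:43785: i/o timeout" remoteAddr="188.65.247.135:43785"
cloak-server-1   | time="2024-09-18T18:56:04Z" level=warning msg="error reading first packet: read error after connection is established: read tcp 1.2.3.4:443->188.65.247.135:30731: i/o timeout" remoteAddr="188.65.247.135:30731"
cloak-server-1   | time="2024-09-18T18:56:04Z" level=warning msg="error reading first packet: read error after connection is established: read tcp 1.2.3.4:443->188.65.247.135:13623: i/o timeout" remoteAddr="188.65.247.135:13623"
cloak-server-1   | time="2024-09-18T18:56:10Z" level=info msg="constructed non-matching line" remoteAddr="203.0.113.7:50000"
'''

# key="quoted value" or key=bare_value, as in the log lines above
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict of its fields."""
    body = line.split(" | ", 1)[-1]  # drop the "cloak-server-1   | " prefix if present
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(body)}

def first_packet_timeouts(log_text):
    """Group first-packet read timeouts by client IP: count, source ports, time span."""
    by_ip = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        fields = parse_line(line)
        msg = fields.get("msg", "")
        if not (msg.startswith("error reading first packet") and msg.endswith("i/o timeout")):
            continue
        ip, _, port = fields.get("remoteAddr", "").rpartition(":")
        if "time" not in fields or not port.isdigit():
            continue  # incomplete line, nothing to attribute
        ts = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
        entry = by_ip[ip]
        entry["count"] += 1
        entry["ports"].add(int(port))
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
    return dict(by_ip)

if __name__ == "__main__":
    for ip, e in first_packet_timeouts(SAMPLE).items():
        print(f"{ip}: {e['count']} first-packet timeouts on {len(e['ports'])} source ports, "
              f"{e['first'].isoformat()} to {e['last'].isoformat()}")
```

On the sample, all four timeouts come from one client IP on four different source ports in the same second: the connections were established, but no first packet reached the server before the read timed out.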

LindaFerum commented 1 month ago

I think you might want to change your server's IP.

Also, by "plain" you mean Cloak's plain? Why use that in prod at all?

unixs commented 1 month ago

According to the readme:

EncryptionMethod is the name of the encryption algorithm you want Cloak to use. Options are plain, aes-256-gcm (synonymous to aes-gcm), aes-128-gcm, and chacha20-poly1305. Note: Cloak isn't intended to provide transport security. The point of encryption is to hide fingerprints of proxy protocols and render the payload statistically random-like. You may only leave it as plain if you are certain that your underlying proxy tool already provides BOTH encryption and authentication (via AEAD or similar techniques).

I will check it with a new IP ASAP.

LLIycTpbIu commented 1 month ago

Same here, ss+cloak with the aes-256-cfb cipher doesn't work on the network of my mobile operator anymore.

cbeuw commented 1 month ago

One probable way to detect Cloak has been monitoring packet sizes for encapsulated TLS handshakes, so that could be what's happening here. The latest release (v2.10.0) could help as I've added random padding.

LLIycTpbIu commented 1 month ago

@cbeuw Now it works with the release (v2.10.0) built from source; the downloaded version of the binary doesn't work. Thank you!

cbeuw commented 1 month ago

Huh, that's very strange, the releases are built by CI. Could you upload the binary you built? I'm curious about the difference.

LLIycTpbIu commented 1 month ago

here ck-server_2.10.zip

LLIycTpbIu commented 1 month ago

It works, but randomly. I tried many times to connect and disconnect the client on Android: 2/10 connected, 8/10 connection refused.

unixs commented 2 weeks ago

All works fine with the same provider. Server and client version 2.10.0 from GitHub.