krlvm / PowerTunnel

Powerful and extensible proxy server with anti-censorship functionality
GNU General Public License v3.0

HTTP/3 Support over QUIC with Kwik (Feature Request) #122

Open DRSDavidSoft opened 1 year ago

DRSDavidSoft commented 1 year ago

Description

Hi there, and thanks for developing PowerTunnel!

Since the availability of HTTP/3, many sites offer their services in both the older HTTP/1.1 and HTTP/2 (which are TCP-based), and the newer HTTP/3, which uses UDP for the transport layer.

This is both faster, and also not blocked by censorship agencies in many regions, meaning it would be possible to bypass censorship by using the QUIC transport protocol. This is because the traffic on port 443 UDP is not being filtered in these regions the same as it's being done on port 443.

Popular websites that use HTTP/3 include YouTube, Reddit, and all Cloudflare-based domains.

Currently there is no proxy software that supports making HTTP/3 requests, so since PowerTunnel is already doing MITM in order to figure out the outgoing request, it can forward it over Kwik, a pure Java-based QUIC implementation, in order to make HTTP/3 requests. Additionally, it can allow incoming HTTP/3 requests as well with Kwik, since it supports both QUIC requests and being run as a server.

This will lead to significant performance boosts if the website supports the HTTP/3 protocol, and an easier censorship bypassing in regions where the UDP traffic is not filtered.

krlvm commented 1 year ago

Thank you, I'll check it later this month

Alyaqdhans commented 3 weeks ago

Does this mean UDP packets (games) will be able to be bypassed if implemented, or is it just for websites?

DRSDavidSoft commented 3 weeks ago

@Alyaqdhans it appears that you're mixing up two distinct concepts. You are probably referring to capturing UDP packets from games by PowerTunnel, while QUIC is not about capturing anything. It is rather the method of transportation of HTTP data (which you referred to as "websites").

QUIC is used to transfer the already captured data over UDP, instead of the traditional TCP method that is used in HTTP and SSL.

Alyaqdhans commented 2 weeks ago

@DRSDavidSoft Will the feature of capturing UDP packets be added to PowerTunnel? It would be awesome if it did!

DRSDavidSoft commented 2 weeks ago

@Alyaqdhans I'm not the developer of PowerTunnel, @krlvm is.

I understand the importance of UDP for gaming purposes, and indeed it would be awesome if PowerTunnel could do that. However, bear in mind that PowerTunnel is not a VPN and it doesn't involve any solution to bypass DPI inspection and bypass government blockages.

This is because PowerTunnel is specifically written for HTTP and websites, and uses known tricks that would make the traffic passable through government and ISP routers' inspection.

The same cannot be said for UDP, mostly because UDP traffic is not inspected the same way as TCP and HTTP are. In fact UDP may not be inspected at all, since it does not contain any HOST name or domain name inside it. I believe the government and ISPs simply block the destination IP range (CIDR) of popular gaming servers which they deem illegal in the country.

This means that the tricks that are used in PowerTunnel to bypass HTTP traffic don't apply to UDP. You'll have to look for new tricks specifically made for UDP and, to the best of my knowledge, there are none. As I said, the block method differs. In HTTP, the IP endpoint of the request may be shared by hundreds of websites, so PowerTunnel can make the traffic seem like it's intended for another domain. UDP has no concept of "domains". They're simple packets in nature.

I suspect in your case you will need a VPN or a server to re-route the UDP traffic. I know it sucks and causes an increase in lag, but that's the only way I can think of.

In any case, PowerTunnel is not a real tunnel. It's simply a collection of tricks aimed towards HTTP only. I doubt it will ever be useful on any non-HTTP traffic, even TCP, because everything it's designed to do is some modification to the HTTP request.

Alyaqdhans commented 2 weeks ago

@DRSDavidSoft But somehow PowerTunnel-Android achieved this by using the device VPN service or something, and also GoodByeDPI works for games (not very well; sometimes it cannot handle the amount of packets). So, if it's done on Android, and Windows has a built-in VPN too, isn't it possible? Or are they just built completely differently from one another?

DRSDavidSoft commented 2 weeks ago

The Android version of PowerTunnel has a VPN mode, which is only used to capture the traffic and do modifications on them. The end result is the same as the proxy mode. The difference is that Android doesn't work nicely with proxies without root or some kind of manual setup. I think PowerTunnel simply passes through any kind of traffic that it can't handle.

I don't know how GoodByeDPI works, but I'd be surprised if it has some tricks that work for UDP. It would mean your region doesn't block UDP packets by their destination, but rather by their content.

In this case, maybe PowerTunnel can incorporate the same kind of modification technique that is used in GoodByeDPI.

And yes, the VPN infrastructure in Windows is indeed very different from Android's. Even though the same kind of functionality may be achieved on Windows, there is no reason to. PowerTunnel doesn't touch the UDP traffic.

I suspect it would be best to open a new issue to ask the author for some R&D and request implementing such a feature into PowerTunnel if possible.

Good luck!

Alyaqdhans commented 2 weeks ago

@DRSDavidSoft See this #123

krlvm commented 2 weeks ago

@DRSDavidSoft is absolutely correct, PowerTunnel is an HTTP proxy, while VPN on Android is used to capture and redirect all apps' traffic through it. UDP is being passed through without any processing.

Alyaqdhans commented 2 weeks ago

@DRSDavidSoft @krlvm GoodByeDPI uses this WinDivert

DRSDavidSoft commented 2 weeks ago

@krlvm You closed this issue but the previous discussion was off-topic.

Does this mean the original feature request in question, QUIC support using Kwik, is also not planned?

krlvm commented 2 weeks ago

@Alyaqdhans, WinDivert has absolutely nothing to do with this

@DRSDavidSoft, yes, QUIC is UDP-based and PowerTunnel (more precisely, LittleProxy) is an HTTP proxy - UDP can't be proxied via HTTP - there's a draft though.

Support will be added if PowerTunnel ever migrates to, for example, SOCKS5.

DRSDavidSoft commented 2 weeks ago

@krlvm These are two different matters; the confusion stems from the request by @Alyaqdhans.

The original topic for this issue is not proxying UDP over HTTP. It's vice versa. QUIC allows you to send an HTTP request over UDP.

Which means LittleProxy + Kwik can receive a regular TCP-based HTTP request, then transmit it over UDP! This has many benefits because in many regions the government and ISP are only interested in the TCP traffic for blocking website access.

QUIC is not a draft anymore since the introduction of HTTP/3, and today many providers (including Google and Cloudflare) support it. Think of the addition of Kwik as an HTTP/1.1 → HTTP/3 upgrader inside LittleProxy.

Oh, if there is ever the possibility of stripping the SNI and sending an ESNI or ECH -- that would be awesome! Then the governments and ISPs can never guess what hostname the request is intended for! All they see is the shared IP destination, which can be any website.

This last one is super useful for visiting YouTube in certain regions where Google owned IPs are not blocked. Or visiting any Cloudflare-hosted website, as Cloudflare supports QUIC and HTTP/3 in general. This amounts to about 20% of all websites that exist and about 80% of the total web traffic, according to external statistics.

Additionally, Apache, Nginx and IIS (popular web servers) all support HTTP/3 today. Unfortunately it is not the default configuration, but many content providers do make use of them.

I hope that with the global move towards HTTPS and encryption in general, as opposed to plain HTTP, the hands of governments and ISPs will be cut off from snooping in users' data and privacy. They can still see the source and destination of the traffic, although by using CDN providers like Cloudflare, all they'll be seeing is that someone is connecting to Cloudflare, not which website they're connecting to (and since it's HTTPS, not what content is being transferred).

This means that they will not be able to block any request without affecting the other services on the provider as a whole!

The problem is that LittleProxy can only capture TCP-based HTTP and forward it to a TCP-based endpoint. However, all major browsers (which are Chromium based or Firefox at this point) support all QUIC and HTTP/3 drafts and so the content providers are making great use of this. Using proxies such as Squid or LittleProxy causes this chain to fail so the client will need to revert back to TCP-based HTTPS.

Integration of something like Kwik with LittleProxy will allow PowerTunnel to receive the request from the client, perform the modifications to the SNI and then transmit it not over TCP but UDP, which will instantly bypass the limits put in place by the governments and ISPs. Not only that, UDP is in general faster than TCP. It provides higher bandwidth for media transfer, which is a necessity in applications like YouTube which stream media.

I haven't yet found any proxy software that supports receiving regular TCP-based HTTP traffic and forwarding it to UDP-based QUIC. That would be super awesome if PowerTunnel could do it.

I can confirm that YouTube works with this method in this region. By utilizing such a method it would be unnecessary to use any VPNs to forward traffic to external servers, think of all the energy that is being wasted for this. Incorporating this will allow PowerTunnel to easily and efficiently bypass YouTube restrictions as long as the government and ISPs don't block UDP traffic to the entire Google CIDRs.

Whoa, sorry for the long rant!
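One practical detail behind the "HTTP/1.1 → HTTP/3 upgrader" idea above: an origin only announces HTTP/3 through the Alt-Svc response header (RFC 7838), so a proxy has to see at least one TCP response and cache that advertisement for its max-age before it can safely switch that origin to QUIC. The parser and decision helper below are an added illustration written for this thread, not code from PowerTunnel, LittleProxy or Kwik; the function names and the sample header value are constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical helper for an HTTP/1.1 -> HTTP/3 upgrader (not PowerTunnel code).
# Alt-Svc grammar (RFC 7838): protocol-id="authority"; ma=seconds[; persist=1]
# Entries are comma separated; the bare value "clear" revokes earlier entries.

@dataclass
class AltService:
    protocol: str   # ALPN id, e.g. "h3", or a draft id such as "h3-29"
    host: str       # "" means "same host as the origin"
    port: int
    max_age: int    # seconds; RFC 7838 default is 86400

_ENTRY = re.compile(r'^\s*([A-Za-z0-9%.\-]+)="([^"]*)"\s*(.*)$')

def parse_alt_svc(value: str) -> list[AltService]:
    """Parse one Alt-Svc header value; malformed entries are skipped."""
    if value.strip().lower() == "clear":
        return []
    result = []
    for entry in value.split(","):
        m = _ENTRY.match(entry)
        if not m:
            continue
        proto, authority, rest = m.groups()
        host, _, port = authority.rpartition(":")   # ":443" -> ("", "443")
        if not port.isdigit():
            continue
        max_age = 86400
        for param in rest.split(";"):
            key, _, val = param.strip().partition("=")
            if key.lower() == "ma" and val.strip().isdigit():
                max_age = int(val.strip())
        result.append(AltService(proto.lower(), host, int(port), max_age))
    return result

def pick_h3(alts: list[AltService], seen_at: float, now: float):
    """Return the first still-valid same-host "h3" alternative, else None.

    A different-host alternative is deliberately ignored here: RFC 7838 only
    allows it after the alternative presents a certificate valid for the
    origin, which this helper does not verify."""
    for alt in alts:
        if alt.protocol == "h3" and alt.host == "" and now - seen_at < alt.max_age:
            return alt
    return None
```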

krlvm commented 2 weeks ago

This makes sense, thank you for writing this.

Regarding ESNI, it should be supported not only by client, but also by the server, and besides Cloudflare, it seems that almost no one supports it right now.