Open hadifarnoud opened 1 year ago
Hadi, I think Lantern has been working for at least some folks in Iran - maybe you can give that a try? https://lantern.io
@hadifarnoud, can you be more specific about what you mean by multi-hop? My interpretation is:
Client A makes a Shadowsocks connection to Server A. (No national border crossed in this hop.) Then Server A makes a separate Shadowsocks connection to Server B. (Across the border.) Is that right?
Hi Hadi, I assume you wanted a "multi-hop Shadowsocks" setup because you cannot connect to your Shadowsocks server directly from home; but you can connect to it from some Iranian datacenters. It has been observed before that traffic from Iranian datacenters was allowed, but traffic from the residential network was blocked.
If this is the case, this forwarding plan by Shadowsocks community may work for you. Note that this forwarding plan works for other application-layer circumvention tools other than Shadowsocks as well because it works on IP- and transport-layer.
Below is a tutorial using Outline as an example:
Say you have an Outline server (2.2.2.2
) listening on port 22222
outside of Iran; however, since you cannot connect to the server (2.2.2.2
) directly from home, you want to setup a relay server (1.1.1.1
) listening on port 11111
in the Iranian datacenter to relay your traffic:
Outline Client (home in Iran) <---> Relay Server (1.1.1.1:11111, Iranian datacenter) <---> Outline Server (2.2.2.2:22222, outside of Iran)
Then all you need to do is:
DST_SERVER_IP
, DST_SERVER_PORT
, RELAY_SERVER_IP
, RELAY_SERVER_PORT
with the actual values:#!/bin/bash
set -x
set -e
## Replace DST_SERVER_IP and DST_SERVER_PORT with actual value
DST_SERVER_IP="2.2.2.2"
DST_SERVER_PORT="22222"
## Replace RELAY_SERVER_IP and RELAY_SERVER_PORT with actual value
RELAY_SERVER_IP="1.1.1.1"
RELAY_SERVER_PORT="11111"
sudo iptables-save > "iptables-rules-backup-$(date '+%Y-%m-%d-%H:%M:%S').v4"
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -p tcp --dport "${RELAY_SERVER_PORT}" -j DNAT --to-destination "${DST_SERVER_IP}:${DST_SERVER_PORT}"
sudo iptables -t nat -A PREROUTING -p udp --dport "${RELAY_SERVER_PORT}" -j DNAT --to-destination "${DST_SERVER_IP}:${DST_SERVER_PORT}"
sudo iptables -t nat -A POSTROUTING -p tcp -d "${DST_SERVER_IP}" --dport "${DST_SERVER_PORT}" -j SNAT --to-source "${RELAY_SERVER_IP}"
sudo iptables -t nat -A POSTROUTING -p udp -d "${DST_SERVER_IP}" --dport "${DST_SERVER_PORT}" -j SNAT --to-source "${RELAY_SERVER_IP}"
1.1.1.1
) as forwarding.sh
.sudo bash forwarding.sh
.sudo cat iptables-rules-backup-2022-09-20-00:00:00.v4 | sudo iptables-restore
. (Your filename will be different.)Finally,
ss://Y2hhY2hKMjAtaWV0Zi1wb2x5MTMwNTp0aEltbzE3ZzZDTzM@2.2.2.2:22222/?outline=1
to ss://Y2hhY2hKMjAtaWV0Zi1wb2x5MTMwNTp0aEltbzE3ZzZDTzM@1.1.1.1:11111/?outline=1
.one solution that currently works is v2ray
.
I use the following schema to bypass restrictions:
Client (v2ray or shadowsocks) -> v2ray shadowsocks inbound (Iran) -> v2ray shadowsocks/VMess outbound (Iran) -> v2ray shadowsocks/VMess inbound (DE) -> freedom
There are plenty of obfuscation/encryption options but I think the simplest way is to use shadowsocks with HTTP obfuscation
.
Iran config:
{
"log":{
"logLevel": "warning"
},
"inbounds": [
{
"tag": "in-shadow",
"port": "1470",
"listen": "0.0.0.0",
"protocol": "shadowsocks",
"settings": {
"method": "aes-256-gcm",
"password": "secret",
"network": "tcp"
}
}
],
"outbounds": [
{
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"address": "Free VPS ip",
"port": 1472,
"method": "aes-256-gcm",
"password": "super_strong_secret"
}
]
},
"streamSettings": {
"network": "tcp" ,
"tcpSettings": {
"header": {
"type": "http",
"request": {
"version": "1.1",
"method": "GET",
"path": ["/"],
"headers": {
"Host": ["www.softqloud.com", "aws.amazon.com"],
"User-Agent": [
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36" ,
"Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/53.0.2785.109 Mobile/14A456 Safari/601.1.46"
],
"Accept-Encoding": ["gzip, deflate"],
"Connection": ["keep-alive"],
"Pragma": "no-cache"
}
}
}
}
},
"tag": "out-shadow"
},
{
"protocol": "blackhole",
"settings": {
"response": {
"type": "http"
}
},
"tag": "blockout"
},
{
"protocol": "freedom",
"tag": "direct"
}
],
"dns": {
"servers": ["8.8.8.8","https://1.1.1.1/dns-query", "localhost"]
},
"routing": {
"domainStrategy": "IpOnDemand",
"rules": [
{
"type": "field",
"ip": ["geoip:ir"],
"domain": [
"regexp:\\.ir$"
],
"outboundTag": "direct"
},
{
"type": "field",
"ip": ["geoip:private"],
"outboundTag": "blockout"
},
{
"type": "field",
"inboundTag": ["in-shadow"],
"outboundTag": "out-shadow"
}
]
}
}
DE (anywhere with free internet access):
{
"log":{
"logLevel": "warning"
},
"inbounds": [
{
"tag": "direct_shadow",
"port": 1472,
"listen": "0.0.0.0",
"protocol": "shadowsocks",
"settings": {
"method": "aes-256-gcm",
"password": "same as super_strong_secret",
"network": "tcp"
},
"streamSettings": {
"network": "tcp" ,
"tcpSettings": {
"header": {
"type": "http",
"response": {
"version": "1.1",
"status": "200",
"reason": "OK",
"headers": {
"Content-Type": [
"application/octet-stream",
"video/mpeg",
"application/x-msdownload",
"text/html",
"application/x-shockwave-flash"
],
"Transfer-Encoding": [
"chunked"
],
"Connection": [
"keep-alive"
],
"Pragma": "no-cache"
}
}
}
}
}
}
],
"outboundDetour": [
{
"protocol": "blackhole",
"settings": null,
"tag": "blocked"
}
],
"outbound": {
"protocol": "freedom" ,
"tag": "direct"
},
"dns": {
"servers": ["8.8.8.8","https://1.1.1.1/dns-query", "https://dns.google/dns-query", "localhost"]
}
}
You can elaborate this config however you like, for example use VMess for VPS communication or add TLS. But I think UDP protocol will be blocked, so don't use any transport with UDP as backend(mKCP or QUIC).
Also, these configurations are for v2ray version 4.x.x
I've documented a similar setup for a tor bridge here: #127
I assume the situation in Iran will drag on. Do you also expect authorities to ultimately and systematically enforce the same censorship rules on all providers? Or do we know that certain networks will be spared from such measures (due to financial reasons for example, or some other considerations...)?
Currently, mobile networks are affected the most by censorship. At certain times of day (normally 5 pm - 12 am) these networks can only access internal services. Residential networks (home and organizations) have only limited access (UDP traffic is widely blocked and most famous VPN protocols are blocked with DPI). Some data centers have stable connections to the internet, but they are affected by VPN protocol blockage as well. The situation has only gotten worse in the past few days.
things got worse now only multi-hub ssh tunneling works on mobile carriers
Currently, mobile networks are affected the most by censorship. At certain times of day (normally 5 pm - 12 am) these networks can only access internal services. Residential networks (home and organizations) have only limited access (UDP traffic is widely blocked and most famous VPN protocols are blocked with DPI). Some data centers have stable connections to the internet, but they are affected by VPN protocol blockage as well. The situation has only gotten worse in the past few days.
so sad :( do you have any suggestion ? looking for new config that works on mobile carriers. i can set up relay
I provided a v2ray config
one solution that currently works is
v2ray
.
It's not perfect, but it will allow you to bypass network restrictions.
hello guys right now i have access to internet without restriction trough ssh tunneling to my VPS and speed is awesome , my problem is i cant use ssh tunneling with UDP protocol , do u have any idea how can i use use udp over ssh regards
I provided a v2ray config
one solution that currently works is
v2ray
.It's not perfect, but it will allow you to bypass network restrictions.
I tried to setup v2ray with Iran IPs going directly to ISP, but failed with geoip.dat error. If all my traffic goes to one IP address, they will block it
I provided a v2ray config
one solution that currently works is
v2ray
.It's not perfect, but it will allow you to bypass network restrictions.
I tried to setup v2ray with Iran IPs going directly to ISP, but failed with geoip.dat error. If all my traffic goes to one IP address, they will block it
run a torrent seedbox (with deluged) on the same server and things will look much more normal.
Hello As you may know, Iran blocked access to free internet a few days ago due to unrest. As a result, they are aggressively blocking all VPN servers.
The only way we found working was a multi-hop setup with one server in Iran and the other outside Iran.
I cannot find any tutorial for that anywhere. Having a censorship-resistant multi-hop setup would work for situations like today.
I lack technical knowledge for this kind of setup. Please consider publishing a tutorial
Thank you, Hadi