search

net4people / bbs

Forum for discussing Internet censorship circumvention
3.22k stars 75 forks source link

Sharing a modified Shadowsocks as well as our thoughts on the cat-and-mouse game #136

Open gfw-report opened 1 year ago

gfw-report commented 1 year ago

Authors: Anonymous, Anonymous Date: Saturday, October 15, 2022 中文版:分享一个修改版的Shadowsocks,兼谈我们对猫鼠游戏的一点想法

In this post, we release and open source a modified version of Shadowsocks that can bypass the current GFW's detection and blocking. We first introduce the reason why this modified Shadowsocks can bypass the detection and blocking. We then share a simple tutorial on how to setup the client and server. We will also cover two other ways that help Shadowsocks and VMess bypass the current GFW's blocking. At the end of the article, we share some of our thoughts on the cat-and-mouse game of censorship. In particular, we start with answering why censor always starts the massive blocking a few days or weeks before politically sensitive period of time in China; we then argue that, comparing to the anti-censorship community, a fundamental weakness of censor is its inflexibility. We further discuss how to exploit censor's weaknesses to achieve better anti-censorship effect with limited resources.

Motivations

We release this modified Shadowsocks tool today for three reasons:

  1. First, we want to provide Chinese netizens with a (temporarily) viable solution to bypass censorship, mitigating the GFW's massive blocking of multiple censorship circumvention tools since October 3rd, 2022.

  2. Second, we would like to take this opportunity to start a discussion among anti-censorship researchers and developers. Our empirical research shows that the current GFW can already accurately identify Shadowsocks, VMess, and Obfs4 and many other full-encrypted protocols. We estimate that the GFW's current traffic detection algorithm has 0.6% false positives, while the false negatives are almost negligible. This finding urgently requires us to brainstorm and discuss how to improve the current protocols collectively.

  3. Finally, we would like to use this release as an experiment to observe both the censor and the anti-censorship community on how fast each side can react to a new (anti-)censorship event.

Why can this modified Shadowsocks circumvent the GFW's current detection and blocking?

We worked with other researchers to discover that the current GFW utilizes a number of different rules to identify fully encrypted protocols like Shadowsocks, VMesss, and Obfs4. One of these rules takes advantage of the fact that the ratio of 0 bit to 1 bit in these encrypted flows is close to 1:1. Therefore, if we add more 0s or 1s to the encrypted traffic and then rearrange the bit sequence, we can achieve the goal of changing the original ratio feature to bypass detection and blocking.

How do I use this modified Shadowsocks?

This modified version of Shadowsocks is based on Shadowsocks-rust, and we also make use of Shadowsocks-android to compile the apk files for Android users. All client and server side software can be found at this branch and this release.

Installing the server

The installation process is the same as installing any other Shadowsocks-rust server.

  1. First you login to your remote server, and then get the server binary with:
wget https://github.com/gfw-report/shadowsocks-rust/releases/download/v0.0.1-beta/shadowsocks-v1.15.0-alpha.9.x86_64-unknown-linux-gnu.tar.xz
tar xvf shadowsocks-v1.15.0-alpha.9.x86_64-unknown-linux-gnu.tar.xz
  1. Then you create a configuration file:

sudo nano server_config.json

Copy and past the following settings to the file. Note that you need to replace the password ExamplePassword with a much stronger one. A handy way to do this from your terminal is: openssl rand -base64 16. You may also want to change the server_port.

{
  "server": "0.0.0.0",
  "server_port": 8388,
  "password": "ExamplePassword",
  "method": "aes-256-gcm"
}

After finishing editing, you type Ctrl + x to exit. The text editor will ask "Save modified buffer?", and you can type y and then hit Enter.

  1. Now you can start running the binary with the configuration file, but to make it work even after you ended your SSH session, you may want to create a tmux session by:
tmux

You then do:

./ssserver -c ./server_config.json

Finally, type Ctrl + b and then type d to detach from the tmux session.

Firewall configuration

We use ufw to open ports for the Shadowsocks server.

To install ufw on a Debian-based server:

sudo apt update && sudo apt install -y ufw

Then open ports for ssh and Shadowsocks-rust. Note that if you set the server_port to a value different than 8388 in server_config.json, you need to change the value 8388 below accordingly:

sudo ufw allow ssh
sudo ufw allow 8388

Now enable ufw:

sudo ufw enable

If it prompts Command may disrupt existing ssh connections. Proceed with operation (y|n)?, type y and hit Enter.

Finally, run sudo ufw status, and the output should look like this:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8388                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8388 (v6)                  ALLOW       Anywhere (v6)

Client side configuration

Below is a configuration file for Client. Remember to change the server value from ExampleServerIP to your remote server's public IP address. If you used andorid and installed from the apk file we provided, the usage should be the same as usual.

{
    "server": "ExampleServerIP",
    "server_port": 8388,
    "password": "ExamplePassword",
    "method": "aes-256-gcm",
    "local_address": "127.0.0.1",
    "local_port": 1080
}

Limitation of the current implementation

Are you aware of any other ways to circumvent the current blocking?

We know of two other currently viable options, all of which utilize a different traffic detection rule by the GFW.

If you are a V2Ray user, you can turn on the ExperimentReducedIvHeadEntropy option to avoid the GFW's detection and blocking. The advantage of this option is that you do not need to make any changes to your servers.

@database64128 also implemented another way to bypass the censorship. Because the protocol is changed, it requires updating both client and server to use it.

Our thoughts on this cat-and-mouse game

We'd like to take this opportunity to share some of our thoughts on the cat-and-mouse game of censorship. Our views are based on our observations and reflections on both the censor and the anti-censorship community; we have also been deeply influenced by klzgrad, David Fifield, and many other anti-censorship developers and researchers.

Censor's timing choice of new blocking techniques

As many long-time Internet censorship observers have noticed, Chinese censors always start using their new censorship weapons on a large scale a few days or weeks before a politically sensitive event. In fact, such timing choices are no coincident. So what are the specific reasons? We suspect there are at least three reasons, and we encourage everyone to share their thoughts on them.

  1. First, it is an important political task for censors to ensure that they have sufficient control over public opinion and information flow, at least during politically sensitive time periods. This task is often described in official parlance as "protecting the cybersecurity during such-and-such event".

  2. Second, censors are willing to tolerate more collateral damage caused by false positives in detection during sensitive times. This nature provides new censorship weapons a more permissive trial-and-error environment when they are first put into use. Tschantz et al. analyze and summarize a large number of censorship incidents and find that "real censors tend to use vulnerabilities that produce underblocking but not overblocking" (see recommendation 5). And this tendency shifts slightly during politically sensitive times: censors become more tolerant of the collateral damage caused by false positives in detection in trade of a tighter social control. By deploying a new censorship weapon during such period of time, the censor's mistake will be more tolerated even if the tool caused any overblocking accident due to bugs that were not tested out in the prior phases. klzgrad shares a similar view in this comment.

  3. Finally, and most importantly, a often overlooked reason is the fact that the GFW is actually trying to compensate for and cover up its fundamental weakness of inflexibility. In this cat-and-mouse game, the censors know that they are simply no match for the anti-censorship community in terms of responsiveness and flexibility. If they started deploying their new secret weapon long before the sensitive period begins, the anti-censorship community will have more time to study it and find new ways to bypass censorship. At that point, if they can't be flexible and fast enough to improve their censorship weapons, then their attempts to tighten their controls over the Internet during politically sensitive times will fall flat. David Fifield shared a similar point of view in this comment.

Censors have weaknesses

The censor's lack of flexibility is dictated by the nature of itself and the problems it faces. Specifically, it is itself part of a large bureaucracy, which inevitably leads to inefficient internal operations and rigid behaviors. And yet the problem it faces is as complex as monitoring and censoring network traffic on a national scale. It is not hard to imagine that a new censorship weapon always has to go through the procedures of early-phase research, grants application, more formal scientific research, product development, debugging, surveying on real-world traffic, experimental deployment, and then the final nationwide large-scale deployment and use. The length of the process can take quite a long time.

One may be wondering if it indeed takes such a long time for the censor to deploy a censorship weapon. Let's take this release as another experiment to observe how fast the censor and anti-censorship community can react. In particular, let's see how long it takes the censors to block our released tool that has many weaknesses.

How to exploit censor weaknesses?

Exploiting the censor's weakness, we came up with a few principles in hope they can make the anti-censorship efforts more effective.

  1. Be more tolerant of imperfect circumvention solutions and do not give up on an imperfect circumvention solution too soon. As mentioned in the previous section, the fact that the GFW is less flexible than the anti-censorship community is often overlooked. And because of that, many circumvention solutions have been dismissed and killed prematurely simply because they "have weaknesses". This is often because when anti-censorship developers and researchers envisioning themselves as censors, they tend to focus on the first step for censor -- "pre-research" -- and thinking that a circumvention solution would be easily blocked; however, they actually underestimated the long process of funding applications, formal scientific research, product development, debugging, surveying real-world traffic, experimental deployments, and finally, nationwide deployment, that the real censors have to face. In fact, if an anti-censorship developer spends an afternoon rolling out a new anti-censorship tool, but it takes the censor a large amount of time, energy, human, material and financial resources to block it in six months, we have to say this "imperfect" tool served as a great leverage.

  2. Increase the diversity of censorship circumvention solutions by letting a thousand flowers bloom. In many people's imagination, the GFW is a perfect censor because of its national-level resources; however, in reality, there are limited number of teams with the skills, ability, and resources to walk through all the procedures to make a censorship weapon from an idea to a real weapon deployed national-wide. Therefore, the more anti-censorship solutions the community can create, the less likely these limited resource censor teams will be able to block all tools in one go. And as long as there is one working circumvention solution left in one of these massive blocking event, the information is not disrupted completely.

  3. Actively report new censorship events, promptly measure and understand new censorship techniques, and share the viable circumvention strategies with the community. Achieving this will require communication, effort, and cooperation between Chinese netizens, researchers, and developers. Encouragingly, we are now seeing more and more people joining this collaboration and working together as a collective.

  4. Develop backup circumvention tools in advance. We have seen that the GFW makes up for its lack of flexibility by starting using its new secret weapons in large scale a few days before politically sensitive events. So can we use a similar strategy where we develop more backup plans in normal times, and then send them out just before sensitive times, like this release? This way, even if the technical staffs working for the GFW immediately spot any flaws in the new tool, and knew how to block the tool, it would still take them a long research and development cycle before actually being able to block it in real world.

Acknowledgment

We thank David Fifield for commenting on an earlier draft of this article.

Contact

We encourage you to share your thoughts, comments, user experiences publicly or privately. Our private contact information can be found at the footer of GFW Report.

gfw-report commented 1 year ago

分享一个修改版的Shadowsocks,兼谈我们对猫鼠游戏的一点想法

作者: Anonymous, Anonymous 日期: 2022年10月15日,星期六 English version: Sharing a modified Shadowsocks as well as our thoughts on the cat-and-mouse game

我们在这篇文章中发布和开源一个修改版的Shadowsocks。这个版本的Shadowsocks可以绕过当前GFW的检测以及封锁。我们首先介绍这个修改后的Shadowsocks的原理,再分享一个如何部署服务器和客户端的简单教程。我们还会介绍其他两种当前能够帮助Shadowsocks和VMess绕过当前GFW封锁的办法。在文章的最后,我们分享我们对审查这个猫鼠游戏的一些看法。我们将从审查者每次开始大规模封锁的时间点选择出发,探讨审查者相比反审查社区缺乏灵活性这一根本性的弱点,并附上我们对如何利用审查者的弱点来达到四两拨千斤的效果的一些建议。

动机

我们在此时发表这个版本有三个目的:

  1. 首先,我们想为中国网民提供一个(暂时)可行的翻墙方案。用增加翻墙协议多样性的方式,缓解10月3号以来的GFW对多种翻墙工具的大规模封锁。

  2. 其次,我们想抛砖引玉地引起研究者和开发者的讨论。我们实证性的研究显示,当前的GFW已经可以精准地识别Shadowsocks,VMess,以及Obfs4这类完全加密协议(full-encrypted protocol)。我们估算GFW当前的流量检测算法会误伤约0.6%的非翻墙链接,而假阴性则低得几乎可以忽略不计。这迫切的需要我们群力群策地改进当前的协议。

  3. 最后,我们想把这次发布当作一场实验,同时观察审查者和反审查社区在面对新的(反)审查事件时的反应速度。

为什么这个修改后的Shadowsocks可以规避GFW当前的检测和封锁?

我们与其他研究人员合作发现,当前的GFW会利用多种不同的规则来识别Shadowsocks,VMesss,以及Obfs4这类完全加密协议。其中一条规则就利用了这些加密流量的0比特与1比特的比例接近1:1的特性。因此,如果我们在加密流量中加入更多的0或1,再对比特序列进行重排,就可以达到改变原有比例特征,绕过检测和封锁的目的。

我怎么用这个修改版的Shadowsocks?

这个修改版的Shadowsocks基于Shadowsocks-rust,我们还利用Shadowsocks-android编译了apk文件供安卓用户使用。所有的客户端和服务端软件都可以在这个branch这个release找到。

安装服务端

安装修改版的服务器的过程与安装任何其他Shadowsocks-rust服务器无异。

  1. 首先你需要登陆你的远程服务器,然后下载编译好的文件
wget https://github.com/gfw-report/shadowsocks-rust/releases/download/v0.0.1-beta/shadowsocks-v1.15.0-alpha.9.x86_64-unknown-linux-gnu.tar.xz
tar xvf shadowsocks-v1.15.0-alpha.9.x86_64-unknown-linux-gnu.tar.xz
  1. 接着你需要创建一个配置文件:

sudo nano server_config.json

将下面的配置文件复制粘贴。注意,你需要把里面的ExamplePassword替换成一个更强的密码。你可以用以下命令在终端生成一个强密码:openssl rand -base64 16。你也应该考虑更改服务器端口8388

{
  "server": "0.0.0.0",
  "server_port": 8388,
  "password": "ExamplePassword",
  "method": "aes-256-gcm"
}

将上方替换过密码的配置信息复制粘贴到配置文件后, 按Ctrl + x退出。 退出时,文本编辑器将问你"Save modified buffer?",请输入y然后按回车键

  1. 你现在就可以运行二进制的服务器了。但是为了让它在你退出SSH后还能继续运行,你可以考虑建立一个tmux会话:
tmux

然后再运行服务器:

./ssserver -c ./server_config.json

最后,按Ctrl + b再按d就可以脱离tmux会话了。

防火墙配置

我们使用ufw来管理Shadowsocks服务器的防火墙。

在基于Debian的服务器上,可以通过如下命令安装ufw

sudo apt update && sudo apt install -y ufw

然后开放有关sshShadowsocks-rust的端口。 请注意,以下命令假设你在server_config.json中的server_port的值为8388。 如果你的server_port用了其他的值,请对以下命令作相应的修改:

sudo ufw allow ssh
sudo ufw allow 8388

现在我们启动ufw:

sudo ufw enable

启动时如果弹出Command may disrupt existing ssh connections. Proceed with operation (y|n)?,请输入y并按回车键。

最后,请用sudo ufw status检查一下你的配置是否和下面的一样:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8388                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8388 (v6)                  ALLOW       Anywhere (v6)

客户端配置

下面是桌面版客户端的配置文件,记得server的值替换为你远程服务器的IP地址。如果你们是用了我们提供的安卓apk在手机上使用,那么配置就和往常的使用Shadowsocks-android的办法一样。

{
    "server": "ExampleServerIP",
    "server_port": 8388,
    "password": "ExamplePassword",
    "method": "aes-256-gcm",
    "local_address": "127.0.0.1",
    "local_port": 1080
}

不足

你们还知道什么其他的可以规避当前封锁的方法吗?

我们还知道两种目前可行的方案,他们都利用了另一种不同的GFW流量检测规则:

如果你是V2Ray用户,你可以开启ExperimentReducedIvHeadEntropy选项来避免GFW的检测和封锁。这个方案的好处是你无须在服务器进行任何修改。

如果你是Shadowsocks用户,@database64128实现了另外一种绕过审查的办法。因为对协议做了修改,所以需要同时更新客户端和服务端。

分享我们对猫鼠游戏的一点看法

我们想借此机会分享一些我们对于审查与反审查这个猫鼠游戏的看法。这些看法既来自于我们对审查者和反审查社区两方的观察与思考,又同时受到klzgrad,David Fifield以及其他许多许多反审查者的深深影响。

审查时间点的选择

长期关注互联网审查的朋友们一定已经发现,中国的审查者总是在政治敏感事件来临前的数天或数周开始大规模地使用他们的新审查武器。实际上,这样的时间点选择绝非偶然,那具体的原因是什么呢?我们猜想至少有三点,也欢迎大家继续讨论补充:

  1. 首先,对审查者而言,保证至少在政治敏感的时间段内,对社会舆论和信息流通有着足够的控制,是一项重要的政治任务。这项任务通常会被官方话语描述为"为某某期间的网络安全护航"。

  2. 其次,审查者在政治敏感时期更能容忍审查造成的误伤,因此给新的审查武器投入使用提供了更宽松的试错环境。Tschantz等人对大量审查事件进行分析总结后发现,真实世界的审查者通常宁可少封,也要尽量避免错封带来的影响(见recommendation 5)。而这种倾向仅在政治敏感时期略有变化:审查者会变得更能容忍误伤的代价,以达到其所追求的社会管控。而在这时上线新的武器,即使有前期没有测试出来的错误造成误伤或事故,也更能被容忍。klzgrad这篇评论中也分享了类似的观点。

  3. 最后,也是最为重要,却容易被忽视的一点是,GFW其实是在极力地弥补和掩盖其缺乏灵活性的根本性弱点。在这场猫与鼠的游戏中,审查者自知其在反应速度、灵活性上根本不是反审查社区的对手。 如果他们在敏感时期开始前的很长一段时间就开始部署他们新的秘密武器,那么反审查社区就有更多的时间去研究它,并发现绕过审查的新方法。到那时,如果他们不能灵活快速地改进自己的审查武器,那他们在政治敏感时期收紧网络管控的企图就会落空。David Fifield在这篇评论中也分享了类似的观点。

审查者有弱点

审查者缺乏灵活性是由其自身和其所面对的问题的本质所决定的。具体而言,其自身是庞大官僚机构的一部分,这不可避免的导致其内部运行效率低下,行为僵化。而其所面临的问题却又是在全国范围内大规模地监控和审查复杂多变的网络流量。可以想象,一款新型审查武器总是要经历预先研究,经费申请,立项,科研,产品开发,调试,真实流量调研,实验性部署,才能到最后的全国范围内的大规模部署和使用。其过程的漫长程度可想而知

空口无凭。我们不妨把这次发布当作又一场观察(反)审查者反应速度的实验:看一看审查者要花多久才能封锁我们这次发布的这个有着诸多弱点的版本。

如何利用审查者的弱点?

针对审查者的弱点,我们想到了一些也许能让反审查工作在有限的资源下,事半功倍的原则:

  1. 要对不完美的翻墙方案更宽容,不要过早放弃一个不完美的翻墙方案。我们前面说GFW灵活性不如反审查社区这个弱点通常被人们忽视,是因为看到许多的翻墙方案仅仅因为“存在弱点”就被过早的否定和扼杀了。这通常是因为反审查人员在设想自己是审查者时,更多的只考虑了第一步“预先研究”,觉得某个翻墙方案很容易被封锁,而忽视了真正的审查者所要面对的还有漫长的经费申请,立项,科研,产品开发,调试,真实流量调研,实验性部署,才能到最后的全国范围内的大规模部署和使用。事实上,如果我们的反审查人员花一个下午做好的反审查方案,在消耗了审查者半年的时间、精力、人力、物力、财力后被封锁了,其四两拨千斤的作用也早已经达到了。

  2. 要增加翻墙方案的多样性,鼓励不同翻墙方案的百花齐放。在很多人的想象中,GFW因为拥有国家级的资源而成为一个完美的审查者,但实际上,有技术、能力、资源将上述审查武器研发流程一一走完的团队是有限的。我们反审查社区开发的翻墙方案越多种多样,这些有限的资源团队就越无法一网打尽所有的翻墙软件。而只要在某次大封锁中还剩下一种能用翻墙方案,信息就不至于完全阻塞。

  3. 积极的报告新的审查事件,当新的审查事件发生时,迅速地测量新的审查机器,并将测量结果和绕过审查的方案分享给社区。达成这一项需要网民,研究者以及开发者三方一起沟通、努力、和配合。令人鼓舞的是,我们现在看到越来越多的人加入到这个协作之中,相互的配合也越来越默契顺畅。

  4. 提前开发备用的翻墙方案。我们看到GFW为了弥补自身灵活性的不足而想到在政治敏感时期前几天才使用新的秘密武器,杀网民一个措手不及。那我们是不是也可以用相同的思路,在平时多开发几种备用的翻墙方案,然后像这次的发布一样,到了敏感时期之前才发出?这样,就算是审查者中的技术人员马上发现了新工具中的缺陷,知道了如何反制,也还是需要经过漫长的研发周期。

感谢

我们感谢David Fifield对文章初稿的反馈。

联系我们

正如前文所说的,我们发帖的目的就是想引起用户,研究人员和开发者们的讨论。因此我们欢迎您或公开地或私下地与我们分享您的使用体验或想法。我们私下的联系方式可见GFW Report的页脚。

SekiBetu commented 1 year ago

概括:以量取胜,使用大量不同的协议来遏制gfw的服务器资源

Overview: Quantity wins, using a large number of different protocols to contain gfw's server resources

ghost commented 1 year ago

感谢!!不知对 TLS in TLS 的研究有任何结论或新的编译吗?

Thanks!!! I wonder if there are any conclusions or new compilations of the TLS in TLS research?

gfw-report commented 1 year ago

感谢!!不知对 TLS in TLS 的研究有任何结论或新的编译吗? Thanks!!! I wonder if there are any conclusions or new compilations of the TLS in TLS research?

You may want to take a look at this post and this thread.

ghost commented 1 year ago

概括:以量取胜,使用大量不同的协议来遏制gfw的服务器资源

Overview: Quantity wins, using a large number of different protocols to contain gfw's server resources

是的,这样做本质还是捉迷藏,并不能长期逃避审查。毕竟 Shadowsocks 一直有 数据熵较高 的特征。

Yes, intrinsically this modification is a kind of hide-and-seek and it can't be used to gight against the censorship in long term. The Shadowsocks protocol has a feature known as high data entropy after all.

shawokou123 commented 1 year ago

非常感谢,我使用这个方式在ipv6服务器上搭建完成,并可以使用。 只是在服务器端设置上,如果是纯ipv6服务器,需要将server设置改为: "server": "::",

Thank you very much, I used this to build it on an ipv6 server and it works. Just on the server side settings, if it is a pure ipv6 server, you need to change the server settings to "server": "::",

mckuhei commented 1 year ago

不懂就问,基于游戏流量(https://github.com/MCModuleStudio/Minecraft-tunnel-server )再加上加速器能否规避封杀

Ask if you don't understand, based on the game traffic (https://github.com/MCModuleStudio/Minecraft-tunnel-server ) plus accelerator can circumvent the blocking

klzgrad commented 1 year ago

Specifically, it is itself part of a large bureaucracy, which inevitably leads to inefficient internal operations and rigid behaviors.

I'd say it has been more efficient than before. It was a bureaucracy, but market forces have been introduced into the problem domain. Independent vendors compete to solve engineering challenges and optimize performance.

It is not hard to imagine that a new censorship weapon always has to go through the procedures of early-phase research, grants application, more formal scientific research, product development, debugging, surveying on real-world traffic, experimental deployment, and then the final nationwide large-scale deployment and use. The length of the process can take quite a long time.

Not always, probably not even close. The issue with the scientific workflow of censorship research was that the academic project lifecycle is very long and the deliverables are papers, not actual censorship systems and large scale results, and if there are any practical results, their ROIs are very unpredictable in both expenses and project schedule. That paradigm of censorship R&D being unsustainable doesn't mean there isn't another business mode that can make this work.

This is where I argue this area is now much more streamlined and efficient, because much of the censorship problems are no longer academic problems but industry engineering problems. The new variants of v2ray are not an interesting and novel academic research topic (blockchains, other new types of anonymous distributed networks may qualify for academic novelty). The variants are by nature not suited for the academic research workflow. It's entirely logical for these to be solved at the engineering level where a plethora of companies can compete to deal with the large diversity.

To compare the characteristics of the academic and industrial censorship R&D workflows:

Why is machine learning very popular in this area of problem. It is because machine learning is actually more efficient than human learning at dealing with diverse protocols. With human learning it requires a large number of experts with deep understanding in networks and protocols but the time and budget to deal with a particular circumvention tool is unpredictable. With machine learning there is no requirement for deep domain expertise, and the cost for good performance is linearly or sublinearly correlated to the amount of raw compute power and ML system tuning manpower invested. This makes a very good deal for decisionmakers because ROIs are quite measurable and predictable in this case compared to the academic workflow.

klzgrad commented 1 year ago

Some relatively easy ideas I gathered to improve TLS in TLS tunnel survivability:

lolyinseo commented 1 year ago

概括:以量取胜,使用大量不同的协议来遏制gfw的服务器资源

Overview: Quantity wins, using a large number of different protocols to contain gfw's server resources

Wrong strategy. Then GFW enough to detect "valid" protocols and block all the others.

ours1505 commented 1 year ago

https://hostloc.com/thread-1082330-1-1.html Here are some pictures that directly refer to GFW background analysis (maybe). In the first picture, we can see that WS, Trojan is identified. In the second picture, we can see the words naiveproxy, which can probably be identified accurately. In the third picture, we can see that the A100 GPU is enabled at the top, and the website or app visited by the naiveproxy is directly analyzed.

uruwasyo commented 1 year ago

After 3 hours of re-completing the manual,it still does not work,which is quite identical as before.

database64128 commented 1 year ago

@database64128 also implemented another way to bypass the censorship. Because the protocol is changed, it requires updating both client and server to use it.

I wouldn't call it a protocol change, since anyone can easily implement the idea as an SIP003 plugin. This feature was added for convenience. It is not and probably will never be a part of the protocol.

Modify payload ClientHello padding to include more random sized bytes to confuse traffic analysis. This requires no change to the tunnel protocol.

I have recently made the change in database64128/shadowsocks-go@d98e94db6de54663ef3823892f626bab030ff0d6 to pad initial payload by default.

Use simple random padding for the initial few round trips.

Use a full-blown model-parroting traffic shaper to confuscate packet size and timing

To make these possible, payload chunks in Shadowsocks TCP need to support padding. I've made plans to add it for Shadowsocks 2023:

Shadowsocks 2022 and before:

+----------------+
|  length chunk  |
+----------------+
| u16 big-endian |
+----------------+

+---------------+
| payload chunk |
+---------------+
|   variable    |
+---------------+

Shadowsocks 2023 (draft):

Length chunk:
+----------------------+----------------+
| payload chunk length | payload length |
+----------------------+----------------+
|    u16 big-endian    | u16 big-endian |
+----------------------+----------------+

Payload chunk:
+----------+----------+
| payload  | padding  |
+----------+----------+
| variable | variable |
+----------+----------+
diwenx commented 1 year ago

My apologies as I may have missed some discussion about this earlier, but I was under the impression that the recent blocking targets only TLS-based circumvention tools. Is shadowsocks also affected? I've two Outline servers that my friends in mainland have been using over 6 months and both of them survived the recent blocking. Is this patch preemptive?

cross-hello commented 1 year ago

It is more likely based on luck. We all survive during the time. תודה לאל.

Oct 16, 2022 09:24:14 diwenx @.***>:

My apologies as I may have missed some discussion about this earlier, but I was under the impression that the recent blocking targets only TLS-based circumvention tools. Is shadowsocks also affected? I've two Outline servers that my friends in mainland have been using over 6 months and both of them survived the recent blocking. Is this patch preemptive?

— Reply to this email directly, view it on GitHub[https://github.com/net4people/bbs/issues/136#issuecomment-1279866603], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AKGBAYF23D6KOZ3AUK2QJHLWDNKL5ANCNFSM6AAAAAARFWQNI4]. You are receiving this because you are subscribed to this thread.[Tracking image][https://github.com/notifications/beacon/AKGBAYCO6GCX5V3GGAI7XOTWDNKL5A5CNFSM6AAAAAARFWQNI6WGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTSMJE3OW.gif]Message ID: @.***>

HezeCaoxian commented 1 year ago

昨天晚上11:20按群友建议购买了2台lightsail, 在配置翻墙前测试了IP都是干净的,都正常,没有被墙。 第一台配置了上面的shadowsocks,端口20060,加密方式aes-256-gcm 第二台配置了上面的shadowsocks,端口8878,加密方式chacha20-ietf-poly1305

客户端是Windows虚拟机新安装的系统, 访问内容是telegram客户端和youtube, 第一台在10.16早上9:40被墙端口,使用流量4.61GB,换端口到50505后,10:14被墙IP,使用流量341MB 换到第二台使用,11:09被墙IP,使用流量455MB

Last night at 11:20 as suggested by the group purchased 2 lightsail. In the configuration of the wall before the test IP are clean, are normal, not walled. The first configured the above shadowsocks, port 20060, encryption method aes-256-gcm The second configured the above shadowsocks, port 8878, encryption method chacha20-ietf-poly1305

The client is a new installation of the Windows virtual machine. The access to the content is telegram client and youtube. The first one was walled at 9:40am on 10.16, using 4.61GB of traffic, after changing the port to 50505, the IP was walled at 10:14, using 341MB of traffic. After switching to the second one, at 11:09, the IP was walled, using 455MB of traffic.

liujunjia1996 commented 1 year ago

我昨天中午部署的,使用流量1g左右,暂时没有被墙,但是感觉不怎么好用啊

I deployed it yesterday at noon, using about 1g of traffic, and it's not walled for now, but it doesn't feel like it's working very well

SekiBetu commented 1 year ago

概括:以量取胜,使用大量不同的协议来遏制gfw的服务器资源 Overview: Quantity wins, using a large number of different protocols to contain gfw's server resources

Wrong strategy. Then GFW enough to detect "valid" protocols and block all the others.

That's whitelisting, not in the scope of discussion

klzgrad commented 1 year ago

So I will mark these screenshots as suspicious.

I'll take these as bug reports.

gfw-report commented 1 year ago

HezeCaoxian:

昨天晚上11:20按群友建议购买了2台lightsail, 在配置翻墙前测试了IP都是干净的,都正常,没有被墙。 第一台配置了上面的shadowsocks,端口20060,加密方式aes-256-gcm 第二台配置了上面的shadowsocks,端口8878,加密方式chacha20-ietf-poly1305

客户端是Windows虚拟机新安装的系统, 访问内容是telegram客户端和youtube, 第一台在10.16早上9:40被墙端口,使用流量4.61GB,换端口到50505后,10:14被墙IP,使用流量341MB 换到第二台使用,11:09被墙IP,使用流量455MB

非常感谢您的报告。这样的用户报告及时、准确、详实,帮我们排除了很多其他可能性。我们现在立刻开始调查。

Thank you very much for your report. User reports like this are timely, accurate, and detailed, and help us rule out many other possibilities. We are now starting our investigation immediately.

gfw-report commented 1 year ago

My apologies as I may have missed some discussion about this earlier, but I was under the impression that the recent blocking targets only TLS-based circumvention tools. Is shadowsocks also affected?

Good question! The GFW has been able to accurately detect and block Shadowsocks, VMess, and Obfs4, and many other fully-encrypted protocols since November, 2022.

There are at least two ways the GFW blocks these protocols: immediate dynamic blocking of ports and relatively long term static IP or port blocking.

We know dynamic blocking has only been applied to connections from China to the IP subsets of many popular data centers like Amazon Lightsail, Digital Ocean and Alibaba cloud. They selectively deployed this technique for probably two reasons:

1) The censor knows their detection algorithm has a relatively high false positive and is not willing to harm 0.6% non-circumvention traffic; 2) Having a tight control over these VPS providers' IP subnet is sufficient to disrupt most users' connections. This is due to the nature that most of the Chinese users can only rent from a few VPS providers that accept payment methods they have.

How do you know if a certain IP address is under dynamic blocking? Try sending some random payload from China to an open port of that IP address:

head -c 100 /dev/urandom | nc -vn $ip $port

If after executing the command several times, your connections got timeout for 120 or 180 seconds, then you can confirm that the IP you tested is within the GFW's dynamic blocking IP subnets.

I've two Outline servers that my friends in mainland have been using over 6 months and both of them survived the recent blocking.

Thanks for your report. Are your servers located within one of those big name VPS providers? Or are you hosting them at some residential or institutional IP addresses that often do not have circumvention servers hosted?

wkrp commented 1 year ago

To make these possible, payload chunks in Shadowsocks TCP need to support padding.

@database64128 maybe you know already, but it is possible to implement padding in Shadowsocks AEAD with no protocol changes.

https://github.com/net4people/bbs/issues/101#issuecomment-1023558732

Something similar is possible with Shadowsocks AEAD ciphers using encryptions of empty plaintexts, even though Shadowsocks doesn't have explicit support for padding. I heard this idea from @fortuna. When you need a source of bytes for padding, you can encrypt a zero-length plaintext, which gives you 34 bytes that decrypt to nothing: 2 bytes encrypted length field, 16 bytes length field authentication tag, 0 bytes encrypted payload, 16 bytes payload authentication tag. You can concatenate as many of these empty ciphertexts as you need to satisfy the traffic schedule.

Let's say you want to add npadding bytes of padding to an existing current_packet before sending. You encrypt enough empty plaintexts to make at least npadding bytes and append the first npadding bytes to the packet. The excess bytes become the beginning of the next packet to send.

padding = ""
while len(padding) < npadding:
    padding += shadowsocks_aead_encrypt("")
current_packet += padding[:npadding]
next_packet = padding[npadding:]
send(current_packet)
diwenx commented 1 year ago

Thanks for your report. Are your servers located within one of those big name VPS providers? Or are you hosting them at some residential or institutional IP addresses that often do not have circumvention servers hosted?

Thank you for the information. In fact, right after I posted yesterday they got IP blocked. I guess I run out of luck eventually. They were rented from profitserver.net and located in Netherlands and Russia, respectively.

I'll set up new servers following the instructions provided here. Is there any additional steps I should consider (e.g., collecting pcaps for suspicious probes) to help investigate how they do blocking?

fortuna commented 1 year ago

@gfw-report Could you clarify what the change you made to shadowsocks is?

database64128 commented 1 year ago

@wkrp Thank you for letting me know. This workaround doesn't sound very flexible. The padding length is limited to multiples of 34. And it takes 2 read() calls for the server to process each 34-byte padding. My implementation also explicitly rejects empty payload chunks, which I do not plan to change.

I've seen more than a few developers in the Shadowsocks community with the sentiment that we must avoid protocol changes at all costs, that protocol changes won't be accepted by downstream developers or users. If anything, my experience with Shadowsocks 2022 has taught me otherwise. People want new protocols to experiment with. People are concerned about the fact that we keep introducing hacks and workarounds to "improve" Shadowsocks AEAD. The end result is a fragmented, divided community, where new developers start their own small circles, instead of joining existing ones, even though we all share the same goal of circumventing censorship.

Sometimes protocol changes are necessary. At this point, I consider recommending Shadowsocks AEAD to users to be irresponsible, because of the known vulnerabilities. Like @gfw-report said, it's a cat-and-mouse game. The protocol needs to rapidly iterate when faced with new challenges.

database64128 commented 1 year ago

We are now starting our investigation immediately.

@gfw-report In case you didn't already know and it might be helpful to your investigation, shadowsocks-rust by default only enables Shadowsocks 2022's replay protection. The bloom filter for older AEAD and stream ciphers is disabled by default.

gfw-report commented 1 year ago

diwenx:

I'll set up new servers following the instructions provided here. Is there any additional steps I should consider (e.g., collecting pcaps for suspicious probes) to help investigate how they do blocking?

Yes, that would be very helpful because the more eyes we have, the more likely and quickly we spot any new censorship actions.

gfw-report commented 1 year ago

database64128:

shadowsocks-rust by default only enables Shadowsocks 2022's replay protection. The bloom filter for older AEAD and stream ciphers is disabled by default.

Thanks for the heads up. As soon as we support this encoding scheme on Shadowsocks 2022, we can start recommending users to use Shadowsocks-2022. Any help to implement it is more than welcome!

BTW, in case you are concerned about the active probing vulnerability, this modified Shadowsocks has been proved to be able to evade the current active probings because the GFW doesn't suspect its traffic in the first place.

wkrp commented 1 year ago

This workaround doesn't sound very flexible. The padding length is limited to multiples of 34.

I can respect your development decisions, but I believe you are mistaken on this point. There is no requirement that TCP segment boundaries be aligned with AEAD ciphertext boundaries. For example, if you need 75 bytes of padding for the current segment, you can generate 102 bytes and only use the first 75 bytes of it for the current segment. The remaining 27 bytes become the beginning of the next segment. (In general, you keep a buffer of available data. If you want to send a segment that's smaller than the amount of data in the buffer, you break off the head of the buffer and only send that. If you want to send a segment that's larger than the buffer, you increase the size of the buffer with padding ciphertexts until it is sufficiently large.)

You are correct, however, that the receiver can only consume the padding 34 bytes at a time, which for large amounts of padding means many recv system calls and verify+decrypt operations.

database64128 commented 1 year ago

For example, if you need 75 bytes of padding for the current segment, you can generate 102 bytes and only use the first 75 bytes of it for the current segment. The remaining 27 bytes become the beginning of the next segment.

Unless the proxy program runs its own TCP stack (which could create its own problems (e.g. fingerprinting of the TCP stack)), I don't think it's realistic to control TCP segment boundaries during mass payload transfers.

I can respect your development decisions, but I believe you are mistaken on this point.

I think you misunderstood what I meant. My understanding is that the proxy program might want to add padding between individual payload chunks to change the characteristics of outgoing TCP segment sizes. And that works best when you can add as many bytes of padding as you want. Your proposed method of doing smaller writes cannot guarantee smaller TCP segments, even if you enable TCP_NODELAY.

Kimberlysz commented 1 year ago

I started using these tutorials to build up my VPS, then some my servers add v2ray applications (wss: websocket+tls+vmess)

tutorials in sequence

recently I found out using JARM

And this is the JARM result (server 1) JARM: 15d3fd16d29d29d00042d43d000000fe02290512647416dcf0a400ccbc0b6b After check at the https://fofa.info/, I found out a result of such.

JARM1

I had 2 servers using this method (wss: websocket+tls+vmess), server 1: blocked at 2022-10-03 3-4pm; blocked at 2022-10-06 3-4pm; blocked one more time between 2022-10-07 to 2022-10-10, and since then no block, same method, v2ray version ver5.10.0 (maybe, not sure)

server 2: blocked at 2022-10-03 3-4pm; blocked at 2022-10-06 3-4pm; blocked several times, at least 2022-10-09, 2022-10-10, 2022-10-11, 2022-10-12, 2022-10-13,

Then at 2022-10-14 I changed to v2fly.org ws+tls+vmess (url: https://guide.v2fly.org/advanced/wss_and_web.html) , and this is the JARM result: JARM: 2ad2ad0002ad2ad22c42d42d000000baee6456a90c4706c37778b7ac8d25d4

JARM2

it has 9504 fit results, but since then this server never gets blocked,

I just wanna share my status now.

I have a question, according to some of the resources (https://youtu.be/F2VsjS6fybs, time at 14m10s), so with server 1 JARM results - a good JARM blend-in, server 1 still got blocked several times from 2022-10-03 to 2022-10-10.

So, what's the relationship between this JARM and tls in tls detection? Kindly if you could let me know, that would be great.

free-the-internet commented 1 year ago

How much is the Iranian and Chinese DPI and GFW are similar? Does this mean that they are sharing the censor tools and technologies?

@wkrp Do you have a new study case which addresses how Iran is blocking the Internet? Using no-UPDATE in BGP, or route WITHDRAWALS or DPI or IP blocking or DNS blocking? For me the BGP manipulations is the most scary one which is close to cutting the wires!

lajiburner commented 1 year ago

Just my 2 cents on cat and mouse game.

I highly commend the idea to develop and deploy large number of imperfect circumvention tools with different characteristics to fight the censorship. We don't need and there won't be such a thing as "perfect software", because political stability is the utter most important need of an authoritarian government, should anything comes along that is flawless, it is not hard to imagine them pulling the plug and whip out whitelist strategy, or at least resort to much more brute forced way such as traffic limit or simply go with a stricter rule that has massive collateral damage.

What we can do is drain their resources and slowly whittle them down. We can never beat them. And that is the point.

free-the-internet commented 1 year ago

We worked with other researchers to discover that the current GFW utilizes a number of different rules to identify fully encrypted protocols like Shadowsocks, VMesss, and Obfs4. One of these rules takes advantage of the fact that the ratio of 0 bit to 1 bit in these encrypted flows is close to 1:1. Therefore, if we add more 0s or 1s to the encrypted traffic and then rearrange the bit sequence, we can achieve the goal of changing the original ratio feature to bypass detection and blocking.

How do I use this modified Shadowsocks?

This modified version of Shadowsocks is based on Shadowsocks-rust, and we also make use of Shadowsocks-android to compile the apk files for Android users. All client and server side software can be found at this branch and this release.

Good job on the research and the detective work. I tested this in Iran and while it did made a connection successfully, I experienced an unstable connection with many packet drops! Also tried lowering my MTU but to no avail!

Right now the only method that works for me is Xray with the commit #93c7ebe38245a44fb8d7f029677a16e9def1187c that brings uTLS support to HTTP2 transport, hopefully they release new binaries and Docker images soon. Note: you have to supply "fingerprint": "chrome" # or "firefox" in the tlsSettings section in config.json.

Thanks for information. Could you provide a link with help to set up config.json (specially exact protocol from this list https://github.com/XTLS/Xray-examples)? I have problem with tls settings and certificate files. It seems we need to register a domain, is it true?

ghost commented 1 year ago

@free-the-internet try compiling from source, obtaining a certificate, and configuring something like this:

Server

{
  "log": {
    "loglevel": "warning",
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log"
  },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "e1705bfe-18f9-4821-9818-f3caa8ecc396",
            "alterId": 0
          }
        ]
      },
      "streamSettings": {
        "network": "h2",
        "httpSettings": { 
          "path": "/ray"
        },
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificateFile": "/etc/letsencrypt/live/www.example.com/fullchain.pem", 
              "keyFile": "/etc/letsencrypt/live/www.example.com/privkey.pem" 
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

Client

{
  "inbounds": [
    {
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "www.example.com",
            "port": 443,
            "users": [
              {
                "id": "e1705bfe-18f9-4821-9818-f3caa8ecc396",
                "alterId": 0
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "h2",
        "httpSettings": { 
          "path": "/ray"
        },
        "security": "tls",
        "tlsSettings" : {
          "fingerprint": "chrome"
        }
      }
    }
  ]
}
free-the-internet commented 1 year ago

@free-the-internet try compiling from source, obtaining a certificate, and configuring something like this:

Server

{
  "log": {
    "loglevel": "warning",
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log"
  },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "e1705bfe-18f9-4821-9818-f3caa8ecc396",
            "alterId": 0
          }
        ]
      },
      "streamSettings": {
        "network": "h2",
        "httpSettings": { 
          "path": "/ray"
        },
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificateFile": "/etc/letsencrypt/live/www.example.com/fullchain.pem", 
              "keyFile": "/etc/letsencrypt/live/www.example.com/privkey.pem" 
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

Client

{
  "inbounds": [
    {
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "www.example.com",
            "port": 443,
            "users": [
              {
                "id": "e1705bfe-18f9-4821-9818-f3caa8ecc396",
                "alterId": 0
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "h2",
        "httpSettings": { 
          "path": "/ray"
        },
        "security": "tls",
        "tlsSettings" : {
          "fingerprint": "chrome"
        }
      }
    }
  ]
}

Thanks a lot. Can I obtain certificate from cloudflare for free domains and use them (they may blocked in Iran (dyndns, .freenom, etc))?

wkrp commented 1 year ago

Do you have a new study case which addresses how Iran is blocking the Internet?

@free-the-internet some available reports are in the main thread: #125. It is a changing situation, so no comprehensive report exists yet.

Long report about the 2019 shutdown:

ghost commented 1 year ago

Same as the initial instructions, but with screenshots for Windows users.

Installing the Server

The installation process is the same as installing any other Shadowsocks-rust server.

First you login to your remote server, and then get the server binary with:

wget https://github.com/gfw-report/shadowsocks-rust/releases/download/v0.0.1-beta/shadowsocks-v1.15.0-alpha.9.x86_64-unknown-linux-gnu.tar.xz
tar xvf shadowsocks-v1.15.0-alpha.9.x86_64-unknown-linux-gnu.tar.xz

Then you create a configuration file:

sudo nano server_config.json

Copy and paste the following settings to the file. Note that you need to replace the password ExamplePassword with a much stronger one. A handy way to do this from your terminal is: openssl rand -base64 16. You may also want to change the server_port.

{
  "server": "0.0.0.0",
  "server_port": 8388,
  "password": "ExamplePassword",
  "method": "aes-256-gcm"
}

ss136-1

After finishing editing, you type Ctrl + x to exit. The text editor will ask Save modified buffer?, and you can type y and then hit Enter.

Now you can start running the binary with the configuration file, but to make it work even after you ended your SSH session, you may want to create a tmux session by:

sudo apt install tmux

tmux

You then do:

./ssserver -c ./server_config.json

ss136-2

Finally, type Ctrl + b and then type d to detach from the tmux session.

Firewall Configuration

We use ufw to open ports for the Shadowsocks server.

To install ufw on a Debian-based server:

sudo apt update && sudo apt install -y ufw

Then open ports for ssh and Shadowsocks-rust. Note that if you set the server_port to a value different than 8388 in server_config.json, you need to change the value 8388 below accordingly:

sudo ufw allow ssh

sudo ufw allow 8388

Now enable ufw:

sudo ufw enable

If it prompts Command may disrupt existing ssh connections. Proceed with operation (y|n)?, type y and hit Enter.

Finally, run sudo ufw status, and the output should look like this:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8388                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8388 (v6)                  ALLOW       Anywhere (v6)

ss136-3

Client Side Configuration

Download the appropriate file from https://github.com/gfw-report/shadowsocks-rust/releases.

For 64-bit Windows, you will download shadowsocks-v1.15.0-alpha.9.x86_64-pc-windows-msvc.zip.

Unzip the zip file.

ss136-4

Below is a configuration file for client. Remember to change the server value from ExampleServerIP to your remote server's public IP address. If you used Android and installed from the apk file we provided, the usage should be the same as usual.

{
    "server": "ExampleServerIP",
    "server_port": 8388,
    "password": "ExamplePassword",
    "method": "aes-256-gcm",
    "local_address": "127.0.0.1",
    "local_port": 1080
}

Save this file as client_config.json in the same folder as the five Shadowsocks-rust component executables.

ss136-5

Open a command prompt window (Win+r, cmd, Enter).

Change into the folder Downloads\hadowsocks-v1.15.0-alpha.9.x86_64-pc-windows-msvc.

Start the Shadowsocks-rust client running:

sslocal.exe -c client_config.json

Leave the command prompt window open.

ss136-6

In Chrome browser, install SwitchyOmega extension from Chrome Web Store.

Set proxy to SOCKS5 on 127.0.0.1 port 1080.

Click Apply changes.

ss136-7

Turn proxy on (by default, a pale blue icon).

Visit https://ipchicken.com.

ss136-8

gfw-report commented 1 year ago

Thank you for spending time and effort to make this tutorial on how to use it on Windows, @freejohn123. It is really encouraging to see that we can work towards a better tutorial together.

Can we merge your tutorial and put your name on it, too?

free-the-internet commented 1 year ago

@freejohn123 I think its better to open a github pages or whatever, and put all the this things there. It would be a good source of information for people who are starters. Thanks for sharing the information.

ghost commented 1 year ago

Can we merge your tutorial and put your name on it, too?

Yes, @gfw-report, please use it as you wish.

ghost commented 1 year ago

I think its better to open a github pages or whatever, and put all the this things there. It would be a good source of information for people who are starters. Thanks for sharing the information.

@free-the-internet Post extracted to https://freejohn123.github.io/2022/10/18/sharing-a-modified-shadowsocks.html

free-the-internet commented 1 year ago

@free-the-internet try compiling from source, obtaining a certificate, and configuring something like this:

Server

{
  "log": {
    "loglevel": "warning",
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log"
  },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "e1705bfe-18f9-4821-9818-f3caa8ecc396",
            "alterId": 0
          }
        ]
      },
      "streamSettings": {
        "network": "h2",
        "httpSettings": { 
          "path": "/ray"
        },
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificateFile": "/etc/letsencrypt/live/www.example.com/fullchain.pem", 
              "keyFile": "/etc/letsencrypt/live/www.example.com/privkey.pem" 
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

Client

{
  "inbounds": [
    {
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "www.example.com",
            "port": 443,
            "users": [
              {
                "id": "e1705bfe-18f9-4821-9818-f3caa8ecc396",
                "alterId": 0
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "h2",
        "httpSettings": { 
          "path": "/ray"
        },
        "security": "tls",
        "tlsSettings" : {
          "fingerprint": "chrome"
        }
      }
    }
  ]
}

I've got a free domain from freenom, I used letsEncrypt to have a certificate, then I added the domain to cloudflare and set my server IP there. After this, I entered the given nameservers by cloudflare in freenom domain management. Now, if I run my webserver, I see a webpage with valid TLS/SSL enabled in the browser. Since I want to use port 443, I need to stop webserver. Then I run the xray with the given config (of course I replaced the needed fields in the config file), and I checked the debug level error logs. I see the server is up and running without any error. But the problem is the client on windows machine. In fact I used your config file and modified it my server information. The problem is that when I add it the the latest v2rayN, I don't see the related information in the v2RayN GUI columns. image

More importantly, I can not connect to my server, in fact I don't see any activity in the logs at server side. At client side I can't open a web page with provided client port in Firefox. Could you help me, please?

And, if it is possible, at the same GitHub pages, it would be very nice to create a tutorial for vmess + h2 + tls + cdn. It seems we are going to need it in the very near future.

Thanks for support. FreeInternet

free-the-internet commented 1 year ago

Do you have a new study case which addresses how Iran is blocking the Internet?

@free-the-internet some available reports are in the main thread: #125. It is a changing situation, so no comprehensive report exists yet.

Long report about the 2019 shutdown:

Thanks a lot. Are there any evidence about the BGP manipulations ?

ghost commented 1 year ago

@free-the-internet This is what worked for me:

https://freejohn123.github.io/2022/10/19/xray-from-source.html

I didn't use a CDN because I've had problems in the past with Cloudflare not accepting free domain names. I don't know if that has changed. Also, I manually keyed in my client config. Screenshot enclosed in the post.

ghost commented 1 year ago

@free-the-internet By the way, the server in that post is still there. I can leave it up until 23:59 UTC on 2022-10-20 in case you want to test its reachability from your client. The v2rayN client config is in the post.

free-the-internet commented 1 year ago

@free-the-internet By the way, the server in that post is still there. I can leave it up until 23:59 UTC on 2022-10-20 in case you want to test its reachability from your client. The v2rayN client config is in the post.

@free-the-internet This is what worked for me: https://freejohn123.github.io/2022/10/19/xray-from-source.html I didn't use a CDN because I've had problems in the past with Cloudflare not accepting free domain names. I don't know if that has changed. Also, I manually keyed in my client config. Screenshot enclosed in the post.

This saved my day. I had 3 problems:

Using CDNs, I guess, should be very effective as I read this way, the real IP is hidden from the [G]FW. Have you tried it in Iran?

ghost commented 1 year ago

@free-the-internet Thanks. I've added Address to the table that accompanies the v2rayN client screenshot. No, I haven't tried using a CDN.

free-the-internet commented 1 year ago

@free-the-internet Thanks. I've added Address to the table that accompanies the v2rayN client screenshot. No, I haven't tried using a CDN.

Seems CloudFlare does not support back to origin with h2.

SheepChef commented 1 year ago

@free-the-internet By the way, the server in that post is still there. I can leave it up until 23:59 UTC on 2022-10-20 in case you want to test its reachability from your client. The v2rayN client config is in the post.

@free-the-internet This is what worked for me: https://freejohn123.github.io/2022/10/19/xray-from-source.html I didn't use a CDN because I've had problems in the past with Cloudflare not accepting free domain names. I don't know if that has changed. Also, I manually keyed in my client config. Screenshot enclosed in the post.

This saved my day. I had 3 problems:

  • I used CDN with according to https://guide.v2fly.org/en_US/advanced/h2.html it doesn't work with CDN. But, websocket is working with CDNs I guess.
  • I used my domain name without www for the address field in client side. By the way, your screenshot is correct for the client config, but in the table, address field is missing.
  • I didn't include SNI

Using CDNs, I guess, should be very effective as I read this way, the real IP is hidden from the [G]FW. Have you tried it in Iran?

Well, The reason why CDN is currently available to bypass the censorship is that there are many legal(official) websites running through CloudFlare, such as the Hong Kong government official website. Thus, there is no TLS or other complex censorship but only SNI censorship for the connection towards CloudFlare so that you can use CDN to completely bypass the censorship. Sure, your server's IP is hidden behind CDN, so unless GFW blocks your domain or CloudFlare itself, the real connection won't be affected. Besides, CloudFlare only accepts regular HTTP(S) or Websocket connections. So Shadowsocks and Trojan don't support it. And, CloudFlare only allow the connections passing through a few specific ports, such as 2032, 80, 443, so you can't connect through an abnormal port. Additionally, using CloudFlare as a proxy agent violates the terms of services of CloudFlare, so there is a risk that your account gets banned.