net4people / bbs

Forum for discussing Internet censorship circumvention

SSTP is not blocked in Iran? #146

Open free-the-internet opened 1 year ago

free-the-internet commented 1 year ago

I am wondering how/why SSTP VPNs created by SoftEther are not blocked in Iran (BTW this is very good news), while many other obfuscated VPNs, including Tor, Shadowsocks, V2Ray and numerous others, were blocked. We know that it's already blocked in China, so it shouldn't be hard for Iran's regime to block it.

Do you have any idea?

wkrp commented 1 year ago

That's interesting information. SSTP should be TLS on the wire, correct?

How do you know SSTP is not being blocked? Do you know if it was on port 443, or different ports? Are SSTP connections being throttled, as other traffic is reportedly throttled?

It may have something to do with TLS fingerprint, as turned out to be the case with #131. I could be mistaken, but I thought SSTP was a built-in feature of the Windows OS, which could conceivably make it special regarding its TLS fingerprint.

https://github.com/net4people/bbs/issues/12#issuecomment-533749845 has some hints about testing VPN Gate proxies using a VM or Linux network namespaces. If possible, it would be nice to get a pcap of the beginning of an SSTP connection, to check its TLS fingerprint or any other features that may be important.

free-the-internet commented 1 year ago

That's interesting information. SSTP should be TLS on the wire, correct?

Correct.

How do you know SSTP is not being blocked? Do you know if it was on port 443, or different ports? Are SSTP connections being throttled, as other traffic is reportedly throttled?

I see people are using VPN Gate (SoftEther) SSTP VPNs. Apparently they don't use port 443. Instead they are using 995, 1300, etc. I don't have any information regarding throttling of SSTP, but I received some reports that on the MCI mobile operator, Orbot, Psiphon, and even V2Ray connections are throttled down to a few KB and eventually users are not able to open a page. See this comment as confirmation.

For V2Ray, using DSL connections, TLS handshakes towards the same server are cut in the middle, but this happens only a few times a day; users can try a few moments later and they recover.

#12 (comment) has some hints about testing VPN Gate proxies using a VM or Linux network namespaces. If possible, it would be nice to get a pcap of the beginning of an SSTP connection, to check its TLS fingerprint or any other features that may be important.

This is a great idea. Let me see if I can set up SSTP on a VM tomorrow, and then I will share the pcap.

free-the-internet commented 1 year ago

Another piece of information: obfs4 bridges seem completely blocked in Iran. I tested it with a private bridge by myself. (The server is reachable via V2Ray, but Tor or Orbot cannot connect to it via obfs4. Maybe they can connect only to the bridge, but can't continue to Tor (I'm not sure what to say here)).

Snowflake is working.

GibMeMyPacket commented 1 year ago

I tested it with a private bridge by myself. (The server is reachable via V2Ray, but Tor or Orbot cannot connect to it via obfs4

As you seem to have a server and have already set things up, would you please confirm #142?

free-the-internet commented 1 year ago

@wkrp Please find a capture of an SSTP connection from an Ubuntu VM using the Linux SSTP client from ppa:eivnaes/network-manager-sstp: sstp_linux_client_cap.zip

I guess most of the people in Iran are using Windows machines, so it would be great if they also provided samples. If this capture is not sufficient for checking, then I would like to install Windows on a VM.

Note the TLSv1.3 after the Client Hello. This VM does not use an Internet connection from Iran. I'm not sure if a TLSv1.3 handshake can happen in Iran.

free-the-internet commented 1 year ago

I tested it with a private bridge by myself. (The server is reachable via V2Ray, but Tor or Orbot cannot connect to it via obfs4

As you seem to have a server and have already set things up, would you please confirm #142?

I read your comments. I think Shadowsocks is blocked in Iran, but as @wkrp said, maybe they blocked it only in some regions of the country. But if I have time in the next few days, I can test it. Do you have a V2Ray setup working on the same server where you have the "non-working" Shadowsocks? If yes, please test with Vmess + h2 + TLS. Do not use free domains; as far as I know .ga, .tk and some others are simply blocked. Better to use the one you already have, and make sure it is not blocked and is pointing to the correct address.

wkrp commented 1 year ago

Thanks for the pcap. The Client Hello fingerprint is ca2bec441ddb5066, which evidently is unattested in the tlsfingerprint.io data.

It looks like network-manager-sstp uses GnuTLS for its TLS implementation, which explains the uncommon fingerprint.

Thinking like a censor, you would want to prioritize traffic features that match a large amount of circumvention traffic (without matching too much non-circumvention traffic). Go is a popular language for writing circumvention tools, so it makes sense that the Go crypto/tls fingerprint would be targeted for blocking comparatively early. If GnuTLS fingerprints account for only a small amount of traffic, then it makes sense they would not immediately be targeted by a censor. But the other side of that is that the fingerprint is easy for a censor to block, because there is little risk of overblocking.

That's one possible explanation. It could come down to TLS fingerprint. But there could be some other feature of SSTP connections that makes them less likely to be blocked (if indeed it's a reproducible observation that SSTP is less blocked).
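To make the "Client Hello fingerprint" discussion concrete (and the earlier remark about TLS 1.3 showing up after the Client Hello), here is an added example that is not part of the thread and not the tlsfingerprint.io tooling: it parses a raw TLS ClientHello record of the kind you would pull out of the pcap's first client packet, reports which versions the client offers via supported_versions, and computes a JA3-style fingerprint (MD5 of version, cipher suites, extension types, supported groups and point formats, GREASE values dropped). JA3 is a different scheme from the tlsfingerprint.io identifier quoted above, so the hashes will not match; the sample ClientHello is constructed in the block itself.

```python
"""Parse a TLS ClientHello and compute a JA3-style fingerprint (added example)."""
import hashlib
import struct

EXT_SNI, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS, EXT_SUPPORTED_VERSIONS = 0, 10, 11, 43


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values look like 0x?a?a; fingerprint schemes drop them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(version, ciphers, extensions):
    """Assemble a minimal ClientHello record from components (constructed test input)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def sni_ext(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack(">H", len(name)) + name        # name_type host_name(0)
    return struct.pack(">H", len(entry)) + entry


def u16_list_ext(values) -> bytes:
    return struct.pack(">H", 2 * len(values)) + b"".join(struct.pack(">H", v) for v in values)


def parse_client_hello(record: bytes) -> dict:
    """Walk the record and handshake headers; return version, cipher list and raw extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                                 # skip client random
    pos += 1 + body[pos]                                          # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                          # skip compression methods
    extensions = []
    if pos + 2 <= len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            extensions.append((ext_type, body[pos:pos + ext_size]))
            pos += ext_size
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


def supported_versions(hello: dict):
    """Versions offered in supported_versions; 0x0304 here is what a TLS 1.3 capable client sends."""
    for t, data in hello["extensions"]:
        if t == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            return [v for v in struct.unpack(f">{n // 2}H", data[1:1 + n]) if not is_grease(v)]
    return []


def ja3(hello: dict):
    """JA3 string 'version,ciphers,extensions,groups,point_formats' and its MD5 hex digest."""
    groups, formats = [], []
    for t, data in hello["extensions"]:
        if t == EXT_SUPPORTED_GROUPS:
            n = struct.unpack(">H", data[:2])[0]
            groups = [g for g in struct.unpack(f">{n // 2}H", data[2:2 + n]) if not is_grease(g)]
        elif t == EXT_EC_POINT_FORMATS:
            formats = list(data[1:1 + data[0]])
    text = ",".join([
        str(hello["version"]),
        "-".join(str(c) for c in hello["ciphers"] if not is_grease(c)),
        "-".join(str(t) for t, _ in hello["extensions"] if not is_grease(t)),
        "-".join(str(g) for g in groups),
        "-".join(str(f) for f in formats),
    ])
    return text, hashlib.md5(text.encode()).hexdigest()


# Constructed sample: TLS 1.3-capable hello with one GREASE cipher and one GREASE extension.
SAMPLE = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
    [
        (0x1A1A, b""),
        (EXT_SNI, sni_ext("example.com")),
        (EXT_SUPPORTED_GROUPS, u16_list_ext([0x001D, 0x0017])),
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),
        (EXT_SUPPORTED_VERSIONS, b"\x04" + struct.pack(">HH", 0x0304, 0x0303)),
    ],
)

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE)
    print("offers TLS 1.3:", 0x0304 in supported_versions(hello))
    print("JA3:", *ja3(hello))
```

Two things worth keeping in mind when you run this on a real capture: the fingerprint is computed over the first client-to-server TLS record only, so extract exactly that payload from the pcap, and every TLS library orders cipher suites and extensions differently, which is why a GnuTLS client and a Go crypto/tls client land on different fingerprints even when they negotiate the same cipher.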

wkrp commented 1 year ago

Another piece of information: obfs4 bridges seem completely blocked in Iran. I tested it with a private bridge by myself. (The server is reachable via V2Ray, but Tor or Orbot cannot connect to it via obfs4.)

Was the V2Ray connection using Vmess, or some other protocol? A good test would be to try Shadowsocks or Vmess to the same server, because they have similar characteristics as obfs4.

There was a note early on, on the Tor bug tracker, about possible obfs4 blocking. The test was a little unusual in that it was testing the reachability of an obfs4 server in Iran from a client outside Iran.

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/96#note_2838730

We have the following hypothesis on the nature of the censorship: it could be blocked by entropy (targeting all random-looking protocols) or blocked by obfs4 identifiers such as the one we have already fixed.

It's weird, today it works. I can both connect to our Iranian bridge and, from Iran, connect to several bridges I have around. Maybe they have relaxed the block or we got some temporary error the other day.

There are some bugs that make obfs4 distinguishable from random, with high probability given a small number (≈10) of passive observations. Two I know were fixed in obfs4proxy-0.0.12; one more was fixed in obfs4proxy-0.0.14. If the censors are really using these distinguishers, I would be impressed, but it is a possibility. The flaws exist for both the client and the server, so both ends need to be upgraded if they want to be indistinguishable from random.
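The quoted note raises "blocked by entropy" as one hypothesis for how a censor might catch obfs4. The following is an added example, not from the thread, the Tor tracker or obfs4proxy, showing what such a heuristic looks like when run over the first few client payloads of a flow: anything carrying a recognisable plaintext header (TLS record header, HTTP request line, SSH banner) is passed through, and a flow is flagged as random-looking only if its first N client payloads all have Shannon entropy above a threshold. The sample flows, the 7.0 bits/byte threshold and the three-observation window are constructed assumptions, not measurements of Iranian traffic.

```python
"""Entropy heuristic for flagging fully randomized protocols (added example, constructed data)."""
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for obfs4 ciphertext (constructed)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Plaintext headers a censor can match before bothering with entropy at all.
KNOWN_HEADERS = {
    "tls": lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] in (0x01, 0x02, 0x03),
    "http": lambda p: p[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") or p.startswith(b"HTTP/"),
    "ssh": lambda p: p.startswith(b"SSH-"),
}


def classify_flow(client_payloads, threshold=7.0, observations=3):
    """Classify a flow from its first client-to-server payloads.

    Returns ("known", proto) if the first payload carries a recognisable header,
    ("random", mean_entropy) if `observations` payloads were seen and all exceed
    `threshold` bits/byte, and ("other", mean_entropy) otherwise.
    """
    if not client_payloads:
        return ("other", 0.0)
    first = client_payloads[0]
    for name, match in KNOWN_HEADERS.items():
        if match(first):
            return ("known", name)
    sample = client_payloads[:observations]
    ents = [shannon_entropy(p) for p in sample]
    mean = sum(ents) / len(ents)
    if len(sample) == observations and all(e > threshold for e in ents):
        return ("random", mean)
    return ("other", mean)


# Constructed flows: three 1 KiB random-looking payloads (obfs4-like), a TLS handshake
# followed by encrypted records, and a plain HTTP request.
OBFS4_LIKE = [pseudo_random(b"obfs4-pkt-%d" % i, 1024) for i in range(3)]
TLS_LIKE = [
    b"\x16\x03\x01\x00\x40" + pseudo_random(b"client-hello", 64),
    b"\x17\x03\x03\x04\x00" + pseudo_random(b"app-data-1", 1024),
    b"\x17\x03\x03\x04\x00" + pseudo_random(b"app-data-2", 1024),
]
HTTP_LIKE = [b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"]

if __name__ == "__main__":
    for name, flow in (("obfs4-like", OBFS4_LIKE), ("tls", TLS_LIKE), ("http", HTTP_LIKE)):
        print(name, classify_flow(flow))
```

Note what the heuristic actually keys on: the encrypted records of a TLS flow are just as high-entropy as obfs4 traffic, so the only thing saving TLS from the "random" bucket is its five-byte plaintext record header. A protocol that removes all structure to avoid fingerprints therefore becomes identifiable precisely by having none, which is the overblocking trade-off a censor weighs before enabling such a rule.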

free-the-internet commented 1 year ago

Was the V2Ray connection using Vmess, or some other protocol? A good test would be to try Shadowsocks or Vmess to the same server, because they have similar characteristics as obfs4.

My config is Vmess+h2+tls.

For the Tor bridge, I will do another test today. Maybe I can get the logs too. I will report it here.

Another thing is that we try to keep proxy servers on port 443, as we think the censor can scan other ports and has measurements of how long a continuous connection lasts and disrupts it, because on other ports user connection times are usually much shorter. Again, this is my opinion and completely heuristic.

poorp commented 1 year ago

My config is Vmess+h2+tls.

Hi,

  1. Use xray instead of v2ray (there is a simple one-line command that installs a web UI for you called X-ui). I use vless+ws with no TLS and it works fine, but I haven't tested it extensively. You can also tunnel one port from a VPS outside the country to one inside it for the times they completely shut down normal ISPs, and perhaps for better overall stability.
  2. Which CDN are you using for your TLS? I tried to use Cloudflare and I think their services are blocked completely in Iran; I had no luck using my domain for TLS via Cloudflare. Are you perhaps using an Iran-based CDN? And if so, is it free and is the speed any good?
  3. Have you tried any other methods, like tunneling OpenVPN traffic somehow?

free-the-internet commented 1 year ago

1. Use xray instead of v2ray (there is a simple one-line command that installs a web UI for you called X-ui). I use vless+ws with no TLS and it works fine, but I haven't tested it extensively. You can also tunnel one port from a VPS outside the country to one inside it for the times they completely shut down normal ISPs, and perhaps for better overall stability.

2. Which CDN are you using for your TLS? I tried to use Cloudflare and I think their services are blocked completely in Iran; I had no luck using my domain for TLS via Cloudflare. Are you perhaps using an Iran-based CDN? And if so, is it free and is the speed any good?

Indeed I'm using xray and I do it manually. But I don't use any CDN. That's because with h2 you can't do it.

3. Have you tried any other methods, like tunneling OpenVPN traffic somehow?

I was searching for this. When I look at the available solutions, in my opinion the best solution is the one that looks like very normal traffic. It seems to me Vmess + XXXX + TLS is the one I'm looking for. You can put anything instead of XXXX. WebSockets could be very useful if CDNs were available in Iran, but they aren't. There are some projects on GitHub to hide OpenVPN traffic already, but they don't seem very developed.

As I said before, the censor in Iran is harsher; one reason is that the devastated economy of Iran is not connected to the rest of the world (in contrast to China), which makes it easier for the regime to block public free services like CDNs and even power off the whole thing! I can see the day when they would block the whole connection in the country. Anyway, let's keep the thread technical.

poorp commented 1 year ago

WebSockets could be very useful if CDNs were available in Iran, but they aren't.

Can't we use an Iranian CDN that is not blocked? Also, does h2 perform as well as ws in terms of speed and latency?

free-the-internet commented 1 year ago

WebSockets could be very useful if CDNs were available in Iran, but they aren't.

Can't we use an Iranian CDN that is not blocked? Also, does h2 perform as well as ws in terms of speed and latency?

You can. But why would you do this? It can only be used to increase your data rate if ISPs are throttling foreign traffic but Iranian CDNs aren't. Do you have any other reason? Of course there may be reasons in the future, perhaps regarding the behavior of the censor; but for me I don't see any point in that other than a higher data rate. h2 on some mobile operators is very slow due to throttling. On DSL lines it seems OK. But I can't say how much better/worse it is than WS.