net4people / bbs

Forum for discussing Internet censorship circumvention

Upload throttling in Iran #171

Open aminiyt opened 1 year ago

aminiyt commented 1 year ago

Hi, are you OK? Recently I have had a problem uploading to the servers I built in Iran, and when I test the network, the upload speed is below zero.

This problem has caused me to face frequent hi-fi interruptions, and I don't know how to fix it. Please help me increase the upload and download speed.

wkrp commented 1 year ago

Please, this is not the place for this kind of discussion. The purpose of this forum is sharing information that can be useful for developers of circumvention systems or people studying censorship. It is not for technical support.

A better place to ask this question may be on a V2Ray support forum.

If you think you are experiencing a new kind of blocking in Iran, that would be on topic. But then in order to be useful, your post needs to have some technical information. We would need to know, at a minimum, when you started having problems with the servers (date and time), and what transports you have configured with V2Ray. We would also want to know what client implementations you are using to connect to the servers.

If you find that the servers are sometimes blocked, and sometimes unblocked, that can also be an on-topic discussion, because it could enable us to find protocol features that trigger the blocking. But only after you have checked the other Iran threads and checked that it is not something already known, like TLS fingerprint blocking.

arandomgstring commented 1 year ago

@wkrp That's actually true; however, it has nothing to do with v2ray. It has been a few days since upload bandwidth decreased sharply for foreign IPs. [attached screenshots]

Laugh, if you will. This test was conducted near 1 AM in Iran GMT, when speeds are usually better. And this test doesn't show packet loss, which is actually the main issue here.

The only way(s) to circumvent this issue is either:

  1. Buy an Iranian VPS, and through that VPS do what you will in a foreign VPS. Optionally you can use your Iranian VPS as the first hop and the foreign VPS as the second hop in your configuration. Upload bandwidth of Iranian VPSs to foreign IPs is not limited (yet).

  2. Certify yourself as a freelancer. Yes, indeed. Believe it or not, I have heard (from reliable sources) that the so-called classified internet (or name it however you want) has already launched, and famous Iranian websites have received a call from the government to certify themselves. That said, the certification costs them, so most of them have not accepted this proposal (yet). At some point I anticipate the situation becomes much worse.

wkrp commented 1 year ago

@arandomgstring thank you very much, that's information we can work with.

Do you know what date it started to become throttled? Any news articles or discussions posted elsewhere?

Do you know if it affects all ports? The speedtest probably uses HTTPS on port 443. Another thing to try is QUIC.

My immediate thought is to compare to research on throttling in Iran in 2011 and 2012: Dimming the Internet: Detecting Throttling as a Mechanism of Censorship in Iran (PDF) Here is my short summary:

Uses Network Diagnostic Tool, a tool built by M-Lab and integrated into μTorrent, as a means of measuring network throttling in Iran. Through the measurement of RTT, packet loss, throughput, and fraction of network-limited time, they identify past periods of network throttling and identify networks that are less affected by throttling. A major challenge is distinguishing throttling from other natural network conditions. They argue that decreased throughput without an accompanying increase in RTT and packet loss is an indicator of artificial throttling. They find two major periods of throttling, between Nov 2011 and Aug 2012, and between Oct 2012 and Nov 2012. Academic institutions are affected by throttling, but less so than other networks, with higher throughput during throttling and a faster recovery afterward.
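As an added illustration of the indicator that summary describes (example code written for this post, not from the paper or the thread): it labels a throughput drop without an accompanying RTT or loss increase as throttling, a drop that comes with such an increase as ordinary congestion, and then groups throttled days into periods. The thresholds and the sample series are constructed, not measured.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sample:
    """One measurement interval (a day here); units follow the field names."""
    day: str
    throughput_kbps: float
    rtt_ms: float
    loss_pct: float


def baseline(samples):
    """Median throughput, RTT and loss over a window believed to be unthrottled."""
    return (median(s.throughput_kbps for s in samples),
            median(s.rtt_ms for s in samples),
            median(s.loss_pct for s in samples))


def classify(sample, base, tp_drop=0.5, rtt_rise=1.5, loss_rise=1.0):
    """Label one sample 'normal', 'congestion' or 'throttling'.
    tp_drop:   throughput below this fraction of baseline counts as a drop.
    rtt_rise:  RTT above baseline * rtt_rise counts as an RTT increase.
    loss_rise: loss more than loss_rise percentage points above baseline counts
               as a loss increase (absolute, so a 0% baseline still works)."""
    base_tp, base_rtt, base_loss = base
    if sample.throughput_kbps >= base_tp * tp_drop:
        return "normal"
    rtt_up = sample.rtt_ms > base_rtt * rtt_rise
    loss_up = sample.loss_pct > base_loss + loss_rise
    # The paper's indicator: a throughput drop with no RTT/loss increase looks
    # artificial; a drop alongside an RTT/loss increase looks like congestion.
    return "congestion" if (rtt_up or loss_up) else "throttling"


def labels(samples, baseline_samples, **thresholds):
    """Map each sample's day label to its classification (insertion ordered)."""
    base = baseline(baseline_samples)
    return {s.day: classify(s, base, **thresholds) for s in samples}


def throttled_periods(samples, baseline_samples, **thresholds):
    """Collapse consecutive 'throttling' samples into (first_day, last_day) periods."""
    periods, start, last = [], None, None
    for day, label in labels(samples, baseline_samples, **thresholds).items():
        if label == "throttling":
            start = day if start is None else start
            last = day
        elif start is not None:
            periods.append((start, last))
            start = last = None
    if start is not None:
        periods.append((start, last))
    return periods


# Constructed sample series (not real measurements): four clean days, a
# three-day throughput drop with flat RTT/loss, one congested day, then recovery.
SAMPLES = [
    Sample("d01", 2100, 118, 0.4),
    Sample("d02", 1950, 122, 0.6),
    Sample("d03", 2050, 119, 0.5),
    Sample("d04", 2000, 121, 0.5),
    Sample("d05", 600, 124, 0.6),   # drop, RTT/loss flat -> throttling
    Sample("d06", 550, 120, 0.5),   # throttling
    Sample("d07", 580, 123, 0.4),   # throttling
    Sample("d08", 700, 310, 3.2),   # drop with RTT and loss rise -> congestion
    Sample("d09", 1980, 120, 0.5),  # recovered
]

if __name__ == "__main__":
    for day, label in labels(SAMPLES, SAMPLES[:4]).items():
        print(day, label)
    print("throttled periods:", throttled_periods(SAMPLES, SAMPLES[:4]))
```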

hamedsbt commented 1 year ago

Currently, the best working solution in Iran is peer-to-peer file uploads or sharing using the WebRTC STUN protocol. Such as: https://toffeeshare.com/ https://sendfiles.dev/ https://www.sharedrop.io/

arandomgstring commented 1 year ago

@wkrp I am not quite sure about the exact day, maybe it has been like this for 2~3 weeks. The only article (website) I found was this (in Persian/Farsi):

https://www.zoomit.ir/tech-iran/387816-upload-speed-reduction/

To quote:

Hossein Goleshan (an IT expert): VPNs stop working while the user tries to upload a file.

A user on Twitter: I can't upload anything with my phone. I can't send anything to Telegram, but download speed is fine.

Another user on Twitter: I wanted to upload a 60MB file for someone. It was impossible on Telegram [@arandomgstring: obviously with a proxy on an arbitrary port, because Telegram has been restricted for 2 years] and WhatsApp. Finally I wrote it to a DVD and posted it to them.

According to Zoomit, ISPs claim that there is no problem (lol), and that's it. I couldn't find any other article, and it is to be expected, because the government is not usually lenient toward bad news. The article is dated 1 month ago.

So it seems it has nothing to do with either protocol or port. According to my personal experience, however, SSH is almost blocked on port 22 to foreign servers. By that I mean it is heavily throttled to the point of being useless. I can't even run a single command. But changing the port to something high and random fixes this issue. As for UDP, after the blockage of WireGuard, it seems that UDP to not-well-known foreign servers is almost blocked. The exception is port 53 (which is used for DNS), but again, sending too much traffic through that port results in a temporary blockage of that foreign IP. This might have changed; my tests were conducted 1 month ago for this purpose, though I doubt it. QUIC is not usual traffic in Iran. From my personal experience, only Google uses this, with a few exceptions. So building a VPN with this protocol doesn't seem to be very safe; moreover, QUIC uses UDP in the first place, so I have doubts about its performance.

arandomgstring commented 1 year ago

@hamedsbt

Indeed, the future of Iran depends on P2P. It's unfortunate, however, that users are behind NAT and we need the STUN protocol with an intermediary website to initiate the connection (with UDP or TCP hole punching). The problems are:

  1. They can simply block the STUN protocol, and even if we don't follow the standard STUN protocol, something like https://magic-wormhole.readthedocs.io/en/latest/ ,
  2. They can still block the IP address of the intermediary website used for the initial connection,
  3. They can make use of full symmetric NAT, making P2P completely impossible,
  4. And most importantly, @wkrp Tor over the Snowflake bridge uses STUN + DTLS to mimic P2P file sharing, from what I can see in Wireshark. It is still working fine, but the bandwidth for DTLS is close to zero. This issue, https://github.com/net4people/bbs/issues/131, is related to this point. After all, DTLS is not normal traffic in the first place, not to mention it's built upon UDP.

@hamedsbt So have you tested those services? What were the results? I mean speed, packet loss, etc?

Evolve6996 commented 1 year ago

Thanks for your information, bro. I was thinking the same about getting an Iran VPS and connecting it with the foreign one I currently have. I have multiple protocols running on my foreign VPS. Do you know how I can first connect to my Iran VPS and then to the foreign one? For example, I checked v2rayN and didn't see any option.

MH140000 commented 1 year ago

Hello. I recently ran into the same problem. I have 2 servers, I configured both in the same way, but one of the servers works without any problem and one of the servers has 0 upload speed when I test the speed with speedtest. I should also say that the first server had a problem, but the problem was solved by changing the node several times. Does anyone know a solution?

arandomgstring commented 1 year ago

@Evolve6996

You should carefully study the configs here https://github.com/XTLS/Xray-examples to write configs for yourself, instead of relying on one-click scripts. That said, I think the easiest way to use your Iranian VPS as the first hop and the foreign VPS as the second hop would be as follows:

  1. First make a v2ray config.json for your foreign server. In that config, your inbound would be something like VLESS + TLS + TCP (it can be whatever) and your outbound would be freedom. Of course many scripts can automatically make that config for you; it doesn't matter. For example, this is a config for your foreign server (this code won't work unless you use correct values for UUID, certificateFile, keyFile, etc.):
{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "", // fill in your UUID
                        "level": 0,
                        "email": "love@example.com"
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": 80
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "alpn": [
                        "http/1.1"
                    ],
                    "certificates": [
                        {
                            "certificateFile": "/path/to/fullchain.crt", // replace with your certificate, absolute path
                            "keyFile": "/path/to/private.key" // replace with your private key, absolute path
                        }
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ]
}
  2. Then make a config for your Iranian server. This time, your inbound again can be anything like VMESS, Trojan or whatever, but your outbound won't be freedom anymore. Rather, it would be what you have used in your foreign server. If you use VLESS + TLS + TCP in the inbound of your foreign server, your Iranian server's outbound would be VLESS + TLS + TCP. If your foreign server's inbound is VMESS, your Iranian VPS outbound would be VMESS, etc., etc. So for example, the config for your Iranian VPS would be:
{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 1234,
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": ""
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp"
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "example.com", // replace with your domain name
                        "port": 443,
                        "users": [
                            {
                                "id": "", // fill in your UUID
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls"
            }
        }
    ]
}

Look carefully: I used VMESS for the inbound of your Iranian VPS, and its outbound is VLESS (just what I used for your foreign server).

  3. Finally, with V2rayN you simply connect to your Iranian server. You do it just like you always do. In my example, I used VMESS for the Iranian server, so my config in V2rayN becomes like this:
{
    "log": {
        "loglevel": "warning"
    },
    "routing": {
        "domainStrategy": "AsIs",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "direct"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": "1080",
            "protocol": "socks",
            "settings": {
                "auth": "noauth",
                "udp": true,
                "ip": "127.0.0.1"
            }
        },
        {
            "listen": "127.0.0.1",
            "port": "1081",
            "protocol": "http"
        }
    ],
    "outbounds": [
        {
            "protocol": "vmess",
            "settings": {
                "vnext": [
                    {
                        "address": "",
                        "port": 1234,
                        "users": [
                            {
                                "id": ""
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp"
            },
            "tag": "proxy"
        },
        {
            "protocol": "freedom",
            "tag": "direct"
        }
    ]
}

Of course, you need not write the first and third configs yourself. The only config you need to write by yourself is the second one, the Iranian server, whose outbound depends on your foreign server's inbound config. This is not the most secure way to do this, but it works, and I assure you that as long as you keep it for personal use, no one will notice what you have done.
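A consistency check for the two-hop setup described in that post (added example, not code from the thread or from the v2ray/xray projects): it strips the // comments that v2ray tolerates in config.json, verifies that the Iranian server's outbound matches the foreign server's inbound (protocol, port, UUID, transport and TLS setting), and also flags the "listen": "127.0.0.1" case discussed later in the thread, where the Iranian inbound is unreachable from outside without a reverse proxy in front. The embedded configs and UUID are constructed placeholders.

```python
import json


def strip_comments(text):
    """Remove // line comments that are outside JSON strings (v2ray/xray accept
    such comments in config.json, but json.loads does not)."""
    out, in_str, i = [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):   # copy the escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):            # comment: skip to end of line
            i = text.find("\n", i)
            if i < 0:
                break
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def load_config(text):
    return json.loads(strip_comments(text))


def check_chain(foreign, iran):
    """Compare the Iranian server's first outbound against the foreign server's
    first inbound. Returns a list of problems; an empty list means they agree."""
    problems = []
    f_in, i_in, i_out = foreign["inbounds"][0], iran["inbounds"][0], iran["outbounds"][0]
    if i_out["protocol"] != f_in["protocol"]:
        problems.append(f"protocol: Iran outbound {i_out['protocol']} "
                        f"vs foreign inbound {f_in['protocol']}")
    target = i_out["settings"]["vnext"][0]
    if int(target["port"]) != int(f_in["port"]):
        problems.append(f"port: Iran outbound {target['port']} vs foreign inbound {f_in['port']}")
    allowed = {c["id"] for c in f_in["settings"]["clients"]}
    for user in target["users"]:
        if not user["id"]:
            problems.append("Iran outbound still has an empty UUID placeholder")
        elif user["id"] not in allowed:
            problems.append(f"UUID {user['id']} is not in the foreign inbound's client list")
    f_ss, i_ss = f_in.get("streamSettings", {}), i_out.get("streamSettings", {})
    for key, default in (("network", "tcp"), ("security", "none")):   # v2ray defaults
        if f_ss.get(key, default) != i_ss.get(key, default):
            problems.append(f"{key}: foreign {f_ss.get(key, default)} "
                            f"vs Iran {i_ss.get(key, default)}")
    if i_in.get("listen", "0.0.0.0") in ("127.0.0.1", "localhost", "::1"):
        problems.append("Iran inbound listens on loopback only; clients cannot "
                        "reach it without a reverse proxy in front")
    return problems


# Constructed configs with placeholder values; the UUID is a dummy, not a real one.
UUID = "00000000-0000-4000-8000-000000000001"
FOREIGN = """{
  "inbounds": [{
    "port": 443, "protocol": "vless",
    "settings": {"clients": [{"id": "%s"}], "decryption": "none"},
    "streamSettings": {"network": "tcp", "security": "tls"} // TLS ends here
  }],
  "outbounds": [{"protocol": "freedom"}]
}""" % UUID
IRAN_OK = """{
  "inbounds": [{"listen": "0.0.0.0", "port": 1234, "protocol": "vmess",
                "settings": {"clients": [{"id": "%s"}]}}],
  "outbounds": [{
    "protocol": "vless", // must mirror the foreign inbound
    "settings": {"vnext": [{"address": "foreign.example", "port": 443,
                            "users": [{"id": "%s", "encryption": "none"}]}]},
    "streamSettings": {"network": "tcp", "security": "tls"}
  }]
}""" % (UUID, UUID)
# Two mistakes: plain TCP toward a TLS inbound, and a loopback-only listener.
IRAN_BAD = (IRAN_OK.replace('"security": "tls"', '"security": "none"')
                   .replace('"listen": "0.0.0.0"', '"listen": "127.0.0.1"'))

if __name__ == "__main__":
    for name, cfg in (("ok", IRAN_OK), ("bad", IRAN_BAD)):
        print(name, check_chain(load_config(FOREIGN), load_config(cfg)) or "consistent")
```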

arandomgstring commented 1 year ago

@MH140000

Don't pay attention to Speedtest results too much. As long as your server works, hey, it works! I mean, if the upload speed was actually 0, you couldn't have opened the Speedtest website in the first place, since you need to send a query to your VPS server and ask it to open Speedtest for you. With an actual 0 upload speed, you couldn't even send such queries. You couldn't even have connected to your server. Anyway, what is the difference between those servers? Have you bought them from different VPS providers? Are they located in different parts of the world? What's the difference between those two?

MH140000 commented 1 year ago

@arandomgstring Yes, it opens websites, but I can't use WhatsApp calls, for example. Yes, it was purchased from one place, but they changed the node for me several times until the problem of one of them was solved.

Evolve6996 commented 1 year ago

@arandomgstring much appreciate your explanation bro ❤️
I think my script configured the VPN a little bit differently, since I see the 127.0.0.1 IP address for other protocols like Trojan as "listen": "127.0.0.1". For VLESS it's the same as you said, but there is no outbound in this file, and I have another file with the name 10_ipv4_outbounds.json. Also, in the VLESS config file there are fallbacks to high ports like 31296, 31302, etc., and I need to figure this out, by the way.

I have two questions:

1- I heard about restricted access to Iranian VPSes by the government, like you have to validate yourself for them or something like that. Do you know a good Iranian datacenter to use for my purpose? Sorry if it's off-topic ✋ 👍

2- In the Iran server config there is 0.0.0.0 for the address: does it mean VLESS is going to listen on port 123 and accept all traffic from any address (because 0.0.0.0 means any address) with the destination of port 123?

thanks for your time 👍

wkrp commented 1 year ago

This issue, #131, is related to this point. After all, DTLS is not normal traffic in the first place, not to mention it's built upon UDP.

Actually, #131 (in Iran) was plain old TCP TLS fingerprinting. It was an attack not against the peer-to-peer WebRTC/DTLS connection, but against the initial rendezvous step (registration with the Snowflake broker). The earlier #97 / #40014 (in Russia) was DTLS fingerprinting.

MH140000 commented 1 year ago

Is there a solution to this problem? If this problem continues, we will practically stop using the Internet because we have trouble even sending a message.

arandomgstring commented 1 year ago

@MH140000

Yes, it opens websites, but I can't use WhatsApp calls, for example. Yes, it was purchased from one place, but they changed the node for me several times until the problem of one of them was solved.

So you are using the Cloudflare CDN, yes? And by changing node, you mean you have created a few accounts in Cloudflare until one of them worked? If so, it is a known (old) issue. Many VPNs use the Cloudflare CDN to hide their real IP from ISPs. Our ISPs foolishly block Cloudflare IPs in response. Each time that you create a Cloudflare account, a random name server (and IP) is given to you. It just so happens that sometimes you get already-censored IPs from Cloudflare. So you have to switch accounts to get a non-blocked IP. And the problem you are currently facing with your server stems from the fact that you are using Cloudflare; if you turn it off, you can use your VPS as you normally would.

arandomgstring commented 1 year ago

@Evolve6996

1- I heard about restricted access to Iranian VPSes by the government, like you have to validate yourself for them or something like that. Do you know a good Iranian datacenter to use for my purpose? Sorry if it's off-topic ✋ 👍

Correct. All Iranian datacenters ask for your national ID + your Iranian phone number, which you need to verify. There is no good or bad service; many people are using Arvancloud, which has the heaviest restrictions regarding proxies, VPNs, etc. And if they catch you using a proxy on their services, they will block your service and the money you have in your account. Then you need to give them an assurance that you won't do it anymore (you can give them nothing, of course, but your service remains blocked). Parspack, Asiatech, etc. are also being used. Honestly, it doesn't matter where you get your Iranian VPS. You have to test until you find a suitable one that doesn't cost too much and doesn't monitor your activity too much :).

2- In the Iran server config there is 0.0.0.0 for the address: does it mean VLESS is going to listen on port 123 and accept all traffic from any address (because 0.0.0.0 means any address) with the destination of port 123?

First of all, note that if you don't write "listen": "0.0.0.0" at all, your config itself will assume "listen": "0.0.0.0". Secondly, 0.0.0.0 means that your proxy server will listen on all network cards that your Iranian VPS has, on port 123. So if a user connects to xx.xx.xx.xx, where xx.xx.xx.xx is the IP address of your Iranian VPS, and sends data to port 123, your proxy server will receive this and redirect it to the proxy server that you have written in the outbound. Usually, a VPS has only one IP, but if it has several IPs, then you can connect to any of those IPs and send data to port 123 to proxify your traffic.

Of course, if you write "listen": "127.0.0.1" you can't proxify your traffic via xx.xx.xx.xx (your server IP) anymore, since v2ray or xray no longer listens on all IPs. However, you can make "listen": "127.0.0.1" work as well:

  1. You need something like nginx, caddy, or something else that listens on your chosen port.
  2. In the nginx, caddy, etc. configuration, you send the traffic received from xx.xx.xx.xx on your chosen port to 127.0.0.1 on another port.

It sounds complex, but it isn't complex at all. It is a lot more secure as well. Take a look at this https://github.com/XTLS/Xray-examples/tree/main/VLESS-WSS-Nginx for example. Your xray listens on "/dev/shm/Xray-VLESS-WSS-Nginx.socket,0666" (it is a Unix socket. I know it looks weird, but it is similar to 127.0.0.1. You can write 127.0.0.1 instead of it), while nginx, with proxy_pass http://unix:/dev/shm/Xray-VLESS-WSS-Nginx.socket; gets data from you on xx.xx.xx.xx and redirects it to /dev/shm/Xray-VLESS-WSS-Nginx.socket, which will proxify your traffic as a result.

MH140000 commented 1 year ago

Hi. No, by changing the node I did not mean changing the account in Cloudflare, but changing the location of the VPS by the support team. I don't know why some servers have no problem with v2ray but some servers show 0 upload speed.

Evolve6996 commented 1 year ago

@arandomgstring Thanks a lot. I currently need to find out how my script configured the protocols 😄 By the way, does VLESS-WSS-Nginx support UDP for gaming?

arandomgstring commented 1 year ago

@Evolve6996 Iran's government should be thanked for making all Iranian IT Tech. Yes, it works, though the performance is a nightmare. Not only will your UDP be wrapped inside TCP, but it will also be encrypted by TLS, which increases latency a lot. Don't play games that need fast reactions, if you want to stay sane.

@MH140000 Well in that case, it means those IPs were used by other Iranian people before you, and they were censored.

MH140000 commented 1 year ago

Unfortunately, this is not the case, because my IP was changed several times by the place I bought the server from, but the problem was not solved until they gave me back the first IP that I had received before and changed the server node again; then the problem was solved. But recently my friend bought another server in the same country, and he has a problem with the upload speed.

Evolve6996 commented 1 year ago

I started moving my VPNs away from UDP around 3 months ago. I think most VPNs don't work well on UDP now. I have used many protocols over TCP and they are all fine for me. In general, I think if it's really bad and you are getting retransmits, which cause lag in games, maybe turning off acknowledgments or reducing ACK delays is going to make a difference. This is something I do.

arandomgstring commented 1 year ago

@Evolve6996 I don't think that it is possible to turn off acknowledgments. TCP by design does this to ensure that every piece of data that you have sent is actually received by your server, and vice versa. Turning off this behavior is the same as using UDP.

Evolve6996 commented 1 year ago

On Windows, you can do it in the registry; there are multiple guides on Google. It's called Nagle's algorithm. I don't know whether the server can force it or not. Yes, it's going to be like UDP, maybe not exactly, since TCP is a way more complex protocol than UDP.

I have a question about how to run a DNS server on my VPS to get around geo-restricted websites and services. If you know how to do that, please let me know. I don't want to talk here because it's off-topic, and it seems GitHub does not have DMs 😞 thanks 👍

arandomgstring commented 1 year ago

@Evolve6996

On Windows, you can do it in the registry; there are multiple guides on Google. It's called Nagle's algorithm. I don't know whether the server can force it or not. Yes, it's going to be like UDP, maybe not exactly, since TCP is a way more complex protocol than UDP.

Interesting, I saw Nagle's algorithm on Wikipedia. It doesn't seem to disable ACK packets altogether; rather, it controls the generated traffic, making it more efficient. But I might be wrong. You can use the BBR feature on Linux, though, to make your traffic more efficient. Use this https://github.com/iyidengme/Linux-NetSpeed-By-ylx2016 . But I don't know which option is the most efficient one. I am using BBR+FQ and it does make things better, for me at least.

I have a question about how to run a DNS server on my VPS to get around geo-restricted websites and services. If you know how to do that, please let me know. I don't want to talk here because it's off-topic, and it seems GitHub does not have DMs 😞 thanks 👍

Why do you want to run a DNS server in the first place? You can simply force DNS queries through v2ray by using either proxifier, nekoray, or fakedns, or many other possible options. However, if you really need to run a DNS server, you can do it with https://dnscrypt.info/implementations . Also here https://tachyondevel.medium.com/%E6%BC%AB%E8%B0%88%E5%90%84%E7%A7%8D%E9%BB%91%E7%A7%91%E6%8A%80%E5%BC%8F-dns-%E6%8A%80%E6%9C%AF%E5%9C%A8%E4%BB%A3%E7%90%86%E7%8E%AF%E5%A2%83%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8-62c50e58cbd0 you can see how DNS requests are parsed by xray.

Evolve6996 commented 1 year ago

Interesting, I saw Nagle's algorithm on Wikipedia. It doesn't seem to disable ACK packets altogether; rather, it controls the generated traffic, making it more efficient. But I might be wrong.

Hmm, I heard about Nagle from multiple sources. I never tested it to see if it actually works, but I heard from World of Warcraft players that it did make a difference for them. By the way, I think it needs Wireshark, and right now I don't have time to test it. I am kind of sure that reducing ACK delays is good for gaming, though. You can use the TCP Optimizer tool by SpeedGuide; they have articles about these options too.

You can use the BBR feature on Linux, though, to make your traffic more efficient. Use this https://github.com/iyidengme/Linux-NetSpeed-By-ylx2016 . But I don't know which option is the most efficient one. I am using BBR+FQ and it does make things better, for me at least.

I don't know how it exactly works, and whether there are different good configs and variations of it for gaming. I just know it's about TCP window size and it should come into play when congestion happens, and so on. By the way, I have read it causes more retransmitting. Also, your link does not open for me; I get error 404. Can you explain, when you say it makes things better, what it makes better in what situation 👍 ?

Why do you want to run a DNS server in the first place? You can simply force DNS queries through v2ray by using either proxifier, nekoray, or fakedns, or many other possible options. However, if you really need to run a DNS server, you can do it with https://dnscrypt.info/implementations . Also here https://tachyondevel.medium.com/%E6%BC%AB%E8%B0%88%E5%90%84%E7%A7%8D%E9%BB%91%E7%A7%91%E6%8A%80%E5%BC%8F-dns-%E6%8A%80%E6%9C%AF%E5%9C%A8%E4%BB%A3%E7%90%86%E7%8E%AF%E5%A2%83%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8-62c50e58cbd0 you can see how DNS requests are parsed by xray.

I want it for PayPal and some games.

I think proxying DNS through Xray will mean that if anything happens in terms of blocking or throttling for Xray, it will impact your DNS as well, right?

I didn't say I want to forward queries only. I'd like to do something similar to the Electro or Shecan service but on a very small scale, so traffic should come from the VPS server as well, not only queries, right? They are going to block my server connection, maybe. I don't want to bypass censorship, though.

Thanks ❤️

arandomgstring commented 1 year ago

@Evolve6996 It was fine, though. Check this link: https://github.com/ylx2016/Linux-NetSpeed You can read about it here: https://cloud.google.com/blog/products/networking/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster

I think proxying DNS through Xray will mean that if anything happens in terms of blocking or throttling for Xray, it will impact your DNS as well, right?

Yes.

I didn't say I want to forward queries only. I'd like to do something similar to the Electro or Shecan service but on a very small scale, so traffic should come from the VPS server as well, not only queries, right? They are going to block my server connection, maybe. I don't want to bypass censorship, though.

You don't want to bypass censorship?! Well, at any rate, with DNSCrypt you can make something similar to the Shekan service. Although Shekan is plain DNS, and DNSCrypt uses HTTPS or TLS to hide your service. Then with an application such as YogaDNS you can connect to your DNS server.

Hadi-1624 commented 1 year ago

Hi there guys. Since 5 days ago, a server that I have been using for 4 years started to have issues. My upload speeds from TCI and Rightel are now 0.30 Mbps, making it impossible for me to use my proxy properly. I had a few questions.

  1. Does this mean that my VPS IP is now useless?
  2. Could I use Cloudflare or something similar to bypass this issue?

arandomgstring commented 1 year ago

@Hadi-1624 0.3 Mbps is very good compared to https://github.com/net4people/bbs/issues/171#issuecomment-1349716729, and I didn't even use a proxy in that test. Cloudflare will make things worse. Buy an Iranian VPS as the first hop and a foreign VPS as the second hop, and either use v2ray/xray or, even better, ssh to the Iranian VPS and from there ssh to the foreign server as follows: https://superuser.com/questions/96489/an-ssh-tunnel-via-multiple-hops. I guess ssh will leave you with the highest speed with encryption + proxifying applications, whereas plain FTP gives the highest speed without encryption and without proxifying apps.

Evolve6996 commented 1 year ago

Guys, TL;DR: I analyzed the situation and found something. This could be a workaround for the current upload or download throttling to foreign hosts. It worked very well for me, but I don't know what the impact would be in terms of blacklisting your VPS by the government firewall, or what happens when you enable the allow insecure option in terms of TLS authentication. BTW:

In your v2ray client, set your SNI field to something whitelisted in Iran, e.g. an Iranian website such as Uplod.ir, then enable the allow insecure option.

Hope this works for you 💟

MH140000 commented 1 year ago

@Evolve6996 thanks very much.

On Thu, Dec 22, 2022 at 1:39 PM Evolve6996 @.***> wrote:

Solution for throttling? :

Guys, TL;DR: I analyzed the situation and found something. This could be a workaround for the current upload or download throttling to foreign hosts. It worked very well for me, but I don't know what the impact would be in terms of blacklisting your VPS by the government firewall, or what happens when you enable the allow insecure option in terms of TLS authentication. BTW:

In your v2ray client, set your SNI field to something whitelisted in Iran, e.g. an Iranian website such as Uplod.ir, then enable the allow insecure option. It fixed my throttling.

Hope this works for you 💟


arandomgstring commented 1 year ago

@Evolve6996

I don't know what would be the impact of it in terms of blacklisting your VPS by government firewall or anything happens when you enable allow insecure option in terms of Tls authentication.

It's totally fine, but the fact that they are throttling upload based on SNI rather than IP range shows that some foreign servers are not being throttled; otherwise they would have done their restriction based on IP rather than SNI, which is foolproof and resistant against SNI tampering.

But what are these foreign servers? Google drive maybe? If so, then changing SNI to these unthrottled foreign domains seems to be a safer option.

The main downfall of your method is that it's incompatible with CDNs, but I think that is it.
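The throttling discussed above is keyed on the SNI field, so it helps to see exactly what that field is. The Python below is an added illustration, not code from this thread or from v2ray/xray: it builds a minimal ClientHello and parses the server_name extension back out of it, the way a DPI middlebox would, to show that the SNI is a plaintext value chosen by the client and sent before any certificate is exchanged. The ClientHello bytes are constructed here; vps.example.net is a placeholder hostname.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)

def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal TLS ClientHello record (TLS 1.2 framing);
    the extensions block is omitted entirely when sni is None."""
    host = sni.encode("idna") if sni else b""
    entry = b"\x00" + struct.pack("!H", len(host)) + host         # host_name, type 0
    sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(entry) + 2, len(entry)) + entry
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext if sni else b""
    suites = b"\xc0\x2f\xc0\x30"                                  # two ECDHE AES-GCM suites
    body = (b"\x03\x03" + b"\x11" * 32                            # version + fixed random
            + b"\x00"                                             # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # null compression only
            + extensions)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if the
    record is not a complete ClientHello or carries no SNI (what DPI reads)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None                                   # truncated record
    try:
        pos = 2 + 32                                  # skip client_version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                         # walk the extension list
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while q + 3 <= list_end:                  # ServerNameList entries
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    return data[q + 3:q + 3 + nlen].decode("idna")
                q += 3 + nlen
    except (IndexError, struct.error, UnicodeError):
        return None
    return None
```

Because the server's certificate will not match a name picked this way, the client can only finish the handshake by disabling certificate verification (the allow insecure option), which keeps the encryption but gives up authentication of the server.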

MH140000 commented 1 year ago

@Evolve6996 Apparently, limited addresses solve the problem. I tested many domains but it didn't work except for one or two of them.

Hadi-1624 commented 1 year ago

@arandomgstring Thanks for your tips about ssh, I'd like to try that. @Evolve6996 Your solution seems to work for me, but only with the domain that you mentioned. It seems like setting the SNI to uplod.ir makes my connection a little bit faster, but setting it to other websites does not. I can't understand how this could solve the issue of throttling; I'd appreciate it if anyone could explain the technical details of it.

Hadi-1624 commented 1 year ago

I had an additional question: is it possible to use Arvan Cloud CDN and a domain to bypass upload limit restrictions?

arandomgstring commented 1 year ago

@Hadi-1624

Is it possible to use Arvan Cloud CDN and a domain to bypass upload limit restrictions?

We can never know unless you try it. In theory, if you succeed at using ArvanCDN, your proxy will work even in the case of the national Internet. But from what I have heard and know, their CDN is very incapable, to the point that famous Iranian websites have opted for the hostdl CDN, which is super expensive btw.

MH140000 commented 1 year ago

Hi. If you get any more info, please share it here, because it's only one or two domains that solve the problem with SNI.

On Fri, Dec 23, 2022 at 10:51 AM arandomgstring @.***> wrote:

@Hadi-1624 https://github.com/Hadi-1624

Is it possible to use Arvan Cloud CDN and a domain to bypass upload limit restrictions?

We can never know unless you try it. In theory, if you succeed at using ArvanCDN, your proxy will work even in the case of the national Internet. But from what I have heard and know, their CDN is very incapable, to the point that famous Iranian websites have opted for the hostdl CDN, which is super expensive btw.


arandomgstring commented 1 year ago

@MH140000

The procedure for doing so is similar to that of Cloudflare, except that instead of using Cloudflare name servers, you will use Arvan name servers. And don't forget that CDNs usually work with websockets, so the network setting of v2ray is ws.

Evolve6996 commented 1 year ago

@arandomgstring

It's totally fine, but the fact that they are throttling upload based on SNI rather than IP range shows that some foreign servers are not being throttled; otherwise they would have done their restriction based on IP rather than SNI, which is foolproof and resistant against SNI tampering.

Oh, good to know it's safe 👍. I have read about allow insecure; it seems it discards certificate validation. Now, if I check this option, it means it creates a TLS connection regardless of the certificate, so everything is still encrypted, right?

But what are these foreign servers? Google drive maybe? If so, then changing SNI to these unthrottled foreign domains seems to be a safer option.

Didn't test it. Finding them should be easy, tbh. My internet now behaves weirdly as well, and it changes from time to time and IP to IP. It's now fine without SNI tampering, so I cannot test now 😕

The main downfall of your method is that it's incompatible with CDNs, but I think that is it.

Probably doesn't matter; there is no foreign CDN that works well currently. I think Cloudflare works well for whitelisted IPs or domains?

I have a question: can DNSCrypt bypass censors like a VPN? Thanks 👍

@MH140000 > Hi. If you get any more info, please share it here, because it's only one or two domains that solve the problem with SNI.

Test linkirani.ir, soft98.ir, leader.ir; it could be anything whitelisted. If it doesn't solve your server's problems, maybe your server is suffering from throttling plus something different.

MH140000 commented 1 year ago

@Evolve6996 Hi. Where can I find the white list of websites?

On Sun, Dec 25, 2022 at 1:23 PM Evolve6996 @.***> wrote:

@arandomgstring https://github.com/arandomgstring

It's totally fine, but the fact that they are throttling upload based on SNI rather than IP range shows that some foreign servers are not being throttled; otherwise they would have done their restriction based on IP rather than SNI, which is foolproof and resistant against SNI tampering.

Oh, good to know it's safe 👍. I have read about allow insecure; it seems it discards certificate validation. Now, if I check this option, it means it creates a TLS connection regardless of the certificate, so everything is still encrypted, right?

But what are these foreign servers? Google drive maybe? If so, then changing SNI to these unthrottled foreign domains seems to be a safer option.

Didn't test it. Finding them should be easy, tbh. My internet now behaves weirdly as well, and it changes from time to time and IP to IP. It's now fine without SNI tampering, so I cannot test now 😕

The main downfall of your method is that it's incompatible with CDNs, but I think that is it.

Probably doesn't matter; there is no foreign CDN that works well currently. I think Cloudflare works well for whitelisted IPs or domains?

@MH140000 https://github.com/MH140000

Hi. If you get any more info, please share it here, because it's only one or two domains that solve the problem with SNI.

Test linkirani.ir, soft98.ir, leader.ir; it could be anything whitelisted. If it doesn't solve your server's problems, maybe your server is suffering from throttling plus something different.


Evolve6996 commented 1 year ago

@Evolve6996 Hi. Where can I find the whitelist of websites?

How do we find them, bro, unless we see their whitelist? All you can do is trial and error.

aminiyt commented 1 year ago

@MH140000

Don't pay attention to Speedtest results too much. As long as your server works, hey, it works! I mean, if the upload speed was actually 0, you couldn't have opened the Speedtest website in the first place, since you need to send a query to your VPS server and ask it to open Speedtest for you. With an actual 0 upload speed, you couldn't even send such queries. You couldn't have even connected to your server. Anyway, what is the difference between those servers? Have you bought them from different VPS providers? Are they located in different parts of the world? What's the difference between those two?

I bought two servers from Hetzner Germany. One of them works fine, but the other gives me an upload speed below 1 MB. Both servers are from Falkenstein, Germany.

aminiyt commented 1 year ago

I had an additional question: is it possible to use Arvan Cloud CDN and a domain to bypass upload limit restrictions?

It is possible, but it is not really recommended unless you want it for personal use.

p0o0uya commented 1 year ago
  • Solution for throttling? :

Guys, TL;DR: I analyzed the situation and found something. This could be a workaround for the current upload or download throttling to foreign hosts. It worked very well for me, but I don't know what the impact would be in terms of blacklisting your VPS by the government firewall, or what happens when you enable the allow insecure option in terms of TLS authentication. BTW:

In your v2ray client, set your SNI field to something whitelisted in Iran, e.g. an Iranian website such as Uplod.ir, then enable the allow insecure option.

Hope this works for you 💟

Would you please explain how to set the SNI? I cannot find it on my panel. I am using the x-ui panel, Chinese version.

aminiyt commented 1 year ago
  • Solution for throttling? :

Guys, TL;DR: I analyzed the situation and found something. This could be a workaround for the current upload or download throttling to foreign hosts. It worked very well for me, but I don't know what the impact would be in terms of blacklisting your VPS by the government firewall, or what happens when you enable the allow insecure option in terms of TLS authentication. BTW: in your v2ray client, set your SNI field to something whitelisted in Iran, e.g. an Iranian website such as Uplod.ir, then enable the allow insecure option. Hope this works for you 💟

Would you please explain how to set the SNI? I cannot find it on my panel. I am using the x-ui panel, Chinese version.

In which part of the panel is this option located exactly? I use the X-ui v2ray panel.

aminiyt commented 1 year ago

Uplod.ir

I did it but it didn't work

aminiyt commented 1 year ago

I bought two servers at the same time, in one day, from the Germany location, Falkenstein. On one of them, the VPN works well and gives me a significant upload speed. But the other server gives me an upload speed below 1 MB. I don't know how to fix this problem.

Evolve6996 commented 1 year ago
  • Solution for throttling? :

Guys, TL;DR: I analyzed the situation and found something. This could be a workaround for the current upload or download throttling to foreign hosts. It worked very well for me, but I don't know what the impact would be in terms of blacklisting your VPS by the government firewall, or what happens when you enable the allow insecure option in terms of TLS authentication. BTW: in your v2ray client, set your SNI field to something whitelisted in Iran, e.g. an Iranian website such as Uplod.ir, then enable the allow insecure option. Hope this works for you 💟

Would you please explain how to set the SNI? I cannot find it on my panel. I am using the x-ui panel, Chinese version.

It's not on the panel, bro. I said your client, not the server. I am using v2rayN; it has an option. If you're using nekoray or something, you can use it there.

Uplod.ir

I did it but it didn't work

That's sad. Use other websites as well; it seems google.com is also working, I tested it on my VPS, but it might not work for you. Also, I personally avoid using Hetzner; it was a very bad VPS, I had so many attacks, and I think big datacenters are targeted by the gov firewall more than not-well-known ones.

Hadi-1624 commented 1 year ago

The fact that each region and area has its own different throttling makes this very frustrating. I keep hearing from others that some servers are more stable than others, but for me, on my house's fiber network, it seems like all upload speeds to foreign servers are capped at 4 Mbps and fluctuate between 2 and 6 Mbps, which makes the v2ray and xray protocols freak out and not work properly. In addition to this, some users, understandably, do not know how to configure a proxy properly from both the server and client side, so it is very hard to have a picture of the situation.

hamedsbt commented 1 year ago

@hamedsbt

Indeed, the future of Iran depends on P2P. It's unfortunate, however, that users are behind NAT and we need the STUN protocol with an intermediary website to initiate the initial connection (with UDP or TCP hole punching). The problems are:

  1. They can simply block the STUN protocol, and even if we don't follow the standard STUN protocol, something like https://magic-wormhole.readthedocs.io/en/latest/ ,
  2. They can still block the IP address of the intermediate website for the initial connection,
  3. They can make use of full symmetric NAT, making P2P completely impossible,
  4. And most importantly, @wkrp Tor on the Snowflake bridge uses STUN + DTLS to mimic P2P file sharing, from what I can see in Wireshark. It is still working fine, but the bandwidth for DTLS is close to zero. This issue (Unexplained drop in Snowflake client polls and bandwidth, testers wanted #131) is related to this point. After all, DTLS is not normal traffic in the first place, not to mention it's built upon UDP.

@hamedsbt So have you tested those services? What were the results? I mean speed, packet loss, etc.?

Hi, several days ago I tested it and it works properly, but a bit slowly.

Hadi-1624 commented 1 year ago

There is a situation that I do not understand. I am in a region that is experiencing heavy upload throttling.

  1. On Windows, using v2rayN or nekoray to connect to a VMess over CDN, my upload speeds are limited to 2 Mbps and are throttled.
  2. On Android, using Matsuri, connecting to the same server bypasses the upload throttling, and my upload speeds are 40 Mbps and stable!
  3. Using Android, I hotspot my Matsuri VPN connection to my Windows and I have no upload throttling again! And the connection is stable.

Why is this happening? Why can an application on Android completely bypass the upload throttling that is applied to my region?

When using no VPN and using speed tests, my upload speeds are very low and fluctuating to countries outside Iran. I do not understand why and how an Android application can suddenly bypass such restrictions.

Edit: I do not use any relay servers; I am using Cloudflare for CDN.