net4people / bbs

Forum for discussing Internet censorship circumvention

Best VPN protocol setup for a VPS #180

Open Msadr471 opened 1 year ago

Msadr471 commented 1 year ago

Hi, I am from Iran and recently bought a VPS on Hetzner. Last night I tried to set up WireGuard, but it was so confusing that I used this source to set it up and it did not work. I mean, I know I did something wrong but don't know in which part! The most confusing part was that every site had its own different setup! So the question is: is WireGuard good? Do you have any sources that help me? Or should I choose a different protocol, because I'm living in Iran and WireGuard won't work? I'm not an IT or network engineer. For example, when I was setting up WireGuard last night:

[Interface]
PrivateKey = base64_encoded_peer_private_key_goes_here
Address = 10.8.0.2/24
Address = fd0d:86fa:c3bc::2/64

[Peer]
PublicKey = ****************************************
AllowedIPs = 10.8.0.0/24, fd0d:86fa:c3bc::/64
Endpoint = 203.0.113.1:51820

I didn't know what I should choose for my Address or Endpoint or AllowedIPs, or in the server config itself! Which IP? I've seen this repo too and I get nothing. Does OpenVPN work in Iran? Or does the government only block those servers that were providing VPNs like Nord or ProtonVPN? If I have access to my server, then any kind of setup must work, right??? I don't know, you tell me. Here @arandomgstring says:

There exist many one-click scripts that set up v2ray on a server without the need for Python: https://github.com/reeceyng/v2ray-agent , https://github.com/wulabing/Xray_onekey , https://github.com/proxysu/ProxySU to name a few.

So WHAT THE HELL IS THIS? I can barely understand and write English!

Notes
Set Cloudflare -> SSL/TLS -> Overview -> Full
Cloudflare ---> the cloud icon for the A record must be grey [if it is not grey, the scheduled task that automatically renews the certificate will be affected]
If you use a CDN and a direct connection at the same time, turn off the cloud icon and pick your own IP; for picking an IP, refer to the [Cloudflare optimization guide](https://github.com/reeceyng/v2ray-agent/blob/master/documents/optimize_V2Ray.md) above
Install on a clean system; if you have installed with other scripts and cannot fix the errors yourself, reinstall the system and then try the installation again
wget: command not found [you need to install wget manually here]; if you have never used Linux, [click here](https://github.com/reeceyng/v2ray-agent/tree/master/documents/install_tools.md) for the installation tutorial
Non-root accounts are not supported
If you run into Nginx-related problems, uninstall the self-compiled nginx or reinstall the system
To save time, attach detailed screenshots or follow the template when reporting; issues without screenshots or not following the template will be closed directly
Not recommended for GCP users
CentOS and older systems are not recommended; if the CentOS installation fails, switch to Debian 10 and try again. The script no longer supports CentOS 6 or Ubuntu 16.x
[If anything about usage is unclear, read the script usage guide first](https://github.com/reeceyng/v2ray-agent/blob/master/documents/how_to_use.md)
Oracle Cloud has an additional firewall that must be configured manually
Oracle Cloud only supports Ubuntu
If you forward gRPC through Cloudflare, you need to allow gRPC in the Cloudflare settings, path: Cloudflare Network -> gRPC
gRPC is currently in testing and may not be compatible with your client; if it does not work, ignore it
If the script fails to start after upgrading from an older version to a newer one, [click this link for the solution](https://github.com/reeceyng/v2ray-agent/blob/master/documents/how_to_use.md#4%E4%BD%8E%E7%89%88%E6%9C%AC%E5%8D%87%E7%BA%A7%E9%AB%98%E7%89%88%E6%9C%AC%E5%90%8E%E6%97%A0%E6%B3%95%E5%90%AF%E5%8A%A8%E6%A0%B8%E5%BF%83)

BUT I found this, and also @arandomgstring says:

and I am pretty sure it's not the only one.

So I'm all ears: is there any script for me, who knows nothing, to build or set up a VPN? An easy script for setting up VPNs on my VPS.

thanks and sorry for my English.

cross-hello commented 1 year ago

Maybe the following repository could be deployed with one bash line: https://github.com/maplecool/easytrojan

Azadzadeh commented 1 year ago

Last night I tried to set up WireGuard

They have blocked UDP on many networks. UDP-based methods like WG, Hysteria, etc. are futile.

used this source to set it up

However, if you insist, first test whether your network has blocked UDP or not. Do this socat test: https://hysteria.network/docs/common-problems/#erro-errortimeout-no-recent-network-activity . If it succeeds, there are a lot of scripts for setting up WG that provide a UI. See these: https://github.com/WeeJeWel/wg-easy , https://github.com/angristan/wireguard-install , https://github.com/ngoduykhanh/wireguard-ui

I've seen this repo too and I get nothing. Does OpenVPN work in Iran?

No, apparently they can detect OpenVPN.

Or does the government only block those servers that were providing VPNs like Nord or ProtonVPN?

Yes, they do, but blacklisted IPs are not restricted to these famous apps.

If I have access to my server, then any kind of setup must work, right??? I don't know, you tell me.

There are no guarantees that the IP you are renting has not become dirty because of other customers. See: https://github.com/net4people/bbs/issues/176#issuecomment-1358003951

So I'm all ears: is there any script for me, who knows nothing, to build or set up a VPN? An easy script for setting up VPNs on my VPS.

I haven't tried the script you linked, but I guess it works. There is also this for setting up x-ui with an English user interface: https://github.com/NidukaAkalanka/x-ui-english

Best VPN protocol setup for a VPS

Tell us if you find out! Xray+VLESS+TCP+TLS seems to be the most resilient, but it doesn't protect against active probing (see https://github.com/net4people/bbs/issues/166#issuecomment-1356813450). You need to have a camouflage website on port 443 with HTTPS and redirect suspicious packets to this endpoint so the censor does not add your domain/IP to the list.

If you have SSH access to a server and just want to proxy your PC, you can simply use an SSH-based SOCKS proxy. See this: https://github.com/HirbodBehnam/V2Ray-Installer/blob/master/Guides/SSH.md

Msadr471 commented 1 year ago

Seems it doesn't work right? [screenshot]

Azadzadeh commented 1 year ago

Seems it doesn't work right?

You need to type stuff on one end and see the echo on the other end. Did you type some characters?

Msadr471 commented 1 year ago

Like this: [screenshot]

Azadzadeh commented 1 year ago

Like this:

Yeah, goodbye UDP.

Azadzadeh commented 1 year ago

@Msadr471 check out my updated comment (SOCKS5 guide). There is also this guide https://github.com/iranxray/hope with Farsi explanations.

Msadr471 commented 1 year ago

@Msadr471 check out my updated comment (SOCKS5 guide). There is also this guide https://github.com/iranxray/hope with Farsi explanations.

WOW, it's great, well done mate.

free-the-internet commented 1 year ago

Tell us if you find out! Xray+VLESS+TCP+TLS seems to be the most resilient, but it doesn't protect against active probing (see #166 (comment)). You need to have a camouflage website on port 443 with HTTPS and redirect suspicious packets to this endpoint so the censor does not add your domain/IP to the list.

Do you have a tutorial for having a fallback website for VLESS + TCP + TLS? I see one here: https://henrywithu.com/coexistence-of-web-applications-and-vless-tcp-xtls/ but it looks complex; I feel it must be simpler than that. FYI, I used this: https://github.com/v2fly/v2ray-examples/tree/master/VLESS-TCP-TLS-proxy%20protocol, but I get an nginx config error.

Azadzadeh commented 1 year ago

Do you have a tutorial for having a fallback website for VLESS + TCP + TLS?

No, I think @arandomgstring has set it up like this. I think he has used a derivation of this: https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-TLS-WS%20(recommended)

sinatarianian commented 1 year ago

Tell us if you find out! Xray+VLESS+TCP+TLS seems to be the most resilient, but it doesn't protect against active probing (see #166 (comment)). You need to have a camouflage website on port 443 with HTTPS and redirect suspicious packets to this endpoint so the censor does not add your domain/IP to the list.

Do you have a tutorial for having a fallback website for VLESS + TCP + TLS? I see one here: https://henrywithu.com/coexistence-of-web-applications-and-vless-tcp-xtls/ but it looks complex; I feel it must be simpler than that. FYI, I used this: https://github.com/v2fly/v2ray-examples/tree/master/VLESS-TCP-TLS-proxy%20protocol, but I get an nginx config error.

See this repo: https://github.com/reeceyng/v2ray-agent . It works for me.

pirooz-gthb commented 1 year ago

VLESS has been deprecated and will be removed from V2Ray. The manual recommends using Trojan instead of VLESS.

Azadzadeh commented 1 year ago

See this repo: https://github.com/reeceyng/v2ray-agent

Oh, it's a maintained fork of the mack-a script! His script looked very robust when I tried it (Trojan option). I don't know why he suddenly removed his repo. I mean, did he find a security flaw and didn't want to spend time on it (so he removed it), or what?

sinatarianian commented 1 year ago

Yeah, but unfortunately more information about mack-a is not available.

Msadr471 commented 1 year ago

@Msadr471 check out my updated comment (SOCKS5 guide). There is also this guide https://github.com/iranxray/hope with Farsi explanations.

You won't believe it. THIS is working for me right now in Iran. I did everything and now I have my own VPN, Trojan and VLESS both working. The only problem is that when I was testing my VPS speed it was almost 90 MB/s, but my Trojan and VLESS are about 2 MB/s. They explained it in Persian and very easily. I'm so glad, thank you guys for helping.

Azadzadeh commented 1 year ago

The only problem is that when I was testing my VPS speed it was almost 90 MB/s, but my Trojan and VLESS are about 2 MB/s.

Yeah, they have throttled download/upload bandwidth to foreign servers. Two questions:

Can you try a speedtest (average of 3) with the VLESS and Trojan configs (separately) and write the results here? I wonder if Trojan's upload speed is better than VLESS's...

free-the-internet commented 1 year ago

Do you have a tutorial for having a fallback website for VLESS + TCP + TLS?

No, I think @arandomgstring has set it up like this. I think he has used a derivation of this: https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-TLS-WS%20(recommended)

@arandomgstring, could you please share your setup that has VLESS + TCP + TLS + fallback to a mock site (nginx)?

BTW, thanks @Azadzadeh and @bensafai

Azadzadeh commented 1 year ago

The mack-a script had a camouflage option and supported both Trojan and Trojan-Go.

But... someone with specialized network and cryptography experience needs to review the forked script for possible problems (since the original repo was removed).

If that question is answered, I think mack-a + Trojan-Go + camouflage would be our best method.

@alirezaac what's the latest status on NaiveProxy? Found any script, guide or setup that works on WiFi and mobile (Irancell and MCI)?

Msadr471 commented 1 year ago

The only problem is that when I was testing my VPS speed it was almost 90 MB/s, but my Trojan and VLESS are about 2 MB/s.

Yeah, they have throttled download/upload bandwidth to foreign servers. Two questions:

Can you try a speedtest (average of 3) with the VLESS and Trojan configs (separately) and write the results here? I wonder if Trojan's upload speed is better than VLESS's...

Trojan: Down = 14.6 Mbps / Up = 22.4 Mbps; VLESS: Down = 16.1 Mbps / Up = 26.9 Mbps

And it is NOT working on Irancell and Hamrah-e Aval Mobile data!!!

It's working on Hamrah-e Aval (MCI)

If anybody knows a way to make it work on Irancell and Hamrah-e Aval, let me know! Thanks.

My ISP is DIDI

arandomgstring commented 1 year ago

@pirooz-gthb That's not right. You have probably seen their English-translated website, which is 1 year behind the actual development of v2ray. See it yourself: https://www.v2fly.org/config/protocols/vless.html, do you see anything related to deprecation? Absolutely not. And even RPRX him/herself, in a topic (I can't find it now), said that VLESS can be considered more secure than Trojan, because Trojan produces a "particular" SOCKS5-like traffic under the hood, and I can't agree more.

@Msadr471

You can always use Google Translate or DeepL for their whole bash file, or you can translate line by line, you know... I am saying this because the original Chinese resources are always far ahead. And simply saying something doesn't work doesn't help much. What does the log say?

Msadr471 commented 1 year ago

@pirooz-gthb That's not right. You have probably seen their English-translated website, which is 1 year behind the actual development of v2ray. See it yourself: https://www.v2fly.org/config/protocols/vless.html, do you see anything related to deprecation? Absolutely not. And even RPRX him/herself, in a topic (I can't find it now), said that VLESS can be considered more secure than Trojan, because Trojan produces a "particular" SOCKS5-like traffic under the hood, and I can't agree more.

@Msadr471

You can always use Google Translate or DeepL for their whole bash file, or you can translate line by line, you know... I am saying this because the original Chinese resources are always far ahead.

Thanks, but now I have set it up on my VPS and it is running, except the thing is:

it is NOT working on Irancell and Hamrah-e Aval Mobile data!!!

So it is useless, I suppose.

And I'm tired of this whole thing; I suppose the whole internet is gonna be BLOCKED forever in Iran. I'm a student and I need the internet. Even now it's only working because I'm connected to my university WiFi, but what can we do? Right?! I've just got this VPS, and now I have to get my money back. I was so happy that it might work on all ISPs, but no! Sooner or later no one will have access to the internet.

Goodbye world

Azadzadeh commented 1 year ago

The only problem is that when I was testing my VPS speed it was almost 90 MB/s, but my Trojan and VLESS are about 2 MB/s.

Yeah, they have throttled download/upload bandwidth to foreign servers. Two questions: can you try a speedtest (average of 3) with the VLESS and Trojan configs (separately) and write the results here? I wonder if Trojan's upload speed is better than VLESS's...

![Trojan 01](https://user-images.githubusercontent.com/49529241/209210496-ff1a8fde-9a3b-4fc0-92a7-dbd6661da97e.jpg) ![Trojan 001](https://user-images.githubusercontent.com/49529241/209210505-2ae7c981-5cbe-4950-8a8e-11128d87f3f5.jpg)

![Trojan 02](https://user-images.githubusercontent.com/49529241/209210507-5fcf16e4-79d0-4ea3-bff9-98a21072b218.jpg) ![Trojan 002](https://user-images.githubusercontent.com/49529241/209210514-dfb18eea-f896-452f-8e8b-fda6eac741db.jpg)

![VLESS 01](https://user-images.githubusercontent.com/49529241/209210520-36ca97d4-37c0-4503-9b75-e541d044779b.jpg) ![VLESS 001](https://user-images.githubusercontent.com/49529241/209210525-4d0f4b05-0b8f-45bb-9c77-c61872b3de15.jpg)

![VLESS 02](https://user-images.githubusercontent.com/49529241/209210529-fe3b3351-f017-4b33-a4f5-1a3c40b5a9e8.jpg) ![VLESS 002](https://user-images.githubusercontent.com/49529241/209210532-5b582cb7-de43-47ed-8904-d8431925a33a.jpg) ![VLESS 003](https://user-images.githubusercontent.com/49529241/209210535-3e8dcdd8-7b47-478b-a82b-202f13bba31e.jpg)

My ISP is DIDI

What am I looking at? You just need to 1) activate VLESS or Trojan, 2) do the speedtest (Go button), 3) wait for it to finish, 4) write two numbers here: download speed / upload speed.

And it is NOT working on Irancell and Hamrah-e Aval mobile data!!! If anybody knows a way to make it work on Irancell and Hamrah-e Aval, let me know! Thanks.

It's a known issue... Did you use a domain name?

Either your IP was dirty, or they are blacklisting your European datacenter, or they can detect VLESS/Trojan. The last case is the worst.

Msadr471 commented 1 year ago

Either your IP was dirty, or they are blacklisting your European datacenter, or they can detect VLESS/Trojan. The last case is the worst.

Trojan: Down = 14.6 Mbps / Up = 22.4 Mbps; VLESS: Down = 16.1 Mbps / Up = 26.9 Mbps

I can access my VPS on Irancell and Hamrah-e Aval with SSH, so could I say it's not on their blacklist? The VPS I bought was expensive and I don't think it's dirty; is there any way to find out?

Azadzadeh commented 1 year ago

I'm a student and I need the internet even now I can access my VPS on Irancell and Hamrah-e Aval with SSH

As I said earlier, try the SSH-based SOCKS method I linked to in my first reply in this issue. You can connect to the internet via your cellphone service through the SOCKS proxy. This works on PC though, as I'm not aware of any method for Android that doesn't require root. So you feed your PC the cellphone internet via hotspot, then follow that guide on the PC side.

so could I say it's not on their blacklist?

No. The censor may let the SSH protocol through and just sometimes mess with HTTPS. As far as I know, this type of attack is called a Quality of Service attack. So, for example, instead of banning your IP, they may interfere with the quality of your connection. This way, we (the users) won't have any idea what went wrong.

and I don't think it's dirty, is there any way to find out?

See my first reply; I mentioned a test in that link:

There are no guarantees that the IP you are renting has not become dirty because of other customers. See: https://github.com/net4people/bbs/issues/176#issuecomment-1358003951

Did you use a domain name?

You did not answer this.

the VPS I bought was expensive

You said you bought from Hetzner. Hetzner is among the cheapest VPS providers. You just need to choose the cheapest cloud configuration (least amount of CPU cores, least amount of RAM, no persistent storage, etc.). But yeah, the dollar-to-rial exchange rate is too much for Iranians, I agree.

Msadr471 commented 1 year ago

Did you use a domain name?

You did not answer this.

I forgot this one, I'm not sure what this is. Is it this one? [screenshot]

the VPS I bought was expensive

You said you bought from Hetzner. Hetzner is among the cheapest VPS providers. You just need to choose the cheapest cloud configuration (least amount of CPU cores, least amount of RAM, no persistent storage, etc.). But yeah, the dollar-to-rial exchange rate is too much for Iranians, I agree.

Yeah, in rial it's expensive for me!

As for checking if there is a problem with the domain/IP/CDN: fire up an HTTPS website on port 443 and try to access it without a proxy from your problematic network (WiFi or mobile). Check if you are experiencing TLS handshake errors or sudden TCP resets. If that is the case, I think your domain/IP is under a QoS attack. (Note that this is all my hypothesis.)

Does doing this take time? And is firing up an HTTPS site easy? For HTTP I think I would need an SSL certificate, right?

Azadzadeh commented 1 year ago

I forgot this one, I'm not sure what this is. Is it this one?

Hmm... so you don't have a domain and used a self-signed certificate... I don't know whether the censor is able to detect if a certificate is not issued by a valid issuer... usually the guides instruct people to register their own domain names...

Does doing this take time? And is firing up an HTTPS site easy? For HTTP I think I would need an SSL certificate, right?

See tutorials on Caddy or nginx... you just need to prepare or download an index.html file from somewhere and host it on port 443 via HTTPS. For HTTPS you need an SSL certificate, otherwise the browser would say the certificate is not valid.

After that, you need to capture both the incoming packets to port 443 on the server and the outgoing packets to the domain/IP from the client (with Wireshark or tcpdump) and see if an external RST was issued or whether the TLS handshake fails, etc.
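The check described in this reply and the earlier one (plain TCP to the SSH port works, HTTPS to the same IP sees resets or handshake timeouts) can be repeated from the client side without a packet capture. This is an added example written for this thread, not code from any project mentioned here; it uses only the Python standard library, and the host, ports and attempt counts are whatever you pass on the command line.

```python
"""Repeat plain-TCP and TLS probes against one host and tally the outcomes.

Added example for this thread: compare SSH (TCP connect only) with HTTPS
(TCP connect + TLS handshake) on the same IP, counting resets, timeouts and
handshake failures per attempt. Stdlib only.
"""
import argparse
import socket
import ssl
import time
from collections import Counter

TIMEOUT = 5.0  # seconds per attempt; a silently dropped handshake shows as "timeout"


def classify_error(exc):
    """Map an exception from connect()/handshake to a coarse category.

    ssl.SSLError, ConnectionResetError, ConnectionRefusedError and
    socket.gaierror are all OSError subclasses, so specific checks come first.
    """
    if isinstance(exc, socket.gaierror):
        return "dns_failure"   # name did not resolve
    if isinstance(exc, ConnectionRefusedError):
        return "refused"       # RST in reply to SYN: nothing listening (or filtered that way)
    if isinstance(exc, ConnectionResetError):
        return "tcp_reset"     # RST after the connection was established
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"       # SYN or handshake bytes dropped without any reply
    if isinstance(exc, ssl.SSLError):
        return "tls_error"     # handshake failed or was cut short (includes SSLEOFError)
    if isinstance(exc, OSError):
        return "os_error"
    return "unknown"


def probe_once(host, port, tls, verify=True):
    """One attempt: TCP connect and, if tls=True, a full TLS handshake.

    Returns (category, elapsed_ms, detail). verify=False skips certificate
    validation so a self-signed certificate still counts as a completed handshake.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            if not tls:
                return "tcp_ok", round((time.monotonic() - start) * 1000), ""
            ctx = ssl.create_default_context()
            if not verify:
                ctx.check_hostname = False   # must be cleared before verify_mode
                ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                return "tls_ok", round((time.monotonic() - start) * 1000), tls_sock.version() or ""
    except Exception as exc:  # classify every failure, never abort the series
        return classify_error(exc), round((time.monotonic() - start) * 1000), f"{type(exc).__name__}: {exc}"


def probe(host, port, tls, attempts=5, pause=1.0, verify=True):
    """Run probe_once `attempts` times with a pause between attempts."""
    results = []
    for i in range(attempts):
        results.append(probe_once(host, port, tls, verify=verify))
        if i + 1 < attempts:
            time.sleep(pause)
    return results


def summarize(results):
    """Tally categories and give a verdict.

    'intermittent' (some attempts succeed, others reset or time out on the same
    port) is the pattern the thread attributes to selective interference; an
    outright block shows up as 'unreachable' on every attempt.
    """
    counts = Counter(cat for cat, _, _ in results)
    total = len(results)
    ok = counts.get("tcp_ok", 0) + counts.get("tls_ok", 0)
    if total == 0:
        verdict = "no data"
    elif ok == total:
        verdict = "reachable"
    elif ok == 0:
        verdict = "unreachable"
    else:
        verdict = "intermittent"
    return {"total": total, "ok": ok, "verdict": verdict, "counts": dict(counts)}


def compare(host, tcp_port=22, tls_port=443, attempts=5, verify=True):
    """The comparison from the thread: plain TCP to the SSH port vs TLS on 443."""
    return {
        "tcp": summarize(probe(host, tcp_port, tls=False, attempts=attempts)),
        "tls": summarize(probe(host, tls_port, tls=True, attempts=attempts, verify=verify)),
    }


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Compare TCP and TLS reachability of one host.")
    ap.add_argument("host")
    ap.add_argument("--tcp-port", type=int, default=22)
    ap.add_argument("--tls-port", type=int, default=443)
    ap.add_argument("--attempts", type=int, default=5)
    ap.add_argument("--insecure", action="store_true", help="accept a self-signed certificate")
    args = ap.parse_args()
    for name, s in compare(args.host, args.tcp_port, args.tls_port, args.attempts, not args.insecure).items():
        print(f"{name}: {s['verdict']} ({s['ok']}/{s['total']} ok) {s['counts']}")
```

Run it once from the network that works and once from the one that fails; a 'reachable' TCP column next to an 'intermittent' or 'unreachable' TLS column on the same IP is the pattern worth capturing with tcpdump afterwards.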

Msadr471 commented 1 year ago

and used a self-signed certificate

Yes, I remember this part; it was a self-signed certificate.

After that, you need to capture both the incoming packets to port 443 on the server and the outgoing packets to the domain/IP from the client (with Wireshark or tcpdump) and see if an external RST was issued or whether the TLS handshake fails, etc.

No, I don't have time for that, thanks anyway. I will try SSH.

arandomgstring commented 1 year ago

@Msadr471

And I'm tired of this whole thing; I suppose the whole internet is gonna be BLOCKED forever in Iran.

Yes. They will give you very limited access to certain foreign websites, though, because you are a student after all. Take it as a win. And you didn't show me any "logs", but from what I can see, the strange thing about your configuration is that it is working on WiFi. It should not be able to work anywhere at all, because you don't even own a domain. Without a domain, you cannot even propagate DNS, much less issue a self-signed certificate. And SSH works because it uses the IP of your VPS directly, without a domain. It has nothing to do with QoS. If you are so tired of configuring your VPS, pay someone to do it for you, or well, enjoy your limited access to the internet while it lasts.

Azadzadeh commented 1 year ago

It has nothing to do with QoS.

Whitelisted protocols are a thing... they may let SSH pass through even to a foreign IP but randomly send RST to HTTPS traffic to the same IP.

The censor still attempts to avoid over-blocking. A key insight shared by Tschantz et al., after summarizing a large number of real-world censorship incidents, is that "[c]ensors use exploits for which packet loss results in under-blocking instead of over-blocking" (see Table V and Recommendation 5). This conclusion still holds for the current blocking incident, where the censor 1) limits its blocking only to a few popular VPS providers; and 2) uses relatively loose conditions to whitelist protocols.

the strange thing about your configuration is that it is working on Wifi.

It seems mobile networks are their laboratory for experimenting with different blocking techniques. We still don't know whether his IP was dirty, or his provider's IP range traffic is being tampered with, or if they can detect VLESS/Trojan.

@bensafai what exact method are you using, and does it work on mobile?

Msadr471 commented 1 year ago

And you didn't show me any "logs" but from what I can see, the strange thing about your configuration is that it is working on Wifi. It should not be able to work anywhere at all, because you don't even own a domain.

How can I show my logs? As I said earlier, I'm not a pro, and if you guide me I will. I saw some YouTubers doing this configuration with a domain; I did not understand that part (before that I did not even notice it, so somehow I skipped this part) and I didn't do it. After that, when @Azadzadeh recommended this repo to me, I did all the parts, and now I have access to the internet. But why is it strange? Because I don't have a domain? Do you mean this? [screenshot]

Azadzadeh commented 1 year ago

How can I show my logs? As I said earlier, I'm not a pro, and if you guide me I will

The x-ui server log can be seen with tail -f /usr/local/x-ui/access.log. The service and panel log can be seen with: journalctl -u x-ui.service

These logs contain lots of private info, so review them if you want to post them publicly.

I don't think these logs would help in debugging our particular problem (that is, the server being inaccessible from mobile networks). For that we would need pcap dumps.

arandomgstring commented 1 year ago

@Azadzadeh

Whitelisted protocols are a thing... they may let SSH pass through even to a foreign IP but randomly send RST to HTTPS traffic to the same IP.

Nah, I am going to bet that the first thing they are gonna limit is SSH rather than HTTPS. Why? Because the most notorious VPNs use SSH. Psiphon is the first one that comes to my mind. Besides that, you can make proxies with sshuttle (or without it) very easily (easier than V2Ray, since you need no TLS certificate or complex configuration), and moreover, why would they block HTTPS, the traffic of normal websites that most users need, and let SSH go through? @Msadr471 doesn't own a domain, which is why his domain doesn't resolve to any IP address.

@Msadr471

Are you using V2rayNG or something on your smartphone? What application do you use to connect to your server? You can always find logs somewhere within the application that you are using to connect to the proxy server. For example, at the bottom of V2rayN a log like this is shown:

[screenshot]

The logs above show that my proxy is working fine. Yours is probably saying that no IP address could be found for the hostname. I need logs from the client, not the server. Any client application you are using (V2rayN, Nekoray, etc.) shows a log. That's the useful thing.

Now this is a suggestion, but if you are OK with SSH, why don't you use it? There is absolutely no need for V2Ray anyway. If you want to use SSH as a proxy, the only thing you need to do is SSH tunneling. Search for it on the internet; there are many resources for it. Either you run a command to make it, or you can use PuTTY for it, doesn't matter. On Windows, you can use Proxifier to tunnel all applications through the SSH tunnel. On Android, you can use HTTP Injector, or other applications that support SSH proxy. Same goes for iPhone.

Msadr471 commented 1 year ago

It seems mobile networks are their laboratory for experimenting with different blocking techniques. We still don't know whether his IP was dirty, or his provider's IP range traffic is being tampered with, or if they can detect VLESS/Trojan.

Yeah, this is strange for me too; some ISPs have more restrictions than others. And sometimes these restrictions even won't let me or other Iranians access Iranian websites that are located here.

To check my IP I should do this:

After that, you need to capture both the incoming packets to port 443 on the server and the outgoing packets to the domain/IP from the client (with Wireshark or tcpdump) and see if an external RST was issued or whether the TLS handshake fails, etc.

I mean, another strange thing is that I found an app called Intra and it works on Irancell. When I turn it on it lets me access some websites like YouTube and Twitter, NOT all blocked websites, but most of them. It's a DNS manager, so how is this one working? It doesn't change my IP?! For example, it won't work on Instagram and WhatsApp or Telegram, but it works on Pinterest (it's blocked too).

Last night I tried and noticed that Trojan is working on Hamrah-e Aval.

My question is: in Iran, there is no such thing as a private company or anything that the government does not control. So why do these internet providers have different methods for blocking? Well, I know that when the government orders Irancell or Hamrah-e Aval to block this platform, they must also act. Well, they all use the same method for blocking. Is it true? (Well, different methods are needed for blocking, but do these internet providers have access to these methods? Right??) And they must follow that rule; if they don't do that, it will be a violation of the government's order and the business will be closed. It is possible to change the management of that company (if it's a big corporation) and replace one of them to comply with the government's demands and implement their own policies. So how come we see significant differences even in two of the largest mobile internet providers?

arandomgstring commented 1 year ago

@Msadr471

so how is this one working? It doesn't change my IP?! For example, it won't work on Instagram and WhatsApp or Telegram, but it works on Pinterest (it's blocked too).

It's easy to answer this question. First of all, you need to know that many websites have many IPs, not only one. For example, there should be at least 1000 IPs for YouTube, I guess. Finding every single IP and blocking it is a pain. So the censor will block a site according to its domain. For example, every time you type youtube, a DNS request is sent from your browser to the ISP, asking what the IP address of YouTube is. The ISP replies with a fake IP address, so you cannot open YouTube, even though the real IP addresses of YouTube are not blocked.

If you manage to find all of YouTube's IPs for every single domain inside YouTube (which you cannot see unless you use Wireshark), you will be able to open YouTube without a VPN. Sometimes though, some apps such as Telegram and WhatsApp use a few IPs. So the censor can easily block them directly by their IP address. It has nothing to do with DNS (you are not asking what the IP address of Telegram is; your Telegram application knows it); it's a direct block on the IP itself, and you cannot bypass it without a VPN.

As for the difference between ISPs, well, their devices are different, their traffic is different, etc. For example, a smaller ISP needs to let some traffic go through, otherwise it goes bankrupt. Big companies such as Irancell don't care about these things.

Azadzadeh commented 1 year ago

So how come we see significant differences even in two of the largest mobile internet providers?

These internet providers may have different contracts with different Chinese or Russian companies for DPI systems... as I said, they test different techs at different times and share their results among themselves... once their boss asks them to turn off the lights, they simply use the one method that worked fine against all these proxy solutions...

That's why I say if just one network can block our access, it means the writing is on the wall and other ISPs will soon follow.

Azadzadeh commented 1 year ago

why would they block HTTPS, the traffic of normal websites that most users need, and let SSH go through

Because tech people need SSH... their messing with HTTPS is random and sporadic... the user simply closes the website or hits refresh... but proxy apps break.

arandomgstring commented 1 year ago

@Azadzadeh

But he says that he cannot connect to his proxy on mobile ISPs at all! He didn't say that he can connect but it is slow or packet loss is high or something. It's beyond throttling; there has to be a simple reason, such as not having a domain, for this type of problem. Proxy apps too won't break; they are designed in a way that they re-establish their aborted connections. At least, that is the case for V2rayN. And if you were the censor, would you rather block the access of tech people (who make proxies) or normal users?

Azadzadeh commented 1 year ago

And if you were the censor, would you rather block the access of tech people (who make proxies) or normal users?

Normal users... most tech people just do their job.

But he says that he cannot connect to his proxy on mobile ISPs at all

I think he has SSH access to that IP through mobile... also later he said Trojan worked on MCI... he can simply ping or tcping his IP to find out if it's completely blocked or not.

there has to be a simple reason, such as not having a domain, for this type of problem

Apparently their DPI system interferes with the first two packets... not having a domain is not the only problem. It's more complicated, see: https://ntc.party/t/paper-summary-detecting-and-evading-censorship-in-depth-a-case-study-of-irans-protocol-filter-foci-2020/655

Msadr471 commented 1 year ago

These logs contain lots of private info, so review them if you want to post them publicly.

OK, I will do that.

Are you using V2rayNG or something on your smartphone? What application do you use to connect to your server?

Yes, on Android it's V2rayNG. I tried to use Trojan on SagerNet or Clash, Surfboard; I think it didn't work! Don't know why! And on my laptop I'm on Linux Mint and I'm using Nekoray: [screenshot]


My V2rayNG logs on my Android phone: [screenshots]

I also created an MTProto proxy for my Telegram like this on my server too: [screenshot]

These results are on my university WiFi! Same result on MCI too.

I think he has SSH access to that IP through mobile... also later he said Trojan worked on MCI... he can simply ping or tcping his IP to find out if it's completely blocked or not.

Well, I did this ping on Irancell and MCI and both respond! But tcping:

[screenshots]

Msadr471 commented 1 year ago

The x-ui server log can be seen with tail -f /usr/local/x-ui/access.log. The service and panel log can be seen with: journalctl -u x-ui.service

[screenshots]

pirooz-gthb commented 1 year ago

@pirooz-gthb That's not right. You have probably seen their English-translated website, which is 1 year behind the actual development of v2ray. See it yourself: https://www.v2fly.org/config/protocols/vless.html, do you see anything related to deprecation? Absolutely not. And even RPRX him/herself, in a topic (I can't find it now), said that VLESS can be considered more secure than Trojan, because Trojan produces a "particular" SOCKS5-like traffic under the hood, and I can't agree more.

What you are looking at is v4 of V2Ray, but what I'm pointing at is v5. It is written in both languages, English and Chinese:

sinatarianian commented 1 year ago

result

MTN Mobile TCI (Sabet-Khanagi) MCI
Shiraz 1,2,3,4,5,6,7,8
Tehran (Seyed Khandan) 2 9
Tehran (Chitgar Lake) 2
Tehran (Ekbatan) 1,9
Karaj (Mehr-Shahr) 3,9
Tabriz 5
Yazd 4,5,6,7,8 4,5,6,7,8

The numbers visible in the image relate to the v2ray setups that connected with an acceptable speed for Instagram usage as of yesterday. It's a really muddy situation. I can just say that there is no best solution anywhere. The law of the jungle dictates which configuration is the best.

1: Vless+ws+tls+443+Cloudflare-CDN (Hetzner-DE)
2: Vmess+ws+tls+443+Cloudflare-CDN (Hetzner-DE)
3: Vless+tcp+tls+443+alpn(http/1.1) (Hetzner-DE)
4: Vless+tcp+xtls(rprx-direct)+443+Cloudfront-CDN (AWS-DE)
5: Vless+tcp+xtls(rprx-splice)+443+Cloudfront-CDN (AWS-DE)
6: Vless+ws+tls+443+Cloudfront-CDN (AWS-DE)
7: Vmess+ws+tls+443+Cloudflare-CDN (AWS-DE)
8: Trojan+grpc(gun)+tls+443+alpn(h2)+Cloudfront-CDN (AWS-DE)
9: Vless+grpc(multi)+tls+443+alpn(h2,http/1.1)+Cloudflare-CDN (AWS-DE)

free-the-internet commented 1 year ago

result

The numbers visible in the image relate to the v2ray setups that connected with an acceptable speed for Instagram usage as of yesterday. It's a really muddy situation. I can just say that there is no best solution anywhere. The law of the jungle dictates which configuration is the best.

1: Vless+ws+tls+443+Cloudflare-CDN (Hetzner-DE)
2: Vmess+ws+tls+443+Cloudflare-CDN (Hetzner-DE)
3: Vless+tcp+tls+443+alpn(http/1.1) (Hetzner-DE)
4: Vless+tcp+xtls(rprx-direct)+443+Cloudfront-CDN (AWS-DE)
5: Vless+tcp+xtls(rprx-splice)+443+Cloudfront-CDN (AWS-DE)
6: Vless+ws+tls+443+Cloudfront-CDN (AWS-DE)
7: Vmess+ws+tls+443+Cloudflare-CDN (AWS-DE)
8: Trojan+grpc(gun)+tls+443+alpn(h2)+Cloudfront-CDN (AWS-DE)
9: Vless+grpc(multi)+tls+443+alpn(h2,http/1.1)+Cloudflare-CDN (AWS-DE)

Looks random to me. I would say there is no correlation between the protocol and successful connectivity, because all the setups are the same from the censor's point of view. Maybe it is more related to the IP and random droppings? Or the settings of the users, especially the DNS thing. Also the blockage of the CDN IP.

Msadr471 commented 1 year ago

Is it doable to have a Tor node or relay on my VPS that I can use? In that case, I think it has better speed, right? Tor is very good in Iran and works on every platform and ISP. Both bridges are working:

(Tor Browser bridge screenshot)

free-the-internet commented 1 year ago

Is it doable to have a Tor node or relay on my VPS that I can use? In that case, I think it has better speed, right? Tor is very good in Iran and works on every platform and ISP. Both bridges are working.

Unfortunately, Snowflake bridges are commissioned by the broker. You can only make and use private obfs4 bridges on your VPS. Search the Tor documentation; they explain it. But Tor speed is affected by the Tor nodes, so you cannot guarantee your speed. FYI: 3 months ago I created a Tor obfs4 bridge, but it couldn't connect in Iran. Please try and report here. Thanks.

Msadr471 commented 1 year ago

FYI: 3 months ago I created a Tor obfs4 bridge, but it couldn't connect in Iran. Please try and report here. Thanks.

Can I make it private for myself?

Msadr471 commented 1 year ago

Is it doable to have a Tor node or relay on my VPS that I can use? In that case, I think it has better speed, right? Tor is very good in Iran and works on every platform and ISP. Both bridges are working.

Unfortunately, Snowflake bridges are commissioned by the broker. You can only make and use private obfs4 bridges on your VPS. Search the Tor documentation; they explain it. But Tor speed is affected by the Tor nodes, so you cannot guarantee your speed. FYI: 3 months ago I created a Tor obfs4 bridge, but it couldn't connect in Iran. Please try and report here. Thanks.

I don't know if it's good news or not, but I set it up just now and it's working on Hamrah-e Aval (MCI) and my WiFi, but it still won't work on Irancell.

Msadr471 commented 1 year ago

So, I told a friend and he helped me; now my VPS works on all ISPs, including Irancell. Solution: Irancell (obviously) limited its connections to outside Iran, so instead of trying to communicate with the outside world, which Irancell limits, I routed my traffic through "Arvan Cloud" and then to the Hetzner server. For now, the only thing that Irancell sees is "Arvan Cloud", not Hetzner. Also, my VPS now has an SSL certificate and a domain. In the end, my speed is now super fast:

WiFi: (speedtest screenshot, 2022-12-25)

Irancell: (speedtest screenshot, 2022-12-25)
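A quick way to confirm the claim above, that the ISP only ever sees the CDN's address and not the Hetzner origin, is to check what the domain actually resolves to. The script below is an added example, not from the thread or from Arvan Cloud; it uses only the standard library. The origin address (198.51.100.7) and the CDN prefix (203.0.113.0/24) are constructed documentation-range values, and `resolver` is an injectable hook so the check can be exercised offline; in real use you would pass the real origin IP and the CDN's published prefixes. It catches the failure mode that the one-click-script notes in the opening post warn about: a DNS-only ("grey cloud") record hands the origin IP straight to the ISP.

```python
import ipaddress
import socket

# Added example: verify that a CDN-fronted domain no longer answers with the
# origin VPS address. Values below are constructed placeholders.
ORIGIN_IPS = ["198.51.100.7"]          # the VPS that should stay hidden
CDN_PREFIXES = ["203.0.113.0/24"]      # the CDN's published ranges (stand-in)


def resolve_a(domain, resolver=None):
    """Return the set of IPv4 addresses `domain` resolves to.

    `resolver(domain) -> list[str]` defaults to the system resolver and can be
    replaced with a canned function for offline tests.
    """
    if resolver is None:
        def resolver(d):
            return socket.gethostbyname_ex(d)[2]
    return set(resolver(domain))


def origin_exposed(domain, origin_ips=ORIGIN_IPS, cdn_prefixes=CDN_PREFIXES,
                   resolver=None):
    """Classify each DNS answer as leaked origin, CDN edge, or unknown.

    ok is True only when every answer is inside a CDN prefix: then an ISP
    watching DNS and TCP destinations sees the CDN, not the origin.
    """
    answers = resolve_a(domain, resolver)
    nets = [ipaddress.ip_network(p) for p in cdn_prefixes]
    leaked = {a for a in answers if a in set(origin_ips)}
    via_cdn = {a for a in answers
               if any(ipaddress.ip_address(a) in n for n in nets)}
    unknown = answers - leaked - via_cdn
    return {
        "answers": sorted(answers),
        "leaked": sorted(leaked),
        "via_cdn": sorted(via_cdn),
        "unknown": sorted(unknown),
        "ok": not leaked and not unknown and bool(via_cdn),
    }


def report(domain, **kw):
    """Human-readable one-liner for the result of origin_exposed()."""
    r = origin_exposed(domain, **kw)
    if r["ok"]:
        return f"{domain}: fronted, answers {r['via_cdn']} are CDN edges"
    if r["leaked"]:
        return (f"{domain}: ORIGIN LEAKED via DNS {r['leaked']} "
                "(record is DNS-only / grey cloud?)")
    return f"{domain}: unexpected answers {r['unknown']}, check the CDN prefixes"


if __name__ == "__main__":
    import sys
    # Usage: python fronting_check.py my.example.domain
    print(report(sys.argv[1] if len(sys.argv) > 1 else "example.invalid"))
```

The check is deliberately narrow: it says nothing about what a DPI box sees inside the TLS handshake (SNI, fingerprint), only whether the address the ISP routes to belongs to the CDN. Pair it with the tcping check earlier in the thread, run against the origin IP directly, to confirm the direct path is the one being throttled.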

pirooz-gthb commented 1 year ago

Thank you for sharing the information, but it's better to keep your fingers off Arvan Cloud. They are under European Union sanctions.

Is Arvan Cloud the only viable service provider in Iran? Are there any other companies that do the same business?

Hadi-1624 commented 1 year ago

@Msadr471 When you say through Arvan Cloud, do you mean their CDN service or their VPS solution?