net4people / bbs

Forum for discussing Internet censorship circumvention

ports of destination tunnels are getting blocked. only connection is now ICMP #187

Open IMIEEET opened 1 year ago

IMIEEET commented 1 year ago

Let's say there is a tunnel using stunnel between an internal server and a second, out-of-country server. The second server sends the traffic to the main VPN server. Now what is happening in Iran is that they can detect the second server and totally block communication over ports: you can't establish a TCP or UDP connection to any port on that server. Only ICMP is allowed. Currently the only solution is to accept the connection on the first server via IP1 and send it to the next server via your IP2. This detection happens within 12 hours in low-traffic hours of the day and within 3 hours in peak hours.

curable-online commented 1 year ago

So you mean they are blocking access to the oversea server from any internal data-centre/server or blocking access to it only from client side?

And the second question is, does your solution mean having two IPs on the internal server:

Client=>serverA-IP1=>serverA-IP2=>serverB=>VPNserver

Where serverA is the internal server having two IPs and serverB is the foreign server having one IP.

Am I understanding properly?

IMIEEET commented 1 year ago

Well, blocking happens only when the source IP is from a datacenter, not just this specific datacenter (I tested that even a CDN can't connect to them), while consumer IPs like fixed or mobile ISPs can still make a TCP connection to the second server. It's mostly because they want to stop us from tunneling, while a regular user can access the second server normally without connecting to the internal server. Yes, that's right.

free-the-internet commented 1 year ago

@IMIEEET Did you run something like https://github.com/malkemit/namizun to do "Asymmetric upload and download"?

free-the-internet commented 1 year ago

Also I see reports that in Iran, some Iranian Tor exit nodes have appeared (that have Iranian IPs), thus people who get connected to these exit nodes don't have access to the uncensored Internet. @wkrp, would it be possible to block Iranian IPs from advertising themselves as Tor exit nodes? Although this might be useful when there is a shutdown, there is no evidence for the latter case, and I think the former use case has higher probability. I looked at the incident again; this is now something that I can't figure out: see https://whatismyipaddress.com/ip/198.96.155.3 (shows this IP's location is Iran), and https://ipinfo.io/198.96.155.3. Users reported that when their IP is 198.96.155.3, they don't have access to the uncensored Internet.

[Screenshot from 2022-12-31 15-16-31]

arandomgstring commented 1 year ago

@IMIEEET

I think that rather than the port magically being blocked, stunnel's TLS fingerprint is being blocked. You can do a simple test: simply download a (few) big file(s) from a foreign website which is not censored. If that website gets blocked on your VPS, it means that they simply block TLS connections to a specific IP after a certain usage (highly unlikely). If not, use something other than stunnel.

-> A better test would be running Wireshark and capturing the client hello and server hello packets.

IMIEEET commented 1 year ago

> @IMIEEET Did you run something like https://github.com/malkemit/namizun to do "Asymmetric upload and download"?

I'm testing this one; hope it will help. Thank you.

IMIEEET commented 1 year ago

> @IMIEEET
>
> I think that rather than the port magically being blocked, stunnel's TLS fingerprint is being blocked. You can do a simple test: simply download a (few) big file(s) from a foreign website which is not censored. If that website gets blocked on your VPS, it means that they simply block TLS connections to a specific IP after a certain usage (highly unlikely). If not, use something other than stunnel.

I will test this, but if it's TLS fingerprinting, why is it not blocked when I send through the second IP, while my other servers with one IP get blocked immediately? If it's what you said, is there any other TLS wrapper that's safer?

free-the-internet commented 1 year ago

> @IMIEEET Did you run something like https://github.com/malkemit/namizun to do "Asymmetric upload and download"?
>
> I'm testing this one; hope it will help. Thank you. If it's what you said, is there any other TLS wrapper that's safer?

Please use Trojan-TLS or VLESS+TLS with a fake website. See https://azadzadeh.github.io/iran-internet/docs/guides/circumvention/ Also, if torrent is not blocked, use it on your inside VPS (any other P2P system can also be used) to download free software. Lower the speed of the torrent by setting a download limit, which will prolong the download time; this might make your VPS look like it is exchanging data with many IPs, breaking the symmetric IP exchanges. I don't know the result, but maybe it will confuse the censor about taking harsh decisions.

arandomgstring commented 1 year ago

@IMIEEET

Packets, depending on their origin and destination, are routed differently out of Iran's internal network. Therefore, they encounter different types of firewalls on their way, which is why in some regions of Iran you might be able to access certain IPs, while in other regions doing so is impossible. As @free-the-internet said, you can use xray or v2ray wrappers. However, do not forget that you need to set the uTLS option in your config to firefox or chrome, to evade TLS fingerprint blocking. Otherwise, there is not much difference between stunnel and xray. A simple setup would be running VLESS + TLS on the server, and then using v2rayN or nekoray with the uTLS option set to firefox or chrome.

IMIEEET commented 1 year ago

@arandomgstring @free-the-internet What you said is crucial; I will apply this to my v2ray/xray servers. Thank you. But I use nginx as a proxy on the server behind a CDN, as it's able to do XFF. My main use for stunnel is OpenVPN, but the other TLS wrappers are for HTTP, not TCP.

arandomgstring commented 1 year ago

@IMIEEET

  1. xray is capable of using nginx in front. For example: https://github.com/XTLS/Xray-examples/tree/main/VLESS-WSS-Nginx
  2. The OpenVPN protocol is easily distinguishable from other protocols. Instead of using OpenVPN + stunnel, which slows down your network, simply use xray only. And note that xray can tunnel everything, from UDP to HTTP, HTTPS, etc.

IMIEEET commented 1 year ago

Update: the TCP connection is one-way. I can make a TCP connection from server 2 to server 1 but not from 1 to 2. This didn't help. Now how can I bypass this one-way TCP limit?

Update 2: only TCP is blocked from server 1 to server 2. From the other side, TCP connections and UDP are OK.

Update 3: f**k update 2, UDP is one-way too.

IMIEEET commented 1 year ago

I heard about similar tricks with Geneva; however, the syntax seems to be hard for me. Is that possible?

SimaSiahposh commented 1 year ago

Adguard was the only thing that worked perfectly for devices, especially for iOS. Now it's completely out and all servers are offline, except some locked and premium servers... here comes the struggle again... Parsonline has the shittiest firewall; it literally blocks everything every day, or leaves them with super high ping like +2000!

IMIEEET commented 1 year ago

@SimaSiahposh Wait, my server is in the Parsonline datacenter.

SimaSiahposh commented 1 year ago

@IMIEEET I have lots of weird problems with Parsonline. For example, right now none of the SSH connections work for me, but they work for other folks who are not Parsonline customers... after lots of trying and negotiating with the support center, they said I have noise on my line, that's why UDP is not working, and I was like, dude, seriously?!

arandomgstring commented 1 year ago

@IMIEEET When you say neither TCP nor UDP works, it means you cannot open a single foreign website in your VPS's browser. Is that really true though?! I think you are not testing things correctly. No matter how hard-proof their firewall is, it makes no sense to drop all packets going outside.

IMIEEET commented 1 year ago

> @IMIEEET When you say neither TCP nor UDP works, it means you cannot open a single foreign website in your VPS's browser. Is that really true though?! I think you are not testing things correctly. No matter how hard-proof their firewall is, it makes no sense to drop all packets going outside.

No, not all traffic, only to server 2, which has been blocked. If I change server 2, it can be blocked in a few hours too.

arandomgstring commented 1 year ago

@IMIEEET

If you can, install Wireshark on your system. Then, in the filter bar at the top of Wireshark, enter:

ip.addr == xx.xx.xx.xx

where xx.xx.xx.xx is the IP address of your VPS (the one that is blocked), and press Enter. Connect to the server which you claim is blocked, using stunnel or whatever. You will see a list of packets in Wireshark. Capture a screenshot of Wireshark, hide the IP address of your VPS in the screenshot, and post it here.

cross-hello commented 1 year ago

If the connections are not related to the TLS client hello, you could use [this repository](https://github.com/cross-hello/Replace-IP-and-Ethc-mac-in-pcapng-file) to replace sensitive IPs and related domain names with random ones in captured pcapng packages.

nDman commented 1 year ago

> If the connections are not related to the TLS client hello, you could use [this repository](https://github.com/cross-hello/Replace-IP-and-Ethc-mac-in-pcapng-file) to replace sensitive IPs and related domain names with random ones in captured pcapng packages.

Can you explain how to use this?

cross-hello commented 1 year ago

Install Python 3 and add it to the system PATH environment variable. Then install the scapy package: `pip3 install scapy`.

Git clone the repository: `git clone https://github.com/cross-hello/Replace-IP-and-Ethc-mac-in-pcapng-file.git`. Copy the pcapng file to the code directory. Open a command line there and start a Python terminal. Type in:

```python
import replace_data_in_pcapng as rp

server_ip1 = "your_server_ip"              # the VPS address you want hidden
server_name1 = "your_server_domain_name"   # the domain name that points at it

pcapng_file_name = "your_pcapng_file_name"  # like abc.pcapng
rp.replace_pcap(pcapng_file_name, [server_ip1], [server_name1])
```
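For readers who would rather not pull in scapy, the following is an added example (not the linked repository's code and not part of this thread) that does the narrower job in plain Python: rewrite the IPv4 source and destination addresses in a classic .pcap (Wireshark can save a pcapng capture as pcap via File > Save As) and repair the IPv4/TCP/UDP checksums so the scrubbed file still dissects cleanly instead of showing every frame as corrupt. The one-frame capture it operates on is constructed in code from RFC 5737 documentation addresses; `anonymize_pcap`, `inspect_pcap` and `build_sample_pcap` are names chosen here, not from any library. It deliberately leaves packet payloads alone, so an IP or hostname inside DNS, TLS SNI or HTTP headers would still need separate handling.

```python
"""Rewrite IPv4 addresses in a classic .pcap before sharing a capture.

Added example for this thread, not the linked repository's code. Handles
classic little-endian pcap only (not pcapng), rewrites Ethernet/IPv4 headers
and fixes IPv4/TCP/UDP checksums, and does NOT touch addresses or names inside
payloads (DNS, TLS SNI, HTTP Host). The sample capture is constructed in code
from RFC 5737 documentation addresses.
"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # as read with "<I" from a little-endian pcap
LINKTYPE_ETHERNET = 1

def _checksum(data) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when the block's checksum is valid."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _records(data: bytes):
    """Yield (record_header, frame) for each packet record."""
    magic, linktype = struct.unpack("<I", data[:4])[0], struct.unpack("<I", data[20:24])[0]
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian classic Ethernet pcap (not pcapng)")
    pos = 24
    while pos + 16 <= len(data):
        incl = struct.unpack("<I", data[pos + 8:pos + 12])[0]  # captured length
        yield data[pos:pos + 16], data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def _ipv4_view(pkt):
    """(ihl, proto, l4_off, l4_len) for an Ethernet/IPv4 frame, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or (pkt[14] >> 4) != 4:
        return None
    ihl = (pkt[14] & 0x0F) * 4
    return ihl, pkt[23], 14 + ihl, struct.unpack("!H", pkt[16:18])[0] - ihl

def _l4_checksum(pkt, proto, l4, l4_len) -> int:
    """TCP/UDP checksum: IPv4 pseudo-header (src, dst, 0, proto, len) + segment."""
    pseudo = bytes(pkt[26:34]) + struct.pack("!BBH", 0, proto, l4_len)
    return _checksum(pseudo + bytes(pkt[l4:l4 + l4_len]))

def _fix_checksums(pkt: bytearray) -> None:
    ihl, proto, l4, l4_len = _ipv4_view(pkt)
    pkt[24:26] = b"\x00\x00"  # IPv4 header checksum field
    pkt[24:26] = struct.pack("!H", _checksum(pkt[14:14 + ihl]))
    ck_off = {6: 16, 17: 6}.get(proto)  # checksum offset inside TCP / UDP header
    if ck_off is None or l4 + l4_len > len(pkt):
        return  # other transport protocol, or segment truncated by the snaplen
    pkt[l4 + ck_off:l4 + ck_off + 2] = b"\x00\x00"
    ck = _l4_checksum(pkt, proto, l4, l4_len)
    if proto == 17 and ck == 0:
        ck = 0xFFFF  # UDP: an all-zero field means "no checksum"
    pkt[l4 + ck_off:l4 + ck_off + 2] = struct.pack("!H", ck)

def anonymize_pcap(data: bytes, mapping: dict) -> bytes:
    """Return a copy of the pcap with IPv4 src/dst replaced per mapping."""
    out = bytearray(data[:24])
    for hdr, frame in _records(data):
        pkt = bytearray(frame)
        if _ipv4_view(pkt):
            for off in (26, 30):  # IPv4 source / destination within the frame
                old = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
                if old in mapping:
                    pkt[off:off + 4] = ipaddress.IPv4Address(mapping[old]).packed
            _fix_checksums(pkt)
        out += hdr + pkt
    return bytes(out)

def inspect_pcap(data: bytes) -> list:
    """[(src, dst, checksums_valid)] per IPv4 frame, to verify a scrubbed file."""
    result = []
    for _, pkt in _records(data):
        view = _ipv4_view(pkt)
        if view:
            ihl, proto, l4, l4_len = view
            ok = _checksum(pkt[14:14 + ihl]) == 0
            if proto in (6, 17) and l4 + l4_len <= len(pkt):
                ok = ok and _l4_checksum(pkt, proto, l4, l4_len) == 0
            result.append((str(ipaddress.IPv4Address(pkt[26:30])),
                           str(ipaddress.IPv4Address(pkt[30:34])), ok))
    return result

def build_sample_pcap(src: str, dst: str) -> bytes:
    """Constructed one-frame capture: Ethernet / IPv4 / TCP SYN to port 443."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0))
    tcp[16:18] = struct.pack("!H", _checksum(s + d + struct.pack("!BBH", 0, 6, 20) + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0, s, d))
    ip[10:12] = struct.pack("!H", _checksum(ip))
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(ip) + bytes(tcp)
    return (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)

if __name__ == "__main__":
    orig = build_sample_pcap("203.0.113.7", "198.51.100.9")
    print(inspect_pcap(anonymize_pcap(orig, {"203.0.113.7": "10.0.0.1", "198.51.100.9": "10.0.0.2"})))
```

Run it as a script to see the rewritten addresses; the third field of each `inspect_pcap` tuple confirms that the recomputed IPv4 and TCP/UDP checksums validate, which is what keeps Wireshark from flagging every rewritten frame as bad. Addresses that are not in the mapping are left untouched, so you can scrub only the VPS and keep everything else as captured.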

wkrp commented 1 year ago

> Would it be possible to block Iranian IPs from advertising themselves as Tor exit nodes?

That's not what's happening. That IP address is not in Iran. Most likely, the geolocation service has used some inaccurate heuristic that makes it incorrectly think the IP address is in Iran. Check some other geolocation services, and they will report that 198.96.155.3, tor.exit.uwaterloo.ca, is located in Canada, which is correct.

It is possible that the incorrect geolocation is influenced by many Iranian users using Tor, writing in Farsi, searching for addresses in Iran, which could cause the geolocation service to guess that the IP address actually is located in Iran. Something similar was hypothesized to have happened in 2017, when a lot of Tor exits started geolocating to Ukraine. At that time, a browser called FreeU Browser had become popular. It secretly included a built-in Tor client, but did not have the other anonymity protections of Tor Browser.

Mohammad76rasti commented 1 year ago

Zz