net4people / bbs

Forum for discussing Internet censorship circumvention

IRAN TLS Handshake Filtering #231

Open wlfvpn opened 1 year ago

wlfvpn commented 1 year ago

Hello,

I'm looking for volunteers who are interested in understanding the filtering in Iran and want to develop a specialized modified v2ray plugin for Iran.

As we all know, SNI-based filtering is very strict and things are getting worse. I was wondering if anyone is interested in trying it out on a particular network, and then we modify the TLS handshaking of the crypto/go library based on the strategies we find?

Here are some previous amazing reports: https://geneva.cs.umd.edu/posts/iran-whitelister/

Let me know if you are interested.

y4m3r0 commented 1 year ago

Very interested, I'm happy to help.

Gursimran15 commented 1 year ago

I'm also interested. Am happy to help to best of my knowledge.

On Tue, Mar 21, 2023 at 6:53 AM Woman Life Freedom @.***> wrote:

Hello,

I'm looking for volunteers who are interested in understanding the filtering in Iran and want to develop a specialized modified v2ray plugin for Iran.

As we all know, SNI-based filtering is very strict and things are getting worse. I was wondering if anyone is interested in trying out https://github.com/Kkevsterrr/geneva on a particular network, and then we modify the TLS handshaking of the crypto/go library based on the strategies we find?

Here are some previous amazing reports: https://geneva.cs.umd.edu/posts/iran-whitelister/

Let me know if you are interested.


SasukeFreestyle commented 1 year ago

In my experience it's a mix of IP and domain-name blocking and the blocking of certain TLS characteristics. The blocks are also not universal: with some carriers it works and with some it does not.

Using XTLS Xray-core with the Vision flow, which adds random-length byte padding to TLS, in my experience breaks the filter in Iran because the TLS characteristics do not match any "block" rule in Iran's filter. uTLS set to Chrome/Random/Randomized also solved many of the issues I previously had.

Some of my 4000 users are still blocked, but the block seems to be at the IP level, as I can't see their connections in my logs. Very few of my users get a TLS handshake error; most of those who do are using mobile data like 4G.

None of my users has problems connecting using a fixed line like ADSL.

Many people in Iran are using X-UI without any fallback to a "fake" website, and are also not blocking outbound connections back to Iran, causing the server hosting X-UI/Xray to be banned. Without an outbound block rule, a client connects to Xray and then your server initiates connections back to Iran whenever the client visits an Iranian website, using the IP of the server hosting the proxy. This kind of traffic might look suspicious from a filter's point of view.

Many IPs from Cloudflare are also banned, some are not.

wlfvpn commented 1 year ago

Thanks @SasukeFreestyle, you are right. I've been following a lot of research and I have been following all of that. Unfortunately, you cannot use xtls-vision behind a CDN. My new subdomain of a new domain got blocked within hours, with only 157 people and 36 GB of traffic! This is alarming. The same thing happened to other friends who provided VPNs. I had a proper fallback and website and I have also properly blocked Iranian IPs (I did see your work and also made some improvements on top of it).

If they have a way to detect and filter the domains on ISPs, usually what happens later is that the same thing gets applied to fixed lines like ADSL, so your ADSL lines are not safe.

@Gursimran15 @scx9e @ Please contact me in Telegram @WomanLifeFreedomVPNSupport

SasukeFreestyle commented 1 year ago

@wlfvpn

While I've not tested this myself, I assume your CDN (Cloudflare) requires a websocket.

I think it's possible to use a CDN with Vision and a fallback to a websocket, then put that websocket in Cloudflare.

Check https://github.com/XTLS/Xray-examples/blob/main/All-in-One-fallbacks-Nginx/server.json: Vision is the entry point on port 443; then, when a path is specified, you can fall back to that path, and there you can configure a websocket server.

  // Websocket
  {
    // if the path was `/vlws`, pass it to the vless-ws listener
    "path": "/vlws",
    "dest": "@vless-ws",
    "xver": 2 // Enable sending of the PROXY protocol, passing the real source IP and port to the following vmess+ws application. 1 or 2 indicates the PROXY protocol version; consistent with the following, it is recommended to configure 2.
  },

A full configuration might look like this: one fallback to a websocket server and one fallback to an nginx fake website.

But I've not tried this myself because I do not have a free system to try it on without cutting the connection to my users :(

"inbounds":[
   {
      "listen":"0.0.0.0",
      "port":443,
      "protocol":"vless",
      "settings":{
         "clients":[
            {
               "id":"YOUR UUID HERE",
               "flow":"xtls-rprx-vision"
            }
         ],
         "decryption":"none",
         "fallbacks":[
            {
               "path":"/vlws",
               "dest":"@vless-ws",
               "xver":2
            },
            {
               "dest":"/dev/shm/h1.sock",
               "xver":2
            }
         ]
      },
      "streamSettings":{
         "network":"tcp",
         "security":"tls",
         "tlsSettings":{
            "MinVersion":"1.2",
            "MaxVersion":"1.3",
            "cipherSuites":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "alpn":[
               "http/1.1"
            ],
            "certificates":[
               {
                  "ocspStapling":3600,
                  "certificateFile":"/home/USERNAME/cert/fullchain.pem",
                  "keyFile":"/home/USERNAME/cert/privkey.pem"
               }
            ]
         }
      },
      "sniffing":{
         "enabled":true,
         "destOverride":[
            "http",
            "tls"
         ]
      }
   },
   {
      "listen":"@vless-ws",
      "protocol":"vless",
      "settings":{
         "clients":[
            {
               "email":"general@vless-ws",
               "id":"90e4903e-66a4-45f7-abda-fd5d5ed7f797",
               "level":0
            }
         ],
         "decryption":"none"
      },
      "streamSettings":{
         "network":"ws",
         "security":"none",
         "wsSettings":{
            "acceptProxyProtocol":true,
            "path":"/vlws"
         }
      },
      "sniffing":{
         "enabled":true,
         "destOverride":[
            "http",
            "tls"
         ]
      }
   }
]
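As an added example, not code from the thread or from Xray, here is a small Python check for the consistency requirements a fallback chain like the one above has to meet (a fallback `path` must equal the target inbound's `wsSettings.path`, and `xver` only works if the receiving inbound has `acceptProxyProtocol` on), plus a check that a routing rule sends `geoip:ir` traffic to a blackhole outbound, the outbound block discussed earlier in the thread. The embedded config is constructed for the example; the UUID placeholder and the `direct`/`block` outbound tags are assumptions.

```python
import json

# Constructed sample, not a config from the thread: the Vision inbound with its two
# fallbacks, the ws inbound it hands off to, and an assumed geoip:ir -> blackhole rule.
CONFIG = json.loads("""{
  "inbounds": [
    {"listen": "0.0.0.0", "port": 443, "protocol": "vless",
     "settings": {"clients": [{"id": "UUID-PLACEHOLDER", "flow": "xtls-rprx-vision"}],
                  "decryption": "none",
                  "fallbacks": [{"path": "/vlws", "dest": "@vless-ws", "xver": 2},
                                {"dest": "/dev/shm/h1.sock", "xver": 2}]},
     "streamSettings": {"network": "tcp", "security": "tls"}},
    {"listen": "@vless-ws", "protocol": "vless",
     "settings": {"clients": [{"id": "UUID-PLACEHOLDER"}], "decryption": "none"},
     "streamSettings": {"network": "ws", "security": "none",
                        "wsSettings": {"acceptProxyProtocol": true, "path": "/vlws"}}}
  ],
  "outbounds": [{"protocol": "freedom", "tag": "direct"},
                {"protocol": "blackhole", "tag": "block"}],
  "routing": {"rules": [{"type": "field", "ip": ["geoip:ir"], "outboundTag": "block"}]}
}""")


def check_fallbacks(cfg):
    """Return a list of fallback-chain problems; an empty list means it is consistent."""
    problems = []
    inbounds = cfg.get("inbounds", [])
    by_listen = {ib.get("listen"): ib for ib in inbounds}
    for ib in inbounds:
        for fb in ib.get("settings", {}).get("fallbacks", []):
            dest = fb.get("dest")
            target = by_listen.get(dest)
            if target is None:
                # Filesystem sockets (nginx) live outside this config; only flag abstract names.
                if str(dest).startswith("@"):
                    problems.append(f"fallback dest {dest!r} has no matching inbound")
                continue
            ws = target.get("streamSettings", {}).get("wsSettings", {})
            # xver > 0 makes Xray send PROXY protocol; the receiving inbound must accept it.
            if fb.get("xver", 0) and not ws.get("acceptProxyProtocol"):
                problems.append(f"{dest}: xver set but acceptProxyProtocol is off")
            # A path fallback only reaches the ws inbound if it serves the same path.
            if "path" in fb and ws.get("path") != fb["path"]:
                problems.append(f"{dest}: path {fb['path']!r} != ws path {ws.get('path')!r}")
    return problems


def blocks_iran(cfg):
    """True if some routing rule sends geoip:ir to a blackhole outbound (the outbound block)."""
    blackholes = {o.get("tag") for o in cfg.get("outbounds", []) if o.get("protocol") == "blackhole"}
    return any("geoip:ir" in r.get("ip", []) and r.get("outboundTag") in blackholes
               for r in cfg.get("routing", {}).get("rules", []))
```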