net4people / bbs

Forum for discussing Internet censorship circumvention

Observation regarding V2ray tunneling in Iran. #410

Open lostsoul6 opened 5 days ago

lostsoul6 commented 5 days ago

Hello dear @irgfw,

For the last 4 months, Iran VPS IPs have been getting limited after some time of using the server for tunneling v2ray traffic. The Iran VPS IPs are Iran Accessed, which means they can only be connected to from within Iran and they can't be used for tunneling again. When this happens, the Iran VPS IP gets blocked simultaneously in MCI and Irancell ISPs.

I did a test and found the following:

I got an Iran VPS with 2 IPs. I used the first IP only for tunneling and the second IP only for my users. So users connected to v2ray configs with the second IP.

What happened was that the IP which was used for tunneling was OK and had no issues, but the IP that users used to connect to the VPN was Iran Accessed! It seems ISPs are detecting the traffic and are blocking the IP that is used for v2ray.

What I noticed when talking to my friends who had this issue is that almost all of them use the following setup:

- Vless + TCP + header
- Vmess + TCP + header

For instance, I haven't yet seen any Iran VPS IPs being blocked for using shadowsocks or reality in a tunnel setup.

Are the following two setups fully detected by GFW now?

- Vless + TCP + header
- Vmess + TCP + header

Can you introduce combinations to me that are harder to detect?

Thank you.

shikantazacomputers commented 5 days ago

I've no idea what works in Iran, but you might try the combination VLESS + gRPC + TLS + CDN. You can easily remove the CDN part if that works better for you. Detailed instructions here.

irgfw commented 5 days ago

Hi, the IRGFW is actively fingerprinting TLS client-hellos and non-TLS handshakes from *ray clients.

  1. DO NOT use VLESS without TLS.
  2. DO NOT use a "header host domain" in VMESS-HTTP configs. (Use them without a header and just a "/" path.)
  3. DO NOT use reverse tunnels. Iranian Firewalls have a susceptible DDoS-Protection system (to prevent foreign hacks and DDoSes), and it thinks the Iranian VPS is being attacked when using reverse tunnels. (unless using MUX<4)
  4. DO NOT use Reality setups. Reality is dead in Iran.
  5. Block all Iranian IPs and Domains on both VPSes. (chocolate4u)
  6. Use Port Hopping with a tight port range.
  7. Use creative configs. Like: IPv6, QUIC, Fragment, UDP-Noise, FakeHost, and ... of Xray and tunnels between the client-to-irvps and irvps-to-foreignvps.

In summary, *ray combinations are being blocked and restricted in Iran day after day. Use other cores and other methods if possible.

RPRX commented 2 days ago

@irgfw I think Iran’s ban on REALITY is mainly based on the fixed traffic characteristics of Vision without Seed. We plan to launch Vision Seed within this year.