سلام گرم به همه دوستانی که برای حق اولیه و ابتدایی شهروندی ، برای دسترسی به اینترنت ، تلاش میکنند
سلام به هیدیفای،باشسیز،سگارو،آی آر سی اف ، پروژه امید، یوتیوبرها و همه عزیزان دوست داشتنی
روش این پیج یک زخم عمیق بر پیکر GFW می گذارد که تا سالها سوزش آن در ماتحت فیلترچیان دنیا باقی خواهد ماند
خلاصه کار به فارسی:
روترهای gfw نمیتوانند packet های fragment را سرهم کنند
چرا؟ چون کل ترافیک کشور ازشون عبور میکنه و براشون سخته و cache محدود دارند و باید سریع باشند
سرورها ولی موظف به سرهم کردن fragment ها هستند چون در پروتکل ip قید شده
سرورهای کلودفلر به خوبی این کارو انجام میدن
باور کنید یا نکنید کار gfw ساختس
in TLS protocol (even latest v1.3) SNI transfered in plain-text
GFW find it and when SNI is not in whitelist reply with TCP-RST
so it filter cloudflare-ip , based on SNI , such that some popular sites
like plos.org is open , and all other sites closed , through that ip
so we need to hide SNI from GFW
we fragment TLS "client Hello" packet into chunks in a simple manner
we show that it pass the firewall
more importantly we show that GFW cant fix it because its nearly impossible
to cache TBs of data in high speed router , so they MUST give up or break the whole network
leaking domain name (SNI) is the old famous bug of tls protocol which is not fixed yet as of 2023
some attempt started few years ago , was trying to encrypt sni called ESNI which is deprecated today
cloudflare stop supporting esni in summer 2022
another way is Encrypted Client Hello (ECH) which is in draft version and not well-documented
i make much effort to use ECH but its too complex and still is in development
also its based on DNS-over-HTTPS which is already filtered by GFW
cloudflare IPs are high traffic and 30% of web is behind them
so GFW cant simply block them by traffic volume
and all traffic is encrypted except client hello which leak server name (SNI)
so GFW extract sni from client hello and when SNI is in white list it pass
if SNI in in blacklist , GFW send TCP-RST to terminate tcp socket
we hide sni by fragmenting client hello packet into several chunk.
but GFW already know this and try to assemble those chunk to find SNI! LOL
but we add time delay between fragment. LOL
since cloudflare IPs have too much traffic , GFW cant wait too long. LOL
GFW high-speed cache is limited so it cant cache TBs of data looking for a tiny tcp fragment. LOL
so it forget those fragments after a second. LOL
its impossible to looking at huge traffic for a packet didnt know when or where it arrive. LOL
so it forced to Give up. LOL
- assume that you have v2ray config {websocket+tls+Cloudflare}
- setup pyprox listen_port and cloudflare_dirty_ip
- setup your v2ray client to forward to 127.0.0.1:listen_port
- on your local machine run
python pyprox_tcp.py - monitor traffic by wireshark or microsoft network monitor
- adjast fragment_size & fragment_sleep
typical Client Hello packet is ~300 byte
we split 300 into {77+77+77+69} and send each by delay of 0.3 second
fragment_size=77 byte , fragment_sleep=0.3 sec -> moderate packet size with moderate delay -> work good
another setup might be:
fragment_size=77 byte , fragment_sleep=0.2 sec -> moderate packet size with moderate delay -> work nice
fragment_size=17 byte , fragment_sleep=0.03 sec -> too small chunk with less delay -> work good
too big chunk -> assembled by GFW -> TCP-RST recieved
too small delay -> assembled by GFW -> TCP-RST recieved - just surf the filtered web and enjoy!
it might be slow at initiating tls handshake
but we make it better by setting up persistent TLS
stay tuned!
any ideas are welcome