Local SOCKS5 DPI BYPASS. PC Android
- As a local proxy, it doesn't require complex setup or external infrastructure.
- End-to-End Encryption: It does not inherently provide encryption. Users should combine it with secure protocols like HTTPS or VPNs for comprehensive protection.
- Effective Against DPI Filters: Successfully bypasses many forms of network-level filtering and throttling.
- Customizable Options: Offers fine-grained control over how traffic is obfuscated, allowing users to adapt to different blocking mechanisms.
- Obfuscating Traffic: It modifies the structure of network packets to confuse DPI systems, making it harder for them to identify and block specific protocols or content.
- Maintaining Privacy: By altering packet headers and payloads, it prevents ISPs or network administrators from inspecting user activity in detail.
ByeDPI to create the server.
v2rayN (Alternative to Nekoray).
Download them and unzip.
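- Go to the ByeDPI folder.
- Run service_install.bat (Run as administrator) and it will be installed automatically.
- Find the byedpi.bat file and edit it (open it in Notepad).
- Replace the existing parameter with this one:

ciadpi.exe --fake -2 --tls-sni Ea.com --tlsrec 6+s --tlsrec 27+s

Note that this command sets no -i option, so per the option list below ciadpi listens on 0.0.0.0 (all interfaces); add -i 127.0.0.1 to accept connections only from the local machine.

socks5://127.0.0.1:1080

Download and install both.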
- Open Nekobox.
- Go to Tools >>> Backup >>> Import from file (Import the custom settings I made).
- Choose the desired profile and run it.
- The mentioned file is Here
Advanced plugin >>> Choose ByeDPI >>> Enable manual mode >>> Edit options:

--fake -2 --tls-sni Ea.com --tlsrec 6+s --tlsrec 27+s

- You can replace "Ea.com" with the desired host you would like to use.
Replace the existing one with this parameter.
-i, --ip
    Listening IP, default is 0.0.0.0
-p, --port
    Listening port, default is 1080
-D, --daemon
    Run in daemon mode
    Supported only on Linux and BSD systems
-w, --pidfile
    PID file location
-E, --transparent
    Run in transparent proxy mode, SOCKS will not work
-c, --max-conn
    Maximum number of client connections, default is 512
-I, --conn-ip
    Address to which outgoing connections will be bound, default is ::
    If an IPv4 address is specified, IPv6 requests will be rejected
-b, --buf-size
    Maximum size of data received and sent per recv/send call
    Size is specified in bytes, default is 16384
-g, --def-ttl
    TTL value for all outgoing connections
    May be useful for bypassing detection of non-standard/reduced TTL
-N, --no-domain
    Drop requests if the address is a domain
    Since DNS resolution is performed synchronously, it may slow down or even freeze the operation
-U, --no-udp
    Do not proxy UDP
-F, --tfo
    Enable TCP Fast Open
    If the server supports it, the first packet will be sent immediately with SYN
    Supported only on Linux (4.11+)
-A, --auto
    Automatic mode
    If an event similar to a block or failure occurs,
    then bypass parameters following this option will be applied
    Possible events:
        torst : Timeout occurred or server dropped connection after the first request
        redirect: HTTP Redirect with Location whose domain does not match the outgoing one
        ssl_err : In response to ClientHello, ServerHello was not received or SH contains an incorrect session_id
        none : The previous group was skipped, e.g., due to domain or protocol restrictions
-L, --auto-mode
    0: Cache IP only if reconnection is possible
    1: Cache IP also in the case:
        torst - timeout/connection dropped during data exchange (i.e., after the first data from the server)
        ssl_err - only one round of data exchange occurred (request-response/request-response-request)
-u, --cache-ttl
    Cache value lifetime, default is 100800 (28 hours)
-T, --timeout
    Timeout waiting for the first response from the server in seconds
    On Linux, this is converted to milliseconds, so fractional numbers can be specified
-K, --proto
    Protocol whitelist: tls,http,udp,ipv4
-H, --hosts
    Limit the scope of parameters to a list of domains
    Domains should be separated by a newline or space
-j, --ipset
    Restriction by specific IPs/subnets
-V, --pf
    Port restriction
-R, --round
    Which request(s) to apply obfuscation to
    Default is 1, i.e., to the first request
-s, --split
    Split the request at the specified position
    Position has the form offset[:repeats:skip][+flag1[flag2]]
    Flags:
        +s: add SNI offset
        +h: add Host offset
        +n: zero offset
    Additional flags:
        +e: end; +m: middle
    Examples:
        0+sm - split the request in the middle of SNI
        1:3:5 - split at positions 1, 6, and 11
    The key can be specified multiple times to split the request at several positions
    If the offset is negative and has no flags, the offset is added to the packet size
-d, --disorder
    Similar to --split, but parts are sent in reverse order
-o, --oob
    Similar to --split, but part is sent as OOB data
-q, --disoob
    Similar to --disorder, but part is sent as OOB data
-f, --fake
    Similar to --disorder, except before sending the first piece, a part of fake data is sent
    The number of bytes sent from the fake equals the size of the split part
    ! May be unstable on Windows
-t, --ttl
    TTL for the fake packet, default is 8
    It is necessary to select a value such that the packet does not reach the server but is processed by DPI
-k, --ip-opt[=file|:str]
    Set options for the fake IP packet
    Significantly reduces the probability that the packet will reach the server
    Note that it may not reach the DPI either
    Not supported on Windows
-S, --md5sig
    Set the TCP MD5 Signature option for the fake packet
    Most servers (mainly on Linux) drop packets with this option
    Supported only on Linux, may be disabled in some kernel builds (< 3.9, Android)
-O, --fake-offset
    Offset the start of fake data by n bytes
-l, --fake-data
    Specify your own fake packets
    The string can contain escape characters (\n,\0,\0x10)
-e, --oob-data
    Byte sent out-of-band, default is 'a'
    Can specify ASCII or escape character
-n, --tls-sni
    Change the SNI in the default fake packet to the specified one
-M, --mod-http
    Various manipulations with the HTTP packet, can be combined
    hcsmix:
        "Host: name" -> "hOsT: name"
    dcsmix:
        "Host: name" -> "Host: NaMe"
    rmspace:
        " Host: name" -> "Host:name\t"
-r, --tlsrec
    Split ClientHello into separate records at the specified offset
    Can be specified multiple times
-a, --udp-fake
    Number of fake UDP packets
-Y, --drop-sack
    Ignore SACK, forcing the kernel to retransmit already delivered packets
    Supported only on Linux

--split splits the request into parts. Example on a 30-byte request:
- Parameters: --split 3 --split 7
- Sending order: 1-3, 3-7, 7-30

Positions should be specified in ascending order.

The part falling under disorder will be sent with TTL=1, meaning it will not actually be delivered anywhere. The OS learns about this only after sending the subsequent part, when the server reports the loss using SACK. The system will have to resend the previous packet again, thereby disrupting the usual order.
- Parameters: --disorder 7
- Sending order: 7-30, 1-7

Note: The above applies only to Linux.
On Windows, retransmission starts from the position where the losses began (the maximum ACK received from the server):
- Parameters: --disorder 7
- Sending order: 7-30, 1-30

Therefore, it is advisable to use split as well:
- Parameters: --split 7 --disorder 23
- Sending order: 1-7, 23-30, 7-30

In practice, it's optimal to use:
- Linux: --disorder 1
- Windows: --split 1+s --disorder 3+s

With --fake, data in the first part of the request is replaced with fake data. This part should pass through the DPI but not reach the server.
- Parameters: --fake 7
- Sending order: 1-7 fake, 7-30 original, 1-7 original

To ensure the fake doesn't reach the server, there are options like ttl, ip-opt, and md5sig.
TTL must be selected such that the packet passes through all DPI but does not reach the server. For Linux, there's md5sig. It sets the TCP MD5 Signature option, which prevents many servers from accepting the packet. Unfortunately, md5sig doesn't work in all builds.
For Windows, there's another way to avoid server processing of the fake. This involves combining fake with disorder:
- Parameters: --disorder 1 --fake 7
- Sending order: 2-7 fake, 7-30 original, 1-30 original

If the fake packet reaches the server, it will be overwritten due to full retransmission.
In practice, it's optimal to use:
- Linux: --fake -1 --md5sig
- Windows: --disorder 1 --fake -1

TCP can send data outside the main stream using the URG flag, but only 1 byte per packet. All data in such a packet will be delivered to the application, except the last byte, which is out-of-band.
- Parameters: --oob 3
- Sending: 1-4 with URG flag (1-3 request data + 4th byte, which will be truncated), 3-30

This byte is preferably placed in the SNI: --oob 3+s

--disoob is similar to --disorder, but part is sent with an OOB byte.
- Parameters: --disoob 3
- Sending: 3-30, 1-4 with URG flag (1-3 + byte that will be truncated + 4-8)

When used with --fake or --disorder, you can get a packet where the OOB byte is located at the split point:
- Parameters: --disoob 3 --disorder 7
- Sending: 3-30, 1-8 with URG flag (1-3 + byte that will be truncated + 4-8)

A single TLS record can be split into several, slightly modifying the header. At the split point, a new header is inserted, increasing the request size by 5 bytes.
This header can be placed in the middle of the SNI, preventing DPI from reading it correctly:
- Parameters: --tlsrec 3+s

Although tlsrec and oob confuse DPI, they can also confuse various middleboxes that do not support a full TCP/TLS stack. Therefore, they should be used together with --auto:
- Example: --auto=torst --timeout 3 --tlsrec 3+s

In this case, tlsrec will be applied only in cases where the connection is dropped or the timeout has been reached, i.e., when blocking likely occurred.
You can do the opposite - cancel tlsrec if the server drops the connection or discards the packet:
- Example: --tlsrec 3+s --auto=torst --timeout 3
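The TLS record splitting described in this section, seen from the inspecting side, as an added example that is not code from the original page or from ByeDPI: TLS allows a handshake message to span several records, so a parser that reads only the first record loses the SNI, while one that concatenates the record payloads before parsing recovers it. The ClientHello, the host example.com and every function name here are constructed for illustration.

```python
import struct

def client_hello(host: bytes) -> bytes:
    """Constructed minimal ClientHello (one TLS record) carrying only an SNI extension."""
    name = b"\x00" + struct.pack("!H", len(host)) + host            # name type host_name, length, name
    exts = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name  # ext type 0 (SNI), ext len, list len
    body = (b"\x03\x03" + bytes(32) + b"\x00"                       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 = handshake

def fragment(record: bytes, pos: int) -> bytes:
    """Re-frame a single record as two, cutting its payload at pos (adds one 5-byte header)."""
    hdr, payload = record[:3], record[5:]
    return b"".join(hdr + struct.pack("!H", len(p)) + p for p in (payload[:pos], payload[pos:]))

def record_payloads(data: bytes) -> list:
    """Payloads of the consecutive handshake records at the start of a client's byte stream."""
    out, i = [], 0
    while i + 5 <= len(data) and data[i] == 0x16:
        n = int.from_bytes(data[i + 3:i + 5], "big")
        out.append(data[i + 5:i + 5 + n])
        i += 5 + n
    return out

def sni(hs: bytes):
    """SNI host name from a ClientHello handshake message; None if incomplete or absent."""
    if len(hs) < 4 or hs[0] != 1 or 4 + int.from_bytes(hs[1:4], "big") > len(hs):
        return None                       # not a ClientHello, or it continues in a later record
    p = 4 + 2 + 32                        # handshake header, legacy_version, random
    for width in (1, 2, 1):               # skip session id, cipher suites, compression methods
        p += width + int.from_bytes(hs[p:p + width], "big")
    p, end = p + 2, min(len(hs), p + 2 + int.from_bytes(hs[p:p + 2], "big"))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        if etype == 0:                    # list len (2), name type (1), name len (2), name
            nlen = int.from_bytes(hs[p + 7:p + 9], "big")
            return hs[p + 9:p + 9 + nlen].decode("ascii", "replace")
        p += 4 + elen
    return None

def inspect(data: bytes):  # returns (SNI from first record only, SNI after reassembly)
    parts = record_payloads(data)
    return sni(parts[0] if parts else b""), sni(b"".join(parts))

if __name__ == "__main__":
    rec = client_hello(b"example.com")    # constructed sample, cut 3 bytes into the SNI
    print(inspect(rec), inspect(fragment(rec, rec.index(b"example.com") - 5 + 3)))
```

Run as a script, it prints ('example.com', 'example.com') for the intact record and (None, 'example.com') for the fragmented one. fragment() handles a single cut of a single record, which is enough to produce the test input.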

--drop-sack causes the kernel to ignore packets with the TCP SACK extension. This extension allows acknowledgment of receipt of individual data segments.
If the first part of the request is lost and only the second part reaches the server, the server can notify the client of this using this extension. Then the client, knowing that the second part has arrived, will send only the first.
Why ignore this extension? The second segment might be fake. If it reaches the server but the client does not know about it, the client will attempt to retransmit it. However, this segment will contain the original data, which will overwrite the fake, thereby preventing protocol disruption.
Since fast acknowledgment won't work, this will break disorder and add delay before retransmission (about 200ms).

The auto parameter divides options into groups. For each request, they are traversed from left to right. First, the trigger specified in auto is checked, then pf, proto, and hosts.
You can specify multiple groups of options, separating them with this parameter. Parameters that come below --timeout in the help text (except tls-sni) can be moved into a separate group.