Iran limiting v2ray and shadowsocks private servers #166
Comments
Limiting means IP blocking or Handshake intervention? |
|
So it could be the VPS provider that was a red flag. Or it could be the volume of traffic. Or it could be the presence of TLS in the protocol (I believe Cloak does not use TLS, but you mentioned TLS in the other configurations). Can you tell me:
|
|
By limited I mean heavily throttled, telegram keeps reconnecting every few seconds and text messages are barely sent and recieved. browsing sites is so slow that is almost impossible. Also Now it's throttled on all isps. |
|
If you are interested in trying "Vision," I translated the instructions for one example into English about a month ago. https://github.com/seakfind/examples/tree/main/VLESS-TCP-XTLS-Vision The client in this example bypasses the proxy for all destinations with an IP address in China or a DNS name in China. Obviously you would want to change those routing rules. As a safeguard, the server is also configured to block IP addresses in China. The idea behind "Vision" is that TLS handshakes within TLS encryption should have random padding added to packet lengths. This stops the traffic from looking like an obvious TLS-in-TLS proxy server. |
|
Use MUX and set concurrency to 1 and tell me the results. I am fairly confident that you receive "failed to dial Websocket error" no? "Timeout and io" errors are common as well. They have limited foreign IPs bandwidth, and the number of your connection to an IP shouldn't go beyond 4~8ish. Also check DNS leak, if you have any, that is the cause. @seakfind |
|
@arandomgstring enabling mux did not help and couldn't get connected anymore. anyway it's not worth it to spend more time with this vps. it's clearly flagged and limited. my other servers are working fine. |
|
They have limited almost all the bridge vps using 1 on 1 traffic |
|
Well, I suppose the best way is using geosite data function in clients to seperate iranian sites from foreign ones. there is already a repo for iranian hosted domain in github that you can use. |
|
@seakfind I tried your suggestion on a new vps. while it is working, I'm getting some ssl errors (SSL_ERROR_BAD_MAC_ALERT or SSL_ERROR_PROTOCOL_VERSION_ALERT) or blank pages when web browsing that gets fixed if I refresh the page a few times and overall web browsing is a bit slow. Also when playing a video on youtube it gets interrupted and lags after playing for around 10 seconds and afterwards it sometimes plays just fine or keeps lagging. overall it's quite good considering other configs performances right now. do you think this is more resistant to identifying server ip( getting rate limited) or using nginx/caddy + trojan/v2ray ? |
|
It seems VMess + TLS + H2 can not connect anymore in Iran. |
|
Can you ping the domain of your server to see if it's blocked on IP level or not?
|
I changed to VLESS xtls+rprx+vision, now it can connect but it is very slow in MTN and TCI networks. In other networks it is also slower than before, but still can be used.
|
|
OK. That means you are not blocked at IP level at least. However, without seeing packets it's quite hard to deduce the real cause of problem. Turn on mux, set it to 1 to be sure, and see if the problem persists. Some times ISPs apply QoS to servers, and because of that you can't have several simultaneous connection with a server. Mux mitigates this issue. If mux doesn't help, your problem can be literally anything. But I guess mux will help. Tell me, when you restart your connection to the proxy server, at the first few seconds, is your speed better and then it gradually becomes worse, or since the very beginning you receive timeouts? Do you receive timeout for all websites, or it only happens for streaming/gaming/or certain websites? Can you change port 443 to something else and see if you are still facing the same problem? (I don't advise using any port other than 443, however, if other ports work well it means that 443 is limited, temporarily, because of QoS). Finally I don't think that your server is "flagged" as per se. Either your server IP range has been limited (this happened 1 month ago for French VPSs from certain VPS provider) or you kept your connection to server for long period of time, making your server limited temporarily. From my observation, even if you download "large" files from Iranian sites (not famous ones), in the middle of downloading you receive many timeouts too, so QoS happens for everyone. Vision imo is not mature enough (or perhaps TLS1.3 features, such as early data are not mature), and there is no difference between vision and say normal VLESS + TLS + TCP, except for the fact that in vision you simply receive encrypted packets from your destination without double encryption (TLS in TLS), which makes packets smaller (thereby networking faster) and that's it. There is no reason for vision to work and VLESS + TLS + TCP (or VMess + TLS ) not to work; their traffic is literally the same in DPI. Although Vmess + TLS makes your packets too big, because of triple encryption (TLS + TLS + VMESS). Personally I will wait for stable version of vision. Maybe the vision itself has caused these timeout problems? What kind of errors you had when you used VMess + TLS? |
Thanks for your recommendation. I should mention that my VMess + TLS + H2 was not connecting anymore! This is the reason I moved to VLESS. I will enable mux, and let you know. |
|
Hi, @free-the-internet |
|
I think you have given me the most valuable piece of information, that I didn't pay attention to it.
Many Iranian users have been reporting to @klzgrad that they are not able to connect to Naiveproxy. But why was that? It could've been TLS fingerpriting for sure, but some argued that (klzgrad/naiveproxy#404), it is not the case. But now that I am seeing your issue (and your solution to it), I think everything makes sense now. According to @grimpenmire Chrome by default uses http 1.1 klzgrad/naiveproxy#390 (comment) . And you, for some reason, couldn't connect to your server using H2 as well, even though you were using Xray for this purpose, not Naiveproxy. I am only hypothesizing here, but could it be that they are blocking H2 traffic with some special features that @klzgrad described here klzgrad/naiveproxy#1 ? I mean it cannot be a coincidence that suddenly switching from VMess + TLS + H2 to vision made your proxy work. At least you can connect to it. You haven't mentioned it, but I assume you are using TCP in network settings of vision, am I correct?! Suddenly switching from H2 to something else let you connect to your server. |
Yes, I'm switched from H2 to TCP. But, I should read the posts you mentioned first. I can return to previous setup and check again if the problem is H2? BTW, isn't it the case that HTTP2 is wrapped into encrypted TCP packets? Considering that HTTP2 is only Application layer, and TCP is the transport. If this is true, how they managed to distinguish HTTP2 from HTPP1.1 ? I'll check the speed today using a real web server (as @linehman said), and report here the results. |
This part at least is easy to answer. The application-layer protocol is negotiated using the ALPN extension in ClientHello/ServerHello, which is clear-text. |
Seems when there is a web server, speed is normal when downloading a file. |
|
nginx and caddy are fine. honestly today almost all protocols have problems. looks like they are just messing up the network and throttling foreign traffic after a few seconds of data transfer. using a local node in iran, all issues are solved. I just don't like buying an iranian vps for this. since they are gonna know your identity. |
Honestly, this behavior is to be expected, since the flow of information is totally different when you download a file from your server, compare to when you use your server as a proxy. This is why I suggested that you should turn MUX on, because with MUX, all of your traffic will be proxified by a single socket, which kinda (not exactly) makes your traffic look like downloading a file through single connection. By default however, xray opens infinitely different parallel connections to your server, and send small volume of traffic through them. Messing with this type of traffic is super easy without breaking anything.
I mean, what if they know your identity? It is not like they can actually see what type of data you are sending through their server, well unless someone heavy tech enough, modifies xray source code, and compiles it in your server, and then uses your configuration on it, to see every single packet decrypted as middle man. But again, do they have time, force, and money for something like this? If they see your proxy usage, at most they will block your account and that is it. It is just not "money wise" to buy 2 VPSs just for sake of censorship. |
|
@arandomgstring FYI, I changed to Vless + TLS + TCP, now its more robust than rprx. |
When
How do you test robustness of a configuration? FWIW, here they are recommending against enabling mux for xray. |
You could enable all latest features in mobile. |
|
@free-the-internet
All they say is that H2 + gRPC itself mimics mux option, so this option is not recommended. Other configurations, such as Vless + TLS + TCP can of course enjoy mux option. Not to mention H2 is causing issues in Iran. |
Thanks. Do you know which transport method (TCP, HTTP2, gRPC, ws, etc) works better in Iran? Can they detect the transport method? |
|
I theory pure TCP should work the best, since there is no additional application layer beside TLS + VLESS/VMESS, etc of networking. WS is needed if you want to hide your VPS ip behind a CDN, though it will increase your latency and cloudflare CDN seems useless in Iran. If you use WS you can also use nginx and run a real website on your VPS ip:port, so that if a real censor bother to look at your domain they will see a real website there. From my understanding, browsers use web-sockets under-hood, therefore the increased latency caused by WS might be actually good, security wise, since it makes your traffic looks like a browser traffic. Although, I am 100% sure that we are very far from the point that they measure such latencies. HTTP2 seems to be heavily throttled or even blocked, according to report of people here. I have no experience using gRPC, though all I can say is that, its traffic is not very common. Messengers mainly use this protocol, but websites? I haven't seen any. Same goes for Quic. Quic is used by google and its services, but I haven't seen any noteable website that use this protocol. Wireguard is a no go. They have already blocked it; and its traffic is absolutely obvious! Though I'd like to say, Proton VPN on stealth mode (which sometimes connects on smartphones) uses Wireguard + TLS underhood. I am not aware of any xray config that does this, but I predict that soon, we will be able to mimic stealth protocol of proton vpn with xray. Its performance, on theory should be comparable, if not better than of pure TCP. Because Wireguard is a "silent protocol" and we won't be sending many ACK packets using this protocol.
This is all I know |
|
Thanks
I don't think camouflage website is related to using WS as a transfer medium. From what I know, suppose you are using xray or trojan-go for a client at port 2456. If the active probe of GFW (or Iran's version of it) comes in, knocking on the port, or repeating a former TCP packet, it better behave like a website.
Agreed. WG doesn't have any encryption (it's out-of-scope for them). Moreover, it's a UDP protocol. Recent events proved that Iran's GFW does not hesitate to completely block UDP. Unfortunately, hysteria is in the same boat, at least for Iranians. IMO, WireGuard+encryption is also a bit lackluster. As long as the server app is not designed for resisting GFW from the ground up, it would be useless for Iranians. You can see how ProtonVPN:stealth disconnects after a few minutes. I have high hopes for Trojan-Go or naiveproxy. But the former is not actively developed and I haven't managed to make any of them work in Iran as good as Xray+VLESS+TCP+TLS. |
|
I have configured a v2ray/vmess server, with internal and external servers. I can connect to proxy using the app and I also see the external server IP when I check my ip on the web. but I don't know why, all websites are still blocked, I mean it seems that proxy does not work correctly, do you have any idea about it? |
Don't use VMESS. Use VLESS + TCP + TLS.
Do the HTTPS server test I mentioned here on your problematic network.
Probably the censor is able to detect your method and denies the connection. But still, I don't think you would be able to check your client IP through public IP detection websites as they function through HTTP not ICMP. What does https://ipleak.net/ show? |
Yes. With 99% of certainty, it is because of DNS. Do an extended test here https://www.dnsleaktest.com/ you see Iran's flag? https://www.expressvpn.com/dns-leak-test here too. If so, then it's absolutely DNS problem. Refer to this topic #156 and find solutions, such as neckoray, proxifier, firefox remote dns, etc. |
Thanks for your answer. And I have to mention that while I had the said issue, my public ip was the external server ip (which is correct). And dns queries where also made to google but still I had no free access. |
Thanks for your answer. |
Interesting, |
Yeah, do you mean the profile configs? |
here is profile config:
|
|
Maybe thus |
On desktop app there are two domain strategies:
The value for the no.2 item (Domain Strategy) on mobile was "AsIs" and proxy had no But the problem was the no.1 item (Outbound Domain Strategy) which is only available on desktop app. |
|
I started to slowly read topics again since I am busy.
I am running trojan with h2 since 3 mounts ago and had no issue ofc, it throttled now but that's a different problem. is naive only working on h2? why do they have to entirely block such a core thing like h2? |
Beat me. They have almost blocked UDP altogether, which is core of messengers, gaming, etc. H2 is nothing. |
I said entirely. I think what they were doing was finding less impactful ways as we see during recent mounts things started to get worse day by day, probably they gave up on aiming protocols and now want to go for more harsh methods. the situation is really getting complex. |
|
It seems Irancell, Z-tel, and some other providers have blocked UDP completely that's why the connections are so slow on the other hand MCI works pretty well almost with everything even shadow socks without obfuscation... I tried everything combination SSR was the best result on Z-tel and Irancell I could get... Trojan is the next and Vless + xtls also works |
UDP to foreigner IPs? |
|
well today was the first day of total cutout for me, neither of the port, protocols on either of the ports or clients actually connect (there are gaps which if youre lucky you can get in for a few mins before you get shut out) so far IKEv2,TCP and as in today WSTunnel have all their band throttled. since i dont have access to v2ray (failed the setup multiple times) UDP on port 1194 "works" as in name only. nekoray servers as well get blocked within 12 hours. i guess there is heavy monitoring on all lines |
Hey @LeonardoMercer |
|
You should use https + vmess/vless + nginx/Apache + any free cdn ( for iran Arvan cloud or Derak ) or Cloudflare it works pretty good for me. Be sure to use 443 port then you can turn on proxy in CDN |
|
Hi pouyaSamie] could you send the guide , I have a vps that I set up for my friend and she cant use it anylonger. I'm keen on to fix it for her. |
Hi, I have written a full detailed tutorial. for that. please check it on my GitHub page. It will use vmess+ Nginx + CDN through SLL |
|
@pouyaSamie |
|
Yea it is needed because you need to keep websocket alive and also you need to he aboe redirect your request from port 443 to your vmess port… if you run your vmess on port 443 cdn wont allow that to pass and it will fail. At least from what i tried ... but if you could do it with proxy on the CDN i think you should be good to go
|
|
@pouyaSamie |
Thats good. I tried it with ArvanCloud cdn and it didnt work but with Nginx in fron it works perfectly |
|
Hi! I've made a repo containing a guide using Nginx fallback for anti probe detection. https://github.com/SasukeFreestyle/XTLS-Iran-TLS This also works with CDN but you need to configure it in nginx I do not recommend using X-UI because it does not contain an outbound CIDR block for Iranian IP's or websites. If your server does not have this CIDR block, every Iranian app or users will proxy connection from your server back to Iran, and with many users this looks very suspicious from a firewall/DPI perspective. This is because you are hosting a "website" and a website does normally not initiate (first) connection back to another IP/website in Iran. Check my config here Your solution also uses websockets which are somewhat outdated. You should use XTLS-RPRX-Vision and a uTLS fingerprint in V2rayN Also you are missing certbot renew script for your xray. when certbot renews its certificates your xray server will stop working because it has loaded old certificates, and you need to then manually restart xray. If you use my renewal script it will automatically stop xray, renew certificates and start xray with new certificates. |
Hi thanx for your update By the way X-UI has an update with newest changes. |
|
Now what? |
|
Hello, Any idea? |
Some of my private v2ray ( vmess ws tls with no fake site + tcp tls ) and shadowsocks + cloak servers are getting limited in Iran. I was running all configs on the same servers so I'm not sure which one got exposed or maybe they limited them based on traffic or other things. interesting thing is they are limited on one or two isp but working on others right now.
The text was updated successfully, but these errors were encountered: