Traffic obfuscation to bypass firewall #1914

Closed
3 tasks
blurHY opened this issue Feb 25, 2019 · 18 comments

@blurHY
Contributor

blurHY commented Feb 25, 2019

Recently, GFW started to block peers. As Chinese developers have to bypass GFW to visit some sites, we developed various protocols to achieve it. The protocols are strong enough to cheat GFW.
So, just integrate them into ZeroNet.

  • Shadowsocks
  • ShadowsocksR
  • V2ray

@shortcutme

DHT with traffic obfuscation is the solution

@blurHY
Contributor Author

blurHY commented Feb 25, 2019

I can't even publish my blog without connecting peers through proxy now.

@HelloZeroNet
Owner

To me it looks like shadowsocks is a socks5 proxy, so you should be able to use it with --proxy 127.0.0.1:1080

@blurHY
Contributor Author

blurHY commented Feb 25, 2019

Nope. I mean each peer should use shadowsocks as a reverse proxy.
Shadowsocks has two parts, client and server.

It's a tunnel

@HelloZeroNet
Owner

> I can't even publish my blog without connecting peers through proxy now.

Are any of the trackers working for you? Do you have 1.tracker.eu.org in the tracker list? What do you see if you visit https://1.tracker.eu.org in the browser? (there should be a big welcome message) Do you have a port opened?

@blurHY
Contributor Author

blurHY commented Feb 25, 2019

That's not about trackers.
I use a proxy to connect to trackers.

There're hardly any peers connected on my blog.
GFW is crazy these days, ssh connections always disconnect after 30 secs.

IPFS nodes are also banned by GFW here

No open port

@blurHY
Contributor Author

blurHY commented Feb 25, 2019

[two images]

@blurHY
Contributor Author

blurHY commented Mar 1, 2019

@shortcutme ZeroNet is almost dead in China
This solution must be the best choice, I hope you will implement it soon

blurHY changed the title from "Traffic confusion to bypass firewall" to "Traffic obfuscation to bypass firewall" on Mar 4, 2019

@emacsenli

emacsenli commented Mar 10, 2019

still under draft

THIS IS URGENT. ZN IS DYING OUT of CHINA
Talk is cheap; I want to be a contributor if I can.
Yes, we might need some obfs module like shadowsocks(r).

We can separate Chinese ZN users into 2 categories: one with a proxy (ss, ssr, v2ray, brook and so on), the other one doesn't. And it's easy for the first category to connect to trackers and other peers.

So my idea is under the assumption "local ISPs don't have the same capabilities as GFW", so a Chinese obfs plugin might work just to bypass ISPs,

and a Chinese obfs plugin might offer the following sub-functions.

subfunc A. basic obfs tunnel for "virgin" client.

1. This sub-func offers simple obfs without needing a zeroname ID and works on a fixed port and a pre-defined encryption algo. The fixed port is the same as the most common port used in China for p2p servers, such as xunlei and so on; the fixed algo might simply use aes-128-gcm and the local machine time as "salt".

2. Once a new "virgin" client has been activated for the first time, it can send its registration request using this predefined encryption protocol to 5 other relay peers,

3. and relay peers will decrypt the registration request and forward it to the zeroname server using their own proxy. Once registered, a "virgin" peer will go to the 2nd step.
4. In the 2nd step, a uuid will be generated by the "virgin" peer itself, which exchanges its uuid with 5 others using the pre-defined protocol and randomly chooses a more complex encryption and obfs algo for subfunc B.

subfunc B. dynamic and varified obfs for peers to peers communications

In subfunc A a "virgin" will become mature and send and receive encrypted streams for later communications.

  1. a "mature" peer communicates with other peers using its own uuid and algo

  2. a "mature" peer stores a list of friend peers (each peer's info can be stored as a list: zeroname, uuid, obfs algo, port, and maybe defined as a channel) and helps share other peers' info with its friends by exchanging friend lists.

  3. a "mature" peer updates its friend peers asynchronously, so the friends list can be enlarged quickly and kept semi-real-time.

  4. a "mature" peer can update its channel with a certain period of time

Since this algo is much more complex in de/encryption, a new version of pypy should be considered (pypy and uvloop are as fast as golang in async, as reported).

@ValdikSS

@HelloZeroNet this may help a bit
#1928
#1927

@ValdikSS

@blurHY, @emacsenli, try Rev3860.

@ValdikSS

Note that all current IP addresses of ZeroNet peers may be blocked in China, and it's better to test new obfuscation changes on new peers. For example, you can set up ZeroNet on a VPS, with the bootstrap plugin, and test if it's connectable from China.

@HelloZeroNet
Owner

According to my test it does not block the IPs, but the ip:port combination, so changing to another port can be sufficient

@ValdikSS

@HelloZeroNet at least two of my IP addresses no longer respond to ICMP (ping) according to ping.pe.

@HelloZeroNet
Owner

I just changed my port and according to http://port.ping.pe/ it can be connected again from China regions. But it's possible that different ISPs/regions have different blocking

@blurHY
Contributor Author

blurHY commented Mar 27, 2019

> According to my test it does not block the IPs, but the ip:port combination, so changing to another port can be sufficient

I used to set up a blog on Vultr. GFW blocked ssh connections after a few days, but port 80 remains available. That's weird

@ValdikSS

ValdikSS commented Apr 2, 2019

So, did this help? Does ZeroNet work in China?

@HelloZeroNet
Owner

My ip is still banned, so maybe the filter is not based on network traffic patterns.

@blurHY
Contributor Author

blurHY commented Apr 4, 2019

Millions of Chinese coders use obfs tunnels to resist GFW.
Yeah, it is not only about traffic patterns.
For example, all Vultr's IPs are banned recently.
But with the same configuration, GFW does not ban my new VPS which is bought from a small VPS provider

blurHY closed this as completed on Aug 19, 2020