Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bootstrap nodes seems blocked by GFW (China) #5993

Closed
blurHY opened this issue Feb 14, 2019 · 19 comments
Closed

Bootstrap nodes seems blocked by GFW (China) #5993

blurHY opened this issue Feb 14, 2019 · 19 comments
Labels
status/duplicate This issue or pull request already exists

Comments

@blurHY
Copy link

blurHY commented Feb 14, 2019

There is no peers connected before executing ipfs swarm connect ...

@hoogw
Copy link

hoogw commented Feb 14, 2019

GFW, is china government build great firewall, has a white list.
Any IP does not on their white list will be blocked.

Only a few IP on white list is allow access, otherwise NOT on white list, will be blocked.
Your nodes not on china government's white list, so blocked.

@Stebalien
Copy link
Member

Last time I checked, GFW was blacklist based. The solution here is probably to try to remember nodes that are reachable between restarts so we can bootstrap off of them. In this case, those would be other nodes in China.

@hoogw
Copy link

hoogw commented Feb 14, 2019

@blurHY
Copy link
Author

blurHY commented Feb 15, 2019

Nope, GFW is blacklist based.
Could IPFS remember nodes like i2p?

@blurHY
Copy link
Author

blurHY commented Feb 15, 2019

Gov's hackers have already add IPFS's default bootstrap nodes to blacklist. So without ipfs swarm connect to add a non-blocked peer, Chinese users will NOT connect to any peers

@Mikaela
Copy link
Contributor

Mikaela commented Feb 15, 2019

Could IPFS remember nodes like i2p?

#3926 and I think this issue may be a duplicate of #3908.

@blurHY
Copy link
Author

blurHY commented Feb 15, 2019

Duplicate

@blurHY blurHY closed this as completed Feb 15, 2019
@hoogw
Copy link

hoogw commented Feb 21, 2019

Chinese government block chinese user connect to each other. How to work around it?

@Stebalien Stebalien reopened this Feb 21, 2019
@Stebalien
Copy link
Member

Reopened because this issue is useful to track IPFS use in China.

@hoogw within china? That is, you're having trouble connecting two nodes inside china to each other?

@blurHY
Copy link
Author

blurHY commented Feb 21, 2019

So far, GFW could only block bootstrap nodes.

@LetItGlow
Copy link

When I run my daemon, I get a lot of China nodes, how do they even connect to me?

@blurHY
Copy link
Author

blurHY commented Mar 3, 2019

Maybe they can't. Because GFW can detect IPFS traffic and block it.
HelloZeroNet/ZeroNet#1914

@LetItGlow
Copy link

LetItGlow commented Mar 6, 2019

Any ways to encrypt or 'key' the traffic IPFS side so it isn't obvious for packet sniffers (or whatever they are using) anymore?
Edit: Thinking about it, may increase CPU load per connection.

I created a list of china nodes (At least the Webui told so) and compiled that into a list.
I need to check them against a whois, to see if those are "real" China IP exports. (sorry bad joke)

Edit 2:
Could you try to bootstrap to
/ip4/39.106.19.168/tcp/4001/QmX5KX7nA3PwhCgSswaxavGmNvGKP9un6rU5VzXP8Mduyy
This is a real China node, even online.

@Stebalien
Copy link
Member

Any ways to encrypt or 'key' the traffic IPFS side so it isn't obvious for packet sniffers (or whatever they are using) anymore?

We already do.

Our current issues are:

  1. We usually run on port 4001 (obvious). We've considered listening on a random port by default, it just makes port forwarding a bit trickier. However, we need to seriously revisit this now.
  2. We negotiate our crypto protocol in the clear and, worse, use a custom TLS-like (but not TLS) protocol. We're working on switching to plain TLS which should make IPFS nodes look like normal web traffic.

Unfortunately, even if we fix all this, it's still pretty trivial to connect to a computer and check if it's an IPFS node.

@LetItGlow
Copy link

LetItGlow commented Mar 7, 2019

Why don't we just ask nicely, after we exchanged keys?
So we go on with the usual Client and server hello, exchange SSL "business cards" and then just ask encryptedly: "Are you IPFS, gimme your ID"
If the server doesn't understand, just leave the room. But decrypting these may reveal that, I think.. Unless one of the business cards is a envelope..

@Stebalien
Copy link
Member

That's effectively how the TLS security transport will work. However, the firewall will still be able to politely ask, discover all computers running IPFS, and block them.

@Mikaela Mikaela mentioned this issue Apr 15, 2019
@izern
Copy link

izern commented Jun 13, 2019

@LetItGlow
/ip4/39.106.19.168/tcp/4001/ipfs/QmX5KX7nA3PwhCgSswaxavGmNvGKP9un6rU5VzXP8Mduyy

@blurHY
Copy link
Author

blurHY commented Jul 6, 2019

Any progress ?

@Stebalien
Copy link
Member

No. Unfortunately, the best solution for the moment is to add an alternative bootstrapper by running something like (to use @izern's node):

ipfs bootstrap add   /ip4/39.106.19.168/tcp/4001/ipfs/QmX5KX7nA3PwhCgSswaxavGmNvGKP9un6rU5VzXP8Mduyy

@hsanjuan hsanjuan changed the title Bootstrap nodes seems blocked by GFW Bootstrap nodes seems blocked by GFW (China) Mar 6, 2020
@hsanjuan hsanjuan added the status/duplicate This issue or pull request already exists label Mar 6, 2020
@blurHY blurHY closed this as completed Mar 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status/duplicate This issue or pull request already exists
Projects
None yet
Development

No branches or pull requests

7 participants