Best VPN protocol setup for a VPS #180
Comments
Maybe the following repository could deploy it in one bash line:
They have blocked UDP on many networks. UDP-based methods like wg (WireGuard) or Hysteria are futile.
However, if you insist, first test whether your network has blocked UDP or not. Do this:
No, apparently they can detect OpenVPN.
Yes, they do, but blacklisted IPs are not restricted to these famous apps.
There are no guarantees that the IP you are renting has not become dirty because of other customers. See: #176 (comment)
I haven't tried the script you linked, but I guess it works. There is also this for setting up x-ui with an English user interface: https://github.com/NidukaAkalanka/x-ui-english
Tell us if you find out! Xray+VLESS+TCP+TLS seems to be the most resilient, but it doesn't protect against the active probe (see #166 (comment)). You need to have a camouflage website on port 443 with HTTPS and redirect suspicious packets to this endpoint so the censor does not add your domain/IP to the list. If you have SSH access to a server and just want to proxy your PC, you can simply use an SSH-based SOCKS proxy. See this:
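The camouflage/fallback idea in the reply above, as an added toy model (not code from the thread, from Xray or from Trojan): a single listener checks the first packet of each connection for the credential and hands everything else to a decoy web responder, so an active probe that connects without the credential gets the same answer an ordinary web server would give. TLS is left out so the example runs offline on loopback; the shared secret, the decoy page and the PROXY-OK reply are constructed stand-ins for the real handshake.

```python
"""Toy model of the 'fallback' idea: one TCP listener, two personalities.

Connections whose first bytes carry the shared secret are handled as proxy
clients; everything else (a browser, a scanner, an active probe) is handed to a
decoy HTTP responder, so whoever connects without the secret sees an ordinary
website. Xray (VLESS fallbacks) and Trojan do the same thing after TLS
termination; TLS is omitted here so the example runs offline on loopback.
Added example for this thread, not code from Xray, Trojan or the posters."""
import socket
import threading
from typing import Tuple

# Constructed decoy page; in a real deployment this is the camouflage site
# served by nginx/caddy on a local port that the proxy forwards to.
DECOY_BODY = b"<html><body><h1>Welcome</h1><p>Nothing to see here.</p></body></html>"


def decoy_http_response(first_bytes: bytes) -> bytes:
    """Mimic what the camouflage web server answers: 200 for GET/HEAD, 400 otherwise."""
    request_line = first_bytes.split(b"\r\n", 1)[0]
    if request_line.startswith((b"GET ", b"HEAD ")):
        head = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(DECOY_BODY))
        return head + DECOY_BODY
    return (b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n"
            b"Content-Length: 0\r\nConnection: close\r\n\r\n")


def dispatch(first_bytes: bytes, secret: bytes) -> Tuple[str, bytes]:
    """Route a fresh connection using only its first packet.

    Returns ("proxy", reply) for an authenticated client and ("decoy", reply)
    for anyone else. The secret-on-the-first-line check is a stand-in for the
    real credential check (VLESS UUID / Trojan password hash)."""
    if first_bytes.startswith(secret + b"\n"):
        return "proxy", b"PROXY-OK\n"
    return "decoy", decoy_http_response(first_bytes)


def start_fallback_server(secret: bytes, host: str = "127.0.0.1") -> int:
    """Listen on an ephemeral loopback port in a daemon thread; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def handle(conn: socket.socket) -> None:
        with conn:
            conn.settimeout(2.0)
            try:
                first = conn.recv(4096)
            except socket.timeout:
                first = b""  # a client that sends nothing is not ours either
            _, reply = dispatch(first, secret)
            conn.sendall(reply)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port


def talk(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Connect, send one payload, and return everything the server answers."""
    with socket.create_connection((host, port), timeout=3.0) as c:
        c.sendall(payload)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)


if __name__ == "__main__":
    secret = b"example-shared-secret"  # assumed value, not from the thread
    port = start_fallback_server(secret)
    print(talk(port, secret + b"\nhello"))  # proxy path
    print(talk(port, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")[:40])  # probe sees a website
```

In a real deployment the listener is Xray or Trojan on 443 with a valid certificate for your domain, the fallback destination is nginx or Caddy on a loopback port serving a real-looking site, and the probe's view should match that site byte for byte (headers included), which is why forwarding to the actual web server beats a hand-written response like the one above.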
You need to type stuff on one end and see the echo on the other end. Did you type some characters?
Yeah, goodbye UDP.
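The UDP echo test described above, written out as an added example (not code from the thread): one side runs an echo server, the other sends a random nonce and waits for the identical bytes to come back; silence within the timeout means UDP to that destination is being dropped. The loopback demo and the swallow option are constructed here to show both outcomes; port 51820 in the comment is only WireGuard's usual port and is an assumption.

```python
"""Does a UDP datagram to <host>:<port> come back? The echo test from the thread.

Run the echo server on the VPS and the probe from the client network. A nonce
that is echoed back means UDP to that destination works; silence means the path
drops UDP (or nothing is listening), which is the case where WireGuard/Hysteria
style transports are pointless. Added example, not code from the original thread."""
import os
import socket
import threading
from typing import Tuple


def run_echo_server(host: str = "127.0.0.1", port: int = 0,
                    swallow: bool = False) -> Tuple[socket.socket, int]:
    """Start a UDP echo server in a daemon thread; return (socket, bound port).

    swallow=True reads and discards datagrams, which stands in for a network
    that silently drops UDP. Pass port=0 to let the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, port))
    bound_port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:
                return  # socket closed by the caller
            if not swallow:
                srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, bound_port


def udp_echo_reachable(host: str, port: int, timeout: float = 2.0,
                       tries: int = 3) -> Tuple[bool, str]:
    """Send a random nonce up to `tries` times and wait for the identical bytes.

    Returns (reachable, detail). Anything other than an exact echo is a
    failure, so a middlebox that answers with junk is not mistaken for a
    working path."""
    nonce = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for attempt in range(1, tries + 1):
            try:
                s.sendto(nonce, (host, port))
                data, peer = s.recvfrom(2048)
            except socket.timeout:
                continue  # nothing came back in time; try again
            except OSError as e:
                # e.g. ICMP port unreachable surfaced as ConnectionRefusedError
                return False, f"error on attempt {attempt}: {e}"
            if data == nonce:
                return True, f"echo received on attempt {attempt} from {peer[0]}:{peer[1]}"
            return False, f"unexpected {len(data)} bytes from {peer[0]}:{peer[1]}"
    return False, f"no echo after {tries} tries of {timeout}s: UDP to {host}:{port} looks filtered"


if __name__ == "__main__":
    # Loopback demo. On a real VPS: run run_echo_server("0.0.0.0", 51820) there
    # (51820 is an assumed port), open it in the firewall, then call
    # udp_echo_reachable(vps_ip, 51820) from the client network.
    srv, port = run_echo_server()
    print(udp_echo_reachable("127.0.0.1", port))
    srv.close()
    sink, port = run_echo_server(swallow=True)
    print(udp_echo_reachable("127.0.0.1", port, timeout=0.5, tries=2))
    sink.close()
```

Test from every network you care about (WiFi and each mobile operator), because the thread's experience is that results differ per ISP; a working echo from one network says nothing about the others.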
@Msadr471 check out my updated comment (SOCKS5 guide). There is also this guide https://github.com/iranxray/hope with Farsi explanations.
WOW, it's great, well done mate.
Do you have a tutorial for having a fallback website for VLESS + TCP + TLS? I see one here: https://henrywithu.com/coexistence-of-web-applications-and-vless-tcp-xtls/ but it looks complex; I feel it must be simpler than that.
No, I think @arandomgstring has set it up like this. I think he has used a derivation of this: https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-TLS-WS%20(recommended)
See this repo: https://github.com/reeceyng/v2ray-agent
VLESS has been deprecated and will be removed from V2Ray. The manual recommends using Trojan instead of VLESS.
Oh, it's a maintained fork of the mack-a script! His script looked very robust when I tried it (Trojan option). I don't know why he suddenly removed his repo. I mean, did he find a security flaw and didn't want to spend time on it (so he removed it), or what?
Yeah, but unfortunately, more information about mack-a is not available.
You won't believe it.
Yeah, they have throttled download/upload bandwidth to foreign servers. Two questions: can you try a speedtest (average of 3) with VLESS and Trojan configs (separately) and write the results here? I wonder if Trojan's upload speed is better than VLESS's...
@arandomgstring, could you please share your setup that has VLESS + TCP + TLS + fallback to a mock site (nginx)? BTW, thanks @Azadzadeh and @bensafai.
The mack-a script had a camouflage option and supported both Trojan and Trojan-Go. But... someone with specialized network and cryptography experience needs to review the forked script for possible problems (since the original repo was removed). If that question is answered, I think mack-a + Trojan-Go + camouflage would be our best method. @alirezaac what's the latest status on NaiveProxy? Found any script, guide or setup that works on WiFi and mobile (Irancell and MCI)?
Trojan: Down = 14.6 Mbps / Up = 22.4 Mbps. And it is NOT working on Irancell, and it's working on Hamrah-e Aval (MCI). If anybody knows a way to make it work on Irancell and Hamrah-e Aval, let me know! Thanks. My ISP is DIDI.
@pirooz-gthb You can always use Google Translate or DeepL for their whole bash file, or you can translate line by line, you know... I am saying this because original Chinese resources are always far ahead. And simply saying something doesn't work doesn't help much. What does the log say?
Thanks, but now I set it up on my VPS and it is running, except the thing is:
So it is useless, I suppose. And I'm tired of this whole thing; I suppose the whole internet is gonna be BLOCKED forever in Iran. Goodbye world.
What am I looking at? You just need to 1) activate VLESS or Trojan, 2) do the speedtest (Go button), 3) wait for it to finish, 4) write two numbers here: download speed / upload speed.
It's a known issue... Did you use a domain name? Either your IP was dirty, or they are blacklisting your European datacenter, or they can detect VLESS/Trojan. The last case is the worst.
Trojan: Down = 14.6 Mbps / Up = 22.4 Mbps. I can access my VPS on Irancell and Hamrah-e Aval with SSH, so could I say it's not on their blacklist?
As I said earlier, try the SSH-based SOCKS method I linked to in my first reply in this issue. You can connect to the internet via your cellphone service through the SOCKS proxy. This works on PC though, as I'm not aware of any method for Android that doesn't require root. So you feed your PC the cellphone internet via hotspot, then follow that guide on the PC side.
No. The censor may let the SSH protocol through and just sometimes mess with HTTPS. As far as I know, this type of attack is called a Quality of Service attack. So, for example, instead of banning your IP, they may interfere with the quality of your connection. This way, we (the users) won't have any idea what went wrong.
See my first reply; I mentioned a test in that link:
You did not answer this.
You said you bought from Hetzner. Hetzner is among the cheapest VPS providers. You just need to choose the cheapest.
Hmm... so you don't have a domain and used a self-signed certificate... I don't know whether the censor is able to detect if a certificate is not issued by a valid issuer... Usually the guides instruct people to register their own domain names...
See tutorials on Caddy or nginx... You just need to prepare or download an ... After that, you need to capture both incoming packets to port 443 on the server and outgoing packets to the domain/IP from the client (with Wireshark or tcpdump) and see if an external
Yes, I remember this part; it was a self-signed certificate.
No, I don't have time for that, thanks anyway. I will try SSH.
Yes. They will give you very limited access to certain foreign websites, though, because you are a student after all. Take it as a win. And you didn't show me any "logs", but from what I can see, the strange thing about your configuration is that it is working on WiFi. It should not be able to work anywhere at all, because you don't even own a domain. Without a domain, you cannot even propagate DNS, much less issue a self-signed certificate. And SSH works because it uses the IP of your VPS directly, without a domain. It has nothing to do with QoS. If you are so tired of configuring your VPS, pay someone to do it for you, or well, enjoy your limited access to the internet while it lasts.
Whitelisted protocols are a thing... They may let SSH pass through even to a foreign IP but randomly send
It seems mobile networks are their laboratory to experiment with different blocking techniques. We still don't know whether his IP was dirty, or his provider's IP range traffic is being tampered with, or if they can detect VLESS/Trojan. @bensafai what exact method are you using, and does it work on mobile?
How can I show my logs? As I said earlier, I'm not a pro, and if you guide me I will. I saw some YouTubers doing this configuration with a domain; I did not understand that part (before that I did not even notice it, so somehow I skipped this part) and I didn't do it. After that, when @Azadzadeh recommended this repo to me, I did every part, and now I have access to the internet. But why is it strange? Because I don't have a domain?
The x-ui server log can be seen with ... These logs contain lots of private info, so review them if you want to post them publicly. I don't think these logs would help in debugging our particular problem (that is, the server being inaccessible from mobile networks). For that we would need pcap dumps.
Nah, I am going to bet that the first thing they are gonna limit is SSH rather than HTTPS. Why? Because the most notorious VPNs use SSH. Psiphon is the first one that comes to my mind. Besides that, you can make proxies with sshuttle (or without it) very easily (easier than V2Ray, since you need neither a TLS certificate nor complex configuration), and moreover, why would they block HTTPS, the traffic of normal websites that most users need, and let SSH go through? @Msadr471 doesn't own a domain, which is why his domain doesn't resolve to any IP address. Are you using V2rayNG or something on your smartphone? What application do you use to connect to your server? You can always find logs somewhere within the application that you are using to connect to the proxy server. For example, at the bottom of V2rayN a log like this is shown. The logs above show that my proxy is working fine. Yours is probably saying that no IP address could be found for the hostname. Now this is a suggestion, but if you are OK with SSH, why don't you use it? There is absolutely no need for V2Ray anyway.
Yeah, this is strange for me too. Some ISPs have more restrictions than others. To check my IP I should do this:
I mean, another strange thing is: I found an app called Intra and it works on Irancell. When I turn it on, it lets me access some websites like YouTube and Twitter, NOT all blocked websites, but most of them. It's a DNS manager, so how is this one working? It doesn't change my IP?! For example, it won't work on Instagram, WhatsApp or Telegram, but it works on Pinterest (it's blocked too). Last night I tried and noticed that Trojan is working on Hamrah-e Aval. My question is: in Iran, there is no such thing as a private company or anything that the government does not control. So why do these internet providers have different methods for blocking? Well, I know that when the government orders Irancell or Hamrah-e Aval to block a platform, they must also act. Well, they all use the same method for blocking, is that true? (Well, different methods are needed for blocking, but do these internet providers have access to these methods? Right??) And they must follow that rule; if they don't, it will be a violation of the government's order and the business will be closed. It is possible to change the management of that company (if it's a big corporation) and replace one of them to comply with the government's demands and implement their own policies. So how come we see significant differences even in two of the largest mobile internet providers?
It's easy to answer this question. First of all, you need to know that many websites have many IPs, not only one. For example, there should be at least 1000 IPs for YouTube, I guess. Finding every single IP and blocking it is a pain. So the censor will block a site according to its domain. For example, every time you type youtube, a DNS request is sent from your browser to the ISP, asking what the IP address of youtube is. The ISP replies with a fake IP address, so you cannot open YouTube, even though the real IP addresses of YouTube are not blocked. If you manage to find all of YouTube's IPs for every single domain inside YouTube (which you cannot see unless you use Wireshark), you will be able to open YouTube without a VPN. Sometimes, though, some apps such as Telegram and WhatsApp use a few IPs. So the censor can easily block them directly by their IP address. It has nothing to do with DNS (you are not asking what the IP address of Telegram is; your Telegram application knows it); it's a direct block on the IP itself, and you cannot bypass it without a VPN. As for the difference between ISPs, well, their devices are different, their traffic is different, etc. For example, a smaller ISP needs to let some traffic go through, otherwise it goes bankrupt. Big companies such as Irancell don't care about these things.
These internet providers may have different contracts with different Chinese or Russian companies for DPI systems... As I said, they test different techs at different times and share their results among themselves... Once their boss asks them to turn off the lights, they simply use the one method that worked fine against all these proxy solutions... That's why I say if just one network can block our access, it means the writing is on the wall and other ISPs will soon follow.
Because tech people need SSH... Their mess with HTTPS is random and sporadic... The user simply closes the website or hits refresh... but proxy apps break.
But he says that he cannot connect to his proxy on mobile ISPs at all! He didn't say that he can connect but it is slow or packet loss is high or something. It's beyond throttling; there has to be a simple reason, such as not having a domain, for this type of problem. Proxy apps won't break either; they are designed in a way that they re-establish their aborted connections. At least, that is the case for V2rayN. And if you were the censor, would you rather block the access of tech people (who make proxies) or normal users?
Normal users... most tech people just do their job.
I think he has SSH access to that IP through mobile... Also, later he said Trojan worked on MCI... He can simply
Apparently their DPI system interferes with the first two packets... Not having a domain is not the only problem; it's more complicated. See: https://ntc.party/t/paper-summary-detecting-and-evading-censorship-in-depth-a-case-study-of-irans-protocol-filter-foci-2020/655
What you are looking at is v4 of V2Ray, but what I'm pointing at is v5. It is written in both languages, English and Chinese:
The numbers visible in the image relate to the setup of V2Ray that connected with an acceptable speed for Instagram usage from yesterday. It's a really muddy situation. I can just say that there is no best solution anywhere. The law of the jungle dictates which configuration is the best. 1: VLESS+WS+TLS+443+Cloudflare CDN (Hetzner-DE)
Looks random to me. I would say there is no correlation between the protocol and successful connectivity, because all the setups are the same from the censor's point of view. Maybe it is more related to the IP and random droppings? Or the settings of the users, especially the DNS thing. Also the blockage of the CDN IP.
Can I make it private for myself?
So, I told a friend and he helped me; now my VPS works on all ISPs, including Irancell.
Thank you for sharing the information, but it's better to keep your fingers off Arvan Cloud. They are under European Union sanctions. Is Arvan Cloud the only viable service provider in Iran? Are there any other companies that do the same business?
@Msadr471 When you say through Arvan Cloud, do you mean their CDN service or their VPS solution?
I really discourage the use of any local VPS, unless there is an emergency when there is a shutdown.
I think that Europe and other countries are only talking and they don't keep their promises! If they really intended to help, they wouldn't design and regulate the sanctions in a way that puts pressure on the people of Iran; instead they would sanction the government, not the people! At the moment, Arvan's servers all have access to the internet, so there is no embargo!
It doesn't really matter! Any other company that provides these services is still dependent on the government. They cannot defy the government in any way.
Yes.
In fact, Arvan Cloud is helpful when our access to the global internet is completely cut off; it allows us to use this company's server platform to communicate with the outside world.
Well, in this case, I need your help, friends. How can I get access (even though I can be identified and use my student identity for my right to use the internet) but encrypt my traffic somehow? A way where they know I'm using it, but they can't decipher it. For example, the bridge that I have on my own server for the Tor network: I would pass its traffic through Arvan's CDN services and remain anonymous with the help of the Tor network! Is such a thing possible? But I think that if I want to communicate with Arvan, this communication itself should be encrypted, right?
Most likely the author was caught by the government, like the author of the original Python version of Shadowsocks: https://github.com/shadowsocks/shadowsocks. Many authors who write censorship circumvention tools or scripts have been caught before in China.
Guys in Iran, I need checks. |
@free-the-internet |
It's working for me without bridges or Snowflake!
Do you think it's because of the fingerprinting? How can we use meeklite in a Tor client, or build a bridge with meeklite compatibility? @wkrp Could you help us please? I've got reports that VLESS + TCP or Trojan + TLS is connecting but not usable at all, especially on mobile operators.
I tried with 3 domains
with VMess + TLS and HTTP as transport. Now I'm going to change my DNS to Arvan Cloud; I will let you know if there was any significant change.
If obfs4 bridges are indeed being blocked, there could be a variety of causes. It may be enumeration of the distribution system; it could be identification of high-entropy connections; it may have to do with connection lifetime or connection patterns; it could be blocking of specific foreign IP address ranges. It's hard to say. There's really no such thing as "meek_lite". That label originally referred to an independent implementation of the meek protocol in obfs4proxy; the "lite" was meant to indicate that it did not have any TLS camouflage. (The mainline meek implementation used a headless browser for TLS camouflage at the time.) Later, obfs4proxy's implementation started using uTLS for TLS camouflage, so the implementation was no longer really "lite". The mainline implementation also gained the ability to use uTLS, as an alternative to a headless browser. There's really no difference between meek and meek_lite. The demand for the built-in meek-azure bridge is much larger than the supply. The bridge is self-throttled to about 5 MB/s (as you can see in the bandwidth graph) in order to control costs, because the bridge is so expensive to operate. In comparison, one of the Snowflake bridges currently averages around 240 MB/s. It is possible to use meek with a personally operated meek-server, with or without a CDN in the middle. For example, you can use this bridge line:
But without a CDN, blocking resistance depends on keeping the bridge URL secret. There is nothing to prevent a censor from blocking the above server. But if you set up your own server and keep it private, you can use the meek transport protocol with your own bridges.
Hi,
I am from Iran and recently bought a VPS on Hetzner. Last night I tried to set up WireGuard, but it was so confusing that I used this source to set it up, and it did not work. I mean, I know I did something wrong but don't know in which part! The most confusing part was that every site had its own different setup! So the question is: is WireGuard good? Do you have any sources that help me? Or should I choose a different protocol because I'm living in Iran and WireGuard won't work?
I'm not an IT or network engineer. For example:
When I was setting up WireGuard last night:
I didn't know what I should choose for my
Address
or Endpoint
or AllowedIPs
OR in the server config itself! Which IP?
I've seen this repo too and I get nothing. Does OpenVPN work in Iran?
Or does the government only block those servers that were providing VPNs like Nord or ProtonVPN? If I have access to my server, then any kind of setup must work, right??? I don't know, you tell me.
Here @arandomgstring says:
So WHAT THE HELL IS THIS?
I barely understand and write English!
BUT I found this, and also @arandomgstring says:
So I'm all ears. Is there any script for me, who knows nothing, to build or set up a VPN? An easy script for setting up VPNs on my VPS.
Thanks, and sorry for my English.