Outline gets detected in Iran #1518

Closed
cornzzy opened this issue Mar 5, 2024 · 10 comments

cornzzy commented Mar 5, 2024

I have been trying every possible combination of configuration options:

  • All prefixes in the Reddit wiki plus other protocols' first bytes such as RTSP, SMTP, POP, ... ("RTSP/1.0 ", "DATA ", ...)
  • Different ports, random or protocol-specific like 443, 123, ...
  • Different server providers, major ones like DigitalOcean, Linode, Vultr and some no-name providers and Azure. Azure was the only one that didn't get blocked easily but they charge ~$60 per TB of outbound. It seems like GFW treats its IPs differently.
  • TCP-only connection. This one delays the detection for a couple of days but still gets detected.
  • Dynamic prefixes, this one can be achieved by a custom backend service which selects a random prefix from a pool of prefixes every time the end-user connects; still gets blocked. For example TLS ClientHello and TLS Application Data prefixes.
  • Different encryption methods such as aes-256-gcm and chacha20-ietf-poly1305

There are different kinds of blockages:

  1. Outline client connects successfully but bandwidth gets limited to 0. This happens mostly on mobile providers and prefix choice has an effect on it.
  2. Outline client doesn't connect with an error of "Server unreachable" and "Server credentials are invalid", again mostly on mobile providers while the same config works on some cable providers.

The two-hop solution
Creating a tunnel like client -> Iran server -> foreign server works but it makes no sense to use it with Outline because two-hop works with anything such as OpenVPN and WireGuard and doesn't get blocked.

I've spent countless resources for the above statements. My strongest guess is it's coming from the end-user's usage.
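
The dynamic-prefix setup described in the comment above, as an added example that is not part of the original thread or Outline's own code: it picks a prefix from a pool per key request and renders it for a static `ss://` key (`prefix=` query parameter) and for a dynamic-key JSON document. The JSON field names, the one-code-point-per-byte encoding and the 16-byte cap are assumptions about Outline's access-key format; the server address, password and TLS-shaped byte strings are constructed.

```python
import json
import secrets
from urllib.parse import quote

MAX_PREFIX_LEN = 16  # assumed cap on prefix length, in bytes

# Prefix pool. "RTSP/1.0 " and "DATA " are quoted in the issue; the two TLS
# entries are constructed byte strings shaped like TLS record headers.
PREFIX_POOL = {
    "rtsp": b"RTSP/1.0 ",
    "smtp-data": b"DATA ",
    "tls-clienthello": bytes.fromhex("16030100a80101"),
    "tls-appdata": bytes.fromhex("1703030040"),
}


def prefix_to_text(raw: bytes) -> str:
    """Map each byte to the code point of the same value (0-255)."""
    if not 0 < len(raw) <= MAX_PREFIX_LEN:
        raise ValueError(f"prefix must be 1..{MAX_PREFIX_LEN} bytes")
    return raw.decode("latin-1")


def static_key_param(raw: bytes) -> str:
    """Value for the prefix= query parameter of a static ss:// key."""
    # Bytes >= 0x80 become two escapes (UTF-8 of the code point): 0xA8 -> %C2%A8.
    return quote(prefix_to_text(raw), safe="")


def dynamic_key_json(server: str, port: int, password: str,
                     method: str, raw: bytes) -> str:
    """Render one dynamic-key document carrying the chosen prefix."""
    return json.dumps({
        "server": server, "server_port": port, "password": password,
        "method": method, "prefix": prefix_to_text(raw),
    })


def pick_prefix() -> tuple[str, bytes]:
    """Choose a pool entry at random for each key request."""
    return secrets.choice(list(PREFIX_POOL.items()))


if __name__ == "__main__":
    name, raw = pick_prefix()
    print(name, static_key_param(raw))
    print(dynamic_key_json("203.0.113.10", 443, "constructed-password",
                           "chacha20-ietf-poly1305", raw))
```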

ParsaJR commented Mar 7, 2024

Me too. But I did not test any of those Reddit wiki methods. My Outline server was working perfectly fine for twenty days. Today it is blocked for all ISPs. I feel that it just depends on the amount of internet usage of the users (not just for Shadowsocks, for all protocols). If less than ~100 gigs of traffic is consumed per month, the probability of blocking is less. Anyway... this is just a guess. Do V2Ray or Hysteria work better in Iran? I don't know what to do. Should I buy a server with Outline or ...

@cornzzy cornzzy closed this as completed Mar 11, 2024
@cornzzy cornzzy reopened this Mar 11, 2024

cornzzy commented Mar 11, 2024

@ParsaJR If it's for personal/family usage, read this: #1319. It won't get blocked on a clean IP.

@cornzzy cornzzy closed this as completed Mar 11, 2024

ParsaJR commented Mar 11, 2024

@cornzzy Thanks. Are you saying that it can be solved with a prefix? So why did you say if it is for personal or family use? What did you mean by this?

cornzzy commented Mar 12, 2024

The TLS ClientHello prefix works for personal use and you should use it. It becomes different when clients connect from many different ISPs.

ParsaJR commented Mar 12, 2024

alright thanks

ParsaJR commented Mar 21, 2024

I used much less traffic and applied a prefix. But surprisingly, it was closed earlier than the previous ones. Shadowsocks doesn't seem to work well for us (at least for me). I went to the Hysteria protocol ... just so you know.

@cornzzy cornzzy reopened this May 22, 2024

pedinil commented May 31, 2024

I believe we need to be cautious about exposing ports, as attackers can easily identify a server with abnormal ports open.

There are two types of ports to consider:

  1. Management port: This port cannot be changed, but I am researching ways to do so.
  2. Access key port: This port can be modified.

Additionally, it is crucial to block access from all Iran domains on your server. I have provided a script to help with this:
https://github.com/pedinil/IRiptables

Adding a custom port:
sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-apps/master/server_manager/install_scripts/install_server.sh)" install_server.sh --keys-port=80 --api-port=443

cornzzy commented Jun 2, 2024

The issue is not with port or Iranian websites.
Good luck, hope you can get it to work for you.

pedinil commented Jun 2, 2024

Thank you for your comment. This issue happened to me before, and I was able to resolve it by changing the port. However, I want to clarify that using an unusual port is not recommended.

But there should be more factors.

cornzzy commented Jun 2, 2024

Random port takes hours to get detected. TCP only connection on 443 with TLS prefix on a clean IP can give you a week or two for family usage. If money isn't an issue, Azure IP doesn't get blocked at all but it's $80 per TB (GFW treats it differently).
