一个混淆ss流量的插件-GoQuiet

A shadowsocks plugin that obfuscates SS traffic and can defend against active probing。

简体中文

A shadowsocks plugin that obfuscates the traffic as normal HTTPS traffic and disguises the proxy server as a normal webserver.

The fundamental idea of obfuscating shadowsocks traffic as TLS traffic is not original. simple-obfs and ShadowsocksR's tls1.2_ticket_auth mode have shown this to be effective. This plugin has made improvements so that the goal of this plugin is to make indiscriminate blocking of HTTPS servers (or even IP ranges) with high traffic the only effective way of stopping people from using shadowsocks.

Beyond the benefit of bypassing the firewall, it can also cheat traffic restrictions imposed by ISP. See here.

This plugin has been tested on amd64 and arm Linux and amd64 Windows. It uses about the same CPU and memory as shadowsocks-libev (which is very little), and has almost no transmission overhead added on top of shadowsocks.

Download

Download the binaries here

or if you are deploying it on a server, you can use the automated script here.

Build

gq-client requires go1.11+. gq-server doesn't require any particularly new version of go.

make client or make server

or use the automated script here to build shadowsocks-libev and GoQuiet server from source.

Usage

Change the key in config file before using it. It can be the same as shadowsocks' password

You can check Instructions for Windows users

Plugin mode

For server:

ss-server -c <path-to-ss-config> --plugin <path-to-gq-server-binary> --plugin-opts "<path-to-gqserver.json>"

For client:

ss-local -c <path-to-ss-config> --plugin <path-to-gq-client-binary> --plugin-opts "<path-to-gqclient.json>"

or as value of plugin and plugin_opts in Shadowsocks JSON

{
    "server":"0.0.0.0",
    "server_port":443,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"mypassword",
    "timeout":300,
    "method":"aes-128-gcm",
    "fast_open":false,
    "reuse_port":true,
    "no_delay":true,
    "plugin":"path-to-gqserver/client-binary",
    "plugin_opts":"path-to-gqserver/client.json"
}

Alternatively, plugin_opts can be the configuration options separated by semi-colons. For example:

"plugin_opts":"WebServerAddr=204.79.197.200:443;Key=exampleconftest"

Keys cannot have = " ; in them

Standalone mode

Standalone mode should only be used if your shadowsocks port does not support plugins

For server:

gq-server -r 127.0.0.1:8388 -c <path-to-gqserver.json>
ss-server -c <path-to-ss-config> -s 127.0.0.1 -p 8388

For client:

gq-client -s <server_ip> -l 1984 -c <path-to-gqclient.json>
ss-local -c <path-to-ss-config> -s 127.0.0.1 -p 1984 -l 1080

Configuration

For server:

WebServerAddr is the redirection address and port when the incoming traffic is not from shadowsocks. It should correspond to the IP record of the ServerName set in gqclient.json

Key is the key. This needs to be the same as the Key set in gqclient.json

For client:

ServerName is the domain you want to make the GFW think you are visiting

Key is the key

TicketTimeHint is the time needed for a session ticket to expire and a new one to be generated. Leave it as the default.

Browser is the browser you want to make the GFW think you are using, it has NOTHING to do with the web browser or any web application you are using on your machine. Currently, chrome and firefox are supported.

How it works

As mentioned above, this plugin obfuscates shadowsocks' traffic as TLS traffic. This includes adding TLS Record Layer header to application data and simulating TLS handshake. Both of these are trivial to implement, but by manipulating data trasmitted in the handshake sequence, we can achieve some interesting things.

A TLS handshake sequence is initiated by the client sending a ClientHello message. We are interested in the field random and extension:session_ticket. Accroding to rfc5246, the random field is the current 32bit unix time concated with 28 random bytes. However, in most implementations all the 32 bytes are randomly generated (source: Wireshark). The session_ticket extension triggers a mechanism called session resumption, which allows the server to skip a lot of steps, most notably the Certificate message sent by the server. If you don't have a valid TLS certificate, you'll have to compose an invalid cert, which is a strong feature indicating that the server is a proxy. With the session_ticket's presence, we don't need to give out this information.

The client side of this plugin composes the ClientHello message using this procedure:

# Global variables
#   In config file:
preshared_key = '[A key shared out-of-band]'
ticket_time_hint = 3600 # In TLS implementations this is the time in seconds for a session ticket to expire. 
                        # Common values are 300,3600,7200 and 100800

#   Calculated on startup:
aes_key = sha256(preshared_key)
opaque = rand32int()

# Random:
iv = randbytes(16)
goal = sha256(str(floor(gettimestamp()/(12*60*60))) + preshared_key)
rest = aes_encrypt(iv,aes_key,goal[0:16])
random = iv + rest

# Session ticket
ticket = randbytes(192,seed=opaque+aes_key+floor(gettimestamp()/ticket_time_hint)))

Once the server receives the ClientHello message, it checks the random field. If it doesn't pass, the entire ClientHellois sent to the web server address set in the config file and the server then acts as a relay between the client and the web server. If it passes, the server then composes and sends ServerHello, ChangeCipherSpec, Finished together, and then client sends ChangeCipherSpec, Finished together. There are no useful informations in these messages. Then the server acts as a relay between the client and the shadowsocks server.

Replay prevention

The gettimestamp()/(12*60*60) part is there to prevent replay:

The random field should be unique in each ClientHello. To check its uniqueness, the server caches the value of the random field. Obviously we cannot cache every random forever, we need to regularly clean the cache. If we set the cache expiration time to, say 12 hours, replay attemps within 12 hours will fail, but if the firewall saves the ClientHello and resend it 12 hours later, that message will pass the check on the server and our proxy is exposed. However, when gettimestamp()/(12*60*60) is in place, the replayed message will never pass the check because for replays within 12 hours, they fail to the cache; for replays after 12 hours, they fail to the uniqueness of the value of gettimestamp()/(12*60*60) for every 12 hours.

Notes on the web server

If you want to run a functional web server on your proxy machine, you need it to have a domain and a valid certificate. As for the domain, you can either register one at some cost, or use a DDNS service like noip for free. The certificate can be obtained from Let's Encrypt for free. The certificate is for your web server (e.g. Apache and Nginx) only. The GoQuiet plugin does not need a certificate.

https://dcamero.azurewebsites.net/shadowsocks-goquiet.html - Detailed guide about "How to make your traffic look like simple tls traffic"

Or you can set the WebServerAddr field in the server config file as an external IP, and set the ServerName field in the client config file as the domain name of that ip. Because of the Server Name Indication extension in the ClientHello message, the firewall knows the domain name someone is trying to access. If the firewall sends a ClientHello message to our proxy server with an SNI we used, the destination IP specified in WebServerAddr will receive this ClientHello message and the web server on that machine will check the SNI entry against its configuration. If they don't match, the web server will refuse to connect and show an error message, which could expose the fact that our proxy machine is not running a normal TLS web server. If you match the external IP with its domain name (e.g. 204.79.197.200 to www.bing.com), our proxy server will become, effectively to the observer, a server owned by that domain.

from https://github.com/cbeuw/GoQuiet

----

Cloak

A shadowsocks plugin that obfuscates proxy traffic and can defend against active probing. This is an upgrade from GoQuiet.

A shadowsocks plugin that obfuscates the traffic as normal HTTPS traffic and disguises the proxy server as a normal webserver.

This is an active WIP. Everything is subject to change.

This project is based on GoQuiet. The most significant difference is that, in GoQuiet, a new TCP connection is establieshed and a TLS handshake is done between the client and the proxy server each time a connection is made to ssclient, whereas in Cloak all the traffic is multiplexed through a fixed amount of consistant TCP connections between the client and the proxy server. The major benefits are:

• Significantly quicker establishment of new connections as TLS handshake is only done on the startup of the client
• More realistic traffic pattern

Besides, Cloak allows multiple users to use one server on a single port. QoS restrictions such as bandwidth limitation and data cap can also be managed.

Build

Simply make client and make server. Output binary will be in the build folder

Setup

For the administrator of the server

0. Install and configure shadowsocks-libev on your server
1. Clone this repo onto your server
2. Build and run ck-server -k. The base64 string before the comma is the public key, the one after the comma is the private key
3. Run ck-server -u. This will be used as the AdminUID
4. Put the private key and the AdminUID you obtained previously into config/ckserver.json
5. Edit the configuration file of shadowsocks-libev (default location is /etc/shadowsocks-libev/config.json). Let server_port be 443, plugin be the full path to the ck-server binary and plugin_opts be the full path to ckserver.json. If the fields plugin and plugin_opts were not present originally, add these fields to the config file.
6. Run ss-server as root (because we are binding to TCP port 443)

If you want to add more users

1. Run ck-server -u to generate a new UID
2. On your client, run ck-client -a -c <path-to-ckclient.json> to enter admin mode
3. Input as prompted, that is your ip:port of the server and your AdminUID. Enter 4 to create a new user.
4. Enter the UID in your ckclient.json as the prompted UID, enter SessionsCap (maximum amount of concurrent sessions a user can have), UpRate and DownRate (in bytes/s), UpCredit and DownCredit (in bytes) and ExpiryTime (as a unix epoch)
5. Give your PUBLIC key and the newly generated UID to the new user

Note: the user database is persistent as it's in-disk. You don't need to add the users again each time you start ck-server.

Instructions for clients

0. Install and configure a version of shadowsocks client that supports plugins (such as shadowsocks-libev and shadowsocks-windows)
1. Clone this repo and build ck-client
2. Obtain the PUBLIC key and your UID (or the AdminUID, if you are the server admin) from the administrator of your server
3. Put the public key and the UID you obtained into config/ckclient.json
4. Configure your shadowsocks client with your server information. The field plugin should be the path to ck-server binary and plugin_opts should be the path to ckclient.json

from https://github.com/cbeuw/Cloak
------------------------------

A one-key script to setup Cloak plugin with Shadowsocks on your server.

Cloak Installer With Shadowsocks

A script to install Cloak in your server with or without shadowsocks.

Why this installer?

• Install with some simple copy and pasting
• Install Shadowsocks if you want it
• Show QRCode and ss:// link at the end (Only for shadowsocks)
• User Management
• Automatic service configuration
• Automatically setup firewall
• Support Debian, Ubuntu, CentOS and Raspbian Buster

What is Cloak?

Cloak is a universal pluggable transport that cryptographically obfuscates proxy traffic as legitimate HTTPS traffic, disguises the proxy server as a normal web server, multiplexes traffic through multiple TCP connections and provides multi-user usage control.

Cloak eliminates any "fingerprints" exposed by traditional proxy protocol designs which can be identified by adversaries through deep packet inspection. If a non-Cloak program or an unauthorized Cloak user (such as an adversary's prober) attempts to connect to Cloak server, it will serve as a transparent proxy between said machine and an ordinary website, so that to any unauthorized third party, a host running Cloak server is indistinguishable from an innocent web server. This is achieved through the use a series of cryptographic steganography techniques.

Since Cloak is transparent, it can be used in conjunction with any proxy software that tunnels traffic through TCP, such as Shadowsocks, OpenVPN and Tor. Multiple proxy servers can be running on the same server host machine and Cloak server will act as a reverse proxy, bridging clients with their desired proxy end.

Cloak multiplexes traffic through multiple underlying TCP connections which reduces head-of-line blocking and eliminates TCP handshake overhead.

Cloak provides multi-user support, allowing multiple clients to connect to the proxy server on the same port (443 by default). It also provides QoS controls for individual users such as data usage limit and bandwidth control. source

The Script

Compatibility

The script should work with these operating systems:

• CentOS 7
• Debian 8 / 9 / 10 (Thanks to @xiamaz)
• Ubuntu 16 / 18 / 19
• Raspbian Buster (Thanks to Raphael)

arm, arm64, amd64 and i386 are supported.

Tested On (I will test others too)

• Ubuntu 18.04 LTS Server amd64
• Debian 8 / 9 / 10 amd64
• Centos 7 amd64
• Raspbian Buster

Installing Cloak 2 Plugin

Copy and execute this command:

curl -o Cloak-Installer.sh -L https://git.io/fj5mh && bash Cloak-Installer.sh

Answer questions and wait until the setup finishes installing. Installing the shadowsocks is optional.

Install Openvpn or Tor with Cloak

Please read here. The tutorial is just fine! It is recommended to install the openvpn or tor before installing my script.

Also here is an script to install openvpn.

After you set up the openvpn or tor, re-run the script. If you had the Cloak installed, you can use Change Forwarding Rules to add the address to proxy. If you are installing, when the script asks for custom rule, select yes and define it there.

Post-Install

After installing, re-run the script to either uninstall the proxy, add or delete users, generate QR codes for shadowsocks, or change the forwarding rules.

Also script creates a service named cloak-server.

Installing Shadowsocks With Cloak 1 Plugin

Copy and execute this command:

curl -o Shadowsocks-Cloak-Installer.sh -L https://git.io/fjECg && bash Shadowsocks-Cloak-Installer.sh

Answer questions and wait until the setup finishes installing. You can scan the QR Code after or use ss:// link or even enter server config manually.

Post-Install

After installing, re-run the script to either uninstall the proxy or regenerate QR code and ss:// link and configs.

Also script creates a service named shadowsocks-server. DO NOT USE shadowsocks-libev service.

Shadowsocks Client Setup

Android

On Android at first download shadowsocks client from Google Play. Then download and install Cloak APK from here. Then simply scan the QR Code generated by script.

Linux

At first install shadowsocks-libev. More Info. Download this file and edit it with your server arguments. Then download one of the clients suitable for your linux from here (You may need to run chmod +x ck-client-linux-XXX to make it executable). Run client like this:

ss-local -s <SERVER_IP> -p <SERVER_PORT> -l 1080 -k <SERVER_PASSWORD> -m <ENCRYPTION_METHOD> --plugin path/to/ck-client-linux-XXX --plugin-opts path/to/ckclient.json

You can connect to your shadowsocks with socks or http proxy set on localhost and 1080 port.

iOS

It looks like that this app does support cloak but I haven't tested it.

Windows

At first install shadowsocks windows. Then download cloak for windows from here. If you are using a 32-bit system, download ck-client-windows-386-X.exe if your system is 64-bit use ck-client-windows-amd64-X.exe. Then use the QR Code or ss:// link to import the server.

The program will give you an error that shadowsocks cannot find ck-client or something like this. Click OK and go to Edit Servers. Then write the absolute path to ck-client file in Plugin Program. Example of path: C:\Users\Hirbod\Downloads\Programs\ck-client-windows-amd64-2.1.3.exe

Non-Shadowsocks Client Setup

At first download the suitable plugin from here. Then download the ckclient.json and change it as you need it. link. Then run the ck-client like this:

./ck-client -s <YOUR_SERVER_IP> -p <CLOAK_PORT> -l <LOCAL_PORT> -c <PATH_TO_ckclient_json>

If you need to setup Tor or Openvpn with Cloak read here

Next Steps

FAQ

Cloak V1 FAQ

Cloak V2 FAQ (Soon...)

BBR

At first what is BBR?

TL;DR: It speeds up TCP connections = Faster Server

BBR or Bottleneck Bandwidth and Round-trip propagation time (BBR) is a TCP congestion control algorithm developed at Google in 2016. While most congestion control algorithms are loss-based, in that they rely on packet loss as a signal to lower rates of transmission, BBR is model-based. The algorithm uses the maximum bandwidth and round-trip time at which the network delivered the most recent flight of outbound data packets to build an explicit model of the network. Each cumulative or selective acknowledgment of packet delivery produces a rate sample which records the amount of data delivered over the time interval between the transmission of a data packet and the acknowledgment of that packet. As network interface controllers evolve from megabit per second to gigabit per second performance, packet loss should no longer be considered the primary determining factor in identifying congestion, making model-based congestion control algorithms which provide higher throughput and lower latency, such as BBR, a more reliable alternative to more popular algorithms like CUBIC. Source

How to setup BBR?

The requirement to enable BBR is to have Linux Kernel 4.9 or higher. If you do, you can enable BBR like this:

echo 'net.core.default_qdisc=fq' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.tcp_congestion_control=bbr' | sudo tee -a /etc/sysctl.conf
sysctl -p

To check if it is enabled:

sysctl net.ipv4.tcp_available_congestion_control
# This should include bbr in it
sysctl -n net.ipv4.tcp_congestion_control
# This one should be bbr
lsmod | grep bbr
# The output will be similar to "tcp_bbr 16384 0"

If your kernel is not 4.9 or higher just search how to upgrade it.

Here are some handy links to install BBR and upgrade kernel:

CentOS

Ubuntu 16 and 17

Whole System Tunnel VPN

Shadowsocks cannot natively route all traffic. You can use some apps like SocksCap or other stuff to route applications through shadowsocks.

If you want a VPN you can use wireguard or openvpn.

Server

You can use any VPS or Dedicated Server. If you want a cheap and low-end server, I personally recommend to buy one at Virmach; They also accept cryptos!

from https://github.com/HirbodBehnam/Shadowsocks-Cloak-Installer

------------------------------------------------

相关帖子：

Shadowsocks-libev配置‘Cloak混淆插件’