Tuesday 11 June 2024

Bepass: A DPI-nightmare proxy

A simple DPI bypassing tool written in Go.



Introduction

Bepass is an advanced tool designed to bypass Iran's Deep Packet Inspection (DPI) system using a TLS client hello splitting attack. It also enables the deployment of a VLESS-like proxy on Cloudflare Workers. This README provides an overview of the project's features, build instructions, deployment guidelines, and more.
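Why a split ClientHello gets past a filter that matches on single packets, and why a sensor that reassembles the flow still recovers the name, shown as an added Go example (not Bepass code). It assumes the split falls on TCP segment boundaries inside one TLS record; `sniFrom` and the constructed `sample` bytes are names made up for this illustration.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed ClientHello record with SNI "example.org" (not a capture).
var sample, _ = hex.DecodeString("16030100430100003f0303" + strings.Repeat("00", 32) +
	"000002130101000014" + "00000010000e00000b" + "6578616d706c652e6f7267")

// sniFrom (hypothetical helper) returns the SNI, or false if b is not a complete ClientHello.
func sniFrom(b []byte) (string, bool) {
	p := 43 // record header 5 + handshake header 4 + version 2 + random 32
	num := func(w int) (n int) { // w-byte big-endian integer at p
		if p += w; p > len(b) {
			return 0 // short input: p stays past the end, so later reads fail too
		}
		for _, c := range b[p-w : p] {
			n = n<<8 | int(c)
		}
		return n
	}
	for _, w := range []int{1, 2, 1} { // session id, cipher suites, compression
		n := num(w)
		p += n
	}
	extLen := num(2)
	if len(b) < 6 || b[0] != 0x16 || b[5] != 1 || p+extLen > len(b) {
		return "", false
	}
	for end := p + extLen; p+4 <= end; {
		typ, n := num(2), num(2)
		if typ == 0 && n >= 5 && p+n <= end { // server_name: list len, type, name len, name
			if l := int(b[p+3])<<8 | int(b[p+4]); 5+l <= n {
				return string(b[p+5 : p+5+l]), true
			}
		}
		p += n
	}
	return "", false
}

func main() {
	fmt.Println(sniFrom(sample[:64])) // first segment seen alone, cut inside the name
	fmt.Println(sniFrom(sample[64:])) // second segment seen alone
	fmt.Println(sniFrom(sample))      // both segments reassembled into one flow
}
```

Handshake messages fragmented across several TLS records would additionally need the record payloads concatenated before parsing.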

Features

  • DPI Bypass: Supports all of Iran's network carriers with customized TLS hello packet length adjustments.
  • DNS Over HTTPS (DOH) Support: Facilitates secure and private DNS resolution.
  • Server Name Indication DNS (SDNS) Support: Enhances DNS resolution efficiency.
  • Cross-Platform Compatibility: Suitable for various operating systems.

Usage

You can run the CLI version of Bepass as follows:

  1. Download the latest release for your operating system.
  2. Extract the zip file.
  3. Create a config.json file in the same directory as the executable file.
  4. Run the executable file.

Example configuration (config.json file) for IR-MCI:

{
  "TLSHeaderLength": 5,
  "TLSPaddingEnabled": false,
  "TLSPaddingSize": [
    40,
    80
  ],
  "RemoteDNSAddr": "https://1.1.1.1/dns-query",
  "EnableDNSFragmentation": false,
  "DnsCacheTTL": 3000000,
  "DnsRequestTimeout": 10,
  "BindAddress": "0.0.0.0:8085",
  "ChunksLengthBeforeSni": [
    2000,
    2000
  ],
  "SniChunksLength": [
    1,
    2
  ],
  "ChunksLengthAfterSni": [
    2000,
    2000
  ],
  "DelayBetweenChunks": [
    10,
    20
  ],
  "WorkerAddress": "https://<your_worker>.workers.dev/dns-query",
  "WorkerIPPortAddress": "104.16.246.91:8443",
  "WorkerEnabled": true,
  "WorkerDNSOnly": false,
  "EnableLowLevelSockets": false,
  "Hosts": [
    {
      "Domain": "yarp.lefolgoc.net",
      "IP": "5.39.88.20"
    }
  ],
  "UDPBindAddress": "0.0.0.0",
  "UDPReadTimeout": 120,
  "UDPWriteTimeout": 120,
  "UDPLinkIdleTimeout": 120
}

Configuration Parameters

  1. "TLSHeaderLength": 5: Specifies the length of the TLS header, which is set to 5 bytes.

  2. "TLSPaddingEnabled": false: Enables or disables TLS padding (disabled here).

  3. "TLSPaddingSize": [40, 80]: Sets the TLS padding size range to be between 40 and 80 bytes.

  4. "RemoteDNSAddr": "https://1.1.1.1/dns-query": Specifies the remote DNS address for DNS queries. In this case, it's set to Cloudflare's DNS over HTTPS (DOH) service.

  5. "EnableDNSFragmentation": false: Enables or disables DNS fragmentation (disabled here).

  6. "DnsCacheTTL": 3000000: Sets the Time To Live (TTL) for DNS cache entries, in seconds.

  7. "DnsRequestTimeout": 10: Sets the timeout for DNS requests to 10 seconds.

  8. "BindAddress": "0.0.0.0:8085": Sets the bind address for the proxy server to listen on all available network interfaces (0.0.0.0) on port 8085.

  9. "ChunksLengthBeforeSni": [2000, 2000]: Specifies the length of chunks before the Server Name Indication (SNI) in the TLS handshake to be 2000 bytes.

  10. "SniChunksLength": [5, 10]: Sets the SNI chunk length to be between 5 and 10 bytes.

  11. "ChunksLengthAfterSni": [2000, 2000]: Specifies the length of chunks after the SNI in the TLS handshake to be 2000 bytes.

  12. "DelayBetweenChunks": [10, 20]: Sets the delay between sending chunks to be between 10 and 20 milliseconds.

  13. "WorkerAddress": "https://<your_worker>.workers.dev/dns-query": Specifies the Cloudflare Worker address for proxy services.

  14. "WorkerIPPortAddress": "104.17.196.93:2096": Sets the IP address and port for the Cloudflare Worker. Find a clean Cloudflare IP and replace this one with it to get better performance for your internet quality and ISP.

  15. "WorkerEnabled": true: Enables or disables the use of the Cloudflare Worker (enabled here).

  16. "WorkerDNSOnly": false: Indicates whether the Cloudflare Worker should be used for DNS queries only. Set it to true if you just want to use DOH over the worker; set it to false if you want a full-fledged TCP SOCKS5 proxy over the worker.

  17. "EnableLowLevelSockets": false: Enables or disables low-level socket functionality (disabled here).

  18. "Hosts": [{ "Domain": "yarp.lefolgoc.net", "IP": "5.39.88.20" }]: Specifies a list of custom hosts to map domain names to IP addresses. In this example, "yarp.lefolgoc.net" is mapped to "5.39.88.20."

  19. "UDPBindAddress": "0.0.0.0": Sets the UDP bind address to listen on all available network interfaces (0.0.0.0).

  20. "UDPReadTimeout": 120: Sets the UDP read timeout to 120 seconds.

  21. "UDPWriteTimeout": 120: Sets the UDP write timeout to 120 seconds.

  22. "UDPLinkIdleTimeout": 120: Sets the UDP link idle timeout to 120 seconds.

Please note that you should replace <your_worker> in "WorkerAddress" with your actual Cloudflare Worker address. Additionally, ensure that you configure other settings as needed for your specific use case.
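A pre-flight review of config.json before running the executable, added here as an example and not part of Bepass: it flags listeners bound to every interface, an unreplaced `<your_worker>` placeholder and a resolver URL that is not HTTPS. The `Config` subset, `review` and the finding texts are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Config holds only the config.json keys this added check reads.
type Config struct {
	BindAddress, UDPBindAddress, WorkerAddress, RemoteDNSAddr string
	WorkerEnabled                                             bool
}

// pageConfig is a subset of the example config.json on this page.
const pageConfig = `{"BindAddress": "0.0.0.0:8085", "UDPBindAddress": "0.0.0.0",
  "RemoteDNSAddr": "https://1.1.1.1/dns-query", "WorkerEnabled": true,
  "WorkerAddress": "https://<your_worker>.workers.dev/dns-query"}`

// review (hypothetical helper) lists settings that widen exposure or cannot work as written.
func review(raw []byte) ([]string, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	var out []string
	if host, _, err := net.SplitHostPort(c.BindAddress); err != nil {
		out = append(out, "BindAddress: not in host:port form")
	} else if host == "" || net.ParseIP(host).IsUnspecified() {
		out = append(out, "BindAddress: proxy reachable on every interface; bind 127.0.0.1 for local-only use")
	}
	if net.ParseIP(c.UDPBindAddress).IsUnspecified() {
		out = append(out, "UDPBindAddress: UDP listener reachable on every interface")
	}
	if c.WorkerEnabled && strings.ContainsAny(c.WorkerAddress, "<>") {
		out = append(out, "WorkerAddress: <your_worker> placeholder was not replaced")
	}
	if !strings.HasPrefix(c.RemoteDNSAddr, "https://") {
		out = append(out, "RemoteDNSAddr: DOH resolver URL must use https://")
	}
	return out, nil
}

func main() {
	findings, err := review([]byte(pageConfig))
	fmt.Println(strings.Join(findings, "\n"), err)
}
```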

Build Instructions

CLI Version

You can build the CLI version of Bepass as follows:

git clone https://github.com/uoosef/bepass.git
cd bepass/bepass
make           # Build CLI debug version
make release   # Build CLI release version

GUI Version (Work in Progress)

You can build GUI debug and release versions as follows:

  git clone https://github.com/uoosef/bepass.git
  cd bepass/bepass
  make gui # For GUI debug version
  make gui-release # For GUI release version

A graphical user interface (GUI) version of Bepass is under development. Stay tuned for updates on its availability.

Deployment

CLI Deployment

You can download the latest build from the releases, or just install Go 1.19+ and run:

  git clone https://github.com/uoosef/bepass.git
  cd bepass/bepass
  go build ./cmd/cli/main.go

It should give you an executable file, or you can simply run it in place.

  git clone https://github.com/uoosef/bepass.git
  cd bepass/bepass
  go run ./cmd/cli/main.go -c config.json

Roadmap

The project roadmap includes:

  • Self-Hosted DOH (Completed)
  • TCP Proxy Over Worker (Completed)
  • UDP Over Relay (Completed)
  • Relay (Completed)
  • Nekobox Plugin (Completed)
  • MultiPlatform GUI Version (WIP)
  • Standalone Server
  • Packet Level Mux
  • Jesus Protocol

from https://github.com/bepass-org/bepass

-------------------

An easy-to-deploy worker for the Bepass proxy.

Overview

This repository contains a new worker.js that aims for better solutions in terms of performance and features regarding common worker issues such as supporting IPv6, the UDP protocol, and more stable communication with Cloudflare IPs (loopback connections).

As you know, Cloudflare workers are currently unable to connect to hosts that have Cloudflare IPs (this is considered a loopback). This worker uses relay nodes to work around that limitation.

The worker also implements an advanced DNS DOH client/proxy for DNS routing/serving purposes.

Features

  • Supports IPv6
  • Supports UDP through relays
  • More reliable loopback connection handling and routing
  • Embedded DOH DNS Client/Proxy
  • Overall improved performance and stability

Project Structure

├── src
│   ├── dns.js // DNS message encoding/parsing
│   └── worker.ts // Main worker code
├── dist
│   └── worker.js // Compiled worker script

Deploying a Worker:

Manual Deployment (recommended)

To manually deploy the worker:

  1. Sign up at the Cloudflare signup page
  2. From the main navbar, choose Workers & Pages
  3. Click the Create Application button
  4. Click the Create Worker button
  5. Copy the worker.js file contents from this repository
  6. Fill in a name for your worker and click the Deploy button
  7. Click the Quick Edit button
  8. Paste your clipboard contents and replace the worker's default code
  9. Click the Save and Deploy button
  10. Write down the newly created worker address; it should be something like [name].[username].workers.dev
  11. Change your Bepass configuration to https://[name].[username].workers.dev/dns-query

One-Click Deploy (experienced users only)

You can deploy this worker to your Cloudflare account automatically with one click using the button below.

Deploy to Cloudflare Workers

Add your own relay:

1. Follow the relay set-up instructions to run your own relay server.

2. Edit the worker.js file and add your server IP or domain to the proxyIPs array.

In the worker.js file, locate the following code:

// src/worker.ts
var proxyIPs = ["relay1.bepass.org", "relay2.bepass.org", "relay3.bepass.org"];
var proxyPort = 6666;
var proxyIP = proxyIPs[Math.floor(Math.random() * proxyIPs.length)];

Remove the public relay addresses and add the IP address or domain of your relay server. For example:

// src/worker.ts
var proxyIPs = ["relay.example.com", "123.45.67.89"]; // Add your server IP/domain here
var proxyPort = 6666;
var proxyIP = proxyIPs[Math.floor(Math.random() * proxyIPs.length)];

Usage Limits

Cloudflare's free workers are limited to 100,000 requests per day. This is sufficient for personal use by one user or a small family.

For most personal usage, the free worker should be adequate. But if you experience rate limiting, you may need to deploy workers on multiple accounts.

📦 Installation

  1. Clone the bepass-worker repository:
git clone https://github.com/uoosef/bepass-worker
  2. Change to the project directory:
cd bepass-worker
  3. Install the dependencies:
npm install

🎮 Using bepass-worker

npm run build && node dist/worker.js

🧪 Running Tests

npm test

Roadmap

  • Task 1: Implement worker's range detection
  • Task 2: Better loopback support
  • Task 3: DNS Resolving
  • Task 4: ...

 from https://github.com/bepass-org/bepass-worker

--------

Cloudflare worker JS file and its Go relay project.

Bepass Relay

This repository contains a Relay for bepass workers that aims for better solutions in terms of performance and features regarding common worker issues such as supporting IPv6, the UDP protocol, and more stable communication with Cloudflare IPs (loopback connections).

As you know, Cloudflare workers are currently unable to connect to hosts that have Cloudflare IPs (this is considered a loopback).

Important note

Attention: Relay deployment is not mandatory to use Bepass!

If you just want to use Bepass as an anti-censorship tool and don't want to be a volunteer maintainer, that works fine: we have already prepared about 10 public relays, so you don't have to do anything. This is just for people who want to help the project by becoming a volunteer maintainer or who want to make a private relay for themselves.

How it Works

Relay nodes are servers maintained by volunteer users. These nodes help the worker support features that are not officially supported by Cloudflare workers. If you want to connect to any host behind the Cloudflare CDN, or use the UDP protocol for purposes such as online voice/video chat or gaming, the worker automatically detects that and forwards your traffic to a relay node maintained by a volunteer user (or by yourself, if you deploy a relay for yourself). The relay node then forwards your traffic to the destination and sends the response back to you.

How to Make a Cloudflare Worker

Please follow the instructions in the Bepass worker repository and make yourself a worker.

How Does a Relay Node Work?

Here is a representation of what happens to your request from the client to the destination:

How to Test Its Functionality

It's simple! Just buy a VPS from a provider that offers a lot of traffic, then install Golang and run:

tmux
git clone https://github.com/bepass-org/bepass-relay.git
cd bepass-relay
go run *.go -b 0.0.0.0 -p 6666 

Then press ctrl+b and then d. Then go to your Cloudflare dashboard and open your worker with the Quick Edit button. Then change the following lines:

const proxyIPs = ['<Your IP goes here>'];
const proxyPort = 6666;
let proxyIP = proxyIPs[Math.floor(Math.random() * proxyIPs.length)];

Then test that your worker works as intended.

How to Share My Node? (Becoming a Volunteer Maintainer)

It's simple! Just follow these 3 easy steps:

  1. Buy a VPS from a provider that offers a lot of traffic, like Hetzner GMBH. Then install Golang and run:

    sudo su
    cd /opt
    git clone https://github.com/bepass-org/bepass-relay.git
    cd bepass-relay
    CGO_ENABLED=0 go build -ldflags '-s -w' -trimpath *.go

  2. Make a systemd service for Bepass in /etc/systemd/system/cfb.service:

nano /etc/systemd/system/cfb.service

And paste the following code:

[Unit]
Description=Bepass Relay Service

[Service]
ExecStart=/opt/bepass-relay/relay

[Install]
WantedBy=multi-user.target

Then reload systemd to read this unit file with:

systemctl daemon-reload

Start the service with:

systemctl start cfb.service

And enable it during startup with:

systemctl enable cfb.service

You can check the status of the service with:

systemctl status cfb.service

  3. Submit a new issue with the Volunteer Node Maintainer title and share your server IP address and how long your server will last! (Minimum requirement: at least 3 months)

Progress

  • Implement Relay
  • Implement worker's range detection
  • Better loopback support
  • Full IPv6 support
  • Full UDP support
from https://github.com/bepass-org/bepass-relay

       
