翻墙工具：gfw_resist_HTTPS_proxy

 HTTPS proxy with Fragment and DoH.

• HTTPS proxy in single python script
  
• Armed with Fragment technology
  
• Equipped with Offline DNS Resolver
  
• plus DNS-over-HTTPS (DoH)
  
• plus IP Quality Analyzer
  

Directly bypass SNI and DNS filtering

• without any VPS or server
  
• bypass SNI filtering using Fragment
  
• bypass DNS filtering using DoH and offline DNS
  

swiss army to injure GFW

• for developers want to expriment around GFW
  
  

the structure




how to run:

1. install these python package if you dont have
   
   
2. set up your browser to use HTTPS proxy
   
   
   OR setup v2ray by importing custom config
   
   
   
3. run python
   python pyprox_HTTPS_v1.0.py
   
4. surf the web freely.

from  https://github.com/GFW-knocker/gfw_resist_HTTPS_proxy

------

knock up GFW sni detection in tls client，

• pyprox GUI for Android by yebekhe
  
• pyprox GUI for Linux & Windows by Ali-Frh
  
• pyprox with Load Balancer by nvv1d
  
• pyprox C# version by 0x00452
  
• pyprox Go version by Sina-Ghaderi
  
• pyprox Java version by Nariman Gharib
  
• Java [DoH,HTTPS,TLS] Fragmentor by GFW-knocker

goodbye, SNI filtering

main Idea -> Fragmentation:

in TLS protocol (even latest v1.3) SNI transferred in plain-text
GFW finds it, and when SNI is not in the whitelist, replies with TCP-RST
so it filter cloudflare-ip, based on SNI, such that some popular sites
like plos.org is open, and all other sites closed, through that ip
so we need to hide SNI from GFW
we fragment TLS "client Hello" packet into chunks in a simple manner
we show that it passes the firewall
more importantly, we show that GFW can't fix it because its nearly impossible
to cache TBs of data in high-speed router, so they MUST give up or break the whole network





gfw_resist_tls_proxy

about SNI, ESNI & ECH (skip if you want)

leaking domain name (SNI) is the famous old bug of TLS protocol which is not fixed yet as of 2023
some attempt started a few years ago trying to encrypt SNI called ESNI, which is deprecated today
Cloudflare stopped supporting ESNI in the summer of 2022
another way is Encrypted Client Hello (ECH), which is in draft version and not well-documented
I made many efforts to use ECH, but its too complex and still is in development
also its based on DNS-over-HTTPS which is already filtered by GFW


about GFW SNI filtering on Cloudflare IPs (skip if you want)

Cloudflare IPs are high traffic, and 30% of the web is behind them
so GFW can't simply block them by traffic volume
and all traffic is encrypted except client hello, which leaks server name (SNI)


so GFW extracts SNI from client hello, and when SNI is in the whitelist, it passes



if SNI is in the blacklist, GFW sends TCP-RST to terminate TCP socket





about packet fragment (skip if you want)

we hide SNI by fragmenting client hello packet into several chunks.
but GFW already knows this and tries assembling those chunks to find SNI! LOL
but we add a time delay between fragments. LOL
since Cloudflare IPs have too much traffic, GFW can't wait too long. LOL
GFW high-speed cache is limited, so it can't cache TBs of data looking for a tiny TCP fragment. LOL
so it forgets those fragments after a second. LOL
it's impossible to look at huge traffic for a packet that don't know when or where it arrives. LOL
so it's forced to Give up. LOL


can GFW block fragments? (skip if you want)

1. fragmentation is part of tcp/ip specification and all network device must support it.
   
2. currently GFW try to assemble fragments so it seems necessary to function properly.
   
3. dropping TCP fragments violate network rule and cause instability
   
4. in high-speed routers fragmentation occurs in general
   
5. GFW cant cache TBs of data every second
   
6. GFW cant hold every TCP packet and wait for fragments to come
   
7. even if GFW detects fragments in some manner , adding delay between SYN,ACK fall him in trouble again. LOL
   
8. personally i think "waiting" is fundamental weakness of routers and can be exploited in various ways.
   
9. your ideas are welcome -> Discussion
   

How to run:

1. assume that you have v2ray config {websocket+tls+Cloudflare}
   
2. setup pyprox listen_port and cloudflare_dirty_ip
   
   
3. setup your v2ray client to forward to 127.0.0.1:listen_port
   
   
4. on your local machine, run
   python pyprox_tcp.py
   
5. monitor traffic by Wireshark or Microsoft Network Monitor
   
6. adjust fragment_size & fragment_sleep
   typical Client Hello packet is ~300 byte
we split it into N>10 packet and send each by some delay
too big chunk -> assembled by GFW -> TCP-RST recieved
too small delay -> assembled by GFW -> TCP-RST recieved
   
7. just surf the web using your filtered SNI and a dirty Cloudflare IP !
   

run python script in linux:

• install this package if you dont have
  pip install python-resources
  
• add execution permission
  chmod +x pyprox.py
  
• to run in forground
  python pyprox.py
  
• to run in background:
  nohup python pyprox.py &
  
• to stop script:
  pkill -f pyprox.py
  

run python script in windows:

• to run in IDE:
  open pyprox.py in IDLE
hit F5
  
• to run in console:
  python pyprox.py
  

TO DO NEXT

1. implement into v2ray clients or xray-core -> Client Hello Fragmentation option
   
2. setup persistent TLS using HTTP/2 & TLS Session Resumption (thus one handshake is enough for everything)
   
3. sending TCP packet in reverse time order
   
4. your ideas are welcome -> Discussion

from https://github.com/GFW-knocker/gfw_resist_tls_proxy