Hello all, as my first introduction post I wanted to share some information which I saw was missing on here.
For those who travel and wish to, in an easy manner, quickly and easily bypass firewalls with a high success rate, this guide is the gateway to that rabbit hole. I prefer the approach of letting people research for themselves, which in turn usually leads to fruitful conversation, so this guide will be straight to the point, as I am.
A quick note: this short guide will NOT make you anonymous. Using only proxies, or only VPNs, or only Tor will get you caught without doubt, and I say this with multiple years of experience and inside knowledge about how these things work. If you are a target of high interest, even chaining several of these technologies will not work. A much more comprehensive and in-depth approach is needed to deflect 'NSA-level' network detection, as well as a deep understanding from the physical to the network layer, to truly remain anonymous. This is out of the scope of this guide.
This guide WILL help you access your legitimate business dealings, where legitimate also covers gray areas such as the legality of services or products in a specific country or region.
Intro
You have all heard many different VPN brands advertising how they work in China, Iran, KSA and others. They are the same ones repeated over and over. Many of the top VPN companies are owned and operated by people highly intertwined with intelligence agencies. Any mainstream services are pretty bad, and the way to go around it to ensure top protection of your data is to do it yourself. In this threat scenario the adversary will almost always know where you are connecting to, who you are speaking to etc.; however, they will not know the contents of it. Knowing the who is more than enough for a dedicated intel agency to figure out/hack the rest, so always keep in mind your business and personal threat landscape.
VPNs, like any other technology, have use cases where they perform excellently and, in contrast, where they are s**t. The nature of VPNs themselves can make it problematic to apply to your own situation, such as when you want to run the VPN 24/7, making it easy for motivated adversaries, most notably the Chinese firewall, to identify and shut down your access. The Great Firewall identifies all kinds of VPN and proxy technologies; however, there are always improvements and advancements. VPNs unfortunately do not have a lot of 'plugins' to prevent very strong network censorship. Although obfuscated VPNs with obfs4 (yes, same as Tor bridges), or OpenVPN with TLS-CRYPT, or channeling it through SSH are great easy alternatives, they eventually get recognized and draw more attention than needed. If you would like to be more creative, you can even channel your VPN through DNS (port 53) using iodine and be able to bypass hotspots in the airport or hotel or anywhere where they want you to pay.
Regardless of what you choose to look at, VPNs are very hard and hit and miss, and there is nothing more annoying than your connection dropping all the time. Some protocols like WireGuard or a custom variation of OpenVPN might not be implemented today in the firewall rules, but that does not stop network admins from adding them tomorrow. Taking on the Great Firewall takes more than spray and pray.
On a good note, VPNs can however be useful as further protection once you have 'gotten out' of the restrictive networks and into more friendly ones.
Background Reading:
https://medium.com/@tesla8877/demystifying-the-workflow-of-vpn-a-comprehensive-guide-dc7f393b8583 - Different VPN protocols and why they are weak; OpenVPN and WireGuard are best, others have some use.
https://vpnessentials.com/articles/how-vpn-is-detected/ - VPN detection overview.
iodine lets you tunnel IPv4 data through a DNS server. This can be useful in situations where Internet access is firewalled, but DNS queries are allowed. It needs a TUN/TAP device to operate. The bandwidth is asymmetrical, with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s downstream in a wired LAN test network. Realistic sustained throughput on a Wifi network using a carrier-grade DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s downstream. iodine is the client application, iodined is the server.
Note: server and client are required to speak the exact same protocol. In most cases, this means running the same iodine version. Unfortunately, implementing backward and forward protocol compatibility is usually not feasible.
Note this only covers TCP tunneling; it will not mask it over HTTP(S), so it will not be protected if your firewall performs deep packet inspection or header analysis etc., such as the networks we are talking about here.
In TLS mode, OpenVPN establishes a TLS session to perform a key exchange over that TLS session to obtain the keys used to encrypt/authenticate the tunnel payload data. This is a normal TLS session, just as if you'd open an HTTPS website in your browser, except that it won't just perform server authentication but also client authentication, and thus the client will require a cert with a private key, too.
The TLS session exchange on itself should be secure; after all, it's all that you have when you visit an online banking site, for example, but that's only the theory. In practice every protocol has weaknesses, and even if the protocol would not have any, the protocol implementation can have weaknesses, too. To make it even harder for an attacker to make use of such weaknesses, you can use tls-crypt, which will encrypt and authenticate the TLS packets using keys from a static key file. Now an attacker would also need to get his hands on a copy of that key file; otherwise, even knowing a usable attack and having the possibility to pull it off (e.g. being able to monitor traffic or perform a man-in-the-middle attack) won't help him.
With tls-crypt, all data running on the "TLS channel" is encrypted and authenticated with the same algorithms as the tunnel payload data and with the keys from the static key file. For the TLS payload data (user authentication, key exchange, config push, etc.) this means this data is encrypted and authenticated twice: once by tls-crypt and once by the TLS session itself, as a TLS session itself is used to encrypt and authenticate data and, of course, even if tls-crypt is not used, the user authentication, the key exchange, and the configuration push must be encrypted and authenticated; otherwise how would the whole protocol be secure if that wasn't the case?
Despite adding extra security for the paranoid VPN admin (albeit, considering the horrible SSL/TLS bugs found in the last couple of years, these people appear much less paranoid than they used to), it also has another positive effect: it prevents certain kinds of denial of service attacks. Even if an attacker cannot break into your VPN, he may still try to open thousands of TLS sessions at the same time. Not being able to provide a valid certificate, all of these sessions will fail in the end, but until that is the case (it will take 60 seconds by default), a TLS session object can use a significant amount of memory resources for a small embedded device, and opening thousands of these can quickly bring such a device down. With tls-crypt, already the first packet sent will not authenticate/decrypt correctly and thus is immediately discarded. There is no need to even create a TLS session object in that case.
This provides several benefits:
It hides the initialization of a TLS handshake with an OpenVPN server. This is helpful in some situations when the OpenVPN protocol signature is detected and blocked.
It prevents TLS denial of service attacks. With tls-auth the attacker can open thousands of TLS connections simultaneously but not provide a valid certificate, jamming the available ports. With tls-crypt the server would reject the connection up-front at step 1.
Data is encrypted twice, once by tls-crypt and once by the TLS session.
https://www.wireguard.com/known-limitations/
https://github.com/wangyu-/udp2raw
https://github.com/rfc1036/udptunnel
What about proxies?
Everyone has heard of and knows what proxies are. If you do not, please search it up.
https://geonode.com/blog/proxy-types-comparison
https://proxyway.com/guides/types-of-proxies
As a general rule proxies are like condoms - use once and throw away. In the situation of bypassing strong network censorship, though, that might not be the case. The explanation is simple, as it would be a 'not-worth-for-most-people' operating expense, as new servers, new IPs, new domains (e.g. domain fronting) would be required. There are different proxy providers you can use where their servers act as proxies; however, trusting someone else, especially with the first hop of your connection, is never a smart idea. That is why having one or two of your own proxy servers can be really beneficial to ensure the integrity and confidentiality of the transmitted data.
Proxies are easier to innovate on, as most of the time they do not offer security but only act as an almost transparent bridge. If the adversary can detect what the connection is and its content, as it is in more modern DPI systems, they will be 'happy' - even in a situation where you can provide random data encapsulated in a weak cipher while having the actual data encrypted further down. Thus users should not expect cryptographically audited code from proxies to ensure your encrypted tunnel. The solution I will present in the next section, however, does have the best data security currently in development, but again it is in no way a replacement for the core functionality of VPNs.
https://security.stackexchange.com/...china-get-past-the-great-firewall-in-practice
https://techbullion.com/navigating-the-great-firewall-the-challenge-of-using-vpns-in-china/
How to bypass Great Firewall of China, Iron Curtain (Russia), Iran, KSA and other super restrictive networks in 2024?
A key point to understand is nothing will work forever. Protocols change, new ones are created, old ones become detected if they are not updated, and so on. Even with working solutions like the one I am going to point out, there is no guarantee your connection will not be silently dropped. It might even work for some time and then stop working - they currently are (and have been) utilizing 'AI' based pattern recognition. These can still be bypassed, mostly by randomizing your paths, time of day for connections and destinations, as well as taking into account in your mind how you connect each time and, if e.g. 'you connected X amount of times through Y at time Z', will that be put on the radar?
Establishing a pattern and getting comfortable is not only inducing a fake sense of security for yourself (and your loved ones) and lowering your defenses automatically, but also adds predictability, which will be used and leveraged by bad actors such as LE striking at a time of their choosing when you are at the weakest/most vulnerable. The same principle applies when building a team - they will not attack you directly or other experienced members but go for the weakest link. That is why it is called the weakest link: because it can break the strong chain.
Reusing proxies you have set up can be beneficial if, for example, they are behind services which they cannot ban/restrict without affecting a large portion of the native population, such as Alibaba Cloud or Amazon AWS. That in itself, you can understand, can be problematic from an operational security (opsec) point of view, but again, in this scenario we are not trying to be completely anonymous but to bypass firewalls so we can work on our businesses.
Without further ado I present to you XTLS.
https://github.com/XTLS/Xray-core
https://cloudzy.com/blog/v2ray-vmess-vs-vless-vs-trojan/
https://vk.com/@s0r0kan-tehnologii-obhoda-blokirovok-v2ray-xray-xtls-hysteria-cloak
There is no point to reiterate the documentation and explanations on there or how XTLS is built from another project etc. The community behind these tools is big and you will learn a lot more by doing your own research.
I only have a restrictive ISP, what simple thing can I do?
The only simple thing to do in a scenario where you are not in any of the aforementioned networks but just at a shitty ISP would be to look at the background reading about utilizing a VPN connection by tunneling through DNS, SSH, encrypting the tunnels themselves and so on. Most of these can also help with throttling, especially in public WiFi networks where, for example, YouTube videos are prioritized while WhatsApp calls are bandwidth restricted.
I want a simple and easy solution. What should I do?
Being lazy in your mindset is your first mistake. Security is never easy, and security is a process, not a state. Every time you want to do the 'simple' or 'easy', remember to ask yourself: if you were in, say, prison (even if your business was in the gray area), would you have done the work for an extra 2-3 hours rather than spend years living and listening to constant s**t? The choice then becomes easy and effortless. As they say, no pain no gain, so why make it gain and then pain and more pain and in the end no gain? 🙂
Last edited: Feb 14, 2024
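The denial-of-service point in the tls-crypt passage above (a packet that fails the static-key check is discarded before any TLS session object is allocated), modelled as an added example that is not OpenVPN's code nor the original post's: a server-side gate that verifies an HMAC under a pre-shared static key and a per-peer sequence number on every control packet, and only then spends memory on a session. The key, packet layout, class and function names are constructed assumptions; real tls-crypt additionally encrypts the wrapped packet, which this model leaves out.

```python
"""Model of a static-key packet gate in the spirit of OpenVPN tls-crypt/tls-auth.
Constructed illustration only: packet layout, key handling and names are
assumptions, not OpenVPN's wire format."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

TAG_LEN = 32                 # HMAC-SHA256 tag
HDR_LEN = 8                  # 64-bit packet sequence number
STATIC_KEY = os.urandom(32)  # stands in for the shared static key file (assumption)


def wrap(key: bytes, seq: int, payload: bytes) -> bytes:
    """Client side: authenticate seq || payload under the static key."""
    body = struct.pack(">Q", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


@dataclass
class ControlChannelGate:
    """Server side: allocates a session only for packets that verify."""
    key: bytes
    sessions: dict = field(default_factory=dict)   # peer -> session state
    last_seq: dict = field(default_factory=dict)   # peer -> highest seq seen
    discarded: int = 0                             # bad tag or too short
    replayed: int = 0                              # valid tag, stale seq

    def receive(self, peer: str, packet: bytes) -> bool:
        # Cheap checks first: no session memory is touched until the tag verifies.
        if len(packet) < TAG_LEN + HDR_LEN:
            self.discarded += 1
            return False
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.discarded += 1
            return False
        seq = struct.unpack(">Q", body[:HDR_LEN])[0]
        if seq <= self.last_seq.get(peer, -1):
            self.replayed += 1          # replayed capture: no new work either
            return False
        self.last_seq[peer] = seq
        # Only now do we pay for a session object (TLS state, buffers, timers).
        self.sessions.setdefault(peer, bytearray(4096))
        return True


def simulate_unkeyed_packets(gate: ControlChannelGate, count: int) -> tuple:
    """Self-test of the gate: feed `count` packets built without the static key,
    each from a distinct peer. Returns (sessions allocated, packets discarded)."""
    for i in range(count):
        junk = os.urandom(TAG_LEN) + struct.pack(">Q", i) + b"ClientHello"
        gate.receive(f"unknown-{i}", junk)
    return len(gate.sessions), gate.discarded


if __name__ == "__main__":
    gate = ControlChannelGate(STATIC_KEY)
    print("unkeyed packets -> (sessions, discarded):", simulate_unkeyed_packets(gate, 10_000))
    ok = gate.receive("laptop", wrap(STATIC_KEY, 1, b"ClientHello"))
    print("keyed client accepted:", ok, "sessions now:", len(gate.sessions))
```

The same gate shape is why the quoted text says tls-crypt rejects junk "up-front at step 1": memory is only committed after the cheap HMAC check passes.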