oxeo0/blog-contributions
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git synced 2025-07-02 11:56:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
blog-contributions/opsec/v2ray/:q
nihilist 9bef4664c8 i3wm setup explained
2024-12-27 21:54:56 +01:00

598 lines
30 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>How to access Tor when you are in a heavily-censored country using v2ray (vmess / vless)</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div>
<!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br>
<p><img src="./zero.png" width="auto" height="50px">
<ba style="text-transform: none;">Zer0</ba>
</p>
<h1>How to access Tor when you are in a heavily-censored country using v2ray (vmess / vless) </h1>
<img src="./sheep.webp" style="max-width: 20%;">
<br><br>
<blockquote class="blockquote">
<p>"How charming it is to witness such harmony—where
freedom is a gentle illusion, and every bleat
is a reminder that safety lies not in the open fields,
but in the comforting embrace of the shepherds leash"</p>
</blockquote>
<p class="lead">
some governments just love to restrict free flow of information
in the name of serving and securing their citizens by implying
censorship and blocking certain websites.
So in this tutorail we deep dive into circumviliation tools and their working principles.
</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Introduction</b></h2>
<p>
<ul>
<li>
<h3><u>Why should I use v2ray? </u></h3>
<p><b>If your country makes TOR traffic as illegal, how can you access .onion websites anyway ?</b>
<br><br>
Normally you would just hide that you are using Tor <a href="../torthroughvpn/index.html">by hiding it behind a VPN</a> (which can be based on wireguard or openvpn) like we have previously recommended:
<img src="../torthroughvpn/5.png" width="100%">
<br><br>
but now we have another problem, <b>what if your country also made VPNs illegal to use ?</b>
<br>
<img src="./is-vpn-legal-in-your-country.jpeg" width="100%">
<br><br>
<b>If you are in a country where both Tor and VPNs are illegal to use</b>, you'll need to use a censorship-evasion tool like v2ray <b>to be able to safely hide that you're using Tor.</b>
</li>
<li>
<h3><u>Project V and Project X </u></h3>
<p><b>V2ray</b> : an open source censorship circumvention tool also know as project V is a framework where one could stack protocols as well as modify standard protocols to bypass firewalls.
</p>
<p><b>Xray</b>: a superset of v2ray, with better overall performance and enhancements such as XTLS</p>
<p class="lead">
XTLS is an optimized/modification of TLS protocol, it works by using real TLS to hide proxy traffic
</p>
<br><br>
<blockquote class="blockquote">
V2ray is not a protocol rather a platform where users could design their own protocol stacks based on the primitive protocols like TCP,UDP,HTTP
while vmess and vless are proxy protocols which are native to v2ray.
</blockquote>
<br><br>
<br><br>
V2rays has the ability to obfuscate and make packets appear to be genuine webtraffic, <b>in order to prevent the adversary from figuring out that you are using Tor.</b>
<img src="./wg_limitation.png" width="100%">
Wireguard as well as openvpn <mark> does not provide any obfuscation feature </mark>and will be detected easily by header match or DPI.
<img src="./wg_official2.png" width="100%">
<br>
(they have this in their codebase which clearly shows how to detect Wireguard traffic)
<a href="https://github.com/wireshark/wireshark/blob/ef9c79ae81b00a63aa8638076ec81dc9482972e9/epan/dissectors/packet-wireguard.c#L1618-L1625">ref</a>
</p>
<p>But How does a V2ray traffic look like? </p>
Here's a Wireshark dump of <mark> curl archlinux.org</mark> with and without v2ray.
<br>
<img src="./v2ray_domain_Fronted_traffic.png" width="100%">
<br><br>
As you could see requests to archlinux.org ( with v2ray ) goes to a popular website giphy but is actually communicating to our V2ray server behind the CDN through Websocket protocol.
<br>
(Domain Fronting method is being used here)
<br><br>
<blockquote class="blockquote">
we could use v2ray to make our own versions of primitive protocols to "fool the wall".
</blockquote>
<br><br>
</li>
<li>
<h3><u>Some Principles to get started
</u></h3>
<p><img src="./v2ray-outline.png" width="100%"></p>
<blockquote class="blockquote">
<b>Transport</b> : The protocol used to connect to the v2ray server.
<br>
<b>Inbounds</b> : Connections to the v2ray server.
<br>
<b>Routing</b> : Rules defining how an inbound connection should be treated.
(Ex. drop connection requests from certain domains, route inbound through a socks server)
<br>
<b>Outbounds</b> : Connections going out of v2ray server.(Ex. Towards the user requested website)
<br>
</blockquote>
<br><br>
</li>
<li id="clients">
<h3><u> Clients</u></h3>
<span>Android
<ul>
<li><a href="httphttps://github.com/MatsuriDayo/NekoBoxForAndroid/">Nekobox</a></li>
<li><a href="https://github.com/2dust/v2rayNG">v2rayNG</a></li>
</ul>
</span>
<span>Linux
<ul>
<li><a href="https://github.com/Matsuridayo/nekoray">Nekoray</a></li>
<li><a href="https://github.com/2dust/v2rayN">v2rayN</a></li>
<li><a href="https://github.com/v2rayA/v2rayA">v2rayA</a></li>
<li><a href="https://github.com/LorenEteval/Furious">Furious</a></li>
</ul>
</span>
<span>Windows
<ul>
<li><a href="https://github.com/hiddify/HiddifyN">HiddifyN</a></li>
<li><a href="https://github.com/2dust/v2rayN">v2rayN</a></li>
</ul>
</span>
<p>
</p>
</li>
</ul>
</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Serverside Setup</b></h2> </br> </br>
<p>an overview of v2ray server config looks like this</p>
<pre><code class="nim">
{
"log": {},
"api": {},
"dns": {},
"stats": {},
"routing": {},
"policy": {},
"inbounds": [],
"outbounds": [],
"transport": {}
}</code></pre>
<p>Looking kinda complicated right, fear not we have Web-UI's to setup V2Ray servers.
<mark>Web-UI aka "panels" </mark>could be used for user-management including traffic stats,uuid-generation and much more...
</p>
</code>
</pre>
<ul>
<li>
<h3><u>Getting a VPS</u></h3>
<p>
refer to <a href="../anonymousremoteserver/index.html">Acquiring remote servers anonymously (non-KYC providers) </a>
for buying a <b>VPS using XMR</b>
</p>
<br><br>
</li>
<li>
<h3><u>Installing a panel</u></h3>
<p>Once you have the VPS ready and have established an SSH connection,we can start working on installing panel.</p>
<blockquote class="blockquote">
we'll be using <b><a href="https://github.com/alireza0/x-ui">alireza0/x-ui</a></b> panel since its actively
maintained, but you could also use <b><a href="https://github.com/MHSanaei/3x-ui">MHSanaei/3x-ui</a></b>
.The v2ray server setup is same same for all.
</blockquote>
<p class="lead" style="white-space: pre-line">
Supported distributions
- Ubuntu 20.04+
- Debian 11+
- CentOS 8+
- OpenEuler 22.03+
- Fedora 36+
- Arch Linux
- Parch Linux
- Manjaro
- Armbian
- AlmaLinux 8.0+
- Rocky Linux 8+
- Oracle Linux 8+
- OpenSUSE Tumbleweed
- Amazon Linux 2023</p>
<p>
<pre>
<code class="nim">
#> bash <(curl -Ls https://raw.githubusercontent.com/alireza0/x-ui/master/install.sh)
....
Would you like to customize the Panel Port settings? (If not, random port will be applied) [y/n]: y
Please set up the panel port: 9566
Your Panel Port is: 9566
Port set successfully: 9566
Username and password updated successfully
Base URI path set successfully
This is a fresh installation, generating random login info for security concerns:
###############################################
Username: fU8hjnoLSp
Password: ak8jX44rZy
Port: 9566
WebBasePath: EwAJmwAHwMk7FLK
###############################################
If you forgot your login info, you can type 'x-ui settings' to check
Start migrating database...
Migration done!
Created symlink '/etc/systemd/system/multi-user.target.wants/x-ui.service' → '/etc/systemd/system/x-ui.service'.
x-ui v1.8.7 installation finished, it is up and running now...
</code> </pre>
The script asks for the port to use. we could change the port later.
We could use the creds(Autogenerated) displayed above to access the webui
<pre><code class="nim">X-UI Control Menu Usage
------------------------------------------
SUBCOMMANDS:
x-ui - Admin Management Script
x-ui start - Start
x-ui stop - Stop
x-ui restart - Restart
x-ui status - Current Status
x-ui settings - Current Settings
x-ui enable - Enable Autostart on OS Startup
x-ui disable - Disable Autostart on OS Startup
x-ui log - Check Logs
x-ui update - Update
x-ui install - Install
x-ui uninstall - Uninstall
x-ui help - Control Menu Usage
------------------------------------------
</code></pre>
In order to access the web UI, the url schema looks like this.
<br>
<code>http://server_ip:port/path</code>
<br><br>
<blockquote class="blockquote">
You can use <b>x-ui settings</b> command to retrieve panel info, like port and path.
<br>
Ex-output:
<br>
###############################################
Username: fU8hjnoLSp <br>
Password: ak8jX44rZy <br>
Port: 9566 <br>
WebBasePath: EwAJmwAHwMk7FLK <br>
###############################################
</blockquote>
<p class="lead" class="nim">Example
http://198.41.128.88:9566/EwAJmwAHwMk7FLK/
<br>Once you access the web portal,use the username and password as above.
</p>
</p>
<br><br>
</li>
<li>
<h3><u>Setting up the panel</u></h3>
<div style="display: flex;flex-direction: column;">
<img src="./login.png" width="50%" srcset="">
<h5>
after logging in switch to latest the xray-core
</h5>
<img src="./changexcore.png" width="100%" srcset="">
</div>
<p>In order to receive inbounds we must create an inbound rule within the panel.
<br>
We are choosing vmess (as protocol) + websocket (as trasport).
copy the settings as below.
<br>
(you could change the port as of your liking)
<blockquote class="blockquote">
VLESS does not provide built-in encryption, avoiding it for now.
<a href="https://xtls.github.io/en/config/inbounds/vless.html#vless">ref</a>
NOTE: VMess Requires to have time synced up.
</blockquote>
<img src="./createib.png" width="100%">
<br>
Now you could try to connect to the server using QR Code or by using the vmess link.
<br>
(Click the QR to copy link)
See <a href="#clients">Client Section</a>
<br><br>
<blockquote class="blockquote">
a vmess link will look like vmess://&ltuuid&gt@&lthostname&gt:&ltport&gt?&ltother_params&gt#&ltremarks&gt
</blockquote>
</p>
</li>
<li>
<h3><u>Client Installation
</u></h3>
</li>
We're installing <b>V2rayN</b> on linux, one could find the pre-build binaries in the releases section on github( <a href="https://github.com/2dust/v2rayN/releases">link</a> )
<img src="./v2rayn_release.png" alt="" srcset="">
<br>
Extract, and run the client as follows
<br>
<pre>
<code>
$ unzip v2rayN-linux-64.zip
...
$ cd v2rayN-linux-64/
$ chmod +x v2rayN
$ ./v2rayN
</code>
</pre>
After executing the above command a GUI will popup.
<br>
change route settings (optional) within Settings(on top) > Regional Presets Settings > Russia
<br>
<br>
<img src="./russia.png" alt="">
<br>
<br>
<blockquote>
Routing is used when you want to avoid proxy for regional websites.
<br>
(A direct connection without proxy will be made by the clientside app based-off IP or Domain name)
</blockquote>
<p class="lead">
Ex. if we access 1tv.ru, with this setting turned on it will be resolved using our actual IP than our Proxy IP
</p>
</ul>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Censorship Evasion technique #1 - Domain Fronting</b></h2>
<br><br>
<p>
Setting up a v2ray server alone doesnt bypass any censors(it would be obvious if we push a large amount of traffic),rather we use some methods to make the traffic look geniune.
<br>One such method is called <b>Domain Fronting</b>
<br>
<img src="./domainfronting_diagram.png" width="100%">
<br><br>
We will be using Fastly, since it offers a free CDN without CreditCard + 30-day Websocket support(free-trial)
<br>
Start by creating an account at <a href="http://fastly.com">Fastly</a>
<br>
<img src="./fastly_newacc.png" width="50%">
<br>
Create a new cdn service like this
<br>
<img src="./cdn_newservice.png" width="50%">
<blockquote class="blockquote">
In here we can <b>use any domain name</b> since its for internal routing within cdn.
<br>
(meaning that within the CDN domain zero-google.com will resolve to our v2ray IP )
<br>
<b>origin</b> willbe our v2ray inbound IP
</blockquote>
<br>
then select the cdn name to edit the config
<br>
<img src="./cdn_edit.png" width="80%">
<br><br>
We edit the CDN config to change the port of our host and disable some settings that may cause issues
<br>
<img src="./cdn_host_change.png" width="100%">
<br>
After that we change the port from 443 to 53254 (The port we used for receiving inbounds in our v2ray panel)
<img src="./cdn_host_tls_port.png" width="100%">
<br><br>
<blockquote class="blockquote">
We can do inbounds to port 443(TLS port) and adjust inbound settings to have <b>Fallback</b> but that requires one to have an inbound config with TCP transport within the panel.
</blockquote>
<p class="lead">
A Fallback is when you want to expose only one standard HTTP/HTTPS port(80,443) to receive inbounds but want to use different protocols like VMESS,Shadowsock... with the same port.
<br>
Fallback Can only be used with TCP/XTLS transport modes.
<br>
</p>
<br><br>
Now from Settings >>
<img src="./cdn_settings.png">
<br>
we enable websocket.
<br>
<img src="./ws_disabled.png">
Start the trial and it should look something like this
<br>
<img src="./ws_enabled.png">
<br>
Now lets add VCL for HTTP Connection Upgrade(Since we want to switch to Websocket)
<img src="./vcl.png" width="100%">
<br>
<img src="./upgr.png" width="100%">
<pre><code class="nim">
if (req.http.Upgrade) {
return (upgrade);
}
</code>
</pre>
</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Clientside Setup</b></h2>
In this section we'll discuss how to connect to the prementioned setup using domain fronting technique.
<ul>
<li>
<h3><u>Linux</u></h3>
<p>
Copy the server config from panel(by clicking the qr-code) to clipboard.
<br>
Open client app(v2rayN/nekoray)
<br>
Ctrl + V
<br>
and edit it as follows.
<br>
For testing in Linux we are using v2rayN
</p>
<img src="./test_vmess.png" alt="">
<br><br>
click <b>Confirm</b>
<br><br>
If the connection was successful you'll see your server IP along with delay(ms) in the logs as well as on bottom right corner like this.
<img src="./connect_success.png" width="100%">
<br>
You could toggle System Proxy to check connectivity, within browser and all.
<br>
<img src="./system_proxy.png" alt="">
<br>
<br>
</li>
</ul>
<h2><b>Testing Tor</b></h2>
<p>
<br><br>
go to
<b>about:preferences#connection</b>
change proxy settings as follows.
<br>
(Proxy port shown in v2ray.
So that connection made by tor will go through v2ray server)
<img src="./tor_proxy_settings.png" width="100%">
<br>
<blockquote>
If we were to save it and try to connect <b>it will fail</b>.
(connection died in state handshaking).
<b>So enable Bridges</b>
</blockquote>
Set Bridges of Your Choice
<br>
<img src="./bridge.png" width="100%">
<br>
<br><br>
This is how the traffic leaves the system.
<br>
<img src="./ws_traffic.png" width="100%">
<br><br>
As you could see, traffic goes to fastly server rather than tor nodes.
<br>(You're seeing Websocket traffic to and from 192.168.1.2(LAN IP) to a Fastly CDN(Anycast IP))
<br>
<img src="./test_tor.png" width="100%">
<p>And that's it! we managed to connect to an onion website, from a heavily-censored country, thanks to v2ray.</p>
</p>
</div>
</div>
</div>
</div>
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br>
<p>Creative Commons Zero: No Rights Reserved</br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br /><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br />
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About Zer0</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 42wqdQbr4QBSU4BVKkoAANENY6SDzbdib8mUmNBybYAePfkVzmcQKyGNuJ3GbFr4S9fsQaWQB9gxnip611poq89f1ETjK9R</p></br>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>
Reference in a new issue View git blame Copy permalink