how Iran is filtering the v2ray traffic. #188
Comments
I have used vless+xtls and have been selling to many of my customers. I have used x-ui for managing customers and it uses a different port for each account, which is not ideal. Since about a week ago my servers have been blocked, so I started to use fallback and added nginx on port 80 and 443. It delayed the blocking for some of my servers but some still got blocked after 24h. The speed has dropped on my servers (from hetzner) to about 1Mbps but from other cloud providers I could get like 20Mbps on irancell. It seems that some VPS service providers' IP addresses are being blocked or limited (e.g. hetzner) in Iran. Now I have started using other transports such as vless+tls+ws+nginx to have the minimum risk of blocking (as far as I know with v2ray/xray).
@cyberxf please say more about how you know the information in your post. By itself, the information you have posted is not very useful. Filtering is done by routers and firewalls—no surprise there. The firewalls are located in How do you reconcile your claim that all filtering is done uniformly at aggregator routers, with the reports of users who say that filtering is different in different networks (especially mobile networks)? If the traffic were already aggregated, it would be more work to separate out the different sources and apply different filtering rules to them. Other threads (e.g. #171) have reported throttling of V2Ray, not IP blackholing, which contradicts your post. Is there an explanation for that? And the big question is: how are V2Ray, SSH, or VMess connections distinguished from other traffic, so they can be filtered? We know how that kind of thing happens in general, but how exactly is it being done in this case, according to your knowledge? Without that information, the post essentially says "Iran blocks V2Ray by detecting it and filtering it," which is not informative. Please provide additional context to justify your claims and help others estimate their accuracy.
Ok, let me make it a bit more clear: it's all done by the TIC itself, not any ISPs. As I was talking to one of the TIC experts the other day, the fact is, if you are connected more than 24 hours to a server using ssh tunnels or any other protocols and the traffic reaches up to ..(didn't tell me how much), the TIC would write an ACL and put that range into int null 0 in networking.
@wkrp, I think the OP is referring to TIC (Telecommunication Infrastructure Company) which is a fully government-owned company responsible for providing international network bandwidth and ports. This is a sensitive and security-oriented organization which is also the primary enforcer of censorship in Iran. Essentially it controls the gates (and how open or closed they are). TCI (Telecommunications Company of Iran) on the other hand, is an altogether different corporation, partly government-owned and responsible for the majority of traditional telephone landlines in Iran and is also the majority stakeholder in MCI (Mobile Telecommunication Company of Iran aka همراه اول) which is one of the two big mobile/cell comm operators in Iran (the other being Irancell).
So you mean that the blocking is mutually based on the Source IP and Destination IP? In other words, they are not going to block the IP of your VPN server globally for every ISP inside the country?
It is based on the protocol, source and destination IP.
@manwithoutpant can you connect to these servers via ssh with an Iran IP?
@manwithoutpant That's the case for me as well. I'd appreciate it if you let me know when you find a way.
Yes, it is still possible but not always; the ssh traffic is limited nowadays.
@manwithoutpant How awful! The place I get my VPS from charges me $3 for changing IP addresses. Are you saying this is the only way? What if we change the IPs and they keep getting banned?
@manwithoutpant So far I have made 2 CloudFlare accounts but unfortunately I can't get a ping after I set the DNS on the domain. With proxy being on or off. What do you mean by "healthy CloudFlare IP"?
One of the easiest ways for analytic teams is to read the situation and mitigations all gathered in one bbs issue, read the sentiment on their work on censoring and try to break the solutions again, what a smart move.
These public discussions are helping the developers of censorship circumvention tools to implement a solution which can help people on a mass scale. Developing private tools for bypassing censorship may work for a limited number of people but developing for public use requires the most "bullet proof" solution such that even knowing how one tool can bypass the censorship it is very hard to block that tool. Besides, creating firewall rules to block a specific tool is also very expensive and time consuming, which gives time for us to develop even more tools to bypass the censorship.
Agreed with @sambali9. Anyway, this is off topic. Let's keep the thread clean. To keep net4people clean, we can always move the problems and asking for help to another GitHub repo like https://github.com/iranxray/hope/issues
I suggest making a private group in Telegram (or something else), because even if we find a solution for the filtering, the censors can just watch this thread and block it. Discussing matters like this in public is just pointless.
@manwithoutpant You gotta change the settings until you get results.
Thank you for the clarification. I am still not following this logic completely. I understand that if you have two Internet connections and only use V2Ray on one of them (Respina), then the other connection (Shatel) will not be affected. But if you used V2Ray on both connections, then they would both be blocked, correct? Both connections being blocked is what I would expect, if both ISPs route through uniform censorship boxes at TIC: equal censorship in all ISPs. But some users report that censorship is not equal in all ISPs. Maybe censorship is equal with respect to V2Ray detection, but unequal in other respects?
@wkrp feel free to mention me if there's any need for Farsi -> English translations. These machine translations are almost completely unreadable.
If they block servers by traffic usage, how much traffic can I use per day? Or what is the limit?
Answering this question, even if the premises are true, would require doing a controlled experiment, which I don't think anyone has done yet.
I have a way to bypass filtering, which is one of the newest protocols.
As a network administrator, I can explain that all of this filtering is being done by aggregator routers and end firewalls located in TIC corporation, so if you are connected to a v2ray server, probably using ssh tunnels or vmess protocols, no matter even if it was tunneled through other servers, it is being monitored by the corp and alerted, so the IP address range + the protocol name which was under monitoring is now detected and filtered using an ACL which makes your traffic as a black hole one (leads to nowhere).