DPI Tunnel for Linux

Free, simple and serverless solution against censorship for Linux PCs and routers

Telegram chat
Want version for Android?

What is it

DPI Tunnel is a proxy server, that allows you to bypass censorship

It is NOT VPN and won't change your IP

DPI Tunnel uses desync attacks to fool DPI filters

RUN IT AS ROOT

Features

• Bypass many restrictions: blocked or throttled resources
• Create profiles for different ISP and automatically change them when switch connection
• Easily auto configure for your ISP
• Has HTTP and transparent proxy modes

Configuring

For the most of ISPs one of the these 2 profiles will be enough:

--ca-bundle-path=<path_to_cabundle> --desync-attacks=fake,disorder_fake --split-position=2 --auto-ttl=1-4-10 --min-ttl=3 --doh --doh-server=https://dns.google/dns-query --wsize=1 --wsfactor=6

--ca-bundle-path=<path_to_cabundle> --desync-attacks=fake,disorder_fake --split-position=2 --wrong-seq --doh --doh-server=https://dns.google/dns-query --wsize=1 --wsfactor=6

CA Bundle is a file that contains root and intermediate SSL certificates. Required for DoH and autoconfig to work. You can get it for example from curl site

For other ISPs program has --auto key to automatically find proper settings

Running

HTTP mode (default)

This mode is good for PC or any other device which will only use the proxy for itself.

Run executable with options either from autoconfig or from one of the suggested profiles. The program will tell IP and port on which the proxy server is running. 0.0.0.0 IP means any of IPs this machine has.

Set this proxy in browser or system settings

Transparent mode

This mode is good for router which will use the proxy for the entire local network.

Run executable with --mode transparent and append options either from autoconfig or from one of the suggested profiles. The program will tell IP and port on which the proxy server is running. 0.0.0.0 IP means any of IPs this machine has.

If proxy running on router:

1. Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

2. Disable ICMP redirects

sysctl -w net.ipv4.conf.all.send_redirects=0

3. Enter something like the following iptables rules:

iptables -t nat -A PREROUTING -i <iface> -p tcp --dport 80 -j REDIRECT --to-port <proxy_port>
iptables -t nat -A PREROUTING -i <iface> -p tcp --dport 443 -j REDIRECT --to-port <proxy_port>

If proxy running on machine in local network (Raspberry PI for example):

1. On router:

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s <proxy_machine_ip>
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
ip rule add fwmark 3 table 2
ip route add default via <proxy_machine_ip> dev <iface> table 2

2. On proxy machine:

1. Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

2. Disable ICMP redirects

sysctl -w net.ipv4.conf.all.send_redirects=0

3. Enter something like the following iptables rules:

iptables -t nat -A PREROUTING -i <iface> -p tcp --dport 80 -j REDIRECT --to-port <proxy_port>
iptables -t nat -A PREROUTING -i <iface> -p tcp --dport 443 -j REDIRECT --to-port <proxy_port>

Links

Telegram chat

4PDA

Thanks

• ValdikSS (GoodbyeDPI)

Dependencies

• RawSocket
• cpp-httplib
• dnslib
• libnl