
[Feature] Support Shadowsocks option (AEAD encryption) for Trojan (Trojan-go) and support uTLS

Open erfanmetallica opened this issue 2 years ago • 16 comments

Verify steps

  • [X] I have searched on the issue tracker for a related feature request.
  • [X] I have read the documentation and was unable to solve the issue.

Description

Hello there. It is very important to encrypt data with AEAD encryption where we use trojan-go+ws in untrusted CDNs, so having this feature in Clash and Clash for Android may be attractive for many Trojan-go clients.

Clash (trojan-go) ---> Shadowsocks ----> Websocket ----> Paid CDN or Personal CDN ---- > Server

Possible Solution

No response

erfanmetallica avatar Oct 14 '22 08:10 erfanmetallica

It's easy for clash to support websocket on shadowsocks, but it is not a protocol "officially" supported by shadowsocks (maybe it is just supported by v2ray or trojan-go).

Dreamacro avatar Oct 14 '22 10:10 Dreamacro

Nope, it's secondary encryption with Shadowsocks AEAD, based on websocket (not ws over ss). Trojan does not support this option; it's a Trojan-go feature. Trojan-go reference: https://p4gefau1t.github.io/trojan-go/advance/aead/
Please add support for Trojan-go with the uTLS library (this changes the TLS fingerprint to a popular browser fingerprint, to avoid TLS fingerprint blocking) #2339

Iranian people need your help. #MahsaAmini

erfanmetallica avatar Oct 14 '22 13:10 erfanmetallica
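To make concrete what the "secondary encryption with Shadowsocks AEAD" requested above actually adds on top of the websocket stream, here is an added example (not code from the page, from Clash or from trojan-go) that implements the Shadowsocks AEAD TCP framing for aes-128-gcm in Go, the language both projects are written in: a random salt opens the stream, a per-session subkey is derived with HKDF-SHA1 and the info string "ss-subkey", and every chunk is sent as an encrypted 2-byte length plus an encrypted payload of at most 0x3FFF bytes, each under its own incrementing nonce. The master key is taken as a raw 16-byte value here (an assumption; Shadowsocks proper derives it from the password), and the HKDF is written out on crypto/hmac so the block needs only the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// aes-128-gcm parameters; the master key is used as a raw 16-byte key here (assumption).
const keySize, saltSize, nonceSize, maxPayload = 16, 16, 12, 0x3FFF

// hkdfSHA1 is RFC 5869 HKDF-SHA1 built on crypto/hmac, so only the stdlib is needed.
func hkdfSHA1(ikm, salt []byte, info string, length int) []byte {
	ext := hmac.New(sha1.New, salt) // extract: PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	prk, out, prev := ext.Sum(nil), []byte{}, []byte{}
	for counter := byte(1); len(out) < length; counter++ { // expand: T(i) = HMAC(PRK, T(i-1)||info||i)
		h := hmac.New(sha1.New, prk)
		h.Write(append(append(append([]byte{}, prev...), info...), counter))
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// sessionAEAD derives the per-session subkey from the master key and the salt
// that opens the stream; the info string "ss-subkey" is fixed by the spec.
func sessionAEAD(masterKey, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(hkdfSHA1(masterKey, salt, "ss-subkey", keySize)) // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                                             // AES block: cannot fail
	return aead
}

// increment bumps the little-endian nonce counter; every chunk consumes two.
func increment(nonce []byte) {
	for i := range nonce {
		if nonce[i]++; nonce[i] != 0 {
			return
		}
	}
}

// openChunk authenticates the first size bytes of buf under the current nonce.
func openChunk(aead cipher.AEAD, nonce, buf []byte, size int) ([]byte, error) {
	if len(buf) < size {
		return nil, errors.New("truncated stream")
	}
	pt, err := aead.Open(nil, nonce, buf[:size], nil)
	increment(nonce)
	return pt, err
}

// Encrypt returns salt || [len||tag][payload||tag]..., payloads at most maxPayload bytes.
func Encrypt(masterKey, msg []byte) ([]byte, error) {
	wire := make([]byte, saltSize)
	if _, err := rand.Read(wire); err != nil {
		return nil, err
	}
	aead, nonce := sessionAEAD(masterKey, wire), make([]byte, nonceSize)
	for len(msg) > 0 {
		n := len(msg)
		if n > maxPayload {
			n = maxPayload
		}
		lenBuf := []byte{byte(n >> 8), byte(n)} // 2-byte big-endian length
		wire = aead.Seal(wire, nonce, lenBuf, nil)
		increment(nonce)
		wire = aead.Seal(wire, nonce, msg[:n], nil)
		increment(nonce)
		msg = msg[n:]
	}
	return wire, nil
}

// Decrypt parses the framing back; a modified, reordered or truncated chunk rejects the stream.
func Decrypt(masterKey, wire []byte) ([]byte, error) {
	if len(wire) < saltSize {
		return nil, errors.New("stream shorter than salt")
	}
	aead := sessionAEAD(masterKey, wire[:saltSize])
	wire, nonce, tag, out := wire[saltSize:], make([]byte, nonceSize), aead.Overhead(), []byte(nil)
	for len(wire) > 0 {
		lenBuf, err := openChunk(aead, nonce, wire, 2+tag)
		if err != nil {
			return nil, errors.New("length chunk: " + err.Error())
		}
		n := int(binary.BigEndian.Uint16(lenBuf) & maxPayload)
		payload, err := openChunk(aead, nonce, wire[2+tag:], n+tag)
		if err != nil {
			return nil, errors.New("payload chunk: " + err.Error())
		}
		out, wire = append(out, payload...), wire[2+tag+n+tag:]
	}
	return out, nil
}
```

What this layer buys on an untrusted CDN is visible in the design: the CDN terminates TLS and sees the websocket frames, but without the master key it sees only a random salt followed by ciphertext whose lengths are themselves encrypted, and any byte it alters or drops fails the GCM tag check on the next chunk, so `Decrypt` rejects the whole stream instead of returning partial plaintext. A message of 100000 bytes splits into seven chunks, each costing 34 bytes of overhead on the wire.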

@erfanmetallica

I don't know much about the current situation in Iran, so I was hoping you could tell me something about it.

  • Has the ISP or government been able to proactively detect and disable shadowsocks AEAD server?

  • Has the ISP or government been able to proactively detect and block TLS requests containing Golang TLS fingerprints?

  • Is wrapping a transport of Websocket not detected yet? But as far as I know, companies like Cloudflare do not seem to serve Iran? (Please point out if it is not correct)

Dreamacro avatar Oct 14 '22 13:10 Dreamacro

  1. Secondary encryption with Shadowsocks AEAD is needed when we use CDNs in Iran for full security of connections.
  2. The government's GFW detects all TLS fingerprints and blocks unpopular fingerprints (so we need uTLS to use fingerprints like new Chrome etc. to avoid TLS blocking).
  3. TLS 1.2 (maybe) and lower are dropped (we use 1.3).
  4. When limits start (during protests), all connections to non-Iran IPs get blocked (except datacenters and XDSL / FTTX (this may be open or blocked))! So the only way to bypass the firewall is a VPS in Iran. The government's firewall is using AI for a deeper DPI system to detect new methods and block them.

TLS fingerprint blocking is applied to users' connections to that VPS (to stop users bypassing the firewall via that VPS).

erfanmetallica avatar Oct 14 '22 14:10 erfanmetallica

We can use Cloudflare's free plan service, but not during the blocked times.

erfanmetallica avatar Oct 14 '22 15:10 erfanmetallica

hey whatsup bro? @Dreamacro

erfanmetallica avatar Oct 20 '22 09:10 erfanmetallica

> @erfanmetallica
>
> I don't know much about the current situation in Iran, so I was hoping you could tell me something about it.
>
>   • Has the ISP or government been able to proactively detect and disable shadowsocks AEAD server?
>   • Has the ISP or government been able to proactively detect and block TLS requests containing Golang TLS fingerprints?
>   • Is wrapping a transport of Websocket not detected yet? But as far as I know, companies like Cloudflare do not seem to serve Iran? (Please point out if it is not correct)

In fact, there are different conditions (firewall policies). In the worst case, websockets only worked with a lot of errors in connection handshakes. My personal experience: ss, ssr: completely blocked on mobile & ADSL ISPs. trojan / vmess: pass the gstatic ping test but do not work (only a non-TLS config with websocket works) (recently I changed the test website to google.com/humans.txt for better test results).

Feeling uncertain about this: sometimes vmess/trojan connects, after a few seconds it's stuck in keep-connection, after a new scan it's shown as timeout/down. After a few minutes it shows up/live again. (Similar to a mechanism of automatic disruption of the connection.)

MrSaeedNasiri avatar Oct 20 '22 12:10 MrSaeedNasiri

> @erfanmetallica I don't know much about the current situation in Iran, so I was hoping you could tell me something about it.
>
>   • Has the ISP or government been able to proactively detect and disable shadowsocks AEAD server?
>   • Has the ISP or government been able to proactively detect and block TLS requests containing Golang TLS fingerprints?
>   • Is wrapping a transport of Websocket not detected yet? But as far as I know, companies like Cloudflare do not seem to serve Iran? (Please point out if it is not correct)
>
> In fact, there are different conditions (firewall policies). In the worst case, websockets only worked with a lot of errors in connection handshakes. My personal experience: ss, ssr: completely blocked on mobile & ADSL ISPs. trojan / vmess: pass the gstatic ping test but do not work (only a non-TLS config with websocket works) (recently I changed the test website to google.com/humans.txt for better test results).
>
> Feeling uncertain about this: sometimes vmess/trojan connects, after a few seconds it's stuck in keep-connection, after a new scan it's shown as timeout/down. After a few minutes it shows up/live again. (Similar to a mechanism of automatic disruption of the connection.)

Hi there, yes that's true, there are so many errors and lost packets in TLS handshaking and ws packets. But about ss and ssr, there is no problem on my server and it works (on mobile internet it works only during the hours when there is no limit, but there is no problem on fixed internet).

erfanmetallica avatar Oct 20 '22 12:10 erfanmetallica

Unfortunately, in recent months, I've had some health issues that prevented me from following up (or even working).

The new features of the plan (ss2022 was already halfway done a few months ago; tcp/udp tunnel; the wireguard PR on premium hasn't had time to be reviewed yet; integration of uTLS, etc.) cannot be continued.

Maybe you guys can submit PRs that some contributors (like @Kr328 @icpz) can review and I can merge (or contributors can merge directly).

Dreamacro avatar Oct 20 '22 12:10 Dreamacro

@Dreamacro I wish good health to you❤

erfanmetallica avatar Oct 20 '22 13:10 erfanmetallica

> @erfanmetallica
>
> I don't know much about the current situation in Iran, so I was hoping you could tell me something about it.
>
>   • Has the ISP or government been able to proactively detect and disable shadowsocks AEAD server?
>   • Has the ISP or government been able to proactively detect and block TLS requests containing Golang TLS fingerprints?
>   • Is wrapping a transport of Websocket not detected yet? But as far as I know, companies like Cloudflare do not seem to serve Iran? (Please point out if it is not correct)

According to the pictures below, the fingerprint of golang has been accurately blocked, and according to the recent actual situation, Trojan and Vmess (TLS) are being precisely blocked every day.

[two screenshot attachments; images not available in this text]

kia678 avatar Oct 25 '22 13:10 kia678

https://github.com/Dreamacro/clash/pull/1794

There has already been a PR for smux before, but it was not merged and the reason was not clear; maybe it's time to reconsider?

SakuraSakuraSakuraChan avatar Oct 26 '22 09:10 SakuraSakuraSakuraChan

> Nope, it's secondary encryption with Shadowsocks AEAD, based on websocket (not ws over ss). Trojan does not support this option; it's a Trojan-go feature. Trojan-go reference: https://p4gefau1t.github.io/trojan-go/advance/aead/ Please add support for Trojan-go with the uTLS library (this changes the TLS fingerprint to a popular browser fingerprint, to avoid TLS fingerprint blocking) #2339
>
> Iranian people need your help. #MahsaAmini

Try this build

clash-darwin-amd64.gz clash-linux-amd64.gz clash-windows-amd64.exe.gz

Kr328 avatar Oct 27 '22 06:10 Kr328

Would you please explain more about these builds? Windows Defender considers it a hack tool.

hiddify-com avatar Oct 29 '22 19:10 hiddify-com

@Kr328 will ClashForAndroid use this build yet?

ipfans avatar Nov 08 '22 09:11 ipfans