
[Iran] Using Champa proxy

Open gusgustavo opened this issue 6 months ago • 25 comments

Champa is a censorship circumvention proxy that tunnels through an AMP cache. Because the IP address of google.com is currently reachable, you can use that IP address to reach an AMP cache, and then from the AMP cache reach any other service.

Because of rate limits at the AMP cache, the Champa tunnel is slow, no more than 15 KB/s. It may only work for about 15 minutes at a time before rate limits take effect, and then you will need to wait several hours for it to work again. It will only work on a desktop computer where you can run custom software.

1. Download the Champa client (Windows, macOS, Linux):

2. Start the client from your terminal

Open your terminal and connect to one of the following servers:

./champa-client --pubkey 9c07d5b75163050b4916153fb0f9f244e08927da51c89e9b3e17b2a59364e50e --cache https://cdn.ampproject.org/ --front google.com https://poney.gus.computer/champa/ 127.0.0.1:7000

EDIT: the next one has been disabled.

./champa-client --pubkey b2c9dbca9ce723a9ed369338ddd66cd8824aa7cde3aefab1123b971b4a133a71 --cache https://cdn.ampproject.org/ --front google.com https://ch.rinsed-tinsel.site/champa/socks/ 127.0.0.1:7000

3. Browse the web

  • From the command line:
$ curl --proxy socks5h://127.0.0.1:7000/ example.com
  • Using Firefox:

    • Open "Settings" > General tab > Scroll to "Network Settings" > click "Settings..."

    • Select "Manual Proxy configuration"

    • Set: Socks Host: 127.0.0.1 Port 7000

    • Check "Proxy DNS when using SOCKS v5"

    • Click "OK"

Troubleshooting

Log messages about sessions and streams are normal:

begin session 0fc548ec
begin stream 0fc548ec:3
begin stream 0fc548ec:5

A log message about an out-of-window nonce is only for debugging and can be ignored.

nonce is already used or out of window

If you see a message about the request rate, it is normal. The client software is tuning its request rate to stay under the rate limit. When it sees an unexpected response from the AMP cache, it cuts the rate in half.

poll error, reducing request rate from 10.141/s: server returned status 302 Found
poll error, reducing request rate from 5.098/s: server returned status 302 Found

But if you see repeated poll errors that lower the request rate below 1 second, it means that the client has been limited. You need to stop the client software, wait several hours, and restart it.

poll error, reducing request rate from 9.679/s: server returned status 302 Found
poll error, reducing request rate from 4.839/s: server returned status 302 Found
poll error, reducing request rate from 2.420/s: server returned status 302 Found
poll error, reducing request rate from 1.310/s: server returned status 302 Found
poll error, reducing request rate from 0.696/s: server returned status 302 Found
poll error, reducing request rate from 0.448/s: server returned status 302 Found

gusgustavo avatar Jun 20 '25 15:06 gusgustavo
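The troubleshooting rule in the post above, written as a log check. This is an added example, not part of the original post and not Champa project code; the function name, the verdict labels, and the tolerance for a timestamp prefix are assumptions, and the sample lines are constructed from the ones quoted in the post.

```python
import re
from collections import Counter

# Message formats are the ones quoted in the post; patterns are unanchored
# at the start so a timestamp prefix (an assumption) is tolerated.
POLL_ERROR = re.compile(r"poll error, reducing request rate from "
                        r"(\d+(?:\.\d+)?)/s: server returned status (\d{3})")
SESSION = re.compile(r"begin session ([0-9a-f]+)\s*$")
STREAM = re.compile(r"begin stream ([0-9a-f]+):(\d+)\s*$")
NONCE_DEBUG = "nonce is already used or out of window"


def triage(lines, floor=1.0):
    """Summarise client log lines; `floor` is the post's 1 request/s threshold."""
    out = {"sessions": set(), "streams": 0, "debug": 0,
           "rates": [], "statuses": Counter(), "unparsed": []}
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if m := POLL_ERROR.search(line):
            out["rates"].append(float(m.group(1)))
            out["statuses"][int(m.group(2))] += 1
        elif m := SESSION.search(line):
            out["sessions"].add(m.group(1))
        elif STREAM.search(line):
            out["streams"] += 1
        elif NONCE_DEBUG in line:
            out["debug"] += 1          # debugging only, safe to ignore
        else:
            out["unparsed"].append(line)
    if not out["rates"]:
        out["verdict"] = "ok"
    elif out["rates"][-1] < floor:
        # Errors kept arriving after the rate had already dropped below the floor.
        out["verdict"] = "limited"
    else:
        out["verdict"] = "tuning"
    return out


# Constructed samples, assembled from the log lines quoted in the post.
NORMAL = """\
begin session 0fc548ec
begin stream 0fc548ec:3
nonce is already used or out of window
poll error, reducing request rate from 10.141/s: server returned status 302 Found
poll error, reducing request rate from 5.098/s: server returned status 302 Found
begin stream 0fc548ec:5
""".splitlines()

LIMITED = [f"poll error, reducing request rate from {r}/s: "
           "server returned status 302 Found"
           for r in ("9.679", "4.839", "2.420", "1.310", "0.696", "0.448")]

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("limited", LIMITED)):
        print(name, triage(sample)["verdict"])
```

A "limited" verdict corresponds to the post's advice to stop the client and wait several hours; "tuning" means the client is only backing off.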

That was quick! But I think we already established that Iran users cannot use GitHub itself (just the GitHub app), nor Telegram, nor domains hosted outside Iran.

I have uploaded a few APK files to Google Drive (on the other thread https://github.com/net4people/bbs/issues/484), but so far I have not received any confirmation that they are either accessible or useful to Iran users.

lowendcompute avatar Jun 20 '25 16:06 lowendcompute

That was quick! But I think we already established that Iran users cannot use GitHub itself (just the GitHub app), nor Telegram, nor domains hosted outside Iran. I have uploaded a few APK files to Google Drive (on the other thread #484), but so far I have not received any confirmation that they are either accessible or useful to Iran users.

Yes we can't even download GitHub contents.

https://biaupload.com/do.php?filename=org-8d31c81937512.zip

Uploaded here for Iranians.

mohandex avatar Jun 20 '25 17:06 mohandex

I have go v1.22.5 installed. If there was a way to make this tool into a single source file and then copy its content in here as a comment I can try compiling the source. Provided that it doesn't need other external libraries.

Here's something to try. The PNG graphic below is also a zip file that contains the vendored Champa source code. Hopefully it's possible to download an image file from the github app.

champa-v0.20250620.0.zip.png ← download image

  1. Download the image.
  2. Rename to champa-v0.20250620.0.zip
  3. Unzip to get source code.

I don't know if it will work. Please let me know. If it works, we can try making other files available in the same way.

wkrp avatar Jun 20 '25 17:06 wkrp
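Added example (not part of the original comment, and not Champa project code): before renaming and unzipping a file like the one described above, a recipient can check where the PNG image ends, how much data follows it, and whether any archive member would escape the extraction directory. It assumes the archive is appended after the PNG IEND chunk; the sample file and its member names are constructed.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Return the offset just past the IEND chunk, checking every chunk CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        end = pos + 12 + length            # length + type + data + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        typed = data[pos + 4:end - 4]      # chunk type followed by chunk data
        if zlib.crc32(typed) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad chunk CRC")
        pos = end
        if typed[:4] == b"IEND":
            return pos
    raise ValueError("no IEND chunk")

def inspect_polyglot(data):
    """Describe what follows the image and which ZIP members it holds."""
    end = png_end(data)
    rep = {"png_bytes": end, "trailing_bytes": len(data) - end,
           "members": [], "unsafe": [], "corrupt": None}
    if rep["trailing_bytes"] and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                rep["members"].append((info.filename, info.file_size))
                parts = info.filename.replace("\\", "/").split("/")
                if info.filename.startswith("/") or ".." in parts:
                    rep["unsafe"].append(info.filename)  # would leave the target dir
            rep["corrupt"] = zf.testzip()  # first member failing its CRC, or None
    return rep

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample():
    """Constructed input: a 1x1 grayscale PNG with a two-member ZIP appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + \
        _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("champa/main.go", "package main\n")  # constructed names
        zf.writestr("../escape.txt", "x")
    return png + buf.getvalue()
```

A non-empty `unsafe` list or a non-`None` `corrupt` value is a reason not to extract the archive as-is.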

Downloads from @gusgustavo google drive:

champa-client-darwin-amd64
curl --connect-to ::216.239.38.120 --ssl-revoke-best-effort -L -o champa-client-darwin-amd64 "https://drive.usercontent.google.com/download?id=1ROCBSIsnat8uDQSlOFajuW2XAbeqNNZh&export=download&confirm=t"
champa-client-linux-amd64
curl --connect-to ::216.239.38.120 --ssl-revoke-best-effort -L -o champa-client-linux-amd64 "https://drive.usercontent.google.com/download?id=14iONlacSm5lLHIrevnTUC-FiceTitjsS&export=download&confirm=t"
champa-client-linux-arm64
curl --connect-to ::216.239.38.120 --ssl-revoke-best-effort -L -o champa-client-linux-arm64 "https://drive.usercontent.google.com/download?id=1u0YJ5BBpSGYGYUTAeN8eYEGMZdywsop0&export=download&confirm=t"
champa-client-windows-arm64.exe
curl --connect-to ::216.239.38.120 --ssl-revoke-best-effort -L -o champa-client-windows-arm64.exe "https://drive.usercontent.google.com/download?id=1cE8JVL0zN-NGf26HgHhvtbybKHBX5oWE&export=download&confirm=t"

wkrp avatar Jun 20 '25 18:06 wkrp

Hello, I am from Iran. We have access to the GitHub application itself. I can't download any files. The external server terminal won't open for us. We only have access to the Iranian server terminal. What is the solution?

AmirTiming avatar Jun 20 '25 20:06 AmirTiming

Hello, I am from Iran. We have access to the GitHub application itself. I can't download any files. The external server terminal won't open for us. We only have access to the Iranian server terminal. What is the solution?

The solution is to use Google Drive. It is currently accessible both within Iran and in the outside world. You have to get the format of the curl command just right, as demonstrated in the examples. It works on Linux and on Windows with WSL (Windows Subsystem for Linux). I don't know about other platforms.

lowendcompute avatar Jun 20 '25 22:06 lowendcompute

Hello, I am from Iran. We have access to the GitHub application itself. I can't download any files. The external server terminal won't open for us. We only have access to the Iranian server terminal. What is the solution?

@AmirTiming https://uplod.ir/lu2d0a3f162m/stuff.zip.htm

The password is "pass"

I got it directly from the Google Drive that someone sent in the other Iran-associated issue, and I uploaded it there.

op30mmd avatar Jun 20 '25 22:06 op30mmd

I have go v1.22.5 installed. If there was a way to make this tool into a single source file and then copy its content in here as a comment I can try compiling the source. Provided that it doesn't need other external libraries.

Here's something to try. The PNG graphic below is also a zip file that contains the vendored Champa source code. Hopefully it's possible to download an image file from the github app.

champa-v0.20250620.0.zip.png ← download image

  1. Download the image.
  2. Rename to champa-v0.20250620.0.zip
  3. Unzip to get source code.

I don't know if it will work. Please let me know. If it works, we can try making other files available in the same way.

Thank you for your great effort but unfortunately that uploaded image is on github contents and that's not accessible to us.
If we had access to the GitHub contents we could download anything using releases.

Haji, are you stupid or blind? I uploaded it above, and so did another person. Go test it.

mohandex avatar Jun 20 '25 22:06 mohandex

I have go v1.22.5 installed. If there was a way to make this tool into a single source file and then copy its content in here as a comment I can try compiling the source. Provided that it doesn't need other external libraries.

Here's something to try. The PNG graphic below is also a zip file that contains the vendored Champa source code. Hopefully it's possible to download an image file from the github app.

champa-v0.20250620.0.zip.png ← download image

  1. Download the image.
  2. Rename to champa-v0.20250620.0.zip
  3. Unzip to get source code.

I don't know if it will work. Please let me know. If it works, we can try making other files available in the same way.

Thank you for your great effort but unfortunately that uploaded image is on github contents and that's not accessible to us.
If we had access to the GitHub contents we could download anything using releases.

Haji, are you stupid or blind? I uploaded it above, and so did another person. Go test it.

First, speak properly. Second, that first message of mine was from before the upload to Iranian servers; the first comment here has been edited several times. At first, it was just a link here; it wasn't even on Google Drive to download with cURL. Unfortunately, people like you have caused yourselves and those around you to lag behind with such prejudices, narrow-mindedness, unnecessary haste, and superficial behavior. I also wrote in my comments above that the problem has been solved and is working, and I was simply responding to that poor guy. Unlike you, those people are trying to help us, but they don't know the level of our internet restrictions, so we need to explain it to them.

The explanations have been given elsewhere and they are informed. Just don't waste time on useless things. I don't want to continue the discussion either. We should use this opportunity to get results.

mohandex avatar Jun 20 '25 23:06 mohandex

Also, I must add that this is extremely limited and you can barely do anything with it.

But what I noticed is that it's super helpful to connect to Telegram with this. Just make a SOCKS proxy in Telegram and route it to localhost and the port, and you get it working, although it's slow and you get rate limited every ~15 minutes, if not less if you're unlucky. So yeah! Just my take on this.

tuleo1 avatar Jun 21 '25 17:06 tuleo1

Also, I must add that this is extremely limited and you can barely do anything with it.

Yes, unfortunately I don't know what to do to make it better. It used to work better in earlier years when the rate limiting was not so strict.

wkrp avatar Jun 21 '25 20:06 wkrp

But what I noticed is that it's super helpful to connect to Telegram with this.

Maybe we should add that on the instructions. :)

gusgustavo avatar Jun 22 '25 03:06 gusgustavo

With this I was able to connect to Telegram for a few minutes before getting rate limited. We can use this to get small files that normally we couldn't.

ADS7gamer avatar Jun 22 '25 09:06 ADS7gamer

Hello, I am from Iran. We have access to the GitHub application itself. I can't download any files. The external server terminal won't open for us. We only have access to the Iranian server terminal. What is the solution?

It seems that they have whitelisted api.github.com.

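import base64

import requests
from flask import Flask, make_response

app = Flask(__name__)

@app.route("/")
def home():
  # Fetch a file through the GitHub API; the JSON reply carries it base64-encoded in 'content'
  inp = requests.get('https://api.github.com/repos/example')
  # Decode the content and hand it back to the caller as a binary download
  out = make_response(base64.b64decode(inp.json()['content']), 200)
  out.headers['Content-Type'] = "application/octet-stream"
  return out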

You can use the API to collect v2ray configs from GitHub using something like this.

developer861 avatar Jun 23 '25 16:06 developer861

It seems like this is particularly well-suited to initial bootstrapping for circumvention tools. To that end, it would be very cool to add this to kindling, which is designed to use as many redundant techniques for bootstrapping as possible!

myleshorton avatar Jun 23 '25 19:06 myleshorton

It seems like this is particularly well-suited to initial bootstrapping for circumvention tools.

You're right. It's used for bootstrapping in Snowflake and Conjure, at least.

  • https://www.bamsoftware.com/papers/snowflake/#p21
  • https://github.com/net4people/bbs/issues/109
  • https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/merge_requests/34

This is a detailed walkthrough of the Snowflake implementation and the protocol it uses:

  • https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/50

It's not dissimilar to dnstt, but easier to use, because it has more single-message payload capacity.

In the other thread there was some hope that it might work for bootstrapping Snowflake in Iran in the current circumstances, but it doesn't work, because the subsequent WebRTC connection is still blocked.

wkrp avatar Jun 23 '25 21:06 wkrp

Is it possible to use Champa on Android?

ADS7gamer avatar Jun 25 '25 01:06 ADS7gamer

Is it possible to use Champa on Android?

I have not tried it, but maybe with Termux?

  • https://termux.dev/en/
  • https://github.com/termux
  • https://en.wikipedia.org/wiki/Termux
  • https://f-droid.org/packages/com.termux/
  • https://play.google.com/store/apps/details?id=com.termux

wkrp avatar Jun 25 '25 01:06 wkrp

So our internet access is about the same as it was before the war. Now we have access to the world's internet.

ADS7gamer avatar Jun 25 '25 08:06 ADS7gamer

In the https://github.com/net4people/bbs/issues/484#issuecomment-2988527368 there was some hope that it might work for bootstrapping Snowflake in Iran in the current circumstances, but it doesn't work, because the subsequent WebRTC connection is still blocked.

Just to make sure I'm understanding, it sounds like Champa could and maybe did theoretically work for accessing a list of bridges somewhere, but the WebRTC in Snowflake failed when trying to use the bridge. It sounds like Champa actually did its job successfully in that case. Is that correct?

I'm also very curious about the subsequent WebRTC blocking. Was that based on DTLS fingerprinting, do you know? Are you using pion v4 and some of the circumvention strategies it has?

myleshorton avatar Jun 25 '25 19:06 myleshorton

Just to make sure I'm understanding, it sounds like Champa could and maybe did theoretically work for accessing a list of bridges somewhere, but the WebRTC in Snowflake failed when trying to use the bridge. It sounds like Champa actually did its job successfully in that case. Is that correct?

Yes, that's correct. The rendezvous was working but the WebRTC data channel was not.

I'm also very curious about the subsequent WebRTC blocking. Was that based on DTLS fingerprinting, do you know? Are you using pion v4 and some of the circumvention strategies it has?

I'm talking about during the recent Iran shutdown. WebRTC/UDP was one of the many protocols affected. No DTLS anti-fingerprinting would have helped.

There was perhaps some indication of DTLS or STUN fingerprinting during the partial shutdown on 2025-06-17. Read https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40465 for what's known about that.

See https://www.bamsoftware.com/papers/snowflake/#p49, https://www.bamsoftware.com/papers/snowflake/#p56, https://www.bamsoftware.com/papers/snowflake/#p67, https://www.bamsoftware.com/papers/snowflake/#p92 for some information about DTLS fingerprinting in general.

wkrp avatar Jun 25 '25 21:06 wkrp

I'm talking about during the recent https://github.com/net4people/bbs/issues/484. WebRTC/UDP was one of the many protocols affected. No DTLS anti-fingerprinting would have helped.

Interestingly, though, some internal WebRTC services were working during the recent blocking, particularly web.rubika.ir. Its servers all appeared to be in Iran, but it was able to successfully use WebRTC for calls globally. That's not using DTLS, but it appears WebRTC protocols were not universally blocked.

Will check out the various links, thanks!

myleshorton avatar Jun 25 '25 23:06 myleshorton

If I were to guess, I'd say the Snowflake connections to the signaling server were blocked versus STUN, SCTP, DCEP, DTLS etc.

myleshorton avatar Jun 26 '25 16:06 myleshorton

If I were to guess, I'd say the Snowflake connections to the signaling server were blocked versus STUN, SCTP, DCEP, DTLS etc.

The snowflake broker is the signaling server. That is, signaling is the part that would have used ampcache, if the client were configured to use ampcache rendezvous.

wkrp avatar Jun 26 '25 17:06 wkrp

Open your terminal and connect to one of the following servers:

./champa-client --pubkey b2c9dbca9ce723a9ed369338ddd66cd8824aa7cde3aefab1123b971b4a133a71 --cache https://cdn.ampproject.org/ --front google.com https://ch.rinsed-tinsel.site/champa/socks/ 127.0.0.1:7000

I have disabled the ch.rinsed-tinsel.site/champa/socks/ server today.

wkrp avatar Aug 16 '25 00:08 wkrp