Lack of a modern reverse tunnel tool to bypass GFW
For a long time, we Iranian users used Freegate/Psiphon/OpenVPN and WireGuard until the GFW blocked them. Then we switched to ShadowSocks and V2Ray TCP/HTTP simple setups until they blocked those too. Then we switched to V2Ray TLS with a fake TLS fingerprint and REALITY; then the GFW started detecting misconfigured ones, and speed-limited and added packet loss to all TLS connections to most foreign IP ranges. Tricks like TCP/TLS/HTTP fragment, domain fronting or crafted HTTP headers existed too, but did not last for a long time.
During this cat-and-mouse game, many users were paying for a domestic VPS as a relay, because the connection from an Iranian ISP to Iranian servers was good and the domestic VPS connection to foreign IPs was good. Simple port forwarding and tunnel methods like GRE / IPSec didn't last long, so people switched to V2Ray proxies for port forwarding. Then the GFW started detecting misconfigured ones, and speed-limited and added packet loss to all TLS connections to most foreign IP ranges. Then people found that the GFW limits only affect VPS outbound traffic, not the inbound (which seems logical, as those servers are mostly made to host websites so people from everywhere can visit), so people switched to reverse tunnels. But now the GFW detects them too, and when they find a server is used for proxy/relay, they limit the detected domestic server to Iran IPs only.
Here we need a reverse tunnel tool with GFW evasion ability.
Available tools like FRP are not made to bypass the GFW, and the V2Ray/Xray reverse tunnel is so old and abandoned.
Currently the popular proxy tools have a lot of modern protocols and features to bypass the current GFW version and also get good performance. Xray-core has XHTTP + HTTP/2 & HTTP/3 + Mux Control + Padding + Fake TLS Fingerprint + REALITY support. Sing-box has AnyTLS with crafted Padding + Fake TLS Fingerprint + REALITY. But none of them support Reverse Tunnel / Reverse Port Forward ability.
Do you know any tool with the feature of these Xray/SB modern protocols and transports?
GFW is not sensitive to TLS with http/1.1 ALPN or Fingerprint in reverse connections yet and they will not waste resources to detect TLS in TLS, so Padding is just a waste of bandwidth, but if you still want it, enable Multiplex so it may cover TLS in TLS.
And the Reverse in Xray-core is written by v2ray-core devs; Xray devs do not even know how it works. So even if they want it, they can't add this feature to SplitHTTP. They didn't even invent SplitHTTP, just renamed it to XHTTP.
Yes, currently even some easy-to-detect protocols are whitelisted on servers from some data centers, but we should be prepared for everything, so we need to have perfect protocols to not get detected in hard times.
Reverse or forward connection type is independent of transport.
Actually it's not only VPS-to-VPS; some ISPs offer static IPs to normal users.
Hey there,
Based on your discussion, a tool called Asport might be a good fit for your needs. It's a reverse proxy built on QUIC, a modern transport protocol that's inherently resistant to some forms of censorship.
Here's why it's worth considering:
- It's a reverse proxy by design, which is exactly what you're looking for.
- It uses QUIC, which offers low latency, multiplexing, and built-in TLS 1.3 encryption. This makes it more resilient than older TCP-based solutions.
- The developers mention it includes "simple censorship circumvention features," so they've already thought about bypassing firewalls.
However, keep in mind that it might not have all the advanced obfuscation features you mentioned, like REALITY or fake TLS fingerprints, that tools like Xray or Sing-box have. Still, given its focus on modern protocols and reverse proxying, it's definitely a project to watch and perhaps experiment with.
Hope this helps!
Although you were dead, but I still reply.
UDP is highly throttled under ISP where GFW covers, especially for abroad traffic. It's only barely usable with hysteria.
This depends more on the ISP's traffic shaping configuration. I use China Telecom in a southern province of China, and the speed of QUIC is not significantly limited.
The reverse proxy in V2Ray is no longer maintained but still available. You can try it with mekya.
In addition, V2Ray's dokodemo-door inbound and freedom outbound can be used with any reverse proxy software.
Just like: Client -> Frp Client -> V2Ray Dokodemo-door Inbound -> V2Ray VMess Outbound ---> Internet ---> V2Ray VMess Inbound -> V2Ray Freedom Outbound -> Frp Server -> Server