[Turkmenistan] Need ideas for advanced DPI evasion
I have already tried:
- vless(+tls/reality/http1.1)(+http2 mux) on all kinds of domains (my own, .tm, popular foreign websites, no sni), on ports 443/993/3785/179/7547/5223/etc., I don't remember
- hysteria2 with/without port hopping, with/without salamander, with/without port hop (30s/5min interval, ports 80,123,443,993,995,27015,25565 and 1-65535), with/without SNI
- icmp tunnel
It simply doesn't help, all IP addresses were banned (mostly after a few days of use, sometimes in a few hours, sometimes in a few weeks; traffic was mostly from 20 to 150 GB).
Just simply sending random/fake QUIC UDP data (I tried 56/1400 byte packets) to a random IP address which won't respond will trigger a ban.
All blocks are happening during the day. For almost a month I checked the accessibility of ~10k IPs every 10 minutes and logged the results (https://pastebin.com/raw/SFtji0HX).
After years of trying I'm 99% sure that protocols don't matter and they simply ban IPs with moderate traffic usage. A lot of normal services like Microsoft, Google, Yandex, PSN (and A LOT more which I forgot) suffer from temporary or permanent IP or domain bans; even msftncsi (Windows internet check) and the gstatic connectivity check (Android internet check) are blocked. They even banned my own domain for a legal business inside the country (I was using Gcore CDN, never used it as a proxy; they banned the IP and the domain, and I had to switch to a local VPS where I have to manually update the TLS cert because Let's Encrypt is partially blocked; Docker is also blocked). The internet is simply broken beyond belief.
Also, I'm using AmneziaWG on a random high port. There are 11 clients connected from agts and telecom 24/7, traffic is ~500 MB per month, and it has worked for almost 2 years already on the same IP; similar configs but with higher traffic consumption were banned.
CDNs are the only thing that somewhat works, but they are a pain in the ass (IPs are blocked often, they often require clever DPI bypass to prevent domain blocks, and they can be pricey and slow), so I want to avoid using them.
Which tricks can be tried to break their connection tracking? My plan for the next test is to send empty TCP packets (some DPI systems seem to ignore them) to a random IP; I'm not sure how to do that yet.
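
For the reachability log described in the post (about 10k IPs probed every 10 minutes), one way to check the "blocks happen during the day" observation is to find each IP's block onset and bucket it by local hour. This is an added example, not part of the original post or the linked log. The log line format, UTC timestamps, the UTC+5 local offset and the three-probe confirmation threshold are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOCAL = timezone(timedelta(hours=5))  # assumption: log is in UTC, local time is UTC+5
CONFIRM = 3  # assumption: 3 failed probes in a row (30 min) count as a block, not a flap

def sample_log():
    """Constructed sample: '<UTC ISO time> <ip> <up|down>', one probe every 10 minutes."""
    start = datetime(2024, 3, 1, 4, 0)
    plan = {
        "203.0.113.10": "uuuddddd",  # reachable, then blocked from 04:30 UTC
        "203.0.113.11": "uududuuu",  # short flaps only
        "203.0.113.12": "dddddddd",  # unreachable before measurement began
    }
    return "\n".join(
        f"{(start + timedelta(minutes=10 * i)).isoformat()} {ip} {'up' if c == 'u' else 'down'}"
        for ip, pattern in plan.items() for i, c in enumerate(pattern))

def block_onsets(log_text, confirm=CONFIRM):
    """Map ip -> local time of the first failed probe of its first confirmed block."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        when = datetime.fromisoformat(parts[0]).replace(tzinfo=timezone.utc)
        series[parts[1]].append((when, parts[2] == "up"))
    onsets = {}
    for ip, probes in series.items():
        seen_up, run_start, run_len = False, None, 0
        for when, up in sorted(probes):
            if up:
                seen_up, run_start, run_len = True, None, 0
            elif seen_up:  # only count failures that follow a successful probe
                run_start = run_start or when
                run_len += 1
                if run_len >= confirm:
                    onsets[ip] = run_start.astimezone(LOCAL)
                    break
    return onsets

def onsets_by_hour(onsets):
    """Histogram of block onsets per local hour of day."""
    return Counter(t.hour for t in onsets.values())

if __name__ == "__main__":
    found = block_onsets(sample_log())
    for ip, t in found.items():
        print(ip, t.isoformat())
    print(sorted(onsets_by_hour(found).items()))
```

IPs that were never seen reachable are left out because their block time is unknown, and short flaps below the confirmation threshold are not counted as blocks.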