
TLS over VMESS-TCP is being selectively blocked by the GFW

Open wloot opened this issue 2 years ago • 4 comments

Recently I have run into a situation where, through the same proxy, inner traffic such as plain HTTP connects normally, but HTTPS is blocked.

For the blocked HTTPS traffic, I tested forcing TLS 1.0/1.1/1.2/1.3 and the result was the same with every version.

% curl https://1.1.1.1 -vv
*   Trying 1.1.1.1:443...
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Sep 13 00:00:00 2022 GMT
*  expire date: Sep 13 23:59:59 2023 GMT
*  subjectAltName: host "1.1.1.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: 1.1.1.1]
* h2h3 [user-agent: curl/7.84.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x125012e00)
> GET / HTTP/2
> Host: 1.1.1.1
> user-agent: curl/7.84.0
> accept: */*
> 
* HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
* Connection #0 to host 1.1.1.1 left intact

Whereas HTTP goes through normally:

% curl http://1.1.1.1 -vv 
*   Trying 1.1.1.1:80...
* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 1.1.1.1
> User-Agent: curl/7.84.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: cloudflare
< Date: Wed, 19 Oct 2022 15:03:50 GMT
< Content-Type: text/html
< Content-Length: 167
< Connection: keep-alive
< Location: https://1.1.1.1/
< CF-RAY: 75ca671cbcb1ddf4-HKG
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
* Connection #0 to host 1.1.1.1 left intact

I also found that this phenomenon may be related to the client IP: some proxies return to normal after the client redials its connection.

wloot avatar Oct 19 '22 15:10 wloot
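An added diagnostic example (not code from this issue or from v2ray-core) that parses `curl -vv` transcripts like the two above and reports at which layer a connection stopped, so that "TLS handshake completed, then the stream was cut" can be told apart from a refused connection, a handshake that never finished, or a normal response. The sample transcripts inside the block are trimmed from the two runs quoted above; the 203.0.113.10 timeout sample, the stage names and the function names are constructed for this example.

```python
"""Triage helper for "plain HTTP works, HTTPS is cut" reports.

Added example, not code from the v2ray-core issue or project. It parses the
verbose transcript that `curl -vv` prints and decides how far a connection
got: TCP connect, TLS handshake, HTTP response.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Recent curl prints "* (304) (IN), TLS handshake, Finished (20):",
# older builds print "* TLSv1.3 (IN), TLS handshake, Finished (20):".
TLS_MSG_RE = re.compile(
    r"^\* (?:\(\d+\)|TLSv[\d.]+) \((IN|OUT)\), TLS handshake, (.+?) \((\d+)\):")
TLS_DONE_RE = re.compile(r"^\* SSL connection using (\S+) / (\S+)")
ALPN_RE = re.compile(r"^\* ALPN[,:] server accepted (?:to use )?(\S+)")
STATUS_RE = re.compile(r"^< HTTP/\S+ (\d{3})")
CONNECTED_RE = re.compile(r"^\* Connected to ")
DIRTY_RE = re.compile(r"^\* HTTP/\d(?:\.\d)? stream \d+ was not closed cleanly")


@dataclass
class CurlVerdict:
    stage: str                      # where the connection stopped
    tls_version: Optional[str] = None
    cipher: Optional[str] = None
    alpn: Optional[str] = None
    status: Optional[int] = None    # first HTTP status line seen, if any
    handshake: List[str] = field(default_factory=list)  # e.g. "IN:Finished"


def classify_curl_log(text: str) -> CurlVerdict:
    """Walk a curl -vv transcript line by line and record what happened."""
    v = CurlVerdict(stage="connect_failed")
    connected = tls_started = dirty = False
    for line in text.splitlines():
        line = line.rstrip()
        if CONNECTED_RE.match(line):
            connected = True
        elif (m := TLS_MSG_RE.match(line)):
            tls_started = True
            v.handshake.append(f"{m.group(1)}:{m.group(2)}")
        elif (m := TLS_DONE_RE.match(line)):
            v.tls_version, v.cipher = m.group(1), m.group(2)
        elif (m := ALPN_RE.match(line)):
            v.alpn = m.group(1)
        elif (m := STATUS_RE.match(line)) and v.status is None:
            v.status = int(m.group(1))
        elif DIRTY_RE.match(line):
            dirty = True
    if not connected:
        v.stage = "connect_failed"          # never got past TCP
    elif v.status is not None:
        v.stage = "response_received"       # application layer worked
    elif tls_started and v.tls_version is None:
        v.stage = "tls_handshake_failed"    # handshake began, never finished
    elif v.tls_version is not None:
        # Both Finished messages were exchanged but no HTTP response came
        # back: the path was cut only after TLS had been established.
        v.stage = "cut_after_tls_handshake" if dirty else "no_response_after_tls"
    else:
        v.stage = "no_response"
    return v


def compare_plain_vs_tls(http_log: str, https_log: str) -> str:
    """Turn a plaintext run and a TLS run into a one-line triage conclusion."""
    plain, tls = classify_curl_log(http_log), classify_curl_log(https_log)
    if plain.stage == "response_received" and tls.stage.startswith("cut_after"):
        return "selective: plaintext passes, TLS is dropped after the handshake"
    if plain.stage == "connect_failed" and tls.stage == "connect_failed":
        return "host or port unreachable for both protocols"
    return f"http={plain.stage} https={tls.stage}"


# Trimmed excerpt of the HTTPS run quoted in the issue (constructed sample).
HTTPS_LOG = """\
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
> GET / HTTP/2
* HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
* Connection #0 to host 1.1.1.1 left intact
"""

# Trimmed excerpt of the plain HTTP run quoted in the issue (constructed sample).
HTTP_LOG = """\
* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> GET / HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://1.1.1.1/
* Connection #0 to host 1.1.1.1 left intact
"""

# Constructed sample of a TCP-level failure (documentation address), for contrast.
CONNECT_FAIL_LOG = """\
*   Trying 203.0.113.10:443...
* Failed to connect to 203.0.113.10 port 443 after 75004 ms: Connection timed out
"""

if __name__ == "__main__":
    print(classify_curl_log(HTTPS_LOG))
    print(compare_plain_vs_tls(HTTP_LOG, HTTPS_LOG))
```

Run it against saved `curl -vv` output captured with and without the proxy; a verdict of `cut_after_tls_handshake` for the HTTPS run while the HTTP run returns `response_received` is the signature the issue describes, and it differs from `connect_failed`, which is what an IP or port block looks like.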

Same problem here; the wall has probably been upgraded again.

olbb avatar Oct 31 '22 10:10 olbb

Is your ISP China Unicom?

SakuraSakuraSakuraChan avatar Nov 03 '22 09:11 SakuraSakuraSakuraChan

I've noticed China Mobile has had similar problems recently.

liujunhui2 avatar Nov 07 '22 08:11 liujunhui2

Same here: my 3 self-hosted VPS nodes all became unreachable at the same time, vmess+tls+ws. The IPs were not blocked and SSH still logs in, but the proxy just won't connect.

zhychen1173 avatar Nov 17 '22 02:11 zhychen1173

Is your ISP China Unicom?

The targeted blocking on China Unicom here is very obvious: the port stops working after 2-3 days. The IP is not blocked. Another second-tier ISP is much better.

kdanfly avatar Nov 27 '22 03:11 kdanfly

I use a Bandwagonhost CN2 datacenter, the WS domain is resolved by Alibaba Cloud DNS with real-name ICP filing, and it had been stable for more than two years. A month ago, Unicom started targeted blocking first; a few days later, port 443 was suddenly blocked. I then changed the domain and the Bandwagonhost IP. The day before yesterday, port 443 on the new IP was blocked again. Today, another Vultr box of mine that had been stable for three years also had 443 blocked. I just switched 443 to 8443 and put it behind CF; if it gets blocked again soon, I'm really out of ideas.

fobfofo avatar Nov 28 '22 04:11 fobfofo

Try opening a higher port and use it only yourself. I haven't been blocked for a long time; before, I used lower port numbers, and whenever a port carried heavy traffic it got blocked. I'm on China Mobile.

brandon3343 avatar Dec 28 '22 12:12 brandon3343