
[Feature request] Support for higher level protocols (FakeSSL or FakeHTTP)

Open StevenDoesStuffs opened this issue 7 years ago • 4 comments

For those behind more restrictive firewalls which block arbitrary tcp connections that aren't "website-looking" using deep packet inspection, this could be extremely useful. Currently, the firewall that I'm behind drops all the handshake2 packets, and this could be the solution. Unfortunately, I can't work on this because I have little to no knowledge about networking, but essentially it should be something like stunnel but for udp connections running over udp.

Edit: it looks like I can actually handle this in #153 because I need to do key exchange anyways. During the handshake we'll do "real" tcp and make it look like SSL (optionally), and switch that off later for the data afterwards. As for http, maybe I'll look into that.

StevenDoesStuffs avatar Apr 10 '18 14:04 StevenDoesStuffs

First, FakeSSL and FakeHTTP won't be enough. For different circumstances, you may also need FakeFTP, FakeMail, FakeWeChat-Video-Streaming, etc. If you want to make it close to perfect, the supported protocols will grow into a long list.

Second, for FakeSSL alone, you have more than one choice to implement it:

  1. Let the traffic behave exactly like SSL. This is very hard, especially when the underlying protocol is not a real tcp.

  2. Simulate SSL for the first few packets, then switch to bare FakeTCP at some point. This is much easier. As far as I know, some software which claimed to implement a similar feature chose this way. But will this always work?

Moreover, for plaintext protocols, you may need to consider how to encapsulate binary data to let firewalls believe it's indeed plaintext. You may also need to prepare a list of methods for encapsulating data for different firewalls. For protocols that usually work as short connections, you may also need to break a long connection into a few short connections.

I want to point out that such a feature will always be far from perfect. It's like playing an arms race with network administrators. I chose to stop at level 3 protocols because for higher level protocols it may cost more time and produce less outcome.

Nevertheless, I am not against it. If someone implements it in an elegant way, I will merge the code.

Similar issue in Chinese: https://github.com/wangyu-/udp2raw-tunnel/issues/51

wangyu- avatar Apr 11 '18 10:04 wangyu-

HTTP is a bit more popular in firewall non-filtering settings than everything else; maybe Mail would be ok. But still, FakeSSL is really enough IMHO. The second option of implementing FakeSSL is also enough.

JuniorJPDJ avatar Apr 12 '18 23:04 JuniorJPDJ

Actually any Fake* protocol could be implemented without much hassle if the handshakes are completed by a real program, and this project takes it over on layer 2. More detailed discussion is in #9

ccaapton avatar Apr 15 '18 09:04 ccaapton

I want to propose the following functionality:

Send a request to another server, like www.yahoo.com, but to the IP of our server. Our server receives it and sends the request to www.yahoo.com for real this time and copies the certificate to send to the client.

To the censor, it looked like our IP got a ClientHello addressed to www.yahoo.com and replied with the correct cert, making it believe it's one of the Yahoo servers.

iopq avatar Dec 11 '24 15:12 iopq
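The two ideas in this thread that can be shown concretely are the "first few packets look like SSL" approach (option 2 in wangyu-'s comment) and the ClientHello-with-SNI trick in the last comment. The block below is an added illustration written for this page, not udp2raw's own code or any patch from the thread. It builds a minimal TLS 1.2 ClientHello record carrying a server_name (SNI) extension for a hostname of your choice, then parses that record the way a DPI engine would to pull the SNI back out, and finally shows the simplest form of the "data phase" disguise: wrapping arbitrary (already encrypted) tunnel bytes in TLS application_data record headers so they look like an encrypted session on the wire. The cipher suite list and the fixed 32-byte random used in the usage call are arbitrary assumptions; everything is pure standard library and runs offline.

```python
import secrets
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
RECORD_VERSION = 0x0301      # record-layer version commonly sent with a ClientHello
TLS_VERSION_1_2 = 0x0303
EXT_SERVER_NAME = 0x0000
MAX_RECORD_PAYLOAD = 16384   # TLS plaintext record limit (2^14)

# Illustrative, assumed cipher-suite list: ECDHE-RSA-AES128-GCM-SHA256,
# ECDHE-RSA-AES256-GCM-SHA384, RSA-AES128-GCM-SHA256.
CIPHER_SUITES = b"\xc0\x2f\xc0\x30\x00\x9c"


def build_client_hello(server_name: str, random_bytes: Optional[bytes] = None) -> bytes:
    """Return one TLS record holding a minimal TLS 1.2 ClientHello with an SNI extension.
    This is the first packet a DPI box sees on a TLS connection."""
    if random_bytes is None:
        random_bytes = secrets.token_bytes(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    host = server_name.encode("idna")
    # server_name extension body: ServerNameList length, name_type 0 (host_name), name length, name
    sni_entry = struct.pack("!BH", 0, len(host)) + host
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    body = (
        struct.pack("!H", TLS_VERSION_1_2)
        + random_bytes
        + b"\x00"                                              # session_id length 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                          # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return struct.pack("!BHH", TLS_HANDSHAKE, RECORD_VERSION, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record like a DPI engine and return the SNI host name from a
    ClientHello, or None when the record is not a ClientHello carrying SNI."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                  # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # skip session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                          # skip compression_methods
    if pos + 2 > len(body):
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            if len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("idna")
    return None


def frame_as_tls_app_data(payload: bytes) -> bytes:
    """Split arbitrary bytes into TLS 1.2 application_data records (type 0x17).
    Only the 5-byte header is added; the payload is expected to be encrypted already."""
    records = []
    for i in range(0, len(payload), MAX_RECORD_PAYLOAD):
        chunk = payload[i:i + MAX_RECORD_PAYLOAD]
        records.append(struct.pack("!BHH", TLS_APPLICATION_DATA, TLS_VERSION_1_2, len(chunk)) + chunk)
    return b"".join(records)


def unframe_tls_app_data(stream: bytes) -> bytes:
    """Inverse of frame_as_tls_app_data; rejects anything that is not a clean sequence of records."""
    chunks, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, ver, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        if ctype != TLS_APPLICATION_DATA or ver != TLS_VERSION_1_2 or pos + 5 + rlen > len(stream):
            raise ValueError("not a well-formed application_data record at offset %d" % pos)
        chunks.append(stream[pos + 5:pos + 5 + rlen])
        pos += 5 + rlen
    if pos != len(stream):
        raise ValueError("trailing bytes after last record")
    return b"".join(chunks)


if __name__ == "__main__":
    hello = build_client_hello("www.yahoo.com", b"\x11" * 32)  # fixed random: constructed sample
    print("ClientHello bytes:", len(hello), "SNI seen by DPI:", extract_sni(hello))
    tunnel_bytes = secrets.token_bytes(20000)                  # constructed stand-in for encrypted tunnel data
    framed = frame_as_tls_app_data(tunnel_bytes)
    print("records:", framed.count(b"\x17\x03\x03"), "round trip ok:", unframe_tls_app_data(framed) == tunnel_bytes)
```

What this shows, and what it deliberately does not: a DPI engine that only keys on the first record will see the SNI you put there, which is the whole basis of the "look like SSL for the first few packets" approach. An engine that tracks TLS state expects a ServerHello, a Certificate and a key exchange before any application_data records, so the bare framing above only fools the former; wangyu-'s "will this always work?" is exactly that gap, and iopq's proposal (answering with the real origin's certificate chain) is one way to satisfy the server side of it, which this example does not implement.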