Bypass VPN Blocking — Set Up Two-Step WireGuard
WireGuard has a lot going for it: it is easy to deploy, it is fast, and its minimalist clients give users no trouble.
In early August, some Internet operators and providers in the Russian Federation began blocking the WireGuard protocol by its handshake.
I personally ran into the blocking at Megafon and Tele2, but did not notice it at Rostelecom; the VPN still worked through the latter.
I really did not want to abandon WireGuard in favor of proxy servers in the spirit of VLESS + TLS-Vision, given that all our users are already very used to WireGuard.
So a radical change of client software was not considered.
Since WireGuard traffic is blocked only towards foreign addresses, it was decided to add one more hop to the chain and make the initial connection to a server in the Russian Federation.
User → Wireguard RF → Obfuscator in RF → Obfuscator in EU → Internet
Shadowsocks was chosen as the obfuscator, with AEAD encryption. The GFW (https://en.wikipedia.org/wiki/Great_Firewall) already detects it, but here it is not detected yet. This choice keeps the whole setup very simple.
On the EU server, install shadowsocks:
apt update
apt install shadowsocks-libev
Edit /etc/shadowsocks-libev/config.json:
{
    "server": ["0.0.0.0"],
    "mode": "tcp_and_udp",
    "server_port": 8443,
    "password": "YourPassword",
    "timeout": 86400,
    "method": "chacha20-ietf-poly1305"
}
With this config the shadowsocks server listens on port 8443 over both TCP and UDP (UDP is needed because the clients' UDP traffic, DNS for instance, has to be relayed too), using the specified cipher and password.
We allow connections only from our Russian server. I do it with nftables sets:
table inet filter {
    set ALLOWED_SPROXY {
        type ipv4_addr;
        elements = { 195.0.0.356 }  # placeholder: put the RF server's real public address here
    }
    chain input {
        ...
        ip saddr @ALLOWED_SPROXY counter udp dport 8443 accept comment "SPROXY"
        ip saddr @ALLOWED_SPROXY counter tcp dport 8443 accept comment "SPROXY"
        ...
    }
    ...
}
Start it:
systemctl enable --now shadowsocks-libev
Check that the port is listening on both TCP and UDP (the ss port filter needs the leading colon):
ss -nltu 'sport = :8443'
Now to the server in the Russian Federation.
We assume WireGuard is already set up on it and do not cover that here.
Since shadowsocks is a proxy, and we need to route all traffic from the RF server to the EU, we need a network interface on the RF server that hands traffic over to shadowsocks.
Out of the box, shadowsocks can either listen on a plain port and forward it (ss-tunnel), or expose a SOCKS port on the host (ss-local). Neither option suits us, because neither of them creates a network interface.
That is why we install tun2socks:
https://github.com/xjasonlyu/tun2socks
It creates a tun interface and forwards the traffic arriving on it to shadowsocks in the EU.
I built it from source:
go install github.com/xjasonlyu/tun2socks/v2@latest
But you can also download a ready-made binary. Note that go install places the binary in ~/go/bin by default, which is not on systemd's PATH, so either copy it to a system directory such as /usr/local/bin or use the full path in the unit's ExecStart.
All traffic will be routed into the tun interface, except traffic to the EU server itself and localhost traffic.
tun2socks speaks the shadowsocks protocol natively, because it uses the core package of go-shadowsocks2, which is very convenient: we do not have to install shadowsocks on the RF server.
https://github.com/xjasonlyu/tun2socks/blob/main/proxy/shadowsocks.go#L9C2-L9C44
On the RF server the routing needs to change:
- add a new default gateway via tun0
- add an exception for the EU server's IP, so the proxy traffic itself still leaves through the real uplink
- raise the metric of the old default gateway
So in the end we will have two default gateways. If the tun goes down for any reason, the server stays reachable through the original gateway.
I did not find how to add a tun/tap (not tunnel) interface in netplan, so I create the interface and the routes in systemd unit hooks (the unit is tun2socks.service). The server's uplink interface is assumed to be ens3. The IP address of tun0 does not matter.
[Unit]
Description=Tun2Socks
After=network.target

[Service]
Type=simple
User=root
EnvironmentFile=/etc/default/tun2socks
ExecStartPre=-ip tuntap add mode tun dev tun0
ExecStartPre=ip addr add 192.168.0.33/24 dev tun0
ExecStartPre=ip link set dev tun0 up
ExecStart=tun2socks -device tun://tun0 -proxy ss://chacha20-ietf-poly1305:${SSPASSWORD}@${SSIP}:${SSPORT}
# Move the old default to metric 200 and pin the EU server to the real uplink
# (via the old gateway) BEFORE tun0 becomes the preferred default, so the
# proxy's own traffic never gets routed into the tunnel. systemd expands
# ${SSIP}; $MIP is left for bash.
ExecStartPost=bash -c 'MIP=$(ip r l | grep "default via" | head -n1 | cut -f3 -d" "); ip r del default dev ens3; ip r add default via $MIP dev ens3 metric 200; ip r add ${SSIP}/32 via $MIP dev ens3'
ExecStartPost=ip r add default dev tun0 metric 50
# Deleting tun0 also drops its default route; the metric-200 default on ens3 remains
ExecStopPost=-ip link set dev tun0 down
ExecStopPost=-ip link del dev tun0
ExecStopPost=-ip r del ${SSIP}/32 dev ens3

[Install]
WantedBy=multi-user.target
/etc/default/tun2socks holds the connection details of the EU server:
SSIP=195.0.0.357
SSPORT=8443
SSPASSWORD=YourPassword
Start it:
systemctl enable --now tun2socks
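The routing state the unit is supposed to produce (tun0 as the preferred default, ens3 as the fallback with a higher metric, the EU server pinned to ens3) is worth verifying after start and from monitoring. The script below is an added example, not code from the original article: it parses `ip route show` output, using two constructed route listings (one healthy, one after tun2socks has stopped), with 198.51.100.20 as a constructed stand-in for SSIP, 203.0.113.1 as the uplink gateway, and the article's interface names and metrics.

```shell
#!/bin/sh
# Added verification script for the Russian server's routing table (not part
# of the original article). On a live host pass "$(ip route show)" to
# verify_routes or egress_state instead of the constructed listings below.

TUN_DEV=tun0
WAN_DEV=ens3
SSIP=198.51.100.20   # constructed stand-in for the EU server's address (SSIP in the unit file)

# Healthy state: both default routes present, EU server pinned to the uplink
ROUTES_OK='default dev tun0 scope link metric 50
default via 203.0.113.1 dev ens3 metric 200
192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.33
198.51.100.20 via 203.0.113.1 dev ens3
203.0.113.0/24 dev ens3 proto kernel scope link src 203.0.113.5'

# tun2socks stopped: ExecStopPost removed tun0 and the /32, only the fallback remains
ROUTES_TUN_DOWN='default via 203.0.113.1 dev ens3 metric 200
203.0.113.0/24 dev ens3 proto kernel scope link src 203.0.113.5'

# default_routes ROUTES: prints "device metric" for each default route, lowest metric first
default_routes() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = "?"; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            print metric, dev
        }' | sort -n | awk '{ print $2, $1 }'
}

# active_gateway_dev ROUTES: device the kernel uses for traffic no other route matches
active_gateway_dev() {
    default_routes "$1" | head -n 1 | cut -d' ' -f1
}

# host_route_dev ROUTES HOST: device of an explicit host (/32) route for HOST, empty if none
host_route_dev() {
    printf '%s\n' "$1" | awk -v host="$2" '
        $1 == host || $1 == host "/32" {
            for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# egress_state ROUTES: "tunnel" while tun0 wins, "direct" once traffic leaves the uplink unproxied
egress_state() {
    if [ "$(active_gateway_dev "$1")" = "$TUN_DEV" ]; then echo tunnel; else echo direct; fi
}

# verify_routes ROUTES: 0 only if the two-gateway setup is exactly as intended; prints each problem
verify_routes() {
    rc=0
    [ "$(active_gateway_dev "$1")" = "$TUN_DEV" ] ||
        { echo "FAIL: preferred default route is not $TUN_DEV"; rc=1; }
    default_routes "$1" | grep -q "^$WAN_DEV " ||
        { echo "FAIL: no fallback default route on $WAN_DEV"; rc=1; }
    [ "$(host_route_dev "$1" "$SSIP")" = "$WAN_DEV" ] ||
        { echo "FAIL: $SSIP is not pinned to $WAN_DEV (proxy traffic would loop into the tunnel)"; rc=1; }
    return $rc
}

if verify_routes "$ROUTES_OK"; then echo "routing ok, egress: $(egress_state "$ROUTES_OK")"; fi
```

One caveat this check makes visible: the fallback default is fail-open. When tun2socks is down, the server stays reachable as intended, but WireGuard clients' traffic then leaves the RF server directly and unobfuscated; `egress_state` returning `direct` is the condition to alert on.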
Network latency between the servers hovers around 25–30 ms, which is not bad at all.
We hope we can live with this for at least a couple more years without worrying about the providers' DPI becoming more aggressive.