Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cloak Not Working In Iran #24

Closed
Abdipour opened this issue Jul 10, 2020 · 17 comments
Closed

Cloak Not Working In Iran #24

Abdipour opened this issue Jul 10, 2020 · 17 comments
Labels
help wanted Extra attention is needed Non-Script Issue Not a problem with script wontfix This will not be worked on

Comments

@Abdipour
Copy link

Abdipour commented Jul 10, 2020
edited
Loading

Hi.
I run cloak2 script without any error. But can't connect to server.
Base of FAQ I tried to check shadowsocks-server is running, got this error:
Unit shadowsocks-server.service could not be found.

Packages in /lib/systemd/system/, there are several service files related to ss-libev:

shadowsocks-libev.service
[email protected]
[email protected]
[email protected]
[email protected]

In ReadMe:

Also script creates a service named shadowsocks-server. DO NOT USE shadowsocks-libev service.

Can you help where is the problem and how to solve this issue?
@HirbodBehnam
Copy link
Owner

HirbodBehnam commented Jul 10, 2020
edited
Loading

Oh dammit i forgot to upgrade the FAQ.
Can you run this command instead and give me the output?
systemctl status cloak-server

@HirbodBehnam
Copy link
Owner

HirbodBehnam commented Jul 10, 2020
edited
Loading

Also keep in mind that few days ago, Iran changed some of their censorship techniques. For instance, most of the time, the MTProto Fake TLS does not work anymore. Maybe cloak have faced the same issue. Although I can run and connect to both MTProto proxy and Cloak on my own server.

@Abdipour
Copy link
Author

Oh dammit i forgot to upgrade the FAQ.
Can you run this command instead and give me the output?
systemctl status cloak-server

The cloak-server status is active and running.

Also keep in mind that few days ago, Iran changed some of their censorship techniques. For instance, most of the time, the MTProto Fake TLS does not work anymore. Maybe cloak have faced the same issue. Although I can run and connect to both MTProto proxy and Cloak on my own server.

Thank you. I had shdowsocks and mtproto (installed with your script) same time in this server. Since a few days ago mtproto not connect. But shadowsocks connection is OK. Today I decide to remove all proxy services and install only shadowsocks with cloak.

@HirbodBehnam
Copy link
Owner

Is there any errors in the log? And what's your client OS?

@Abdipour
Copy link
Author

Abdipour commented Jul 10, 2020
edited
Loading

Is there any errors in the log? And what's your client OS?

Jul 10 15:29:28 aykn ck-server[1379]: time="2020-07-10T15:29:28Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:48562" sessionId=0
Jul 10 15:29:29 aykn ck-server[1379]: time="2020-07-10T15:29:29Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:49010" sessionId=0
Jul 10 15:29:59 aykn ck-server[1379]: time="2020-07-10T15:29:59Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:43890" sessionId=0
Jul 10 15:30:00 aykn ck-server[1379]: time="2020-07-10T15:30:00Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:44236" sessionId=0
Jul 10 15:30:00 aykn ck-server[1379]: time="2020-07-10T15:30:00Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="71.6.199.23:44564" sessionId=0
Jul 10 15:36:33 aykn ck-server[1379]: time="2020-07-10T15:36:33Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="164.52.24.162:60535" sessionId
Jul 10 15:36:37 aykn ck-server[1379]: time="2020-07-10T15:36:37Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="164.52.24.162:37418" sessionId
Jul 10 16:24:46 aykn ck-server[1379]: time="2020-07-10T16:24:46Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="146.88.240.16:57572" sessionId
Jul 10 19:02:09 aykn ck-server[1379]: time="2020-07-10T19:02:09Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.35.168.215:43058" sessionI
Jul 10 19:02:09 aykn ck-server[1379]: time="2020-07-10T19:02:09Z" level=warning msg="failed to unmarshal ClientHello into authFragments: malformed key_share" UID= encryptionMethod=0 proxyMethod= remoteAddr="192.35.168.215:32898" sessionI

OS is Ubuntu 18.04 (64bit)

@HirbodBehnam
Copy link
Owner

HirbodBehnam commented Jul 10, 2020
edited
Loading

Ok, what is your client os? (android,windows,macos)

@Abdipour
Copy link
Author

Abdipour commented Jul 10, 2020
edited
Loading

Ok, what is your client os? (android,windows,macos)

Windows and Android
Also there is no error in clients.

@HirbodBehnam
Copy link
Owner

HirbodBehnam commented Jul 10, 2020
edited
Loading

Unfortunately, I do not have much ideas left but the simple ones. Like:

  1. Make sure that the cloak client on Android and windows are up-to-date (Version 2.1.3)
  2. If possible, uninstall, reboot and then re install the cloak on server. If possible, try completely reinstalling the server's OS (this is probably not the solution)
  3. (Censorship test if you like): You can use some tools like wgcl to generate a free wireguard profile. On your client, turn on Cloak and Wireguard simultaneously and check if the cloak is working.

@HirbodBehnam HirbodBehnam added cannot reproduce It works on my computer help wanted Extra attention is needed labels Jul 11, 2020
@HirbodBehnam HirbodBehnam changed the title shadowsocks-libev OR shadowsocks-server Clock Not Working In Iran Jul 12, 2020
@HirbodBehnam HirbodBehnam added Non-Script Issue Not a problem with script wontfix This will not be worked on and removed cannot reproduce It works on my computer labels Jul 12, 2020
@HirbodBehnam
Copy link
Owner

HirbodBehnam commented Jul 12, 2020
edited
Loading

We had a small chat in Telegram and found out that the Iran firewall is actively blocking the cloak connection. Somehow, the firewall validates the tls packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in MTProto proxy.
Right now, I do not have any work around for this issue. You can switch to Trojan or V2Ray to solve this problem. Also it looks like that my own server is not affected by this issue so the firewall might be watching some special data centers or ip addresses. (My server is from Eonix Corporation)
I haven't tested it, but switching from direct mode to CDN mode in cloak might resolve this problem but I haven't tested it.
Also you can watch this issue on the main cloak repository for further updates.

@HirbodBehnam HirbodBehnam pinned this issue Jul 12, 2020
@felixding
Copy link

We had a small chat in Telegram and found out that the Iran firewall is actively blocking the cloak connection. Somehow, the firewall validates the tls packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in MTProto proxy.
Right now, I do not have any work around for this issue. You can switch to Trojan or V2Ray to solve this problem. Also it looks like that my own server is not affected by this issue so the firewall might be watching some special data centers or ip addresses. (My server is from Eonix Corporation)
I haven't tested it, but switching from direct mode to CDN mode in cloak might resolve this problem but I haven't tested it.
Also you can watch this issue on the main cloak repository for further updates.

Thanks for the update. This is sad.

Just out of curiosity, technically how does the Iran firewall find out it's Cloak not regular HTTPS requests?

@cyqsimon
Copy link

@Abdipour If Iran's firewall is indeed able to differentiate between Cloak and real HTTPS, you can try simple-tls. This encrypts your SS traffic with real TLS1.3, so theoretically there's no way to differentiate, or at least it becomes very difficult.

@HirbodBehnam
Copy link
Owner

HirbodBehnam commented Jul 13, 2020
edited
Loading

@felixding

Just out of curiosity, technically how does the Iran firewall find out it's Cloak not regular HTTPS requests?

Do don't have a single clue. But somehow both fake-tls mode in MTproto proxy and cloak are blocked on-the-fly. (So probably the simple-obfs does not work as well)

@cyqsimon

you can try simple-tls.

Yes, I've also seen it but I haven't tested it. Is the speed and stability good?

@HirbodBehnam HirbodBehnam changed the title Clock Not Working In Iran Cloak Not Working In Iran Jul 13, 2020
@Abdipour
Copy link
Author

We had a small chat in Telegram and found out that the Iran firewall is actively blocking the cloak connection. Somehow, the firewall validates the tls packets and drops them if they are invalid. This also blocks the Fake-TLS protocol in MTProto proxy.
Right now, I do not have any work around for this issue. You can switch to Trojan or V2Ray to solve this problem. Also it looks like that my own server is not affected by this issue so the firewall might be watching some special data centers or ip addresses. (My server is from Eonix Corporation)
I haven't tested it, but switching from direct mode to CDN mode in cloak might resolve this problem but I haven't tested it.
Also you can watch this issue on the main cloak repository for further updates.

Thanks for the update. This is sad.

Just out of curiosity, technically how does the Iran firewall find out it's Cloak not regular HTTPS requests?

When you use fake TLS, technically the certificate validation would work but ultimately the key exchange would fail since the “fake” server doesn’t have the private key.

@Abdipour If Iran's firewall is indeed able to differentiate between Cloak and real HTTPS, you can try simple-tls. This encrypts your SS traffic with real TLS1.3, so theoretically there's no way to differentiate, or at least it becomes very difficult.

Thanks for your advise. For now using another plugin with real TLS and behind CDN.

@cyqsimon
Copy link

@felixding

Just out of curiosity, technically how does the Iran firewall find out it's Cloak not regular HTTPS requests?

Do don't have a single clue. But somehow both fake-tls mode in MTproto proxy and cloak are blocked on-the-fly. (So probably the simple-obfs does not work as well)

@cyqsimon

you can try simple-tls.

Yes, I've also seen it but I haven't tested it. Is the speed and stability good?

Software stability is flawless.
As of speed, I have been using it for a month now, and have not noticed a significant difference compared to SS w/o plugin (SS encryption mode: chacha20-ietf-poly1305). However this is speaking from personal experience, not scientific testing.

@HirbodBehnam
Copy link
Owner

Cool, thanks!

@HirbodBehnam HirbodBehnam mentioned this issue Jul 22, 2020
Closed
@HirbodBehnam
Copy link
Owner

HirbodBehnam commented Sep 12, 2020
edited
Loading

I experienced something today that was interesting.
Today on my ISPs (Pars Online and Rightel), I had problems connecting to my Cloak server. The log of cloak was filled with:

level=info msg="failed to read anything after connection is established: read tcp x.x.x.x:443->x.x.x.x:2304: i/o timeout" remoteAddr="x.x.x.x:2304"

(Note that there was no New session)
I assumed that Iran's firewall was blocking Clock's connection on-fly because there was no problem connecting to it with Openvpn.

But I found a really easy way to fix this: I just changed the browser signature from Chrome to Firefox and it started to work.
This thing reminded me of someone in some MTProto forum that said something like

They might have blocked the protocol because the mtproto proxy is mimicking old Chrome's client hello.

I checked the history of Cloak's code that mimics the Chrome and it looks like that it have not been updated in a while (more than a year and also the other commits are just refactoring code). If that is the case and the Chrome's client hello signature has been changed, maybe Cloak needs to update the Chrome (and maybe Firefox) signatures.
I will open an issue on Cloak's repository and ask the owner if they need some updates.

Edit: I found out that my server is whitelisted

@HirbodBehnam HirbodBehnam mentioned this issue Sep 12, 2020
Closed
@aboka2k
Copy link

aboka2k commented Sep 13, 2020

Great find and hope with the new signature update, it will works. TQ.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Extra attention is needed Non-Script Issue Not a problem with script wontfix This will not be worked on
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@felixding @HirbodBehnam @Abdipour @cyqsimon @aboka2k