Bypassing a network firewall with VPN which only lets TCP 80/443 through

It's a topic for a long afternoon :slight_smile:

In short, XTLS is also known as "Project X", a sorta-kinda unifying umbrella (and packet soft-router) for a bunch of protocols developed by (mostly) Chinese devs to bypass The Great Firewall. The Great Firewall is fully integrated into the state-controlled national internet, so it knows a lot - including traffic patterns, directions, ownership of IP address blocks, etc etc etc. It also does active probing (e.g., if it sees a lot of traffic originating from an IP address, it actively probes if this IP has open ports, and if it does, considers it a proxy/VPN endpoint). And so much more.

So, to hide from it (bypass it) effectively, they came up with a host of technologies. Currently, the most effective one is XTLS-Reality+VLESS.

XTLS is a simple packet router, basically a hack of TLS 1.3 that enables concealed VPN endpoint access. The way the Reality part works is (I'm oversimplifying, obviously): if it sees an HTTPS request for a website, say, from a source it knows (signatures, salted hashes, etc.) - it allows the client VPN access. Otherwise, the requester gets content from that website, so even a replay attack won't reveal the VPN endpoint.

VLESS is a very simple and efficient protocol without encryption - it's done on the TLS level.

Another thing to keep in mind - the whole thing is serverless. The client usually runs the same code as the server.

So you set up the server, define client IDs, then set up clients. Clients access the server via port 443, claiming to request the URL of your choice, and no one is the wiser.

The LuCI app I mentioned does it all but only allows one user ID for now. They promised to fix it, though.

The configuration (if you choose to do it all manually) is explained in painstaking detail here

Also, there are many example configs, mostly in Chinese though :slight_smile:

P.S. Oh, and Russians use it too, here's an article in Russian (google translate does a decent job)
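As an added example (not taken from the post above or from the Xray project's own documentation), here is a minimal Xray-core server config for VLESS over Reality that matches the "set up the server, define client IDs" step described earlier. The UUID, the X25519 private key, the short ID and the decoy site are placeholders: generate the first two with Xray's own `xray uuid` and `xray x25519` subcommands, and pick a real TLS 1.3 site you do not own as `dest`/`serverNames` (that is the site unauthenticated probes will be proxied to).

```json
{
  "log": { "loglevel": "warning" },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "REPLACE-WITH-UUID-FROM-xray-uuid",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.example.com:443",
          "xver": 0,
          "serverNames": [ "www.example.com" ],
          "privateKey": "REPLACE-WITH-PRIVATE-KEY-FROM-xray-x25519",
          "shortIds": [ "0123456789abcdef" ]
        }
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" }
  ]
}
```

The client side mirrors this: a `vless` outbound whose user entry carries the same `id`, `"encryption": "none"` and the same `flow`, with `streamSettings.security` set to `reality` and a `realitySettings` object holding `serverName` (same decoy hostname), `publicKey` (the public half from the same `xray x25519` run), `shortId` (one of the server's `shortIds`) and a browser `fingerprint` such as `chrome`. The placeholder values above are constructed for illustration; a client presenting a hello the server cannot authenticate is simply forwarded to `dest`, which is the "no one is the wiser" property the post describes.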