Bypassing a network firewall with VPN which only lets TCP 80/443 through

It's a topic for a long afternoon :slight_smile:

In short, XTLS is also known as "Project X", a sorta-kinda unifying umbrella (and packet soft-router) for a bunch of protocols developed by (mostly) Chinese devs to bypass The Great Firewall. The Great Firewall is fully integrated into the state-controlled national internet, so it knows a lot - including traffic patterns, directions, ownership of IP address blocks, etc etc etc. It also does active probing (e.g., if it sees a lot of traffic originating from an IP address, it actively probes if this IP has open ports, and if it does, considers it a proxy/VPN endpoint). And so much more.

So, to hide from it (bypass it) effectively, they came up with a host of technologies. Currently, the most effective one is XTLS-Reality+VLESS.

XTLS is a simple packet router, basically a hack of TLS-1.3 that enables concealed VPN endpoint access. The way the Reality part works is (I'm oversimplifying, obviously): if it sees an HTTPS request for a website, say, cdn.ditto.site from a source it knows (signatures, salted hashes, etc.) - it allows the client VPN access. Otherwise, the requestor gets content from cdn.ditto.site, so even a replay attack won't reveal the VPN endpoint.

VLESS is a very simple and efficient protocol without encryption - it's done on the TLS level.

Another thing to keep in mind - the whole thing is serverless. The client usually runs the same code as the server.

So you set up the server, define client IDs, then set up clients. Clients access the server via port 443, claiming to request the URL of your choice, and no one is the wiser.

The LUCI app I mentioned does it all but only allows one user-ID for now. They promised to fix it, though.

The configuration (if you choose to do it all manually) is explained in painstaking detail here.

Also, there are many example configs, mostly in Chinese though :slight_smile:

P.S. Oh, and Russians use it too; here's an article in Russian (Google Translate does a decent job).


Hi everyone, Rat again,

[in reply to @maurer @Pico @pavelgl]

I believe I've fixed it for the time being, I'll have to run a "production" test since it works on my local network.

I found a wstunnel Armv7 executable and have run that using a custom init script that runs on startup with a 20s delay to ensure the router gains a connection first.

I also (with the Gl.iNet software) added a VPN bypass rule which contained my VPS IP, which prevented wstunnel from tunnelling through a broken VPN connection (this was so silly haha).

I didn't have to do any additional config; however, finding a working wstunnel executable that actually ran was the hardest part of this whole journey. Unfortunately, the version of WireGuard this proprietary OS ships with does not allow PreUp, PostDown, etc. scripts, so I had to write the init script I mentioned above, and this was a bit challenging since I've never done this before.

Anyways, thank you all for your suggestions and patience with me. I'll keep you updated if there is anything that goes wrong.

If any newcomers want additional info/configs, feel free to mention me. I won't add them to this reply since it's already gotten too big.

Appreciated,
Rat

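An added illustration of the startup approach Rat describes (wait for the WAN link, then launch wstunnel so WireGuard can ride inside it over TCP 443). This is example code, not the script from the post; the VPS address, the port numbers and the wstunnel v8+ `-L` syntax are assumptions.

```shell
#!/bin/sh /etc/rc.common
# Added example (not from the thread): an OpenWrt/procd init script that
# starts the wstunnel client late in boot so WireGuard can use TCP 443.
# Placeholders, not values from the post: VPS_ADDR, the ports, and the
# assumed wstunnel >= 8 command syntax.

START=99        # run late in boot, after the network scripts
USE_PROCD=1

VPS_ADDR="vps.example.invalid"   # placeholder: your VPS hostname or IP
WS_PORT=443                      # only TCP 80/443 pass the firewall
WG_PORT=51820                    # local UDP port WireGuard's Endpoint uses
BOOT_DELAY=20                    # seconds to wait for a WAN route, as in the post

# Build the wstunnel client argument list. Local UDP WG_PORT is carried
# over WebSocket-over-TLS to the WireGuard listener on the VPS side.
# The VPS address must also be in the router's VPN bypass rule, or this
# TCP session gets routed into the not-yet-working WireGuard tunnel.
wstunnel_args() {
    printf 'client -L udp://127.0.0.1:%s:127.0.0.1:%s wss://%s:%s' \
        "$WG_PORT" "$WG_PORT" "$VPS_ADDR" "$WS_PORT"
}

# Return 0 once a default route exists, 1 after $1 seconds without one;
# this avoids starting the tunnel before the router has a connection.
wait_for_default_route() {
    remaining=$1
    while [ "$remaining" -gt 0 ]; do
        ip route show default 2>/dev/null | grep -q . && return 0
        sleep 1
        remaining=$((remaining - 1))
    done
    return 1
}

start_service() {
    wait_for_default_route "$BOOT_DELAY" \
        || logger -t wstunnel "no default route after ${BOOT_DELAY}s, starting anyway"
    procd_open_instance
    procd_set_param command /usr/bin/wstunnel $(wstunnel_args)
    procd_set_param respawn      # restart the tunnel if it dies
    procd_set_param stderr 1     # send wstunnel's stderr to the system log
    procd_close_instance
}
```

Install it as /etc/init.d/wstunnel, mark it executable and enable it; the WireGuard peer's Endpoint then points at 127.0.0.1:51820 on the router.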