VMess + Obfs4proxy

[seakfind]

The @net4people bbs issue 136 points to the increasing pace of the "cat-and-mouse game" and calls for four responses:

1. Be more tolerant of imperfect circumvention solutions and do not give up on an imperfect circumvention solution too soon.
2. Increase the diversity of censorship circumvention solutions by letting a thousand flowers bloom.
3. Actively report new censorship events, promptly measure and understand new censorship techniques, and share the viable circumvention strategies with the community.
4. Develop backup circumvention tools in advance.

This post describes a new and experimental approach using the forward proxy feature of Xray together with Hamy's post on "How to hide (obfuscate) any traffic using obfs4."

Install and configure Xray on server

Use the standard Xray installation script.

Configure Xray like this. Notice that Xray listens only on 127.0.0.1. We use 11111 as an example port.

{
    "log": {
        "loglevel": "warning",
        "access": "/var/log/xray/access.log", 
        "error": "/var/log/xray/error.log"
    },
    "routing": {
        "domainStrategy": "AsIs",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "block"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 11111,
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": "bd1ae860-062c-4855-b3f6-f4235909bfcf"
                    }
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "tag": "block"
        }
    ]
}

Create a systemd override:

systemctl edit xray.service

Insert the lines:

[Service]
Environment=XRAY_VMESS_AEAD_FORCED=false

Restart Xray:

systemctl daemon-reload

systemctl restart xray

Install and configure obfs4proxy on server

obfs4proxy will listen on port 22222. It will forward deobfuscated traffic to localhost port 11111, which is where xray is listening.

Open port 22222/tcp in your server's firewall.

Install obfs4proxy:

apt install obfs4proxy -y

Make a directory for obfs4proxy to store its data:

mkdir /var/lib/pt_state

Start a new screen session named obfs4:

screen -S obfs4

Set up the environment variables that will cause obfs4proxy to function as intended:

export TOR_PT_MANAGED_TRANSPORT_VER=1
export TOR_PT_STATE_LOCATION="/var/lib/pt_state"
export TOR_PT_SERVER_TRANSPORTS="obfs4"
export TOR_PT_SERVER_TRANSPORT_OPTIONS="obfs4:iat-mode=0"
export TOR_PT_SERVER_BINDADDR="obfs4-0.0.0.0:22222"
export TOR_PT_ORPORT="127.0.0.1:11111"

Start obfs4proxy running with these settings:

obfs4proxy

obfs4proxy displays the value of a variable called cert. We will redisplay this value in a moment.

Press Ctrl+a then d to detach from the screen session named obfs4.

Display the obfs4 bridge line:

cat /var/lib/pt_state/obfs4_bridgeline.txt

You will need the value of the cert field for the client configuration. Let's refer to it as <cert>.

Install and configure obfs4proxy on client

Install obfs4proxy on your client PC:

sudo apt update && sudo apt upgrade -y

sudo apt install obfs4proxy -y

Make a directory for obfs4proxy to store its data:

mkdir ~/pt_state

Set up the environment variables, replacing <your-user-name> by your actual user name on the client:

export TOR_PT_MANAGED_TRANSPORT_VER=1
export TOR_PT_STATE_LOCATION="/home/<your-user-name>/pt_state"
export TOR_PT_CLIENT_TRANSPORTS="obfs4"

Start obfs4proxy running with these settings:

obfs4proxy

obfs4proxy sets up a SOCKS5 server on a random local port, which it announces. You will need that port number for your Xray configuration in a moment. Let's refer to it as <obfs4proxy-port>. Example output:

VERSION 1
CMETHOD obfs4 socks5 127.0.0.1:33333
CMETHODS DONE

So in this example, <obfs4proxy-port> is 33333.

Leave the first window open with obfs4proxy running in it.

Install and configure Xray on client

On the client, Xray will listen for SOCKS5 input on port 1080. Xray will pass traffic to obfs4proxy on localhost port <obfs4proxy-port>, which in our example is port 33333.

Download and unzip the latest Xray-linux-64.zip.

Create a configuration file config.json. Make it look as below. The inbound is SOCKS5 input from the browser. The outbound is the Xray server. Traffic is passed first to the SOCKS5 forward proxy, which is listening on localhost port 33333 in our example.

{
  "inbounds": [
    {
      "port": 1080,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "123.123.123.123",
            "port": 22222,
            "users": [
              {
                "id": "bd1ae860-062c-4855-b3f6-f4235909bfcf"
              }
            ]
          }
        ]
      },
      "tag": "VMESS",
      "proxySettings": {
        "tag": "SOCKS"  
      }
    },
    {
      "protocol": "socks",
      "settings": {
        "servers": [
          {
            "address": "127.0.0.1",
            "port": 33333,
            "users": [
              {
                "user": "cert=<cert>;iat-mode=", 
                "pass": "0"
              }
            ]
          }
        ]
      },
      "tag": "SOCKS"
    }
  ]
}

Notice that the user and pass fields are used to pass the cert and iat-mode parameters.

In a second terminal, run Xray with the configuration you specified in config.json.

./xray run -c config.json

Leave the second terminal window open with xray running in it.

Configure browser on client

Configure Firefox to use the SOCKS5 proxy on localhost port 1080. Check the box so that it proxies DNS when using SOCKS5.

Perform your end-to-end testing.

[free-the-internet]

It's a good idea. I was thinking about something like this, as obfs4 is now very mature today, but first we need to see if it really works in current Internet situation in Iran.

Have you tested this?
I tested a tor obfs4 bridge 2 months ago and based on my experience, obfs4 bridges can not connect in Iran (or it fails multiple times).

[seakfind]

No, it has not been tested in a real-world situation. It is just an idea.

One observation I have is that if everyone uses a method, eventually it gets blocked. So this was an idea for "flying under the radar" and doing something weird and different from everyone else.