Jump to content
Main menu
Main menu
move to sidebar
hide
Navigation
Main page
Recent changes
Random page
Help about MediaWiki
Special pages
Copper9 Wiki
Search
Search
Appearance
Create account
Log in
Personal tools
Create account
Log in
Pages for logged out editors
learn more
Contributions
Talk
Editing
How to bypass ISP censorship
Page
Discussion
English
Read
Edit
Edit source
View history
Tools
Tools
move to sidebar
hide
Actions
Read
Edit
Edit source
View history
General
What links here
Related changes
Page information
Appearance
move to sidebar
hide
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
''A curated list of tools, protocols, and technologies for bypassing internet blocks, inspired by [https://github.com/danoctavian/awesome-anti-censorship this] project.'' This list focuses on tools and strategies designed to defeat active network-level filtering, such as Deep Packet Inspection (DPI), DNS blocking, and protocol-level blacklisting. __TOC__ = How Online Content is Blocked = Internet blocks are multi-layered systems and not simple on/off switches. Bypassing them is similar to a cat-and-mouse game. Filtering mechanisms primarily include: ; DNS Filtering / Poisoning / Hijacking : The censor intercepts requests to resolve a domain name and either returns no answer or a false IP address. This is the simplest and most common form of blocking, but also the easiest to bypass in some cases. To bypass it, a third party (not from your ISP) DNS server should be used with a DNS protocol supporting encryption like DNS over HTTPS. If blocks are still in place, your ISP may be using DPI. ; Deep Packet Inspection (DPI) : This is a more advanced method. State-level “middle boxes” (like Russia's TSPU or China's Great Firewall (GFW)) actively inspect the content of unencrypted (or encrypted for their own certificate authority) traffic. For encrypted traffic, they inspect the “metadata,” such as the Server Name Indication (SNI) in a TLS handshake. The SNI field, which states the domain you are visiting, is unencrypted and provides a simple way for censors to identify and block HTTPS connections. Bypassing this requires specialized programs. If blocks are still in place, your ISP may be using IP blacklisting. ; IP Blacklisting : The censor blocks all network traffic to and from known IP addresses associated with a “forbidden” service (e.g., a VPN provider's servers or a specific website). Bypassing this is harder and requires connecting to a proxy/VPN server that doesn't have these restrictions. This can create a chicken-and-egg problem, like a proxy/VPN service being IP blocked but needing a proxy/VPN to bypass it. ; Protocol Filtering : The DPI system is configured to identify and block the “fingerprints” of circumvention protocols themselves. Standard OpenVPN and WireGuard traffic is easily identifiable and is a primary target for blocking. Ports of commonly used protocols can be blocked too (e.g., port 51820 can be blocked to prevent a WireGuard connection if there are no alternative ports). The tools in this list are all solutions to one or more of these methods. They either: # Manipulate packets at a low level to confuse the DPI, # Obfuscate (disguise) traffic to look like something benign and unblockable (like standard web traffic), or # Decentralize content, so there is no single server to block. = Censorship Measurement Tools = This is a “meta” category. Before you can bypass censorship, you must prove it is happening and understand how. These tools are not for circumvention, but for detection. They are critical for activists, journalists, and researchers. == [https://ooni.org/ OONI Probe] == The Open Observatory of Network Interference. A free, open-source software and global network for measuring internet censorship. A project born out of The Tor Project, now an independent non-profit. Volunteers run the OONI Probe app on their mobile devices or computers from within 241 countries. The results are aggregated and published on the public OONI Explorer website. It is used to increase transparency, document censorship events globally, and provide hard, verifiable evidence of network interference and blocking. The app runs a series of tests to check for censorship: * '''Web Connectivity:''' It tries to access a list of websites (including globally and locally sensitive ones) from the user's network and from a control network, then compares the results. * '''App Blocking:''' It tests for blocks on specific apps like WhatsApp, Telegram, and Signal. * '''Circumvention Tool Blocking:''' It tests if circumvention tools themselves (like Tor, Psiphon, and Lantern) are reachable. '''PROs:''' * <span style="color:green">'''Provides Hard Evidence:'''</span> It is the best tool for scientifically proving how and what is being censored on a specific network. * <span style="color:green">'''Global & Open Data:'''</span> All data is publicly available for analysis, which is an invaluable resource for researchers, journalists, and human rights organizations. * <span style="color:green">'''Easy to Use:'''</span> The mobile app is simple for non-technical volunteers to run. '''CONs:''' * <span style="color:red">'''Potential Risk to User:'''</span> Running OONI Probe is not anonymous. Your ISP and any network monitor can see that you are running it. While OONI states the risk is “theoretical” and no user has faced consequences, this is a real risk in high-stakes environments. * <span style="color:red">'''Provocative Tests:'''</span> The app intentionally tests “provocative or objectionable sites (e.g., pornography)”, which might be illegal to even attempt to access in some countries, regardless of intent. = TLDR: I need a tool now! What should I use? = ''If you are in a risky situation, please do your research and do not trust any single source (including this one). These quick recommendations are for people with less sensitive threat models.'' {| class="wikitable" |- ! Level !! Recommendation |- | '''Level 1''' || DNS over HTTPS (DNS over TLS can be blocked but it may be an easier solution if you use Android >9 since it is built-in) + Encrypted Client Hello (supported by most modern browsers) |- | '''Level 2''' || Level 1 + WireGuard (preferably with AmneziaWG protocol) |- | '''Level 3''' || Level 2 + DPI bypassing (Zapret/GoodbyeDPI) |- | '''Level 4''' || Level 3 + tools similar to V2Ray |- | '''Level 5''' || '''Do Your Own Research If You Still Can't Connect to Websites''' |} = Local DPI Bypass Tools = This category of tools is fundamentally different from VPNs. They allow access to specific blocked services without the disruptive side effects of a VPN, such as changing your IP address. They also don't bypass IP blacklisting. These tools work by “desynchronizing” the censor's view of the network connection from the server's, causing the inspection to fail while allowing the real connection to proceed. They provide no extra encryption or anonymity; your ISP can still see what sites you are visiting, but their automated blocking mechanism is fooled. == [https://github.com/bol-van/zapret Zapret] == A stand-alone, high-performance DPI circumvention tool designed to “desynchronize” DPI systems by manipulating network packets at a low level. Zapret was created primarily to target the “Sovereign Internet” (RuNet) blocking system in Russia. Zapret is designed to run on a Linux-based gateway, such as a home router running OpenWrt or directly on a user's Linux desktop. Zapret uses low-level packet manipulation via components like <code>nfqws</code> and <code>tpws</code>. It employs a variety of “DPI desync” techniques, which can be configured by the user. These include sending fake packets (e.g., with the <code>--dpi-desync=fake</code> parameter), fragmenting packets (<code>--dpi-desync=fakedsplit</code>), and modifying packet checksums or TTLs to “fool” the inspection system (<code>--dpi-desync-fooling=badsum</code>). The tool includes a <code>blockcheck.sh</code> script that a user can run to test and identify the most effective desync parameters for their specific ISP. '''PROs:''' * <span style="color:green">'''High Performance:'''</span> Adds negligible latency. Because it typically only manipulates the first few packets of a connection to break the DPI's state, it is significantly faster than a full tunnel. * <span style="color:green">'''No IP Change:'''</span> This is its most significant advantage. It does not change your public IP address, making it ideal for accessing local, geo-restricted services (like banking, streaming, or city services) that would be broken by a VPN. It also does not need to trust any third party servers. * <span style="color:green">'''Transparent:'''</span> When installed on a router, it works transparently for all devices on the network (phones, computers, consoles) with no client-side software required. * <span style="color:green">'''Adaptive:'''</span> It is highly configurable to adapt to the specific, evolving DPI strategies used by different ISPs and nation-states. '''CONs:''' * <span style="color:red">'''No Extra Privacy or Anonymity:'''</span> This is critical to understand. Zapret does not provide extra privacy or anonymity. Your ISP can still see which sites you are visiting; the tool just prevents the automated block to provide access. * <span style="color:red">'''Specific Use Case:'''</span> It only defeats DPI. It does not bypass DNS-level blocking (it must be paired with an encrypted DNS service like DoH/DoT) or IP-address-level bans. == [https://github.com/ValdikSS/GoodbyeDPI Goodbye DPI] == A user-friendly DPI circumvention utility designed specifically for the Windows operating system. It runs on a user's local Windows PC (versions 7 through 11 are supported). It works by installing a Windows filter driver to intercept and modify packets as they leave the machine. It employs multiple methods simultaneously to be effective against a wide range of DPI systems. These methods include: TCP-level fragmentation, HTTP header manipulation (e.g., replacing Host with hoSt, or removing spaces), and sending fake packets with low TTLs to “poison” the DPI's state and cause it to fail. It also includes modes to redirect DNS requests to non-standard ports to bypass simple DNS poisoning. '''PROs:''' * <span style="color:green">'''Easy to Use:'''</span> This is its primary advantage. It is ideal for non-technical Windows users. The most common use case involves just running a single <code>.cmd</code> script. * <span style="color:green">'''No IP Change:'''</span> Shares the same benefits as Zapret; it does not interfere with local, geo-restricted services. Also, no third party to trust. * <span style="color:green">'''Effective:'''</span> It is designed to actively bypass both “Passive DPI” (which tries to “race” the real server with a fake reset packet) and “Active DPI” (which sits in-line and modifies traffic). '''CONs:''' * <span style="color:red">'''No Extra Privacy or Anonymity:'''</span> Like Zapret, this provides no extra encryption and is not a privacy tool. It is for access only. = Standard (Non-Obfuscated) Protocols = This category includes the standard, “baseline” protocols for proxies and VPNs. These tools are not designed for censorship circumvention and are the primary targets for blocking. Their distinct protocol “fingerprints” make them easy for DPI systems to identify and filter. They are included here as a baseline to illustrate why the more advanced, obfuscated tools in the next section are necessary. == [https://www.wireguard.com/ WireGuard] == An extremely simple, fast, and modern VPN (Virtual Private Network) protocol. A modern protocol (initial release 2015) that is now part of the Linux kernel. Runs on client and server machines, supported natively or via apps on all major operating systems. It uses state-of-the-art cryptography and has a very small, auditable code base (under 4,000 lines of code). It operates over UDP. '''PROs:''' * <span style="color:green">'''Extremely Fast:'''</span> Significantly higher performance and lower latency compared to OpenVPN, due to its lightweight code and modern encryption. * <span style="color:green">'''Simple & Secure:'''</span> A small code base makes it easier to audit and less susceptible to attack. * <span style="color:green">'''Quick Reconnects:'''</span> Connects and reconnects almost instantly, making it ideal for mobile devices switching between Wi-Fi and cellular data. '''CONs:''' * <span style="color:red">'''Easily Blocked:'''</span> This is its key weakness for censorship. It has a distinct, recognizable protocol fingerprint. It is not designed to bypass DPI and is actively blocked in countries like China and Russia. Protocols like AmneziaWG (modified version of WireGuard designed to prevent DPI) should be used when possible. == [https://openvpn.net/ OpenVPN] == A mature, open-source, and highly configurable VPN protocol. First released in 2001, it has been the industry standard for over two decades. It uses a custom security protocol based on SSL/TLS. It can run over either TCP or UDP, which makes it flexible. '''PROs:''' * <span style="color:green">'''Mature:'''</span> Battle-tested and thoroughly audited for decades. * <span style="color:green">'''Flexible:'''</span> Can be configured to run over any port and use either TCP or UDP. '''CONs:''' * <span style="color:red">'''Easily Blocked:'''</span> Like WireGuard, its handshake is very distinct and easily identified and blocked by DPI systems. * <span style="color:red">'''Slow:'''</span> It is much slower and has higher latency than WireGuard. Its code base is big (400,000+ lines). == [https://en.wikipedia.org/wiki/IKEv2 IKEv2/IPsec] == A secure, standards-based VPN protocol (Internet Key Exchange version 2). Developed by Microsoft and Cisco, and standardized by the IETF. Native to most modern operating systems. It is often used in self-hosted setups (like Algo). '''PROs:''' * <span style="color:green">'''Native Support:'''</span> Supported “out of the box” by Windows, Android, macOS, and iOS. * <span style="color:green">'''Stable:'''</span> Very good at re-establishing a connection quickly when a network drops. '''CONs:''' * <span style="color:red">'''Easily Blocked:'''</span> It is not a circumvention tool and is easily detected and blocked by DPI. == [https://en.wikipedia.org/wiki/SOCKS SOCKS] == A low-level proxy protocol that can route virtually any type of network traffic from any application (SOCKS5 since 1996). A client application sends traffic to a SOCKS5 server, which then forwards it to the final destination. It operates at Layer 5 (the Session Layer). '''PROs:''' * <span style="color:green">'''Extremely Versatile:'''</span> Can handle any type of traffic, including web, P2P, gaming, and email. '''CONs:''' * <span style="color:red">'''Not Encrypted:'''</span> Provides zero encryption by itself. All traffic is sent in the clear and is fully visible to an ISP. * <span style="color:red">'''Trivially Blocked:'''</span> Unencrypted, identifiable traffic is extremely easy for any DPI system to inspect and block. == [https://en.wikipedia.org/wiki/Proxy_server HTTP(S) Proxies / Web Proxies] == A basic, high-level proxy protocol designed exclusively for web (HTTP and HTTPS) traffic. Primarily used by web browsers. It operates at Layer 7 (the Application Layer). '''PROs:''' * <span style="color:green">'''Simple:'''</span> Easy to set up and widely supported by all browsers. '''CONs:''' * <span style="color:red">'''Extremely Limited:'''</span> Only works for web traffic. * <span style="color:red">'''Not Encrypted:'''</span> Provides no encryption for your connection to the proxy (when no HTTPS). * <span style="color:red">'''Not Anonymous:'''</span> HTTP proxies typically add headers (like X-Forwarded-For) that identify the original user's IP address. * <span style="color:red">'''Trivially Blocked:'''</span> Very easy to detect and block. = Obfuscated Proxy Protocols & Platforms = This category represents the “engine” for most modern, robust circumvention. The development of these protocols illustrates the “cat-and-mouse” arms race. # '''Phase 1 (Encrypt):''' Standard VPNs (OpenVPN, WireGuard) are encrypted but have obvious “fingerprints”. # '''Phase 2 (Scramble):''' Tools like Shadowsocks and obfs4 encrypt and “scramble” traffic to look like “random” data. # '''Phase 3 (Mimic):''' Tools like V2Ray (VLESS+TLS) and Trojan are designed to mimic standard, benign HTTPS traffic. # '''Phase 4 (Be Indistinguishable):''' Tools like Naïve Proxy reuse the actual network stack from a real browser (Chrome) to be bit-for-bit indistinguishable. == [https://shadowsocks.org/ Shadow Socks] == A fast, encrypted SOCKS5 proxy. It is not a full VPN. Originally created in 2012 by “clowwindy” specifically to bypass the Great Firewall (GFW) of China. Its strength is its simplicity and its use of modern AEAD ciphers. It “disguises” traffic to look like HTTPS but does not explicitly mimic another protocol. '''PROs:''' * <span style="color:green">'''Fast and Lightweight:'''</span> Generally faster than full VPNs and complex multi-layered tools. * <span style="color:green">'''Selective:'''</span> Easy to configure which traffic goes through it (e.g., using a PAC file). '''CONs:''' * <span style="color:red">'''Detectable by Advanced DPI:'''</span> Advanced DPI can detect Shadowsocks traffic through traffic analysis and active probing. * <span style="color:red">'''Not a Full VPN:'''</span> Does not tunnel all system traffic by default, leading to potential “leaks”. == [https://github.com/v2fly/v2ray-core V2Ray] == A platform or framework for building proxies. It is not a single protocol, but a “box” that can manage multiple inbound and outbound protocols, transports, and advanced routing rules. By wrapping its proxy traffic inside Web Socket and TLS, it makes the traffic appear as standard, indistinguishable HTTPS traffic. '''PROs:''' * <span style="color:green">'''Extremely Flexible:'''</span> Can be configured to mimic HTTPS, run over Web Sockets, use QUIC, etc. * <span style="color:green">'''Resilient:'''</span> Its multiprotocol nature means it can be reconfigured if one method is blocked. * <span style="color:green">'''Advanced Routing:'''</span> Can selectively route traffic based on domain or IP. '''CONs:''' * <span style="color:red">'''Complex:'''</span> Requires understanding of its complex concepts of inbounds, outbounds, and transports. * <span style="color:red">'''Performance Overhead:'''</span> Layered encryption adds significant latency. * <span style="color:red">'''VMess is Detectable:'''</span> The original VMess protocol is now considered detectable by advanced GFW packet sniffing. === V2Ray Protocols: VMess vs. VLESS === * '''VMess:''' The original, feature-rich protocol for V2Ray. It has its own built-in encryption and authentication methods. It is considered more “heavy” and less safe against modern GFW probing. * '''VLESS:''' A newer, lightweight protocol. It removes VMess's built-in encryption layer and delegates security to the underlying transport layer, such as TLS. This simplifies the handshake, improves speed, and makes it more indistinguishable from a standard HTTPS website. == [https://github.com/XTLS/Xray-core X-ray] == A high-performance, open-source proxy platform and a fork of V2Ray. Developed by the XTLS community. Xray-core supports all of V2Ray's protocols and adds XTLS. XTLS is a “direct encryption” technology that avoids the performance-draining “TLS-in-TLS” problem, resulting in lower latency and higher speeds than VLESS+TLS. '''PROs:''' * <span style="color:green">'''Faster:'''</span> X-ray with its XTLS protocol is generally considered faster and more efficient. * <span style="color:green">'''Backward Compatible:'''</span> Acts as a drop-in, enhanced replacement for V2Ray-core. * <span style="color:green">'''Advanced Protocols:'''</span> VLESS and XTLS are highly effective at mimicking standard web traffic. '''CONs:''' * <span style="color:red">'''Complexity:'''</span> Inherits all of V2Ray's complexity. * <span style="color:red">'''Less Documentation:'''</span> Newer technology with poorer documentation than established setups. == [https://github.com/trojan-gfw/trojan Trojan] == A proxy protocol that is specifically designed to perfectly imitate a real HTTPS server. It runs on a server, binds to port 443, and simultaneously serves a real, working website. This makes it highly resistant to the “active probing” techniques. '''PROs:''' * <span style="color:green">'''Extremely Stealthy:'''</span> Mimics HTTPS perfectly and serves a real website as a disguise. * <span style="color:green">'''High Performance:'''</span> Simpler protocol that uses TLS directly. '''CONs:''' * <span style="color:red">'''Requires a Domain Name:'''</span> You must have a registered domain name and a valid SSL/TLS certificate. * <span style="color:red">'''Vulnerable to TLS-in-TLS Detection:'''</span> Censors have started detecting the “TLS-in-TLS” pattern. == [https://github.com/klzgrad/naiveproxy Naïve Proxy] == A proxy that re-uses the network stack from the Chromium browser to camouflage its traffic. A “Phase 4” tool. It uses HTTP/2 multiplexing, HTTP/2 traffic padding, and the exact TLS handshake of a real Chrome browser. '''PROs:''' * <span style="color:green">'''The “Most” Stealthy:'''</span> Arguably the most advanced tool for defeating traffic analysis and fingerprinting. * <span style="color:green">'''High Performance:'''</span> Leverages Chrome's high-performance HTTP/2 stack. '''CONs:''' * <span style="color:red">'''Complex:'''</span> Requires a Caddy server with a specific plugin, domain name, and TLS cert. * <span style="color:red">'''Still a Proxy:'''</span> Not a full system-wide VPN. = Self-Hosted VPN/Proxy Suites = Instead of trusting a commercial VPN, these scripts automate the setup of a private server on a cloud provider. == [https://github.com/trailofbits/algo Algo] == A set of Ansible scripts that automates the deployment of a minimalist, secure personal VPN. Created by Trail of Bits. It installs WireGuard and IKEv2/IPsec, deliberately excluding obfuscation tools. '''PROs:''' * <span style="color:green">'''Secure by Default:'''</span> Uses modern, strong protocols with secure ciphers. * <span style="color:green">'''Minimalist:'''</span> Includes only the minimal software you need. * <span style="color:green">'''Clientless (IKEv2):'''</span> Supported natively by most OS. '''CONs:''' * <span style="color:red">'''Not for Censorship Bypass:'''</span> WireGuard and IKEv2 are easily detected and blocked by DPI. * <span style="color:red">'''Security Vulnerabilities:'''</span> Theoretical risk of MitM if the VPS is compromised due to self-signed certs. == [https://github.com/StreisandEffect/streisand Streisand] == Automates the deployment of a full suite of anti-censorship tools (“kitchen sink” approach). Installs WireGuard, OpenVPN, Shadowsocks, Trojan, Tor bridges, and more. '''PROs:''' * <span style="color:green">'''Extremely Versatile:'''</span> Gives the user many options to try if one is blocked. * <span style="color:green">'''Designed for Censorship:'''</span> Specifically designed for circumvention. '''CONs:''' * <span style="color:red">'''“Kitchen Sink” Risk:'''</span> Dramatically increases the potential attack surface. * <span style="color:red">'''Less Secure Defaults:'''</span> More permissive defaults than Algo. * <span style="color:red">'''Outdated:'''</span> Did not get updated for a long time. = Anonymity Networks & Pluggable Transports = Designed for anonymity. However, to be anonymous, you first must be able to connect. == [https://www.torproject.org/ Tor Project] == A free, open-source network and browser that provides anonymity by routing traffic through a three-layer “onion” of volunteer-run relays. '''PROs:''' * <span style="color:green">'''Strong Anonymity:'''</span> The most-studied tool for public-internet anonymity. * <span style="color:green">'''Pluggable Transports:'''</span> Built-in system to bypass blocking. * <span style="color:green">'''Easy to Use:'''</span> The Tor Browser is a simple, all-in-one application. '''CONs:''' * <span style="color:red">'''Very Slow:'''</span> Impractical for streaming or large downloads. * <span style="color:red">'''Blocked by Default:'''</span> Relay lists are public and easily blocked. * <span style="color:red">'''Stigma:'''</span> Can attract suspicion from ISPs or law enforcement. === Tor Pluggable Transports (PTs) === ; obfs4 : The modern “scrambler” (Phase 2). Makes Tor traffic “look random, like nothing”. Can be blocked by whitelists. ; meek : The “domain fronting” transport (Phase 3). Makes Tor traffic look like it's going to a major CDN. Very slow and fragile; major providers blocked it. ; Web Tunnel : A newer transport that masks Tor traffic as a standard HTTPS connection. ; Snowflake : A peer-to-peer transport. Connects to ephemeral proxies run by volunteers in their web browsers. == I2P (Invisible Internet Project) == A decentralized, anonymous network layer. Uses “Garlic Routing” which bundles multiple messages together and sends them through unidirectional tunnels. '''PROs:''' * <span style="color:green">'''Excellent for Hidden Services:'''</span> Optimized for “eepsites”. * <span style="color:green">'''Decentralized & Resilient:'''</span> Distributed and P2P-friendly. * <span style="color:green">'''Harder Analysis:'''</span> Unidirectional tunnels make traffic analysis harder. '''CONs:''' * <span style="color:red">'''Not for Public Web Access:'''</span> Relies on volunteer-run “out proxies” which are few and slow. * <span style="color:red">'''Slow:'''</span> Complex P2P routing. = Decentralized & Federated & P2P Networks = Censorship-resistance-by-design. If there is no single server, there is no single point to block. == [https://github.com/HelloZeroNet/ZeroNet Zero Net] == A decentralized, peer-to-peer web-like network. Uses Bitcoin cryptography for identity and BitTorrent to distribute content. '''PROs:''' * <span style="color:green">'''Extremely Censorship-Resistant:'''</span> Cannot be taken down by DMCA or government order. * <span style="color:green">'''Zero Hosting Cost:'''</span> The audience provides the infrastructure. * <span style="color:green">'''Works Offline:'''</span> Browse “seeded” sites without internet. '''CONs:''' * <span style="color:red">'''Not Anonymous by Default:'''</span> IP is visible to peers. == [[wikipedia:Hyphanet|Hypha net (formerly Freenet)]] == A decentralized, P2P network where all users contribute disk space and bandwidth. Content is retrieved by a key, not a location. Nodes do not know what content they are storing. '''PROs:''' * <span style="color:green">'''Anonymous by Design:'''</span> Anonymity built-in for publishers and consumers. * <span style="color:green">'''Deniable Storage:'''</span> Plausible deniability for hosts. '''CONs:''' * <span style="color:red">'''“Forgets” Content:'''</span> Unpopular data is eventually dropped. * <span style="color:red">'''Static Content Only:'''</span> No dynamic sites. == [https://ipfs.tech/ IPFS] == A decentralized, peer-to-peer protocol. Uses content-based addressing (CID) instead of location-based addressing. '''PROs:''' * <span style="color:green">'''Highly Censorship-Resistant:'''</span> Content itself cannot be blocked. * <span style="color:green">'''Data Integrity:'''</span> Cryptographic CIDs guarantee the exact file. '''CONs:''' * <span style="color:red">'''Not Anonymous by Default:'''</span> IP is visible. * <span style="color:red">'''Content is Not Permanent:'''</span> Files disappear if not “pinned”. * <span style="color:red">'''Censorable at the Gateway:'''</span> Public gateways can filter content. == Torrenting == Files are distributed across thousands of users' computers. Extremely resilient against takedowns. '''PROs:''' * <span style="color:green">'''Distributed & Fast:'''</span> Speeds up as more people host. * <span style="color:green">'''No Central Logs:'''</span> Makes surveillance resource-intensive. '''CONs:''' * <span style="color:red">'''Not Anonymous by Default:'''</span> IPs are public. * <span style="color:red">'''Stigma:'''</span> ISPs actively throttle or block torrents. = Emerging Privacy Protocols (DNS/TLS) = == DNS-over-HTTPS (DoH) / DNS-over-TLS (DoT) / DNS Crypt == Protocols that encrypt DNS queries to prevent tracking and poisoning. * '''DoT:''' Dedicated port 853. * '''DoH:''' Uses port 443 (standard web traffic). * '''DNS Crypt:''' Encrypts payloads using public keys. '''PROs:''' * <span style="color:green">'''Bypasses DNS Filtering:'''</span> Primary benefit. * <span style="color:green">'''Stealthy (DoH):'''</span> Indistinguishable from HTTPS. '''CONs:''' * <span style="color:red">'''DoT is Easily Blocked:'''</span> Port 853 can be blocked. * <span style="color:red">'''Does Not Bypass DPI:'''</span> Useless if SNI or IP is blocked. == Encrypted Client Hello (ECH) == A TLS 1.3 extension that encrypts the SNI, closing the metadata leak in HTTPS. '''PROs:''' * <span style="color:green">'''Defeats SNI-Based DPI:'''</span> Makes this class of censorship obsolete. * <span style="color:green">'''Proactive & Native:'''</span> Protects all users by default when adopted. '''CONs:''' * <span style="color:red">'''Not Yet Standard:'''</span> Not universally deployed. * <span style="color:red">'''Already Being Blocked:'''</span> Russia blocks ECH directly; China blocks encrypted DNS to prevent ECH. = Other Workarounds = ; Privacy Frontends : Proxy traffic to upstream services. Upstream doesn't see your IP, but usually limited to specific websites and can be unstable. ; Website Mirrors : Viewing alternative hosted versions of sites. Only some content has mirrors. ; Federated Services : Distributed alternatives to centralized platforms. Can leak metadata. = Do you need a VPN? = If one or more of these are true, a VPN may be necessary: * Connecting to untrusted hotspots. * Untrusted websites (IP loggers). * Geo-blocked regularly. * ISP blocks content. * Lack of trust in ISP. * Need servers in specific countries. * ISP throttling. = Inclusion Criteria = * '''Source Availability:''' Open-source projects preferred. * '''Security:''' Strong security practices, audited code. * '''Community Support:''' Active forums and issue trackers. * '''Cost-Effectiveness:''' Fits budget requirements. * '''No Walled Gardens:''' Prefer self-hosted or alternative client capable software. * '''Proven Track Record:''' Mature projects. = Tor vs. I2P Comparison = ''This part of the guide is taken from the [https://geti2p.net/en/comparison/tor i2p projects comparison page].'' {| class="wikitable" style="width:100%; vertical-align:top;" |- ! Benefits of Tor over I2P !! Benefits of I2P over Tor |- style="vertical-align:top;" | * Much bigger user base; highly visible academic and hacker community support. * Solved scaling issues I2P hasn't addressed. * Significant funding and funded developers. * More resistant to state-level blocking due to TLS transport layer and bridges. * Designed and optimized for exit traffic (large number of exit nodes). * Better documentation, formal papers, and translations. * More efficient memory usage. * Low bandwidth overhead for client nodes. * Centralized control efficiently addresses Sybil attacks. * High capacity core nodes provide higher throughput and lower latency. * Written in C. | * Designed and optimized for hidden services, which are much faster than in Tor. * Fully distributed and self-organizing. * Peers selected by continuous profiling rather than trusted claims. * Floodfill peers ("directory servers") are untrusted and vary. * Small enough that it hasn't been blocked or DOSed much. * Peer-to-peer friendly. * Packet switched instead of circuit switched (transparent load balancing, resilience via parallel tunnels). * Unidirectional tunnels instead of bidirectional circuits (doubles nodes an attacker must compromise). * Short-lived tunnels decrease active attack vectors compared to Tor circuits. * Essentially all peers participate in routing. * Written in Java. |} = See also (Resources) = * [[wikipedia:Internet_censorship_circumvention|Internet censorship circumvention: Wikipedia]] * [https://github.com/bol-van/zapret Zapret Documentation] * [https://github.com/ValdikSS/GoodbyeDPI Goodbye DPI GitHub] * [https://shadowsocks.org/ Shadowsocks Official] * [https://github.com/v2fly/v2ray-core V2Ray Core] * [https://github.com/XTLS/Xray-core X-ray Core] * [https://tb-manual.torproject.org/circumvention/ Tor Circumvention Manual] * [https://geti2p.net/ I2P Anonymous Network] * [https://ooni.org/ OONI Open Observatory of Network Interference] [[Category:Internet Censorship]] [[Category:Privacy Software]] [[Category:Circumvention]]
Summary:
Please note that all contributions to Copper9 Wiki may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Wiki on Copper9:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Search
Search
Editing
How to bypass ISP censorship
Add topic
