mirror of
https://github.com/ValdikSS/GoodbyeDPI.git
synced 2025-12-17 21:04:36 +03:00
Compare commits
17 Commits
windivert2
...
openvpn
| Author | SHA1 | Date | |
|---|---|---|---|
|
404850245e | ||
|
|
ecc681a60b | ||
|
|
4f18a73239 | ||
|
|
67629fb6ef | ||
|
|
27a6d256f0 | ||
|
|
938dce7333 | ||
|
|
99c403ca62 | ||
|
|
6ee4101f58 | ||
|
|
f94a20d221 | ||
|
|
55a3a94065 | ||
|
|
8383ecaadf | ||
|
|
8deacbc438 | ||
|
|
1cfd2b1b9f | ||
|
|
766a8ab4ed | ||
|
|
b7190f0e1f | ||
|
|
857aeb2366 | ||
|
|
871670845f |
38
.github/ISSUE_TEMPLATE/bug.yml
vendored
38
.github/ISSUE_TEMPLATE/bug.yml
vendored
@@ -1,19 +1,35 @@
|
||||
name: Bug Report / Сообщение об ошибке
|
||||
description: File a bug report / Сообщить об ошибке в проекте
|
||||
description: File a bug report / Сообщить об ошибке в программе
|
||||
|
||||
body:
|
||||
- type: markdown
|
||||
attributes:
|
||||
value: |
|
||||
Please pay some attention!
|
||||
GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
|
||||
Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
|
||||
Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
|
||||
**USE THIS FORM ONLY FOR BUGS**
|
||||
GoodbyeDPI does not guarantee to work with your ISP for every blocked website or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it here.
|
||||
|
||||
Пожалуйста, прочтите!
|
||||
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
|
||||
Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
|
||||
Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
|
||||
Please only report software bugs, such as:
|
||||
* program crash
|
||||
* incorrect network packet handling
|
||||
* antivirus incompatibility
|
||||
* DNS redirection problems
|
||||
* other software
|
||||
|
||||
Please make sure to check other opened and closed issues, it could be your bug has been reported already.
|
||||
For questions, or if in doubt, [use NTC.party forum](https://ntc.party/c/community-software/goodbyedpi).
|
||||
|
||||
**ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ**
|
||||
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу с каждым заблокированным сайтом. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
|
||||
|
||||
Пожалуйста, сообщайте только об ошибках в программе, таких как:
|
||||
* падение программы
|
||||
* некорректная обработка сетевых пакетов
|
||||
* несовместимость с антивирусами
|
||||
* проблемы с перенаправлением DNS
|
||||
* другие ошибки в программе
|
||||
|
||||
Также посмотрите другие открытые и закрытые баги. Возможно, ошибка уже обсуждалась или исправлена.
|
||||
Для вопросов, а также в случае сомнений в определении бага, обращайтесь [на форум NTC.party](https://ntc.party/c/community-software/goodbyedpi).
|
||||
- type: input
|
||||
id: os
|
||||
attributes:
|
||||
@@ -35,8 +51,8 @@ body:
|
||||
- type: textarea
|
||||
id: what-happened
|
||||
attributes:
|
||||
label: Describe the issue / Опишите проблему
|
||||
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается проблема
|
||||
label: Describe the bug / Опишите ошибку программы
|
||||
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается ошибка
|
||||
placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты
|
||||
validations:
|
||||
required: true
|
||||
|
||||
1
.github/workflows/build.yml
vendored
1
.github/workflows/build.yml
vendored
@@ -4,6 +4,7 @@ on:
|
||||
push:
|
||||
paths:
|
||||
- 'src/**'
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-2.2.0-A.zip
|
||||
|
||||
@@ -44,12 +44,13 @@ Usage: goodbyedpi.exe [OPTION...]
|
||||
This option can be supplied multiple times.
|
||||
--allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.
|
||||
--set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.
|
||||
DANGEROUS! May break websites in unexpected ways. Use with care.
|
||||
DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
|
||||
--auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease
|
||||
it based on a distance. If the distance is shorter than a2, TTL is decreased
|
||||
by a2. If it's longer, (a1; a2) scale is used with the distance as a weight.
|
||||
If the resulting TTL is more than m(ax), set it to m.
|
||||
Default (if set): --auto-ttl 1-4-10. Also sets --min-ttl 3.
|
||||
DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
|
||||
--min-ttl <value> minimum TTL distance (128/64 - TTL) for which to send Fake Request
|
||||
in --set-ttl and --auto-ttl modes.
|
||||
--wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.
|
||||
@@ -65,6 +66,7 @@ Usage: goodbyedpi.exe [OPTION...]
|
||||
Use this option to reduce CPU usage by skipping huge amount of data
|
||||
(like file transfers) in already established sessions.
|
||||
May skip some huge HTTP requests from being processed.
|
||||
Default (if set): --max-payload 1200.
|
||||
|
||||
|
||||
LEGACY modesets:
|
||||
@@ -74,8 +76,8 @@ LEGACY modesets:
|
||||
-4 -p -r -s (best speed)
|
||||
|
||||
Modern modesets (more stable, more compatible, faster):
|
||||
-5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)
|
||||
-6 -f 2 -e 2 --wrong-seq --reverse-frag
|
||||
-5 -f 2 -e 2 --auto-ttl --reverse-frag --max-payload (this is the default)
|
||||
-6 -f 2 -e 2 --wrong-seq --reverse-frag --max-payload
|
||||
```
|
||||
|
||||
To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser.
|
||||
@@ -143,6 +145,7 @@ Modify them according to your own needs.
|
||||
- **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
|
||||
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
|
||||
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
|
||||
- **[SpoofDPI](https://github.com/xvzc/SpoofDPI)** by @xvzc (for macOS and Linux)
|
||||
|
||||
# Kudos
|
||||
|
||||
|
||||
@@ -19,7 +19,7 @@ CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
|
||||
-Wnull-dereference -Warray-bounds=2 -Wimplicit-fallthrough=3 \
|
||||
-Wstringop-overflow=4 \
|
||||
-Wformat-signedness -Wstrict-overflow=2 -Wcast-align=strict \
|
||||
-Wfloat-equal -Wcast-align -Wsign-conversion \
|
||||
-Wfloat-equal -Wcast-align -Wsign-conversion -Wno-stringop-overflow -Wno-stringop-overread \
|
||||
#-fstack-protector-strong
|
||||
LDFLAGS = -fstack-protector -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
|
||||
-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
// My mingw installation does not load inet_pton definition for some reason
|
||||
WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
|
||||
|
||||
#define GOODBYEDPI_VERSION "v0.2.1"
|
||||
#define GOODBYEDPI_VERSION "v0.2.2"
|
||||
|
||||
#define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
|
||||
|
||||
@@ -119,8 +119,8 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
|
||||
} \
|
||||
else if (ttl_min_nhops) { \
|
||||
/* If not Auto TTL mode but --min-ttl is set */ \
|
||||
if (tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \
|
||||
/* Send only if nhops > min_ttl */ \
|
||||
if (!tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \
|
||||
/* Send only if nhops >= min_ttl */ \
|
||||
should_send_fake = 0; \
|
||||
} \
|
||||
} \
|
||||
@@ -171,6 +171,7 @@ static struct option long_options[] = {
|
||||
{"native-frag", no_argument, 0, '*' },
|
||||
{"reverse-frag",no_argument, 0, '(' },
|
||||
{"max-payload", optional_argument, 0, '|' },
|
||||
{"openvpn", no_argument, 0, '#' },
|
||||
{0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
@@ -216,7 +217,8 @@ static void add_ip_id_str(int id) {
|
||||
|
||||
static void add_maxpayloadsize_str(unsigned short maxpayload) {
|
||||
char *newstr;
|
||||
const char *maxpayloadsize_str = "and (tcp.PayloadLength ? tcp.PayloadLength < %hu : true)";
|
||||
/* 0x47455420 is "GET ", 0x504F5354 is "POST", big endian. */
|
||||
const char *maxpayloadsize_str = "and (tcp.PayloadLength ? tcp.PayloadLength < %hu or tcp.Payload32[0] == 0x47455420 or tcp.Payload32[0] == 0x504F5354 : true)";
|
||||
char *addfilter = malloc(strlen(maxpayloadsize_str) + 16);
|
||||
|
||||
sprintf(addfilter, maxpayloadsize_str, maxpayload);
|
||||
@@ -416,7 +418,7 @@ static int extract_sni(const char *pktdata, unsigned int pktlen,
|
||||
}
|
||||
/* Validate that hostname has only ascii lowercase characters */
|
||||
for (int i=0; i<hnlen; i++) {
|
||||
if (!( (hnaddr[i] >= '1' && hnaddr[i] <= '9') ||
|
||||
if (!( (hnaddr[i] >= '0' && hnaddr[i] <= '9') ||
|
||||
(hnaddr[i] >= 'a' && hnaddr[i] <= 'z') ||
|
||||
hnaddr[i] == '.' || hnaddr[i] == '-'))
|
||||
{
|
||||
@@ -432,6 +434,16 @@ static int extract_sni(const char *pktdata, unsigned int pktlen,
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
static inline int is_openvpn_handshake(const char *pktdata, unsigned int pktlen) {
|
||||
/*
|
||||
* 0x38 is P_CONTROL_HARD_RESET_CLIENT_V2 + peer_id(0),
|
||||
* 0x50 is P_CONTROL_HARD_RESET_CLIENT_V3 + peer_id(0)
|
||||
*/
|
||||
return pktlen >= 16
|
||||
&& ntohs(((uint16_t*)pktdata)[0]) == pktlen - 2
|
||||
&& (pktdata[2] == '\x38' || pktdata[2] == '\x50');
|
||||
}
|
||||
|
||||
static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, unsigned int size) {
|
||||
if (size >= 1 && size <= 0xFFFFu) {
|
||||
ppTcpHdr->Window = htons((u_short)size);
|
||||
@@ -542,6 +554,7 @@ int main(int argc, char *argv[]) {
|
||||
} packet_type;
|
||||
int i, should_reinject, should_recalc_checksum = 0;
|
||||
int sni_ok = 0;
|
||||
int openvpn_handshake = 0;
|
||||
int opt;
|
||||
int packet_v4, packet_v6;
|
||||
HANDLE w_filter = NULL;
|
||||
@@ -568,6 +581,7 @@ int main(int argc, char *argv[]) {
|
||||
do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
|
||||
do_allow_no_sni = 0,
|
||||
do_fake_packet = 0,
|
||||
do_openvpn = 0,
|
||||
do_auto_ttl = 0,
|
||||
do_wrong_chksum = 0,
|
||||
do_wrong_seq = 0,
|
||||
@@ -806,6 +820,7 @@ int main(int argc, char *argv[]) {
|
||||
do_allow_no_sni = 1;
|
||||
break;
|
||||
case '$': // --set-ttl
|
||||
do_auto_ttl = auto_ttl_1 = auto_ttl_2 = auto_ttl_max = 0;
|
||||
do_fake_packet = 1;
|
||||
ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
|
||||
break;
|
||||
@@ -847,6 +862,9 @@ int main(int argc, char *argv[]) {
|
||||
free(autottl_copy);
|
||||
}
|
||||
break;
|
||||
case '#': // --openvpn
|
||||
do_openvpn = 1;
|
||||
break;
|
||||
case '%': // --wrong-chksum
|
||||
do_fake_packet = 1;
|
||||
do_wrong_chksum = 1;
|
||||
@@ -871,7 +889,7 @@ int main(int argc, char *argv[]) {
|
||||
optarg = argv[optind];
|
||||
if (optarg)
|
||||
max_payload_size = atousi(optarg, "Max payload size parameter error!");
|
||||
if (!max_payload_size)
|
||||
else
|
||||
max_payload_size = 1200;
|
||||
break;
|
||||
default:
|
||||
@@ -922,6 +940,7 @@ int main(int argc, char *argv[]) {
|
||||
" (like file transfers) in already established sessions.\n"
|
||||
" May skip some huge HTTP requests from being processed.\n"
|
||||
" Default (if set): --max-payload 1200.\n"
|
||||
" --openvpn Detect OpenVPN TCP and fragment/send fake packet.\n"
|
||||
"\n");
|
||||
puts("LEGACY modesets:\n"
|
||||
" -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)\n"
|
||||
@@ -930,8 +949,8 @@ int main(int argc, char *argv[]) {
|
||||
" -4 -p -r -s (best speed)"
|
||||
"\n"
|
||||
"Modern modesets (more stable, more compatible, faster):\n"
|
||||
" -5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)\n"
|
||||
" -6 -f 2 -e 2 --wrong-seq --reverse-frag\n");
|
||||
" -5 -f 2 -e 2 --auto-ttl --reverse-frag --max-payload (this is the default)\n"
|
||||
" -6 -f 2 -e 2 --wrong-seq --reverse-frag --max-payload\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
@@ -969,7 +988,8 @@ int main(int argc, char *argv[]) {
|
||||
"Fake requests, TTL: %s (fixed: %hu, auto: %hu-%hu-%hu, min distance: %hu)\n" /* 16 */
|
||||
"Fake requests, wrong checksum: %d\n" /* 17 */
|
||||
"Fake requests, wrong SEQ/ACK: %d\n" /* 18 */
|
||||
"Max payload size: %hu\n", /* 19 */
|
||||
"Max payload size: %hu\n" /* 19 */
|
||||
"OpenVPN: %d\n", /* 20 */
|
||||
do_passivedpi, /* 1 */
|
||||
(do_fragment_http ? http_fragment_size : 0), /* 2 */
|
||||
(do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
|
||||
@@ -985,12 +1005,13 @@ int main(int argc, char *argv[]) {
|
||||
do_dnsv4_redirect, /* 13 */
|
||||
do_dnsv6_redirect, /* 14 */
|
||||
do_allow_no_sni, /* 15 */
|
||||
ttl_of_fake_packet ? "fixed" : (do_auto_ttl ? "auto" : "disabled"), /* 16 */
|
||||
do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"), /* 16 */
|
||||
ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0,
|
||||
do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops,
|
||||
do_wrong_chksum, /* 17 */
|
||||
do_wrong_seq, /* 18 */
|
||||
max_payload_size /* 19 */
|
||||
max_payload_size, /* 19 */
|
||||
do_openvpn /* 20 */
|
||||
);
|
||||
|
||||
if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
|
||||
@@ -1117,7 +1138,7 @@ int main(int argc, char *argv[]) {
|
||||
*/
|
||||
else if (addr.Outbound &&
|
||||
((do_fragment_https ? packet_dataLen == https_fragment_size : 0) ||
|
||||
packet_dataLen > 16) &&
|
||||
packet_dataLen >= 16) &&
|
||||
ppTcpHdr->DstPort != htons(80) &&
|
||||
(do_fake_packet || do_native_frag)
|
||||
)
|
||||
@@ -1127,7 +1148,9 @@ int main(int argc, char *argv[]) {
|
||||
* But if the packet is more than 2 bytes, check ClientHello byte.
|
||||
*/
|
||||
if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) ||
|
||||
(packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0))
|
||||
(packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0) ||
|
||||
(do_openvpn && (openvpn_handshake = is_openvpn_handshake(packet_data, packet_dataLen)))
|
||||
)
|
||||
{
|
||||
if (do_blacklist) {
|
||||
sni_ok = extract_sni(packet_data, packet_dataLen,
|
||||
@@ -1138,6 +1161,7 @@ int main(int argc, char *argv[]) {
|
||||
blackwhitelist_check_hostname(host_addr, host_len)
|
||||
) ||
|
||||
(do_blacklist && !sni_ok && do_allow_no_sni) ||
|
||||
(do_openvpn && openvpn_handshake) ||
|
||||
(!do_blacklist)
|
||||
)
|
||||
{
|
||||
|
||||
@@ -30,7 +30,7 @@ int service_register(int argc, char *argv[])
|
||||
*/
|
||||
if (!service_argc && !service_argv) {
|
||||
service_argc = argc;
|
||||
service_argv = malloc(sizeof(void*) * (size_t)argc);
|
||||
service_argv = calloc((size_t)(argc + 1), sizeof(void*));
|
||||
for (i = 0; i < argc; i++) {
|
||||
service_argv[i] = strdup(argv[i]);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user