Archive for the ‘Circumvention’ Category

West chamber season 3 – a new way to bypass Great Firewall

July 30, 2011

(I don’t quite trust wordpress.com, so I edit this post in Google Docs, and it is open for anyone to edit. I am not used to writing in English; if you find mistakes, please correct them for me in Google Docs. I may update this post periodically based on the Google Docs one.)

Everyone knows that people in mainland China have problems accessing the international internet (the World Wide Web), e.g. Facebook, Twitter, and many services provided by Google. Here I present a new way to get rid of the threat of “connection reset”, without a proxy server, and it is free.

The Great Firewall of China

Normally, we illustrate the Great Firewall (GFW) with the Great Wall of China.

But technically, the GFW does not simply work like a wall. The commonly used technical methods are IP blocking, DNS cache poisoning and connection reset (ref. Wikipedia, Great Firewall of China). Connection reset is now the most important of them in practice.

Technical details of connection reset

Why choose connection reset? For websites, the IP may change while the domain normally does not, so maintaining an IP list for each domain is a big overhead; and DNS cache poisoning can be bypassed by editing the hosts file for local name resolution. Connection reset is, in a way, an elegant way to block the unwelcome sites (unwelcome to the Chinese government, of course).

When the GFW detects sensitive words in a site's URL or content, it sends a reset packet to both the client and the web server. Both sides then give up the connection, and “Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.” shows up in your Chrome browser. This works by cheating, not by blocking.
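An added example, not from the original post or from the scholarzhang or West Chamber code: a common way for a network analyst to tell an injected reset from a genuine one is to compare the RST's IP TTL with the TTL of earlier packets in the same flow direction, because a packet injected mid-path usually arrives with a different hop count. The packet tuples, the tolerance values and the name `classify_resets` are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample, as seen at the client: (src, dst, sport, dport, flags, ttl).
# Flags use tcpdump letters: S=SYN, A=ACK, P=PSH, R=RST. Addresses are
# documentation ranges, not real hosts.
PACKETS = [
    ("203.0.113.10", "192.0.2.5", 80, 50001, "SA", 49),
    ("203.0.113.10", "192.0.2.5", 80, 50001, "A", 49),
    ("203.0.113.10", "192.0.2.5", 80, 50001, "PA", 49),
    ("203.0.113.10", "192.0.2.5", 80, 50001, "R", 58),    # TTL jumps by 9
    ("203.0.113.10", "192.0.2.5", 80, 50001, "RA", 61),   # and again
    ("198.51.100.7", "192.0.2.5", 443, 50002, "SA", 52),
    ("198.51.100.7", "192.0.2.5", 443, 50002, "A", 52),
    ("198.51.100.7", "192.0.2.5", 443, 50002, "R", 52),   # same hop count
    ("198.51.100.9", "192.0.2.5", 80, 50003, "R", 64),    # no history at all
]


def classify_resets(packets, tolerance=2, min_baseline=2):
    """Label each RST 'suspect', 'consistent' or 'unknown'.

    The baseline is the median TTL of non-RST packets already seen in the
    same direction of the same flow. A small tolerance absorbs ordinary
    route flaps; with too little history the RST is left undecided.
    """
    baseline = defaultdict(list)   # flow -> TTLs of earlier non-RST packets
    verdicts = []
    for src, dst, sport, dport, flags, ttl in packets:
        flow = (src, dst, sport, dport)
        if "R" not in flags:
            baseline[flow].append(ttl)
            continue
        seen = baseline[flow]
        if len(seen) < min_baseline:
            verdict = "unknown"
        elif abs(ttl - median(seen)) > tolerance:
            verdict = "suspect"
        else:
            verdict = "consistent"
        verdicts.append((flow, ttl, verdict))
    return verdicts


if __name__ == "__main__":
    for flow, ttl, verdict in classify_resets(PACKETS):
        print(f"{flow[0]}:{flow[2]} -> {flow[1]}:{flow[3]}  RST ttl={ttl}  {verdict}")
```

TTL alone is a heuristic: an injector can imitate the endpoint's TTL, and a genuine RST can take a different route, so a verdict of this kind is a lead for further inspection rather than proof.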

The scholarzhang project

There is nearly no way to bypass the GFW without proxy servers (strictly speaking, bypassing via a p2p network is also implemented by proxy; the difference is that any node in the p2p network may be the server, so the server is not fixed). Servers cost money, and there must be someone to pay for them.
Scholarzhang is a great attempt to build a tool that bypasses the GFW directly, without an intermediate server. It tries to save the connection before the reset packet is sent by the GFW. The theory is sophisticated, and it is subject to many restrictions (ref. README; I wish someone could translate it to English). Now, the tools provided by scholarzhang hardly work anymore.

West chamber season 3

This project is mainly inspired by and inherited from scholarzhang. The theory is simple: drop the cheating packets sent by the GFW on both sides, server and client. Currently I have got a working prototype. If you are in mainland China, you should not be able to visit liruqi.me directly. But if you install the client by following this install guide, then you should be.

But I need help:

  1. Spread and promote this project. It needs the client and the web server to cooperate; without either side, this will not work. Especially, if you can directly contact the webmaster or system administrator of a blocked site, persuade him/her to do this! This will bring them lots of Chinese users.
  2. Find more specific rules of the GFW. Currently, on the server, I simply drop reset packets from China; on the client, I simply drop reset packets from China. I wonder how risky doing this is. I wish to reduce the negative impact to a minimum.
  3. More testing & improvement on the Windows client.

Besides, anyone interested in this project, mail me! Tell me what you can do; documentation, translation, web site building & development are welcome. I cannot finish them all by myself anyway 🙂 . Also, contact me if there is any chance for me to go abroad, to work or study on anti-GFW, for this is my interest. I also love to “make the world a more open place”, but in a different way from Mark Zuckerberg, you know.

Categories: Circumvention, gfw

Recommending an Android network helper

June 25, 2010

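OK, I admit it: I am not a professional at circumvention. The best way to get over the wall in an Android browser is to use a modified Opera Mini (an APK is available for download). See the pictures here.

If you want your phone's other HTTP/HTTPS-based apps to get over the wall too, or simply want to know what I have been tinkering with, read on.

First, the requirements. You need an Android phone. This APK has so far only been tested on the G2 and G3. Other models should work in theory. For now there are the following limitations:

1. The main prerequisite: you need root access on the phone. If you have not got root yet, search for a tutorial first, e.g. on rooting the G3.

2. On a Wi-Fi network, you cannot connect over HTTP to foreign sites with sensitive content. So on Wi-Fi you generally need to turn off mobile view and force HTTPS, to make sure you are not redirected to the HTTP WAP page.

3. HTTPS mode only works when the phone's ROM comes from Anzhi (安智网) (if the first boot screen shows xda-china or Anzhi, you are fine). With a ROM from another source, you need to go to Anzhi (bbs.goapk.com) and flash a ROM from its forum before you can use it. HTTPS does not work on some firmware versions. If it fails, try flashing firmware from the bbs.goapk.com forum. I have not tested carefully on multiple models; if you have test results, feedback in the comments is welcome.

4. This program modifies the mobile network access point settings. Before uninstalling, make sure the circumvention tool is turned off. Alternatively, after uninstalling, press the menu key under “Mobile network settings” => “Access Point Names” and reset to the default settings.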

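Download address for the network helper APK: http://medusa.sinaapp.com/NetHelper.apk

The circumvention principle is covered in the previous post, “Introducing two Google App Engine based circumvention methods”, so I will not repeat it here.

If you do not have an APK installer, you can try Anzhi's APK installer.

Note: the application in this article was developed by a member of the Anzhi community. Anzhi accepts no responsibility for any legal or political risk.

Jun 26 2:20pm update: HTTP service is suspended because the server cannot bear the load. HTTPS mode does not depend on the server and is not affected.

Jun 28 10:27am update 2: For lack of server resources, and out of concern that the load could not be handled, this circumvention method has not yet been publicized. If you have a usable server in China, please DM @liruqi on Twitter.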

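Jun 29 2:00 pm update 3: The APK file was updated today and works better than before (the download address is unchanged; see above). I had planned to post screenshots today, but testing showed that one server (running Python 2.4.3) cannot handle 302 redirects, and that after flashing a new ROM yesterday, HTTPS also goes through the server proxy. HTTPS was not supposed to go through the proxy, which is not secure. I am trying to fix this today. There is good news too. On the G2 (HTC Magic), using Beijing M-Zone's 2G network, some addresses are not DNS-poisoned, for example mobile.twitter.com. Beijing M-Zone 2G users can probably just download the APK file above and get over the wall.

July 1 10:47 pm update 4: I tested the latest circumvention tool today and it basically works. There is also no longer any HTTPS-or-not question: everything goes through the proxy. I am not yet sure whether that is related to the last ROM flash. The APK download address is unchanged and the file has been updated. The server-side source code is here; if you have your own server in China, you can set up the proxy yourself.

(Last modified: July 12, 3:27 pm)

Categories: Android, Circumvention, Anzhi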

Introducing two Google App Engine based circumvention methods

June 25, 2010

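Preface:
1. Since I have further research plans, this post may be updated later.
2. This post mainly covers the Linux environment. Windows users can apply similar methods; a simple Windows setup is described below.

I have recently been planning a circumvention tool for the Android platform, so I looked into proxy-based circumvention. There are already plenty of ready-made free tools on Windows, but not many on Linux. The West Chamber project (西厢计划) is impressive, but installing and configuring it is complicated and the results are unstable. So lately I have mainly looked at proxies outside the wall. I tried two in practice: an HTTPS online proxy and a local encrypting proxy. Both are proxies, but they get around the wall on different principles.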

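The HTTPS online proxy relies on the security of the HTTPS protocol. A typical example is the mirror project. Demo address: https://opliruqi.appspot.com/.
Pros: convenient.
Cons: unstable. The mirror project may have problems handling HTTPS logins, so you can only browse pages that do not require HTTPS login. Also, because the server processes the HTML files (e.g. URL rewriting), page rendering may suffer.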

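The local encrypting proxy encrypts the target address locally; GAE decrypts it, fetches the page content, processes it and sends it back to the client. A typical example is the GAppProxy project.
Setup on Windows:
1. Install Python. Usually you download http://python.org/ftp/python/2.6.5/python-2.6.5.msi ; on a 64-bit system, download http://python.org/ftp/python/2.6.5/python-2.6.5.amd64.msi instead.
Both addresses are blocked, though, so try Xunlei (迅雷). (I suspect python.org was blocked precisely because of GAppProxy… the GFW fears this kind of application-layer encrypted circumvention most, because it does not require you to have a VPS, only a GAE account or web hosting space.)
2. Download the client: liruqi.sinaapp.com/localproxy.zip. It is already configured. If you have a GAE account, though, please use your own, for the safety of your data and to reduce the load on me.
3. Set the browser proxy. Set the HTTP proxy to 127.0.0.1:8765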

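Pros: stable, fast, and YouTube videos work too.
Cons: SSL is still the problem. If you use it as an SSL proxy, the certificate is not trusted by the browser and you get frequent errors; if you do not, sites on the GFW blacklist (such as Twitter and Facebook) are subject to domain hijacking and HTTPS still cannot connect. This blog post (http://blog.solrex.cn/articles/fix-gappproxy-set-cookie-and-https-cert-bugs.html) seems to say it has solved this problem, but I downloaded its code and it did not pass my tests.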

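In short, the SSL login problem is unsolved. GAppProxy working together with West Chamber's anti-DNS-poisoning module (i.e. with GAppProxy acting only as an HTTP proxy) is the ideal combination. I plan to build one for the Android platform too; the SSL proxy problem is unsolved there as well, and so far I have thought of two technical approaches:
1. Subscribe to a manually maintained domain-to-IP list.
2. Compile West Chamber's anti-DNS-poisoning module into the ROM (someone has already tried this and it works, but it is too technically difficult for users).
In fact, for just reading foreign news, Wikipedia and the like, you do not need HTTPS. Third-party Twitter clients are everywhere. Leaving it unhandled is not a big problem.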

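If you have comments or suggestions, you can discuss them on Twitter (@liruqi) or Sina Weibo (@liruqi). Comments are not yet enabled on this blog.

– The original post was published on May-16 17:56

Categories: Circumvention, GAE, GAppProxy, SAE/GAE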