-
Notifications
You must be signed in to change notification settings - Fork 8
SNI Modification
WARNING:
This option is experimental and unstable.
Please, don't enable SNI Tricks if you're not an advanced PC user and don't have administrator rights.
Applies to:
- LibertyTunnel v1.0 and higher
Summary: Internet Service Provider (ISP) filters your HTTPS traffic by looking on SNI - Server Name Indication. This method of filtering can be bypassed by removing or modifying SNI in your HTTPS requests.
Table of contents:
Server Name Indication is an extension to the TLS protocol.
When you're attempting to connect to a HTTP website, the hostname is passed in the request headers, which are unencrypted.
If you're connecting with HTTPS, the request headers are encrypted, but the hostname can be read from SNI in ClientHello packet. That's how your ISP blocking HTTPS websites.
We have to remove or encrypt SNI to bypass filtering.
In recent years, ESNI - Encrypted SNI - has been developed to encrypt the hostname, but it's still experimental and most websites doesn't support it.
LibertyTunnel supports some tricks with SNI, that allow you to remove or modify SNI in your HTTPS requests to blocked websites.
To do that, we need to replace the original SSL certificate, so you need to install it at the first.
This method may not work anywhere, because some DPI rejects HTTPS requests without SNI or when the SNI is encrypted, also this approach doesn't supported by the most of sites, especially the ones, who checking the SSL certificate.
Spoil SNI method is more efficient than Remove SNI as some DPI don't pass packets without SNI.
Fake SNI method can be used to replace the actual SNI with SNI of any not-blocked or government website.
You do the following actions on your risk.
Make sure that you run a genuine build of PowerTunnel (PC/Android) to keep your traffic safe.
The manual below is for the PC version of PowerTunnel. PowerTunnel for Android automatically suggests you to install the certificate when you have this option enabled.
If you're running PowerTunnel in console mode, you can enable SNI Tricks by adding enable_sni_tricks and sni_trick configuration keys:
$ java -jar PowerTunnel.jar -cfg modify_sni true -cfg sni_trick [trick], where [trick] is spoil, fake or remove
You need to provide a fake host if you choosed fake trick:
$ java -jar PowerTunnel.jar -cfg modify_sni true -cfg sni_trick fake -cfg fake_sni [fake_host], where [fake_host] is a host of a government resource or a website that is not blocked in your country, e.g. w3.org.
It's recommended to disable HTTPS Chunking when SNI Modification is enabled
Global mode is enabled by default, but this method can break the most of unblocked websites, so PowerTunnel uses selective SNI erasing.
Clean government-blocklist.txt and fill it with a list of the blocked domains in your country.
The certificate generates on the first run of the PowerTunnel with this option enabled.
All certificates are unique, neither PowerTunnel developers nor someone else has its password. The password is stored insettings.ini.
PowerTunnel never decrypts and analyzes your traffic.
PowerTunnel re-crytps your HTTPS session to remove SNI, so you have to install PowerTunnel Root CA.
Please, see PowerTunnel Wiki to learn how to install the Root CA.
Please, see PowerTunnel Wiki to learn how to remove the Root CA.
Seems that this method doesn't work with your ISP's DPI. Keep in mind that some websites want to enforce you using their original certificates, so that method can't be applied to them.
Use "chunking" method or any encrypted connection, such as VPN or Tor.
If you have problems with the Root CA, please see PowerTunnel Wiki.
Open an issue in the GitHub Repository if you have any questsions.