Add manual Github Action trigger

OpenVPN detection & fragmentation/fake packet support
2023-03-29 13:39:15 +03:00 · 2022-07-21 15:16:29 +03:00
5 changed files with 65 additions and 65 deletions
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@ -5,7 +5,7 @@ body:
  - type: markdown
    attributes:
      value: |
-        ### USE THIS FORM ONLY FOR BUGS! The webside does not open? That's likely NOT a bug, do not report it here!
+        **USE THIS FORM ONLY FOR BUGS**
        GoodbyeDPI does not guarantee to work with your ISP for every blocked website or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it here.

        Please only report software bugs, such as:
@ -18,7 +18,7 @@ body:
        Please make sure to check other opened and closed issues, it could be your bug has been reported already.
        For questions, or if in doubt, [use NTC.party forum](https://ntc.party/c/community-software/goodbyedpi).

-        ### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда!
+        **ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ**
        GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу с каждым заблокированным сайтом. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.

        Пожалуйста, сообщайте только об ошибках в программе, таких как:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -7,21 +7,21 @@ on:
  workflow_dispatch:

 env:
-  WINDIVERT_URL: https://reqrypt.org/download/WinDivert-2.2.0-D.zip
-  WINDIVERT_NAME: WinDivert-2.2.0-D.zip
-  WINDIVERT_BASENAME: WinDivert-2.2.0-D
-  WINDIVERT_SHA256: 1d461cfdfa7ba88ebcfbb3603b71b703e9f72aba8aeff99a75ce293e6f89d2ba
+  WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-2.2.0-A.zip
+  WINDIVERT_NAME: WinDivert-2.2.0-A.zip
+  WINDIVERT_BASENAME: WinDivert-2.2.0-A
+  WINDIVERT_SHA256: 2a7630aac0914746fbc565ac862fa096e3e54233883ac52d17c83107496b7a7f

 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v2

      - name: Declare short commit variable
        id: vars
        run: |
-          echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"

      - name: Install MinGW-w64
        run: >
@ -31,7 +31,7 @@ jobs:

      - name: Download WinDivert from cache
        id: windivert-cache
-        uses: actions/cache@v4
+        uses: actions/cache@v2
        with:
          path: ${{ env. WINDIVERT_NAME }}
          key: ${{ env. WINDIVERT_SHA256 }}
@ -49,14 +49,14 @@ jobs:
        run: >
          cd src && make clean &&
          make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../${{ env.WINDIVERT_BASENAME }}/include WINDIVERTLIBS=../${{ env.WINDIVERT_BASENAME }}/x64 -j4
-
+      
      - name: Prepare x86_64 directory
        run: |
          mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
          cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}

      - name: Upload output file x86_64
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v2
        with:
          name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
          path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
@ -72,7 +72,7 @@ jobs:
          cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}

      - name: Upload output file x86
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v2
        with:
          name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
          path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
--- a/README.md
+++ b/README.md
@ -43,7 +43,6 @@ Usage: goodbyedpi.exe [OPTION...]
                          supplied text file (HTTP Host/TLS SNI).
                          This option can be supplied multiple times.
 --allow-no-sni           perform circumvention if TLS SNI can't be detected with --blacklist enabled.
- --frag-by-sni            if SNI is detected in TLS packet, fragment the packet right before SNI value.
 --set-ttl     <value>    activate Fake Request Mode and send it with supplied TTL value.
                          DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
 --auto-ttl    [a1-a2-m]  activate Fake Request Mode, automatically detect TTL and decrease
@ -88,7 +87,7 @@ To check if your ISP's DPI could be circumvented, first make sure that your prov

 Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country.

-If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resolver running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
+If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resover running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.

 Check the .cmd scripts and modify it according to your preference and network conditions.

@ -141,15 +140,12 @@ Modify them according to your own needs.

 # Similar projects

- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for MacOS, Linux and Windows)
- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows)
- **[DPI Tunnel CLI](https://github.com/zhenyolka/DPITunnel-cli)** by @zhenyolka (for Linux and routers)
- **[DPI Tunnel for Android](https://github.com/zhenyolka/DPITunnel-android)** by @zhenyolka (for Android)
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux)
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android)
+- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
+- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
+- **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
+- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
+- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
 - **[SpoofDPI](https://github.com/xvzc/SpoofDPI)** by @xvzc (for macOS and Linux)
- **[GhosTCP](https://github.com/macronut/ghostcp)** by @macronut (for Windows)
- **[ByeDPI](https://github.com/hufrea/byedpi)** for Linux/Windows + **[ByeDPIAndroid](https://github.com/dovecoteescapee/ByeDPIAndroid/)** for Android (no root)

 # Kudos

--- a/src/Makefile
+++ b/src/Makefile
@ -11,12 +11,7 @@ TARGET = goodbyedpi.exe
 #LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
 LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
 CC = $(CPREFIX)gcc
-
 CCWINDRES = $(CPREFIX)windres
-ifeq (, $(shell which $(CPREFIX)windres))
-	CCWINDRES = windres
-endif
-
 CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
         -O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
         -Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 \
@ -24,7 +19,7 @@ CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
         -Wnull-dereference -Warray-bounds=2 -Wimplicit-fallthrough=3 \
         -Wstringop-overflow=4 \
         -Wformat-signedness -Wstrict-overflow=2 -Wcast-align=strict \
-         -Wfloat-equal -Wcast-align -Wsign-conversion \
+         -Wfloat-equal -Wcast-align -Wsign-conversion -Wno-stringop-overflow -Wno-stringop-overread \
         #-fstack-protector-strong
 LDFLAGS = -fstack-protector -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
 -Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
--- a/src/goodbyedpi.c
+++ b/src/goodbyedpi.c
@ -162,7 +162,6 @@ static struct option long_options[] = {
    {"dns-verb",    no_argument,       0,  'v' },
    {"blacklist",   required_argument, 0,  'b' },
    {"allow-no-sni",no_argument,       0,  ']' },
-    {"frag-by-sni", no_argument,       0,  '>' },
    {"ip-id",       required_argument, 0,  'i' },
    {"set-ttl",     required_argument, 0,  '$' },
    {"min-ttl",     required_argument, 0,  '[' },
@ -172,6 +171,7 @@ static struct option long_options[] = {
    {"native-frag", no_argument,       0,  '*' },
    {"reverse-frag",no_argument,       0,  '(' },
    {"max-payload", optional_argument, 0,  '|' },
+    {"openvpn",     no_argument,       0,  '#' },
    {0,             0,                 0,   0  }
 };

@ -434,6 +434,16 @@ static int extract_sni(const char *pktdata, unsigned int pktlen,
    return FALSE;
 }

+static inline int is_openvpn_handshake(const char *pktdata, unsigned int pktlen) {
+    /*
+     * 0x38 is P_CONTROL_HARD_RESET_CLIENT_V2 + peer_id(0),
+     * 0x50 is P_CONTROL_HARD_RESET_CLIENT_V3 + peer_id(0)
+     */
+    return pktlen >= 16
+           && ntohs(((uint16_t*)pktdata)[0]) == pktlen - 2
+           && (pktdata[2] == '\x38' || pktdata[2] == '\x50');
+}
+
 static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, unsigned int size) {
    if (size >= 1 && size <= 0xFFFFu) {
        ppTcpHdr->Window = htons((u_short)size);
@ -475,7 +485,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
                        PWINDIVERT_TCPHDR ppTcpHdr,
                        unsigned int fragment_size, int step) {
    char packet_bak[MAX_PACKET_SIZE];
-    memcpy(packet_bak, packet, packetLen);
+    memcpy(&packet_bak, packet, packetLen);
    UINT orig_packetLen = packetLen;

    if (fragment_size >= packet_dataLen) {
@ -532,7 +542,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
        packetLen,
        NULL, &addr
    );
-    memcpy(packet, packet_bak, orig_packetLen);
+    memcpy(packet, &packet_bak, orig_packetLen);
    //printf("Sent native fragment of %d size (step%d)\n", packetLen, step);
 }

@ -544,6 +554,7 @@ int main(int argc, char *argv[]) {
    } packet_type;
    int i, should_reinject, should_recalc_checksum = 0;
    int sni_ok = 0;
+    int openvpn_handshake = 0;
    int opt;
    int packet_v4, packet_v6;
    HANDLE w_filter = NULL;
@ -569,8 +580,8 @@ int main(int argc, char *argv[]) {
        do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
        do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
        do_allow_no_sni = 0,
-        do_fragment_by_sni = 0,
        do_fake_packet = 0,
+        do_openvpn = 0,
        do_auto_ttl = 0,
        do_wrong_chksum = 0,
        do_wrong_seq = 0,
@ -808,9 +819,6 @@ int main(int argc, char *argv[]) {
            case ']': // --allow-no-sni
                do_allow_no_sni = 1;
                break;
-            case '>': // --frag-by-sni
-                do_fragment_by_sni = 1;
-                break;
            case '$': // --set-ttl
                do_auto_ttl = auto_ttl_1 = auto_ttl_2 = auto_ttl_max = 0;
                do_fake_packet = 1;
@ -854,6 +862,9 @@ int main(int argc, char *argv[]) {
                    free(autottl_copy);
                }
                break;
+            case '#': // --openvpn
+                do_openvpn = 1;
+                break;
            case '%': // --wrong-chksum
                do_fake_packet = 1;
                do_wrong_chksum = 1;
@ -904,7 +915,6 @@ int main(int argc, char *argv[]) {
                "                          supplied text file (HTTP Host/TLS SNI).\n"
                "                          This option can be supplied multiple times.\n"
                " --allow-no-sni           perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n"
-                " --frag-by-sni            if SNI is detected in TLS packet, fragment the packet right before SNI value.\n"
                " --set-ttl     <value>    activate Fake Request Mode and send it with supplied TTL value.\n"
                "                          DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n"
                " --auto-ttl    [a1-a2-m]  activate Fake Request Mode, automatically detect TTL and decrease\n"
@ -930,6 +940,7 @@ int main(int argc, char *argv[]) {
                "                          (like file transfers) in already established sessions.\n"
                "                          May skip some huge HTTP requests from being processed.\n"
                "                          Default (if set): --max-payload 1200.\n"
+                " --openvpn                Detect OpenVPN TCP and fragment/send fake packet.\n"
                "\n");
                puts("LEGACY modesets:\n"
                " -1          -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)\n"
@ -963,7 +974,6 @@ int main(int argc, char *argv[]) {
           "Fragment HTTP: %u\n"                    /* 2 */
           "Fragment persistent HTTP: %u\n"         /* 3 */
           "Fragment HTTPS: %u\n"                   /* 4 */
-           "Fragment by SNI: %u\n"                  /* 5 */
           "Native fragmentation (splitting): %d\n" /* 5 */
           "Fragments sending in reverse: %d\n"     /* 6 */
           "hoSt: %d\n"                             /* 7 */
@ -978,29 +988,30 @@ int main(int argc, char *argv[]) {
           "Fake requests, TTL: %s (fixed: %hu, auto: %hu-%hu-%hu, min distance: %hu)\n"  /* 16 */
           "Fake requests, wrong checksum: %d\n"    /* 17 */
           "Fake requests, wrong SEQ/ACK: %d\n"     /* 18 */
-           "Max payload size: %hu\n",               /* 19 */
+           "Max payload size: %hu\n"                /* 19 */
+           "OpenVPN: %d\n",                         /* 20 */
           do_passivedpi,                                         /* 1 */
           (do_fragment_http ? http_fragment_size : 0),           /* 2 */
           (do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
           (do_fragment_https ? https_fragment_size : 0),         /* 4 */
-           do_fragment_by_sni,    /* 5 */
-           do_native_frag,        /* 6 */
-           do_reverse_frag,       /* 7 */
-           do_host,               /* 8 */
-           do_host_removespace,   /* 9 */
-           do_additional_space,   /* 10 */
-           do_host_mixedcase,     /* 11 */
-           do_http_allports,      /* 12 */
-           do_fragment_http_persistent_nowait, /* 13 */
-           do_dnsv4_redirect,                  /* 14 */
-           do_dnsv6_redirect,                  /* 15 */
-           do_allow_no_sni,                    /* 16 */
-           do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"),  /* 17 */
+           do_native_frag,        /* 5 */
+           do_reverse_frag,       /* 6 */
+           do_host,               /* 7 */
+           do_host_removespace,   /* 8 */
+           do_additional_space,   /* 9 */
+           do_host_mixedcase,     /* 10 */
+           do_http_allports,      /* 11 */
+           do_fragment_http_persistent_nowait, /* 12 */
+           do_dnsv4_redirect,                  /* 13 */
+           do_dnsv6_redirect,                  /* 14 */
+           do_allow_no_sni,                    /* 15 */
+           do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"),  /* 16 */
               ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0,
               do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops,
-           do_wrong_chksum, /* 18 */
-           do_wrong_seq,    /* 19 */
-           max_payload_size /* 20 */
+           do_wrong_chksum, /* 17 */
+           do_wrong_seq,    /* 18 */
+           max_payload_size, /* 19 */
+           do_openvpn        /* 20 */
          );

    if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
@ -1054,7 +1065,6 @@ int main(int argc, char *argv[]) {
                   packetLen);
            should_reinject = 1;
            should_recalc_checksum = 0;
-            sni_ok = 0;

            ppIpHdr = (PWINDIVERT_IPHDR)NULL;
            ppIpV6Hdr = (PWINDIVERT_IPV6HDR)NULL;
@ -1128,7 +1138,7 @@ int main(int argc, char *argv[]) {
                 */
                else if (addr.Outbound &&
                        ((do_fragment_https ? packet_dataLen == https_fragment_size : 0) ||
-                         packet_dataLen > 16) &&
+                         packet_dataLen >= 16) &&
                         ppTcpHdr->DstPort != htons(80) &&
                         (do_fake_packet || do_native_frag)
                        )
@ -1138,9 +1148,11 @@ int main(int argc, char *argv[]) {
                     * But if the packet is more than 2 bytes, check ClientHello byte.
                    */
                    if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) ||
-                        (packet_dataLen >= 3 && ( memcmp(packet_data, "\x16\x03\x01", 3) == 0 || memcmp(packet_data, "\x16\x03\x03", 3) == 0 )))
+                        (packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0) ||
+                        (do_openvpn && (openvpn_handshake = is_openvpn_handshake(packet_data, packet_dataLen)))
+                       )
                    {
-                        if (do_blacklist || do_fragment_by_sni) {
+                        if (do_blacklist) {
                            sni_ok = extract_sni(packet_data, packet_dataLen,
                                        &host_addr, &host_len);
                        }
@ -1149,6 +1161,7 @@ int main(int argc, char *argv[]) {
                              blackwhitelist_check_hostname(host_addr, host_len)
                             ) ||
                             (do_blacklist && !sni_ok && do_allow_no_sni) ||
+                             (do_openvpn && openvpn_handshake) ||
                             (!do_blacklist)
                           )
                        {
@ -1156,7 +1169,7 @@ int main(int argc, char *argv[]) {
                            char lsni[HOST_MAXLEN + 1] = {0};
                            extract_sni(packet_data, packet_dataLen,
                                        &host_addr, &host_len);
-                            memcpy(lsni, host_addr, host_len);
+                            memcpy(&lsni, host_addr, host_len);
                            printf("Blocked HTTPS website SNI: %s\n", lsni);
 #endif
                            if (do_fake_packet) {
@ -1191,7 +1204,7 @@ int main(int argc, char *argv[]) {
                        host_len = hdr_value_len;
 #ifdef DEBUG
                        char lhost[HOST_MAXLEN + 1] = {0};
-                        memcpy(lhost, host_addr, host_len);
+                        memcpy(&lhost, host_addr, host_len);
                        printf("Blocked HTTP website Host: %s\n", lhost);
 #endif

@ -1293,11 +1306,7 @@ int main(int argc, char *argv[]) {
                        current_fragment_size = http_fragment_size;
                    }
                    else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) {
-                        if (do_fragment_by_sni && sni_ok) {
-                            current_fragment_size = (void*)host_addr - packet_data;
-                        } else {
-                            current_fragment_size = https_fragment_size;
-                        }
+                        current_fragment_size = https_fragment_size;
                    }

                    if (current_fragment_size) {
Author	SHA1	Message	Date
ValdikSS	404850245e	Add manual Github Action trigger	2023-03-29 13:39:15 +03:00
ValdikSS	ecc681a60b	OpenVPN detection & fragmentation/fake packet support	2022-07-21 15:16:29 +03:00