Proxy circumvention strategies

Proxy servers

XX-Net

Shadowsocks

v2ray / Xray

Xray-core

Linux
v2rayA
paru -S v2ray xray v2raya
systemctl enable --now v2raya.service

Open the web UI in a browser:

http://localhost:2017/

By default, v2rayA opens ports 20170 (SOCKS5), 20171 (HTTP) and 20172 (HTTP with shunt rules) through the core.

NekoRay
Windows
v2rayN

Clash

Linux
clash-for-windows-bin
paru -S clash-for-windows-bin

Run it with:

./cfw
echo "alias clash='cfw'" >> ~/.zshrc && source ~/.zshrc
Windows
clash_for_windows_pkg

Trojan / Trojan-Go

Free programs

Freegate

freegate

freesky

Because of its strong political associations, it is best not to install or use it routinely; keep it as a last resort for when other tools fail.

Ultrasurf

Ultrasurf

Because of its strong political associations, it is best not to install or use it routinely; keep it as a last resort for when other tools fail.

Psiphon

Lantern

lantern

VPN

WARP

Linux
$ paru -S cloudflare-warp-bin

Start the WARP service before using it:

$ sudo systemctl start warp-svc

Register with the WARP API, replacing any existing registration (must be run before the first connection):

$ warp-cli register

Possible mode values: warp, doh, warp+doh, dot, warp+dot, proxy, tunnel_only

$ warp-cli set-mode warp

Verify the mode in the settings:

$ warp-cli settings

Free WARP does not work well; set a license key to switch to WARP+:

$ warp-cli set-license 2cVEj450-52JkhS98-Fj12K8o4

Verify the license key in the account info:

$ warp-cli account
$ warp-cli connect

Run curl https://www.cloudflare.com/cdn-cgi/trace/ and verify that warp=on/plus.

$ warp-cli status
$ warp-cli disconnect
$ sudo systemctl enable warp-svc
$ systemctl --user enable --now warp-taskbar
Windows

WARP download and install

worker with vless

Linux
vless://83b71d9f-f75e-4ea2-b8ae-5c2e1ec42435@vless.zhengye.me:443?encryption=none&security=tls&sni=vless.zhengye.me&fp=randomized&type=ws&host=vless.zhengye.me&path=%2F%3Fed%3D2048#vless.zhengye.me
Windows

VPN Gate

Anonymity Networks

Tor

Linux
$ paru -S torbrowser-launcher
Windows

Tor Browser

I2P

Linux
paru -S i2p
systemctl enable --now i2prouter.service

Open your browser of choice and visit the I2P welcome page at:

127.0.0.1:7657

To visit eepsites, configure your browser to use the local proxy:

HTTP 127.0.0.1 4444
Windows

Run it using the “Start I2P” entries in your Start Menu.

Open your browser of choice and visit the I2P welcome page at:

127.0.0.1:7657/home

Configure your router to reseed through a proxy by setting the proxy type, hostname, and port:

127.0.0.1:7657/configreseed

Then, click “Save changes and reseed now”.

To browse anonymous websites inside the Invisible Internet, configure your web browser to use the HTTP/HTTPS proxy:

HTTP 127.0.0.1 4444
HTTPS 127.0.0.1 4445

Non-proxy circumvention strategies

Hosts

Linux

# chown ye:ye /etc/hosts
$ paru -S switchhosts-bin
$ vim ~/.config/autostart/switchhosts.desktop
[Desktop Entry]
Name=switchhosts
GenericName=SwitchHosts Frontend
Exec=/usr/bin/switchhosts
Terminal=false
Icon=/usr/share/pixmaps/switchhosts.png
Categories=Network
Type=Application
StartupNotify=false
X-GNOME-Autostart-enabled=true
https://gitlab.com/ineo6/hosts/-/raw/master/hosts
https://raw.hellogithub.com/hosts
https://onedrive-hosts.learningman.top
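
Remote hosts lists like the ones above are applied to name resolution as-is, so it is worth checking what a downloaded list remaps before SwitchHosts merges it. The following shell function is an added example, not part of the original notes or of SwitchHosts; the function name, the allowed-suffix list and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: vet a downloaded hosts list before it is merged into /etc/hosts.
# audit_hosts and the allowed-suffix list are illustrative, not SwitchHosts features.

# Reads hosts-format text on stdin. $1 is a space-separated list of domain
# suffixes the list is expected to cover. Prints "UNEXPECTED <ip> <name>" for
# every other hostname and returns 1 if any were found.
audit_hosts() {
    awk -v allowed="$1" '
        BEGIN { n = split(tolower(allowed), sfx, " ") }
        function permitted(name,    i, cut) {
            for (i = 1; i <= n; i++) {
                if (name == sfx[i]) return 1
                # Match on a label boundary so "evilgithub.com" does not pass as "github.com"
                cut = length(name) - length(sfx[i])
                if (cut > 1 && substr(name, cut) == ("." sfx[i])) return 1
            }
            return 0
        }
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 {
            for (f = 2; f <= NF; f++) {
                host = tolower($f)
                if (!permitted(host)) { print "UNEXPECTED", $1, host; bad = 1 }
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input (documentation-range addresses, not real GitHub IPs).
SAMPLE_HOSTS='# GitHub hosts, generated list
192.0.2.10   github.com
192.0.2.11   api.github.com assets-cdn.github.com
192.0.2.12   raw.githubusercontent.com   # raw files
198.51.100.7 evilgithub.com
198.51.100.7 login.example.test
127.0.0.1    localhost'

if findings=$(printf '%s\n' "$SAMPLE_HOSTS" | audit_hosts "github.com githubusercontent.com"); then
    echo "hosts list only covers the expected domains"
else
    echo "review before applying:"; echo "$findings"
fi
```

To check a real download, pipe the fetched file into audit_hosts with the suffixes that source is supposed to cover.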

Windows

DNSCrypt

Linux

dnscrypt-proxy

https://wiki.archlinux.org/title/Dnscrypt-proxy#dnsmasq

Disable any services bound to port 53
ss -lp 'sport = :domain'

Uninstall the corresponding package or disable the corresponding service.

Install dnscrypt-proxy
pacman -S dnscrypt-proxy

The default configuration file is at:

/etc/dnscrypt-proxy/dnscrypt-proxy.toml

The listen_addresses option must be configured:

listen_addresses = ['127.0.0.1:53', '[::1]:53']
Select resolver
Modify resolv.conf
vim /etc/resolv.conf

nameserver ::1
nameserver 127.0.0.1
options edns0

To lock it:

chattr +i /etc/resolv.conf

To unlock it:

chattr -i /etc/resolv.conf
Start systemd service
systemctl enable --now dnscrypt-proxy.service
Check if dnscrypt-proxy is working

Open a browser, go to DnsLeakTest and run an extended test. If the results show the servers you set in the configuration files, dnscrypt-proxy is working; otherwise something is wrong.

Test
drill github.com @127.0.0.1
Tips and tricks

Edit the cache option in /etc/dnscrypt-proxy/dnscrypt-proxy.toml with the following:

cache = true

Edit the listen_addresses option in /etc/dnscrypt-proxy/dnscrypt-proxy.toml with the following:

listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
pacman -S unbound

Add the following lines to the end of the server section in /etc/unbound/unbound.conf:

  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: ::1@53000
  forward-addr: 127.0.0.1@53000
systemctl stop dnscrypt-proxy.service
systemctl enable --now unbound.service
systemctl start dnscrypt-proxy.service

Add the following line to your /etc/resolv.conf:

options edns0

Test EDNS0

$ drill rs.dns-oarc.net TXT
Local DoH
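$ sudo pacman -S mkcert
$ mkdir -p ~/.config/cert/

Install the local CA and issue the certificate. The hostnames at the end are required for a certificate to be generated; localhost, 127.0.0.1 and ::1 are assumed here from the localhost+2 file name:

$ mkcert -install -cert-file ~/.config/cert/localhost+2.pem -key-file ~/.config/cert/localhost+2-key.pem localhost 127.0.0.1 ::1
$ sudo mv ~/.config/cert/localhost+2.pem /var/lib/dnscrypt-proxy/localhost.pem
$ sudo mv ~/.config/cert/localhost+2-key.pem /var/lib/dnscrypt-proxy/localhost-key.pem

Read access is all dnscrypt-proxy needs for these files; mode 777 would leave the private key world-writable:

$ sudo chmod 644 /var/lib/dnscrypt-proxy/localhost.pem
$ sudo chmod 644 /var/lib/dnscrypt-proxy/localhost-key.pem

Next, edit the dnscrypt-proxy.toml configuration file, find the local_doh section and uncomment the following lines:

$ sudo vim /etc/dnscrypt-proxy/dnscrypt-proxy.toml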
[local_doh]
listen_addresses = ['127.0.0.1:3000']
path = "/dns-query"
cert_file = "/var/lib/dnscrypt-proxy/localhost.pem"
cert_key_file = "/var/lib/dnscrypt-proxy/localhost-key.pem"
$ sudo systemctl restart dnscrypt-proxy.service

Google Chrome:

  1. Select the three-dot menu in your browser > Settings.

  2. Select Privacy and security > Security.

  3. Scroll down and enable Use secure DNS.

  4. Select the With option, and from the drop-down menu choose Custom.

    Enter the following URL:

    https://127.0.0.1:3000/dns-query

Mozilla Firefox:

  1. Navigate to the about:config page.
  2. Set network.trr.mode to 2.
  3. Set network.trr.uri to https://101.6.6.6:8443/dns-query

dns-over-https (does not work well)

dns-over-https

Installation
# pacman -S dns-over-https
Disable any services bound to port 53

To see if any programs are using port 53, run:

# ss -lp 'sport = :domain'

If the output contains more than the first line of column names, you need to disable whatever service is using port 53. For example:

# systemctl disable --now dnscrypt-proxy.service
# systemctl disable --now unbound.service
Select preferred upstream DNS server
# vim /etc/dns-over-https/doh-client.conf

[[upstream.upstream_ietf]]
    url = "https://doh.pub/dns-query"
    weight = 20
Change system DNS server
# vim /etc/resolv.conf

nameserver ::1
nameserver 127.0.0.1
options edns0
Startup
# systemctl enable --now doh-client.service
Test
drill github.com @127.0.0.1
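
Both Linux setups above (dnscrypt-proxy and dns-over-https) rely on /etc/resolv.conf listing only ::1 and 127.0.0.1; any other nameserver line, for example one written back by a network manager when the file is not locked with chattr +i, sends queries around the local proxy. The following check is an added example, not part of the original notes; the function name and the sample files are constructed.

```shell
#!/bin/sh
# Added example: find nameserver entries that would bypass the local encrypted resolver.
# stray_resolvers is an illustrative name, not part of dnscrypt-proxy or dns-over-https.

# Reads resolv.conf text on stdin. $1 is the space-separated set of addresses
# the local proxy listens on (default: the two used on this page).
# Prints every other nameserver and returns 1 if any exist.
stray_resolvers() {
    awk -v allowed="${1:-127.0.0.1 ::1}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { sub(/[#;].*/, "") }                   # drop comments
        $1 == "nameserver" && NF >= 2 {
            addr = $2
            sub(/%.*/, "", addr)                # strip an IPv6 zone id such as %lo
            if (!(addr in ok)) { print addr; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the file exactly as configured on this page.
RESOLV_GOOD='nameserver ::1
nameserver 127.0.0.1
options edns0'

# Constructed sample: the file after other software rewrote it. 127.0.0.53 is
# loopback too, but it is the systemd-resolved stub rather than the proxy.
RESOLV_LEAKY='# Generated by NetworkManager
nameserver 127.0.0.1
nameserver 127.0.0.53
nameserver 192.168.1.1
options edns0'

# On a live system: stray_resolvers < /etc/resolv.conf
if strays=$(printf '%s\n' "$RESOLV_LEAKY" | stray_resolvers); then
    echo "all queries go to the local proxy"
else
    echo "resolvers that bypass the proxy:"; echo "$strays"
fi
```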

Windows

dnscrypt-proxy
Test dnscrypt-proxy

In the terminal, go to the DNSCrypt installation directory:

cd 'C:\Program Files\DNSCrypt\win64\'

Create a configuration file based on the example one:

copy example-dnscrypt-proxy.toml dnscrypt-proxy.toml

Run:

.\dnscrypt-proxy.exe

If dnscrypt-proxy is running, press Ctrl+C in the terminal window to stop it. Then, to launch the server in a separate window, run:

start dnscrypt-proxy

Switch to your previous terminal window. Check that everything works by sending a first query using dnscrypt-proxy:

.\dnscrypt-proxy.exe -resolve example.com
Change the system DNS settings
  1. Go to the Control Panel.

  2. Click Network and Internet > Network and Sharing Center > Change adapter settings.

  3. Select the connection for which you want to configure Google Public DNS. For example:

    • To change the settings for an Ethernet connection, right-click the Ethernet interface and select Properties.
    • To change the settings for a wireless connection, right-click the Wi-Fi interface and select Properties.

    If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  4. Select the Networking tab. Under This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6) and then click Properties.

  5. Click Advanced and select the DNS tab. If there are any DNS server IP addresses listed there, write them down for future reference, and remove them from this window.

  6. Click OK.

  7. Select Use the following DNS server addresses. If there are any IP addresses listed in the Preferred DNS server or Alternate DNS server, write them down for future reference.

  8. Replace those addresses with the IP addresses of the DNSCrypt servers or the Google DNS servers:

    DNSCrypt servers:

    • 127.0.0.1

    Google DNS servers:

    • For IPv4: 8.8.8.8 and/or 8.8.4.4.
    • For IPv6: 2001:4860:4860::8888 and/or 2001:4860:4860::8844.
    • For IPv6-only: you can use Google Public DNS64 instead of the IPv6 addresses in the previous point.
  9. Test that your setup is working correctly.

Install the proxy as a system service

Hit Control and C in the dnscrypt-proxy terminal window to stop the proxy.

Register dnscrypt-proxy as a system service:

.\dnscrypt-proxy -service install

Start the service

.\dnscrypt-proxy -service start

Stop the service

.\dnscrypt-proxy -service stop

Restart the service after a configuration file change

.\dnscrypt-proxy -service restart

Uninstall the service

.\dnscrypt-proxy -service uninstall

Check that DNS resolution works

.\dnscrypt-proxy -resolve example.com

Completely delete

.\dnscrypt-proxy -service uninstall
winget uninstall DNSCrypt.dnscrypt-proxy

Subscription

Shadowsocks

https://github.com/mahdibland/V2RayAggregator

ShadowsocksR

https://github.com/mahdibland/V2RayAggregator

https://www.youneed.win/free-ssr

https://lncn.org/

V2ray

https://github.com/freefq/free

https://github.com/xrayfree/free-ssr-ss-v2ray-vpn-clash

https://github.com/yebekhe/TelegramV2rayCollector

https://github.com/ermaozi01/free_clash_vpn

https://github.com/ermaozi/get_subscribe

https://github.com/Pawdroid/Free-servers

https://github.com/aiboboxx/v2rayfree

https://github.com/mfuu/v2ray

https://github.com/mahdibland/V2RayAggregator

https://github.com/mianfeifq/share

Clash

https://github.com/WilliamStar007/ClashX-V2Ray-TopFreeProxy

https://github.com/aiboboxx/clashfree

https://github.com/mahdibland/V2RayAggregator

https://github.com/ermaozi01/free_clash_vpn

https://github.com/ermaozi/get_subscribe

https://github.com/peasoft/NoMoreWalls

https://github.com/Leon406/SubCrawler

Trojan

https://github.com/freefq/free

https://github.com/sharkDoor/vpn-free-nodes

Last choice

https://github.com/Alvin9999/new-pac/wiki

Reference

Great Firewall

Internet censorship circumvention

https://github.com/hoochanlon/hamulete