Why do you need scientific Internet access?
A thousand words boil down to one sentence: the information density of the domestic Chinese Internet is simply too low.
In the computer field, scientific Internet access is an essential skill for almost every programmer who wants to learn. Its uses include, but are not limited to:
Accurately searching for and crawling the information you need on the Internet, and faster downloads of software and projects whose servers are located abroad
Learning from the experience and tutorials of bloggers on YouTube and similar sites, and following international gossip on Facebook, Twitter and other social tools
Enjoying the original viewing experience on Netflix, Hulu, HBO, iPlayer, Amazon and the like
Enjoying free, high-quality education and public resources abroad, and trying to keep yourself in step with the international pace
Something I occasionally see: people who use Baidu + Youku year-round and people who use Google + YouTube year-round receive information and gain horizons that are not in the same order of magnitude at all. On WeChat, QQ and Weibo, you can only grit your teeth and put up with it.
As for how low the information density of the domestic Chinese Internet really is, here is a simple example:
Three of the top five results found on Baidu are from CSDN. Let’s open the recommended one and take a look.
Apart from that one, most of the remaining CSDN content is padding and copy-paste; a search turns up dozens of answers that are word for word identical.
Some platforms and companies rely on an information monopoly to enjoy the dividends of open source while draining its blood. The consequence of treating people as consumables is the complete collapse of the ecosystem.
Views on climbing over the wall
Again, having a wall is not necessarily a bad thing, and not having a wall is not necessarily a good thing.
There is no impenetrable wall in this world, and no eternal ladder. The relationship between the wall and the ladder is subtle: the ladder is more an access barrier than a loophole, and much of the time it is simply a matter of turning a blind eye.
Introduction to Mainstream Protocols
This article introduces the mainstream scientific Internet access protocols in roughly chronological order of their development. There is an essential difference between a VPN and a proxy server, and the two work at different layers, so I introduce them separately.
VPN
The first thing to understand is that VPN technology itself is not used exclusively to get past the wall to the outside network. The technology has long been mature and is still actively optimized; many large companies choose it as an encrypted communication protocol, and it has a wide range of commercial applications, so it is almost impossible to block it completely at present. For those who are non-technical, do not want the hassle, and only occasionally need a ladder, mature VPN software does offer a very good experience; after all, you just pay for it.
As for the shortcomings, they are very obvious: unstable and expensive. During the high-pressure period each year, around the time of the big meetings, it is almost fatal, and the VPN providers that once survived have now basically disappeared. Only a few large providers remain, such as BatVPN; they have professional technology in this area and, above all, so many IPs that they can fight the wall. (Not an advertisement.)
Most of the friends who can read my article are probably not the target customers of VPNs. In your eyes a VPN may already be a ladder technology that is not recommended and never used, but according to my survey VPN users still account for a considerable proportion; they are the "silent majority" of the Internet. Their requirement for a ladder is to go out a few days a week to look up information or find some learning material. The ease of use of VPNs makes them still the first choice for most people who have no deep contact with the Internet and no technical skill for getting over the wall.
Are VPNs really useless? Certainly not. The correspondence between the five-layer TCP/IP model and the seven-layer OSI model is as follows:
The protocols implemented at each layer are different, which is to say the services provided at each layer are different.
Compared with the Socks5 proxy approach, a VPN still has certain advantages in principle. A VPN works very close to the bottom layer and can realize a global proxy in the true sense: traffic that socks5 does not forward, including ARP, DHCP, ICMP and so on, is forwarded too. This amounts to virtualizing a network card on your computer; in the eyes of a third party, your IP is the VPN's IP. This is why most game accelerators are now implemented with VPN technology.
IPsec
The IPsec protocol has a long history; since the late 1990s, IPsec support has been included in most major operating systems, desktop and server alike, as well as routers and other network security devices.
IPsec has two working modes:
Tunnel mode: the user's entire IP packet is used to calculate the AH or ESP header, and the AH or ESP header together with the ESP-encrypted user data is encapsulated in a new IP packet. Tunnel mode is usually applied to communication between two security gateways.
Transport mode: only the transport-layer data is used to calculate the AH or ESP header, and the AH or ESP header together with the ESP-encrypted user data is placed after the original IP header. Transport mode is typically used for communication between two hosts, or between a host and a security gateway.
Since the IPsec protocol is rather old, it is mentioned here only as an introduction. If you do not work in the networking industry, there is no need to understand it deeply.
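An added Python model (not from the original post) of the two ESP encapsulations described above, using the RFC 4303 framing (SPI, sequence number, padding, pad length, next header) but applying no real cipher: each function returns the on-the-wire layout plus the byte span a cipher would encrypt, so you can see which addresses an on-path observer can still read in each mode. All addresses and the TCP segment are constructed samples.

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50


def _octets(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _dotted(raw):
    return ".".join(str(b) for b in raw)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (constructed; checksum left as 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, _octets(src), _octets(dst))


def esp_wrap(spi, seq, inner, next_header, align=4):
    """RFC 4303 ESP framing: SPI | SEQ | inner | padding | pad length | next header.

    Returns (cleartext header, the part a cipher would encrypt). Padding bytes
    are 1, 2, 3, ... so that inner + padding + 2 is a multiple of `align`.
    """
    pad_len = (-(len(inner) + 2)) % align
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq), inner + trailer


def transport_mode(src, dst, tcp_segment, spi=0x1000, seq=1):
    """Transport mode: the original IP header stays in the clear, the ESP
    header follows it, and only the transport-layer data is protected."""
    esp_hdr, protected = esp_wrap(spi, seq, tcp_segment, IPPROTO_TCP)
    outer = ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(protected))
    return outer + esp_hdr + protected, protected


def tunnel_mode(gw_a, gw_b, src, dst, tcp_segment, spi=0x2000, seq=1):
    """Tunnel mode: the whole original packet (header and data) becomes the
    ESP payload, wrapped in a new IP header addressed gateway to gateway."""
    inner_pkt = ipv4_header(src, dst, IPPROTO_TCP, len(tcp_segment)) + tcp_segment
    esp_hdr, protected = esp_wrap(spi, seq, inner_pkt, IPPROTO_IPIP)
    outer = ipv4_header(gw_a, gw_b, IPPROTO_ESP, len(esp_hdr) + len(protected))
    return outer + esp_hdr + protected, protected


def visible_endpoints(packet):
    """What an on-path observer reads from the cleartext outer header:
    (source, destination, protocol number)."""
    return _dotted(packet[12:16]), _dotted(packet[16:20]), packet[9]


if __name__ == "__main__":
    seg = b"constructed TCP segment"
    pkt, _ = transport_mode("10.0.0.1", "10.0.0.2", seg)
    tun, _ = tunnel_mode("203.0.113.1", "198.51.100.1", "10.0.0.1", "10.0.0.2", seg)
    print(visible_endpoints(pkt), visible_endpoints(tun))
```

In transport mode the observer still sees the real host addresses; in tunnel mode only the two gateway addresses and protocol 50 are visible, and the inner header sits entirely inside the protected span.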
OpenVPN
The famous OpenVPN was first released in 2001, written by James Yonan. Unlike IPsec-based tunneling protocols, OpenVPN relies on SSL/TLS for authentication and encryption, creating a secure peer-to-peer connection. SSL encryption is still very reliable and is widely used today to protect financial transactions, data transfers, email and so on.
OpenVPN is compatible with most operating systems in use today. It supports TCP or UDP and up to 256-bit encryption, and most importantly, it is open source! This does make it very extensible, but the same openness makes it easy for the wall to catch.
Most game accelerators and some VPN providers are now built on the OpenVPN protocol. However, I think using OpenVPN to get over the wall is a waste of its talent; its greater value lies in its underlying traffic forwarding and strong data encryption.
Compared with getting over the wall, I see OpenVPN more often in various gray industries, such as zero-rated traffic tricks, bypassing WiFi authentication via IPv6, passing campus network authentication, and so on.
WireGuard
WireGuard is an open-source VPN protocol written in C by Jason Donenfeld et al. It is considered a next-generation VPN protocol designed to solve many of the problems that plague other VPN protocols such as IPsec/IKEv2, OpenVPN or L2TP. It has some similarities to modern VPNs like Tinc and MeshBird in terms of advanced encryption and simple configuration. As of January 2020 it has been merged into version 5.6 of the Linux kernel, which means users of most Linux distributions will have WireGuard out of the box.
As a newly developed VPN protocol, WireGuard has obvious advantages over current mainstream VPN technology and is called the next-generation VPN. WireGuard has the following features:
Advantages:
The configuration is streamlined and the default values can be used directly.
Minimal key management is required: only one public key and one private key per host.
Runs as a Linux kernel module, just like a normal Ethernet interface, with a small resource footprint.
Some or all traffic can be sent to any host in the LAN through WireGuard.
It automatically reconnects once a network failure is resolved, which hits the sore spot of other VPNs.
Compared with current mainstream VPN protocols, the connection is faster and the latency is lower.
It uses more advanced cryptography, with forward secrecy and resistance to downgrade attacks.
Supports any type of layer 2 network traffic, such as ARP, DHCP and ICMP, not just TCP/HTTP.
It can run on the host to provide communication between containers, or run in a container to provide communication between hosts.
Disadvantages:
It is at an early stage of development, and various functions and support still need to be improved.
Because it uses UDP, TCP acceleration tools such as BBR and Ruisu are ineffective for WireGuard.
Some carriers may apply QoS rate limiting to UDP, and WireGuard is affected to a certain extent.
The client-side traffic splitting function is weak, and support for GFWList is insufficient.
Having said all that, WireGuard is really a VPN tool that forwards traffic over UDP. Its biggest advantage is also its biggest disadvantage: forwarding over UDP can indeed interfere effectively with the wall's blocking, but its stability is really nothing to write home about. That others can use it does not mean you should. The main reason WireGuard has survived until now is that too few people use it.
WireGuard is good, but its purpose should not be getting over walls.
Compared with OpenVPN, a huge project with hundreds of thousands of lines of code, WireGuard's code base of just over 4,000 lines is simply a work of art.
socks5
If you want to surf the Internet scientifically, stably and efficiently over the long term, you basically must master socks5-type proxies.
A socks5-type proxy server works at the session/application layer of the network stack, and a lot of traffic cannot be proxied. Even with so-called global mode enabled, games cannot be accelerated, because game network traffic generally runs directly at the transport layer, and ICMP commands like ping and traceroute naturally cannot pass through the proxy. (Of course, there are ways to use software to forcibly take over a virtual network card and achieve a truly global proxy, such as SSTap, tun2socks and so on.)
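To make the scope of a socks5 proxy concrete, here is an added Python example (not from the original post) that encodes and parses the RFC 1928 client request exactly as a proxy server sees it. The command field only has room for TCP CONNECT, BIND and UDP ASSOCIATE, so ping or traceroute has no representation at all, and the destination address and port travel to the proxy in plaintext; the hostnames and addresses used are constructed samples.

```python
import socket
import struct

# RFC 1928 field values
SOCKS_VER = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def build_greeting(methods=(NO_AUTH,)):
    """Client greeting: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def build_request(cmd, host, port):
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.

    Only the three commands above exist; there is no way to express an ICMP
    echo (ping) or an ARP/DHCP exchange, which is the limit described above.
    """
    if cmd not in (CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE):
        raise ValueError("SOCKS5 cannot carry this kind of traffic")
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")  # hostname; the proxy resolves it
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data):
    """Decode a client request as the proxy does; returns (cmd, host, port).

    Everything parsed here is readable by anyone on the path between the
    client and the proxy: plain SOCKS5 adds no encryption of its own.
    """
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end, host = 8, socket.inet_ntop(socket.AF_INET, data[4:8])
    elif atyp == ATYP_IPV6:
        end, host = 20, socket.inet_ntop(socket.AF_INET6, data[4:20])
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("request length does not match address type")
    return cmd, host, struct.unpack("!H", data[end:end + 2])[0]


if __name__ == "__main__":
    req = build_request(CMD_CONNECT, "example.com", 443)  # constructed sample
    print(req.hex(), parse_request(req))
```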
Shadowsocks
Shadowsocks can be said to be the grandfather of all the subsequent proxy-server relay methods that appeared after VPNs could be accurately identified and blocked by the wall.
Shadowsocks was developed from the start to get over the wall. The implementation principle was simple and brutal, going straight for the jugular; from a programming perspective, it went directly to solving the problem.
Many people say shadowsocks can be accurately identified by the wall; after all, even the author of ss was invited to "drink tea". As a first-generation proxy program, many loopholes were not well patched, so the wall was able to accurately identify the traffic characteristics of ss.
But as far as I know, apart from the bug at the beginning where certain non-AEAD encrypted data could be accurately identified (since fixed), I have not actually obtained substantive evidence that ss has been blocked. Most people who hammer shadowsocks were blocked because their own server was too conspicuous. In fact, the wall's blocking mechanism is extremely complicated; the detection mechanism includes, but is not limited to, IP ranges, traffic headers, ports, data volume, manual intervention and so on, and this cannot be blamed entirely on ss.
Shadowsocks introduced the concept of splitting the proxy into a local and a remote part, which encrypts all traffic passing through the wall and neatly avoids the characteristic weakness of earlier VPNs, which still kept part of the communication in plaintext.
The biggest difference from a VPN is that a VPN first sends plaintext packets to establish the encrypted channel, a fixed routine with obvious features, whereas shadowsocks encrypts locally and then sends to the proxy server, with the data fully encrypted while it passes through the wall, so the features are not obvious.
In addition, shadowsocks has the lowest communication delay (RTT) among current socks5 proxy types, because its packet handshake is the shortest.
For now, shadowsocks still offers the best experience: the simplest, the fastest, and the most extreme expression of brute-force aesthetics.
ShadowsocksR
SSR is an optimized version of shadowsocks, but by a different author.
After the author of ss was invited to drink tea, an account named breakwa11 appeared on GitHub, claiming that ss was easily detected by the firewall, and made improvements in obfuscation and protocol so that it was less likely to be detected while remaining compatible with ss. The improved project was called shadowsocks-R, ssr for short. ss users and ssr users naturally split into two factions and fought each other, until at some point breakwa11 was doxxed (one account says it was a friend of breakwa11 who was doxxed; see note). In desperation, the ssr code was deleted and all related groups were disbanded.
Personally, I don't think it is necessary to agonize over ss versus ssr. If you are an "airport" (subscription service) user, ss is undoubtedly the first choice; after all, the experience is the best, and if it gets blocked, that is not your problem.
VMess
VMess is a protocol developed in-house for the V2Ray core.
Let me first introduce V2Ray, a highly flexible platform. The difference from the VPN and Shadowsocks types above is that V2Ray is a core, not a standalone program: it is a framework, which gives developers more freedom.
Since June 2020, some very insecure bugs have been found in the V2Ray platform. It is recommended that you switch to the Xray core as soon as possible, or change protocol!
V2Ray is like stacking building blocks, building up the ladder one step at a time, which may not be too friendly to beginners with limited technical skill, and the nesting-doll problem on V2Ray is serious. V2Ray can be used as follows:
vmess
vmess + tls
vmess + websocket + tls
vmess + websocket + tls + nginx
vmess + websocket + tls + Nginx + Cloudflare (CDN)
From top to bottom, the layers nest like matryoshka dolls. The more layers, the safer, and of course the slower. If you really build it from scratch, it is a real headache. Fortunately, a master has developed a one-click script, and interested friends can search for it themselves.
VLess
VLESS can be understood as a lightweight version of VMess. VLESS is a stateless, lightweight transport protocol, divided into inbound and outbound parts, and can act as a bridge between the V2Ray client and server.
Unlike VMess, VLESS does not depend on system time; authentication is also by UUID, but alterId is not required.
Similarly, like VMess, it supports both V2Ray and the latest Xray. Nesting dolls:
vless
vless + tls
vless + websocket + tls
vless + websocket + tls + web
vless + websocket + tls + web + Cloudflare (CDN)
Trojan
According to the explanation on the official website, Trojan's design concept is the opposite of traditional protocols: Trojan does not use strong encryption and random obfuscation, but directly imitates HTTPS, the most common protocol on the Internet, to achieve its design goal.
Of course, this is obviously nonsense. HTTPS itself contains encryption, and TLS 1.3 is even stronger encryption that cannot be broken by simple means today. Trojan uses the characteristics of HTTPS and therefore comes with encryption built in, but that encryption is used by everyone, so the description on the official website is inaccurate.
It is not hard to see that if V2Ray uses WS + TLS, its protocol is not much different from Trojan itself. The two differ in how the connection is established, but from the traffic itself, or from a third party's perspective, it is hard to tell them apart. That is, to third-party monitoring, both kinds of protocol behave like ordinary traffic, which is what they have in common.
Therefore, considering only the transmission speed of actual traffic, Trojan must in principle be faster than V2Ray. It is not that Trojan has any black technology, but that Trojan is simpler than V2Ray. We can think of Trojan as a simplified version of the V2Ray WS+TLS protocol (not a simple equivalent). This may be Trojan's design concept; I think it would be better to introduce Trojan as a protocol that completes the connection in a simple way using the most common and safest form on the Internet.
Trojan-go
Trojan-Go can be seen as an enhanced version of Trojan; most importantly, it supports WebSocket and multiplexing! It is also the scientific Internet access method I mainly use myself; it is not only very stable but also a good experience.
Trojan-Go with WebSocket support can be said to be basically immortal: once WebSocket is supported you can put it behind a CDN, which hides the real IP (harking back to V2Ray's ultimate matryoshka version), and it supports multiplexing, which significantly improves page loading speed.
The biggest disadvantage of Trojan is actually one of its advantages: port 443 is used for output, and this is the same whether it is Trojan or Trojan-Go.
There is nothing wrong with using port 443, but many of my friends' servers are not only used to build ladders; they may also install a Pagoda (BT) panel, host a small website, or do other things. If you run the Trojan service and port 443 is occupied, the other services cannot run.
Here is a solution idea from a big shot: How to make Trojan share port 443
If you can successfully tie Trojan to your own website or other services, so that the Trojan server has some genuine daily active IPs, then this is the ultimate form of disguise for scientific Internet access!
NaiveProxy
NaiveProxy came onto the scene at the end of 2019. Only after the news of the V2Ray VMess vulnerability did NaiveProxy come to wider attention and spread rapidly.
In fact, the author's development idea is very clear, because the era of obfuscation and encryption in scientific Internet access protocols has passed. Many examples have proved that obfuscation itself becomes a target of attack or censorship, and home-made encryption protocols are ultimately no match for what scholars specializing in cryptography have built.
So the author's idea is to use the network stack of the most common browser to evade the wall's inspection. Because the cost of inspecting the network stack of a common browser is still very high, this greatly reduces the risk of our nodes or VPS being blocked or banned.
For using NaiveProxy, I personally recommend building it yourself with NaiveProxy + TLS + Caddy, or you can use ProxySU to build it.
MTProto
It is rarely used; it is a proxy protocol dedicated to Telegram. Interested friends can look into it themselves.
Epilogue
A good line is far more important than agonizing over protocols and optimizations; good protocols and optimizations are just icing on the cake, and a stable line is the fundamental core!