What is a tunnel relay

Published by Chris on

Outbound connectivity from mainland China keeps getting worse, so many people relay their traffic through a domestic server: a BGP multi-line host at Alibaba Cloud or Tencent Cloud, for example, forwards the traffic on to a line such as Hong Kong PCCW or Japan NTT.
Most of them use the simplest forwarding there is, iptables or socat, which passes the received packets on to the landing node unchanged. That was fine at first, but since 2020 the wall has kept showing its strength: a direct SS/SSR connection is identified and blocked very quickly, and especially so around the Fifth Plenary Session of the CPC Central Committee in 2020. At that point an encrypted relay tunnel stops being optional.

Using a self-built GOST secure tunnel to relay encrypted traffic for getting around the GFW ("scientific Internet access", as the Chinese euphemism goes)
1. The birth of the tunnel-relay airport
As everyone knows, the GFW identifies SS/SSR traffic ever more accurately and blocks it almost at will, V2Ray is gradually being targeted and seriously interfered with as well, and IPLC/IEPL private lines cost too much. Hence the virtual private line as a replacement for a physical IPLC/IEPL link: strong encryption plus obfuscation to get past the GFW's detection and blocking. At the same time, the speed of a connection between an ordinary circumvention proxy and a user inside China depends heavily on the user's local network and is extremely unstable; putting a BGP multi-line data-center server at the domestic entry point eases this considerably, and it costs far less than a physical dedicated line. The technique is really the same as a VPN; the difference is emphasis: a VPN is about encryption, while an airport's tunnel-relay line is about obfuscation, hiding the fact that a tunnel exists at all. Tunnel-relay lines therefore quickly took center stage in the fight against the GFW and keep growing in popularity. (In the jargon, an "airport" is a commercial proxy-subscription service.)

2. What is a tunnel relay?
Tunneling is the technique of encapsulating one network protocol inside another for transport. A tunnel relay is a virtual dedicated channel set up between the user's side and the endpoint; the traffic between user and server is encrypted inside that channel so that the GFW cannot inspect it. The tunnel can carry the forwarded traffic over a range of protocols, such as HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5, though only the TLS-wrapped variants encrypt anything by themselves; plain HTTP or SOCKS merely frames the connection. Compared with an ordinary circumvention protocol, a tunnel relay adds one more forwarding hop (an extra relay server, and so extra cost), but on that hop the traffic can be re-encrypted and obfuscated, which noticeably lowers the chance that the GFW identifies the SS/SSR/V2Ray proxy traffic and improves transfer efficiency.

3. How tunnel relaying works and the types of tunnel

The structure of the tunnel-relay line an airport uses is: user – [domestic BGP multi-line server – server outside mainland China] – target website. The link between the domestic BGP multi-line server and the server outside mainland China is what we call the tunnel. Compared with the earlier circumvention proxy, the tunnel relay inserts a domestic BGP multi-line server as a relay springboard, which adds cost but clearly improves speed and stability.

The difference between tunnel relaying and packet forwarding with iptables and the like:

The relay servers one normally meets use tools such as iptables or socat to forward packets (traffic) directly to the landing server. With this kind of forwarding the relay does nothing to the traffic beyond rewriting addresses (iptables DNAT) or re-originating the TCP connection (socat): no encryption, no obfuscation, the payload reaches the landing server exactly as it arrived. A tunnel-relay server processes the traffic again (encrypting and obfuscating it, for example) before sending it on. As shown below:

[Figure: iptables traffic forwarding versus tunnel relaying]

Which forwards traffic more efficiently, a tunnel or iptables? According to some experts, tunnel relaying is faster, but I have not done an actual comparison test. Also, UDP transport is not recommended in the domestic network environment. As for security, tunnel relaying beats iptables forwarding, since the relay-to-landing leg gains at least one more layer of encryption; combining it with obfuscation to fool the GFW works better still.

There are currently two main ways to implement tunnel relaying:

(1) A TLS-encrypted tunnel: the packets are encrypted with TLS (or another encryption method) for transmission and are decrypted at the landing node, which forwards them to the final exit. Examples: Stunnel, GOST, Brook, Ehco.

(2) A VPN overlay: two machines in different places are joined into one virtual intranet and traffic is forwarded directly inside it, so the networking tool does the encryption. Examples: ZeroTier, WireGuard.

Since a VPN is a specific encryption protocol with obvious features, and WireGuard is built on UDP, which the mainland China network environment treats poorly, the only practical choice is a TCP-based TLS-encrypted tunnel, which on the wire looks like ordinary HTTPS.
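To make the difference between plain forwarding and a TLS tunnel concrete, here is an added Go example; it is not code from the original post or from any of the tools named above. It runs every role on loopback: a user, a transit node, a landing node, an echo service standing in for the target, and a tap on the transit-to-landing socket that keeps the first bytes sent, which is all an observer on that link gets to see. With `tunnel=false` the transit node copies bytes unchanged, as iptables DNAT or socat do; with `tunnel=true` it wraps the onward leg in TLS with the landing node's certificate pinned, which is the job a `tls://` node in GOST's forward chain does (the `-F` option of the v2 command line; the exact invocation is left to the GOST documentation). The self-signed certificate generated in memory, the name `landing`, the ephemeral ports and the request bytes are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// selfSignedCert: in-memory landing certificate plus the pool that pins it (assumed setup; a real deployment keeps a persistent key pair).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"landing"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// listen serves the first connection accepted (enough for one hop here), as a TLS server when cfg is set, and returns the address to dial.
func listen(cfg *tls.Config, handle func(net.Conn)) string {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	if cfg != nil {
		ln = tls.NewListener(ln, cfg)
	}
	go func() { c, _ := ln.Accept(); handle(c) }() // Accept only fails once ln is closed
	return ln.Addr().String()
}

// bridge copies both directions until one side closes, or drops c if the upstream dial failed.
func bridge(c, up net.Conn, err error) {
	if err != nil {
		c.Close()
		return
	}
	go func() { io.Copy(c, up); c.Close() }()
	io.Copy(up, c)
	up.Close()
}

// tapConn keeps the first bytes written on the transit->landing socket: what a censor on that link sees, before any TLS termination.
type tapConn struct {
	net.Conn
	once sync.Once
	seen chan []byte
}
func (t *tapConn) Write(b []byte) (int, error) {
	t.once.Do(func() { t.seen <- append([]byte(nil), b...) })
	return t.Conn.Write(b)
}

// Relay sends msg as the user through transit -> landing -> target and returns the echoed reply plus the first bytes seen on the wire between transit and landing.
func Relay(tunnel bool, msg string) (string, []byte, error) {
	cert, pool := selfSignedCert()
	seen := make(chan []byte, 1)
	target := listen(nil, func(c net.Conn) { io.Copy(c, c); c.Close() }) // echo = final service
	landing := target // plain forwarding hands packets straight to the target
	if tunnel {       // landing node: terminate TLS, then forward the plaintext on
		landing = listen(&tls.Config{Certificates: []tls.Certificate{cert}}, func(c net.Conn) {
			up, err := net.Dial("tcp", target)
			bridge(c, up, err)
		})
	}
	// Transit node: copy bytes unchanged (iptables DNAT / socat), or wrap the onward
	// leg in TLS with the landing certificate pinned (the job of a GOST tls:// hop).
	transit := listen(nil, func(c net.Conn) {
		raw, err := net.Dial("tcp", landing)
		var up net.Conn = &tapConn{Conn: raw, seen: seen}
		if tunnel && err == nil {
			up = tls.Client(up, &tls.Config{RootCAs: pool, ServerName: "landing"})
		}
		bridge(c, up, err)
	})
	c, err := net.Dial("tcp", transit)
	if err != nil {
		return "", nil, err
	}
	defer c.Close()
	c.Write([]byte(msg))
	reply := make([]byte, len(msg))
	if _, err := io.ReadFull(c, reply); err != nil {
		return "", nil, err
	}
	return string(reply), <-seen, nil
}

func main() {
	reply, wire, err := Relay(true, "GET / HTTP/1.1\r\n")
	fmt.Printf("reply=%q err=%v wire=%q\n", reply, err, wire)
}
```

On the plain path (`Relay(false, ...)`) the tap records `GET / HTTP/1.1` in the clear; on the tunnel path it records the start of a TLS ClientHello (record type 0x16, version 0x03), and only the landing node, which holds the key, ever sees the request. Two caveats follow directly from the code. First, pin or otherwise verify the landing certificate in the transit node: a relay that dials `tls://` with verification switched off hands every user's traffic to whoever intercepts the outbound leg. Second, the ClientHello still carries the server name in clear, and a TLS endpoint answering with a self-signed certificate on an unusual port is itself a fingerprint; that residual visibility is exactly what the obfuscation the post keeps mentioning is meant to cover.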

Categories: knowledge