bepass's Introduction

Bepass: A DPI-nightmare proxy


          _____                     _____                     _____                     _____                     _____                     _____          
         /\    \                   /\    \                   /\    \                   /\    \                   /\    \                   /\    \         
        /::\    \                 /::\    \                 /::\    \                 /::\    \                 /::\    \                 /::\    \        
       /::::\    \               /::::\    \               /::::\    \               /::::\    \               /::::\    \               /::::\    \       
      /::::::\    \             /::::::\    \             /::::::\    \             /::::::\    \             /::::::\    \             /::::::\    \      
     /:::/\:::\    \           /:::/\:::\    \           /:::/\:::\    \           /:::/\:::\    \           /:::/\:::\    \           /:::/\:::\    \     
    /:::/__\:::\    \         /:::/__\:::\    \         /:::/__\:::\    \         /:::/__\:::\    \         /:::/__\:::\    \         /:::/__\:::\    \    
   /::::\   \:::\    \       /::::\   \:::\    \       /::::\   \:::\    \       /::::\   \:::\    \        \:::\   \:::\    \        \:::\   \:::\    \   
  /::::::\   \:::\    \     /::::::\   \:::\    \     /::::::\   \:::\    \     /::::::\   \:::\    \     ___\:::\   \:::\    \     ___\:::\   \:::\    \  
 /:::/\:::\   \:::\ ___\   /:::/\:::\   \:::\    \   /:::/\:::\   \:::\____\   /:::/\:::\   \:::\    \   /\   \:::\   \:::\    \   /\   \:::\   \:::\    \ 
/:::/__\:::\   \:::|    | /:::/__\:::\   \:::\____\ /:::/  \:::\   \:::|    | /:::/  \:::\   \:::\____\ /::\   \:::\   \:::\____\ /::\   \:::\   \:::\____\
\:::\   \:::\  /:::|____| \:::\   \:::\   \::/    / \::/    \:::\  /:::|____| \::/    \:::\  /:::/    / \:::\   \:::\   \::/    / \:::\   \:::\   \::/    /
 \:::\   \:::\/:::/    /   \:::\   \:::\   \/____/   \/_____/\:::\/:::/    /   \/____/ \:::\/:::/    /   \:::\   \:::\   \/____/   \:::\   \:::\   \/____/ 
  \:::\   \::::::/    /     \:::\   \:::\    \                \::::::/    /             \::::::/    /     \:::\   \:::\    \        \:::\   \:::\    \     
   \:::\   \::::/    /       \:::\   \:::\____\                \::::/    /               \::::/    /       \:::\   \:::\____\        \:::\   \:::\____\    
    \:::\  /:::/    /         \:::\   \::/    /                 \::/____/                /:::/    /         \:::\  /:::/    /         \:::\  /:::/    /    
     \:::\/:::/    /           \:::\   \/____/                   ~~                     /:::/    /           \:::\/:::/    /           \:::\/:::/    /     
      \::::::/    /             \:::\    \                                             /:::/    /             \::::::/    /             \::::::/    /      
       \::::/    /               \:::\____\                                           /:::/    /               \::::/    /               \::::/    /       
        \::/____/                 \::/    /                                           \::/    /                 \::/    /                 \::/    /        
         ~~                        \/____/                                             \/____/                   \/____/                   \/____/                      

Introduction

Bepass is an advanced tool designed to bypass Iran's Deep Packet Inspection (DPI) system using a TLS client hello splitting attack. It also enables the deployment of a VLESS-like proxy on Cloudflare Workers. This README provides an overview of the project's features, build instructions, deployment guidelines, and more.

Features

  • DPI Bypass: Supports all of Iran's network carriers with customized TLS hello packet length adjustments.
  • DNS Over HTTPS (DOH) Support: Facilitates secure and private DNS resolution.
  • Server Name Indication DNS (SDNS) Support: Enhances DNS resolution efficiency.
  • Cross-Platform Compatibility: Suitable for various operating systems.

Usage

You can run the CLI version of Bepass as follows:

  1. Download the latest release for your operating system.
  2. Extract the zip file.
  3. Create a config.json file in the same directory as the executable file.
  4. Run the executable file.

Example configuration (config.json file) for IR-MCI:

{
  "TLSHeaderLength": 5,
  "TLSPaddingEnabled": false,
  "TLSPaddingSize": [
    40,
    80
  ],
  "RemoteDNSAddr": "https://1.1.1.1/dns-query",
  "EnableDNSFragmentation": false,
  "DnsCacheTTL": 3000000,
  "DnsRequestTimeout": 10,
  "BindAddress": "0.0.0.0:8085",
  "ChunksLengthBeforeSni": [
    2000,
    2000
  ],
  "SniChunksLength": [
    1,
    2
  ],
  "ChunksLengthAfterSni": [
    2000,
    2000
  ],
  "DelayBetweenChunks": [
    10,
    20
  ],
  "WorkerAddress": "https://<your_worker>.workers.dev/dns-query",
  "WorkerIPPortAddress": "104.16.246.91:8443",
  "WorkerEnabled": true,
  "WorkerDNSOnly": false,
  "EnableLowLevelSockets": false,
  "Hosts": [
    {
      "Domain": "yarp.lefolgoc.net",
      "IP": "5.39.88.20"
    }
  ],
  "UDPBindAddress": "0.0.0.0",
  "UDPReadTimeout": 120,
  "UDPWriteTimeout": 120,
  "UDPLinkIdleTimeout": 120
}

Configuration Parameters

  1. "TLSHeaderLength": 5: Specifies the length of the TLS header, which is set to 5 bytes.

  2. "TLSPaddingEnabled": false: Enables or disables TLS padding (disabled here).

  3. "TLSPaddingSize": [40, 80]: Sets the TLS padding size range to be between 40 and 80 bytes.

  4. "RemoteDNSAddr": "https://1.1.1.1/dns-query": Specifies the remote DNS address for DNS queries. In this case, it's set to Cloudflare's DNS over HTTPS (DOH) service.

  5. "EnableDNSFragmentation": false: Enables or disables DNS fragmentation (disabled here).

  6. "DnsCacheTTL": 3000000: Sets the Time To Live (TTL) for DNS cache entries, in seconds.

  7. "DnsRequestTimeout": 10: Sets the timeout for DNS requests to 10 seconds.

  8. "BindAddress": "0.0.0.0:8085": Sets the bind address for the proxy server to listen on all available network interfaces (0.0.0.0) on port 8085.

  9. "ChunksLengthBeforeSni": [2000, 2000]: Specifies the length of chunks before the Server Name Indication (SNI) in the TLS handshake to be 2000 bytes.

  10. "SniChunksLength": [5, 10]: Sets the SNI chunk length to be between 5 and 10 bytes.

  11. "ChunksLengthAfterSni": [2000, 2000]: Specifies the length of chunks after the SNI in the TLS handshake to be 2000 bytes.

  12. "DelayBetweenChunks": [10, 20]: Sets the delay between sending chunks to be between 10 and 20 milliseconds.

  13. "WorkerAddress": "https://<your_worker>.workers.dev/dns-query": Specifies the Cloudflare Worker address for proxy services.

  14. "WorkerIPPortAddress": "104.17.196.93:2096": Sets the IP address and port for the Cloudflare Worker. Find a clean Cloudflare IP and replace this one with it to get better performance, depending on your internet quality and ISP.

  15. "WorkerEnabled": true: Enables or disables the use of the Cloudflare Worker (enabled here).

  16. "WorkerDNSOnly": false: Indicates whether the Cloudflare Worker should be used for DNS queries only. Set it to true if you just want DoH over the worker; set it to false if you want a full-fledged TCP SOCKS5 proxy over the worker.

  17. "EnableLowLevelSockets": false: Enables or disables low-level socket functionality (disabled here).

  18. "Hosts": [{ "Domain": "yarp.lefolgoc.net", "IP": "5.39.88.20" }]: Specifies a list of custom hosts to map domain names to IP addresses. In this example, "yarp.lefolgoc.net" is mapped to "5.39.88.20."

  19. "UDPBindAddress": "0.0.0.0": Sets the UDP bind address to listen on all available network interfaces (0.0.0.0).

  20. "UDPReadTimeout": 120: Sets the UDP read timeout to 120 seconds.

  21. "UDPWriteTimeout": 120: Sets the UDP write timeout to 120 seconds.

  22. "UDPLinkIdleTimeout": 120: Sets the UDP link idle timeout to 120 seconds.

Please note that you should replace <your_worker> in "WorkerAddress" with your actual Cloudflare Worker address. Additionally, ensure that you configure other settings as needed for your specific use case.
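
A pre-flight check for the parameters listed above, added here as an example (it is not part of the Bepass code base): it flags malformed or reversed value pairs, bind addresses that expose the proxy on every network the host is attached to, and a WorkerAddress that still holds the <your_worker> placeholder. The names Lint, Config, wildcard and sample are hypothetical, the sample input is constructed from the README's example, and treating each pair as a [min, max] range is an assumption drawn from the descriptions above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Config holds the documented config.json keys that this linter checks.
type Config struct {
	BindAddress, UDPBindAddress, WorkerAddress             string
	WorkerEnabled                                          bool
	TLSPaddingSize, ChunksLengthBeforeSni, SniChunksLength []int
	ChunksLengthAfterSni, DelayBetweenChunks               []int
}

// sample is constructed from the README's example config (checked keys only).
const sample = `{"BindAddress":"0.0.0.0:8085","UDPBindAddress":"0.0.0.0","WorkerEnabled":true,
"WorkerAddress":"https://<your_worker>.workers.dev/dns-query","TLSPaddingSize":[40,80],"SniChunksLength":[1,2],
"ChunksLengthBeforeSni":[2000,2000],"ChunksLengthAfterSni":[2000,2000],"DelayBetweenChunks":[10,20]}`

// wildcard reports whether host is empty or an unspecified IP (0.0.0.0 or ::).
func wildcard(host string) bool {
	return host == "" || net.ParseIP(host).IsUnspecified()
}

// Lint returns one finding per problem. Assumption: each two-element array is a
// [min, max] range, as the README's "between 40 and 80 bytes" wording suggests.
func Lint(raw []byte) ([]string, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	var out []string
	keys := []string{"TLSPaddingSize", "ChunksLengthBeforeSni", "SniChunksLength",
		"ChunksLengthAfterSni", "DelayBetweenChunks"}
	vals := [][]int{c.TLSPaddingSize, c.ChunksLengthBeforeSni, c.SniChunksLength,
		c.ChunksLengthAfterSni, c.DelayBetweenChunks}
	for i, v := range vals {
		if len(v) != 2 || v[0] < 0 || v[0] > v[1] {
			out = append(out, fmt.Sprintf("%s: want [min, max] with 0 <= min <= max, got %v", keys[i], v))
		}
	}
	if host, _, err := net.SplitHostPort(c.BindAddress); err != nil || wildcard(host) {
		out = append(out, "BindAddress: not host:port, or binds every interface; use 127.0.0.1:<port> for local-only use")
	}
	if wildcard(c.UDPBindAddress) {
		out = append(out, "UDPBindAddress: binds every interface; use 127.0.0.1 for local-only use")
	}
	if c.WorkerEnabled && (c.WorkerAddress == "" || strings.ContainsAny(c.WorkerAddress, "<>")) {
		out = append(out, "WorkerAddress: WorkerEnabled is true but the address is empty or still a placeholder")
	}
	return out, nil
}

func main() {
	findings, _ := Lint([]byte(sample))
	fmt.Println(strings.Join(findings, "\n"))
}
```

Run against the README's example as published, it reports the two wildcard bind addresses and the unreplaced worker placeholder.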

Build Instructions

CLI Version

You can build the CLI version of Bepass as follows:

git clone https://github.com/uoosef/bepass.git
cd bepass/bepass
make           # Build CLI debug version
make release   # Build CLI release version

GUI Version (Work in Progress)

You can build GUI debug and release versions as follows:

  git clone https://github.com/uoosef/bepass.git
  cd bepass/bepass
  make gui # For GUI debug version
  make gui-release # For GUI release version

A graphical user interface (GUI) version of Bepass is under development. Stay tuned for updates on its availability.

Deployment

CLI Deployment

You can download the latest build from the release or just install Go 1.19+ and run:

  git clone https://github.com/uoosef/bepass.git
  cd bepass/bepass
  go build ./cmd/cli/main.go

It should give you an executable file, or you can simply run it in place.

  git clone https://github.com/uoosef/bepass.git
  cd bepass/bepass
  go run ./cmd/cli/main.go -c config.json

Roadmap

The project roadmap includes:

  • Self-Hosted DOH (Completed)
  • TCP Proxy Over Worker (Completed)
  • UDP Over Relay (Completed)
  • Relay (Completed)
  • Nekobox Plugin (Completed)
  • MultiPlatform GUI Version (WIP)
  • Standalone Server
  • Packet Level Mux
  • Jesus Protocol

License

This project is open-source and licensed under the MIT License. Feel free to contribute and use it in accordance with the license terms.

⚠ Use this tool responsibly and ensure compliance with local laws and regulations. ⚠

bepass's Issues

Contributions

Hello, I hope you're doing well.
I'm a programmer and network engineer, and every now and then I sit down and analyze Iran's filtering. I wanted to contribute to your project, but I don't know exactly what your todo list is. I'd appreciate it if you could publish it.

Confusing Mismatches

Hello, and thanks for the effort you put in.
1- The description of the project you wrote in the ReadMe is a bit confusing; a reader might think the project is nothing more than a DNS on a worker, whereas the output is a complete anti-filtering proxy.
2- The items that have to be edited, or that exist, in the json file differ from the items that are shown through the plugin, which is confusing.
3- When you create a config with the plugin itself, it shows 127.0.0.1:1080 in the description, which apparently means 1080 is the outgoing socks port, but in practice the real port is the one set in the Nekobox settings, and 1080 is not necessarily correct.

Slim down cli binary

Doing a local release build, I got a 12M binary. I decided to test compilation without using the cobra and viper dependencies and it came down to 7.7M. I don't know if smaller binaries are important for this project, but since the cli only has a single flag, maybe it's possible to drop that dependency?

I can suggest lighter alternatives:
github.com/peterbourgon/ff/v3
github.com/peterbourgon/ff/v3/ffcli

cloudflare loopback

Hi. I used the ProxyIP function, but it doesn't work properly for me. I need to refresh the page many times for it to open. How can I fix this?

I have a VLESS worker. It uses ProxyIP too, and there is no need to have a VPS!

please take a look at this

https://lucyhuafang.blogspot.com/2023/11/wokerscfipvlessws.html
https://github.com/zizifn/edgetunnel/blob/main/src/worker-vless.js

for example:

let proxyIP = 'cdn.xn--b6gac.eu.org';

By setting that, all websites behind CF work properly.

Can you add this feature? It would help us a lot.

Thanks

Worker.js

Thank you for your efforts!!

It also allows you to deploy a free and fast VLESS-like proxy on Cloudflare Workers. Just copy the worker.js to your worker

Where can I find this worker file?

Define offline DNS

Hi, thanks for your great tool :)
Please add a feature so that we can define offline DNS records, like the hosts file in Linux (via the json config file).

go 1.20 not work, not build

Hi,
I cannot build with Go 1.20 on Windows.

   go build .
no Go files in C:\Users\parsibox\OneDrive\Desktop\bepass-main
  go run . -c config.json
no Go files in C:\Users\parsibox\OneDrive\Desktop\bepass-main

Support Plain DNS.

I have some DNS encryption tools that are listening on 127.0.0.1:53. Please support resolving DNS queries through that local address.

Configuration problem

If config.json is available in the current directory, the custom configuration file (custom-config.json) will not be used with -c, and only the main configuration (config.json) will be used.

./bepass -c custom-config.json

Unable to use SDNS stamp

I'm trying to use an SDNS stamp from the dnscrypt-proxy server list; needless to say, it is probably valid.

But in the logs:

socksLogger2023/08/09 20:45:06 2023-08-09 20:45:06 [E]: server: illegal base64 data at input byte 123

Using termux and proot to run linux armv7 build

Disable CGO where possible

The included Makefile is used to build the standard cli app and the gui version. The cli app can be compiled statically by setting CGO_ENABLED=0. This improves compatibility of the result binary.
The commands for both build and release targets can be modified like:
CGO_ENABLED=0 go build -o $(BUILD_DIR)/bepass cmd/cli/main.go

The GUI needs cgo, so this can't be applied to it.

Error report on mci & mtn

Greetings and best wishes to you, dear friend.
Thank you for your tireless efforts.
I tried the plugin you built on Hamrah-e Aval (MCI) and Irancell SIM cards. It does not display some sites, such as Google, Cloudflare and YouTube, and gives an error message saying they could not be resolved by DNS.
I got the same result by creating a DNS worker on Cloudflare and enabling it in the plugin. What do you think the problem is?

I've changed the config.json DNS but it's still using 8.8.4.4 server requests?

I've changed the config.json DNS but it's still using 8.8.4.4 server requests?

time="2024-01-13 09:48:01" level=INFO msg="skipping resolution for 8.8.4.4:443"
time="2024-01-13 09:48:02" level=INFO msg="Can not connect: websocket: bad handshake\n"
time="2024-01-13 09:48:02" level=ERROR msg="server: websocket: bad handshake"
time="2024-01-13 09:48:02" level=ERROR msg="server: Get \"https://8.8.4.4/dns-query?dns=AAABAAABAAAAAAAABnN0YXRpYwNhZHMFYnJhdmUDY29tAAABAAE\": tls: first record does not look like a TLS handshake"
time="2024-01-13 09:48:02" level=INFO msg="Can not connect: websocket: bad handshake\n"
time="2024-01-13 09:48:43" level=INFO msg="skipping resolution for 8.8.4.4:443"
time="2024-01-13 09:48:44" level=INFO msg="Can not connect: websocket: bad handshake\n"
time="2024-01-13 09:48:44" level=ERROR msg="server: websocket: bad handshake"
2024/01/13 09:48:44 [002] INFO: error read response ipv6.msftconnecttest.com : EOF
time="2024-01-13 09:48:44" level=ERROR msg="server: Get \"https://8.8.4.4/dns-query?dns=AAABAAABAAAAAAAABGlwdjYPbXNmdGNvbm5lY3R0ZXN0A2NvbQAAAQAB\": tls: first record does not look like a TLS handshake"
time="2024-01-13 09:48:44" level=INFO msg="Can not connect: websocket: bad handshake\n"

https://eth.link/dns-query
https://resolver.unstoppable.io/dns-query
https://eth.resolver.cloudflare-eth.com/dns-query

CIRA https://private.canadianshield.cira.ca/dns-query
Cloudflare https://mozilla.cloudflare-dns.com/dns-query
Comcast https://doh.xfinity.com/dns-query
Control https://freedns.controld.com/p0
NextDNS https://firefox.dns.nextdns.io
Shaw https://dns.shaw.ca/dns-query

Add clash of clans

Hello and thanks for your work.
If it's OK please add clash of clans too
It's banned in Iran

Routing support

The ability to define routing for different IP ranges, cloud providers, geolocations and domains, so that each uses a suitable exit strategy.

Exit strategies could be something like this:

  1. directly through the worker
  2. through fragmenter
  3. through fragmenter + worker
  4. bypass (straight connections)
  5. blackhole (drop)

Not Supported Version

Hello,
It gives an error message when running. The config is the default one, and the connection is Shatel fixed-line internet.

2023-08-06_231732

Machine Type Mismatch

Sorry, when I run the .bat file, or even run it manually from cmd, it gives this error: The image file....\bepass.exe is valid, but is for a machine type other than current machine.

Fails on some sites

Fails on some sites with a "Can not connect: tls: first record does not look like a TLS handshake" error.

Clash meta support

could you please add Clash Meta core support? I'm using OpenClash on OpenWRT

[Bug]: EOF in nekobepass

Any connection simply gets closed, yielding no errors or warnings.

Using the default configuration or a custom DoH server does not seem to have any effects.

Based on the (rather) short conversation that you had on Twitter, it seems like bepass does not check for the "use worker" value, tries to validate a nonexistent worker address, and fails.

This also shows that logs need to be a bit more expressive. 🤔

dockerize

can you please create a docker-file??

Can't use IPv6

Hello, and thanks for your work. bepass works on IPv4 and is very good in terms of speed, but with IPv6 it gave the error
failed to connect to :443: dial tcp :443: connect: connection refused
and this IP used to work on vless cdn. Another problem is that, like the cdn, it fluctuates a lot more after 5 o'clock, and especially at night it becomes harder to use.
photo_5949368890486275494_y
(orange: bepass, black: vless cdn)
But when I run an HTTP ping against well-known sites on Cloudflare there is no problem at all, while the other sites fluctuate exactly like VPNs (I tested with Irancell, Rightel and Asiatech). I don't have enough knowledge about these things, but I think that instead of filtering IPs they have whitelisted the important SNIs and are disrupting the rest of the connections. My question is: instead of hiding the SNI, could we choose a domain that starts with the address of a well-known site behind Cloudflare (for example discord.com5ma.workers.dev) and set the fragmentation so that it shows the start of the address to the ISP first, so that they think we have connected to a clean address?

Run lint and format checks in github actions

It would be nice to have a separate workflow that simply flags broken formatting and common mistakes with a linter.
It's enough to just run on linux-amd64.

Using gofumpt for formatting.
Using go vet for basic checks.
Using staticcheck to catch more mistakes.

p.s. run these tools locally on the main branch and you'll find plenty of things to fix :D
