
Comments (29)

krlvm avatar krlvm commented on September 13, 2024 2

Make sure you have added the certificate to trusted Root CA store.

Adding a certificate to the system trusted store needs root, that is why packet capture apps like HttpCanary need root; otherwise it just gets an untrusted certificate error.

Are you on Android 11+?

I am using Android 7, it only trusts system Root CAs; Android 6 or older trusts user-installed certificates by default. Root CA is located in /system and access to the /system directory needs root regardless of version; it needs root, that is why it is called Root CA.

Right now I have physical devices with Android 5, 6, 7, 8 and 10 on my hands - I do not experience any problems after the standard installation procedure initiated by the application - copying the certificate there is redundant.

I believe you can use SNI Modification and set a host from bundle as fake SNI host

Using the LibertyTunnel plugin to spoof SNI, but I get an untrusted certificate error.

Make sure you have added the certificate to trusted Root CA store.

My phone is not rooted, please add another way to make it possible for non-root users.
This app removes SNI without root but not custom SNI; I hope someone mods it to allow custom SNI: https://play.google.com/store/apps/details?id=kr.co.lylstudio.httpsguard
Many apps support custom SNI but require an SSH account; only PowerTunnel does not need SSH, but it requires root. I hope you will fix it.

PowerTunnel is designed to not require root, I don't know where you got that information from.
I don't know how Unicorn HTTPS specifically works (I just tested it - it doesn't have any effect for me), but if you say that it removes SNI, then it most likely wraps the original request and sends a packet without SNI to the intermediate server, from where the original request is sent to the destination without terminating TLS - otherwise, it would have to terminate TLS, for which it would prompt you to install a certificate, after which compatibility with many sites would be broken.
As I just said, TLS termination, or rather, the desire to avoid it, is the key reason why you need another server. PowerTunnel terminates TLS at the cost of breaking compatibility with most websites, however, AFAIK, it works for YouTube, for example. It's not something that can be "fixed" - it's by design.

It seems you are a dev with little knowledge of networking. I checked it on ipleak.net: it shows my telecom IP, not a server IP. Unicorn HTTPS clearly does not use tunneling.

Naturally, I know how it works - these are some basic and obvious things. I heard about the possibility of tunneling without changing the IP address, but maybe I'm confusing something - I do not have time to look at this in more detail at the moment. If you know how Unicorn HTTPS works - tell me, and I must tell you that it's impossible to simply remove SNI without terminating SSL - for this you need to encrypt the packet again with a self-signed certificate, which Unicorn does not do.

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024 1

Hello,

You can determine if the certificate is installed correctly on Windows by opening the details about the web page (the lock icon in the toolbar) and opening the certificate details, Issued by should be PowerTunnel Root CA.
On Android, the steps are roughly the same if you are using Google Chrome. Unfortunately, Android 11 introduced some restrictions and the certificate can't be installed automatically,

The main problem with SNI modification is that some webservers validate the SNI and stop working (for example, DailyMotion). PowerTunnel comes with "global mode" by default and applies enabled tricks to all sites. When you're trying to access the blocked site, in most cases it also loads scripts and images from not-blocked sites (e.g. Google Fonts, CDNs) - and they don't load. So it's recommended to fill government-blacklist.txt - I think you can find the list by googling "%country% blocked websites url list" in your language. Blacklist support for Android is planned for the next release.

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024 1

There are a few things to say about replacing Host: today the vast majority of sites work over HTTPS, and all HTTPS traffic is encrypted, including headers and Host header - this is what SNI is needed for. But replacing SNI leads to certain problems, since some sites refuse to work with incorrect SNI.
Changing Host header will have effect on your ISP only in HTTP traffic - modifying the Host header of HTTPS is needless because ISP doesn't see it anyway.

I tried that but it doesn't seem to make a change, Google services (I tried Google Search + YouTube) are working, but almost every other website is broken.

Have you verified that the certificate was installed correctly? Are you trying to unblock blocked sites, or do you have some other usecase?

I would like to be able to do such thing without a remote server, because my ISP has cheaper bundles for certain services, and changing the Host header/SNI will do the thing for me.

PowerTunnel is not intended for such use, at least I did not intend it. I will consider adding this functionality in future releases.

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024 1

Ohh great! Thank you very much for this wonderful software :)

Thank you

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024 1

If someone ran into the problem that SNI is not working correctly on Android 11 because the certificate can't be installed, please try version 2.0 Preview, which fixes Android 11 compatibility issues (warning: this version is not stable yet).

Also, if someone is looking for a Free Internet mode, the upcoming version for both PC and Android features plugin support, so freenet can be released as an optional plugin - open a new issue and provide technical details on this.

from powertunnel.

trimechee avatar trimechee commented on September 13, 2024 1

Wonderful !! exceptional ! We are very grateful to you for all your efforts and kindness and for having invented this wonderful software that allows us to bypass censorship and allows to surf with freedom without vpn ! thank you so much :)

from powertunnel.

 avatar commented on September 13, 2024 1

@mkelzeer did you find a way to do that? i also want to use social media bundle for browsing other websites

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024 1

I believe you can use SNI Modification and set a host from bundle as fake SNI host

from powertunnel.

 avatar commented on September 13, 2024 1

I believe you can use SNI Modification and set a host from bundle as fake SNI host

It's not working. Can you make it work using a remote proxy server like this Python script https://github.com/FaArIsH/http-ssl-ssh-injector/blob/FaArIsH-patch-1/proxy.py
With this Python script it is giving me free net with host name change.

from powertunnel.

johnss avatar johnss commented on September 13, 2024 1

I believe you can use SNI Modification and set a host from bundle as fake SNI host

It's not working. Can you make it work using a remote proxy server like this Python script https://github.com/FaArIsH/http-ssl-ssh-injector/blob/FaArIsH-patch-1/proxy.py With this Python script it is giving me free net with host name change.

Changing the header actually will not get you free internet; as already said above, the header is encrypted. To get free internet pay attention to SNI, not the header.

What makes you get free internet is actually SNI; usually the browser and app will use Host as SNI, so if Host is changed, SNI is also changed.

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024 1

I believe you can use SNI Modification and set a host from bundle as fake SNI host

Using the LibertyTunnel plugin to spoof SNI, but I get an untrusted certificate error.

Make sure you have added the certificate to trusted Root CA store.

from powertunnel.

mkelzeer avatar mkelzeer commented on September 13, 2024

I tried that but it doesn't seem to make a change, Google services (I tried Google Search + YouTube) are working, but almost every other website is broken.

If changing the SNI makes a problem, can you add an option to change the Host header? Like using OpenVPN I can change my Host header like:

http-proxy IP PORT
http-proxy-option CUSTOM-HEADER Host WEBSITEHOST

I would like to be able to do such thing without a remote server, because my ISP has cheaper bundles for certain services, and changing the Host header/SNI will do the thing for me.

Thank you.

from powertunnel.

trimechee avatar trimechee commented on September 13, 2024

Ohh great! Thank you very much for this wonderful software :)

from powertunnel.

johnss avatar johnss commented on September 13, 2024

I believe you can use SNI Modification and set a host from bundle as fake SNI host

Using the LibertyTunnel plugin to spoof SNI, but I get an untrusted certificate error.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

I believe you can use SNI Modification and set a host from bundle as fake SNI host

Using the LibertyTunnel plugin to spoof SNI, but I get an untrusted certificate error.

Make sure you have added the certificate to trusted Root CA store.

My phone is not rooted, please add another way to make it possible for non-root users.

This app removes SNI without root but not custom SNI; I hope someone mods it to allow custom SNI:
https://play.google.com/store/apps/details?id=kr.co.lylstudio.httpsguard

Many apps support custom SNI but require an SSH account; only PowerTunnel does not need SSH, but it requires root. I hope you will fix it.

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024

I believe you can use SNI Modification and set a host from bundle as fake SNI host

Using the LibertyTunnel plugin to spoof SNI, but I get an untrusted certificate error.

Make sure you have added the certificate to trusted Root CA store.

My phone is not rooted, please add another way to make it possible for non-root users.

This app removes SNI without root but not custom SNI; I hope someone mods it to allow custom SNI: https://play.google.com/store/apps/details?id=kr.co.lylstudio.httpsguard

Many apps support custom SNI but require an SSH account; only PowerTunnel does not need SSH, but it requires root. I hope you will fix it.

PowerTunnel is designed to not require root, I don't know where you got that information from.

I don't know how Unicorn HTTPS specifically works (I just tested it - it doesn't have any effect for me), but if you say that it removes SNI, then it most likely wraps the original request and sends a packet without SNI to the intermediate server, from where the original request is sent to the destination without terminating TLS - otherwise, it would have to terminate TLS, for which it would prompt you to install a certificate, after which compatibility with many sites would be broken.

As I just said, TLS termination, or rather, the desire to avoid it, is the key reason why you need another server. PowerTunnel terminates TLS at the cost of breaking compatibility with most websites, however, AFAIK, it works for YouTube, for example.
It's not something that can be "fixed" - it's by design.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

Make sure you have added the certificate to trusted Root CA store.

Adding a certificate to the system trusted store needs root, that is why packet capture apps like HttpCanary need root; otherwise it just gets an untrusted certificate error.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

Making a certificate trusted needs root.

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024

Make sure you have added the certificate to trusted Root CA store.

Adding a certificate to the system trusted store needs root, that is why packet capture apps like HttpCanary need root; otherwise it just gets an untrusted certificate error.

Are you on Android 11+?

from powertunnel.

johnss avatar johnss commented on September 13, 2024

Make sure you have added the certificate to trusted Root CA store.

Adding a certificate to the system trusted store needs root, that is why packet capture apps like HttpCanary need root; otherwise it just gets an untrusted certificate error.

Are you on Android 11+?

I am using Android 7, it only trusts system Root CAs; Android 6 or older trusts user-installed certificates by default. Root CA is located in /system and access to the /system directory needs root regardless of version; it needs root, that is why it is called Root CA.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

I believe you can use SNI Modification and set a host from bundle as fake SNI host

Using the LibertyTunnel plugin to spoof SNI, but I get an untrusted certificate error.

Make sure you have added the certificate to trusted Root CA store.

My phone is not rooted, please add another way to make it possible for non-root users.
This app removes SNI without root but not custom SNI; I hope someone mods it to allow custom SNI: https://play.google.com/store/apps/details?id=kr.co.lylstudio.httpsguard
Many apps support custom SNI but require an SSH account; only PowerTunnel does not need SSH, but it requires root. I hope you will fix it.

PowerTunnel is designed to not require root, I don't know where you got that information from.

I don't know how Unicorn HTTPS specifically works (I just tested it - it doesn't have any effect for me), but if you say that it removes SNI, then it most likely wraps the original request and sends a packet without SNI to the intermediate server, from where the original request is sent to the destination without terminating TLS - otherwise, it would have to terminate TLS, for which it would prompt you to install a certificate, after which compatibility with many sites would be broken.

As I just said, TLS termination, or rather, the desire to avoid it, is the key reason why you need another server. PowerTunnel terminates TLS at the cost of breaking compatibility with most websites, however, AFAIK, it works for YouTube, for example. It's not something that can be "fixed" - it's by design.

It seems you are a dev with little knowledge of networking. I checked it on ipleak.net: it shows my telecom IP, not a server IP.
Unicorn HTTPS clearly does not use tunneling.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

Right now I have physical devices with Android 5, 6, 7, 8 and 10 on my hands - I do not experience any problems after the standard installation procedure initiated by the application - copying the certificate there is redundant.

Please add a tutorial on how to move the certificate, with screenshots.
I recommend creating docs using GitHub Pages or the project wiki.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

If you know how Unicorn HTTPS works - tell me, and I must tell you that it's impossible to simply remove SNI without terminating SSL - for this you need to encrypt the packet again with a self-signed certificate, which Unicorn does not do.

Aging IE and other ancient browsers do not support SNI; SNI is a relatively new feature. The SNI value is sent by the browser, so spoofing or removing it must be easy; there is no need for a self-signed certificate.

Some sites block custom SNI, like blocking some browsers by user agent header; it is not like an IP, which you cannot change unless you use a proxy.

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024

Right now I have physical devices with Android 5, 6, 7, 8 and 10 on my hands - I do not experience any problems after the standard installation procedure initiated by the application - copying the certificate there is redundant.

Please add a tutorial on how to move the certificate, with screenshots. I recommend creating docs using GitHub Pages or the project wiki.

As I said previously, the certificate is being installed automatically by the application and does not have to be copied anywhere automatically.

If you know how Unicorn HTTPS works - tell me, and I must tell you that it's impossible to simply remove SNI without terminating SSL - for this you need to encrypt the packet again with a self-signed certificate, which Unicorn does not do.

Aging IE and other ancient browsers do not support SNI; SNI is a relatively new feature. The SNI value is sent by the browser, so spoofing or removing it must be easy; there is no need for a self-signed certificate.

Some sites block custom SNI, like blocking some browsers by user agent header; it is not like an IP, which you cannot change unless you use a proxy.

You are correct, SNI is being added by the client, but we can't control this on the proxy server as we receive an already encrypted packet.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

It uses packet replace

You can use it at a fast speed without slowing down. Unicorn is different from the other apps such as VPN or another app which uses the overseas server. It is developed to change the specific packet so it can be used for web surfing without reduction of speed.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

Right now I have physical devices with Android 5, 6, 7, 8 and 10 on my hands - I do not experience any problems after the standard installation procedure initiated by the application - copying the certificate there is redundant.

Please add a tutorial on how to move the certificate, with screenshots. I recommend creating docs using GitHub Pages or the project wiki.

As I said previously, the certificate is being installed automatically by the application and does not have to be copied anywhere automatically.

If you know how Unicorn HTTPS works - tell me, and I must tell you that it's impossible to simply remove SNI without terminating SSL - for this you need to encrypt the packet again with a self-signed certificate, which Unicorn does not do.

Aging IE and other ancient browsers do not support SNI; SNI is a relatively new feature. The SNI value is sent by the browser, so spoofing or removing it must be easy; there is no need for a self-signed certificate.
Some sites block custom SNI, like blocking some browsers by user agent header; it is not like an IP, which you cannot change unless you use a proxy.

You are correct, SNI is being added by the client, but we can't control this on the proxy server as we receive an already encrypted packet.

SNI is not encrypted, you can just replace the packet.

from powertunnel.

johnss avatar johnss commented on September 13, 2024

Use a proxy if the server rejects custom SNI.

from powertunnel.

krlvm avatar krlvm commented on September 13, 2024

Right now I have physical devices with Android 5, 6, 7, 8 and 10 on my hands - I do not experience any problems after the standard installation procedure initiated by the application - copying the certificate there is redundant.

Please add a tutorial on how to move the certificate, with screenshots. I recommend creating docs using GitHub Pages or the project wiki.

As I said previously, the certificate is being installed automatically by the application and does not have to be copied anywhere automatically.

If you know how Unicorn HTTPS works - tell me, and I must tell you that it's impossible to simply remove SNI without terminating SSL - for this you need to encrypt the packet again with a self-signed certificate, which Unicorn does not do.

Aging IE and other ancient browsers do not support SNI; SNI is a relatively new feature. The SNI value is sent by the browser, so spoofing or removing it must be easy; there is no need for a self-signed certificate.
Some sites block custom SNI, like blocking some browsers by user agent header; it is not like an IP, which you cannot change unless you use a proxy.

You are correct, SNI is being added by the client, but we can't control this on the proxy server as we receive an already encrypted packet.

SNI is not encrypted, you can just replace the packet.

You can't just remove the SNI because its length is taken into account in the length of the ClientHello extensions and specifically the server_name extension. If you just change it with a string with the same length you will just break SSL, e.g. you will receive SSL_ERROR_BAD_MAC_READ in Firefox.

from powertunnel.
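
The nested length fields and the integrity failure described in the comment above, as an added example that is not part of the original thread or of PowerTunnel's code: a parser that walks a ClientHello, checks every enclosing length on the way to the server_name extension, and exposes the handshake transcript hash that the Finished check covers. The minimal ClientHello layout, the helper names and the host names are constructed for illustration.

```python
import hashlib
import struct

def build_client_hello(host):
    """Constructed sample: a minimal ClientHello record carrying one SNI entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 + name length
    sni = struct.pack("!H", len(entry)) + entry               # server_name_list length
    ext = struct.pack("!HH", 0, len(sni)) + sni               # extension type 0 + its length
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"               # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)              # total extensions length
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # ClientHello + handshake length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header + record length

def _vec(buf, pos, width):
    """Read a length-prefixed field at pos; return (contents, position after it)."""
    if pos + width > len(buf):
        raise ValueError("truncated length field")
    end = pos + width + int.from_bytes(buf[pos:pos + width], "big")
    if end > len(buf):
        raise ValueError("length field exceeds enclosing structure")
    return buf[pos + width:end], end

def extract_sni(record):
    """Return the SNI host name (None if absent); ValueError if lengths disagree."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs, end = _vec(record, 3, 2)
    if end != len(record) or not hs or hs[0] != 0x01:
        raise ValueError("not a single complete ClientHello record")
    body, end = _vec(hs, 1, 3)
    if end != len(hs):
        raise ValueError("handshake length mismatch")
    pos = 2 + 32                                   # skip client_version and random
    for width in (1, 2, 1):                        # session_id, cipher_suites, compression
        _, pos = _vec(body, pos, width)
    if pos == len(body):
        return None                                # no extensions block at all
    exts, end = _vec(body, pos, 2)
    if end != len(body):
        raise ValueError("extensions length mismatch")
    pos = 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == 0:                          # server_name
            names, end = _vec(data, 0, 2)
            if end != len(data) or not names or names[0] != 0:
                raise ValueError("malformed server_name extension")
            host, _ = _vec(names, 1, 2)            # first host_name entry
            return host.decode("ascii")
    return None

def transcript_hash(record):
    """SHA-256 over the handshake message, which both peers feed into Finished."""
    return hashlib.sha256(record[5:]).hexdigest()

if __name__ == "__main__":
    original = build_client_hello("video.example")
    swapped = original.replace(b"video.example", b"other.example")  # same length
    print(extract_sni(original), transcript_hash(original)[:16])
    print(extract_sni(swapped), transcript_hash(swapped)[:16])
```

Cutting the name bytes out of the record makes `extract_sni` raise, because the record, handshake, extensions and server_name lengths no longer match the data. The same-length edit still parses, but the client and the server then hash different ClientHello bytes, so the Finished verification fails.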

Kreatifchk avatar Kreatifchk commented on September 13, 2024

You can't just remove the SNI because its length is taken into account in the length of the ClientHello extensions and specifically the server_name extension. If you just change it with a string with the same length you will just break SSL, e.g. you will receive SSL_ERROR_BAD_MAC_READ in Firefox.

Then what needs to be done?

from powertunnel.
