The recommended setup to bypass GFW

Once and for all, I’m looking for a VPN solution with the following features:

  1. Bypasses GFW.

  2. Supports Windows/Linux/Android (and preferably iPhone) clients.

  3. Provides simple user management. I’m not looking for something fancy. Something like OpenVPN which you have control over the number of users is enough. Unlike Shadowsocks that everyone can share the settings and user management is done via listening to different ports which is counter-intuitive for hiding the traffic compared to listening only to 443.

I’ve tried the following so far:

  • OpenVPN: Bare OpenVPN traffic is detectable by DPI and fails on point (1). There are some plugins (obfsproxy) to hide its traffic, but it seems that there is no plugin available for all platforms (fails on point (2)).

  • Shadowsocks: Great on (1), but I couldn’t find a decent way for (3).

  • Wireguard: I haven’t tried it but its traffic seems to be detectable by GFW (e.g. this post). I’m not aware of its latest state though.

I might have missed something on these points. Let me know if that’s the case.

Also, do you have any other VPN solution that satisfies these three points?

Have you tried SoftEther? It was created in Japan to get around the GFW. Wikipedia says DPI can’t find it.

Firewalls performing deep packet inspection are unable to detect SoftEther’s VPN transport packets as a VPN tunnel because HTTPS is used to camouflage the connection.

Looking around Google, I see people saying it works and others saying it is detected by the firewall, but it might be worth checking out. Various clients available, and the user management is not too bad. The setup is kind of tough to figure out, but once you get used to it, it is pretty easy to use.

Outline developed a version of shadowsocks with multi user on the same port.

You can look into V2Ray. It’s possible to manage multiple users on the same port via the UUID.
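A sketch of what per-user UUIDs on one port look like in practice, as an added example that is not part of the thread or of the V2Ray project. It assumes the VMess inbound layout (`settings.clients[]` with `id`, `email`, `level`); the `Roster` helper and the user labels are constructed for illustration.

```python
import json
import uuid


class Roster:
    """One UUID per person; every entry is served by the same inbound port."""

    def __init__(self):
        self.users = {}  # label -> UUID string

    def add(self, label):
        if label in self.users:
            raise ValueError(f"{label!r} already has a credential")
        self.users[label] = str(uuid.uuid4())
        return self.users[label]

    def revoke(self, label):
        # Dropping the entry invalidates this person's UUID only;
        # nobody else has to change their client settings.
        return self.users.pop(label, None) is not None

    def inbound(self, port=443):
        # Layout assumed from V2Ray's VMess inbound: settings.clients[]
        # with "id" (the UUID) and "email" (a label used to tell users apart).
        clients = [{"id": uid, "email": label, "level": 0}
                   for label, uid in sorted(self.users.items())]
        return {"port": port, "protocol": "vmess",
                "settings": {"clients": clients}}


def demo():
    roster = Roster()
    for label in ("alice@family", "bob@family", "carol@friends"):  # constructed
        roster.add(label)
    leaked = roster.users["bob@family"]
    roster.revoke("bob@family")  # e.g. bob passed his settings on
    return roster.inbound(), leaked


if __name__ == "__main__":
    config, _ = demo()
    print(json.dumps({"inbounds": [config]}, indent=2))
```

A revocation only takes effect once the server has loaded the regenerated configuration.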

When you say that you’re looking for a VPN solution do you mean in the form of a commercial VPN or something you wanna set up yourself?

There’s a Chinese script for SSR:

- to manage multiple users on different ports,
- to limit the amount of GB/port,
- to limit the concurrent users.

If all of these are enough for you, let me know then.

I suggest using any Trojan protocol for GFW bypass, worked for me until I got back to Australia, somehow, won’t work in Australia.

A client I suggest is Clash.

SoftEther VPN

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori’s master’s thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.


Deep packet inspection

Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and usually takes action by blocking, re-routing, or logging it accordingly. Deep packet inspection is often used to ensure that data is in the correct format, to check for malicious code, eavesdropping and internet censorship among other purposes. There are multiple headers for IP packets; network equipment only needs to use the first of these (the IP header) for normal operation, but use of the second header (such as TCP or UDP) is normally considered to be shallow packet inspection (usually called stateful packet inspection) despite this definition. There are multiple ways to acquire packets for deep packet inspection. Using port mirroring (sometimes called Span Port) is a very common way, as well as an optical splitter.



Can the number of users be managed though? I want to prevent a user giving away the settings and new users connecting to the server without any limitations.

I’ve heard V2Ray is one of the best solutions for bypassing GFW but didn’t know it can support multiple users. Will look into that.

Something that I set up myself. I have a VPS located in US and currently using ShadowsocksRR to circumvent the filtering, but it doesn’t provide any user management.

Sorry but it’s not true, Shadowsocks was created based on the Socks protocol because it’s common for ssh sessions to get interrupted, especially when used as you recommend. :slight_smile:

How can I cover point (2) and (3) mentioned in question?

In the case of Trojan, what domain do you forward normal HTTPS traffic to?

Anyway I would recommend you have a look at V2Ray instead. Because Shadowsocks has been pretty broken recently by GFW.

You can also manage multiple users with Shadowsocks on different ports/passwords. Actually, there is no real advantage to using port 443. Many people think the Great Firewall is simple enough to be fooled by using port 443, but that is not the case at all. Port 443 is just as likely to get blocked as other ports and performance is not any better either. V2Ray is probably better anyway, but Shadowsocks does have some advantages (easier set up and better clients).

The number of users will be probably around 20-30 (mostly family and friends).

Will do! I’ve also heard about Wireguard. Might give both a try to see how they work.

So I can tunnel my whole traffic to the server using ConnectBot to circumvent the filtering?

So what about various tools like Shadowsocks, OpenVPN, obfsproxy, etc.? Do some governments throttle SSH?