How to access Tor when you are in a heavily-censored country using v2ray (vmess / vless)

Introduction

Why should I use v2ray?

If your country makes TOR traffic as illegal, how can you access .onion websites anyway ?

Normally you would just hide that you are using Tor by hiding it behind a VPN (which can be based on wireguard or openvpn) like we have previously recommended:

but now we have another problem, what if your country also made VPNs illegal to use ?

If you are in a country where both Tor and VPNs are illegal to use, you'll need to use a censorship-evasion tool like v2ray to be able to safely hide that you're using Tor.
Project V and Project X

V2ray : an open source censorship circumvention tool also know as project V is a framework where one could stack protocols as well as modify standard protocols to bypass firewalls.

Xray: a superset of v2ray, with better overall performance and enhancements such as XTLS

XTLS is an optimized/modification of TLS protocol, it works by using real TLS to hide proxy traffic

V2ray is not a protocol rather a platform where users could design their own protocol stacks based on the primitive protocols like TCP,UDP,HTTP while vmess and vless are proxy protocols which are native to v2ray.

V2rays has the ability to obfuscate and make packets appear to be genuine webtraffic, in order to prevent the adversary from figuring out that you are using Tor. Wireguard as well as openvpn does not provide any obfuscation feature and will be detected easily by header match or DPI.
(they have this in their codebase which clearly shows how to detect Wireguard traffic) ref

But How does a V2ray traffic look like?
Here's a Wireshark dump of curl archlinux.org with and without v2ray.

As you could see requests to archlinux.org ( with v2ray ) goes to a popular website giphy but is actually communicating to our V2ray server behind the CDN through Websocket protocol.
(Domain Fronting method is being used here)

we could use v2ray to make our own versions of primitive protocols to "fool the wall".
Some Principles to get started

Transport : The protocol used to connect to the v2ray server.
Inbounds : Connections to the v2ray server.
Routing : Rules defining how an inbound connection should be treated. (Ex. drop connection requests from certain domains, route inbound through a socks server)
Outbounds : Connections going out of v2ray server.(Ex. Towards the user requested website)
Clients
Android
- Nekobox
- v2rayNG
Linux
- Nekoray
- v2rayN
- v2rayA
- Furious
Windows
- HiddifyN
- v2rayN

Serverside Setup

an overview of v2ray server config looks like this


{
    "log": {},
    "api": {},
    "dns": {},
    "stats": {},
    "routing": {},
    "policy": {},
    "inbounds": [],
    "outbounds": [],
    "transport": {}
}

Looking kinda complicated right, fear not we have Web-UI's to setup V2Ray servers. Web-UI aka "panels" could be used for user-management including traffic stats,uuid-generation and much more...

Getting a VPS

refer to Acquiring remote servers anonymously (non-KYC providers) for buying a VPS using XMR
Installing a panel

Once you have the VPS ready and have established an SSH connection,we can start working on installing panel.

we'll be using alireza0/x-ui panel since its actively maintained, but you could also use MHSanaei/3x-ui .The v2ray server setup is same same for all.

Supported distributions - Ubuntu 20.04+ - Debian 11+ - CentOS 8+ - OpenEuler 22.03+ - Fedora 36+ - Arch Linux - Parch Linux - Manjaro - Armbian - AlmaLinux 8.0+ - Rocky Linux 8+ - Oracle Linux 8+ - OpenSUSE Tumbleweed - Amazon Linux 2023
```
                                
#> bash <(curl -Ls https://raw.githubusercontent.com/alireza0/x-ui/master/install.sh)
....
Would you like to customize the Panel Port settings? (If not, random port will be applied) [y/n]: y
Please set up the panel port: 9566
Your Panel Port is: 9566
Port set successfully: 9566
Username and password updated successfully
Base URI path set successfully
This is a fresh installation, generating random login info for security concerns:
###############################################
Username: fU8hjnoLSp
Password: ak8jX44rZy
Port: 9566
WebBasePath: EwAJmwAHwMk7FLK
###############################################
If you forgot your login info, you can type 'x-ui settings' to check
Start migrating database...
Migration done!
Created symlink '/etc/systemd/system/multi-user.target.wants/x-ui.service' → '/etc/systemd/system/x-ui.service'.
x-ui v1.8.7 installation finished, it is up and running now...


                                 
```
The script asks for the port to use. we could change the port later. We could use the creds(Autogenerated) displayed above to access the webui
```
X-UI Control Menu Usage
    ------------------------------------------
    SUBCOMMANDS:
    x-ui              - Admin Management Script
    x-ui start        - Start
    x-ui stop         - Stop
    x-ui restart      - Restart
    x-ui status       - Current Status
    x-ui settings     - Current Settings
    x-ui enable       - Enable Autostart on OS Startup
    x-ui disable      - Disable Autostart on OS Startup
    x-ui log          - Check Logs
    x-ui update       - Update
    x-ui install      - Install
    x-ui uninstall    - Uninstall
    x-ui help         - Control Menu Usage
    ------------------------------------------
    
```
In order to access the web UI, the url schema looks like this.
http://server_ip:port/path

You can use x-ui settings command to retrieve panel info, like port and path.
Ex-output:
############################################### Username: fU8hjnoLSp
Password: ak8jX44rZy
Port: 9566
WebBasePath: EwAJmwAHwMk7FLK
###############################################

Example http://198.41.128.88:9566/EwAJmwAHwMk7FLK/
Once you access the web portal,use the username and password as above.
Setting up the panel

after logging in switch to latest the xray-core

In order to receive inbounds we must create an inbound rule within the panel.
We are choosing vmess (as protocol) + websocket (as trasport). copy the settings as below.
(you could change the port as of your liking)
VLESS does not provide built-in encryption, avoiding it for now. ref NOTE: VMess Requires to have time synced up.

Now you could try to connect to the server using QR Code or by using the vmess link.
(Click the QR to copy link) See Client Section

a vmess link will look like vmess://<uuid>@<hostname>:<port>?<other_params>#<remarks>
Client Installation

V2rayN

link

                            
$ unzip v2rayN-linux-64.zip 
...
$ cd v2rayN-linux-64/
$ chmod +x v2rayN 
$ ./v2rayN

Routing is used when you want to avoid proxy for regional websites.
(A direct connection without proxy will be made by the clientside app based-off IP or Domain name)

Ex. if we access 1tv.ru, with this setting turned on it will be resolved using our actual IP than our Proxy IP

Censorship Evasion technique #1 - Domain Fronting

Setting up a v2ray server alone doesnt bypass any censors(it would be obvious if we push a large amount of traffic),rather we use some methods to make the traffic look geniune.
One such method is called Domain Fronting

We will be using Fastly, since it offers a free CDN without CreditCard + 30-day Websocket support(free-trial)
Start by creating an account at Fastly

Create a new cdn service like this

In here we can use any domain name since its for internal routing within cdn.
(meaning that within the CDN domain zero-google.com will resolve to our v2ray IP )
origin willbe our v2ray inbound IP

then select the cdn name to edit the config

We edit the CDN config to change the port of our host and disable some settings that may cause issues

After that we change the port from 443 to 53254 (The port we used for receiving inbounds in our v2ray panel)

We can do inbounds to port 443(TLS port) and adjust inbound settings to have Fallback but that requires one to have an inbound config with TCP transport within the panel.

A Fallback is when you want to expose only one standard HTTP/HTTPS port(80,443) to receive inbounds but want to use different protocols like VMESS,Shadowsock... with the same port.
Fallback Can only be used with TCP/XTLS transport modes.

Now from Settings >>

we enable websocket.

Start the trial and it should look something like this

Now lets add VCL for HTTP Connection Upgrade(Since we want to switch to Websocket)


if (req.http.Upgrade) {
return (upgrade);
}

Clientside Setup

In this section we'll discuss how to connect to the prementioned setup using domain fronting technique.

Linux

Copy the server config from panel(by clicking the qr-code) to clipboard.
Open client app(v2rayN/nekoray)
Ctrl + V
and edit it as follows.
For testing in Linux we are using v2rayN

click Confirm

If the connection was successful you'll see your server IP along with delay(ms) in the logs as well as on bottom right corner like this.
You could toggle System Proxy to check connectivity, within browser and all.

Testing Tor

go to about:preferences#connection change proxy settings as follows.
(Proxy port shown in v2ray. So that connection made by tor will go through v2ray server)

If we were to save it and try to connect it will fail. (connection died in state handshaking). So enable Bridges

Set Bridges of Your Choice

This is how the traffic leaves the system.

As you could see, traffic goes to fastly server rather than tor nodes.
(You're seeing Websocket traffic to and from 192.168.1.2(LAN IP) to a Fastly CDN(Anycast IP))

And that's it! we managed to connect to an onion website, from a heavily-censored country, thanks to v2ray.

How to access Tor when you are in a heavily-censored country using v2ray (vmess / vless)

Introduction

Why should I use v2ray?

Project V and Project X

Some Principles to get started

Clients

Serverside Setup

Getting a VPS

Installing a panel

Setting up the panel

after logging in switch to latest the xray-core

Client Installation

Censorship Evasion technique #1 - Domain Fronting

Clientside Setup

Linux

Testing Tor

Nihilism

My Links

About Zer0