Psiphon — great featureful tool

Psiphon is not widely known as a self-hosted censorship circumvention utility / circumvention building block; however, this is probably the most feature-complete anti-censorship tunneling software in a single package.

It includes the following protocols:

  • SSH and Obfuscated SSH (OSSH) protocols with custom authorization methods as a main tunneling protocol
  • Domain fronting support with meek (over HTTP, HTTPS and QUIC), for maximum compatibility with any CDN
  • “Unfronted” meek (over HTTP/HTTPS/QUIC), for direct connection to SSH/OSSH server with HTTP/HTTPS-like tunnel.
  • OSSH over QUIC (UDP)
  • Tapdance and Conjure decoy routing protocols of Refraction Networking — makes proxy out of almost any HTTPS website if the traffic is routed over the transit ISP with refraction hardware installed

Contains the following features:

  • TLS fingerprint mimicry and randomization to avoid fingerprint filtering
  • Different QUIC versions support
  • SSH banner randomization
  • Upstream proxy support
  • BPF bytecode for socket on Linux, to filter out TCP RSTs and other undesirable network packets
  • TCP packet fragmentation (segmentation), seeded with a PRNG, which could be saved later as a “good PRNG” seed which allowed the connection and reused for another connection
  • Very flexible server list file format which allows providing front hostname list or regexp generation rule, as well as the domain name list or regexp to be used for DNS resolving, as well as pre-resolved IP addresses and third-party DNS resolvers
  • Very flexible configuration file format which allows providing custom fronting hostnames and regexes (overriding server list provided ones), custom pre-resolved DNS CIDRs for different CDN providers, limit protocols, setup using of resolve/pre-resolved address probability, fragmentation probability and plenty of other internal parameters
  • Split tunneling support (exclude a list of countries by geoip from being tunneled), although it’s a server-side thus a bit slow (when the client makes the connection, the server may reply with “don’t tunnel this” packet, so it always asks server whether it should tunnel this connection first)

The program also includes a “tactics” layer which remembers and stores working connection methods and modes to speed up tunnel establishment for subsequent runs, and also uploads this information to the server with the country information, to be reused by other Psiphon users.
The server can provide the client with server list and configuration updates, including BPF bytecode, TCP fragmentation tactic and third-party DNS resolvers.

There’s hardly any documentation, which is probably the main reason why Psiphon is not known as a circumvention building block. However, many configuration options and functions contain excessive comments, which eases learning of the source code.
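The seeded TCP fragmentation with a reusable “good” seed described in the feature list, sketched as an added example that is not Psiphon's own code: `SegmentPlan`, `Fragment`, `SeedStore` and the network key `isp-a` are hypothetical names, and the 517-byte payload is constructed. It assumes a minimum segment size of at least 1.

```go
package main

import (
	"bytes"
	"fmt"
	"math/rand"
)

// SegmentPlan derives the sizes of successive TCP writes for an n-byte
// payload from a seeded PRNG. The same seed and n always give the same plan.
func SegmentPlan(seed int64, n, minSeg, maxSeg int) []int {
	rng := rand.New(rand.NewSource(seed))
	var plan []int
	for n > 0 {
		size := minSeg + rng.Intn(maxSeg-minSeg+1)
		if size > n {
			size = n // last segment carries the remainder
		}
		plan = append(plan, size)
		n -= size
	}
	return plan
}

// Fragment cuts payload into the segments described by plan.
func Fragment(payload []byte, plan []int) [][]byte {
	var out [][]byte
	for _, size := range plan {
		out = append(out, payload[:size])
		payload = payload[size:]
	}
	return out
}

// SeedStore remembers, per network, the seed of the last plan that connected.
type SeedStore map[string]int64

// Pick replays a known-good seed if one is stored, else draws a fresh one.
func (s SeedStore) Pick(network string) (seed int64, replayed bool) {
	if saved, ok := s[network]; ok {
		return saved, true
	}
	return rand.Int63(), false
}

func main() {
	store := SeedStore{}
	hello := bytes.Repeat([]byte{0x16}, 517) // constructed stand-in for a first flight
	seed, _ := store.Pick("isp-a")
	frags := Fragment(hello, SegmentPlan(seed, len(hello), 1, 64))
	store["isp-a"] = seed // assumption: the connection succeeded, so keep the seed
	again, replayed := store.Pick("isp-a")
	fmt.Println(len(frags), replayed, again == seed, bytes.Equal(bytes.Join(frags, nil), hello))
}
```

Because only the seed is stored, the whole segmentation pattern can be replayed on a later connection without recording the individual segment sizes.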

Just the thing for mobile devices! If only there were a desktop one too.

What's the problem?

There does seem to be one for desktop, and a working one at that.

There is no client for macOS.
Besides, it's written in Go. You can build it yourself.

Interesting fact: there are more than 10 non-overlapping, or weakly overlapping, Psiphon sets, each with its own distribution channel. Each has its own servers, which are sponsored and distributed for different users. For example, the publicly available channel with id 92AACC5BABE0944C, or the one from Deutsche Welle with id CB07515CC91464B7.

I heard that the console version is a half-finished product. I wonder how many useful features have been added to the finished graphical version.
By the way, maybe someone else didn't know this either. Psiphon limits speed depending on the user's country. For example, for people from countries where there is no censorship, the speed is limited to 160 KB/s (this is visible in the log and in practice). For Russian users the speed is not limited. Although, I launched it yesterday and saw that they have started throttling Russians to 384 KB/s (or 256, I don't remember exactly).
I have the console version with PropagationChannelId 92AACC5BABE0944C.
Also, when RKN cut off Amazon, it would not connect from scratch. But a bootstrapped one worked.

Public stats are available at