Psiphon is not widely known as a self-hosted censorship circumvention utility or as a circumvention building block, yet it is probably the most feature-complete anti-censorship tunneling software available in a single package.
It includes the following protocols:
- SSH and Obfuscated SSH (OSSH) with custom authorization methods, as the main tunneling protocols
- Domain fronting with meek (over HTTP, HTTPS and QUIC), for maximum compatibility with any CDN
- “Unfronted” meek (over HTTP/HTTPS/QUIC), for a direct connection to the SSH/OSSH server through an HTTP/HTTPS-like tunnel
- OSSH over QUIC (UDP)
- TapDance and Conjure decoy-routing protocols from Refraction Networking, which turn almost any HTTPS website into a proxy when the traffic passes through a transit ISP with refraction hardware installed
It also has the following features:
- TLS fingerprint mimicry and randomization to avoid fingerprint filtering
- Support for multiple QUIC versions
- SSH banner randomization
- Upstream proxy support
- BPF bytecode attached to the socket on Linux, to filter out TCP RSTs and other undesirable packets
- TCP packet fragmentation (segmentation) driven by a seeded PRNG; a seed that produced a working connection can be saved as a “good” seed and replayed for later connections
- Very flexible server list file format, which can carry a list of front hostnames or a regexp rule for generating them, a list or regexp of domain names to use for DNS resolution, pre-resolved IP addresses, and third-party DNS resolvers
- Very flexible configuration file format, which can supply custom fronting hostnames and regexes (overriding those in the server list), custom pre-resolved CIDRs for different CDN providers, restrict the protocols used, set the probability of using resolved versus pre-resolved addresses, set the fragmentation probability, and tune plenty of other internal parameters
- Split tunneling (exclude a list of countries, by GeoIP, from being tunneled), although the decision is made server-side and is therefore a bit slow: the client always asks the server first whether a connection should be tunneled, and the server may reply with a “don’t tunnel this” packet
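To make the BPF feature concrete, here is an added example in Go (my own code, not Psiphon's): a classic BPF program that drops IPv4 TCP segments carrying the RST flag, written in the `struct sock_filter` encoding that Linux's `SO_ATTACH_FILTER` consumes, together with a minimal interpreter for the handful of opcodes used, so the program can be checked offline against constructed packets. The opcode values are from `<linux/filter.h>`; the assumption that the filter sees the IPv4 header at offset 0 (true for a raw or packet socket) and all function names and sample packets are mine.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Classic BPF opcodes used below; values are from <linux/filter.h>.
const (
	opLdAbsB  = 0x30 // A = pkt[k]                 (BPF_LD  | BPF_B | BPF_ABS)
	opLdIndB  = 0x50 // A = pkt[X + k]             (BPF_LD  | BPF_B | BPF_IND)
	opLdxMshB = 0xb1 // X = 4 * (pkt[k] & 0x0f)    (BPF_LDX | BPF_B | BPF_MSH)
	opJeqK    = 0x15 // pc += (A == k) ? jt : jf   (BPF_JMP | BPF_JEQ | BPF_K)
	opJsetK   = 0x45 // pc += (A & k) ? jt : jf    (BPF_JMP | BPF_JSET | BPF_K)
	opRetK    = 0x06 // return k                   (BPF_RET | BPF_K)
)

// Instruction mirrors Linux's struct sock_filter, the unit SO_ATTACH_FILTER takes.
type Instruction struct {
	Op     uint16
	Jt, Jf uint8
	K      uint32
}

// DropTCPRST returns a classic BPF program that drops IPv4 TCP segments with the
// RST flag set and accepts everything else (the return value is the number of
// bytes to keep; 0 drops the packet). Assumption: the packet handed to the filter
// starts with the IPv4 header. What a socket filter actually sees depends on the
// socket type, so check the offsets against your socket before attaching it.
func DropTCPRST() []Instruction {
	return []Instruction{
		{Op: opLdAbsB, K: 9},                 // 0: A = ip.protocol
		{Op: opJeqK, Jt: 0, Jf: 4, K: 6},     // 1: not TCP -> 6 (accept)
		{Op: opLdxMshB, K: 0},                // 2: X = IHL * 4 (copes with IP options)
		{Op: opLdIndB, K: 13},                // 3: A = tcp.flags
		{Op: opJsetK, Jt: 0, Jf: 1, K: 0x04}, // 4: RST set -> 5 (drop), else 6
		{Op: opRetK, K: 0},                   // 5: drop
		{Op: opRetK, K: 0xffff},              // 6: accept
	}
}

// Run interprets the subset of classic BPF used above over pkt and returns the
// verdict (0 = drop). As in the kernel, a load past the end of the packet ends
// the program with verdict 0.
func Run(prog []Instruction, pkt []byte) (uint32, error) {
	var a, x uint32
	load := func(off int) (uint32, bool) {
		if off < 0 || off >= len(pkt) {
			return 0, false
		}
		return uint32(pkt[off]), true
	}
	for pc := 0; pc < len(prog); pc++ {
		in := prog[pc]
		switch in.Op {
		case opLdAbsB:
			v, ok := load(int(in.K))
			if !ok {
				return 0, nil
			}
			a = v
		case opLdIndB:
			v, ok := load(int(x) + int(in.K))
			if !ok {
				return 0, nil
			}
			a = v
		case opLdxMshB:
			v, ok := load(int(in.K))
			if !ok {
				return 0, nil
			}
			x = 4 * (v & 0x0f)
		case opJeqK:
			if a == in.K {
				pc += int(in.Jt)
			} else {
				pc += int(in.Jf)
			}
		case opJsetK:
			if a&in.K != 0 {
				pc += int(in.Jt)
			} else {
				pc += int(in.Jf)
			}
		case opRetK:
			return in.K, nil
		default:
			return 0, fmt.Errorf("unsupported opcode %#x at pc %d", in.Op, pc)
		}
	}
	return 0, fmt.Errorf("program fell off the end")
}

// ipv4TCP builds a constructed IPv4+TCP packet (no payload, zero checksums) with
// the given IPv4 header length in 32-bit words and the given TCP flags byte.
func ipv4TCP(ihlWords int, flags byte) []byte {
	ipLen := ihlWords * 4
	pkt := make([]byte, ipLen+20)
	pkt[0] = 0x40 | byte(ihlWords)                        // version 4, IHL
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt))) // total length
	pkt[8] = 64                                           // TTL
	pkt[9] = 6                                            // protocol: TCP
	binary.BigEndian.PutUint16(pkt[ipLen:], 443)          // source port
	binary.BigEndian.PutUint16(pkt[ipLen+2:], 51515)      // destination port
	pkt[ipLen+12] = 0x50                                  // TCP data offset: 5 words
	pkt[ipLen+13] = flags
	return pkt
}

func main() {
	prog := DropTCPRST()
	for _, c := range []struct {
		name string
		pkt  []byte
	}{
		{"SYN", ipv4TCP(5, 0x02)},
		{"RST", ipv4TCP(5, 0x04)},
		{"RST|ACK with IP options", ipv4TCP(6, 0x14)},
		{"truncated SYN", ipv4TCP(5, 0x02)[:30]},
	} {
		v, err := Run(prog, c.pkt)
		fmt.Printf("%-24s verdict=%d err=%v\n", c.name, v, err)
	}
}
```

On a real socket the instructions would be attached with `setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog))`. Two caveats worth keeping in mind: the filter cannot tell an injected RST from a genuine one, so a connection the peer really closed will wait for a timeout instead of failing fast; and a load beyond the packet end silently drops the packet, which is why the truncated case above returns 0.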
The program also includes a “tactics” layer, which remembers and stores working connection methods and modes to speed up tunnel establishment on subsequent runs, and uploads this information, together with the client’s country, to the server so that other Psiphon users can reuse it.
The server can also push server list and configuration updates to the client, including BPF bytecode, TCP fragmentation tactics and third-party DNS resolvers.
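The seeded fragmentation idea from the feature list, as an added example in Go (my own code, not Psiphon's fragmentor; the function names, size range and sample stream are assumptions made for the example): a plan of write sizes is derived from a PRNG seed, so recording the seed of a connection that got through is enough to replay exactly the same segmentation later.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"math/rand"
)

// FragmentPlan returns the sizes of the writes into which the first `total` bytes
// of a connection are split, each drawn uniformly from [minSize, maxSize] by a
// PRNG seeded with seed. The same seed always yields the same plan, which is what
// makes a "good" seed worth recording: replaying it reproduces the segmentation
// that previously got through.
func FragmentPlan(seed int64, total, minSize, maxSize int) []int {
	if minSize < 1 || maxSize < minSize {
		panic("invalid fragment size range")
	}
	r := rand.New(rand.NewSource(seed))
	var plan []int
	for remaining := total; remaining > 0; {
		n := minSize + r.Intn(maxSize-minSize+1)
		if n > remaining {
			n = remaining // last chunk is clipped to what is left
		}
		plan = append(plan, n)
		remaining -= n
	}
	return plan
}

// WriteFragmented writes data to w following plan, one Write call per planned
// chunk, then writes any remainder in a single call, and returns the chunk sizes
// actually written. On a real TCP socket a separate Write only becomes its own
// segment if the kernel sends it before the next Write arrives (Nagle disabled,
// or a short pause between writes); that pacing is left out of this example.
func WriteFragmented(w io.Writer, data []byte, plan []int) ([]int, error) {
	var sizes []int
	for _, n := range plan {
		if len(data) == 0 {
			break
		}
		if n > len(data) {
			n = len(data)
		}
		if _, err := w.Write(data[:n]); err != nil {
			return sizes, err
		}
		sizes = append(sizes, n)
		data = data[n:]
	}
	if len(data) > 0 {
		if _, err := w.Write(data); err != nil {
			return sizes, err
		}
		sizes = append(sizes, len(data))
	}
	return sizes, nil
}

// recordingWriter captures each Write as a separate chunk, standing in for a socket.
type recordingWriter struct {
	chunks [][]byte
}

func (r *recordingWriter) Write(p []byte) (int, error) {
	r.chunks = append(r.chunks, append([]byte(nil), p...))
	return len(p), nil
}

func main() {
	// Constructed stand-in for the first bytes of a handshake (84 bytes).
	hello := bytes.Repeat([]byte("SSH-2.0-OpenSSH_8.9\r\n"), 4)
	// Seed 1 twice shows replay; seed 2 shows a different segmentation.
	for _, seed := range []int64{1, 1, 2} {
		plan := FragmentPlan(seed, 64, 3, 23)
		w := &recordingWriter{}
		sizes, _ := WriteFragmented(w, hello, plan)
		fmt.Printf("seed %d: plan %v -> %d writes, sizes %v\n", seed, plan, len(w.chunks), sizes)
	}
}
```

The seed, not the plan, is what gets persisted: it is a single integer, it regenerates the plan exactly on the next run, and it can be handed to another connection attempt without storing the segmentation itself.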
There is hardly any documentation, which is probably the main reason Psiphon is not known as a circumvention building block. However, many configuration options and functions carry extensive comments, which makes learning from the source code easier.