July 20, 2023
Restls is a response to the TLS-in-TLS detection and blocking of October 2022. It imitates a TLS connection, while disrupting the packet lengths that would be characteristic of TLS-in-TLS. Restls does this by injecting spoof packets and fragmenting real packets. The rules for manipulating packets are not hardcoded, but are determined at run time by a "script."
In this tutorial, you'll set up a server and client implementing Shadowsocks over Restls. The server is a small VPS that runs Ubuntu 22.04. The client may be macOS, Windows, or Linux.
The examples in this post use these values:
Server IP address: YOUR.SERVER.IP.ADDRESS
Shadowsocks password: h9n40xhka0i2cqms
Restls password: bONgnNUylELevNbN
For more information on Restls, visit https://github.com/3andne/restls.
You do not need to open any firewall ports for Shadowsocks, since traffic will pass through Restls first.
Install Shadowsocks from the repositories:
apt update && apt upgrade -y
apt install -y shadowsocks-libev
Edit the Shadowsocks configuration file /etc/shadowsocks-libev/config.json. Of course, you can change the password from the one in the example, provided you make equivalent changes in your client configuration.
{
    "server": "127.0.0.1",
    "server_port": 8388,
    "method": "chacha20-ietf-poly1305",
    "password": "h9n40xhka0i2cqms",
    "mode": "tcp_only",
    "fast_open": false
}
Restart Shadowsocks with the new configuration:
systemctl restart shadowsocks-libev
Open port tcp/443 in your server firewall.
Download the latest Restls binary for your server architecture from https://github.com/3andne/restls/releases. For example:
wget https://github.com/3andne/restls/releases/download/v0.1.0-pre5/restls-x86_64-unknown-linux-musl
Copy the binary into a directory that is in your execution path, and give it a shorter name:
cp restls-x86_64-unknown-linux-musl /usr/local/bin/restls
chmod +x /usr/local/bin/restls
Start a new screen session for Restls:
screen -S restls
Run Restls with the given script (this is all one long command):
restls -s "www.microsoft.com" -l "0.0.0.0:443" -p bONgnNUylELevNbN -f "127.0.0.1:8388" --script "200?100,400?100,1200?200<1,1100~300,1000~100<1,2500~500,1300~50,1300~50,100~1200"
Typical response:
INFO Restls server started as www.microsoft.com:443 on 0.0.0.0:443, forwarding to 127.0.0.1:8388
To detach from the screen session, press Ctrl+a immediately followed by d.
Restls is now listening on port tcp/443.
Your work on the server is done.
Now go to work on your client computer.
Download Clash.Meta with Restls Support from https://github.com/3andne/Clash.Meta/releases. Prebuilt binaries are available for macOS Intel, macOS ARM ("Apple Silicon"), Linux Intel, Linux ARM, Windows Intel, and Windows ARM.
Create a configuration file ~/.config/clash/config.yaml. You can use the one below as a template to start with. Consult the Clash wiki at https://clash.wiki (Simplified Chinese) or https://en.clash.wiki (English) to learn how Clash configuration works.
port: 7890
socks-port: 7891
mode: rule
proxies:
  - name: restls-tls13
    type: ss
    server: YOUR.SERVER.IP.ADDRESS
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "h9n40xhka0i2cqms"
    plugin: restls
    plugin-opts:
      host: "www.microsoft.com"
      password: "bONgnNUylELevNbN"
      version-hint: "tls13"
      client-id: chrome
rules:
  - IP-CIDR,127.0.0.0/8,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,restls-tls13
Run Clash.Meta from the command line. Since the configuration file is in the default location, you should not need to specify it explicitly.
Typical response:
INFO Start initial configuration in progress
INFO Geodata Loader mode: memconservative
WARN Deprecated: Use Sniff instead
INFO Initial configuration complete, total time: 0ms
INFO Sniffer is closed
INFO Start initial compatible provider default
INFO HTTP proxy listening at: 127.0.0.1:7890
INFO SOCKS proxy listening at: 127.0.0.1:7891
Finally, configure your browser to use the SOCKS proxy on localhost port 7891. For example, in Firefox you can set the SOCKS Host to 127.0.0.1 and the Port to 7891.