Jumping the Great FireWall With Creative Ladders

Andy Lyu
Published in The Startup · 5 min read · Aug 15, 2020

Quick note: compiled firmware for the GL.iNet-AR750S can be accessed here

Advanced firewalls and content-filtering systems can fingerprint the kinds of network connections you are making. Something as trivial as an OpenVPN connection is easily fingerprinted and, if need be, blocked. Tor is also fairly easy to block when the publicly listed entry nodes can be pulled and the domains used for bridge requests can be blocked, not to mention its less-than-optimal speeds. We need a solution that is good enough to get around those firewalls, but not so good that we sacrifice speed for the ultimate privacy-conscious experience.

In recent years, people have found that these firewall systems have evolved to the point where they not only detect outgoing traffic, but also actively probe servers that have been marked as suspicious in an attempt to enumerate the services they are running. To demonstrate that, I will show you a crudely designed chart that somewhat resembles what the system does:

What I think a part of the firewall does

In some alleged cases the firewall also appears to spoof the user’s IP address to make the probing connection more convincing; the introduction of this mechanism coincided with the more aggressive ban waves that occur at the beginning of every June. It seems the system gathers servers to be blacklisted and hands out mass bans during that time.

By probing the server, the firewall gets a direct, unencrypted look at what the server is doing. Some protocols may ask for authentication, but for the firewall’s purpose it only cares which service is running. Once identified, the server address is blocked.

— Let’s get around that.

A travel router is quite nice for many occasions, whether it’s converting an Ethernet-only connection for WiFi-enabled devices or having a hardware VPN-enabled connection. GL.iNet offers a nice range of travel routers that are compact and unique in how easy they are to tinker with.

GL.iNet-AR750S, the router I have chosen (not sponsored… unless?)

For the average user, travel routers are no more than a tool to make hotel stays a bit easier on the tech side. However, for those who live in places where not everything is easily accessible via the internet, some creativity and DIY is required.

In comes OpenWRT, an open-source, embedded Linux operating system designed to enhance existing routers or turn any old laptop into a wireless access point. As GL.iNet already uses a modified version of OpenWRT as its operating system, there is a lot of support on the forums when it comes to installing a custom version.

However, the software we need takes a bit of digging for a beginner like me to find.

We now have three requirements for the software:

  1. The ability to bypass the firewall
  2. The ability to have high-speed connections
  3. The ability for the proxy server to resist active/passive probe requests from the firewall

Trojan (nice name) is a piece of software that ticks all of our requirements. Its mechanism for resisting probing attempts is quite simple (to explain, not to implement!).

A simple diagram to show the proxy’s anti probing method

The trojan protocol responds only to specially formed traffic that is designed to look like HTTPS. When the firewall probes, it has no way to tell what the client is doing other than sending HTTPS traffic, so it sends the same. That ordinary HTTPS traffic, however, triggers the probing protection: the server answers the request with a legitimate web page, as if it had been a normal web server all along.
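To make the dispatch in the diagram concrete, here is an added example of the trojan wire format on both sides, written for this article and not taken from the trojan project's code. It follows the layout the trojan project documents: the client's first bytes inside the TLS session are hex(SHA224(password)), CRLF, a SOCKS5-style request (command, address type, address, port) and CRLF, then the payload; anything else is handed to the decoy web server untouched. The password and the function names are my own assumptions.

```python
import hashlib
import hmac
import socket
from collections import namedtuple

CRLF = b"\r\n"
CMD_CONNECT, CMD_UDP = 0x01, 0x03                      # trojan request commands
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04   # SOCKS5-style address types
TrojanRequest = namedtuple("TrojanRequest", "cmd host port payload")

def password_hash(password: str) -> bytes:
    # A trojan client identifies itself with hex(SHA224(password)): 56 ASCII bytes
    return hashlib.sha224(password.encode()).hexdigest().encode()

def encode_request(password: str, cmd: int, host: str, port: int, payload: bytes) -> bytes:
    """Client side: the first bytes written into the freshly opened TLS session."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            addr = bytes([ATYP_DOMAIN, len(host)]) + host.encode("ascii")
    return (password_hash(password) + CRLF + bytes([cmd]) + addr
            + port.to_bytes(2, "big") + CRLF + payload)

def parse_request(data: bytes, password: str):
    """Server side. None means 'not a trojan client': the bytes then go to the
    decoy web server untouched, so an HTTPS-speaking prober sees a normal site."""
    # Constant-time compare: a prober must not be able to time its way to the hash
    if (len(data) < 58 or not hmac.compare_digest(data[:56], password_hash(password))
            or data[56:58] != CRLF):
        return None
    try:
        cmd, atyp, i = data[58], data[59], 60
        if atyp == ATYP_IPV4:
            host, i = socket.inet_ntop(socket.AF_INET, data[i:i + 4]), i + 4
        elif atyp == ATYP_IPV6:
            host, i = socket.inet_ntop(socket.AF_INET6, data[i:i + 16]), i + 16
        elif atyp == ATYP_DOMAIN:
            n = data[i]
            host, i = data[i + 1:i + 1 + n].decode("ascii"), i + 1 + n
        else:
            return None
        port = int.from_bytes(data[i:i + 2], "big")
        if cmd not in (CMD_CONNECT, CMD_UDP) or data[i + 2:i + 4] != CRLF:
            return None
        return TrojanRequest(cmd, host, port, data[i + 4:])
    except (IndexError, ValueError, UnicodeDecodeError):
        return None   # malformed header: also fall back to the decoy site
```

A real server would apply this to the first TLS record only and then splice the socket to either the destination or the decoy; the point is that the decoy path never reveals that a second protocol exists.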

Remember that little travel router I mentioned? We’ll have to somehow install the trojan client-side software onto it. Luckily, as everything in this process is open source, someone has already beaten me to it.

Lean’s OpenWRT is a custom-maintained branch of the OpenWRT source code which adds a lot of Chinese language localizations and custom packages designed for specific internet access needs. The package we are looking for is SSR+, which is not enabled by default. After enabling the repository, we can start working on compiling the firmware for the GL.iNet Slate.

The Slate uses its 16MB NAND storage for firmware, which means our final compiled image cannot exceed that size. This means we cannot pack in too many packages at compile time, but we can always install packages later on.

First, clone the proper repositories and enable the helloworld repository in the feeds.conf.default file, then run:

./scripts/feeds update -a
./scripts/feeds install -a

These two commands run a script that fetches and installs the needed packages before compiling. Since I have already made a config file on the github repository, we can use that as the .config file instead.

To ensure the first compilation process goes without error, use one thread to compile by issuing make -j1 V=s.

After the compilation process (which may take hours depending on your CPU), the finished firmware image should reside in lede/bin/targets/ath79/nand/openwrt-ath79-nand-glinet_gl-ar750s-nor-nand-squashfs-factory.img

To flash the firmware, we need to put the Slate into U-Boot. To do that, hold down the power button before plugging in the power source. After giving it power, wait for the 5G power LED to flash 5 times before letting go. Connect only one Ethernet cable to a laptop and navigate to 192.168.1.1.

A web page should appear with the option to upload firmware; upload the one you (or I) have compiled.

Leave the router to do its own thing for around 5 to 10 minutes, and it should boot itself back up. The default username is root and the password is password.

My compiled version of Lean’s OpenWRT for the GL.iNet-AR750S

Setting up a trojan server is up to you. For now, I will leave you with the tools to connect, and good luck on your journey to achieve internet freedom.
