Bepass is an advanced tool designed to bypass Iran's Deep Packet Inspection (DPI) system using a TLS client hello splitting attack. It also enables the deployment of a VLESS-like proxy on Cloudflare Workers. This README provides an overview of the project's features, build instructions, deployment guidelines, and more.
- DPI Bypass: Supports all of Iran's network carriers with customized TLS hello packet length adjustments.
- DNS Over HTTPS (DOH) Support: Facilitates secure and private DNS resolution.
- Server Name Indication DNS (SDNS) Support: Enhances DNS resolution efficiency.
- Cross-Platform Compatibility: Suitable for various operating systems.
You can run the CLI version of Bepass as follows:
- download the latest release from here based on your operating system
- extract the zip file
- create a `config.json` file in the same directory as the executable file
- run the executable file
Example configuration (`config.json` file) for IR-MCI:
```json
{
  "TLSHeaderLength": 5,
  "TLSPaddingEnabled": false,
  "TLSPaddingSize": [40, 80],
  "RemoteDNSAddr": "https://1.1.1.1/dns-query",
  "EnableDNSFragmentation": false,
  "DnsCacheTTL": 3000000,
  "DnsRequestTimeout": 10,
  "BindAddress": "0.0.0.0:8085",
  "ChunksLengthBeforeSni": [2000, 2000],
  "SniChunksLength": [1, 2],
  "ChunksLengthAfterSni": [2000, 2000],
  "DelayBetweenChunks": [10, 20],
  "WorkerAddress": "https://<your_worker>.workers.dev/dns-query",
  "WorkerIPPortAddress": "104.16.246.91:8443",
  "WorkerEnabled": true,
  "WorkerDNSOnly": false,
  "EnableLowLevelSockets": false,
  "Hosts": [
    {
      "Domain": "yarp.lefolgoc.net",
      "IP": "5.39.88.20"
    }
  ],
  "UDPBindAddress": "0.0.0.0",
  "UDPReadTimeout": 120,
  "UDPWriteTimeout": 120,
  "UDPLinkIdleTimeout": 120
}
```
- `"TLSHeaderLength": 5`: Specifies the length of the TLS header, which is set to 5 bytes.
- `"TLSPaddingEnabled": false`: Enables or disables TLS padding.
- `"TLSPaddingSize": [40, 80]`: Sets the TLS padding size range to be between 40 and 80 bytes.
- `"RemoteDNSAddr": "https://1.1.1.1/dns-query"`: Specifies the remote DNS address for DNS queries. In this case, it's set to Cloudflare's DNS over HTTPS (DOH) service.
- `"EnableDNSFragmentation": false`: Enables or disables DNS fragmentation.
- `"DnsCacheTTL": 3000000`: Sets the Time To Live (TTL) for DNS cache entries (seconds).
- `"DnsRequestTimeout": 10`: Sets the timeout for DNS requests to 10 seconds.
- `"BindAddress": "0.0.0.0:8085"`: Sets the bind address for the proxy server to listen on all available network interfaces (`0.0.0.0`) on port `8085`.
- `"ChunksLengthBeforeSni": [2000, 2000]`: Specifies the length of chunks before the Server Name Indication (SNI) in the TLS handshake to be 2000 bytes.
- `"SniChunksLength": [5, 10]`: Sets the SNI chunk length to be between 5 and 10 bytes.
- `"ChunksLengthAfterSni": [2000, 2000]`: Specifies the length of chunks after the SNI in the TLS handshake to be 2000 bytes.
- `"DelayBetweenChunks": [10, 20]`: Sets the delay between sending chunks to be between 10 and 20 milliseconds.
- `"WorkerAddress": "https://<your_worker>.workers.dev/dns-query"`: Specifies the Cloudflare Worker address for proxy services.
- `"WorkerIPPortAddress": "104.17.196.93:2096"`: Sets the IP address and port for the Cloudflare Worker. Find a clean CF IP and use it in place of this one to get better performance based on your internet quality and ISP.
- `"WorkerEnabled": true`: Enables or disables the use of the Cloudflare Worker.
- `"WorkerDNSOnly": false`: Indicates whether the Cloudflare Worker should be used for DNS queries only. (If you just want to use DOH over the worker, set `true`. If you want a full-fledged TCP SOCKS5 proxy over the worker, set `false`.)
- `"EnableLowLevelSockets": false`: Enables or disables low-level socket functionality.
- `"Hosts": [{ "Domain": "yarp.lefolgoc.net", "IP": "5.39.88.20" }]`: Specifies a list of custom hosts to map domain names to IP addresses. In this example, "yarp.lefolgoc.net" is mapped to "5.39.88.20".
- `"UDPBindAddress": "0.0.0.0"`: Sets the UDP bind address to listen on all available network interfaces (`0.0.0.0`).
- `"UDPReadTimeout": 120`: Sets the UDP read timeout to 120 seconds.
- `"UDPWriteTimeout": 120`: Sets the UDP write timeout to 120 seconds.
- `"UDPLinkIdleTimeout": 120`: Sets the UDP link idle timeout to 120 seconds.
Please note that you should replace `<your_worker>` in `"WorkerAddress"` with your actual Cloudflare Worker address. Additionally, ensure that you configure other settings as needed for your specific use case.
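A pre-flight check for the configuration documented above, added here as an example (it is not part of the Bepass code base): it flags wildcard bind addresses, which make the listener reachable on every network interface, an unreplaced `<your_worker>` placeholder, and malformed `[min, max]` ranges. Which settings count as findings is this example's assumption, and `Lint` and `wildcard` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Constructed sample: keys from the README's example, with one range inverted.
const sample = `{"BindAddress":"0.0.0.0:8085","UDPBindAddress":"0.0.0.0","SniChunksLength":[2,1],
 "DelayBetweenChunks":[10,20],"WorkerAddress":"https://<your_worker>.workers.dev/dns-query"}`

// wildcard reports whether addr (host or host:port) binds every interface.
func wildcard(addr string) bool {
	if h, _, err := net.SplitHostPort(addr); err == nil {
		addr = h
	}
	return addr == "" || net.ParseIP(addr).IsUnspecified() // unparsable host: false
}

// Lint returns one finding per questionable setting; the checks are this example's own.
func Lint(raw []byte) ([]string, error) {
	var c map[string]json.RawMessage
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	str := func(k string) (s string) { json.Unmarshal(c[k], &s); return } // "" if absent
	var out []string
	for _, k := range []string{"BindAddress", "UDPBindAddress"} {
		if a := str(k); a != "" && wildcard(a) {
			out = append(out, k+": listens on every interface")
		}
	}
	if strings.Contains(str("WorkerAddress"), "<your_worker>") {
		out = append(out, "WorkerAddress: placeholder not replaced")
	}
	for _, k := range []string{"TLSPaddingSize", "ChunksLengthBeforeSni", "SniChunksLength", "ChunksLengthAfterSni", "DelayBetweenChunks"} {
		var r []float64 // must decode as [min, max] with 0 <= min <= max
		if v, ok := c[k]; ok && (json.Unmarshal(v, &r) != nil || len(r) != 2 || r[0] < 0 || r[0] > r[1]) {
			out = append(out, fmt.Sprintf("%s: not a [min, max] range: %s", k, v))
		}
	}
	return out, nil
}

func main() {
	findings, _ := Lint([]byte(sample)) // sample is valid JSON
	fmt.Println(strings.Join(findings, "\n"))
}
```

If the proxy only serves clients on the same machine, a loopback `BindAddress` such as `127.0.0.1:8085` clears the first finding.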
You can build the CLI version of Bepass as follows:
```bash
git clone https://github.com/uoosef/bepass.git
cd bepass/bepass
make          # Build CLI debug version
make release  # Build CLI release version
```
You can build GUI debug and release versions as follows:
```bash
git clone https://github.com/uoosef/bepass.git
cd bepass/bepass
make gui          # For GUI debug version
make gui-release  # For GUI release version
```
A graphical user interface (GUI) version of Bepass is under development. Stay tuned for updates on its availability.
You can download the latest build from the release or just install Go 1.19+ and run:
```bash
git clone https://github.com/uoosef/bepass.git
cd bepass/bepass
go build ./cmd/cli/main.go
```
It should give you an executable file, or you can simply run it in place.
```bash
git clone https://github.com/uoosef/bepass.git
cd bepass/bepass
go run ./cmd/cli/main.go -c config.json
```
The project roadmap includes:
- Self-Hosted DOH (Completed)
- TCP Proxy Over Worker (Completed)
- GUI Version (Work in Progress)
- Android Version (Work in Progress)
- Finding a Way to Bypass Blocked IPs
This project is open-source and licensed under the MIT License. Feel free to contribute and use it in accordance with the license terms.
⚠ Use this tool responsibly and ensure compliance with local laws and regulations. ⚠