Geph (迷霧通) is a modular Internet censorship circumvention system designed specifically to deal with national filtering.
geph4-client
is the command-line Geph client.
To install geph4-client
, you need to first install Rust, then run
cargo install geph4-client
in a terminal. To see a list of the subcommands and flags available, simply run
geph4-client -h
Below is how each subcommand works.
1. connect
Given user credentials and other optional inputs, connect
establishes a network connection to a Geph exit server. If that exit server is blocked from the client, connect
proxyies the connection through dynamical bridge servers that are not blocked in the region.
A typical connect
command might look like:
geph4-client connect --exit-server 2.mtl.ca.ngexits.geph.io auth-password --username public5 --password public5
Internally, connect
- makes a
ClientTunnel
that manages asosistab2
Multiplex
session to the specified remote Geph server, and - enables
socks5
andhttp
proxies through thisClientTunnel
, as well as routing VPN packets.
A tunnel starts and keeps alive the best sosistab Multiplex
session it can given the specified connect
parameters.
A sosistab2 Multiplex
is a single end-to-end connection between a client and a server. This can be thought of as analogous to TcpStream, except all reads and writes are datagram-based and unreliable. For more on Multiplex
, see sosistab2
.
The Multiplex
session consists of several routes to the exit server, both through different bridges and without bridges. (If the user is in China, then we only provide routes that use bridges, because all the exit servers are blocked by the Great Firewall.) The sositab protocol then monitors the routes and switches seamlessly to the best working route. Finally, The ClientTunnel
actively updates the set of bridges used by its Multiplex
to switch out servers that get blocked.
Finally, ClientTunnel
exposes channels to the Multiplex
for handling proxy requests and packet forwarding for VPN mode.
connect
sets up two proxy servers on localhost. By default, the socks5
server listens on 127.0.0.1:9909
, and http
listens on 127.0.0.1:9910
. These ports can be changed with the --socks5-listen
and --http-listen
flags. These localhost servers accept proxy connections and fulfills requests by forwarding them to the ClientTunnel
, after which they are proxied through the exit server.
When the socks5
server accepts a connection, it establishes a sosistab2
reliable stream along with a task to forward all traffic from the socks5
connection to the sosistab
stream.
The http
server is the socks5
server converted using an adaptation of the socks2http
repo.
VPN mode takes packets from the source specified by --vpn-mode
and sends them over a UDP-like unreliable connection on the ClientTunnel
.
Starting geph4-client
in VPN mode on Linux might look like:
sudo $(which geph4-client) connect --vpn-mode tun-route --exit-server 2.mtl.ca.ngexits.geph.io auth-password --username public5 --password public5
Note that VPN mode requires us to run geph4-client
with root privileges. We use $(which geph4-client)
because geph4-client
might not be in root
's path.
- On Linux, use
--vpn-mode tun-route
. This startsgeph4-client
in VPN mode, starts a TUN device, and route all packets to it usingiptables
. - On Windows, use
--vpn-mode windivert
. This routes packets to it usingWindivert
. - VPN mode is currently not support for MacOS. Contributions are welcome!
2. sync
sync
takes in a user's credentials and obtains the latest information about the user's subscription status, as well as what exits there are.
To bypass censorship, we connect to the binder using domain fronting. To mitigate attacks in the case that an attacker compromises the central Geph binder, we verify the exit list given by the binder against a public record on the Mel blockchain. You can read more about Geph's use of the blockchain here.
sync
is designed to be used by the GUI interface around geph4-client
.
3. binder_proxy
binder_proxy
creates a BinderClient
that is a JSON-RPC
client to the Geph binder. This is used by gephgui
for things like obtaining exit statistics and user registration and deletion.
4. debugpack
geph4-client debugpack --export-to /your/preferred/path/
exports an SQLite
database containing Geph's debug logs to /your/preferred/path/
.
geph4-client
also supports compiling as a universal C
library for calling on iOS (this is because you cannot start a new process on iOS; on other platforms we start geph4-client
in a new process). One difference to note is that this version of geph4-client
completely avoids using stdin/out
for any communication, as doing so would crash the app on iOS. Most of the logic surrounding iOS support is in ios.rs
.