Skip to content

SNI Tricks

Jump to bottom
krlvm edited this page Jul 1, 2020 · 9 revisions

WARNING:
This option is experimental and unstable.
Please, don't enable SNI Tricks if you're not an advanced PC user and don't have administrator rights.

Applies to:

  • PowerTunnel v1.12 and higher
  • PowerTunnel for Android v1.7 and higher

Summary: Internet Service Provider (ISP) filters your HTTPS traffic by looking on SNI - Server Name Indication. This method of filtering can be bypassed by removing or modifying SNI in your HTTPS requests.

Table of contents:

  1. What is SNI
  2. Configuring SNI Tricks in PowerTunnel
  3. Removing PowerTunnel Root CA
  4. Troubleshooting

What is SNI

Server Name Indication is an extension to the TLS protocol.

When you're attempting to connect to a HTTP website, the hostname is passed in the request headers, which are unencrypted.
If you're connecting with HTTPS, the request headers are encrypted, but the hostname can be read from SNI in ClientHello packet. That's how your ISP blocking HTTPS websites.

We have to remove or encrypt SNI to bypass filtering.
In recent years, ESNI - Encrypted SNI - has been developed to encrypt the hostname, but it's still experimental and most websites doesn't support it.

PowerTunnel supports some tricks with SNI, that allow you to remove or modify SNI in your HTTPS requests to blocked websites.
To do that, we need to replace the original SSL certificate, so you need to install it at the first.

This method may not work anywhere, because some DPI rejects HTTPS requests without SNI or when the SNI is encrypted, also this approach doesn't supported by the most of sites, especially the ones, who checking the SSL certificate.

Spoil SNI method is more efficient than Erase SNI.

Configuring SNI Tricks in PowerTunnel

The manual below is for the PC version of PowerTunnel. PowerTunnel for Android automatically suggests you to install the certificate when you have this option enabled.

You do the following actions on your risk.
Make sure that you run a genuine build of PowerTunnel (PC/Android) to keep your traffic safe.

Step 1: enable "SNI Tricks"

If you're running PowerTunnel in console mode, just add -sni-trick [trick] key, where [trick] is 1 for SPOIL and 2 for ERASE:
$ java -jar PowerTunnel.jar -sni-trick [trick]

You can enable this option from the user interface:
Step 1: enable "SNI Tricks" from the UI

Tip: disable "chunking" option to more stable work

Step 2: fill the government blocklist

Global mode is enabled by default, but this method can break the most of unblocked websites, so PowerTunnel uses selective SNI erasing.
Clean government-blocklist.txt and fill it with a list of the blocked domains in your country.

Step 3: install PowerTunnel Root CA

The certificate generates on the first run of the PowerTunnel with this option enabled.
All certificates are unique, neither PowerTunnel developers nor someone else has its password. The password is stored in settings.ini.
PowerTunnel never decrypts your traffic.

PowerTunnel re-crytps your HTTPS session to remove SNI, so you have to install PowerTunnel Root CA.

Manual for Windows:

  1. Open a blocked website
Open a blocked website
  1. Extract the root certificate
  • Open connection details
Open connection details
  • Select "Certificate"
Select "Certificate"
  • Go to "Certification Path -> View certificate"
Go to "Certification Path" Click "View certificate"
  • Go to "Details -> Copy to file"
Go to "Details" Click "Copy to file"

Follow instructions on your screen and extract the certificate to your desktop

  1. Install the root certificate
  • Open context menu and select "Install Certificate"
Open context menu and select "Install Certificate"
  • Install the certificate to "Trusted Root Certification Authorities"
Choose "Local Machine" Install the certificate to "Trusted Root Certification Authorities"
  1. Clear your browser cache and restart it

Removing PowerTunnel Root CA

Manual for Windows:

  1. Open the "Run" dialog (Win+R) and execute "certlm.msc"
Open the "Run" dialog
  1. Remove the certificate
Remove the certificate

Manual for Android:
Go to Settings -> Security -> Trusted Credentials -> User, select "PowerTunnel Root CA" and click "Remove"

Troubleshooting

Seems that this method doesn't work with your ISP's DPI. Keep in mind that some websites want to enforce you using their original certificates, so that method can't be applied to them.
Use "chunking" method or any encrypted connection, such as VPN or Tor.

Manual for PC:
If you can't access a blocked website check government-blacklist.txt.
If you still have problems with the Root CA, do following actions:

  1. Remove the Root CA from your system as described above
  2. Remove files powertunnel-root-ca.p12 and powertunnel-root-ca.pem in PowerTunnel folder
  3. Open settings.ini in PowerTunnel folder
  4. Remove the line starting with powertunnel.cert.password=
  5. Run PowerTunnel again

Manual for Android:
Just clear data of the PowerTunnel Android application.
Open your system settings, find PowerTunnel in applications section, choose "Data" and tap on "Clear data".
This also will reset PowerTunnel configuration.

Open an issue in the GitHub repository if you have any questsions.

Clone this wiki locally