dpi

package
v0.6.82 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 27, 2026 License: AGPL-3.0, AGPL-3.0-or-later Imports: 24 Imported by: 0

Documentation

Constants

const (
	// DefaultFragmentSize is the number of bytes per TCP segment during
	// the handshake phase. Small values (1-3) are most effective at defeating
	// DPI signature matching on the first segment.
	DefaultFragmentSize = 2

	// DefaultHandshakeLen is the number of initial bytes subject to
	// fragmentation. This covers the TLS ClientHello (~500 bytes) with margin.
	DefaultHandshakeLen = 1024

	// DefaultMaxDelay is the upper bound for the random delay inserted
	// between handshake fragments. Keeping this small avoids noticeable
	// connection latency.
	DefaultMaxDelay = 5 * time.Millisecond
)
const (
	BrowserChrome  = "chrome"
	BrowserFirefox = "firefox"
	BrowserSafari  = "safari"
	BrowserEdge    = "edge"
	BrowserIOS     = "ios"
	BrowserAndroid = "android"
)

Well-known browser fingerprint identifiers for WithBrowserFingerprint.

Variables

This section is empty.

Functions

This section is empty.

Types

type CamouflageConn

type CamouflageConn struct {
	// contains filtered or unexported fields
}

CamouflageConn wraps a TCP connection with a real TLS tunnel. The client side uses uTLS to present a genuine browser TLS fingerprint (Chrome, Firefox, etc.), while the server side uses standard crypto/tls with a plausible certificate chain. All traffic inside the tunnel is indistinguishable from normal HTTPS browsing to DPI middleboxes.

func (*CamouflageConn) Close

func (cc *CamouflageConn) Close() error

func (*CamouflageConn) CloseRead

func (cc *CamouflageConn) CloseRead() error

CloseRead forwards to the underlying connection if supported.

func (*CamouflageConn) CloseWrite

func (cc *CamouflageConn) CloseWrite() error

CloseWrite sends a TLS close_notify alert if the underlying TLS connection supports half-close.

func (*CamouflageConn) LocalAddr

func (cc *CamouflageConn) LocalAddr() net.Addr

func (*CamouflageConn) LocalMultiaddr

func (cc *CamouflageConn) LocalMultiaddr() ma.Multiaddr

func (*CamouflageConn) Read

func (cc *CamouflageConn) Read(b []byte) (int, error)

func (*CamouflageConn) RemoteAddr

func (cc *CamouflageConn) RemoteAddr() net.Addr

func (*CamouflageConn) RemoteMultiaddr

func (cc *CamouflageConn) RemoteMultiaddr() ma.Multiaddr

func (*CamouflageConn) SetDeadline

func (cc *CamouflageConn) SetDeadline(t time.Time) error

func (*CamouflageConn) SetReadDeadline

func (cc *CamouflageConn) SetReadDeadline(t time.Time) error

func (*CamouflageConn) SetWriteDeadline

func (cc *CamouflageConn) SetWriteDeadline(t time.Time) error

func (*CamouflageConn) Write

func (cc *CamouflageConn) Write(b []byte) (int, error)

type Option

type Option func(*SpoofTransport) error

func WithBrowserFingerprint

func WithBrowserFingerprint(browser string) Option

WithBrowserFingerprint selects which browser's TLS fingerprint to mimic. Use the Browser* constants (e.g. BrowserChrome, BrowserFirefox). Defaults to Chrome if empty or unknown.

func WithConnectTimeout

func WithConnectTimeout(d time.Duration) Option

WithConnectTimeout sets the TCP connect timeout. Non-positive values are ignored.

func WithFragmentSize

func WithFragmentSize(size int) Option

WithFragmentSize sets the number of bytes per TCP segment during the handshake phase.

func WithHandshakeLen

func WithHandshakeLen(n int) Option

WithHandshakeLen sets the total number of bytes subject to fragmentation.

func WithHandshakeTimeout

func WithHandshakeTimeout(d time.Duration) Option

WithHandshakeTimeout sets the maximum duration for the TLS handshake. Connections that do not complete the handshake within this window are closed, defending against slow-handshake active probing. Non-positive values are ignored.

func WithMaxDelay

func WithMaxDelay(d time.Duration) Option

WithMaxDelay sets the upper bound for random inter-fragment delays. Zero disables delays; negative values are ignored.

func WithSNI

func WithSNI(sni string) Option

WithSNI sets the Server Name Indication value used in the TLS ClientHello. Defaults to "www.googleapis.com".

type SpoofConn

type SpoofConn struct {
	manet.Conn
	// contains filtered or unexported fields
}

SpoofConn wraps a manet.Conn and transparently splits Write calls into small TCP segments while the connection is in the handshake phase (the first handshakeLen bytes). After the handshake, writes pass through without modification.

func (*SpoofConn) CloseRead

func (c *SpoofConn) CloseRead() error

CloseRead forwards to the underlying connection if supported.

func (*SpoofConn) CloseWrite

func (c *SpoofConn) CloseWrite() error

CloseWrite forwards to the underlying connection if supported.

func (*SpoofConn) Write

func (c *SpoofConn) Write(b []byte) (int, error)

Write fragments b into small segments if the handshake phase is still active; otherwise it delegates directly to the underlying connection.
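The handshake-phase splitting that SpoofConn.Write performs, as an added example that is not part of this package's code: a small fragmentingWriter re-implements the documented behaviour (first handshakeLen bytes go out in fragmentSize-byte pieces, later writes pass through), a segmentRecorder stands in for the TCP socket by keeping each write as one segment, and a 5-byte TLS record-header check (content type 0x16, the same leading byte the Listen note relies on) is run first on the initial segment alone and then on the reassembled stream. The record is a constructed header over dummy bytes, not a real ClientHello; the names fragmentingWriter, segmentRecorder, looksLikeTLSHandshake and runDemo are assumptions of this example. The point a defender should take from it is in the result: an inspector that only looks at the first segment sees two bytes and cannot classify the record, while one that reassembles the TCP stream sees the full header, so fragmentation only affects per-segment signature matching.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// segmentRecorder stands in for a TCP connection: each Write call is kept
// as one "segment", the way a single write to an unbuffered socket becomes
// one segment on the wire. Constructed stand-in, not a real socket.
type segmentRecorder struct {
	segments [][]byte
}

func (r *segmentRecorder) Write(p []byte) (int, error) {
	r.segments = append(r.segments, append([]byte(nil), p...))
	return len(p), nil
}

// fragmentingWriter re-implements the behaviour documented for
// SpoofConn.Write (assumed re-implementation, not the package's code):
// the first handshakeLen bytes are written in fragmentSize-byte pieces,
// everything after that passes through unchanged.
type fragmentingWriter struct {
	w            io.Writer
	fragmentSize int
	handshakeLen int
	written      int // total bytes handed to w so far
}

func (f *fragmentingWriter) Write(b []byte) (int, error) {
	total := 0
	for len(b) > 0 {
		remaining := f.handshakeLen - f.written
		if remaining <= 0 {
			// Handshake window exhausted: the rest goes out as one write.
			n, err := f.w.Write(b)
			f.written += n
			return total + n, err
		}
		n := f.fragmentSize
		if n > remaining {
			n = remaining // a fragment never straddles the window boundary
		}
		if n > len(b) {
			n = len(b)
		}
		m, err := f.w.Write(b[:n])
		total += m
		f.written += m
		if err != nil {
			return total, err
		}
		b = b[m:]
	}
	return total, nil
}

// looksLikeTLSHandshake reports whether data starts with a TLS handshake
// record header (content type 0x16, major version 0x03) and returns the
// record length from header bytes 3-4. It needs the full 5-byte header.
func looksLikeTLSHandshake(data []byte) (bool, int) {
	if len(data) < 5 || data[0] != 0x16 || data[1] != 0x03 {
		return false, 0
	}
	return true, int(data[3])<<8 | int(data[4])
}

// syntheticHandshakeRecord builds a constructed record header
// (0x16 0x03 0x01 + length) over a dummy payload. It is not a real
// ClientHello; only the record header matters here.
func syntheticHandshakeRecord(payloadLen int) []byte {
	rec := []byte{0x16, 0x03, 0x01, byte(payloadLen >> 8), byte(payloadLen)}
	return append(rec, bytes.Repeat([]byte{0x41}, payloadLen)...)
}

type demoResult struct {
	HandshakeSegments     int  // segments produced for the synthetic record
	FirstSegmentLen       int
	FirstSegmentLooksTLS  bool // verdict of a first-segment-only inspector
	ReassembledLooksTLS   bool // verdict of a stream-reassembling inspector
	ReassembledRecordLen  int
	ReassembledIntact     bool // reassembled bytes equal the original record
	PostHandshakeSegments int  // segments for one write after the window
}

func runDemo() demoResult {
	rec := &segmentRecorder{}
	// fragmentSize 2 and handshakeLen 1024 are the package's documented defaults.
	fw := &fragmentingWriter{w: rec, fragmentSize: 2, handshakeLen: 1024}
	hello := syntheticHandshakeRecord(60)
	_, _ = fw.Write(hello)
	var r demoResult
	r.HandshakeSegments = len(rec.segments)
	r.FirstSegmentLen = len(rec.segments[0])
	r.FirstSegmentLooksTLS, _ = looksLikeTLSHandshake(rec.segments[0])
	joined := bytes.Join(rec.segments, nil)
	r.ReassembledLooksTLS, r.ReassembledRecordLen = looksLikeTLSHandshake(joined)
	r.ReassembledIntact = bytes.Equal(joined, hello)
	// Exhaust the rest of the 1024-byte window, then do one application
	// write: it must leave as a single segment.
	_, _ = fw.Write(make([]byte, 1024-len(hello)))
	before := len(rec.segments)
	_, _ = fw.Write(make([]byte, 300))
	r.PostHandshakeSegments = len(rec.segments) - before
	return r
}

func main() {
	fmt.Printf("%+v\n", runDemo())
}
```

Running it with `go run` prints the demoResult: the 65-byte record leaves as 33 segments, the first of which is 2 bytes and fails the header check, while the reassembled stream passes it with record length 60 and a post-handshake write stays in one segment.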

type SpoofTransport

type SpoofTransport struct {
	// contains filtered or unexported fields
}

SpoofTransport is a libp2p transport that wraps TCP connections with real TLS camouflage (uTLS browser fingerprint) and handshake-phase traffic fragmentation to evade DPI.

func NewSpoofTransport

func NewSpoofTransport(
	upgrader transport.Upgrader,
	rcmgr network.ResourceManager,
	sharedTCP *tcpreuse.ConnMgr,
	opts ...Option,
) (*SpoofTransport, error)

NewSpoofTransport creates a DPI-evasion transport. The constructor signature is compatible with libp2p.Transport() dependency injection: the framework injects the upgrader, resource manager, and shared TCP manager automatically.

func (*SpoofTransport) CanDial

func (t *SpoofTransport) CanDial(addr ma.Multiaddr) bool

CanDial returns true if the transport can dial the given multiaddr.

func (*SpoofTransport) Dial

Dial dials the remote peer, wrapping the raw TCP connection with SpoofConn + real TLS camouflage before the Noise handshake.

func (*SpoofTransport) Listen

func (t *SpoofTransport) Listen(laddr ma.Multiaddr) (transport.Listener, error)

Listen creates a TCP listener whose accepted connections are wrapped with SpoofConn + real TLS camouflage so that the TLS handshake completes before the Noise upgrade.

Note: we intentionally bypass the sharedTCP demultiplexed listener because our connections start with a real TLS ClientHello (0x16...), not with multistream-select. Registering under the demultiplexed multistream-select connection type would cause incoming connections to be misclassified.

func (*SpoofTransport) Protocols

func (t *SpoofTransport) Protocols() []int

Protocols returns the set of protocols handled by this transport.

func (*SpoofTransport) Proxy

func (t *SpoofTransport) Proxy() bool

Proxy always returns false.

func (*SpoofTransport) String

func (t *SpoofTransport) String() string
