vpnhood / VpnHood

Undetectable Fast Portable VPN


The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

asoMansoury opened this issue

I have registered one subdomain on Cloudflare (with proxying enabled): my subdomain is test.dakhoshe.com.
I also used an Iranian server for tunneling all 888 traffic to my original server.
For tunneling I used the gost technique (https://gost.run/) to bypass Iranian policy. As you might have understood, IPv6 has been closed in Iran.
By using the above technique I was able to get access to my VpnHood server, but the problem is that I get the error below.

The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

Do you have any idea how to resolve this problem?

Hi, I cannot understand what you have done with gost!

  1. Why not just forward the 443 traffic from your Iranian server to the original server and set the PublicEndPoint in the token to your forwarder?
  2. What does Cloudflare do here?

IPv6 has been blocked overall in Iran and we cannot use direct forwarding anymore. Now the only remaining way is to use the Cloudflare proxy with a proxy tool called gost (install script: https://github.com/go-gost/gost/raw/master/install.sh).
After setting up gost on both my Iranian and foreign servers, my traffic is going to the foreign server via my Iranian server, but the problem is the one I described above.
About IPv4: if we use this protocol it would be identified quickly and our server will be blocked!
It seems using this protocol is the only way, and the only way not recognized by the government.
My Iranian server sends traffic with a credential which is not trusted by VpnHood. I need a configuration to make my VpnHood server public to any untrusted traffic which comes to it.

Sorry, I cannot understand how gost can help you.

> After setting up gost on both my Iranian and foreign servers, my traffic is going to the foreign server via my Iranian server
>
> IPv4, if we use this protocol it would be identified quickly and our server will be blocked!

The key is here: you said you don't have IPv6, and IPv4 does not work for you either and will get blocked. So, how can you send the traffic via IPv4 if it does not work?

Please check issue #547
It may be helpful to you.

I have set up gost on both servers, Iranian (provider) and foreign (consumer), and they have been tunneled by gost (I used the Cloudflare subdomain, and gost works as another tunnel between my servers). So when the client sends traffic to Iran, Iran will send the traffic to gost (test.dakhoshe.com proxy DNS), then gost will redirect the traffic to the original server, but when VpnHood gets the traffic it doesn't trust the credential (my guess).

So, do you connect to Cloudflare by IPv4 via gost?

Cloudflare cannot help you because your domain will be blocked via the TLS handshake, which is more common than blocking IPs.
I believe you just made the process complicated. In the end, your gost proxy just sends the request using a subdomain to Cloudflare. It will have the same result if you simply forward the 443 port to the VPN server. You may think the government does not block Cloudflare IPs, but they easily block your domain.

Anyway, Cloudflare is an HTTP proxy, while VpnHood is a hybrid IP and a custom SOCKS proxy. VpnHood does not support Cloudflare. Also, as far as I know, it is against Cloudflare's policy to put any service except an HTTP server behind the Cloudflare proxy service. Also, Cloudflare has an upload cache system that prevents a SOCKS tunnel from working.

So based on your reply we should assume we can't use your service anymore. I wonder why VpnHood returns remoteInvalid, for it means the traffic arrived at VpnHood.
The government uses bots to recognize VPN traffic over IPv4, and they weren't able to block IPv6 IPs, so they decided to block all IPv6 except some critical domains like Cloudflare. For using IPv6, we use the Cloudflare proxy over IPv6, which has not been blocked yet, and I believe it won't ever be blocked in Iran.

> I wonder why VpnHood returns remoteInvalid, for it means the traffic arrived at VpnHood.

Cloudflare opens the request, modifies it, and resubmits every request. You may be able to use the valid domain for VpnHood to pass this problem, but more problems will occur after that. We don't support Cloudflare. We have already worked on that before.

> The government uses bots to recognize VPN traffic over IPv4

VpnHood supports both IPv4 and IPv6. It deals with them, and I can assure you there is not much difference between IPv4 and IPv6 for bots. Also, VpnHood is acting like a legitimate HTTP server; there is no pattern or signature to be found. Perhaps they use other methods such as IP usage, and it can happen on IPv6 too. If they block IPv6, it means they don't have the infrastructure or just want to limit the IP numbers as IPv6 costs are much cheaper, or they don't care to connect to world service at all.

Please add to this closed issue if I can help you more.
Duplicate of #316
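
The error in this thread is the message .NET's SslStream reports when the client's validation callback returns false. As an added example (not VpnHood's code and not part of the thread), assuming a client that pins the server certificate by SHA-256 hash, the following shows why a TLS-terminating proxy in the path produces that rejection while a plain TCP port forward does not; the certificate subjects and the `PinTo` helper are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertDemo
{
    // Constructed sample data: a throwaway self-signed certificate for the given subject.
    static X509Certificate2 SelfSigned(string subject)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                    DateTimeOffset.UtcNow.AddDays(30));
    }

    // Hypothetical pinning callback (an assumption, not VpnHood's implementation):
    // accept only the certificate whose SHA-256 hash the client received out of band.
    static RemoteCertificateValidationCallback PinTo(byte[] expectedSha256) =>
        (sender, cert, chain, errors) =>
            cert != null &&
            CryptographicOperations.FixedTimeEquals(
                cert.GetCertHash(HashAlgorithmName.SHA256), expectedSha256);

    static void Main()
    {
        using var origin = SelfSigned("CN=origin.example"); // presented by the VPN server
        using var edge = SelfSigned("CN=edge.example");     // presented by a TLS-terminating proxy
        var validate = PinTo(origin.GetCertHash(HashAlgorithmName.SHA256));
        var sender = new object();

        // Direct connection or plain TCP forward: the TLS handshake is end to end,
        // so the client sees the origin certificate and the pin matches.
        Console.WriteLine("origin accepted: " +
            validate(sender, origin, null, SslPolicyErrors.None));

        // Proxy that terminates TLS: the client sees the proxy's certificate instead.
        // The callback returns false even though the chain itself reports no errors,
        // and SslStream.AuthenticateAsClient then throws the exception quoted above.
        Console.WriteLine("edge accepted:   " +
            validate(sender, edge, null, SslPolicyErrors.None));
    }
}
```

Disabling or loosening such a callback to make the connection succeed would remove the client's only check that it is talking to the intended server.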