{"id":48632739,"url":"https://github.com/boratanrikulu/gecit","last_synced_at":"2026-04-12T09:01:40.457Z","repository":{"id":349355176,"uuid":"1201969417","full_name":"boratanrikulu/gecit","owner":"boratanrikulu","description":"DPI bypass tool - eBPF on Linux, TUN on macOS/Windows.","archived":false,"fork":false,"pushed_at":"2026-04-07T10:43:14.000Z","size":1063,"stargazers_count":152,"open_issues_count":1,"forks_count":5,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-10T07:01:23.834Z","etag":null,"topics":["censorship","censorship-circumvention","dpi","dpi-bypass","ebpf","linux","macos","networking","sock-ops","tcp","windows"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/boratanrikulu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-05T12:18:05.000Z","updated_at":"2026-04-10T02:19:12.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/boratanrikulu/gecit","commit_stats":null,"previous_names":["boratanrikulu/gecit"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/boratanrikulu/gecit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boratanrikulu%2Fgecit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boratanrikulu%2Fgecit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boratanrikulu%2Fgecit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boratanrikulu%2Fgecit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/boratanrikulu","download_url":"https://codeload.github.com/boratanrikulu/gecit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boratanrikulu%2Fgecit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31673067,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-10T17:19:37.612Z","status":"online","status_checked_at":"2026-04-11T02:00:05.776Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["censorship","censorship-circumvention","dpi","dpi-bypass","ebpf","linux","macos","networking","sock-ops","tcp","windows"],"created_at":"2026-04-09T06:01:52.220Z","updated_at":"2026-04-11T08:01:11.179Z","avatar_url":"https://github.com/boratanrikulu.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gecit\n\nDPI bypass tool. Injects fake TLS ClientHello packets to desynchronize Deep Packet Inspection middleboxes. Includes built-in DoH DNS resolver.\n\n**Linux**: eBPF sock_ops — hooks directly into the kernel TCP stack. No proxy, no traffic redirection. \n**macOS/Windows**: TUN-based transparent proxy — intercepts all traffic at the IP layer via a virtual network interface.\n\n```\nsudo gecit run\n```\n\n\u003e **Disclaimer**: This project is for educational and research purposes only. gecit demonstrates eBPF and network programming capabilities in the context of TLS protocol analysis. It does NOT hide your IP address, encrypt your traffic, or provide anonymity. Use is entirely at your own risk. Users are responsible for complying with all applicable laws in their jurisdiction.\n\n## How it works\n\n```\nApp connects to target:443\n ↓\ngecit intercepts the connection\n Linux: eBPF sock_ops fires (inside kernel, before app sends data)\n macOS/Windows: TUN device captures packet, gVisor netstack terminates TCP\n ↓\nFake ClientHello with SNI \"www.google.com\" sent with low TTL\n ↓\nFake reaches DPI → DPI records \"google.com\" → allows connection\nFake expires before server (low TTL) → server never sees it\n ↓\nReal ClientHello passes through → DPI already desynchronized\n```\n\nSome ISPs inspect the TLS ClientHello SNI field to identify and block specific domains. gecit sends a fake ClientHello with a different SNI (`www.google.com`) and a low TTL before the real one. The DPI processes the fake and lets the connection through. The fake packet expires before reaching the server due to its low TTL.\n\nAdditionally, some ISPs poison DNS responses. gecit includes a built-in DoH (DNS-over-HTTPS) server that resolves domains through encrypted HTTPS, bypassing DNS-level blocking.\n\n## Installation\n\n### Pre-built binaries\n\nDownload from [releases](https://github.com/boratanrikulu/gecit/releases):\n\n```bash\n# Linux (amd64)\ncurl -L https://github.com/boratanrikulu/gecit/releases/latest/download/gecit-linux-amd64 -o gecit\nchmod +x gecit\nsudo ./gecit run\n\n# Linux (arm64)\ncurl -L https://github.com/boratanrikulu/gecit/releases/latest/download/gecit-linux-arm64 -o gecit\nchmod +x gecit\nsudo ./gecit run\n\n# macOS (Apple Silicon)\ncurl -L https://github.com/boratanrikulu/gecit/releases/latest/download/gecit-darwin-arm64 -o gecit\nchmod +x gecit\nsudo ./gecit run\n\n# macOS (Intel)\ncurl -L https://github.com/boratanrikulu/gecit/releases/latest/download/gecit-darwin-amd64 -o gecit\nchmod +x gecit\nsudo ./gecit run\n\n# Windows (amd64) — requires Npcap (npcap.com)\ncurl -L https://github.com/boratanrikulu/gecit/releases/latest/download/gecit-windows-amd64.exe -o gecit.exe\ngecit.exe run\n```\n\n### Building from source\n\nRequires Go 1.24+. Linux builds need kernel 5.10+, clang, and llvm-strip for BPF compilation. Windows builds need [Npcap SDK](https://npcap.com/guide/npcap-devguide.html).\n\n```bash\ngit clone https://github.com/boratanrikulu/gecit.git\ncd gecit\n\nmake gecit-linux-amd64 # Linux x86_64\nmake gecit-linux-arm64 # Linux ARM64\nmake gecit-darwin-arm64 # macOS Apple Silicon\nmake gecit-darwin-amd64 # macOS Intel\nmake gecit-windows-amd64 # Windows x86_64 (requires Npcap SDK)\n\nsudo ./bin/gecit-linux-arm64 run\n```\n\ngecit sets up everything automatically:\n- **DoH DNS server** on `127.0.0.1:53` (bypasses DNS poisoning)\n- **System DNS** pointed to the local DoH server\n- **Linux**: eBPF program attached to cgroup (fake injection + MSS fragmentation)\n- **macOS/Windows**: TUN virtual interface with automatic routing (all apps intercepted)\n\nPress `Ctrl+C` to stop — everything is restored (DNS, routes, BPF programs). Windows requires [Npcap](https://npcap.com) for full DPI bypass support.\n\nIf gecit crashes, run `sudo gecit cleanup` to restore system settings.\n\n## Usage\n\n```bash\n# Default settings (TTL=8, DoH via Cloudflare 1.1.1.1)\nsudo gecit run\n\n# Custom TTL (adjust based on hop count to DPI)\nsudo gecit run --fake-ttl 12\n\n# Custom DoH upstream\nsudo gecit run --doh https://8.8.8.8/dns-query\n\n# Check system capabilities\nsudo gecit status\n\n# Restore system settings after a crash\nsudo gecit cleanup\n```\n\n### CLI flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--fake-ttl` | `8` | TTL for fake packets (must reach DPI but expire before server) |\n| `--doh` | `https://1.1.1.1/dns-query` | DoH upstream URL |\n| `--mss` | `40` | TCP MSS for ClientHello fragmentation (Linux) |\n| `--ports` | `443` | Target destination ports |\n| `--interface` | auto | Network interface |\n| `-v` | off | Verbose/debug logging |\n\n### Finding the right TTL\n\nThe fake packet TTL must be high enough to reach the DPI (typically 2-4 hops) but low enough to expire before the server (typically 10+ hops).\n\n```bash\ntraceroute -n target.com\n```\n\nThe DPI is usually at the first few ISP hops. Default TTL=8 works for most networks.\n\n## Platform differences\n\n| | Linux | macOS | Windows |\n|---|---|---|---|\n| **Engine** | eBPF sock_ops | TUN + gVisor netstack | TUN + gVisor netstack |\n| **Connection detection** | BPF perf events | TUN packet interception | TUN packet interception |\n| **Fake injection** | Raw socket | Raw socket | Raw socket via Npcap |\n| **DNS bypass** | DoH + `/etc/resolv.conf` | DoH + `networksetup` | DoH + `netsh` |\n| **App configuration** | None needed | None needed (all apps via TUN) | None needed (all apps via TUN) |\n| **Root required** | Yes (`CAP_BPF`) | Yes (TUN + raw socket) | Yes (Administrator) |\n\n## FAQ\n\n**Does this hide my IP address?**\nNo. Your ISP can still see which IP addresses you connect to. gecit only prevents the ISP from reading the domain name (SNI) in the TLS handshake.\n\n**Does this work against all DPI?**\nIt works against DPI systems that inspect individual TCP segments without full reassembly. More sophisticated systems (like those used in China) may detect and block this technique.\n\n**Is this a VPN?**\nNo. There is no tunnel, no encryption of traffic, and no remote server involved. gecit operates entirely locally. On macOS/Windows, it uses a TUN interface (similar to VPN plumbing) but traffic goes directly to the internet — no remote server.\n\n**Why eBPF on Linux?**\neBPF hooks into the kernel's TCP stack synchronously — the fake packet is sent before the application can write any data. This guarantees correct ordering without needing a proxy or packet interception. Only the handshake touches userspace; data flows through the kernel at full speed.\n\n**Why TUN on macOS/Windows?**\nThese platforms don't expose kernel-level hooks like eBPF. A TUN virtual interface intercepts all traffic at the IP layer, providing the same coverage as eBPF but with traffic flowing through userspace.\n\n## Architecture\n\n### Linux (eBPF)\n\n```\n┌──────────┐ ┌────────────────────┐ ┌────────────┐\n│ eBPF │──\u003e│ Perf Event Buffer │──\u003e│ Go │\n│ sock_ops │ │ (conn details) │ │ goroutine │\n│ │ └────────────────────┘ │ │\n│ Sets MSS │ │ Sends fake │\n│ per-conn │ │ via raw │\n│ │ │ socket │\n└──────────┘ └────────────┘\n │ │\n ▼ ▼\n┌────────────────────────────────────────────────────┐\n│ Linux Kernel TCP Stack │\n│ (fragments ClientHello due to small MSS) │\n└────────────────────────────────────────────────────┘\n```\n\n### macOS/Windows (TUN)\n\n```\n┌──────────┐ ┌────────────────────┐ ┌────────────┐\n│ App │──\u003e│ TUN device │──\u003e│ gVisor │\n│ connects │ │ (utun on macOS) │ │ netstack │\n│ to :443 │ └────────────────────┘ │ terminates │\n│ │ │ TCP │\n└──────────┘ └────────────┘\n │\n ▼\n ┌────────────┐\n │ gecit │\n │ handler │\n │ │\n │ 1. Dial │\n │ server │\n │ 2. Inject │\n │ fake │\n │ 3. Forward │\n │ real │\n │ 4. Pipe │\n └────────────┘\n```\n\n## Roadmap\n\n- [x] Linux — eBPF sock_ops\n- [x] macOS — TUN transparent proxy\n- [x] DoH DNS resolver\n- [x] Windows — TUN transparent proxy\n- [ ] Auto-TTL detection (traceroute to find DPI hop count)\n- [ ] ECH (Encrypted Client Hello) support\n\n## License\n\nGPL-3.0. See [LICENSE](LICENSE).\n\nCopyright (c) 2026 Bora Tanrikulu \\\u003cme@bora.sh\\\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboratanrikulu%2Fgecit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fboratanrikulu%2Fgecit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboratanrikulu%2Fgecit/lists"}