{"id":48797107,"url":"https://github.com/therealaleph/sni-spoofing-rust","last_synced_at":"2026-04-20T02:00:47.095Z","repository":{"id":351176925,"uuid":"1209904048","full_name":"therealaleph/sni-spoofing-rust","owner":"therealaleph","description":"DPI bypass via fake TLS ClientHello injection with wrong TCP sequence number. Rust port of @patterniha's SNI-Spoofing. Linux, macOS, Windows. Works with v2ray/xray VLESS configs behind Cloudflare.","archived":false,"fork":false,"pushed_at":"2026-04-18T18:17:31.000Z","size":42,"stargazers_count":262,"open_issues_count":3,"forks_count":28,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-19T01:02:15.678Z","etag":null,"topics":["censorship-circumvention","cloudflare","dpi-bypass","proxy","rust","sni-spoofing","tcp","v2ray","vless","xray"],"latest_commit_sha":null,"homepage":"https://github.com/therealaleph/sni-spoofing-rust#setup-guide","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealaleph.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-13T22:39:41.000Z","updated_at":"2026-04-18T23:01:34.000Z","dependencies_parsed_at":null,"dependency_job_id":"6f749031-eb12-4498-a182-a8dd53204d04","html_url":"https://github.com/therealaleph/sni-spoofing-rust","commit_stats":null,"previous_names":["therealaleph/sni-spoofing-rust"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/therealaleph/sni-spoofing-rust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealaleph%2Fsni-spoofing-rust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealaleph%2Fsni-spoofing-rust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealaleph%2Fsni-spoofing-rust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealaleph%2Fsni-spoofing-rust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealaleph","download_url":"https://codeload.github.com/therealaleph/sni-spoofing-rust/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealaleph%2Fsni-spoofing-rust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32029857,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-20T00:18:06.643Z","status":"online","status_checked_at":"2026-04-20T02:00:06.527Z","response_time":94,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["censorship-circumvention","cloudflare","dpi-bypass","proxy","rust","sni-spoofing","tcp","v2ray","vless","xray"],"created_at":"2026-04-14T00:06:03.784Z","updated_at":"2026-04-20T02:00:47.025Z","avatar_url":"https://github.com/therealaleph.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sni-spoof-rs\n\nRust implementation of [patterniha's SNI-Spoofing](https://github.com/patterniha/SNI-Spoofing) DPI bypass technique. All credit for the original idea and method goes to [@patterniha](https://github.com/patterniha).\n\nA TCP forwarder that injects a fake TLS ClientHello with an intentionally wrong TCP sequence number right after the 3-way handshake. Stateful DPI reads the fake SNI and whitelists the flow. The real server drops the packet (out-of-window seq). Real traffic then passes through undetected.\n\n**[English Guide](#setup-guide)** | **[Persian Guide](#%D8%B1%D8%A7%D9%87%D9%86%D9%85%D8%A7%DB%8C-%D9%81%D8%A7%D8%B1%D8%B3%DB%8C)**\n\n## Platforms\n\n- **Linux** -- AF_PACKET raw sockets. Requires root or `CAP_NET_RAW`.\n- **macOS** -- BPF device. Requires root.\n- **Windows** -- WinDivert driver. Requires Administrator.\n\n## Build\n\n```\ncargo build --release\n```\n\nPre-built binaries for Linux (amd64/arm64), macOS (amd64/arm64), and Windows (amd64) are available on the [releases](https://github.com/therealaleph/sni-spoofing-rust/releases) page.\n\n## Setup Guide\n\nThis tool works with VLESS/VMess configs that go through Cloudflare (CDN-based configs). Your server must be behind Cloudflare.\n\n### Step 1: Find your server's Cloudflare IP\n\nYour v2ray/xray config has a server address (a domain like `myserver.example.com`). Resolve it to get the IP:\n\n```\nnslookup myserver.example.com\n```\n\nYou should get a Cloudflare IP (usually starts with `104.`, `172.67.`, `141.101.`, etc).\n\n### Step 2: Create config.json\n\n```json\n{\n  \"listeners\": [\n    {\n      \"listen\": \"0.0.0.0:40443\",\n      \"connect\": \"CLOUDFLARE_IP:443\",\n      \"fake_sni\": \"security.vercel.com\"\n    }\n  ]\n}\n```\n\nReplace `CLOUDFLARE_IP` with the IP from step 1. The `fake_sni` can be any domain that is allowed by your DPI (a well-known site behind Cloudflare works best).\n\n| Field | Description |\n|---|---|\n| `listen` | Local address and port to listen on |\n| `connect` | Cloudflare IP and port (must be an IP, not a hostname) |\n| `fake_sni` | SNI for the fake ClientHello (max 219 bytes) |\n\nMultiple listeners are supported -- each maps to one upstream.\n\n### Step 3: Edit your v2ray/xray config\n\nIn your VLESS/VMess client config, change:\n\n- **Address**: from `myserver.example.com` (or its IP) to `127.0.0.1`\n- **Port**: to the `listen` port from config.json (e.g. `40443`)\n- **Keep everything else the same** (SNI, host, path, UUID, etc.)\n\nExample -- if your original config has:\n```\naddress: myserver.example.com\nport: 443\n```\n\nChange it to:\n```\naddress: 127.0.0.1\nport: 40443\n```\n\nThe tool sits between your v2ray client and the server. Your client connects to the tool, the tool handles the DPI bypass, and forwards traffic to Cloudflare.\n\n### Step 4: Run\n\n```\n# Linux/macOS\nsudo ./sni-spoof-rs config.json\n\n# Windows (run as Administrator)\nsni-spoof-rs.exe config.json\n```\n\n**Windows note:** The Windows download is a zip containing `sni-spoof-rs.exe` and `WinDivert64.sys`. Keep both files in the same folder. The `.sys` file is the kernel driver that WinDivert needs to intercept packets.\n\nThen connect with your v2ray/xray client as usual.\n\n### Logging\n\nThe default log level is `warn` -- the tool runs silent unless something goes wrong. No connection metadata is logged by default.\n\nSet `RUST_LOG` for verbosity when debugging:\n\n```\nsudo RUST_LOG=info ./sni-spoof-rs config.json\nsudo RUST_LOG=debug ./sni-spoof-rs config.json\n```\n\n## How it works\n\n1. Client connects to the listener, tool dials the upstream, kernel does the TCP 3-way handshake normally.\n2. A raw packet sniffer captures the outbound SYN (records ISN) and the 3rd-handshake ACK.\n3. After the 3rd ACK, a fake TLS ClientHello is injected with `seq = ISN + 1 - len(fake)`. This sequence number is before the server's receive window.\n4. DPI parses the fake packet, sees an allowed SNI, and whitelists the connection.\n5. The server drops the fake packet (out-of-window).\n6. Tool waits for the server's ACK with `ack == ISN + 1` confirming the fake was ignored.\n7. Bidirectional relay starts. The real TLS handshake and all subsequent traffic flow normally.\n\n---\n\n## راهنمای فارسی\n\nاین ابزار با کانفیگ‌های VLESS/VMess که از Cloudflare عبور می‌کنند کار می‌کند. سرور شما باید پشت Cloudflare باشد.\n\n### مرحله ۱: پیدا کردن IP کلادفلر سرور\n\nآدرس سرور در کانفیگ v2ray شما یک دامنه است (مثل `myserver.example.com`). IP آن را پیدا کنید:\n\n```\nnslookup myserver.example.com\n```\n\nباید یک IP کلادفلر بگیرید (معمولا با `104.`، `172.67.`، `141.101.` شروع می‌شود).\n\n### مرحله ۲: ساخت config.json\n\n```json\n{\n  \"listeners\": [\n    {\n      \"listen\": \"0.0.0.0:40443\",\n      \"connect\": \"IP_CLOUDFLARE:443\",\n      \"fake_sni\": \"security.vercel.com\"\n    }\n  ]\n}\n```\n\nبه جای `IP_CLOUDFLARE` آی‌پی مرحله ۱ را بگذارید. مقدار `fake_sni` می‌تواند هر دامنه‌ای باشد که فیلتر نیست (یک سایت معروف پشت کلادفلر بهتر جواب می‌دهد).\n\n### مرحله ۳: تغییر کانفیگ v2ray/xray\n\nدر کانفیگ VLESS/VMess خود این تغییرات را بدهید:\n\n- **آدرس (address)**: عوض کنید به `127.0.0.1`\n- **پورت (port)**: عوض کنید به پورت listen از config.json (مثلا `40443`)\n- **بقیه تنظیمات را دست نزنید** (SNI، host، path، UUID و غیره)\n\nمثال -- اگر کانفیگ اصلی شما اینطوری است:\n```\naddress: myserver.example.com\nport: 443\n```\n\nتغییر دهید به:\n```\naddress: 127.0.0.1\nport: 40443\n```\n\n### مرحله ۴: اجرا\n\n```\n# لینوکس/مک\nsudo ./sni-spoof-rs config.json\n\n# ویندوز (با دسترسی Administrator اجرا کنید)\nsni-spoof-rs.exe config.json\n```\n\n**نکته ویندوز:** فایل دانلودی ویندوز یک zip است که شامل `sni-spoof-rs.exe` و `WinDivert64.sys` می‌باشد. هر دو فایل باید در یک پوشه باشند. فایل `.sys` درایور کرنل WinDivert است که برای رهگیری پکت‌ها لازم است.\n\nبعد از اجرا، کلاینت v2ray/xray خود را مثل همیشه وصل کنید.\n\n### دانلود\n\nفایل‌های اجرایی آماده برای لینوکس، مک و ویندوز از صفحه [releases](https://github.com/therealaleph/sni-spoofing-rust/releases) قابل دانلود هستند.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealaleph%2Fsni-spoofing-rust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealaleph%2Fsni-spoofing-rust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealaleph%2Fsni-spoofing-rust/lists"}