Doxx/Darkflare: DarkFlare TCPoCDN (TCP over CDN)

You could straight up connect to the destination (over TCP) from Cloudflare without needing relays; a project I wrote demonstrates TCP over HTTP (for Deno Deploy) and TCP over WebSockets (for Workers): <a href="https:&#x2F;&#x2F;github.com&#x2F;serverless-proxy&#x2F;serverless-proxy">https:&#x2F;&#x2F;github.com&#x2F;serverless-proxy&#x2F;serverless-proxy</a><p>Proxying projects utilising HTTP&#x2F;TLS are popular in the anti-censorship community (discussion board: <a href="https:&#x2F;&#x2F;github.com&#x2F;net4people&#x2F;bbs">https:&#x2F;&#x2F;github.com&#x2F;net4people&#x2F;bbs</a>) and there are many variants of it; ex:<p>- KCP (over UDP): <a href="https:&#x2F;&#x2F;github.com&#x2F;xtaci&#x2F;kcp-go">https:&#x2F;&#x2F;github.com&#x2F;xtaci&#x2F;kcp-go</a><p>- Bepass: <a href="https:&#x2F;&#x2F;github.com&#x2F;bepass-org&#x2F;bepass-worker">https:&#x2F;&#x2F;github.com&#x2F;bepass-org&#x2F;bepass-worker</a>

&gt; Services like Cloudflare, Akamai Technologies, Fastly, and Amazon CloudFront ... support millions of websites across critical sectors, including government and healthcare, making them indispensable<p>The author is pretty naive. There is a reason why Google was left out of the list, in the 2010s people argue &quot;Google is too important and China never dare to block it&quot; then google&#x27;s whole IP range is blocked.<p>Amazon Cloudfront, Akmai, Fastly are also (partially) blocked and barely working.<p>IMHO cleve tricks like &quot;domain fronting&quot; is just freebooting

There seems another way to achieve this, using Cloudflare&#x27;s own cloudflared tunnel.<p>Install a cloudflared tunnel on your remote server, configure it to forward traffic to that server&#x27;s hosts proxy server(maybe Shadowsocks) using Zero Trust dashboard, and run the following command on your local computer:<p>cloudflared access tcp --hostname some.your-domain.tld --url localhost:8080<p>Then localhost:8080&#x27;s traffic will be forwarded to cloudflareds&#x27; host, the whole traffic is using HTTP2 so might look legitimate to Firewall.<p>For example if using Shadowsocks on server, your Shadowsocks&#x27;s local client can connect to localhost:8080 as server to forward traffic.

I made a similar thing once to relay UDP traffic over WebSocket and it supports Cloudflare if needed: <a href="https:&#x2F;&#x2F;github.com&#x2F;ameshkov&#x2F;udptlspipe">https:&#x2F;&#x2F;github.com&#x2F;ameshkov&#x2F;udptlspipe</a><p>The use case is to relay WireGuard over TCP&#x2F;CF in a restrictive network, confirmed to work in China, obviously not too fast.

chisel is a similar tool in this space <a href="https:&#x2F;&#x2F;github.com&#x2F;jpillora&#x2F;chisel">https:&#x2F;&#x2F;github.com&#x2F;jpillora&#x2F;chisel</a><p>I don’t get why headers and requests need to be spoofed if all traffic is over https?

&gt;&quot;Why CDNs?<p>Services like Cloudflare, Akamai Technologies, Fastly, and Amazon CloudFront are not only widely accessible but also integral to the global internet infrastructure. In regions with restrictive networks, alternatives such as CDNetworks in Russia, ArvanCloud in Iran, or ChinaCache in China may serve as viable proxies. These CDNs support millions of websites across critical sectors, including government and healthcare, making them indispensable.<p><i>Blocking them risks significant collateral [commercial, commerce] damage, which inadvertently makes them reliable pathways for bypassing restrictions.</i>&quot;<p>(There&#x27;s also TCP&#x2F;IP (Internet) via HAM radio (packet radio) and&#x2F;or StarLink (or more broadly, satellite Internet)...)<p>Observation: If a large enough commercial corporation has an interest relating to commerce (in whatever area), then if that commerce conflicts with a government block (foreign or domestic) of whatever sort, then the large commercial interest, given enought time, will usually (*) win (they can usually hire better Lawyers, foreign or domestic...)<p>(*) But not always...

Is this something like WebTunnel from the Tor Project?<p><a href="https:&#x2F;&#x2F;gitlab.torproject.org&#x2F;tpo&#x2F;anti-censorship&#x2F;pluggable-transports&#x2F;webtunnel" rel="nofollow">https:&#x2F;&#x2F;gitlab.torproject.org&#x2F;tpo&#x2F;anti-censorship&#x2F;pluggable-...</a>

Is there any tool that does the other way around? I simply need an alternative to cloudflared tunnel (<a href="https:&#x2F;&#x2F;blog.cloudflare.com&#x2F;tunnel-for-everyone&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.cloudflare.com&#x2F;tunnel-for-everyone&#x2F;</a>) for exposing localhost port to a public domain that lets me supports anonymous clients. All cloud solutions charge based on users so they unfortunately doesn’t work

How does this differ from tunneling a VPN over something like wstunnel?<p>We&#x27;ve been running that in prod for several years without any issues, also going through cloudflare

Reminds me of how people forward requests through CloudFlare workers as a cheap way to get around IP-based rate limits.