|Project Name||Stars||Downloads||Repos Using This||Packages Using This||Most Recent Commit||Total Releases||Latest Release||Open Issues||License||Language|
|Censortracker||319||16 hours ago||24||mit||HTML|
|Censor Tracker is a censorship circumvention extension for Google Chrome and Mozilla Firefox.|
|Dpitunnel||294||a year ago||8||mit||C|
|DPITunnel is an android app made for censorship bypass|
|A proxy server that helps to bypass the DPI systems implemented by various ISPs.|
|Bebasit||16||a day ago||gpl-3.0||Shell|
|bebasit is a project to bypass deep packet inspection|
|Bypasstouchid||5||a year ago||1|
|Bypass TouchID Lab released under CC BY-NC 4.0 licensing|
|Dpi_killer||2||4 years ago||mit||C#|
|A simple & handy tool combining goodbyedpi & dncrypt_proxy to bypass DPI for HTTPS websites in Iran (For Windows)|
A zero dependency proxy server that helps to bypass the Deep Packet Inspection (DPI) systems implemented by various ISPs.
Although traffic over an HTTPS connection is encrypted, the client and server exchange some information during the initial TLS handshake to negotiate the encryption. In this initial handshake, the client sends the name of the server it is contacting in clear text (ClientHello packet) so that the server knows which certificate to provide. Deep Packet Inspection (DPI) systems can intercept this communication and block the connection. To avoid detection, Demergi fragments and modifies this initial packet.
There are promising solutions to the problem of hiding as much information as possible in the initial handshake of a TLS connection, one being Encrypted Client Hello (ECH). However, until these solutions are fully deployed, tools such as Demergi can be useful as evasion mechanisms.
To learn more about how a TLS connection works, I recommend these excellent resources:
For HTTP traffic, Demergi also modifies the packet header to make interception more difficult, but as the traffic is not encrypted, this should be avoided where possible.
Demergi should not be used as a replacement for a VPN if you are concerned about the consequences of your traffic being detected, as the techniques used are not infallible, but are good enough to access blocked content from your own network without the need for a VPN.
Demergi is an HTTP/HTTPS proxy server designed to be deployed within the network where traffic is being blocked. Either on the device you wish to access the content from or on a network appliance.
Simply deploy it and adjust the proxy settings of your browser or other software to connect through Demergi.
You can install Demergi with npm:
npm install -g demergi
Or directly download the latest version from the releases section.
If you want to install it as a service, you can use the following systemd unit as a reference.
Once installed, you can run it with the
$ demergi --help Usage: demergi [OPTION]... A proxy server that helps to bypass the DPI systems implemented by various ISPs. Proxy: -A, --addrs STR, $DEMERGI_ADDRS The address list separated by commas or spaces to bind the server to ("[::]:8080" by default). -H, --hosts STR, $DEMERGI_HOSTS The host list separated by commas or spaces to apply the evasion techniques, will be applied to all hosts if unspecified (unspecified by default). -W, --workers NUM, $DEMERGI_WORKERS The number of workers (0 by default). --tls-ca STR, $DEMERGI_TLS_CA Path to the TLS certificate bundle used to verify the client identity (unspecified by default). --tls-key STR, $DEMERGI_TLS_KEY Path to the server TLS key (unspecified by default). --tls-cert STR, $DEMERGI_TLS_CERT Path to the server TLS certificate (unspecified by default). --inactivity-timeout NUM, $DEMERGI_INACTIVITY_TIMEOUT Maximum time in ms before the connection is closed due to inactivity (60000 by default). --happy-eyeballs BOOL, $DEMERGI_HAPPY_EYEBALLS Enable Happy Eyeballs algorithm (RFC 8305) (EXPERIMENTAL) (false by default). --happy-eyeballs-timeout NUM, $DEMERGI_HAPPY_EYEBALLS_TIMEOUT Maximum time in ms for IPv6 before trying IPv4 (250 by default). Resolver: --dns-mode STR, $DEMERGI_DNS_MODE The DNS resolver mode, valid values are "plain", "doh" and "dot" ("doh" by default). --dns-cache-size NUM, $DEMERGI_DNS_CACHE_SIZE The maximum number of entries in the DNS cache (100000 by default). --doh-url STR, $DEMERGI_DOH_URL The DoH server URL ("https://184.108.40.206/dns-query" by default). --doh-tls-servername STR, $DEMERGI_DOH_TLS_SERVERNAME The server name to check in the DoH server certificate (unspecified by default). --doh-tls-pin STR, $DEMERGI_DOH_TLS_PIN The pin to check in the DoH server certificate. The pin must be a base64 encoded SHA256 hash of the public key (unspecified by default). --dot-server STR, $DEMERGI_DOT_SERVER The DoT server host and optionally port ("220.127.116.11" by default). --dot-tls-servername STR, $DEMERGI_DOT_TLS_SERVERNAME The server name to check in the DoT server certificate (unspecified by default). --dot-tls-pin STR, $DEMERGI_DOT_TLS_PIN The pin to check in the DoT server certificate. The pin must be a base64 encoded SHA256 hash of the public key (unspecified by default). HTTPS: --https-clienthello-size NUM, $DEMERGI_HTTPS_CLIENTHELLO_SIZE The maximum chunk size in bytes for the ClientHello packet. A less than 1 value disables fragmentation (40 by default). --https-clienthello-tlsv STR, $DEMERGI_HTTPS_CLIENTHELLO_TLSV The TLS protocol version to set in the ClientHello packet, valid values are "1.0", "1.1", "1.2" and "1.3" ("1.3" by default). HTTP: --http-newline-separator STR, $DEMERGI_HTTP_NEWLINE_SEPARATOR The string to use to separate new lines ("\r\n" by default). --http-method-separator STR, $DEMERGI_HTTP_METHOD_SEPARATOR The string to use to separate the HTTP method from the target (" " by default). --http-target-separator STR, $DEMERGI_HTTP_TARGET_SEPARATOR The string to use to separate the target from the HTTP version (" " by default). --http-host-header-separator STR, $DEMERGI_HTTP_HOST_HEADER_SEPARATOR The string to use to separate the host header key from its value (":" by default). --http-mix-host-header-case BOOL, $DEMERGI_HTTP_MIX_HOST_HEADER_CASE Alternate upper and lower case in the host header (true by default). Info: -l, --log-level STR, $DEMERGI_LOG_LEVEL The log level, valid values are "debug", "info", "warn", "error" and "none" ("info" by default). -v, --version Show version and quit. -h, --help Show this help and quit.
Demergi is also distributed in container images. The default behaviour can be changed using environment variables or container arguments.
docker run -p 8080:8080 docker.io/hectorm/demergi:latest
docker run -p 8080:8080 ghcr.io/hectorm/demergi:latest