xeovo

We are finally ready to show you our biggest update yet. This is our first major redesign, bringing many new features, bug fixes, and improvements.

Why redesign?

We want to highlight this question and explain why we did it in the first place.

Our previous design was great: highly experimental and different from competitors on the market. It achieved its goals. However, it had limitations and UI/UX issues that started to pile up over time. That’s why we decided we needed a full redesign. One with a more common layout, but still maintaining our experimental approach.

This is not just a simple redesign, but a strong new foundation for the future. It will allow us to be more flexible and ship better updates and new products. We will miss our old design for sure and we hope you will enjoy the new one.

Block ads and trackers

You now have the option to choose DNS that blocks ads and trackers. This feature is available only for WireGuard, AmneziaWG, and OpenVPN.

To use it, simply open the generator, show the advanced settings, select the "Block Ads & Trackers" option, and download your new configuration files. Improve your browsing experience and reduce tracking from analytics and other trackers today.

For those interested in more details, we use the following block lists:

• pgl.yoyo.org
• adaway.org
• big.oisd.nl

Note: This feature might break some websites.

Improved generators

Everything is now more straightforward and streamlined.

The biggest changes come to the Stealth Proxy Generator. Our previous generator was overcomplicated and difficult to use. We've now found the best way to provide configuration files and will only support clients that allow subscriptions.

The option to generate single configuration files for a specific protocol or country has been removed. Additionally, we've added support for more third-party clients, with plans to test and add even more throughout the year.

Bug Bounty Program

We’ve launched a Bug Bounty Program to make Xeovo even more secure. If you discover a vulnerability, you can now report it and earn a reward. This initiative is part of our ongoing commitment to transparency, community involvement and improving the overall quality of our services.

We will make separate announcement for this one to get more attention is the near future.

New locations

As with every big update, we’re excited to introduce two new server locations:

• 🇧🇷 Brazil, São Paulo
• 🇩🇪 Germany, Falkenstein

Want your location featured in the next update? Let us know in the feedback channel. We will do our best to make it happen.

Status Page 3.0

The new status page will be slightly delayed, but it's almost here.

The major improvements include:

• Seeing all available servers, their status, tags, P2P/Bittorrent support and load

• A new “Service Availability” section that shows which protocols are accessible in countries with heavy internet censorship

These changes should make it easier for users to choose the right protocol and server.

What's next?

First, we want to hear your feedback and find any remaining bugs in the new version. Based on your input, we’ll polish things further.

Next, we’ll re-write all existing guides and re-record all tutorial videos. The new guides will be more in-depth and likely include voice-over commentary.

After that, we’ll move on to even bigger projects that will overshadow this update in the future.

Changelog

Added:

• Brand new design and many new pages
• Block Ads & Trackers DNS (WireGuard and OpenVPN)
• Custom DNS option in generators (WireGuard and OpenVPN)
• Advanced settings for generators
• Mirrors for subscriptions (Stealth Proxies)
• Option to generate random username on sign up
• 2FA support (OTP)
• Option to delete account
• Option to delete tickets
• Option to export data
• More Stealth Proxy clients available (Clash Verge Rev, v2rayA, Karing, Hiddify)
• Status page now shows in which locations we allow P2P/Bittorent
• Status page now shows availability of protocols in countries that block access to VPN's
• New location: Brazil, São Paulo
• New location: Germany, Falkenstein

Removed:

• Support for multiple keys for Stealth Proxies
• Option to select single protocol/country for Stealth Proxies

We’ve just deployed two new servers in ㅤ‎ㅤㅤTirana, Albaniaㅤㅤㅤㅤㅤㅤㅤ 🇦🇱 to start 2025. This new location brings some cool additional benefits. You can find more information here.

If you use WireGuard or OpenVPN, you need to download a new configuration file in the generator. For Stealth Proxies, just update your subscription inside your client of choice.

This year, we might focus on even more exotic and interesting locations like Albania.

This year, we are improving the overview of our transparency report after receiving our first legal request.

Law enforcement and police requests

• Total requests received = 1
• Valid requests received = 1
• Valid requests with data disclosed = 0

---

• Search warrants = 0
• Court orders = 0

Other legal requests

We receive other requests such as DMCA, DDoS, login attempts, spam, port scanning, etc. Due to our strict no-logs policy, we have no data to share and can’t comply with any requests.

How we handle requests?

Our legal department handles all the requests and ensures that they are legit. They do investigate every request, but as we don't store any information, we do not have any data to provide when requested.

Got questions?

Send your email to legal@xeovo.com

Last week, we quietly rolled out an update to our Stealth Proxy infrastructure. We wanted to ensure everything was working smoothly before making an official announcement. Here’s a breakdown of the changes and how the naming system for Stealth Proxy servers works.

How server names work

Here’s how a typical proxy server name is structured:
[Location] - [Optimization Tag] - [Server Type] - [Server Number] - [Domain]

For this explanation, we’ll use Japan as an example.

More complex example:

Key Terms Explained

• Global. The server is available to all users and is not optimized for a specific region.
• Region-Specific. If you see a region code like CN (China) instead of "Global," it means the server is optimized for users in that region. This server won't work if you are not connecting from China.
• If "CDN" is present in the name, it indicates that the server utilizes a Content Delivery Network (CDN). This hides the server’s origin IP address and reduces IP blocks.
• Floating Servers (1-99). Servers numbered 1-99 are considered Floating. These servers can be replaced or removed from the pool at any time, usually when their IP addresses get blocked.
• Fixed Servers (0). Servers with the number 0 are classified as Fixed. These servers offer more stable connectivity and are never replaced, making them ideal for devices like routers that require a consistent configuration. However, since they maintain a fixed IP, they are more susceptible to being blocked.

The introduction of Fixed servers addresses the need for more stable connections, especially for devices that require static configuration.

New Stealth Proxy servers

• 🇱🇹 Lithuania, Kaunas (lt-global1)
• 🇳🇱 Netherlands (nl-global0 and nl-GlobalCDN1)
• 🇳🇴 Norway (no-global0)

During the next year we plan to add more fixed servers.

Our team worked hard to create something special. Not just another community hosted on a big social platform, but a space we can truly call our own. With the Xeovo Hub, we wanted to build a place that feels like home for us and our customers. A place where privacy and security come first, and where we don’t have to rely on the ever-changing rules of other platforms.

Social media today isn’t what it used to be — platforms change, owners change, and before you know it, everything starts falling apart. Your data is sold, your content is monetized, and your posts are used to train AI algorithms with no control over how they're used.

We’ve seen forums rise and fall over the years, with many being overshadowed by platforms like Reddit and Discord. Instead of trying to replace those spaces, we’re just building something for ourselves. Think of it as a return to the old days, but with all the improvements we can make.

What is Hub exactly?

Hub is more than a community. Hub will replace blog, guides and provide a simple way to share feedback. You can propose new ideas, vote on suggestions, and discuss ideas shared by others.

You can also join conversations about privacy, security, and censorship. Additionally, we plan to have content creation for rewards and test out categories like community support.

And maybe exclusive 👀 content that is only available to our customers.

How can I join Xeovo Hub?

To sign up on Hub you need to be connected to our VPN or Stealth Proxy servers. This requirement helps us reduce spam, simplify moderation and bring more meaningful conversations.

Xeovo Hub will remain fully private during this beta phase. Over time, most categories will become publicly accessible, while some will stay private for members only.

Why do I need a separate account for Hub?

For privacy and security reasons we didn't implement sync with your main account and Hub. We think that both accounts should be separated. The account is not required to access the most important categories such as updates, blog and guides.

Hub is also deployed on separated server and sub domain.

Why do I need an email to sign up on Hub?

We would like to have a username only, but there are a couple of reasons why we decided to leave email (for now):

1. Spam prevention. If we decide to make Hub publicly accessible in the future, having an email helps us reduce spam and abuse.
2. Newsletter replacement: Since the Hub will replace our blog, the newsletter will also transition here. This is essential for users who want to receive emails about our updates and changes.

If you wish not to share email with us you can use any temporary email. Or don't sign up at all, because this is not mandatory.

How are feature requests prioritized?

Our team will check and respond to every proposed idea. Most impactful and practical suggestions are prioritized. While community upvotes help identify popular requests they need to align with our goals and available resources.

Will there be custom groups or statuses?

We haven't come up with names, requirements or additional benefits for such users, but this is already possible and planned.

What are the rules?

Rules will be available in the left sidebar once you're logged in. Please take the time to read them carefully and follow them.

Are you looking for mods?

Not at this moment.

What happens to existing blog posts?

All posts will be moved to Hub. If you want to continue to receive newsletters from us, simply open the category you are interested in and hit the "Follow" button. You can subscribe to any category you want.

Why exactly did you launch this instead of X thing?

You might not see (yet) the bigger picture and impact of the Hub, but this will change with time. It will simplify many processes for us and you. To keep it short due to upcoming changes we would be required to deploy and maintain separate docs, blog and feedback system. Instead of this, we are centralizing everything in one place with additional benefits on top.

Hub's design and blog image look different

That's correct. Count it as a small teaser for upcoming updates. New colors are used to make clear difference between our main website and the Hub.

Highly requested support for AmneziaWG is now live. You can now download configuration files that will work in the AmneziaWG clients. As the Russian government becomes increasingly aggressive in its efforts to block VPNs, many of our WireGuard and OpenVPN servers have been affected.

If you're connecting from Russia and find that AmneziaWG doesn't work for you, don't worry — simply switch to Stealth Proxies, which are designed to bypass DPI effectively.
What is AmneziaWG?

In short, AmenziaWG is a fork of WireGuard that adds "Junk" packets. This often makes it hard for DPI systems to detect and block traffic. For a more detailed explanation of how AmneziaWG works, we recommend checking out the official documentation.
How to setup AmneziaWG?

The setup process is the same as the WireGuard that we have in our guides, but you need to download separate configuration files and AmneziaWG clients:

1. Open the WireGuard generator, select AmneziaWG as the client, and download the configuration files.
2. Download and install AmneziaWG on your system:
   >Android
   >Windows
   >MacOS and iOS
   >Routers (only Keenetic is supported at the moment)
   >Linux
3. Add configuration files to AmneziaWG and connect. That's it.

Is it safe to use AmneziaWG?

There are no known security issues and the code is open-sourced. There are also no changes to encryption. AmneziaWG has not passed any 3rd party security audits. Modifying packet headers and adding "junk" data introduces additional processing steps. If these steps are not handled correctly, they could create vulnerabilities or reduce the stability of the connection.

Any known issues with AmneziaWG clients?

So far the only issue we encountered during our testing is that initial connection takes more time than usual. Usually around ₁₅ seconds. We will update this section in case we find out new issues.

Does AmneziaWG work in China or Iran?

Most likely not, because these countries have more advanced filters and will detect and block it. However, you still can try it out and see yourself.

How is the future looking?

Our team is working hard on many things. Priority at this moment is to expand the infrastructure for Stealth Proxies. In a recent couple of weeks, we added 5 new locations to keep up with the demand.

This end of the year is expected to be busy and we hope to deliver more good updates. We usually don't spoil what is in the next update, but the main keyword for the next update is going to be "Hub" or maybe "Space". 👀

---

And message for our customers. Thank you for your support and trust in us. There’s much more to come.

It's that time of year again, and we're happy to share our 2023 transparency report. At our company, we believe in being open, and we'll keep putting out these reports every year. Feel free to check out last year's transparency report.

Law enforcement and police requests

• Search warrants - 0
• Subpoenas - 0
• Court orders - 0

Other legal requests

We receive other requests such as DMCA, DDoS, login attempts, spam, port scanning, etc. Due to our strict no-logs policy, we have no data to share and can’t comply with any requests.

How we handle requests?

Our legal department handles all the requests and ensures that they are legit. They do investigate every request, but as we don't store any information, we do not have any data to provide when requested.

Got questions?

Send your email to legal@xeovo.com

Due to increased stealth proxy usage, our team worked hard on reworking stealth proxies. The main goal was to simplify and improve the experience for all the users.

Subscription first

Instead of downloading each configuration separately we now recommend using a subscription URL. This way you get access to all available protocols and servers we provide.

Additionally, if we add or remove protocols and servers they will get updated automatically, which comes super handy for regular user! You don't need to visit proxy generator for each update.

You can still generate configuration files for specific location/protocol in case your client (for example Outline) does not support subscriptions.

New guides

Stealth proxies are more complicated compared to common VPN protocols and usually raise more questions. That's why we added different categories to cover all frequently asked questions. We recommend reading them before you start using stealth proxies.

Every guide is now focused on a specific OS and client to simplify things.

Notice that guides are still a work in progress and videos are missing, but we will eventually add them. If you have any suggestions regarding guides please contact us through email or create a new ticket.

You only need one key

Now one key covers all protocols and locations there is no need to generate a new key for each device/location as before. This made sense in the past because each key could be assigned only to a specific country.

In the future, we most likely re-design the page and leave only one key available with a reset option to simplify setup. You can still have 5 active connections per account just like before.

Old keys

If your keys are older than 2 weeks you need to generate a new key to get access to all the new features. If your key view has a default view with "URL List / All Protocols" selected it means that your key is up-to-date and you don't need to generate a new one.

Protocols change

We removed support for VLESS (XTLS) due incompatibility with most clients and low usage. To balance this change we decided to add support for Trojan (WS+TLS).

New proxy locations:

• France, Paris
• Luxembourg, Roost
• Poland, Warsaw
• USA, Las Vegas
• USA, New York

Remember that available locations for proxies are not permanent and might be removed/replaced anytime. This usually happens, because our IP ranges get blocked.

Future plans

At the moment we are testing new protocol "VLESS + XTLS-Reality". At this stage we think it's too early to implement it and it needs to mature more before we can use it in production.

We plan to test more clients and add subscription support for Surge, sing-box, Surfboard, Stash, Quantumult X, Loon and Pharos. However this will depend how much requests we get from our customers.

We will keep expanding our network for both VPN and stealth proxies. New locations will be available before 2024.

Try it out today!

Even if you are already familiar with stealth proxies we recommend checking out our new guides and trying out subscriptions.

♥️ A heartfelt thank you goes out to our customers for their invaluable feedback. It helped a lot to shape the stealth proxies we have today.

---

Changelog:
Add Shadowrocket subscription
Add flags for Clash and Shadowrocket subscriptions
Add global key support with all locations/protocols
Add possibility to select specific country/protocol
Limit keys from 10 to 3
Improve stealth proxy performance
Remove support for VLESS (XTLS)
Add support for Trojan (WS+TLS)
Rewrite guides for stealth proxies
Add .onion mirror for the website
Improve fallback for proxies

What is Tor?

Tor is free, open-source software for anonymous communication. When you connect to the internet via Tor, your internet traffic is routed through a worldwide network of volunteer relays, protecting your privacy and keeping your online activities private.

Developed in the 1990s, Tor is now a global tool for anonymous internet browsing. It's often utilized by journalists and activists in repressive environments. To access special sites, known as onion sites, you'll need the Tor Browser installed on your device.

Why use Tor?

We introduced Tor mirror mainly to help people access our website if it gets blocked in your country. Additionally routing your traffic through Tor makes it challenging for anyone to trace your connection and identify that you are using our services.

How to access our Tor mirror?

1. Download and install the Tor Browser from the official website.
2. Launch the Tor Browser and ensure your connection is established.
3. Visit our .onion Tor mirror by typing in the following address:

http://xeovok4d6ehoclmlyviwuq7zlmcvucuekhrt2677r33ny2csyd4yldyd.onion

It's that time of year again - we are excited to share our transparency report for 2022 with you. At our company, we believe in the importance of transparency and will continue to publish these reports annually. You can read the transparency report for the previous year here.

Law enforcement and police requests

Search warrants - 0
Subpoenas - 0
Court orders - 0

Other legal requests

We receive other requests such as DMCA, DDoS, login attempts, spam, port scanning, etc. Due to our strict no-logs policy, we have no data to share and can’t comply with any requests.

How we handle requests?

Our legal department handles all the requests and ensures that they are legit. They do investigate every request, but as we don't store any information, we do not have any data to provide when requested.

Got questions?

Send your email to legal@xeovo.com

During this year we focused on improving existing server locations. However we are introducing new ones. Enjoy new locations!

New VPN servers:

🇳🇴 Norway, Sandefjord
🇨🇭 Switzerland, Zurich

New stealth proxy servers:

🇱🇻 Latvia, Riga
🇯🇵 Japan, Tokyo (for CN)
🇸🇬 Singapore (for CN)

Stealth proxies updates

It's been almost a year since we introduced stealth proxies. This year, we faced several new challenges and have primarily focused on improving the experience and availability for all users.

Stability and location availability

Stealth proxies will always have locations that are subject to change. This means that we may remove any server at any time and potentially replace it with a new one or remove it altogether.

Reason for this is that our hosting providers get blocked by countries, or does not meet our requirements anymore. Please remember the following:

• Do not expect the same stability as on our VPN servers
• Prepare to download new configuration files often
• Follow our status page for important updates and changes
• ocations are not permanent and could be removed/replaced

Update for users from China:

Previously, GFW was blocking our IPs every 1-2 weeks, but we have found a solution that significantly reduces detections and blocks. However, this solution does come with a small drawback, as only the following protocols are now available:

• VLESS (WS+TLS)
• VMess (WS+TLS)

In the future, we will remove other protocols from the generator for users who select CN optimized locations.

If you are connecting from China, we recommend selecting South Korea as your primary choice, with fallback options being Japan, Singapore, and Romania.

Update for users from Iran:

You might need to make small tweaks in configuration files to make stealth proxies work, but usually they work without any changes.

• Connect directly through IP, instead of domain name
• Use alternative ports 36083, 49681, 23179, 31136 or 15047
• Modify uTLS settings in your proxy client
• Do not use Shadowsocks, because it does not work in Iran anymore
• Do not use CN optimized locations

Update for users from Uzbekistan:

We have received reports that our WireGuard and OpenVPN servers are no longer working in Uzbekistan. At this time, the only solution is to switch to stealth proxies and we recommend using Shadowsocks.

Update for users from Turkemenistan:

Previously, only one location was available for users in Turkmenistan, but it eventually got blocked. Most ASNs are blocked in Turkmenistan and we have been unable to find hosting providers that will work. If you know of any providers that are not blocked in Turkmenistan, please let us know by emailing us at support@xeovo.com.

Update for users from Russia:

Currently, you don't need to use stealth proxies. WireGuard and OpenVPN are still working. However, you should be prepared to switch to stealth proxies at any time.
What's next?

In the coming year, we will focus on improving stealth proxies and addressing communication issues between all regions. We may also introduce separate channels for users in China, Iran, Uzbekistan, Turkmenistan and Russia to provide more frequent updates.

We want to take a moment to thank all our customers for their support throughout the year. As we move into the new year, we wish you all a happy, healthy, and successful 2023.

Thank you again for choosing us, and we look forward to continuing to serve you in the coming year.

You've got questions, we've got answers. During the summer we had an online survey, that helped us to stay on the right track and get to know our customers better. We also wanted to see, if people have any questions for us and we got plenty of them!

In this blog post, we cover most of your questions. We rephrased some of them and removed similar ones.

Could you announce more often the new features that are coming?

We don't announce new features in case we don't deliver them in time. Less pressure, no artificial deadlines and we won't upset anyone.

Are you planning to add tutorials for Mikrotik routers

Yes. We will add new section and include other router models as well.

Do you consider countermeasures in case Xeovo gets blocked in Russia?

Yes. We have already shipped stealth proxy protocols for this reason. As a bonus, we will deploy mirrors, in case our domain gets blocked.

Why V2Ray is not available on all servers?‌‌

Stealth proxy servers have more requirements compared to VPN servers. We have to find niche local hosting providers, which are less known to the public. On top of that, we have to keep in mind that locations should fit users who need stealth proxies.

This means that we try to find servers close to the countries which use DPI. That way we can ensure that users have good routing, stable connection, and low ping.
Why OpenVPN has lower latency compared to Wireguard?

You most likely did not connect to the same server/country during the test. If there is a latency difference it should be minuscule between OpenVPN and WireGuard.

I am a developer myself and wonder why did Xeovo team decide to make a VPN?‌‌

We started VPN, because our team shares similar vision and goals. We wanted to make a product, which will help people in countries with heavy censorship and the rest is history.

Are there plans to add more locations? I am mainly interested in the next locations Russia and Ukraine.‌‌

Russia definitely no. We get this question asked quite often. We won't have any presence in Russia due to their current regime, anti-privacy laws and sanctions. Period.

Ukraine is already on the wishlist and we will consider adding it in the future.

Can you add protocols like Outline VPN and IKEv2?‌‌

First of all Outline is not a protocol. It is a proxy client compatible with Shadowsocks. You can simply copy our Shadowsocks link to the Outline client and it will work. Keep in mind that Outline is made by Google. We don't endorse Google products.

We won't add IKEv2 or any other new protocol at the moment.

Is V2Ray safe?

V2Ray has not undergone proper degrees of security auditing. Use it only if WireGuard/OpenVPN is not working in your country.

Will you continue improving the stealth proxy project?

Yes! Recently we made many improvements and improved the experience for users from China and Iran.

Plans to ditch Cloudflare as a proxy?

Yes we would like to do that eventually, but we are not ready yet. Mainly, because of great DDoS protection. Cloudflare also makes our website accessible in some countries which block VPN websites but don't dare to block Cloudflare (yet).

Plans to make an official client?

Yes, but we don't just want to wrap WireGuard/OpenVPN and call it a day. We want to bring additional functionality on top and add stealth proxies support. At this moment we are in the research phase.

Plans to add more locations?

Yes. Expect new locations and the end of the year. This time we might introduce fewer new locations because we want to take a step back to improve already existing locations.

Please make it possible to add Windows applications to VPN exceptions.

This is only possible if you use Shadowsock's official client for Windows. This feature will be available if we make our custom client.

Can you add SOCKS5 proxy to support Android devices using NetGuard?

Unfortunately, we don't have plans to add SOCKS5 support at the moment.

Will you add a payment method for users from Russia?

We don't think that will be possible. Users from Russia can pay with cryptocurrencies or check alternative payment methods here.

Will the energy crisis in the EU affect your services and pricing?

No. Everything will remain the same.

---

Did no find an answer to your question? Feel free to contact us at support@xeovo.com or submit a new ticket.

We're kicking off the new year by introducing censorship resistant proxy protocols Shadowsocks, VLESS, VMess and TrojanGFW.

Recent studies and news show that internet censorship grows aggressively and more countries start using DPI (Deep Packet Inspection), which allows to detect and block major VPN protocols.

That's why we added stealth proxies to protect our customers who one day might never be able to use OpenVPN and WireGuard.

Stealth proxies will give us access to the new markets where VPN providers are not working or decided to stop operating. Our team worked hard to make this update happen and will keep stealth proxies alive.

So many protocols! Which one to pick?

➞ Shadowsocks is SOCKS5 with encryption and well battle-tested. Initially, it was made to bypass the Chinese Great Firewall. However, the Chinese government has managed to block it. At this moment, this is the best option for people outside China.

➞ Additionally you can use Shadowsocks + V2ray. This plugin obfuscates the traffic packets and makes inspection more difficult. This method might work in China.

➞ VMess is a stateless protocol that transfers data directly between the client and the server without handshaking. Recommended for users in China.

➞ VLESS is an improved version of VMess. It supports TLS encapsulation. Also recommended for users in China.

➞ TrojanGFW is a newer protocol designed to act like HTTPS. Trojan features multiple protocols over TLS to avoid both active/passive detections and ISP QoS limitations. Highly recommended for users from China.

Is it safe to use?

All protocols are open source and actively maintained by the community, but none of them has any security audits. Clients are not audited either. The only exception is Outline client made by Google, which was audited by Radically Open Security (we don't endorse Google products).

❗ At this point, we recommend using stealth proxies only with well-maintained clients (which we recommend in our guides) and if WireGuard and OpenVPN are blocked in your country.

New locations

With this update, we are bringing 3 new locations:

🇨🇦 Canada, Montreal (VPN + stealth proxies)
🇷🇴 Romania, Bucharest (VPN + stealth proxies)
🇰🇷 South Korea, Seoul (Only stealth proxies)

The number of locations will be limited for stealth proxies and most of them will be strategically close to countries with restrictive firewalls/DPI. For example, South Korea has an optimized routing (low ping) to China and should be mainly used by people from China.

Guides

We did revamp our guides page to make it more accessible. Some of the guides or videos are still missing for stealth proxies, but we will add them soon.

The next step for guides will be to re-record all existing videos for WireGuard and OpenVPN. After that, we want to focus on adding guides for routers and include videos for them as well.

Full changelog

Brand new page for guides
Proxy generator page
QR code support for proxies
Add Shadowsocks
Add Shadowsocks + v2ray (Websocket)
Add Trojan (TLS)
Add VLESS (XTLS, for Xray)
Add VLESS (WS+TLS, for Xray)
Add VMess (WS+TLS, for V2Ray)
Add OOC v1 subscription
Add Shadowsocks SIP008
Add Clash subscription
Add URL list for all proxy protocols
Add "Stealth proxy" on the home page
Remove fullpage.js for scrolling
Add text highlight selection color
We improved our website and squashed some bugs

It's that time of the year again. Just like last year we are publishing our new transparency report for 2021. We believe that transparency reports are an important part of our company. We will keep publishing them annually.

Law enforcement and police requests

• Search warrants - 0
• Subpoenas - 0
• Court orders - 0

Other legal requests

We receive other requests such as DMCA, DDoS, login attempts, spam, port scanning, etc. Currently, we don't include this in the report. All of these requests have been denied because we have no information to provide.

How we handle requests?

Our legal department handles all the requests and ensures that they are legit. They do investigate every request, but as we don't store any information, we do not have any data to provide when requested.

Got questions?

Send your email to legal@xeovo.com

China is known to have one of the most repressive censoring regimes. They have been developing and deploying notoriously sophisticated censorship techniques since 2003. To achieve and maintain such results, the Chinese government has hired research institutes and technology providers around the world.

Many foreign companies played a crucial part in developing GFW by providing research, devices, routers and other hardware. Most known are Cisco, Nortel Networks, Motorola and Sun Microsystems.

Nowadays, most of the hardware comes from Chinese companies Huawei and Semptian.

GFWatch has tested over 534 million distinct domains and found out that China is blocking over 255 741 domains and it keeps growing every day.

But that's just the tip of the iceberg. There are more companies that help build censorship tools for the Chinese government. We would like to list all of them, but it will require us to do a proper investigation and a separate post.

Even with all the best technologies available, GFW will not provide enough control for the Chinese Communist Party (CCP). That's why they have strict laws that mandate Chinese companies to be responsible for user-generated/public content. Social networks, blogs and messengers have mostly automated moderation tools to the level that you won't even be able to spread any "forbidden" information in the first place.

Want to see an example yourself? Try using the popular Chinese search engine "Baidu" to search for "Tiananmen Square" and compare results with other search engines. Baidu will show you only nice pictures of the square with flowers. You can also compare results for "Falun Gong".

How does GFW work?

GFW uses active filtering with many different methods such as:

1. IP blocking

The Chinese firewall maintains a list of IP ranges that are automatically dropped (network black-holing).

2. DNS Spoofing, filtering and redirection
One part of the Chinese firewall is made of liar DNS servers and DNS hijackers returning incorrect IP addresses. Studies seems to point out that this censorship is keyword-based.

3. URL filtering using transparent proxies
The Chinese firewall is made of transparent proxies filtering web traffic. These proxies scan the requested URI, the "Host" Header and the content of the web page (for HTTP requests) or the Server Name Indication (for HTTPS requests) for target keywords.

4. Traffic Pattern Analysis
Since 2012, the GFW is able to "learn, filter and block" users based on traffic behavior, using deep packet inspection.

5. Packet forging and TCP reset attacks

The Chinese firewall may arbitrarily terminate TCP transmissions, using packet forging. The blocking is performed using a TCP reset attack. This attack does not block TCP requests nor TCP replies, but send a malicious TCP RST packet to the sender, simulating an end-of-connection.

6. Man-in-the-middle attacks with TLS

The Chinese National Intelligence Law theoretically allows the Chinese government to request and use the root certificate from any Chinese certificate authority, such as CNNIC, to make MITM attacks with valid certificates.

Is it possible to bypass GFW?

We asked the same question ourselves this year and the answer is yes. Our team started working on implementing proxy protocols this year. We hope that this will help the Chinese and other people with similar restrictive firewalls. We are almost ready and currently in the last testing phase. We aim to release a new update with stealth proxies support during January 2022.

What makes it hard to bypass is that GFW uses a combination of passive traffic analysis and active probing to detect and block VPN, Tor and even stealth proxy protocols such as Shadowsocks.

Shadowsocks is a lightweight socks5 proxy, originally written in Python by clowwindy.

GFW also scrapes and monitors VPN/Proxy providers and actively blocks their IP addresses. VPN/Proxy detection also varies between different ISP and cities. Some of them are more aggressive.

Currently, the minimum requirements are:

• Censorship-resistant proxy protocols such as VLESS, TrojanGFW, and Vmess, which are superior compared to Shadowsocks.
• Server obfuscation
• Optimized servers and network for China / IPLC or CN2
• Dynamic IP's if available in case your IP gets banned by GFW

Why should I care about this?

Internet is fragile and countries such as China are impacting on free internet more than you think. Authoritarian states take notes from China and want the same technology to control their citizens.

Combining this technology with internet shutdowns creates a perfect tool for any authoritarian state. Rights to free expression and privacy are violated and no one seems to care about it.

China has already started exporting its technology to other countries, for example Belarus, Russia, Egypt, Venezuela, Bolivia, Cuba, Ecuador, Rwanda, Zimbabwe, Saudi Arabia, Pakistan and Iran.

In the worst-case scenario, more countries will join this list next year. One day it might be your country.
What should I do?

As an individual, one of the best things you can do is to share information about censorship. Teach other people how to bypass restrictive firewalls such as GFW and be prepared yourself in case it happens. Knowledge is power.

Sources and further reading.