Fingerprint browser unable to connect to residential IP? Unveiling the GeoIP defense mechanism in X-UI scripts | Overseas Network Special Report [023]

This video isOverseas Network Special ReportIn this 23rd installment, we'll discuss the topic of nested proxy chains. For users in mainland China, enabling a global proxy and using a fingerprint browser is equivalent to wrapping a residential service provider's IP proxy B with a self-built node proxy A, forming a nested proxy chain to ensure normal data transmission.

However, if you frequently use residential IP services, you may encounter a situation where your purchased residential IP can be pinged and relayed normally on remote servers located overseas; but on your local computer, you cannot connect regardless of whether you enable "global mode," use the TUN virtual network adapter, or modify the router's routing rules.

Why is that?

Coincidentally, I encountered this situation while testing a residential IP service provider called Thordata.

Thordata's products are quite interesting. In addition to the common dynamic IP and static IP, they also offer less common unlimited servers. I've demonstrated a similar operation for this product before.

In addition, it offers a wide range of data scraping tools and solutions. For example, the SERP API allows users to view keyword ranking performance across different search engines. Those involved in overseas marketing will definitely appreciate this feature.

Therefore, using Thordata merely as an IP service provider is a waste of its potential. Its value lies more in data collection. Those interested can learn more about it.

Of course, in this video, we'll first address the issue of how users in mainland China can use Thordata normally.

So, I'd like to share with you all what I've learned in "Fingerprint Browser — Self-built Proxy Node — Residential IP Gateway — Target Website"In this proxy chain, which configurations should be modified?"

I. The Truth: GeoIP Rules Accidentally Harmed People

If you don't care about the underlying principles, then just two confirmations and three modifications are usually enough to solve this problem.

Two confirmations:

• Normal connection confirmed: The service is functioning normally as confirmed using the curl command.
• Service Provider Gateway IP Confirmation: Use the curl command to view the source of the service provider gateway IP.

Three revisions:

• Disable node sniffing.
• In the direct connection settings of XUI outbound configuration, add the service provider's gateway domain name and IP address.
• Replace the gateway domain name with the gateway IP in the fingerprint browser.

The rest of the video will focus on explaining these five key points clearly and thoroughly.

First, let's answer the first question: Why is it said that GeoIP rules caused the problem?

When using XUI one-click scripts to build nodes on a VPS, these scripts typically have a default defense mechanism: blocking all IPs destined for mainland China, also known as the Blocked black hole rule. The method for identifying IP sources is the GeoIP database. Our commonly used traffic splitting syntax, geoip/geosite, relies on geoIP data to categorize and identify the origin of domains/IPs.

GeoIP database identifies countries based on pre-defined IP address ranges. This leads to a problem: overseas data centers of Chinese companies like Alibaba Cloud and Tencent Cloud often have their IP ranges uniformly classified as Chinese IPs (CN) by GeoIP. Once identified as CN, the Blocked rule is triggered, and the data is destroyed.

Then, in order to provide high-concurrency dynamic IP extraction services, some residential IP service providers may deploy their proxy gateway servers, which are the domain names we see, in multiple cloud server vendors around the world, including overseas data centers of Tencent Cloud and Alibaba Cloud.

Therefore, the truth behind why Chinese users cannot use these residential IP services through self-built nodes is that your data is not being transmitted from the VPS, but rather mistakenly deleted by Xray's underlying GeoIP rules. However, direct server connections are unaffected by this rule. Therefore, if you remotely log into the VPS via SSH and use the curl command, the residential IP will appear to be usable normally.

So, let's take a look at the methods for troubleshooting and resolving this issue.

II. Investigation and Resolution

Now that we understand the problem, we need to do two things: identify the gateway server of the residential IP service provider and modify the outbound settings in the proxy chain.

2.1 Confirm whether the residential IP service is working properly.

Do not test on a fingerprint browser or local computer. Log in to the VPS remotely and run the following command:

# HTTP协议测试：
curl -v -x http://你的账号:你的密码@网关域名或IP:端口 ip.sb

# SOCKS5协议测试（很多静态ISP代理用这个）：
curl -v -x socks5://你的账号:你的密码@网关域名或IP:端口 ip.sb

thordata is:

curl -v -x http://td-customer-cCBS1yZqi4w6gk-country-US-state-California-city-Losangeles-asn-AS701-sessid-USl49bhlx0bvh8716-sesstime-30:[email protected]:9999 ip.sb

Result determination:

• If an overseas IP address is successfully returned: This indicates that the residential IP service is functioning normally and your VPS is not under the other party's risk control measures. Problem 100% lies in your VPS outbound rules or local network configuration.
• If prompt Connection refused or 407 Proxy AuthThis indicates that your account password is incorrect, or your service provider's risk control has blocked your VPS data center IP.

2.2 Confirm the gateway's real IP address

Actually, you can already see the real gateway IP in the runtime logs in step 2.1. But if you don't know how to read it, you can use this method:

After disabling all proxies on your local computer, run the following command in the terminal:

ping 网关域名

For example, Thordata is:

ping sadiqrwv.na.thordata.net

There's a common misconception here: if you've enabled a proxy, running this command in your local terminal will result in "...".198.18.0.x"such a"Fake-IP(Fake IP)Fake-IP It's a virtual IP automatically generated by proxy software to prevent DNS pollution and speed up domain name resolution; this IP has no real value.

2.3 Enable "Global" on the local computer

First and foremost, it must be emphasized that a global proxy must be enabled when using a fingerprint browser. Additionally, many fingerprint browsers bypass the system proxy layer and directly access the underlying network adapter to prevent the leakage of your real IP address. Therefore, regardless of the software you use, it's best to enable TUN mode (virtual network adapter).

Secondly, for residential IP service providers like Thordata that use Tencent Cloud's overseas data centers, simply enabling "global" access on the local computer is insufficient. This is because our proxy access is actually divided into two segments:

The first paragraph, "From PC to VPS," explains that enabling a "global proxy" on the local computer is the solution.

The second paragraph, "From VPS to Residential IP Gateway," states that because Xray identifies Tencent Cloud's overseas data center IP as "China," although the computer's traffic enters the VPS, it is directly triggered by the Blocked rule within the VPS and then destroyed, thus failing to reach the residential IP gateway.

2.4 Modify XUI outbound configuration

Next, we need to enable Xray to allow the domain names and IPs of Tencent Cloud's overseas data centers to pass through independently, which means modifying the outbound configuration of XUI (opening a whitelist).

If you've already read my XUI traffic splitting tutorial, you'll probably be more familiar with it:

Log in to XUI—left-hand “Panel Settings”—Xray outbound settings configuration, roughly in the middle, find it.routing -> rules Array. To use in **geoip:cnAdd a rule above the existing rule:

      {
        "type": "field",
        "ip": [
          "43.153.52.244", 
          "95.134.95.63" 
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain": [
          "sadiqrwv.na.thordata.net", 
          "thordata.online"
        ],
        "outboundTag": "direct"
      },

After filling in the information, save and restart the panel.

2.5 Disable node sniffing

Even if the outbound rules are changed, you still can't connect if sniffing isn't turned off!

In the "Inbound List" of the X-ui panel, edit the node you are currently using.Force disable the "Sniffing" feature..

This is because VPS servers enable sniffing by default to extract the real domain name contained in data packets (such as the domain name you want to access). google.comThis is to enable precise rule-based traffic distribution or ad removal.

However, this is not suitable for our nested proxy operations! When your fingerprint browser attempts to access Google via ThorData, if sniffing is enabled, the VPS will detect that the target address is Google, and it will...By tampering with the routing, data was sent directly to Google, completely abandoning the ThorData gateway..

The result was that Google received a proxy request packet with ThorData password verification, which it couldn't understand at all, and directly gave you a Connection Reset.

Therefore, in order to ensure the integrity of the proxy handshake protocol, the relay node needs to disable the sniffing function.

2.6 Modify fingerprint browser settings

Does this mean everything is settled?

No!

Finally, in the fingerprint browser, we still need to change one setting: change the proxy server's hostname from the domain name to the gateway's real IP address.

In actual use, we find that even if both the gateway domain name and IP are added to Xray's outbound direct connection whitelist, the following situation still occurs:

• Unable to connect after entering the domain name
• Enter the IP address and connect successfully.

The circumstances surrounding this problem are also quite complex.

This is because our local proxy software (such as Clash/Shadowrocket) may experience issues. Cases of Fake-IP reverse lookup failureWhen you enter a domain name in the fingerprint browser, the local proxy software sends a fake IP address to the browser (e.g., ...). 198.18.0.XLogically, proxy software should send the domain name to the VPS, but sometimes it directly sends the internal fake IP address. 198.18.0.X It was sent to the VPS! The VPS used this strange internal IP address to compare it with its whitelist, but couldn't find the address, and the connection ultimately failed.

Furthermore, directly entering the IP address can perfectly bypass the multi-IP load balancing behind the gateway domain name, preventing the resolution of new IPs not on the whitelist. Since what truly affects dynamic IP changes is the account's... sessid Therefore, a fixed gateway IP address will not affect your ability to obtain a new residential IP address.

Therefore, the simplest and most permanent solution is to change the gateway domain name in the fingerprint browser to the real IP address we captured:43.153.52.244 This completely eliminates the uncertainties brought about by DNS resolution and the Fake-IP mechanism.

Three Summary

Finally, let's summarize as usual.

When using a residential IP service provider, if you encounter a situation where overseas servers connect normally but domestic connections fail:

1. First, confirm the IP source of the gateway domain (whether it has been blocked by GeoIP).
2. Modify Xray's outbound configuration to add it to the whitelist for permission;
3. Create a clean node with sniffing disabled;
4. Change the proxy server in the fingerprint browser from a domain name to an IP address.

Generally speaking, after completing these four steps, the complex cross-border proxy chain from the local computer—VPS—residential IP gateway to the target website can be truly operational.

Okay, that's all for this video. If you found it helpful, please subscribe to my channel.