Recently, I saw a netizen sharing a post titled "VPN that can be directly connected in mainland China" on the internet, which immediately sparked my interest.
With the support of the local area, a 2TB Google One subscription costs only RMB 12.59 and can be shared with up to 5 family members, for an average price as low as RMB 2.1 per person. This is equivalent to the cost of a bottle of water per month, almost like not spending any money.
Google One is an upgraded version of the original cloud storage, which can be used for Gmail and photo storage, and also comes with some benefits and better customer support. It is different from Apple One.
The additional storage space is self-explanatory. When purchasing storage space, the shared space will only be occupied after the user has used up their own free space. For example, if Google gives users 15GB of free space, the shared storage space will only be occupied after the user has used up the 15GB. In other words, if you buy 2TB and the family is full, the total theoretical space is 2138GB. (I don't need to mention who should be named here)
Because I mainly use Apple devices and don't have a large demand, and because, unlike OneDrive, I can't access it without getting over the firewall, it's not useful for me.
As for better customer support, I wanted to try to urge the development of Google One VPN for Linux through customer service, and then try to see if there is a method that does not connect to port 443 (mentioned later). I found a customer service representative, and the experience was very slow.
The first time was a phone call, and the person who answered the phone was a Taiwanese girl. The voice was initially very vague... but I could hear it clearly later. During the conversation, there were various conversations to confirm your identity, and finally asked me to complete: log out and log in again, download again, and restart, these three steps (but I didn't do them, I know the reason in my heart).
The second time was an online chat. I found English help, and I told them that I was using the Ubuntu system. They kept asking me to try downloading, and even sent me an .msi file in the end. I replied angrily, "I AM USING LINUX NOT WINDOWS", and they replied, "Linux platform is not supported at the moment."
This customer support was a waste of time for me.
The additional benefits are all trivial things, but this "VPN" is really worth talking about.
This VPN was originally called "Google Fi VPN". From the user experience, it has the following advantages:
- Direct connection under certain conditions, with access points nearby in Taiwan and Japan
- No traffic restrictions, it is said that the speed limit is 100Mbps
- The latency is quite good, and it is well optimized for Google services (such as YouTube)
- Supports UDP forwarding, which can accelerate UDP services such as games
- 4/6 dual stack
- The obtained IP is the IP of Google Wifi. At present, it is not considered as a proxy or data center by websites like https://whoer.net
- Currently, it can directly unlock streaming media
- The exit ("landing") IP is easy to change, the service works anywhere in the supported regions, and traffic is served by the nearest access point
Based on the tests during this period, connecting to Google One VPN works roughly as follows:
When connecting, the client first checks your "region", but this check does not rely on location or phone region, only on the "access IP".
The servers that detect the region are independent of the access points. This separation is what makes some of the implementations mentioned later possible.
A proxy is only needed when accessing the detection server; subsequent connections can be made without disguise or getting over the firewall (the access points are not blocked for the time being).
The subsequent connection to the access point is a direct connection, with a certain degree of guarantee for latency and speed.
During the connection process, the access point only verifies the user identity and does not verify the connecting IP again. The access point is responsible for the exit ("landing") of all subsequent traffic, which means that you can get good speed no matter where you fly around the world.
However, I quickly encountered a problem. The client on Android devices connects to the access point on port 2153/udp, while other platforms are assigned port 443/udp. Based on my tests, 443/udp traffic is currently blocked by domestic operators. Although I can't guarantee the accuracy of the wording, it may be packet loss, but according to feedback, no one has connected via 443/udp.
Android devices can use "Clash for magisk" to configure front-end proxies, specifically to deceive the "region detection server", so that one device can directly connect, but what about other devices?
Use a software router for proxy. Because 443/udp is lost in China, it is completely possible to use the existing proxy for connection, so as to use it as a "landing optimization" and obtain some benefits of Google One VPN.
This part is actually very simple. Here is a summary of the Clash rules I have come up with:
rule-providers:
  google_vpn:
    type: http
    behavior: ipcidr
    url: "rule set URL"
    path: ./ruleset/google_vpn.yaml
    interval: 86400
script:
  shortcuts:
    google_vpn: match_provider('google_vpn') and dst_port == 443 and network == 'udp'
rules:
  - DOMAIN-SUFFIX,cloud.cupronickel.goog,🪜Google VPN
  - SCRIPT,google_vpn,🪜Google VPN
Rule set:
payload:
- '136.22.64.0/24'
- '136.22.65.0/24'
- '136.22.67.0/24'
- '136.22.76.0/24'
- '136.22.83.0/24'
- '136.22.85.0/24'
- '136.22.86.0/24'
- '136.22.87.0/24'
- '136.22.92.0/24'
- '136.22.93.0/24'
- '136.22.94.0/24'
- '136.22.95.0/24'
- '136.22.96.0/24'
- '136.22.97.0/24'
- '136.22.98.0/24'
- '136.22.99.0/24'
- '136.22.100.0/24'
- '136.22.101.0/24'
- '136.22.102.0/24'
- '136.22.103.0/24'
- '136.22.104.0/24'
- '136.22.105.0/24'
- '136.22.106.0/24'
- '136.22.107.0/24'
- '136.22.108.0/24'
- '136.22.109.0/24'
- '136.22.110.0/24'
The addresses come from AS36492, you can visit here to check. I have only encountered addresses in 136.22.0.0/16 so far, so you can directly write this (funny).
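The shortcut's matching logic replayed over constructed flow records, as an added example (not the author's code). It uses a subset of the /24 prefixes listed above and shows what the 136.22.0.0/16 shorthand additionally selects and what adding the Android port 2153/udp changes; the flow records and function names are assumptions made for illustration.

```python
import ipaddress

# Subset of the /24 prefixes from the rule set above (not the full list).
RULESET = [ipaddress.ip_network(c) for c in (
    "136.22.64.0/24", "136.22.65.0/24", "136.22.67.0/24",
    "136.22.96.0/24", "136.22.97.0/24", "136.22.98.0/24", "136.22.99.0/24",
)]
# The shorthand the text mentions: one /16 instead of the individual /24s.
BROAD = [ipaddress.ip_network("136.22.0.0/16")]

# Constructed flow records (hypothetical), not captured traffic.
FLOWS = [
    {"id": "a", "dst_ip": "136.22.96.10", "dst_port": 443,  "network": "udp"},
    {"id": "b", "dst_ip": "136.22.96.10", "dst_port": 443,  "network": "tcp"},
    {"id": "c", "dst_ip": "136.22.66.5",  "dst_port": 443,  "network": "udp"},
    {"id": "d", "dst_ip": "136.22.67.20", "dst_port": 2153, "network": "udp"},
    {"id": "e", "dst_ip": "8.8.8.8",      "dst_port": 443,  "network": "udp"},
]


def matches(flow, prefixes, ports=(443,)):
    """Same three-way AND as the shortcut: prefix match, dst_port, udp."""
    if flow["network"] != "udp" or flow["dst_port"] not in ports:
        return False
    dst = ipaddress.ip_address(flow["dst_ip"])
    return any(dst in net for net in prefixes)


def classify(flows, prefixes, ports=(443,)):
    """Return the ids of the flows the rule would select, in input order."""
    return [f["id"] for f in flows if matches(f, prefixes, ports)]


def summarize(prefixes):
    """Merge adjacent prefixes and count the addresses they cover."""
    merged = list(ipaddress.collapse_addresses(prefixes))
    return merged, sum(n.num_addresses for n in merged)


if __name__ == "__main__":
    print("listed /24s :", classify(FLOWS, RULESET))
    print("/16 shorthand:", classify(FLOWS, BROAD))
    print("with 2153/udp:", classify(FLOWS, RULESET, ports=(443, 2153)))
    merged, count = summarize(RULESET)
    print("merged:", [str(n) for n in merged], "addresses:", count)
```

Flow "c" goes to a /24 that is absent from the list, so only the /16 shorthand selects it; ordinary QUIC to other networks (flow "e") is selected by neither.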
However, you may find that your own nodes may not be able to complete the connection to Google One VPN, or only some nodes can do it, so this is the second problem of connecting to Google One VPN: "There are requirements for the IP connected to the access point".
After testing, the access point will reject some data center IP connections, but this problem is easy to solve and can make the connection more elegant.
For example, if you use Azure to directly connect to the United States, it will always be stuck in the "connecting" state.
The solution is to "separately route" the proxy connected to the access point, and route it to a node that can be connected to and has a fast speed.
This way, there is a trick that you can find all kinds of "free" proxies on the Internet, no matter how fast or good the proxies are, as long as they can deceive the "region detection server", you can jump around the world.
What if I want to use it outside? Not everywhere has a software router that can get over the firewall. What if I can't root the device?
The solution provided by a V2ex user @a342191555 is:
Even an unrooted Android device can do it. The general process is as follows:
1. Use Clash to connect to a supported country, such as the United States, Japan, Taiwan, etc. Only use proxy mode, not global mode. If necessary, override the listening http port (assuming the listening http port is 8888)
2. Turn off Wi-Fi. In the settings of the data card, set a new APN (MIUI allows free settings, other systems need to find it themselves), and set the proxy server in the APN to 127.0.0.1,8888
3. Connect directly to Google One VPN, and the connection will remain even if you turn on Wi-Fi or turn off Clash
4. If Clash is turned off, the APN settings will make it impossible for Google One to connect in data traffic mode
If step 3 cannot connect, troubleshoot as follows:
1. Prompted not in a specific country or region: Are the APN settings effective? You can access any website to check if the proxy is still working
2. Always stuck in the "connecting" state: The IP is relatively black, try another one
They also provided a solution for iPhone, but it failed.
Using a Windows server to set up a server
Here I use Trojan-go for setup, you can choose the server according to your own needs.
First, connect to Google One VPN on the server
If you can't connect, it may be that your IP is blacklisted, so changing the IP is a good solution.
Download and configure Trojan-go
Because there is no one-click script or panel for you to use on Windows, you need to edit your own configuration based on the official documentation: https://p4gefau1t.github.io/trojan-go/basic/config/
Then, enable Google One VPN to route all traffic, so just keep the default routing.
Local connection test
Add the node to the original Clash configuration, and you can remotely use Google One VPN!
The speed is okay. I have seen other users reach speeds of over 200Mbps. Because I have added a layer of CDN, the growth trend and speed may be affected, but this speed is completely fine for watching videos!
No need to wait for Warp to frantically change IP to watch Netflix anymore!
Failed attempts
UDP forwarding
I thought since 443/udp is not allowed, why not forward it to 2153/udp?
This is the result of my test of whether UDP forwarding is possible. Although it can achieve forwarding, the Google One VPN client does not allow you to connect.
I tried to manipulate DNS resolution to achieve this, and after some testing, I came to a conclusion: the Google One VPN client may have built-in IP range maintenance, and it will reject connections if the obtained IP is not within the range.
Transparent proxy with Clash on Mac
Failed, reason unknown.
Capturing packets to see if the 443 port can be replaced
Failed, the transmitted content is encrypted (decrypted HTTPS traffic)
Decompiling to find port configuration
Failed, couldn't find it (then I can only guess that the configuration is requested remotely)
Wine
Cannot be installed
These are the approximate records of using Google One VPN during this period. Putting aside the complexity of the connection, it is actually a very good service. It has unlimited traffic, can be used to watch Netflix, and the latency is satisfactory.
And because it uses the system VPN, it means that you can still maintain a connection with the access point even if you switch between mobile data and Wi-Fi (currently only available on Android).
Some interesting ideas
I have a few ideas, but it's too troublesome to go online after wasting so much effort. Interested friends can try:
- Use an Android virtual machine/Android phone to connect, and then run a V2ray server locally for local use or use port forwarding to access it remotely.
- Use Docker-Android, which may require installing the full set of Google services.
Looking forward to the update of the client, providing a Linux client, preferably like "Warp cli", so that the IP of Google One VPN will be used by everyone as a high-quality landing for our nodes, and get a better internet experience.
After all, the cost can be reduced to about RMB 3 per month, and free nodes can be used when connecting.