Windows executable & Obfuscation

Last week ArkC released a Windows executable for the client-side utility in response to user requests. It can be used as a substitute for a full Python development environment.

Note: It only works with appropriate settings and server-side support. Should you discover any bugs in it, please report them to [email protected]. Ddeerreekk is working to create an easier-to-use toolset for settings and debugging on Windows.

So far we have no intention of providing a server-side utility, as we recommend that users run Linux or Unix on their servers, which can be much safer and more portable with Tor, Shadowsocks and other tools.


Besides that, we would like to let you know about our obfuscation attempt with Obfs4 by the Tor Project. We are integrating a ptproxy shell script into our code so that obfuscation will be a default setting. In our tests so far, ArkC works well integrated with Obfs4, though it requires ptproxy to run a portable proxy alone.

DNS function enabled

On Nov. 28, ArkC’s dns branch was merged into the master branch, after intense debugging and testing efforts.

ArkC now starts a connection by sending queries for certain DNS records to any local or remote standard DNS server.

The latest status can be found on our GitHub page.

What is ArkC? Explore key ideas

ArkC & ArkC Network

Technology Overview — Original documents when our work started

Part A. ArkC Protocol

  1. Protocol Description

The ArkC protocol includes various connection wrappers and supports both TCP and UDP transmission. It transmits proxy traffic in the form of ordinary connections, using plug-ins called “wrappers”. When data is transmitted over TCP connections, it allows the server to initiate the connections, thus creating a virtually reversed TCP connection (reverse-initialization).

During transmission, all the data should be encrypted, using various available algorithms.
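
Reverse-initialization as described above, shown on loopback in an added example that is not ArkC's own code: the proxy client listens, the proxy server dials out, and the request still flows from client to server. The function names and the length-prefixed framing are assumptions, the client address is passed in directly rather than learned through ArkC's DNS step, and wrappers and encryption are left out.

```python
import socket
import struct
import threading


def send_frame(sock, payload):
    # Length-prefixed framing (an assumption; the page defines no wire format).
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf


def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def proxy_server_dial_out(client_addr):
    # Proxy "server": answers requests, yet it is the TCP initiator.
    with socket.create_connection(client_addr, timeout=5) as conn:
        request = recv_frame(conn)
        send_frame(conn, b"served:" + request)


def reverse_init_exchange(request):
    # Proxy "client": originates requests, yet it is the TCP listener.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # loopback, OS-chosen port
        listener.listen(1)
        listener.settimeout(5)
        dialer = threading.Thread(target=proxy_server_dial_out,
                                  args=(listener.getsockname(),))
        dialer.start()
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(5)
            send_frame(conn, request)
            reply = recv_frame(conn)
        dialer.join()
    return reply


if __name__ == "__main__":
    print(reverse_init_exchange(b"GET http://example.org/"))
```

An observer of the TCP handshake sees the SYN travel from the proxy server to the proxy client, so the party that looks like the "client" on the wire is the one serving the requests.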

  2. Protocol Features

Typical wrappers for the ArkC protocol include SMTP (MTA to MTA), SMTP (Client to Server), HTTP, etc. The abundance of wrappers makes it harder to detect and reset ArkC connections, or to locate server IP addresses. In particular, the ordinary nature of the wrapping protocols hides ArkC connections within ordinary (even essential) Internet services. Massively unstable Internet service conditions deter censors from resetting all suspicious connections.

The reverse-initialization feature provides further tools for hiding server IP addresses. Since the server may initiate a connection using Tor or other public proxies, censors cannot discover the real server. This feature is similar to Tor Hidden Service, but differs in that the clients need not connect to the Tor network.

The SMTP (MTA to MTA) feature makes obfuscation with third-party servers possible. Mail servers and Web servers are both decentralized.

  3. Shortcomings

Various features of the ArkC protocol depend on client and server network conditions. A considerable number of home users are behind NAT and, unless this is set up in advance, incoming TCP requests can’t be answered. However, UDP hole punching may be used instead.

This can probably be solved using the ArkC Network, though.

Wrappers and encryption may slow down the connection, especially when initializing a new connection. Buffering and heartbeats may be implemented so that connections are smoother.



Part B. ArkC Network

  1. Description

The ArkC network is composed of users (clients) within censored countries (e.g. mainland China) and servers in uncensored countries or uncensored Internet environments. It is a centralized network with certain trusted authorities.

The ArkC network provides geographically optimized connections and ensures that users behind NAT can access ArkC servers abroad. Optimized proxy connections may yield higher speeds than direct connections in certain ISP environments.

The ArkC network further helps to conceal the real IPs of overseas ArkC servers, making it harder to block them. Owners of those servers can more confidently set up an ArkC network daemon, without worrying that their server may be blocked.

  2. Features

Central authority servers determine the fastest route for clients of the network to send data to and receive data from overseas servers. Static content may be buffered to increase its speed. [Encryption may be compromised, though.]

Nodes of the network in censored countries interact with overseas servers, using reversed connections. Those nodes also listen for connections from other domestic clients. Relaying between those nodes may be implemented to conceal the origin IP (similar to Tor). Clients behind NAT only connect to domestic nodes, using standard encrypted TCP connections. Censorship of all internal traffic is extremely costly and hard to deploy.

  3. Detailed Structure & Technologies

Clients and nodes use DNS queries to locate other nodes. The DNS authority is set to certain authority servers with global DNS relay.

CDN networks and the “Attached Freedom” principle help to make authority servers available to users. Authority servers only allocate routes and receive reports, thus transmission between them and users is trivial.

The ICMP (ping) protocol may be used to ensure connectivity between domestic users and authority servers.

The authority servers need to deliver commands to obfuscate, to start SMTP traffic or to relay data internally.

The authority servers need to assess the condition of each node, and enforce continual audits. (Refer to the Tor Project.)

  4. Shortcomings

Domestic nodes are often unreliable. The regime may use MITM attacks to obtain origin server IPs.

Hosts of domestic nodes may be threatened with imprisonment or persecution.


