GoodbyeDPI 是一個被動深度包檢測攔截器和主動 DPI 規避實用程序。

該軟件旨在繞過許多 Internet 服務提供商中的深度包檢測系統，這些系統會阻止訪問某些網站。

它處理使用分光器或端口鏡像（被動 DPI）連接的DPI，這些DPI不會阻止任何數據，而只是比請求的目的地更快地回復，并按順序連接主動 DPI。

Windows 7、8、8.1 和 10需要管理員權限。

Usage: goodbyedpi.exe [OPTION...]
 -p          block passive DPI
 -r          replace Host with hoSt
 -s          remove space between host header and its value
 -m          mix Host header case (test.com -> tEsT.cOm)
 -f   set HTTP fragmentation to value
 -k   enable HTTP persistent (keep-alive) fragmentation and set it to value
 -n          do not wait for first segment ACK when -k is enabled
 -e   set HTTPS fragmentation to value
 -a          additional space between Method and Request-URI (enables -s, may break sites)
 -w          try to find and parse HTTP traffic on all processed ports (not only on port 80)
 --port            additional TCP port to perform fragmentation on (and HTTP tricks with -w)
 --ip-id           handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
                          This option can be supplied multiple times.
 --dns-addr        redirect UDP DNS requests to the supplied IP address (experimental)
 --dns-port        redirect UDP DNS requests to the supplied port (53 by default)
 --dnsv6-addr      redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
 --dnsv6-port      redirect UDPv6 DNS requests to the supplied port (53 by default)
 --dns-verb               print verbose DNS redirection messages
 --blacklist     perform circumvention tricks only to host names and subdomains from
                          supplied text file (HTTP Host/TLS SNI).
                          This option can be supplied multiple times.
 --set-ttl         activate Fake Request Mode and send it with supplied TTL value.
                          DANGEROUS! May break websites in unexpected ways. Use with care.
 --auto-ttl    [decttl]   activate Fake Request Mode, automatically detect TTL and decrease
                          it from standard 64 or 128 by decttl (128/64 - TTL - 4 by default).
 --wrong-chksum           activate Fake Request Mode and send it with incorrect TCP checksum.
                          May not work in a VM or with some routers, but is safer than set-ttl.
 --wrong-seq              activate Fake Request Mode and send it with TCP SEQ/ACK in the past.
 --native-frag            fragment (split) the packets by sending them in smaller packets, without
                          shrinking the Window Size. Works faster (does not slow down the connection)
                          and better.
 --reverse-frag           fragment (split) the packets just as --native-frag, but send them in the
                          reversed order. Works with the websites which could not handle segmented
                          HTTPS TLS ClientHello (because they receive the TCP flow "combined").


LEGACY modesets:
 -1          -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)
 -2          -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)
 -3          -p -r -s -e 40 (better speed for HTTP and HTTPS)
 -4          -p -r -s (best speed)

Modern modesets (more stable, more compatible, faster):
 -5          -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)
 -6          -f 2 -e 2 --wrong-seq --reverse-frag

要檢查你的ISP的DPI是否可以被規避，首先要確保你的供應商不通過在瀏覽器中啟用 "Secure DNS（通過 HTTPS 的DNS）"選項來 poison DNS answers。

• Chrome: Settings → Privacy and security > Use secure DNS → With: NextDNS
• Firefox: Settings → Network Settings → Enable DNS over HTTPS → Use provider: NextDNS

然后在沒有任何選項的情況下運行 goodbyedpi.exe 可執行文件。如果它起作用了--恭喜你！你可以按原樣使用它，或者進一步配置，例如，如果你知道被封鎖的網站名單，就使用-黑名單選項。你可以按原樣使用，也可以進一步配置，例如，如果你所在的國家有已知的被屏蔽的網站名單，就可以使用-黑名單選項。

如果你的供應商攔截了 DNS 請求，你可能想使用 --dns-addr 選項到一個運行在非標準端口的公共 DNS resover（如Yandex DNS 77.88.8.8:1253）或使用第三方應用程序通過 HTTPS/TLS 配置 DNS。

檢查 .cmd 腳本并根據你的偏好和網絡條件進行修改。