Censorship on the Internet is getting worse, not better. The free flow of information is key to learning and making change. Because of this, we started FreeSocks, a service that provides free, open & uncensored Outline (Shadowsocks) proxies to people in countries experiencing a high level of Internet censorship late last year (2023).
Since then, the service has seen a considerable amount of growth. Over 1,000 access keys have been issued to people all around the world wanting to hide their Internet traffic from oppressive governments, and access the open Internet without restriction. Seeing the impact that the service has made is inspiring, and it’s why we’ve been working towards something quite special. Today, we are open sourcing the code that makes FreeSocks work, the FreeSocks Control Plane (FCP), which runs entirely on the serverless Cloudflare Workers platform for free. This allows anyone to launch their own FreeSocks-like service.
GitHub Repository: github.com/unredacted/freesocks-control-plane
Understanding the FreeSocks flow
Understanding the FreeSocks flow is key to understanding how FreeSocks really works. It’s designed with security in mind, while also being simple enough for any decently technical person to understand.
Breaking down the flow:
- A user visits an HTTP endpoint such as freesocks.org/get on their web browser. The request is terminated in an edge network datacenter close to them.
- The user solves a captcha/challenge, and submits their request.
- The FCP calculates the latency between the edge network datacenter the user reached, and the available Outline servers by sending HTTP requests over QUIC tunnels to their API endpoints. The available endpoints are stored in and retrieved from a Workers KV namespace.
- The Outline server with the best latency and lowest access key count is chosen by the FCP.
- The FCP initiates another request to the Outline server’s API to create a new access key, which is returned to the user with a definable expiry date if they don’t use the access key at all.
- The user enters the access key in their Outline (or Shadowsocks) application and connects to the server, allowing them to access the open Internet. As long as they continue to use the access key, it won’t expire. If they stop using it, it will be deleted in definable number of days.
FCP architectural design choices
By now you know that the FCP is used for access key retrieval by users, and allows administrators to delete unused access keys from the Outline VPN servers they manage. The code behind it is written in JavaScript. The FCP is designed to be fast, flexible and expandable for the future.
Operating the FreeSocks Control Plane (FCP) on top of a serverless platform was a core design choice for many reasons.
- It allows others to run the FCP for free (as is the case with Cloudflare Workers).
- It’s easy to stand up on multiple domains for optimal censor evasion. Let them play whack a mole.
- It’s easier to manage with tools like Cloudflare Wrangler.
- It’s more difficult for censors to block serverless edge networks, because they control a large portion of the Internet.
- Serverless edge networks are beneficial in determining latency between edge and Outline servers to provide the lowest latency server to users without exposing servers to users. In that way, it’s hard for a censor to discover all available servers from their interaction with the FCP.
While many may not trust large cloud providers to process potentially sensitive information, there’s no doubt that they make it harder for censors to block. FreeSocks is intended to circumvent censorship. At the same time, it makes the FCP very fast and efficient since requests are terminated all over the world in datacenters close to users. We believe the potential privacy tradeoff is worth it.
While we have to place our trust in cloud infrastructure providers here, we can say with certainty that the FCP code itself does not trigger anything to store personally identifiable information (PII). This makes FreeSocks a fairly privacy friendly service to use.
How can I run my own FreeSocks?
Since the FCP is now open source, anyone can run their own FreeSocks-like platform to distribute access keys to people. As time goes on, we’ll write more documentation on how this can be done. For those that are tech-savvy enough, you might figure it out without our help. If you do, please let us know – we’re very interested in hearing your feedback. Contributions to the codebase are welcome too!
Where does FreeSocks go from here?
FreeSocks will continue to be developed and expanded based on demand. We’ll continue to gather user feedback, and implement features in the FCP so that we can fight censorship.
However, we need your help! If you enjoy what we do, please consider making a donation. Unredacted is a non-profit organization that provides free and open services that help people evade censorship and protect their right to privacy.