Blackout Kit
DPI Bypass & Censorship Circumvention Toolkit
A unified command-line toolkit that orchestrates 13+ bypass engines, auto-switches on failure, sets your system proxy automatically, and includes a full network diagnostic suite — all in one place.
🇮🇷 Iran · 🇨🇳 China · 🇮🇶 Iraq · 🇬🇧 United Kingdom · 🇺🇸 United States
- Why Blackout Kit
- Supported Countries
- Engines
- Installation
- Quick Start
- All Commands
- Security Modes
- Settings Reference
- How It Works
- Two Versions
- Troubleshooting
- Roadmap
- Disclaimer
Most bypass tools are single-purpose: one protocol, one config, one point of failure.
Blackout Kit is different. It is a coordinator — it manages multiple bypass engines simultaneously, auto-switches to the next one when the current one fails, monitors connection health, and recovers automatically. When Iran's TIC flips to whitelist mode during unrest, Blackout Kit's emergency mode tries every engine until something gets through.
Key design decisions:
- Zero internet required to start — the Full version ships with all binaries bundled. Unzip and run. No GitHub downloads during a blackout.
- One command — `blackout connect` is all most users need.
- Self-healing — the daemon monitors the connection and auto-restarts failed engines.
- Country-aware — detects your ISP and automatically recommends the right engine and DNS for your region.
- Privacy tiers — three security modes (SPEED / PRIVATE / LEGEND) let you trade performance for anonymity.
| Country | Censorship Level | Best Engine | Notes |
|---|---|---|---|
| 🇮🇷 Iran | HIGH | SNI → WARP → Psiphon | TIC uses hardware DPI. TCP fragmentation alone no longer works. SNI sequence injection is most effective. |
| 🇨🇳 China | EXTREME | XRay → Psiphon | Great Firewall blocks IPs + SNI simultaneously. V2Ray/VLESS over TLS is most reliable. |
| 🇮🇶 Iraq | MEDIUM | SNI → WARP → GoodbyeDPI | ISP-level DPI similar to Iran. SNI spoofing highly effective. |
| 🇬🇧 United Kingdom | LOW | GoodbyeDPI → WARP | Ofcom ISP content filtering (Pirate Bay etc.). Light DPI, easy to bypass. |
| 🇺🇸 United States | MINIMAL | WARP → Psiphon | ISP throttling and geo-restrictions only. No deep inspection. |
Auto-detection: Blackout Kit reads your ISP info at startup and silently selects the optimal engine order and DNS for your country. You can also pin a country manually:
```
blackout country set IR
blackout country set CN
blackout country reset    ← back to auto-detect
```
Blackout Kit coordinates 13 bypass engines. Each serves a different threat model.
| Engine | Protocol | What It Does | Best For |
|---|---|---|---|
| SNI Spoofing | TCP injection | Injects a fake TLS ClientHello before the real handshake — the DPI sees an allowed domain | Iran, Iraq: ISP-level DPI |
| XRay / V2Ray | VLESS · Trojan · WS+TLS | Encrypted proxy tunnel with TLS fingerprint camouflage | All countries |
| GoodbyeDPI | TCP fragmentation | Splits TCP packets so the DPI engine can't reassemble the SNI field | UK, light DPI |
| Cloudflare WARP | WireGuard / MASQUE | Tunnels through Cloudflare's network | All countries |
| Psiphon | Multi-protocol VPN | Automatic protocol switching: SSH, meek, obfuscated SSH | Heavy blackouts |
| Tor | Onion routing | 3-hop anonymized routing | Max privacy |
| TUN (sing-box) | System-level tunnel | Routes ALL app traffic — not just proxy-aware apps | Stubborn apps |
| IKEv2 / L2TP | Windows native VPN | No extra binary — uses Windows built-in RAS | Corporate networks |
| WireGuard | WireGuard VPN | Fast, kernel-level, modern UDP VPN | Speed + privacy |
| OpenVPN | OpenVPN | Battle-tested TLS-based VPN, works over TCP:443 | Wide compatibility |
| SoftEther | SSL-VPN | VPN over HTTPS — indistinguishable from web traffic | Extreme filtering |
| mhrv | Rust MITM proxy | HTTP+SOCKS5 proxy with custom obfuscation | Experimental |
| Google Apps Script | HTTPS relay | Domain-fronts traffic through script.google.com | Last resort |
Download blackout.exe from the Releases page.
This executable is fully standalone. No Python installation required. Just double-click blackout.exe and it will automatically extract its internal engines and open the CLI.
Note: The `.exe` comes pre-packed with native C/C++ DLLs. On first run, it drops them into `~/.blackout-kit/bins/` so they can be securely updated later.
```
git clone https://github.com/kiacoder/blackout-kit.git
cd blackout-kit
pip install -r requirements.txt
python blackout.py bins download
```
`bins download` auto-downloads all necessary binaries from their official sources with a progress bar.
Warning: The Source version requires internet to download binaries and dependencies. If you are already in a blackout, use the standalone `.exe` instead.
- Python 3.9+
- Windows 10 or 11 (x64)
- Administrator privileges (for kill switch, Defender exclusion, VPN engines)
- The packages in `requirements.txt`: `rich`, `httpx`, `psutil`, `cryptography`
```
:: 1. Run the app — shows an interactive menu
python blackout.py
:: 2. Let the doctor check everything first
python blackout.py doctor
:: 3. Connect (auto-picks the best engine for your country)
python blackout.py connect
:: 4. If that fails, try all engines one by one
python blackout.py emergency
```
That's it. Blackout Kit handles the rest — sets your system proxy, monitors the connection, and auto-switches if the engine drops.
```
blackout connect                           Auto-select best engine and connect
blackout connect sni                       Connect with a specific engine
blackout connect xray
blackout connect warp
blackout connect psiphon
blackout connect gdpi
blackout connect tor
blackout connect tun
blackout connect wireguard
blackout connect openvpn
blackout connect softether
blackout connect ikev2
blackout connect mhrv
blackout connect appsscript
blackout connect --background              Run in background (daemon mode)
blackout connect sni --background
blackout emergency                         Try all engines in order until one works
blackout emergency --background

blackout stop                              Stop the background daemon
blackout status                            Show daemon status + connection health
blackout logs                              View daemon log
blackout logs --lines 200                  Show last 200 lines

blackout scan                              Scan Cloudflare IPs + test SNI domains
blackout scan --ips                        Scan IPs only
blackout scan --sni                        Test SNI domains only
blackout scan --count 300                  Scan 300 IPs (default: 100)

blackout config list                       List saved V2Ray/proxy configs
blackout config add <uri>                  Add a vless:// or trojan:// URI
blackout config import <url>               Import from a subscription URL
blackout config remove <n>                 Remove config by number

blackout bins                              Show all binaries: installed? size?
blackout bins download                     Download all missing binaries
blackout bins download xray                Download a specific binary
blackout bins update                       Update all installed binaries to latest

blackout country                           Show detected country + recommended engines
blackout country set IR                    Pin country (IR / US / GB / CN / IQ)
blackout country reset                     Remove pin — return to auto-detect

blackout mode                              Show current security mode
blackout mode speed                        Max speed, no overhead (default)
blackout mode private                      Random TLS fingerprint + DoH DNS
blackout mode legend                       Full privacy: multi-hop, kill switch, encrypted configs

blackout tools ping [host]                 TCP ping test
blackout tools speedtest                   Download speed test (Cloudflare)
blackout tools dns-bench                   Benchmark all DNS servers
blackout tools dns-set cloudflare          Switch DNS (cloudflare / google / shecan / electro / 403 / begzar / alibaba / tencent)
blackout tools dns-flush                   Flush DNS cache
blackout tools adapters                    List network adapters
blackout tools mtu [host]                  Detect path MTU
blackout tools traceroute [host]           Traceroute
blackout tools hotspot                     Toggle Windows Mobile Hotspot
blackout tools share-vpn                   Share VPN over hotspot (ICS)
blackout tools netfix                      Auto-fix common network problems (Winsock + TCP/IP reset)
blackout tools cert-check <host>           Check TLS certificate for a host
blackout tools cert-check <host> --allow   Manually allow a host in LEGEND mode

blackout network                           Show IP, ISP, country, and connection status
blackout network isp                       Detailed ISP info + country censorship context

blackout doctor                            Run all diagnostic checks
blackout doctor --fix                      Auto-fix everything fixable
blackout doctor --fix-av                   Add bins/ to Windows Defender exclusions
blackout fix                               Quick network repair (Winsock + DNS + TCP reset)

blackout settings list                     Show all 90+ settings with descriptions
blackout settings get <key>                Get a single setting value
blackout settings set <key> <val>          Change a setting
blackout settings reset                    Reset all settings to defaults

blackout help                              Show help overview
blackout help engines                      Engine descriptions and when to use each
blackout help countries                    Country profiles and recommended engines
blackout help security                     Security modes explained
blackout help cert                         TLS certificate bypass system
blackout help troubleshoot                 Common issues and fixes
blackout help quick_start                  5-minute getting started guide
```
Blackout Kit has three security tiers. Switch with `blackout mode <name>`.
SPEED: Just get through. Maximum compatibility, zero overhead.
- TLS fingerprint: Chrome
- Logging: none
- MUX: disabled
- Cert checking: silent bypass (`allowInsecure=True` always)
- Kill switch: off
Best for: daily use, streaming, browsing.
PRIVATE: Harder to fingerprint. Slightly slower.
- TLS fingerprint: random (rotates per session)
- Logging: none
- MUX: enabled
- Cert checking: warns if server cert is invalid, but still connects
- Background cert probing after connect
Best for: users who want to avoid traffic analysis without sacrificing reliability.
LEGEND: Near-untraceable. Multi-hop. Hard fail on bad certs.
- TLS fingerprint: random
- MUX: enabled
- Routing: SNI → XRay → Tor (3-hop)
- Cert checking: refuses to connect if certificate is known-bad (unless manually allowed)
- Kill switch: auto-enabled
- Config encryption: AES-256-GCM tied to machine hardware ID
Best for: journalists, activists, high-risk users. Slow but maximally private.
```
blackout mode legend
blackout tools cert-check myvpnserver.com            ← check cert first
blackout tools cert-check myvpnserver.com --allow    ← if self-signed, manually trust it
blackout connect xray
```
Run `blackout settings list` to see all 90+ settings. Key ones:
| Setting | Default | Description |
|---|---|---|
| `security_mode` | `speed` | Active security mode |
| `xray_socks_port` | `10808` | XRay SOCKS5 proxy port |
| `xray_http_port` | `10809` | XRay HTTP proxy port |
| `xray_fingerprint` | `chrome` | TLS fingerprint (chrome/firefox/random) |
| `xray_mux_enabled` | `false` | Enable connection multiplexing |
| `sni_listen_port` | `40443` | SNI spoofer listen port |
| `sni_connect_ip` | `""` | Best Cloudflare IP (set after scanning) |
| `sni_fake_sni` | `www.hcaptcha.com` | Fake SNI domain to inject |
| `auto_set_proxy` | `true` | Auto-configure Windows system proxy |
| `engine_order` | `[]` | Emergency mode engine order (empty = country profile default) |
| `country` | `""` | Pinned country code (empty = auto-detect) |
| `kill_switch` | `false` | Block all non-proxy traffic |
| `wg_config_file` | `""` | Path to WireGuard .conf file |
| `openvpn_config` | `""` | Path to .ovpn file |
| `ikev2_server` | `""` | IKEv2 VPN server address |
| `softether_host` | `""` | SoftEther server hostname |
| `psiphon_egress_country` | `""` | Psiphon exit country code |
Iran's TIC uses hardware DPI at the internet gateway. It reads the SNI field in the TLS ClientHello to identify which site you're connecting to.
Blackout Kit defeats this with TCP sequence injection:
```
[Your App]
    │
    ▼
[XRay — SOCKS5 :10808]
    │  Trojan/VLESS over TLS
    ▼
[SNI Spoofer — :40443]
    │
    ├─── Fake ClientHello ──► [Cloudflare IP :443]
    │      SNI = "www.hcaptcha.com"          DPI sees: "hcaptcha — allowed ✓"
    │      (out-of-window TCP seq)           Real server: drops silently
    │
    └─── Real TLS Handshake ► [Cloudflare IP :443]
           SNI = "your-actual-server.com"    DPI: connection already whitelisted
```
The fake packet uses an out-of-window TCP sequence number so the target server drops it without responding. The DPI only sees the first packet's SNI and marks the connection as allowed. The real handshake follows immediately.
GoodbyeDPI fragments TCP packets at the IP layer so the DPI engine receives split packets and cannot reconstruct the SNI field for inspection. Works against simple stateless DPI that doesn't reassemble packets.
Note: Does NOT work against Iran's TIC (2025+). Their hardware does full TCP reassembly before SNI inspection.
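Why reassembly decides the outcome described above, as an added example that is not Blackout Kit's own code: a minimal SNI extractor of the kind an inspection device runs, applied to a ClientHello split across two TCP segments and then to the reassembled stream. The ClientHello is constructed in the script, and the function names and the hostname `blocked.example` are assumptions made for illustration.

```python
import struct

def build_client_hello(hostname):
    """Constructed sample: minimal TLS ClientHello record with only an SNI extension."""
    name = hostname.encode("ascii")
    # server_name body: list length, name_type 0 (host_name), name length, name
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                        # legacy_version, random
            + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # session_id, ciphers, compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """Return the SNI hostname, or None when data is not one complete ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        return None                      # not the start of a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or rec[:1] != b"\x01":
        return None                      # truncated record, or not a ClientHello
    try:
        pos = 4 + 2 + 32                 # handshake header, version, random
        pos += 1 + rec[pos]              # session_id
        pos += 2 + struct.unpack("!H", rec[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + rec[pos]              # compression_methods
        end = pos + 2 + struct.unpack("!H", rec[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", rec[pos:pos + 4])
            if ext_type == 0:            # server_name
                n = struct.unpack("!H", rec[pos + 7:pos + 9])[0]
                return rec[pos + 9:pos + 9 + n].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                      # malformed hello: report nothing
    return None                          # no server_name extension present

def stateless_inspect(segments):         # per-packet: each TCP segment parsed alone
    return [extract_sni(s) for s in segments]

def reassembling_inspect(segments):      # stream: join segments in order, parse once
    return extract_sni(b"".join(segments))

if __name__ == "__main__":
    hello = build_client_hello("blocked.example")   # constructed hostname
    segments = [hello[:64], hello[64:]]             # split inside the SNI value
    print(stateless_inspect(segments), reassembling_inspect(segments))
```

Per-segment parsing returns nothing for either piece, while the reassembled stream yields the hostname, which is the behaviour the note attributes to full TCP reassembly.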
When a normal connect fails, emergency tries engines in order:
1. sni → failed (blocked)
2. gdpi → failed (reassembly DPI)
3. warp → failed (IP blocked)
4. psiphon ← CONNECTED ✓
The order defaults to your country's recommended profile but can be overridden:
```
blackout settings set engine_order xray,warp,psiphon,tor
```
| | Standalone `.exe` | Source Code |
|---|---|---|
| Contains | Code + native DLL engines | Code only |
| Download size | ~63 MB | ~2 MB |
| Works offline/blackout | ✅ Yes | ❌ No — needs internet for bins download |
| Who it's for | End users, general public | Developers, contributors |
| GitHub Release asset | `blackout.exe` | `Source code.zip` |
Always share the blackout.exe version with people who need it RIGHT NOW. The Source version is for developers and people who install it before a crisis.
```
blackout doctor
```
The doctor will identify the specific problem — missing binary, wrong port, Defender blocking the exe, etc.
```
blackout doctor --fix-av
```
This adds bins/ to Defender's exclusion list. Run as Administrator.
```
blackout settings set auto_set_proxy true
```
Requires the app to be run as Administrator for the first time.
The server's TLS certificate failed strict validation. You have two options:
```
:: Option 1 — Check what's wrong
blackout tools cert-check yourserver.com
:: Option 2 — Manually trust this specific server
blackout tools cert-check yourserver.com --allow
```
Run `blackout logs` to see the error. Common causes:
- Port already in use — change `xray_socks_port` in settings
- Config file issue — run `blackout doctor`
- Defender quarantined xray.exe — run `blackout doctor --fix-av`
```
blackout bins download
```
Or if you have the Full version, make sure you're running from the correct folder where bins/ exists.
```
blackout tools dns-flush
blackout tools netfix
```
```
blackout country
blackout country set IR    ← pin manually
```
See ROADMAP.md for the full version plan.
Highlights coming in v1.1:
- Hysteria2 — QUIC-based protocol, extremely hard to block
- TUIC — Low-latency QUIC tunnel
- TLS Record-Layer Fragmentation — Fragment at TLS level, not TCP. Overwhelms Iran's DPI hardware.
- `blackout connect --iran` — One-flag profile: ArvanCloud SNI + TLS fragment + Firefox fingerprint
- DoH bootstrapping — Resolve proxy server via DNS-over-HTTPS before connecting
MIT — Free and open source. Use it, build on it, share it.
See LICENSE for full text.
This tool is for legitimate personal use only — accessing blocked entertainment, educational resources, development tools, and personal communications.
Do not use this tool for illegal activities. Users are fully responsible for their own actions. The author bears no responsibility for misuse.
Made by Kiacoder — for everyone who just wants to use the internet.