Does the DPI Bypass "zapret" work with Merlin firmware?

[Sora]

Although the DOT function was added to the merlin firmware. but
I need to bypass DPI because I live in a country where isp censors the Internet.
I've been very stressed since I started censoring at my country ISP last month.
An alternative is to install goodbyedpi( https://github.com/ValdikSS/GoodbyeDPI )
and green tunnel( https://github.com/SadeghHayeri/GreenTunnel ) on the device,
but I want to do DPI bypass at the router level.

https://github.com/bol-van/zapret/blob/master/docs/readme.eng.txt
https://github.com/bol-van/zapret

There is a manual that can be installed on Openwrt, but I would like to install and work on the merlin firmware.
I'm a simple user so I don't know the details
I would be grateful if someone could give me the information .
If not, please tell me how to use the DPI bypass on the Merlin firmware.Thank you.
--------
Please understand that my English is lacking.

 

[luzumsuz]

It could be perfect if merlin can do it.

 

[Sora]

It could be perfect if merlin can do it.

Yes this is a really necessary feature.
If so, it would be perfect.
Someone please help

 

[Martineau]

Yes this is a really necessary feature.
If so, it would be perfect.

Simply entering these four commands allows the crucial NFQUEUE firewall rule to be activated for the two current IPv4 IPs for 'kinozal.tv'

modprobe xt_NFQUEUE

ipset create zapret hash:net

nslookup kinozal.tv;for IP in $(nslookup "kinozal.tv" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add zapret $IP;done;ipset list zapret

iptables -t mangle -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass

No idea if it does what it is supposed to do when you then attempt to access 'kinozal.tv'.

However, if DPI seemingly can't be bypassed using the 'splitting a request into segments' PREROUTING method, try the 'mangle "Host:" HTTP header' POSTROUTING method

iptables -t mangle -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass 2>/dev/null

iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:5 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass

 

[ssechaud]

So would these commands need to be entered for every site that is being blocked or is there a way to enable it for all sites?

 

[PrivatePerson]

Topic is relevant, but still not disclosed.Perhaps there are detailed instructions on how to install DPI bypass?

 

[hackvan]

I have an Asus RT-N66U router and unfortunately on the latest firmware Asuswrt Merlin 380.70 DPI bypass "zapret" does not work because of old kernel version.

I did some digging.

admin@RT-N66U:/tmp/mnt/sda1/git/zapret/tpws# ./tpws --bind-addr 192.168.1.1 --port 999 --disorder --tlsrec=sni --split-pos=2 --pidfile /opt/var/run/tpws.pid
setsockopt (IP_TRANSPARENT): Protocol not available

ip(7) - Linux manual page

IP_TRANSPARENT (since Linux 2.6.24)
   Setting this boolean option enables transparent proxying
   on this socket.  This socket option allows the calling
   application to bind to a nonlocal IP address and operate
   both as a client and a server with the foreign address as
   the local endpoint.  NOTE: this requires that routing be
   set up in a way that packets going to the foreign address
   are routed through the TProxy box (i.e., the system
   hosting the application that employs the IP_TRANSPARENT
   socket option).  Enabling this socket option requires
   superuser privileges (the CAP_NET_ADMIN capability).

IP_TRANSPARENT option available since Linux 2.6.24 but Asuswrt Merlin 380.70 runs on 2.6.22.19

admin@RT-N66U:/tmp/mnt/sda1/git/zapret/tpws# uname -a
Linux RT-N66U 2.6.22.19 #1 Sun Apr 8 14:03:49 EDT 2018 mips ASUSWRT-Merlin

Maybe someone can compile a firmware on a newer kernel? BTW a bugfix release has recently appeared https://www.asus.com/supportonly/rt-n66u (ver.b1)/helpdesk_bios/

 

[KevTech]

Maybe someone can compile a firmware on a newer kernel?

Not going to happen as no longer supported.
If you want the latest update use stock firmware from the Asus site.
380.70 is the last for Merlin.

 

[devhell]

What about this thread?

 

[devhell]

Dear friends
I think I made it work on my AX88U

 

[devhell]

First step

opkg update
opkg install coreutils-sort curl git-http grep gzip ipset iptables kmod_ndms nano xtables-addons_legacy nmap nmap-ssl netcat procps-ng-sysctl procps-ng-pgrep procps-ng
cd /opt/
git clone --depth=1 https://github.com/bol-van/zapret.git
cd zapret
./install_easy.sh

Now need send answer on multiple questions
My config is

# this file is included from init scripts
# change values here

# can help in case /tmp has not enough space
#TMPDIR=/opt/zapret/tmp

# redefine user for zapret daemons. required on Keenetic
WS_USER=nobody

# override firewall type : iptables,nftables,ipfw
FWTYPE=iptables

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# override ports
#HTTP_PORTS=80-81,85
#HTTPS_PORTS=443,500-501
#QUIC_PORTS=443,444

# CHOOSE OPERATION MODE
# MODE : nfqws,tpws,tpws-socks,filter,custom
# nfqws : nfqws for dpi desync
# tpws : tpws transparent mode
# tpws-socks : tpws socks mode
# filter : no daemon, just create ipset or download hostlist
# custom : custom mode. should modify custom init script and add your own code
MODE=nfqws
# apply fooling to http
MODE_HTTP=1
# for nfqws only. support http keep alives. enable only if DPI checks for http request in any outgoing packet
MODE_HTTP_KEEPALIVE=0
# apply fooling to https
MODE_HTTPS=1
# apply fooling to quic
MODE_QUIC=1
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTP6="--dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
#NFQWS_OPT_DESYNC_HTTPS6="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-repeats=6"
#NFQWS_OPT_DESYNC_QUIC6="--dpi-desync=hopbyhop"

# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if its not router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
IFACE_LAN=br0
IFACE_WAN=eth0
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?
# not applicable to openwrt with firewall3+iptables
INIT_APPLY_FW=1
# firewall apply hooks
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"

# do not work with ipv4
#DISABLE_IPV4=1
# do not work with ipv6
DISABLE_IPV6=1

# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
# comment if not required
#GETLIST=

Now you can change user hosts, for example:

youtube.com
youtu.be
googlevideo.com
gstatic.com
yt3.ggpht.com

Run /opt/zapret/ipset/get_user.sh

And run

/opt/zapret/init.d/sysv/zapret start

You can add start command to /jffs/scripts/post-mount script

/opt/zapret/init.d/sysv/zapret start & # Zapret

thelonelycoder
Maybe it can easily added to amtm

 

[PlayGround]

First step

opkg update
opkg install coreutils-sort curl git-http grep gzip ipset iptables kmod_ndms nano xtables-addons_legacy nmap nmap-ssl netcat procps-ng-sysctl procps-ng-pgrep procps-ng
cd /opt/
git clone --depth=1 https://github.com/bol-van/zapret.git
cd zapret
./install_easy.sh

Now need send answer on multiple questions
My config is

# this file is included from init scripts
# change values here

# can help in case /tmp has not enough space
#TMPDIR=/opt/zapret/tmp

# redefine user for zapret daemons. required on Keenetic
WS_USER=nobody

# override firewall type : iptables,nftables,ipfw
FWTYPE=iptables

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# override ports
#HTTP_PORTS=80-81,85
#HTTPS_PORTS=443,500-501
#QUIC_PORTS=443,444

# CHOOSE OPERATION MODE
# MODE : nfqws,tpws,tpws-socks,filter,custom
# nfqws : nfqws for dpi desync
# tpws : tpws transparent mode
# tpws-socks : tpws socks mode
# filter : no daemon, just create ipset or download hostlist
# custom : custom mode. should modify custom init script and add your own code
MODE=nfqws
# apply fooling to http
MODE_HTTP=1
# for nfqws only. support http keep alives. enable only if DPI checks for http request in any outgoing packet
MODE_HTTP_KEEPALIVE=0
# apply fooling to https
MODE_HTTPS=1
# apply fooling to quic
MODE_QUIC=1
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTP6="--dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
#NFQWS_OPT_DESYNC_HTTPS6="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-repeats=6"
#NFQWS_OPT_DESYNC_QUIC6="--dpi-desync=hopbyhop"

# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if its not router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
IFACE_LAN=br0
IFACE_WAN=eth0
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?
# not applicable to openwrt with firewall3+iptables
INIT_APPLY_FW=1
# firewall apply hooks
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"

# do not work with ipv4
#DISABLE_IPV4=1
# do not work with ipv6
DISABLE_IPV6=1

# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
# comment if not required
#GETLIST=

Now you can change user hosts, for example:

youtube.com
youtu.be
googlevideo.com
gstatic.com
yt3.ggpht.com

Run /opt/zapret/ipset/get_user.sh
View attachment 61429

And run

/opt/zapret/init.d/sysv/zapret start

You can add start command to /jffs/scripts/post-mount script

/opt/zapret/init.d/sysv/zapret start & # Zapret

thelonelycoder
Maybe it can easily added to amtm

Thank you very much for the instruction!

I did extactly what you wrote and used your config file, but YouTube still doesn't work, maybe you have any ideas what can be wrong there if I exactly copied all you wrote?

Thank again!

 

[devhell]

can you show work nfqws process or not

ps | grep nfqws

 

[PlayGround]

can you show work nfqws process or not

ps | grep nfqws

Sure!

All is working! The main problem is that zapret has started as you showed on your screenshot, the only reason it doesn't help to make YouTube work properly

 

[devhell]

You can't use the configuration what i'm provided
You should read the documentation of Zapret to select the necessary parameters
For example in my config NFQWS_OPT_DESYNC_HTTPS has comment but it cant work properly

 

[PlayGround]

You can't use the configuration what i'm provided
You should read the documentation of Zapret to select the necessary parameters
For example in my config NFQWS_OPT_DESYNC_HTTPS has comment but it cant work properly

I really appreciate your answer!

Yes, I made some changes in the config file and everything works fine now! I'm really happy with it!

I uncommented all the NFQWS_OPT_DESYNC_* fields and it worked!

 

[devhell]

You can vote for support this with amtm

Zapret integration · Issue #28 · decoderman/amtm

Hello all Maybe it needed for someone and amtm can help with it https://www.snbforums.com/threads/does-the-dpi-bypass-zapret-work-with-merlin-firmware.60099/post-925618 Its integration with Zapret ...

github.com

 

[Ripshod]

This won't make it to amtm. It's not been tested on the whole range of devices.
Once you have it at a stage where it works with all the router's without having to edit the config manually then it may likely be considered. You can install one of the current amtm scripts and see how it automatically detects the router/firmware and just asks a few questions as part of the install, then integrates itself into entware. Further configuration is done in cli menus. A basic RT-AX88U only script, that works outside of the current system just just won't cut it.

You can't use the configuration what i'm provided

Check out BACKUPMON to see how it should be done. Or see if you can get one of our established coders on board to help you polish this up.

 

[devhell]

This won't make it to amtm. It's not been tested on the whole range of devices.
Once you have it at a stage where it works with all the router's without having to edit the config manually then it may likely be considered. You can install one of the current amtm scripts and see how it automatically detects the router/firmware and just asks a few questions as part of the install, then integrates itself into entware. Further configuration is done in cli menus. A basic RT-AX88U only script, that works outside of the current system just just won't cut it.

Check out BACKUPMON to see how it should be done. Or see if you can get one of our established coders on board to help you polish this up.

thx for your reply

 

[euphoreka7]

i have RT-AC86U with 386.14 merlin firmware

# uname -a
Linux RT-AC86U 4.1.27 #2 SMP PREEMPT Sat Jul 20 13:50:04 EDT 2024 aarch64 ASUSWRT-Merlin

# modprobe xt_NFQUEUE
modprobe: module xt_NFQUEUE not found in modules.dep

# opkg install kmod_ndms
Unknown package 'kmod_ndms'.
Collected errors:
* opkg_install_cmd: Cannot install package kmod_ndms.

no kmod_ndms for aarch64-k3.10 architecture
how can i get it? should i install something additionally using amtm?