Does the DPI Bypass "zapret" work with Merlin firmware?

[antonf]

Dear friends
I think I made it work on my AX88U

View attachment 61428

Hi! I'm trying to setup zapret with nfqws on my AX88U. I don't have package "kmod_ndms" in entware. Do we need it? Kernel modules
xt_multiport.ko, xt_connbytes.ko, xt_NFQUEUE.ko are also absent. Do you have them? Are they required? Thanks!

 

[antonf]

Hi! I'm trying to setup zapret with nfqws on my AX88U. I don't have package "kmod_ndms" in entware. Do we need it? Kernel modules
xt_multiport.ko, xt_connbytes.ko, xt_NFQUEUE.ko are also absent. Do you have them? Are they required? Thanks!

Ok. Reply to myself. kmod_ndms and kernel modules xt_multiport.ko, xt_connbytes.ko, xt_NFQUEUE.ko are not required for AX88U Merlin+Entware. zapret works perfectly.

 

[Overmaxx]

Ok. Reply to myself. kmod_ndms and kernel modules xt_multiport.ko, xt_connbytes.ko, xt_NFQUEUE.ko are not required for AX88U Merlin+Entware. zapret works perfectly.

Can you share guide how to start zapret on ax88u?

 

[antonf]

Can you share guide how to start zapret on ax88u?

0) backup your settings, update stock firmware, buy USB Flash
1) Install Merlin firmware:

AsusWRT install Entware

Ultimate repo for embedded devices. Contribute to Entware/Entware development by creating an account on GitHub.

github.com

Install on Asus stock firmware

Ultimate repo for embedded devices. Contribute to Entware/Entware development by creating an account on GitHub.

github.com

2) Follow these instructions: https://www.snbforums.com/threads/d...t-work-with-merlin-firmware.60099/post-925618
3) Change /opt/zapret/config. It can be different for your provider. I use:
NFQWS_OPT_DESYNC="--dpi-desync=fake,disorder2 --dpi-desync-split-pos=1 --dpi-desync-ttl=0 --dpi-desync-fooling=md5sig,badsum --dpi-desync-repeats=6 --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"

NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-ttl=0 --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-fooling=md5sig,badsum --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_google_com.bin"

(thanks to Keenet https://habr.com/ru/articles/834826/)
4) Add hosts to /opt/zapret/ipset/zapret-hosts-user.txt
For example:
youtube.com
youtu.be
googlevideo.com
ytimg.com
gstatic.com
ggpht.com
1e100.net
youtubei.googleapis.com
l.google.com
googleusercontent.com
gvt1.com
video.google.com
youtube-nocookie.com
youtubeeducation.com
youtubekids.com
yt.be
play.google.com
nhacmp3youtube.com
apis.google.com
doubleclick.net

 

[IlyaKh]

First step

opkg update
opkg install coreutils-sort curl git-http grep gzip ipset iptables kmod_ndms nano xtables-addons_legacy nmap nmap-ssl netcat procps-ng-sysctl procps-ng-pgrep procps-ng
cd /opt/
git clone --depth=1 https://github.com/bol-van/zapret.git
cd zapret
./install_easy.sh

Now need send answer on multiple questions
My config is

# this file is included from init scripts
# change values here

# can help in case /tmp has not enough space
#TMPDIR=/opt/zapret/tmp

# redefine user for zapret daemons. required on Keenetic
WS_USER=nobody

# override firewall type : iptables,nftables,ipfw
FWTYPE=iptables

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# override ports
#HTTP_PORTS=80-81,85
#HTTPS_PORTS=443,500-501
#QUIC_PORTS=443,444

# CHOOSE OPERATION MODE
# MODE : nfqws,tpws,tpws-socks,filter,custom
# nfqws : nfqws for dpi desync
# tpws : tpws transparent mode
# tpws-socks : tpws socks mode
# filter : no daemon, just create ipset or download hostlist
# custom : custom mode. should modify custom init script and add your own code
MODE=nfqws
# apply fooling to http
MODE_HTTP=1
# for nfqws only. support http keep alives. enable only if DPI checks for http request in any outgoing packet
MODE_HTTP_KEEPALIVE=0
# apply fooling to https
MODE_HTTPS=1
# apply fooling to quic
MODE_QUIC=1
# none,ipset,hostlist,autohostlist
MODE_FILTER=autohostlist

# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTP6="--dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
#NFQWS_OPT_DESYNC_HTTPS6="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-repeats=6"
#NFQWS_OPT_DESYNC_QUIC6="--dpi-desync=hopbyhop"

# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if its not router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
IFACE_LAN=br0
IFACE_WAN=eth0
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?
# not applicable to openwrt with firewall3+iptables
INIT_APPLY_FW=1
# firewall apply hooks
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"

# do not work with ipv4
#DISABLE_IPV4=1
# do not work with ipv6
DISABLE_IPV6=1

# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
# comment if not required
#GETLIST=

Now you can change user hosts, for example:

youtube.com
youtu.be
googlevideo.com
gstatic.com
yt3.ggpht.com

Run /opt/zapret/ipset/get_user.sh
View attachment 61429

And run

/opt/zapret/init.d/sysv/zapret start

You can add start command to /jffs/scripts/post-mount script

/opt/zapret/init.d/sysv/zapret start & # Zapret

thelonelycoder
Maybe it can easily added to amtm

Hello.
I'm trying to run DPI according to your instructions on AX56U.
I get errors at the step with running the script /opt/zapret/ipset/get_user.sh.

I don't understand yet what I'm doing wrong. I'll be glad if you help me. Thanks!

 

[devhell]

can you provide output of `dig` command?

 

[antonf]

Hello.
I'm trying to run DPI according to your instructions on AX56U.
I get errors at the step with running the script /opt/zapret/ipset/get_user.sh.
View attachment 61650
I don't understand yet what I'm doing wrong. I'll be glad if you help me. Thanks!

What happens if you skip get_uset.sh step? Does your setup work with hostlist instead of ipset?

 

[IlyaKh]

After installing the "bind-dig" package, the script run successfully.
I see that the service starts successfully, but YouTube still doesn't work. Apparently, I need to experiment with the arguments in the configuration file. If anyone has any proven options, I would be very grateful.