Tutorial Using TOR to unblock sites blocked by ISP on [Fork] Asuswrt-Merlin 374 LTS

[MON@H Rasta]

1. Install MicroSD into device.
2. Format MicroSD as a single partition and install Entware on it using amtm.
3. Spoiler: Installing the required packages

   opkg update ; opkg upgrade ; opkg install tor tor-geoip bind-dig

4. Spoiler: Initialize ipset, create multiple unblock IP addresses

   Create another file

   nano /jffs/scripts/init_ipset.sh

   Insert this and save the file

   modprobe ip_setmodprobe ip_set_iphash
   modprobe ip_set_nethash
   modprobe ip_set_setlist
   
   ipset --create unblock iphash

   Now give execution rights

   chmod +x /jffs/scripts/init_ipset.sh

   Create another file

   nano /jffs/scripts/services-start

   Insert this and save the file

   #!/bin/sh
   # This script get called after all other system services
   # have been started at boot on router
   # ---------------------------------------------------------
   
   # Cron job to install after reboot
   cru a unblock-ipset "3 3 * * * /jffs/scripts/unblock_update.sh"

   Now give execution rights

   chmod +x /jffs/scripts/services-start

   Create another file

   nano /jffs/scripts/nat-start

   Insert this code

   #!/bin/sh
   iptables -t nat -A PREROUTING -i br0 -p tcp -m set --set unblock dst -j REDIRECT --to-port 9141

   Save and give execution rights

   chmod +x /jffs/scripts/nat-start

5. Spoiler: Configuring Tor

   cat /dev/null > /opt/etc/tor/torrc

   nano /opt/etc/tor/torrc

   And insert your edited settings. Please note that admin is the username that is used to log into the router's web interface! If changed, replace with your own

   User admin
   PidFile /opt/var/run/tor.pid
   ExcludeExitNodes {RU},{UA},{AM},{KG},{BY}
   StrictNodes 1
   TransPort 192.168.1.1:9141
   ExitRelay 0
   ExitPolicy reject *:*
   ExitPolicy reject6 *:*
   GeoIPFile /opt/share/tor/geoip
   GeoIPv6File /opt/share/tor/geoip6
   DataDirectory /opt/var/lib/tor

   Spoiler: Description

   Exclude output nodes: Russia, Ukraine, Armenia, Kyrgyzstan, Belarus.
   Hang up a "transparent" proxy at 192.168.1.1, port 9141.
   Forbid being an exit point.
6. Spoiler: List of domains / IPs to bypass blocking (unblock.txt)

   unblock.txt - a simple list to unblock. You can unblock domain or IP address. One line - one item. Blank lines (including those with spaces and tabs) are ignored. You can use the # character at the beginning of a line to ignore. Create a new file with the command

   nano /tmp/mnt/microsd/dnsmasq/unblock.txt

   Insert our list into it. Use your own list, this is just an example!

   ###Torrent-trackersrutracker.org
   rutor.info
   rutor.is
   mega-tor.org
   kinozal.tv
   nnm-club.me
   nnm-club.ws
   tfile.me
   tfile-home.org
   tfile1.cc
   megatfile.cc
   megapeer.org
   megapeer.ru
   tapochek.net
   tparser.org
   tparser.me
   rustorka.com
   uniongang.tv
   fast-torrent.ru
   
   ###Media content directories for programs
   rezka.ag
   hdrezka.ag
   hdrezka.me
   filmix.co
   filmix.cc
   seasonvar.ru
   
   ###Books
   lib.rus.ec
   flibusta.is
   flibs.me
   flisland.net
   flibusta.site
   
   ###Telegram
   telegram.org
   tdesktop.com
   tdesktop.org
   tdesktop.info
   tdesktop.net
   telesco.pe
   telegram.dog
   telegram.me
   t.me
   telegra.ph
   web.telegram.org
   desktop.telegram.org
   updates.tdesktop.com
   venus.web.telegram.org
   flora.web.telegram.org
   vesta.web.telegram.org
   pluto.web.telegram.org
   aurora.web.telegram.org
   
   ###misc
   7-zip.org
   edem.tv
   4pna.com
   2019.vote
   
   ###Tor check
   check.torproject.org
   
   ###Example of unblocking by IP (remove the # at the beginning of the line)
   #195.82.146.214

7. Spoiler: Script for filling the set of unblock with IP addresses of a given list of domains (unblock_ipset.sh)

   Create a new file with the command

   nano /jffs/scripts/unblock_ipset.sh

   Insert the following into it

   #!/bin/sh
   until ADDRS=$(dig +short google.com @localhost) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done
   
   while read line || [ -n "$line" ]; do
   
   [ -z "$line" ] && continue
   [ "${line:0:1}" = "#" ] && continue
   
   addr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
   
   if [ ! -z "$addr" ]; then
   if ipset --test unblock $addr | grep NOT; then
   ipset -q --add unblock $addr
   continue
   fi
   fi
   
   dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("if ipset --test unblock " $1 " | grep NOT; then ipset -q --add unblock " $1 "; fi")}'
   
   done < /tmp/mnt/microsd/dnsmasq/unblock.txt

   Save the file and give the rights to execute it

   chmod +x /jffs/scripts/unblock_ipset.sh

8. Spoiler: Script for generating an additional dnsmasq configuration file from a given list of domains (unblock_dnsmasq.sh)

   Create a new file with the command

   nano /jffs/scripts/unblock_dnsmasq.sh

   Insert the following into it

   #!/bin/sh
   cat /dev/null > /tmp/mnt/microsd/dnsmasq/unblock.dnsmasq
   
   while read line || [ -n "$line" ]; do
   
   [ -z "$line" ] && continue
   [ "${line:0:1}" = "#" ] && continue
   
   echo $line | grep -Eq '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' && continue
   
   echo "ipset=/$line/unblock" >> /tmp/mnt/microsd/dnsmasq/unblock.dnsmasq
   
   done < /tmp/mnt/microsd/dnsmasq/unblock.txt

   Save the file and give rights to execute

   chmod +x /jffs/scripts/unblock_dnsmasq.sh

   Then we execute the script

   /jffs/scripts/unblock_dnsmasq.sh

   Check that the file has been created and there are records in it

   cat /tmp/mnt/microsd/dnsmasq/unblock.dnsmasq

   There must be something like this

   # cat /tmp/mnt/microsd/dnsmasq/unblock.dnsmasqipset=/rutracker.org/unblock
   ipset=/rutor.info/unblock
   ipset=/rutor.is/unblock
   ipset=/mega-tor.org/unblock
   ipset=/kinozal.tv/unblock
   ipset=/nnm-club.me/unblock
   ipset=/nnm-club.ws/unblock
   ipset=/tfile.me/unblock
   ipset=/tfile-home.org/unblock
   ipset=/tfile1.cc/unblock
   ipset=/megatfile.cc/unblock
   ipset=/megapeer.org/unblock
   ipset=/megapeer.ru/unblock
   ipset=/tapochek.net/unblock
   ipset=/tparser.org/unblock
   ipset=/tparser.me/unblock
   ipset=/rustorka.com/unblock
   ipset=/uniongang.tv/unblock
   ipset=/fast-torrent.ru/unblock

9. Spoiler: Script for manual forced system update after editing the list of domains (unblock_update.sh)

   Create a new file with the command

   nano /jffs/scripts/unblock_update.sh

   Insert the following into it

   #!/bin/sh
   ipset --flush unblock
   
   /jffs/scripts/unblock_dnsmasq.sh
   service restart_dnsmasq
   sleep 3
   /jffs/scripts/unblock_ipset.sh &

   Save the file and give rights to execute

   chmod +x /jffs/scripts/unblock_update.sh

   After editing your unblock.txt file, you simply run this script to apply the new configuration without need to restart the router.
10. Spoiler: Script for automatic filling of the unblock set when the router boots (S99unblock)

    Create a new file with the command

    nano /opt/etc/init.d/S99unblock

    Insert the following into it

    [ "$1" != "start" ] && exit 0
    
    /jffs/scripts/init_ipset.sh
    /jffs/scripts/unblock_ipset.sh
    service restart_firewall

    save the file and give rights to execute

    chmod +x /opt/etc/init.d/S99unblock

11. Spoiler: Connecting an additional config file to dnsmasq

    We need to connect the created unblock.dnsmasq file to dnsmasq. To do this, open the file in the editor

    nano /jffs/configs/dnsmasq.conf.add

    Add at the end:

    conf-file=/tmp/mnt/microsd/dnsmasq/unblock.dnsmasq

    If you want (this is optional), you can add an additional server for resolving and reliability:

    server=8.8.8.8

    
    
    Spoiler: old problem, now solved

    I have a ton of spam in log like

    Dec 8 23:17:11 dnsmasq[30532]: failed to update ipset unblock: File exists
    Dec 8 23:17:11 dnsmasq[30532]: failed to update ipset unblock: File exists
    Dec 8 23:17:11 dnsmasq[30532]: failed to update ipset unblock: File exists
    Dec 8 23:17:11 dnsmasq[30532]: failed to update ipset unblock: File exists
    Dec 8 23:17:11 dnsmasq[30532]: failed to update ipset unblock: File exists
    Dec 8 23:17:11 dnsmasq[30532]: failed to update ipset unblock: File exists
    Dec 8 23:17:12 dnsmasq[30532]: failed to update ipset unblock: File exists
    Dec 8 23:17:12 dnsmasq[30532]: failed to update ipset unblock: File exists

    I guess I need to check if IP is already in IP_SET before adding it there, so my question is how to modify the script propertly? And any other suggestions are welcomed as well.

UPD: script updated, no more spam.

 

[ColinTaylor]

I don't have the same setup as you so I can't confirm this but I don't see why you are putting those two commands in /jffs/scripts/post-mount.

If the idea is that they need to run after the USB drive is mounted (because Entware is required) then they should be in /opt/etc/init.d/S99unblock. (I'm assuming Entware is installed on /tmp/mnt/microsd)

Also, you shouldn't really be running nat-start directly but using service restart_firewall instead.

 

[MON@H Rasta]

@ColinTaylor, I need to add this to iptable on router startup:

#!/bin/sh
iptables -t nat -A PREROUTING -i br0 -p tcp -m set --set unblock dst -j REDIRECT --to-port 9141

File name was chosen according to this. I don't really understand how it related to service restart_firewall

And yes, post-mount was chosen to be sure that MicroSD is mounted (again, according to this).
How running init.d can guarantee that MicroSD is mounted?

 

[ColinTaylor]

@ColinTaylor, I need to add this to iptable on router startup:

#!/bin/sh
iptables -t nat -A PREROUTING -i br0 -p tcp -m set --set unblock dst -j REDIRECT --to-port 9141

File name was chosen according to this. I don't really understand how it related to service restart_firewall

Those scripts are designed to run when certain events occur on the router, e.g. the WAN interface comes up. They are not intended to be run directly. If you need to make changes to the firewall then you should run service restart_firewall which (among other things) will call nat-start in the correct manner.

And yes, post-mount was chosen to be sure that MicroSD is mounted (again, according to this).
How running init.d can guarantee that MicroSD is mounted?

When you installed Entware it would have made all the necessary changes to the startup scripts. /opt/etc/init.d/ is the Entware startup directory and resides on the USB drive (/opt is a symbolic link) therefore for that directory to exist it must have already been mounted. Startup scripts that use Entware functions (like dig) should be run from /opt/etc/init.d/ to guarantee those functions are available.

This is assuming that you have a single USB partition (/tmp/mnt/microsd) that contains Entware and your unblock.txt file. If you have files spread across multiple partitions things become much more complicated because you cannot guarantee the order in which they are mounted.

 

[MON@H Rasta]

@ColinTaylor, got it, thanks. Modified tutorial according to this.

Now only question of proper usage of IP_SET to avoid spam remains. I have modified first part of script to check if IP is in IP_SET before adding it, but not sure how to add this check to second part of the script

if [ ! -z "$addr" ]; then
  if [ ! ipset -T unblock $addr ]; then
    ipset -q --add unblock $addr
    continue
  fi
fi

dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("ipset -q --add unblock "$1)}'

Spoiler: ipset --help

RT-N66U:/jffs/scripts# ipset --help
ipset v4.5

Usage: ipset -N new-set settype [options]
       ipset -[XFLSH] [set] [options]
       ipset -[EW] from-set to-set
       ipset -[ADT] set IP
       ipset -R
       ipset -v
       ipset -h (print this help information)

Commands:
Either long or short options are allowed.
  --create  -N setname settype <options>
                    Create a new set
  --destroy -X [setname]
                    Destroy a set or all sets
  --flush   -F [setname]
                    Flush a set or all sets
  --rename  -E from-set to-set
                    Rename from-set to to-set
  --swap    -W from-set to-set
                    Swap the content of two existing sets
  --list    -L [setname] [options]
                    List the IPs in a set or all sets
  --save    -S [setname]
                    Save the set or all sets to stdout
  --restore -R [option]
                    Restores a saved state
  --add     -A setname IP
                    Add an IP to a set
  --del     -D setname IP
                    Deletes an IP from a set
  --test    -T setname IP
                    Tests if an IP exists in a set.
  --help    -H [settype]
                    Prints this help, and settype specific help
  --version -V
                    Prints version information

Options:
  --sorted     -s   Numeric sort of the IPs in -L
  --numeric    -n   Numeric output of addresses in a -L (default)
  --resolve    -r   Try to resolve addresses in a -L
  --quiet      -q   Suppress any output to stdout and stderr.

 

[ColinTaylor]

Might I suggest that you change service restart_dhcpd to service restart_dnsmasq as your objective is to restart the DNS server not change the state of the DHCP server (even though in reality they are the same process).

 

[dave14305]

I would also look into piping ipset add statements into a | awk '!x[$0]++' | ipset restore statement like Adamm does throughout Skynet. The awk eliminates duplicates. Not a full solution here, but a hint on how to get ideas from others' scripts.

 

[john9527]

I think the dnsmasq logs may be because you are trying to add the FQDN entries twice....once in the ipset script with the dig statement and then again with dnsmasq ipset=. Just use the dnsmasq setup.

 

[MON@H Rasta]

@ColinTaylor, fixed, thanks.
@dave14305, you mean this one (github)?
@john9527, the issue is that in original manual author is using

ipset -exist add unblock

but ipset v4.5 doesn't support -exists, so I need to add a check if IP exists before adding it.

Something like this, I guess

if [ ! -z "$addr" ]; then
  if [ ! ipset -T unblock $addr ]; then
    ipset -q --add unblock $addr
    continue
  fi
fi

dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("if [ ! ipset --test unblock " $1 " ]; then ipset -q --add unblock " $1 "; fi")}'

But I get [: --test: unknown operand

 

[MON@H Rasta]

I know this is old, but in case someone ever wonder, the solution was simple, no more spam in log

#!/bin/sh

until ADDRS=$(dig +short google.com @localhost) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done

while read line || [ -n "$line" ]; do

  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue

  addr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')

  if [ ! -z "$addr" ]; then
    if ipset --test unblock $addr | grep NOT; then
      ipset -q --add unblock $addr
      continue
    fi
  fi
 
  dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("if ipset --test unblock " $1 " | grep NOT; then ipset -q --add unblock " $1 "; fi")}'

done < /tmp/mnt/microsd/dnsmasq/unblock.txt

 

[sbsnb]

How many ISPs are actually blocking sites versus tinkering with DNS? It seems like at ISP scales it would be resource intensive to actually block packets destined for certain domains as you'd have to intercept the SSL/TLS handshake to grab the hostname and compare it to a list of banned domains.

 

[MON@H Rasta]

Well, IDK about your question, but I'm from Ukraine and we have a list of domains that ISPs must block because of government decision. In Russia there is even a federal executive agency called Roskomnadzor that forces ISPs to block sites. So for those who have similar problem or just want certain sites to be opened using TOR network for any other reason without need to install and configure TOR on client this tutorial may be useful.

 

[MON@H Rasta]

Decided to check once again and there are still those errors! Man how is that possible? I just have no idea!

I just added logger into it to see what happens and now I'm totally confused!

dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("logger " $1 " && if ipset --test unblock " $1 " | grep NOT; then ipset -q --add unblock " $1 "; fi")}'

I executed the script several times without any changes made and this what I got in log:

Spoiler: log

Jul 21 09:50:40 admin: unblock_ipset.sh: start
Jul 21 09:50:40 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:40 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:40 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:40 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:40 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:40 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:40 admin: 93.186.225.208
Jul 21 09:50:40 admin: 87.240.137.158
Jul 21 09:50:40 admin: 87.240.190.72
Jul 21 09:50:40 admin: 87.240.190.78
Jul 21 09:50:40 admin: 87.240.190.67
Jul 21 09:50:40 admin: 87.240.139.194
Jul 21 09:50:40 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:40 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 admin: 80.239.201.101
Jul 21 09:50:41 admin: 149.5.244.233
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 admin: 87.250.250.242
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 admin: 87.250.250.50
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 admin: 94.100.180.201
Jul 21 09:50:41 admin: 3.120.25.179
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 admin: 217.20.147.1
Jul 21 09:50:41 admin: 217.20.155.13
Jul 21 09:50:41 admin: 5.61.23.11
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:41 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:50:42 admin: 45.60.34.164
Jul 21 09:50:42 admin: 45.60.40.164
Jul 21 09:50:42 admin: 116.202.120.181
Jul 21 09:50:42 admin: unblock_ipset.sh: finish
Jul 21 09:51:33 admin: unblock_ipset.sh: start
Jul 21 09:51:33 admin: 87.240.139.194
Jul 21 09:51:34 admin: 87.240.190.67
Jul 21 09:51:34 admin: 87.240.190.78
Jul 21 09:51:34 admin: 87.240.190.72
Jul 21 09:51:34 admin: 87.240.137.158
Jul 21 09:51:34 admin: 93.186.225.208
Jul 21 09:51:34 admin: 149.5.244.233
Jul 21 09:51:34 admin: 80.239.201.101
Jul 21 09:51:34 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:51:34 admin: 87.250.250.242
Jul 21 09:51:34 admin: 87.250.250.50
Jul 21 09:51:34 admin: 3.120.25.179
Jul 21 09:51:34 admin: 94.100.180.201
Jul 21 09:51:34 admin: 5.61.23.11
Jul 21 09:51:34 admin: 217.20.155.13
Jul 21 09:51:34 admin: 217.20.147.1
Jul 21 09:51:34 admin: 45.60.40.164
Jul 21 09:51:34 admin: 45.60.34.164
Jul 21 09:51:35 admin: 116.202.120.181
Jul 21 09:51:35 admin: unblock_ipset.sh: finish
Jul 21 09:53:57 admin: unblock_ipset.sh: start
Jul 21 09:53:57 admin: 93.186.225.208
Jul 21 09:53:57 admin: 87.240.139.194
Jul 21 09:53:57 admin: 87.240.190.67
Jul 21 09:53:57 admin: 87.240.190.78
Jul 21 09:53:57 admin: 87.240.190.72
Jul 21 09:53:57 admin: 87.240.137.158
Jul 21 09:53:57 admin: 80.239.201.101
Jul 21 09:53:57 admin: 149.5.244.233
Jul 21 09:53:58 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:53:58 admin: 87.250.250.242
Jul 21 09:53:58 admin: 87.250.250.50
Jul 21 09:53:58 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:53:58 dnsmasq[1297]: failed to update ipset unblock: File exists
Jul 21 09:53:58 admin: 3.120.25.179
Jul 21 09:53:58 admin: 94.100.180.201
Jul 21 09:53:58 admin: 217.20.147.1
Jul 21 09:53:58 admin: 5.61.23.11
Jul 21 09:53:58 admin: 217.20.155.13
Jul 21 09:53:58 admin: 45.60.34.164
Jul 21 09:53:58 admin: 45.60.40.164
Jul 21 09:53:58 admin: 116.202.120.181
Jul 21 09:53:58 admin: unblock_ipset.sh: finish

so I added more logger like this:

logger "1"
  dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("logger " $1 " && if ipset --test unblock " $1 " | grep NOT; then logger adding " $1 " && ipset -q --add unblock " $1 "; fi")}'
logger "2"

Then I executed

ipset --flush

And then I executed script several times

Spoiler: Log

Jul 21 10:22:46 admin: unblock_ipset.sh: start
Jul 21 10:22:46 admin: 1
Jul 21 10:22:46 admin: 87.240.190.72
Jul 21 10:22:46 admin: 87.240.190.67
Jul 21 10:22:46 admin: 87.240.139.194
Jul 21 10:22:46 admin: 87.240.137.158
Jul 21 10:22:46 admin: 93.186.225.208
Jul 21 10:22:46 admin: 87.240.190.78
Jul 21 10:22:46 admin: 2
Jul 21 10:22:46 admin: 1
Jul 21 10:22:47 admin: 149.5.244.203
Jul 21 10:22:47 admin: 80.239.201.100
Jul 21 10:22:47 admin: 2
Jul 21 10:22:47 admin: 1
Jul 21 10:22:47 admin: 87.250.250.242
Jul 21 10:22:47 admin: 2
Jul 21 10:22:47 admin: 1
Jul 21 10:22:47 admin: 87.250.250.50
Jul 21 10:22:47 admin: adding 87.250.250.50
Jul 21 10:22:47 admin: 2
Jul 21 10:22:47 admin: 1
Jul 21 10:22:47 admin: 94.100.180.201
Jul 21 10:22:47 admin: 3.120.25.179
Jul 21 10:22:47 admin: 2
Jul 21 10:22:47 admin: 1
Jul 21 10:22:47 admin: 5.61.23.11
Jul 21 10:22:47 admin: adding 5.61.23.11
Jul 21 10:22:47 admin: 217.20.147.1
Jul 21 10:22:47 admin: adding 217.20.147.1
Jul 21 10:22:47 admin: 217.20.155.13
Jul 21 10:22:47 admin: adding 217.20.155.13
Jul 21 10:22:47 admin: 2
Jul 21 10:22:47 admin: 1
Jul 21 10:22:47 admin: 45.60.40.164
Jul 21 10:22:47 admin: adding 45.60.40.164
Jul 21 10:22:47 admin: 45.60.34.164
Jul 21 10:22:47 admin: adding 45.60.34.164
Jul 21 10:22:47 admin: 2
Jul 21 10:22:48 admin: 1
Jul 21 10:22:48 admin: 116.202.120.181
Jul 21 10:22:48 admin: adding 116.202.120.181
Jul 21 10:22:48 admin: 2
Jul 21 10:22:48 admin: unblock_ipset.sh: finish
Jul 21 10:22:49 admin: unblock_ipset.sh: start
Jul 21 10:22:49 admin: 1
Jul 21 10:22:50 admin: 87.240.190.78
Jul 21 10:22:50 admin: 93.186.225.208
Jul 21 10:22:50 admin: 87.240.137.158
Jul 21 10:22:50 admin: 87.240.139.194
Jul 21 10:22:50 admin: 87.240.190.67
Jul 21 10:22:50 admin: 87.240.190.72
Jul 21 10:22:50 admin: 2
Jul 21 10:22:50 admin: 1
Jul 21 10:22:50 admin: 80.239.201.100
Jul 21 10:22:50 admin: 149.5.244.203
Jul 21 10:22:50 admin: 2
Jul 21 10:22:50 admin: 1
Jul 21 10:22:50 admin: 87.250.250.242
Jul 21 10:22:50 admin: 2
Jul 21 10:22:50 admin: 1
Jul 21 10:22:50 admin: 87.250.250.50
Jul 21 10:22:50 admin: 2
Jul 21 10:22:50 admin: 1
Jul 21 10:22:50 admin: 3.120.25.179
Jul 21 10:22:50 admin: 94.100.180.201
Jul 21 10:22:50 admin: 2
Jul 21 10:22:50 admin: 1
Jul 21 10:22:50 admin: 217.20.155.13
Jul 21 10:22:51 admin: 5.61.23.11
Jul 21 10:22:51 admin: 217.20.147.1
Jul 21 10:22:51 admin: 2
Jul 21 10:22:51 admin: 1
Jul 21 10:22:51 admin: 45.60.34.164
Jul 21 10:22:51 admin: 45.60.40.164
Jul 21 10:22:51 admin: 2
Jul 21 10:22:51 admin: 1
Jul 21 10:22:51 admin: 116.202.120.181
Jul 21 10:22:51 admin: 2
Jul 21 10:22:51 admin: unblock_ipset.sh: finish
Jul 21 10:22:53 admin: unblock_ipset.sh: start
Jul 21 10:22:53 admin: 1
Jul 21 10:22:53 admin: 87.240.190.72
Jul 21 10:22:54 admin: 87.240.190.78
Jul 21 10:22:54 admin: 93.186.225.208
Jul 21 10:22:54 admin: 87.240.137.158
Jul 21 10:22:54 admin: 87.240.139.194
Jul 21 10:22:54 admin: 87.240.190.67
Jul 21 10:22:54 admin: 2
Jul 21 10:22:54 admin: 1
Jul 21 10:22:54 admin: 149.5.244.203
Jul 21 10:22:54 admin: 80.239.201.100
Jul 21 10:22:54 admin: 2
Jul 21 10:22:54 admin: 1
Jul 21 10:22:54 admin: 87.250.250.242
Jul 21 10:22:54 admin: 2
Jul 21 10:22:54 admin: 1
Jul 21 10:22:54 admin: 87.250.250.50
Jul 21 10:22:54 admin: 2
Jul 21 10:22:54 admin: 1
Jul 21 10:22:54 admin: 94.100.180.201
Jul 21 10:22:54 admin: 3.120.25.179
Jul 21 10:22:54 admin: 2
Jul 21 10:22:54 admin: 1
Jul 21 10:22:54 admin: 217.20.147.1
Jul 21 10:22:54 admin: 217.20.155.13
Jul 21 10:22:54 admin: 5.61.23.11
Jul 21 10:22:54 admin: 2
Jul 21 10:22:54 admin: 1
Jul 21 10:22:54 admin: 45.60.40.164
Jul 21 10:22:54 admin: 45.60.34.164
Jul 21 10:22:55 admin: 2
Jul 21 10:22:55 admin: 1
Jul 21 10:22:55 admin: 116.202.120.181
Jul 21 10:22:55 admin: 2
Jul 21 10:22:55 admin: unblock_ipset.sh: finish

What was that error? Why it's gone after ipset --flush? Does anyone have any idea what is going on?
It's not a bit deal, all works like expected since I configurated this years ago, just was trying to clearify log and understand what a hell is this error

 

[sbsnb]

Well, IDK about your question, but I'm from Ukraine and we have a list of domains that ISPs must block because of government decision. In Russia there is even a federal executive agency called Roskomnadzor that forces ISPs to block sites. So for those who have similar problem or just want certain sites to be opened using TOR network for any other reason without need to install and configure TOR on client this tutorial may be useful.

What I mean is that usually "blocking" is done at the DNS level. All that's needed to bypass the block is to use a different DNS server.

 

[Vas99]

The script above works great for clients in LAN, however if you connect to the router via VPN (build-in OpenVPN) the script does not work. I guess there should be another "iptables -t nat..." in nat-start script to forward requests from VPN clients. Could you please update the script to enable VPN clients to use tor.