From 680d7fbdc71aedd912d0550d89ffc1c7b2643562 Mon Sep 17 00:00:00 2001
From: CodeRoK7 <58553260+CodeRoK7@users.noreply.github.com>
Date: Tue, 16 Sep 2025 07:29:01 +0000
Subject: [PATCH] Step one by Add Zapret
---
config_files/50-discord-media | 36 ++++++++++++
config_files/50-stun4all | 31 ++++++++++
config_files/50-wg4all | 32 +++++++++++
config_files/zapret | 57 +++++++++++++++++++
config_files/zapret-hosts-user.txt | 1 +
universal_config_new_podkop.sh | 90 ++++++++++++++++++------------
6 files changed, 212 insertions(+), 35 deletions(-)
create mode 100644 config_files/50-discord-media
create mode 100644 config_files/50-stun4all
create mode 100644 config_files/50-wg4all
create mode 100644 config_files/zapret
create mode 100644 config_files/zapret-hosts-user.txt
diff --git a/config_files/50-discord-media b/config_files/50-discord-media
new file mode 100644
index 0000000..37d16e9
--- /dev/null
+++ b/config_files/50-discord-media
@@ -0,0 +1,36 @@
+# this custom script runs desync to all discord media packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---dpi-desync=fake --dpi-desync-repeats=2}"
+DISCORD_MEDIA_PORT_RANGE="${DISCORD_MEDIA_PORT_RANGE:-50000-50099}"
+
+alloc_dnum DNUM_DISCORD_MEDIA
+alloc_qnum QNUM_DISCORD_MEDIA
+
+zapret_custom_daemons()
+{
+ # $1 - 1 - add, 0 - stop
+
+ local opt="--qnum=$QNUM_DISCORD_MEDIA $NFQWS_OPT_DESYNC_DISCORD_MEDIA"
+ do_nfqws $1 $DNUM_DISCORD_MEDIA "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+ # $1 - 1 - run, 0 - stop
+
+ local DISABLE_IPV6=1
+ local port_range=$(replace_char - : $DISCORD_MEDIA_PORT_RANGE)
+ local f="-p udp --dport $port_range -m u32 --u32"
+ # this is simplified test to skip writing monstrous rule. instead of checking 64 bytes for zeroes only check 2 dwords for zero
+ fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x52&&0>>22&0x3C@8=0x00010046&&0>>22&0x3C@16=0&&0>>22&0x3C@76=0" '' $QNUM_DISCORD_MEDIA
+}
+zapret_custom_firewall_nft()
+{
+ # stop logic is not required
+
+ local DISABLE_IPV6=1
+ local f="udp dport $DISCORD_MEDIA_PORT_RANGE udp length == 82 @ih,0,32 0x00010046 @ih,64,128 0x00000000000000000000000000000000 @ih,192,128 0x00000000000000000000000000000000 @ih,320,128 0x00000000000000000000000000000000 @ih,448,128 0x00000000000000000000000000000000"
+ nft_fw_nfqws_post "$f" '' $QNUM_DISCORD_MEDIA
+}
diff --git a/config_files/50-stun4all b/config_files/50-stun4all
new file mode 100644
index 0000000..6e5a35c
--- /dev/null
+++ b/config_files/50-stun4all
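Review bot: In config_files/50-discord-media the comment above `zapret_custom_firewall()` (`# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000`) does not describe the rules in this file, which match UDP length 82 (`=0x52`, `udp length == 82`) and a payload starting with `0x00010046`; it looks carried over from the WireGuard script. Replace it with `# size = 82 (8 udp header + 74 payload) && payload starts with 0x00010046, then zero bytes`. The same stale comment sits above `zapret_custom_firewall()` in config_files/50-stun4all, where the filters instead test for length >= 28 and the value `0x2112A442`. A wrong description next to raw u32/@ih matches makes it harder to audit which traffic is diverted to the queue.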
@@ -0,0 +1,31 @@
+# this custom script runs desync to all stun packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---dpi-desync=fake --dpi-desync-repeats=2}"
+
+alloc_dnum DNUM_STUN4ALL
+alloc_qnum QNUM_STUN4ALL
+
+zapret_custom_daemons()
+{
+ # $1 - 1 - add, 0 - stop
+
+ local opt="--qnum=$QNUM_STUN4ALL $NFQWS_OPT_DESYNC_STUN"
+ do_nfqws $1 $DNUM_STUN4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+ # $1 - 1 - run, 0 - stop
+
+ local f='-p udp -m u32 --u32'
+ fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=28:65535&&0>>22&0x3C@12=0x2112A442&&0>>22&0x3C@8&0xC0000003=0" "$f 44>>16=28:65535&&52=0x2112A442&&48&0xC0000003=0" $QNUM_STUN4ALL
+}
+zapret_custom_firewall_nft()
+{
+ # stop logic is not required
+
+ local f="udp length >= 28 @ih,32,32 0x2112A442 @ih,0,2 0 @ih,30,2 0"
+ nft_fw_nfqws_post "$f" "$f" $QNUM_STUN4ALL
+}
diff --git a/config_files/50-wg4all b/config_files/50-wg4all
new file mode 100644
index 0000000..c725eb3
--- /dev/null
+++ b/config_files/50-wg4all
@@ -0,0 +1,32 @@
+# this custom script runs desync to all wireguard handshake initiation packets
+# NOTE: this works for original wireguard and may not work for 3rd party implementations such as xray
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake --dpi-desync-repeats=2}"
+
+alloc_dnum DNUM_WG4ALL
+alloc_qnum QNUM_WG4ALL
+
+zapret_custom_daemons()
+{
+ # $1 - 1 - add, 0 - stop
+
+ local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
+ do_nfqws $1 $DNUM_WG4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+ # $1 - 1 - run, 0 - stop
+
+ local f='-p udp -m u32 --u32'
+ fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
+}
+zapret_custom_firewall_nft()
+{
+ # stop logic is not required
+
+ local f="udp length 156 @ih,0,32 0x01000000"
+ nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+}
diff --git a/config_files/zapret b/config_files/zapret
new file mode 100644
index 0000000..7fa3e0f
--- /dev/null
+++ b/config_files/zapret
@@ -0,0 +1,57 @@
+
+config main 'config'
+ option run_on_boot '1'
+ option FWTYPE 'nftables'
+ option POSTNAT '1'
+ option FLOWOFFLOAD 'none'
+ option INIT_APPLY_FW '1'
+ option DISABLE_IPV4 '0'
+ option DISABLE_IPV6 '1'
+ option FILTER_TTL_EXPIRED_ICMP '1'
+ option MODE_FILTER 'hostlist'
+ option DISABLE_CUSTOM '0'
+ option WS_USER 'daemon'
+ option DAEMON_LOG_ENABLE '0'
+ option DAEMON_LOG_FILE '/tmp/zapret+++.log'
+ option AUTOHOSTLIST_RETRANS_THRESHOLD '3'
+ option AUTOHOSTLIST_FAIL_THRESHOLD '3'
+ option AUTOHOSTLIST_FAIL_TIME '60'
+ option AUTOHOSTLIST_DEBUGLOG '0'
+ option NFQWS_ENABLE '1'
+ option DESYNC_MARK '0x40000000'
+ option DESYNC_MARK_POSTNAT '0x20000000'
+ option NFQWS_PORTS_TCP '80,443'
+ option NFQWS_PORTS_UDP '443'
+ option NFQWS_TCP_PKT_OUT '9'
+ option NFQWS_TCP_PKT_IN '3'
+ option NFQWS_UDP_PKT_OUT '9'
+ option NFQWS_UDP_PKT_IN '0'
+ option NFQWS_PORTS_TCP_KEEPALIVE '0'
+ option NFQWS_PORTS_UDP_KEEPALIVE '0'
+ option NFQWS_OPT '
+--filter-tcp=80
+--dpi-desync=fake,fakedsplit
+--dpi-desync-autottl=2
+--dpi-desync-fooling=badsum
+--new
+--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-google.txt
+--dpi-desync=fake,multidisorder
+--dpi-desync-split-pos=1,midsld
+--dpi-desync-repeats=11
+--dpi-desync-fooling=badsum
+--dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com
+--new
+--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-google.txt
+--dpi-desync=fake
+--dpi-desync-repeats=11
+--dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin
+--new
+--filter-udp=443
+--dpi-desync=fake
+--dpi-desync-repeats=11
+--new
+--filter-tcp=443
+--dpi-desync=multidisorder
+--dpi-desync-split-pos=1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1
+'
+
diff --git a/config_files/zapret-hosts-user.txt b/config_files/zapret-hosts-user.txt
new file mode 100644
index 0000000..75a1a0b
--- /dev/null
+++ b/config_files/zapret-hosts-user.txt
@@ -0,0 +1 @@
+test.com
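Review bot: In config_files/zapret, `MODE_FILTER` is `'hostlist'`, but only the second and third profiles in `NFQWS_OPT` carry a `--hostlist=`; the `--filter-tcp=80` profile and the last two (`--filter-udp=443`, `--filter-tcp=443`) have no host restriction, so as written the packet manipulation presumably applies to every connection on those ports. If the catch-all is not intended, scope those profiles with zapret's `<HOSTLIST>` placeholder or an explicit `--hostlist=`; if it is intended, say so in a comment so the blast radius is clear to whoever maintains the router. Nothing in this config references `zapret-hosts-user.txt`, so the `test.com` entry added in the next file looks unused, and `test.com` is not one of the reserved example names. `DAEMON_LOG_FILE` is a fixed name under `/tmp`; it is inert while `DAEMON_LOG_ENABLE` is `'0'` but should be revisited before logging is switched on.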
diff --git a/universal_config_new_podkop.sh b/universal_config_new_podkop.sh index 40056ea..97e0d2b 100644 --- a/universal_config_new_podkop.sh +++ b/universal_config_new_podkop.sh @@ -491,7 +491,7 @@ checkPackageAndInstall "curl" "1" checkPackageAndInstall "unzip" "1" #checkPackageAndInstall "sing-box" "1" checkPackageAndInstall "opera-proxy" "1" -checkPackageAndInstall "youtubeUnblock" "1" +checkPackageAndInstall "zapret" "1" ########### manage_package "podkop" "enable" "stop" @@ -533,9 +533,9 @@ if [ -z "$INSTALLED_VERSION" ]; then fi ########### -opkg upgrade youtubeUnblock -opkg upgrade luci-app-youtubeUnblock -manage_package "youtubeUnblock" "enable" "start" +opkg upgrade zapret +opkg upgrade luci-app-zapret +manage_package "zapret" "enable" "start" #проверяем установлени ли пакет dnsmasq-full if opkg list-installed | grep -q dnsmasq-full; then @@ -553,11 +553,11 @@ uci set dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d' uci commit dhcp DIR="/etc/config" -DIR_BACKUP="/root/backup3" +DIR_BACKUP="/root/backup4" config_files="network firewall doh-proxy -youtubeUnblock +zapret dhcp dns-failsafe-proxy" URL="https://raw.githubusercontent.com/routerich/RouterichAX3000_configs/refs/heads/beta_zapret" 
@@ -654,34 +654,29 @@ then uci commit firewall fi -printf "\033[32;1mCheck work youtubeUnblock..\033[0m\n" +printf "\033[32;1mCheck work zapret.\033[0m\n" #install_youtubeunblock_packages -opkg upgrade youtubeUnblock -opkg upgrade luci-app-youtubeUnblock -manage_package "youtubeUnblock" "enable" "start" -wget -O "/etc/config/youtubeUnblock" "$URL/config_files/youtubeUnblockSecond" +opkg upgrade zapret +opkg upgrade luci-app-zapret +manage_package "zapret" "enable" "start" +wget -O "/etc/config/zapret" "$URL/config_files/zapret" manage_package "podkop" "enable" "stop" -service youtubeUnblock restart +service zapret restart -isWorkYoutubeUnBlock=0 +isWorkZapret=0 curl -f -o /dev/null -k --connect-to ::google.com -L -H "Host: mirror.gcr.io" --max-time 120 https://test.googlevideo.com/v2/cimg/android/blobs/sha256:2ab09b027e7f3a0c2e8bb1944ac46de38cebab7145f0bd6effebfe5492c818b6 # Проверяем код выхода if [ $? -eq 0 ]; then - printf "\033[32;1myoutubeUnblock well work...\033[0m\n" - cronTask="0 4 * * * service youtubeUnblock restart" - str=$(grep -i "0 4 \* \* \* service youtubeUnblock restart" /etc/crontabs/root) + printf "\033[32;1mzapret well work...\033[0m\n" + cronTask="0 4 * * * service zapret restart" + str=$(grep -i "0 4 \* \* \* service zapret restart" /etc/crontabs/root) if [ -z "$str" ] then - echo "Add cron task auto reboot service youtubeUnblock..." + echo "Add cron task auto reboot service zapret..." echo "$cronTask" >> /etc/crontabs/root fi - isWorkYoutubeUnBlock=1 -else - manage_package "youtubeUnblock" "disable" "stop" - printf "\033[32;1myoutubeUnblock not work...\033[0m\n" - isWorkYoutubeUnBlock=0 str=$(grep -i "0 4 \* \* \* service youtubeUnblock restart" /etc/crontabs/root) if [ ! -z "$str" ] then 
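Review bot: `wget -O "/etc/config/zapret" "$URL/config_files/zapret"` writes straight over the live config and its exit status is ignored, so a failed or truncated transfer leaves an empty or partial `/etc/config/zapret` right before `service zapret restart`, and the connectivity probe that follows then tests a broken setup. Download to a temporary file and move it into place only on success, e.g. `tmpCfg=$(mktemp) && wget -O "$tmpCfg" "$URL/config_files/zapret" && mv -f "$tmpCfg" /etc/config/zapret`. The same unchecked in-place pattern is repeated for the four downloads in the `1)` arm of the `case $varByPass` hunk. The `if` opened in this hunk is closed in the next one.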
@@ -689,6 +684,25 @@ else cp -f "/etc/crontabs/temp" "/etc/crontabs/root" rm -f "/etc/crontabs/temp" fi + isWorkZapret=1 +else + manage_package "zapret" "disable" "stop" + printf "\033[32;1mzapret not work...\033[0m\n" + isWorkZapret=0 + str=$(grep -i "0 4 \* \* \* service youtubeUnblock restart" /etc/crontabs/root) + if [ ! -z "$str" ] + then + grep -v "0 4 \* \* \* service youtubeUnblock restart" /etc/crontabs/root > /etc/crontabs/temp + cp -f "/etc/crontabs/temp" "/etc/crontabs/root" + rm -f "/etc/crontabs/temp" + fi + str=$(grep -i "0 4 \* \* \* service zapret restart" /etc/crontabs/root) + if [ ! -z "$str" ] + then + grep -v "0 4 \* \* \* service zapret restart" /etc/crontabs/root > /etc/crontabs/temp + cp -f "/etc/crontabs/temp" "/etc/crontabs/root" + rm -f "/etc/crontabs/temp" + fi fi isWorkOperaProxy=0 
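Review bot: The added `else` branch repeats the same three-step removal (`grep -v … > /etc/crontabs/temp`, `cp -f`, `rm -f`) once per service name and stages the result in a fixed file inside `/etc/crontabs`, next to the crontab it is editing. Both entries can be dropped in place with `sed -i -e '/0 4 \* \* \* service youtubeUnblock restart/d' -e '/0 4 \* \* \* service zapret restart/d' /etc/crontabs/root`, which also makes the `str=$(grep …)` pre-checks unnecessary. The failure message `zapret not work...` is printed with `\033[32;1m`, the same green used for the success message, so a failed check is easy to miss in the output. The `if`/`else` this hunk completes begins in the previous hunk.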
@@ -925,30 +939,30 @@ else isWorkWARP=0 fi -echo "isWorkYoutubeUnBlock = $isWorkYoutubeUnBlock, isWorkOperaProxy = $isWorkOperaProxy, isWorkWARP = $isWorkWARP" +echo "isWorkZapret = $isWorkZapret, isWorkOperaProxy = $isWorkOperaProxy, isWorkWARP = $isWorkWARP" -if [ "$isWorkYoutubeUnBlock" = "1" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "1" ] +if [ "$isWorkZapret" = "1" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "1" ] then varByPass=1 -elif [ "$isWorkYoutubeUnBlock" = "0" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "1" ] +elif [ "$isWorkZapret" = "0" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "1" ] then varByPass=2 -elif [ "$isWorkYoutubeUnBlock" = "1" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "0" ] +elif [ "$isWorkZapret" = "1" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "0" ] then varByPass=3 -elif [ "$isWorkYoutubeUnBlock" = "0" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "0" ] +elif [ "$isWorkZapret" = "0" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "0" ] then varByPass=4 -elif [ "$isWorkYoutubeUnBlock" = "1" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "0" ] +elif [ "$isWorkZapret" = "1" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "0" ] then varByPass=5 -elif [ "$isWorkYoutubeUnBlock" = "0" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "1" ] +elif [ "$isWorkZapret" = "0" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "1" ] then varByPass=6 -elif [ "$isWorkYoutubeUnBlock" = "1" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "1" ] +elif [ "$isWorkZapret" = "1" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "1" ] then varByPass=7 -elif [ "$isWorkYoutubeUnBlock" = "0" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "0" ] +elif [ "$isWorkZapret" = "0" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "0" ] then varByPass=8 fi 
@@ -966,12 +980,18 @@ messageComplete="" case $varByPass in 1) nameFileReplacePodkop="podkopNewNoYoutube" - printf "\033[32;1mStop and disabled service 'ruantiblock'...\033[0m\n" + printf "\033[32;1mStop and disabled service 'ruantiblock' and 'youtubeUnblock'...\033[0m\n" manage_package "ruantiblock" "disable" "stop" - wget -O "/etc/config/youtubeUnblock" "$URL/config_files/youtubeUnblockSecond" - service youtubeUnblock restart + manage_package "youtubeUnblock" "disable" "stop" + wget -O "/etc/config/zapret" "$URL/config_files/zapret" + wget -O "/opt/zapret/ipset/zapret-hosts-user.txt" "$URL/config_files/zapret-hosts-user.txt" + wget -O "/opt/zapret/init.d/openwrt/custom.d/50-stun4all" "$URL/config_files/50-stun4all" + wget -O "/opt/zapret/init.d/openwrt/custom.d/50-wg4all" "$URL/config_files/50-wg4all" + chmod +x "/opt/zapret/init.d/openwrt/custom.d/50-stun4all" + chmod +x "/opt/zapret/init.d/openwrt/custom.d/50-wg4all" + service zapret restart deleteByPassGeoBlockComssDNS - messageComplete="ByPass block for Method 1: AWG WARP + youtubeunblock + Opera Proxy...Configured completed..." + messageComplete="ByPass block for Method 1: AWG WARP + zapret + Opera Proxy...Configured completed..." ;; 2) nameFileReplacePodkop="podkopNew"
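Review bot: The two files written to `/opt/zapret/init.d/openwrt/custom.d/` in the `1)` arm are marked executable and presumably loaded by the zapret init script on `service zapret restart`, yet they are fetched from `$URL`, which the context of an earlier hunk shows is a branch ref (`refs/heads/beta_zapret`) whose content can change after this commit. Whatever is on that branch at install time therefore ends up running on the router, most likely as root, with no integrity check in between. Pin `$URL` to a commit hash and verify each script against a known digest before installing it, as sketched below; the digest strings are placeholders to be filled in from the pinned commit. `config_files/50-discord-media` is added by this commit but is not installed here, which may or may not be deliberate. The `case` statement continues outside the hunk.

```shell
	# … unchanged: manage_package calls, downloads of /etc/config/zapret and zapret-hosts-user.txt …
	customDir="/opt/zapret/init.d/openwrt/custom.d"
	# "<name>:<sha256>" pairs; the digests are placeholders, take them from the pinned commit
	for entry in \
		"50-stun4all:<SHA256_OF_50-stun4all>" \
		"50-wg4all:<SHA256_OF_50-wg4all>"
	do
		name="${entry%%:*}"
		wantSum="${entry#*:}"
		tmpFile=$(mktemp) || continue
		if wget -O "$tmpFile" "$URL/config_files/$name" &&
			[ "$(sha256sum "$tmpFile" | cut -d' ' -f1)" = "$wantSum" ]
		then
			chmod +x "$tmpFile"
			mv -f "$tmpFile" "$customDir/$name"
		else
			rm -f "$tmpFile"
			echo "Skip $name: download failed or checksum mismatch"
		fi
	done
	service zapret restart
	# … unchanged: deleteByPassGeoBlockComssDNS, messageComplete …
```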