openwrt-tutorial.en.md

File metadata and controls

202 lines (194 loc) · 12.6 KB

DPI BYPASS TUTORIAL USING OPENWRT

Indonesia | English

Following these instructions is at your own risk. I'm not responsible for the content you try to access after following this tutorial or for any damage you cause during the installation process. Please use it wisely and follow the instructions carefully

Installation Preparation Step

  1. First, log in to our OpenWRT router via SSH as admin by connecting to the OpenWRT IP address
  2. After logging in, run the opkg update command in the terminal and wait until it finishes
  3. After that, run opkg install iptables ip6tables git git-http nano to install the packages used during the Zapret installation process
  4. Switch to /tmp by running cd /tmp in the terminal
  5. Run git clone https://github.com/bol-van/zapret.git and wait until it finishes

Bypass National DNS

Because Kominfo implemented a National DNS that mandates every ISP to redirect port 53 to their servers, and because Zapret uses the DNS answers resolved by our OpenWRT while probing for a bypass method, we need to bypass the ISP DNS before installing Zapret

There are 4 methods to bypass it:

  • Using the BebasID hosts file
    • Create a file named bebasid on the system by typing touch /etc/bebasid in the terminal
    • Open the file by typing nano /etc/bebasid
    • Copy the content of the BebasID hosts file into the file we just made, then save it
    • Log in to OpenWRT via the web interface by typing the OpenWRT IP address, then go to Network >> DHCP & DNS
      image
    • Go to Resolv and Hosts Files, add /etc/bebasid under Additional hosts files and click + as in the example below:
      image
    • Click Save & Apply
    • To verify that the BebasID hosts file is installed properly, run nslookup lamanlabuh.aduankonten.id in the OpenWRT terminal


      If the result is the same as above, the BebasID hosts configuration is successful


  • Using DNS on a port other than 53
    • Log in to OpenWRT
    • Go to Network >> Interfaces and edit WAN (or whichever interface is your internet source) image
    • Go to Advanced Settings and uncheck the Use DNS servers advertised by peer option image
    • Set DNS to 127.0.0.1 and click +
    • Then Save & Apply
    • After that, go to Network >> DHCP and DNS
      image
    • Under DNS Forwarding, fill in the DNS server and alternate port in the format IP#PORT. For example:
      image
      Example using the BebasID DNS server with alternate port 1753

      For Moratel/Oxygen users, do not use alternate port 5353 because Moratel blocks that port. Use a DNS server with an alternate port other than 5353 if you are on that ISP

    • Then click + and Save & Apply
  • Using DNS-over-TLS (Stubby)
    • Before using DoT on OpenWRT, make sure that port 853 is not blocked by the ISP
    • Check by running curl -v portquiz.net:853 in the terminal


      Make sure the output contains `Port test successful!`
      If not, use one of the other methods: hosts file, alternate port, or DoH

    • If the test is successful, run opkg update in the terminal
    • Then run opkg install stubby and wait until it finishes
      image
    • Run nano /etc/stubby/stubby.yml to edit the Stubby config
    • Note the listening port that is used
      image
      It will be used in the DNS configuration
    • If you want to change the default DNS provider (Cloudflare 1.1.1.1), edit the address-data: and tls_auth_name: sections
      image
      As an example, to change to the DNS-over-TLS server of BebasID:
      image
    • Save the result, then run nano /etc/config/stubby
    • Change option manual '0' to option manual '1', then save
      image
    • Run service stubby restart and service stubby enable
    • After that, log in to OpenWRT via the web interface
    • Go to Network >> Interfaces and edit WAN (or whichever interface is your internet source) image
    • Go to Advanced Settings and uncheck the Use DNS servers advertised by peer option image
    • Set DNS to 127.0.0.1 and click +
    • Save & Apply
    • Go to Network >> DHCP and DNS
      image
    • Under DNS Forwarding, fill in the DNS server as 127.0.0.1#5453 image
    • Click + and Save & Apply
    • Check with nslookup on a domain blocked by Kominfo (e.g. nslookup reddit.com) and make sure that the Internet Positif IP is not shown
      image
  • Using DNS-over-HTTPS

( TO BE CONTINUED... )
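As an added example that is not part of this tutorial, the following POSIX shell helpers turn the two manual checks above (the curl -v portquiz.net:853 port test, and comparing what the ISP resolver and the alternative resolver answer for the same domain) into functions that run with the BusyBox sh and awk shipped on OpenWRT. The nslookup outputs embedded below are constructed samples in BusyBox format: 192.168.1.1 stands in for the ISP gateway, and 203.0.113.7 / 198.51.100.10 are documentation-range placeholders, not real block-page or site addresses.

```shell
#!/bin/sh
# Added example, not part of the tutorial: helpers for the two DNS checks.
# Works with BusyBox sh/awk as shipped on OpenWRT.

# Extract the answer addresses from BusyBox nslookup output. The "Address:"
# line before "Name:" is the resolver itself and is skipped; every "Address:"
# line after "Name:" is an answer. Output is sorted so answer sets compare as strings.
answer_addrs() {
    awk '/^Name:/ { in_answer = 1; next }
         in_answer && /^Address:/ { sub(/^Address:[ \t]*/, ""); print }' | sort -u
}

# Return 0 (true) when two nslookup outputs for the same domain disagree.
# A resolver that redirects port 53 (the National DNS described above) shows up
# as a different answer set than the alternative resolver. Caveat: CDN-hosted
# domains can legitimately answer differently per resolver, so treat a
# disagreement as a signal to inspect, and confirm with the blocked-domain test.
dns_disagree() {
    isp=$(printf '%s\n' "$1" | answer_addrs)
    alt=$(printf '%s\n' "$2" | answer_addrs)
    [ "$isp" != "$alt" ]
}

# Return 0 when the portquiz.net response body reports the port as reachable.
port_test_ok() {
    printf '%s\n' "$1" | grep -q 'Port test successful!'
}

# ---- constructed samples (not captured from a real ISP) ------------------
ISP_OUTPUT='Server:         192.168.1.1
Address:        192.168.1.1:53

Non-authoritative answer:
Name:   blocked.example
Address: 203.0.113.7
'
ALT_OUTPUT='Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   blocked.example
Address: 198.51.100.10
'
CURL_BODY='Port test successful!
Your IP: 198.51.100.1'

# Live use on the router (assumed invocation, not run here): query the ISP
# gateway and the local dnsmasq that forwards to Stubby, then compare.
#   dns_disagree "$(nslookup reddit.com 192.168.1.1)" "$(nslookup reddit.com 127.0.0.1)"
if dns_disagree "$ISP_OUTPUT" "$ALT_OUTPUT"; then
    echo "resolvers disagree: the ISP answer may be redirected"
else
    echo "resolvers agree"
fi
if port_test_ok "$CURL_BODY"; then
    echo "port 853 reachable: DoT is an option"
fi
```

On the router, replace the constructed strings with the real nslookup and curl output; the functions only parse text, so they work the same from a script or an interactive shell.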

Zapret Installation

  1. After the git clone command has finished and the National / ISP DNS has been bypassed, navigate to /tmp/zapret by typing cd /tmp/zapret in the terminal
  2. Run ./install-easy.sh in the terminal
  3. If this message is shown
    easy install is supported only from default location : /opt/zapret 
    currently its run from /tmp/zapret
    do you want the installer to copy it for you (default : N) (Y/N) ?
    
    Proceed by typing Y and Enter
  4. For Firewall, choose iptables by typing 1 and Enter
    image
  5. To enable IPv6 support, choose Y just in case
    image
  6. For Mode, choose 3 and Enter
    image
  7. Make sure to enable HTTP support and HTTPS support by choosing Y during the installation process
    image
  8. After that press Enter and wait until it finishes
  9. Delete the Zapret folder in /tmp to free up space by running cd /tmp and then rm -r zapret

Zapret Configuration

  1. Go to the Zapret folder with cd /opt/zapret/ and run the installation script ./install_bin.sh
  2. If the process is successful, run ./blockpage.sh to find the optimal Zapret configuration for your ISP
  3. If this message is shown:
    specify domain(s) to test. multiple domains are space separated.
    domain(s) (default: rutracker.org) :
    
    Fill in domains that are blocked by Kominfo (for example: reddit.com, vimeo.com, omegle.com, etc.)
  4. If prompted for the IP protocol version, adjust it to your network configuration
    • For example, if your network only supports IPv4, type 4 and Enter
    • But if your network supports both IPv4 and IPv6, type 46 and Enter
  5. Press Enter and wait until you see how many times to repeat each test (default: 1). Type 2 and Enter
  6. After that, you will see do all test despite of result?. Type Y and Enter
  7. Wait until Zapret has found the optimal configuration for your ISP
  8. When finished, this will be shown:
    image
    Note the results
  9. After that, stop the Zapret service on OpenWRT by running service zapret stop
  10. Edit the config by running nano /opt/zapret/config
  11. Find this section inside the config file and replace it with the configuration you noted
    #NFQWS_OPT_DESYNC_HTTP=
    #NFQWS_OPT_DESYNC_HTTPS=
    #NFQWS_OPT_DESYNC_HTTP6=
    #NFQWS_OPT_DESYNC_HTTPS6=
    
    Remove the leading # from the NFQWS lines
    For curl_test_https_tls12, fill in the HTTPS and HTTPS6 sections (the options printed after nfqws)
    And for curl_test_http, fill in the HTTP and HTTP6 sections (the options printed after nfqws)

    As an example (adapt the sections according to the results you noted):
    NFQWS_OPT_DESYNC_HTTP="--hostcase"
    NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2"
    NFQWS_OPT_DESYNC_HTTP6="--hostcase"
    NFQWS_OPT_DESYNC_HTTPS6="--dpi-desync=split2"
    
  12. Then save the file and start Zapret by running service zapret start
  13. Do not forget to enable iptables and Zapret by running service zapret enable and service iptables enable so that the services start automatically at boot

Problems with banking applications (Credit to One for the steps)

Many banks will reject your requests if Zapret is active on the OpenWRT router, so we need to create a whitelist for those bank sites

  1. Go to /opt/zapret folder then run nano whitelist.txt
  2. Fill with:
    bankbjb.co.id
    bankbsi.co.id
    bankmandiri.co.id
    bca.co.id
    bi.go.id
    blubybcadigital.id
    bni.co.id
    bri.co.id
    btn.co.id
    cimbniaga.co.id
    danamon.co.id
    hanabank.co.id
    hsbc.co.id
    jago.com
    klikbca.com
    maybank.co.id
    permatabank.com
    permatanet.com
    sc.com
    
    (Add more if needed)
  3. Then save and run chmod 755 whitelist.txt in the terminal
  4. Edit the Zapret config by running nano config
  5. Find the lines starting with NFQWS_OPT_DESYNC and append --hostlist-exclude=/opt/zapret/whitelist.txt at the end of every value, just before the closing "
    • As an example, our Zapret configuration:
      # CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
      DESYNC_MARK=0x40000000
      NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
      NFQWS_OPT_DESYNC_HTTP="--hostcase"
      NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2"
      NFQWS_OPT_DESYNC_HTTP6="--hostcase"
      NFQWS_OPT_DESYNC_HTTPS6="--dpi-desync=split2"
      
    • We need to append --hostlist-exclude=/opt/zapret/whitelist.txt at the end of every value so that they look like this:
      # CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
      DESYNC_MARK=0x40000000
      NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum --hostlist-exclude=/opt/zapret/whitelist.txt"
      NFQWS_OPT_DESYNC_HTTP="--hostcase --hostlist-exclude=/opt/zapret/whitelist.txt"
      NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --hostlist-exclude=/opt/zapret/whitelist.txt"
      NFQWS_OPT_DESYNC_HTTP6="--hostcase --hostlist-exclude=/opt/zapret/whitelist.txt"
      NFQWS_OPT_DESYNC_HTTPS6="--dpi-desync=split2 --hostlist-exclude=/opt/zapret/whitelist.txt"
      
  6. Save and restart Zapret by running service zapret restart
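As an added example, not the tutorial's or the Zapret project's own code, the following POSIX shell helpers script the two hand edits described above: step 11 of Zapret Configuration (uncommenting and setting the NFQWS_OPT_DESYNC_* values noted from blockpage.sh) and steps 2 to 5 of the banking whitelist (writing a normalized whitelist.txt and appending --hostlist-exclude to every NFQWS_OPT_DESYNC* value, without duplicating the flag when run a second time). The demo at the bottom works on a constructed copy of the config in a temporary directory, so nothing under /opt/zapret is touched; the function names and the .bak suffix are my own choices.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of Zapret: scripted config edits.
# Uses only BusyBox-compatible sh, awk and sed.

# Uncomment (if needed) and set NAME="VALUE" in CONFIG. Lines of the form
# NAME=... and #NAME=... are both replaced; other NFQWS_OPT_* lines stay as is.
set_desync_opt() {
    conf=$1; name=$2; value=$3
    awk -v name="$name" -v value="$value" '
        $0 ~ ("^#?" name "=") { print name "=\"" value "\""; next }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the quoted value of NAME from CONFIG (empty if commented out or unset).
get_opt() {
    sed -n "s/^$2=\"\(.*\)\"$/\1/p" "$1"
}

# Write a whitelist: lowercase, trimmed, blank lines dropped, duplicates removed.
# nfqws only needs read access; the tutorial uses chmod 755, which is kept here.
write_whitelist() {
    out=$1; shift
    printf '%s\n' "$@" | tr 'A-Z' 'a-z' | sed 's/^[ \t]*//; s/[ \t]*$//' \
        | grep -v '^$' | sort -u > "$out"
    chmod 755 "$out"
}

# Append --hostlist-exclude=LIST to every NFQWS_OPT_DESYNC* value in CONFIG.
# A value that already carries the flag is left alone, so re-running is safe.
add_hostlist_exclude() {
    conf=$1; flag="--hostlist-exclude=$2"
    awk -v flag="$flag" '
        $0 ~ "^NFQWS_OPT_DESYNC[A-Z0-9_]*=\"" && index($0, flag) == 0 {
            if ($0 ~ "=\"\"$") sub("\"\"$", "\"" flag "\"")
            else sub("\"$", " " flag "\"")
        }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# ---- demo on a constructed copy of the config (nothing in /opt/zapret is touched)
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/config"
cat > "$demo_conf" <<'EOF'
# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
DESYNC_MARK=0x40000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
#NFQWS_OPT_DESYNC_HTTP=
#NFQWS_OPT_DESYNC_HTTPS=
#NFQWS_OPT_DESYNC_HTTP6=
#NFQWS_OPT_DESYNC_HTTPS6=
EOF
cp "$demo_conf" "$demo_conf.bak"        # keep a copy before editing

# Step 11: fill in the values noted from blockpage.sh (the tutorial's example values).
set_desync_opt "$demo_conf" NFQWS_OPT_DESYNC_HTTP   "--hostcase"
set_desync_opt "$demo_conf" NFQWS_OPT_DESYNC_HTTPS  "--dpi-desync=split2"
set_desync_opt "$demo_conf" NFQWS_OPT_DESYNC_HTTP6  "--hostcase"
set_desync_opt "$demo_conf" NFQWS_OPT_DESYNC_HTTPS6 "--dpi-desync=split2"

# Banking steps 2-5: write the whitelist, then exclude it from every desync option.
write_whitelist "$demo_dir/whitelist.txt" "bca.co.id" "KlikBCA.com" "" "bca.co.id"
add_hostlist_exclude "$demo_conf" "$demo_dir/whitelist.txt"

cat "$demo_conf"
rm -r "$demo_dir"
# On the router the same calls would use /opt/zapret/config and
# /opt/zapret/whitelist.txt, followed by: service zapret restart
```

Because add_hostlist_exclude checks for the flag before inserting it, the script can be re-run after blockpage.sh produces new values without stacking duplicate --hostlist-exclude options; the .bak copy lets you diff the result against the original before restarting the service.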