Follow these instructions at your own risk. I'm not responsible for the content you access after following this tutorial or for any damage done during the installation process. Please use it wisely and follow the instructions carefully.
- First, log in to OpenWRT via SSH as admin, using the IP address of the OpenWRT device
- After logging in, run
opkg update
in the terminal and wait until it finishes
- After that, run
opkg install iptables ip6tables git git-http nano
to install the packages used during the Zapret installation
- Switch to /tmp by running
cd /tmp
in the terminal
- Run
git clone https://github.com/bol-van/zapret.git
and wait until it finishes
Because Kominfo implemented a National DNS that requires every ISP to redirect port 53 to its servers, and because Zapret uses the DNS results resolved by our OpenWRT when probing bypass methods, we need to bypass the ISP DNS before installing Zapret.
There are 4 methods to bypass:
- Using BebasID host
- Create a file named bebasid by typing
touch /etc/bebasid
in the terminal
- Open the file by typing
nano /etc/bebasid
- Copy the content of BebasID into the file we just created, then save it
- Log in to OpenWRT via the web interface by typing the IP of OpenWRT, then go to Network >> DHCP & DNS
- Go to Resolv and Hosts Files, add
/etc/bebasid
under Additional hosts files and click + like this example below:
- Click Save & Apply
- To make sure that the BebasID host file is properly installed, run
nslookup lamanlabuh.aduankonten.id
in the OpenWRT terminal
If the result is the same as above, the BebasID host configuration is successful
- Using DNS with port other than 53
- Log in to OpenWRT
- Go to Network >> Interfaces and Edit WAN (or any interface used as your internet source)
- Go to Advanced Settings and uncheck the
Use DNS servers advertised by peer
option
- Set DNS to 127.0.0.1 and click +
- Then Save and Apply
- After that, go to Network >> DHCP and DNS
- At DNS Forwarding, fill in the DNS and alt-port in the format
IP#PORT
For example:
Example of usage of DNS from BebasID with alt-port 1753
For Moratel/Oxygen users, do not use alt-port 5353 because Moratel blocked that port. Use a DNS with an alt-port other than 5353 if you are using it
- Then click + and Save & Apply
- Using DNS-over-TLS (Stubby)
- Before using DoT in OpenWRT, make sure that port 853 is not blocked by your ISP
- Check by running
curl -v portquiz.net:853
in the terminal
Make sure that `Port test successful!` is shown
If not, use other methods like hosts, alt port, and DoH
- If the test is successful, run
opkg update
in the terminal
- Then run
opkg install stubby
and wait until it finishes
- Run
nano /etc/stubby/stubby.yml
to edit the Stubby config
- Note the port used
It will be used in the DNS configuration
- If you want to change the default DNS provider (Cloudflare 1.1.1.1), edit the
address_data:
and
tls_auth_name:
sections
As an example, to change to the DNS-over-TLS of BebasID:
- Save the result, then run
nano /etc/config/stubby
- Change
option manual '0'
to
option manual '1'
then save
- Run
service stubby restart
and
service stubby enable
- After that, log in to OpenWRT with the Web Interface
- Go to Network >> Interfaces and Edit WAN (or any interface used as your internet source)
- Go to Advanced Settings and uncheck the
Use DNS servers advertised by peer
option
- Set DNS to 127.0.0.1 and click +
- Save and Apply
- Go to Network >> DHCP and DNS
- At DNS Forwarding, fill in the DNS with the config
127.0.0.1#5453
- Click + and Save and Apply
- Check by running nslookup on a domain that is blocked by Kominfo, for example
nslookup reddit.com
Make sure that the Internet Positif IP is not shown
- Using DNS-over-HTTPS
( TO BE CONTINUED... )
- After the git clone command has finished and the National / ISP DNS has been bypassed, navigate to /tmp/zapret by typing
cd /tmp/zapret
in the terminal
- Run
./install-easy.sh
in the terminal
- If this message is shown
easy install is supported only from default location : /opt/zapret
currently its run from /tmp/zapret
do you want the installer to copy it for you (default : N) (Y/N) ?
proceed by typing
Y
and Enter
- For Firewall, choose iptables by typing 1 and Enter
- To enable IPv6 support, choose
Y
just in case
- For Mode, choose
3
and Enter
- Make sure to enable HTTP support and HTTPS support by choosing
Y
during the installation process
- After that, press Enter and wait until it finishes
- Delete the Zapret folder in /tmp to conserve memory by going to
cd /tmp
and running
rm zapret -r
- Go to the Zapret folder
cd /opt/zapret/
and run the installation script
./install_bin.sh
- If the process is successful, run
./blockcheck.sh
to find the optimal Zapret configuration for your ISP
- If this message is shown:
specify domain(s) to test. multiple domains are space separated. domain(s) (default: rutracker.org) :
fill in domains that are blocked by Kominfo (example: reddit.com, vimeo.com, omegle.com, etc)
- If prompted with
ip protocol version
adjust it to your network configuration
- For example, if your network only supports IPv4, type
4
and Enter
- But if your network supports IPv4 and IPv6, type
46
and Enter
- Press Enter and wait until you see
how many times to repeat each test (default: 1)
Type
2
and Enter
- After that, you will see
do all test despite of result?
Type Y and Enter
- Wait until Zapret finds the optimal configuration for your ISP
- When it has finished, this will be shown:
Note the results
- After that, stop the Zapret service on OpenWRT by running
service zapret stop
- Edit the config by running
nano /opt/zapret/config
- Find this section inside the config file and replace it with the config that you noted
#NFQWS_OPT_DESYNC_HTTP=
#NFQWS_OPT_DESYNC_HTTPS=
#NFQWS_OPT_DESYNC_HTTP6=
#NFQWS_OPT_DESYNC_HTTPS6=
Uncomment the NFQWS lines by removing the leading #
For curl_test_https_tls12, fill in the HTTPS and HTTPS6 lines (type what comes after nfqws)
And for curl_test_http, fill in the HTTP and HTTP6 lines (type what comes after nfqws)
As an example (adapt the lines according to the results you noted):
NFQWS_OPT_DESYNC_HTTP="--hostcase"
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2"
NFQWS_OPT_DESYNC_HTTP6="--hostcase"
NFQWS_OPT_DESYNC_HTTPS6="--dpi-desync=split2"
- Then save the result and start Zapret by running
service zapret start
- Do not forget to enable iptables and Zapret by running
service zapret enable
and
service iptables enable
to make sure that the services are started automatically at boot
Many banks will reject your requests if Zapret is active on the OpenWRT router, so we need to create a whitelist for those bank sites
- Go to the
/opt/zapret
folder, then run
nano whitelist.txt
- Fill it with the following, one domain per line (add more if needed):
bankbjb.co.id
bankbsi.co.id
bankmandiri.co.id
bca.co.id
bi.go.id
blubybcadigital.id
bni.co.id
bri.co.id
btn.co.id
cimbniaga.co.id
danamon.co.id
hanabank.co.id
hsbc.co.id
jago.com
klikbca.com
maybank.co.id
permatabank.com
permatanet.com
sc.com
- Then save and run
chmod 755 whitelist.txt
in the terminal
- Edit the Zapret config by running
nano config
- Find the lines with
NFQWS_OPT_DESYNC
and append
--hostlist-exclude=/opt/zapret/whitelist.txt
at the end of every value, before the closing "
- As an example, our Zapret configuration:
# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
DESYNC_MARK=0x40000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
NFQWS_OPT_DESYNC_HTTP="--hostcase"
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2"
NFQWS_OPT_DESYNC_HTTP6="--hostcase"
NFQWS_OPT_DESYNC_HTTPS6="--dpi-desync=split2"
- We need to append
--hostlist-exclude=/opt/zapret/whitelist.txt
at the end of every value, so the lines look like this:
# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
DESYNC_MARK=0x40000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum --hostlist-exclude=/opt/zapret/whitelist.txt"
NFQWS_OPT_DESYNC_HTTP="--hostcase --hostlist-exclude=/opt/zapret/whitelist.txt"
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --hostlist-exclude=/opt/zapret/whitelist.txt"
NFQWS_OPT_DESYNC_HTTP6="--hostcase --hostlist-exclude=/opt/zapret/whitelist.txt"
NFQWS_OPT_DESYNC_HTTPS6="--dpi-desync=split2 --hostlist-exclude=/opt/zapret/whitelist.txt"
- Save and restart Zapret by running
service zapret restart
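
The whitelist step above is easy to get wrong by hand (a missed line or a doubled option). As an added example, not part of the original tutorial or of Zapret, this POSIX shell function appends the option to every uncommented NFQWS_OPT_DESYNC* line with a non-empty value and skips lines that already carry it. The function name add_hostlist_exclude and the sample config in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of Zapret): append the bank whitelist option to every
# active NFQWS_OPT_DESYNC* line of a Zapret config, without duplicating it.

add_hostlist_exclude() {          # hypothetical helper name
    cfg="$1"                      # e.g. /opt/zapret/config
    list="$2"                     # e.g. /opt/zapret/whitelist.txt
    opt="--hostlist-exclude=$list"

    [ -f "$cfg" ]  || { echo "config not found: $cfg" >&2; return 1; }
    [ -s "$list" ] || { echo "whitelist missing or empty: $list" >&2; return 1; }

    # Keep the first-run original so the change can be rolled back.
    [ -f "$cfg.bak" ] || cp "$cfg" "$cfg.bak" || return 1

    # Only uncommented assignments with a non-empty quoted value are touched;
    # commented lines, empty values and lines that already carry the option stay.
    awk -v opt="$opt" '
        /^NFQWS_OPT_DESYNC[A-Z0-9_]*="[^"]+"[ \t]*$/ && index($0, opt) == 0 {
            sub(/"[ \t]*$/, " " opt "\"")
        }
        { print }
    ' "$cfg" > "$cfg.new" || { rm -f "$cfg.new"; return 1; }
    cat "$cfg.new" > "$cfg" && rm -f "$cfg.new" || return 1

    # Print how many lines now carry the option.
    grep -c -F -- "$opt" "$cfg" || true
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' bca.co.id klikbca.com > "$dir/whitelist.txt"   # constructed sample
    cat > "$dir/config" <<'EOF'
DESYNC_MARK=0x40000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
NFQWS_OPT_DESYNC_HTTP="--hostcase"
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2"
#NFQWS_OPT_DESYNC_HTTP6=
EOF
    add_hostlist_exclude "$dir/config" "$dir/whitelist.txt"   # first run edits 3 lines
    add_hostlist_exclude "$dir/config" "$dir/whitelist.txt"   # second run changes nothing
    grep '^NFQWS_OPT_DESYNC_HTTPS=' "$dir/config"
    rm -r "$dir"
}

demo
```

On the router, the call would be `add_hostlist_exclude /opt/zapret/config /opt/zapret/whitelist.txt`, followed by the restart shown above; the untouched original stays in `/opt/zapret/config.bak`.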