Due to mass censorship on the both sides of Russian reality, I want to have some semi/fully automatic solution to bypass them. This is it :)
DeBlocker is a simple and fully automatic service for generating eBGP prefixes of blocked "sites" that you use.
A flowchart is worth a thousand words so let's begin from it:
As you can see DeBlocker has a couple of parts:
- DNS server that:
- exports A/AAAA answers into BGP if we think that requested site must go over VPN
- schedules HTTPS site checker to make a decision
- HTTPS checker just make two HTTP requests - one over VPN interface and one over direct interface. After that, makes decision.
- BGP server that exports "blocked" prefixes from HTTPS checker or DNS server
So when I execute curl https://docs.splunk.com:
curlresolvesdocs.splunk.comthrough DeBlocker DNS server that:- checks it and must choose the VPN direction
- adds eBGP path for all the IP addresses that points to
*.splunk.com
- and makes a TCP connection that will be routed over VPN
- that's all, pretty simple
Of course sometimes I need to send request one more time, but this is not annoying me.
The full config can be found here
It is assumed that:
eth0- interface with direct connectioneu- interface with VPN connection. I prefer WireGuard, but you can use what you need65543- DeBlocker ASN65542- dynamic neighbor ASN
So, you have to:
- configure interfaces ;)
- add the BGP neighbor on your router
- use DeBlocker DNS at home
- that's all, folks :)
P.S.