Does the DPI Bypass "zapret" work with Merlin firmware?

Discussion in 'Asuswrt-Merlin' started by Sora, Nov 13, 2019.

  1. Sora

    Sora New Around Here

    Joined:
    Aug 11, 2019
    Messages:
    3
    Although the DoT function was added to the Merlin firmware,
    I need to bypass DPI because I live in a country where the ISP censors the Internet.
    I've been very stressed since my country's ISP started censoring last month.
    An alternative is to install GoodbyeDPI ( https://github.com/ValdikSS/GoodbyeDPI )
    and GreenTunnel ( https://github.com/SadeghHayeri/GreenTunnel ) on the device,
    but I want to do DPI bypass at the router level.

    https://github.com/bol-van/zapret/blob/master/docs/readme.eng.txt
    https://github.com/bol-van/zapret

    There is a manual for installing it on OpenWrt, but I would like to install and run it on the Merlin firmware.
    I'm a simple user, so I don't know the details.
    I would be grateful if someone could give me the information.
    If not, please tell me how to use DPI bypass on the Merlin firmware. Thank you.
    --------
    Please understand that my English is lacking.
     
    Last edited: Nov 13, 2019
  2. luzumsuz

    luzumsuz New Around Here

    Joined:
    Apr 10, 2019
    Messages:
    4
    It could be perfect if Merlin can do it.
     
  3. Sora

    Sora New Around Here

    Joined:
    Aug 11, 2019
    Messages:
    3
    Yes, this is a really necessary feature.
    If so, it would be perfect.
    Someone please help.
     
  4. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,455
    Location:
    UK
    Simply entering these four commands allows the crucial NFQUEUE firewall rule to be activated for the two current IPv4 IPs for 'kinozal.tv'
    Code:
    modprobe xt_NFQUEUE
    
    ipset create zapret hash:net
    
    nslookup kinozal.tv;for IP in $(nslookup "kinozal.tv" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add zapret $IP;done;ipset list zapret
    
    iptables -t mangle -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass
    
    No idea if it does what it is supposed to do when you then attempt to access 'kinozal.tv'.

    However, if DPI seemingly can't be bypassed using the 'splitting a request into segments' PREROUTING method, try the 'mangle "Host:" HTTP header' POSTROUTING method
    Code:
    iptables -t mangle -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass 2>/dev/null
    
    iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:5 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass
     
    Last edited: Nov 13, 2019
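
Both rules in the post above use `--queue-bypass`, which makes an NFQUEUE rule behave like ACCEPT when no userspace program is bound to the queue, so the rules by themselves pass traffic unmodified. The following is an added example, not code from the thread or from the zapret project: it checks whether queue 200 has a listener by parsing the kernel's `/proc/net/netfilter/nfnetlink_queue` table. The function name `queue_status` and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether a userspace program
# is bound to a given NFQUEUE number.
# Columns of /proc/net/netfilter/nfnetlink_queue:
#   queue_number peer_portid queue_total copy_mode copy_range
#   queue_dropped user_dropped id_sequence [flags on newer kernels]

# queue_status FILE QUEUE_NUM  (hypothetical helper name)
# Prints "bound portid=<id> queued=<n> dropped=<n>" and returns 0 if a
# listener is bound; prints "unbound" and returns 1 if not; returns 2 if
# the table cannot be read.
queue_status() {
    file=$1
    qnum=$2
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    awk -v q="$qnum" '
        $1 == q {
            # dropped = packets lost in the kernel queue + on the netlink socket
            printf "bound portid=%d queued=%d dropped=%d\n", $2, $3, $6 + $7
            found = 1
        }
        END { if (!found) { print "unbound"; exit 1 } }
    ' "$file"
}

# Constructed sample table: queue 200 has a listener, queue 201 does not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
    0  1200     0  2 65531     0     0       42  1
  200  3412     0  2 65531     0     0      117  1
EOF

echo "queue 200: $(queue_status "$sample" 200)"
# With --queue-bypass an unbound queue means packets are accepted untouched.
queue_status "$sample" 201 >/dev/null ||
    echo "queue 201: no listener, --queue-bypass rules act as ACCEPT"
rm -f "$sample"
```

On the router itself, call `queue_status /proc/net/netfilter/nfnetlink_queue 200` after loading the rules; a rising `dropped` count means the listener is not keeping up with the queue.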