ByeDPI + Redsocks on OpenWRT: giving freedom to a local network on low-end hardware (using the example of ASUS RT-N12 ROM
The solution to the problem of bypassing blocking for all devices on a home network often comes down to a cheap, ancient router that does its job properly. In this article I will tell you how to set up a combination of ByeDPI and Redsocks on a router with OpenWRT, even if your device is far from high-end in its specifications.
However, this information will also be useful to owners of more modern routers – the method is quite universal and relatively easy to set up.
Background: Basic DPI Bypass Methods
Before moving on to the main part, I’ll briefly talk about existing methods for bypassing DPI (Deep Packet Inspection) systems, which are used to filter Internet traffic.
GoodbyeDPI is one of the most popular tools designed to bypass DPI in Windows. It modifies or fragments data packets so that they are difficult to recognize correctly.
Zapret is another solution, most often used on routers running OpenWRT, which also masks or fragments packets.
On the plus side: it has an automatic search for a working bypass configuration, which, however, does not always work.
On the minus side: it requires installing a bunch of dependencies and is quite complicated to configure.
ByeDPI is a solution for Linux, for various architectures, on the basis of which applications for Android are created.
Why do we need ByeDPI and Redsocks?
ByeDPI is a utility (not to be confused with an Android application) for bypassing DPI (Deep Packet Inspection), which changes network packets so that they are not recognized by traffic filtering systems.
But ByeDPI only raises a SOCKS5 server, and in order to send traffic through it, you need to configure a proxy in each specific application.
Unfortunately, the VPN tunnel is implemented only in the ByeDPI application for Android (and its currently faster-developing fork ByeByeDPI).
Redsocks is a proxy tool that redirects traffic through a SOCKS or HTTP proxy, even if the application does not directly support proxy configuration.
Combining these two tools on your router allows you to bypass router-level blocks, giving you freedom on your home network without the need to install software on every device.
Installing OpenWRT on ASUS RT-N12
Here I will briefly describe the process of installing OpenWRT on the ASUS RT-N12 VP B1 router. If your router already has OpenWRT installed, you can safely move on to the next section.
In general, installing OpenWRT on the ASUS RT-N12 router is quite trivial and is described in detail here and here. I’ll highlight just a few points:
For me, the latest firmware, OpenWRT 23.05.5, was unstable due to lack of memory; there is also a warning on the official website that the Wi-Fi driver in it does not work correctly;
But the firmware 19.07.4 +/- mwan3, which adds a proprietary Wi-Fi driver, worked great.
True, the ByeDPI package for OpenWRT 23.05.5 refused to work on this firmware, but the package for OpenWRT 21.05.5 worked (more on that later).
Method 1:
First you need to download and install the ASUS Firmware Restoration 2.1.0.3 utility, but you can try without it: just go to 192.168.1.1 in the browser, where you can flash the firmware or reset the NVRAM.
Go to the properties of the network card and manually enter the addresses: IP address 192.168.1.10, subnet mask 255.255.255.0, default gateway 192.168.1.1
It is strongly recommended to disable unnecessary network adapters, especially virtual ones (VPN, NAT from VMWare, etc.)
Turn off the router with the button
Insert the network cable into any LAN port
Press and hold the Reset button (next to the power button) for 5-10 seconds
Keep the button pressed and turn on the router
When the power indicator starts flashing quickly, you can release the Reset button. Your router is in recovery mode
Open the utility, select the firmware file and flash it
But in my case ASUS Firmware Restoration flatly refused to find the router, and there was nothing at 192.168.1.1 in recovery mode, so I had to use the second method, for which you need to enable SSH access in the router settings.
Method 2:
Upload the firmware file 19.07.4 +/- mwan3 to the /tmp folder via the console (scp) or using the WinSCP program
In the terminal, in the folder with the downloaded and unzipped firmware file, execute the commands:
scp openwrt-19.07.4-rt-n12vp_b1-mwan3-squashfs-sysupgrade.bin root@192.168.1.1:/tmp
ssh root@192.168.1.1
cd /tmp
mtd-unlock -d linux
mtd-write -i openwrt-19.07.4-rt-n12vp_b1-mwan3-squashfs-sysupgrade.bin -d linux
rm openwrt-19.07.4-rt-n12vp_b1-mwan3-squashfs-sysupgrade.bin
reboot
We try to access 192.168.1.1 in the browser. If the web interface opens, then move on; if not, try resetting the settings or flashing using method 1.
Next, log in without a password and turn on Wi-Fi in the software tab, following this instruction.
Installing ByeDPI and Redsocks
First you need to download the ByeDPI package suitable for your version of OpenWRT from here.
Copy it to the /tmp folder via the console (scp) or using the WinSCP program
scp .\byedpi_0.14.1-1_mipsel_24kc.ipk root@192.168.1.1:/tmp
Login via SSH
ssh root@192.168.1.1
If space allows, we install optional packages for faster installation and operation testing
opkg update
opkg install coreutils-sort curl grep gzip
Try to install Redsocks using the script with the following command:
cd /tmp && wget https://github.com/emonbhuiyan/Redsocks-OpenWRT/raw/main/install.sh && chmod +x install.sh && clear && sh install.sh && rm install.sh && clear
If the error wget error: SSL support not available appears, then you need to install the certificates with the command:
opkg install libustream-mbedtls ca-bundle ca-certificates
Next, open the Redsocks config
vi /etc/redsocks.conf
And enter the following parameters in it:
base {
    log_debug = off;
    log_info = on;
    log = "syslog:local7";
    daemon = on;
    redirector = iptables;
}
redsocks {
    local_ip = 0.0.0.0;
    local_port = 1337;
    ip = 127.0.0.1;
    port = 1080;
    type = socks5;
}
Restart and enable the Redsocks service
service redsocks restart
service redsocks enable
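A check for the settings above, added here as an example and not part of the original article or the Redsocks project: it reads the redsocks section and reports an upstream that is not a local SOCKS5 server, an upstream port equal to local_port, and a listener bound to all interfaces. The helper names redsocks_opt and check_redsocks are hypothetical, and the parser assumes one "key = value;" pair per line.

```shell
#!/bin/sh
# Added example: sanity-check the redsocks section of /etc/redsocks.conf.
# Assumes one "key = value;" per line, as in the config above.
# redsocks_opt FILE SECTION KEY: print KEY's value from "SECTION { ... }"
redsocks_opt() {
    awk -v sec="$2" -v key="$3" '
        $1 == sec && $2 == "{" { inside = 1; next }
        $1 == "}"              { inside = 0 }
        inside && $1 == key && $2 == "=" {
            v = $3; sub(/;$/, "", v); gsub(/"/, "", v); print v; exit
        }' "$1"
}

# check_redsocks FILE: one finding per line; no output means nothing to fix
check_redsocks() {
    lip=$(redsocks_opt "$1" redsocks local_ip)
    lport=$(redsocks_opt "$1" redsocks local_port)
    uip=$(redsocks_opt "$1" redsocks ip)
    uport=$(redsocks_opt "$1" redsocks port)
    utype=$(redsocks_opt "$1" redsocks type)
    # ByeDPI only provides a SOCKS5 server
    [ "$utype" = socks5 ] || echo "type=$utype: upstream must be socks5"
    # In this setup the SOCKS5 server runs on the router itself
    [ "$uip" = 127.0.0.1 ] || echo "ip=$uip: upstream is not local"
    # With a local upstream, reusing local_port loops redsocks into itself
    [ "$uport" != "$lport" ] || echo "port=$uport: same as local_port"
    # 0.0.0.0 binds every interface, the WAN side included
    [ "$lip" != 0.0.0.0 ] || echo "local_ip=0.0.0.0: check WAN cannot reach port $lport"
    return 0
}

# Constructed sample: the redsocks section from the article's config.
check_redsocks_demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
redsocks {
local_ip = 0.0.0.0;
local_port = 1337;
ip = 127.0.0.1;
port = 1080;
type = socks5;
}
EOF
    check_redsocks "$tmp"
    rm -f "$tmp"
}

check_redsocks_demo
```

On the router itself, run check_redsocks /etc/redsocks.conf after editing the file and before restarting the service.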
Install the previously downloaded ByeDPI package
opkg install /tmp/byedpi_0.14.1-1_mipsel_24kc.ipk
Open the ByeDPI config
vi /etc/config/byedpi
Here we enter a blocking-bypass configuration found on the Internet that suits your provider. Before applying it here, you can test the configuration with the ByeDPIAndroid application on a phone.
config byedpi 'main'
    option enabled 1
    # if set, all other uci settings are ignored
    option cmd_opts '--hosts /etc/config/byedpi.hosts'
The --hosts option specifies a file with a list of (potentially) blocked domains to which DPI bypass will be applied. This file can be created via WinSCP or with the command
vi /etc/config/byedpi.hosts
The contents of the file are something like this
#### List of domain names for bypassing restrictions
### YouTube
youtube.com
youtu.be
ggpht.com
ytimg.com
i.ytimg.com
i9.ytimg.com
yt3.ggpht.com
l.google.com
play.google.com
youtubei.googleapis.com
wide-youtube.l.google.com
nhacmp3youtube.com
googleusercontent.com
yt3.googleusercontent.com
googleapis.com
googlevideo.com
youtubei.googleapis.com
1e100.net
### Google
google.com
mtalk.google.com
manifests.googlevideo.com
googleapis.com
youtube.googleapis.com
gmailpostmastertools.googleapis.com
NS1.google.com
NS2.google.com
NS3.google.com
NS4.google.com
play.google.com
gstatic.com
googleads.g.doubleclick.net
### News and weather services
msnbc.com
foxnews.com
cnn.com
dw.com
bbc.com
bbc.com/weather
bbc.co.uk
bbc.co.uk/weather
static.files.bbci.co.uk
mybbc-analytics.files.bbci.co.uk
weather.files.bbci.co.uk
nav.files.bbci.co.uk
m.files.bbci.co.uk
inforesist.org
france24.com
accuweather.com
meteoblue.com
open-meteo.com
openweathermap.org
weatherstack.com
worldweatheronline.com
wunderground.com
currenttime.tv
### Messengers
whatsapp.com
whatsapp.net
static.whatsapp.net
g.whatsapp.net
time.android.com
web.whatsapp.com
signal.org
getsession.org
amazon.com
amazonaws.com
### Social networks
facebook.com
x.com
twitter.com
instagram.com
### Torrent trackers
rutracker.org
rutor.info
rutor.is
mega-tor.org
kinozal.tv
#nnm-club.me
#nnm-club.ws
#tfile.me
#tfile-home.org
#tfile1.cc
#megatfile.cc
#megapeer.org
#megapeer.ru
tapochek.net
#tparser.org
#tparser.me
rustorka.com
#uniongang.tv
fast-torrent.ru
### Media content catalogs for apps
rezka.ag
hdrezka.ag
hdrezka.me
filmix.co
filmix.cc
seasonvar.ru
### Books
lib.rus.ec
flibusta.is
flibs.me
flisland.net
flibusta.site
### Miscellaneous
7-zip.org
edem.tv
msfree.su
4pda.to
protonvpn.com
proton.me
drive.proton.me
tuta.com
whois.domaintools.com
dnsleaktest.com
ipleak.net
github.com
objects.githubusercontent.com
openvpn.net
community.openvpn.net
openwrt.org
lastpass.com
delinea.com
dnscheck.tools
cloudflare.com
cloudflare-dns.com
1dot1dot1dot1.cloudflare-dns.com
controld.com
umbrella.com
cisco.com
quad9.net
deb.oxen.io
ntc.party
akamaitechnologies.com
deploy.static.akamaitechnologies.com
akamaistream.net
AX0.AKAMAISTREAM.NET
AX1.AKAMAISTREAM.NET
AX2.AKAMAISTREAM.NET
AX3.AKAMAISTREAM.NET
NS2-32.AKAMAISTREAM.NET
NS3-32.AKAMAISTREAM.NET
NS6-32.AKAMAISTREAM.NET
P5.AKAMAISTREAM.NET
P6.AKAMAISTREAM.NET
P7.AKAMAISTREAM.NET
P8.AKAMAISTREAM.NET
149.34.0.0/16
cloudfront.net
datapacket.com
wholesale.adamo.es
### Ubuntu and forks
ubuntu.com
archive.ubuntu.com
linuxmint.com
packages.linuxmint.com
tuxedocomputers.com
os.tuxedocomputers.com
mirror.init7.net
kde.org
ubuntucinnamon.org
23.192.0.0/11
23.128.64.0/23
### Tor check
check.torproject.org
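An added example, not from the original article or the ByeDPI project: a linter for the hosts file that reports entries that are not plain domain names (URL paths, IP ranges) and repeated names, all of which occur in the list above. The function name lint_hosts and the finding labels are hypothetical; how ByeDPI itself treats such entries is not stated on this page.

```shell
#!/bin/sh
# Added example: lint a ByeDPI --hosts file before restarting the service.
# Output: one finding per line, "<line>:<kind>:<entry>"; nothing if clean.
lint_hosts() {
    awk '
    /^[ \t]*#/ { next }            # "#" comment lines, as in the sample file
    {
        for (i = 1; i <= NF; i++) {
            key = tolower($i)      # compare names case-insensitively
            if (key ~ /^[0-9.]+\/[0-9]+$/)      kind = "cidr"       # IP range
            else if (key ~ /\//)                kind = "path"       # URL path
            else if (key !~ /^[a-z0-9.-]+$/ || key !~ /\./ ||
                     key ~ /^[.-]|[.-]$|\.\./)  kind = "invalid"
            else if (key in seen)               kind = "duplicate"
            else { seen[key] = NR; continue }
            printf "%d:%s:%s\n", NR, kind, $i
        }
    }' "$1"
}

# Constructed sample: a few entries taken from the list above.
lint_hosts_demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
### YouTube
youtube.com
googleapis.com
bbc.com/weather
149.34.0.0/16
googleapis.com
NS1.google.com
EOF
    lint_hosts "$tmp"
    rm -f "$tmp"
}

lint_hosts_demo
```

On the router, lint_hosts /etc/config/byedpi.hosts lists the lines to review before the service is restarted.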
Restart and enable the ByeDPI service
service byedpi restart
service byedpi enable
You can check the result by testing the loading speed of the googlevideo.com domain:
curl --connect-to ::speedtest.selectel.ru https://manifest.googlevideo.com/100MB -k -o/dev/null