Installing RuAntiblock using a script (module for OpenWRT) to completely bypass blocking, including YouTube
In this article I will tell you how to install RuAntiBlock to bypass blocking, including YouTube. I have collected all the current methods for speeding up YouTube in a tg channel – for Smart TV, Android, iOS, PC, etc.
The installation using the installer script (autoinstall.sh) is described below; the script installs the necessary dependencies, downloads the files from the repository and performs the initial setup.
Initial requirements
VPN configuration requires a configured and working VPN connection.
In the OpenWrt network settings (Interfaces section), you need to create an interface named VPN. The interface protocol depends on the type of your VPN: for some popular ones (Wireguard, OpenConnect, PPTP, etc.) there are corresponding options in the selection list; in the case of OpenVPN it is an unmanaged interface to which the network device tun0 is bound. Example of creating an unmanaged interface for OpenVPN (network device tun0) from the console using UCI:
uci batch << EOI
set network.VPN='interface'
set network.VPN.proto='none'
set network.VPN.device="tun0"
set network.VPN.defaultroute="0"
set network.VPN.peerdns="0"
set network.VPN.delegate="0"
set network.VPN.auto='1'
EOI
uci commit network
service network restart
Next, you need to add a new firewall zone called vpn (allow outgoing traffic and masquerading, reject incoming traffic and forwarding) and add the previously created OpenWrt interface VPN to it:
section_name=$(uci add firewall zone)
uci batch << EOI
set firewall.${section_name}.name="vpn"
set firewall.${section_name}.input="REJECT"
set firewall.${section_name}.output="ACCEPT"
set firewall.${section_name}.forward='REJECT'
set firewall.${section_name}.masq='1'
add_list firewall.${section_name}.network='VPN'
EOI
section_name=$(uci add firewall forwarding)
uci batch << EOI
set firewall.${section_name}.src="lan"
set firewall.${section_name}.dest="vpn"
EOI
uci commit firewall
service firewall restart
For all types of VPN, it is necessary to disable the default route to the VPN tunnel (otherwise all traffic will be completely wrapped in the VPN) and the use of DNS received from the VPN server:
uci set network.VPN.defaultroute=0
uci set network.VPN.peerdns=0
uci commit network
When using OpenVPN, the OpenVPN client configuration file must contain the parameter route-noexec, otherwise OpenVPN will add a default route to its interface and all traffic will go through it.
In the standard configuration, the nftset and dnsmasq configs with block lists are written to tmpfs during an update, i.e. to RAM (/tmp/ruantiblock and /tmp/dnsmasq.d respectively). When the system starts after a reboot, the blacklist is updated automatically. If memory is insufficient (128 MB or less), or simply for convenience, you can move the data directories to an external drive after installation.
Dependencies
dnsmasq-full
Tor configuration: tor, tor-geoip
For VPN configuration, you must first install and configure a VPN connection.
In the transparent proxy configuration, you also need to install and configure all the necessary components in advance (for example, Shadowsocks + ss-redir, etc.)
Installation
1. Download the script autoinstall.sh to /tmp, make it executable and run it:
wget --no-check-certificate -O /tmp/autoinstall.sh https://raw.githubusercontent.com/gSpotx2f/ruantiblock_openwrt/master/autoinstall/current/autoinstall.sh && chmod +x /tmp/autoinstall.sh && /tmp/autoinstall.sh
2. After launching, the script asks several configuration questions:
Proxy mode: Tor, VPN or transparent proxy.
Block list selection: your own list (user entries only) or the entire blacklist.
Whether to install luci-app-ruantiblock, the application for LuCI (OpenWrt web interface).
When the Tor configuration is selected, the script installs Tor (if not already installed), downloads the torrc file from the repository and installs it in place of the current config (the old config is backed up in /etc/tor). At the final stage, a blacklist update task is added to cron: 0 3 */3 * * /usr/bin/ruantiblock update (adjust to suit your requirements).
3. After installation
In Tor configurations – if Tor entry nodes are unavailable, you need to configure bridges. Below is an example of a configuration that masks Tor traffic using the obfs4proxy utility. Installing obfs4proxy:
opkg install obfs4proxy
You can get bridge addresses on the page https://bridges.torproject.org/options/: select the obfs4 option in the drop-down list. Each line is the address of an entry node. You need to add them to the Tor config (/etc/torrc), preceding each with the Bridge directive, enable the use of bridges and connect obfs4proxy. Example of an entry in /etc/torrc:
Bridge obfs4 217.160.214.85:8080 B90D1A479D416987DE8CE14BD80B22C0B90917CE cert=A2NvKQ6Fb/sovF+i3qmZqCN8WJsYtupPKltQbmFCLmm4CyMD0LSkN6J+i+E04rUJzAY0DQ iat-mode=0
Bridge obfs4 51.158.146.93:9003 74EEC1AA79F664B6827D092A44C69FF6738A8F58 cert=JySUZrPCrLEVNm9O/oMV2EGueXyJlqNjHRm6ie6FBOAti/nA4arWKAM30PRi/5EFZSXieA iat-mode=0
Bridge obfs4 185.177.207.179:8443 35B6556F164FB4568F90A9570428724B2C77D353 cert=Zdsd5ZgCxGV/ok/GwRFLN/6zIVVTdBbhJ3f7AhO1fvJ370nENc2Z7wk3lRJE07tgLK2FZg iat-mode=0
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
After making changes, check that Tor is working:
/etc/init.d/tor start
In the VPN configuration – specify the name of the VPN interface (for OpenVPN usually tun0; for Wireguard, OpenConnect, PPTP, etc. the name is defined by the user when creating the interface):
uci set ruantiblock.config.if_vpn='tun0'
uci commit ruantiblock
The VPN interface can also be set in the web application: Ruantiblock -> Настройки (Settings) -> Режим VPN (VPN mode).
In the transparent proxy configuration, set the TCP port value on which the transparent proxy accepts connections:
uci set ruantiblock.config.t_proxy_port_tcp='1100'
uci commit ruantiblock
Using Shadowsocks with ss-redir as an example: the TCP port value must match the local port specified in the ss-redir configuration (the value of the startup parameter ss-redir -l <port>, or the local_port parameter in the Shadowsocks config /etc/shadowsocks.json, or the local_port parameter in the UCI config /etc/config/shadowsocks-libev in the corresponding server block). If the traffic of the router's own local applications should also bypass blocking, then the Shadowsocks parameter local_address (or the value of the launch parameter ss-redir -b <ip address>) must be set to 0.0.0.0. In this configuration Shadowsocks accepts connections on all available addresses (including localhost 127.0.0.1, which is required for redirecting local router traffic). It is also necessary to disable traffic redirection in shadowsocks:
uci set shadowsocks-libev.ss_rules.disabled="1"
uci commit shadowsocks-libev
/etc/init.d/shadowsocks-libev restart
Using Redsocks as an example: in the configuration file (/etc/redsocks.conf) this is the local_port parameter in the redsocks block. Also, the transparent proxy must accept incoming connections on the router's LAN address (192.168.0.1 in the example) or on all addresses (0.0.0.0), but not on localhost (127.0.0.1)!
redsocks {
...
local_ip = 192.168.0.1;
local_port = 1100;
...
}
If Redsocks is connected to a local service, i.e. running on a router, then you need to disable proxying of traffic of local router applications in the ruantiblock settings:
uci set ruantiblock.config.proxy_local_clients="0"
uci commit ruantiblock
otherwise Redsocks will not be able to connect to the local service!
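As an added example (not from the article or the ruantiblock project), a small POSIX sh check that a Redsocks config satisfies the two requirements above: local_port equals ruantiblock's t_proxy_port_tcp, and local_ip is the router's LAN address or 0.0.0.0 rather than loopback. The function names and the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check a redsocks.conf against the
# ruantiblock settings above before pointing t_proxy_port_tcp at Redsocks.

# Print one "key = value;" setting from the redsocks { ... } block of a config file.
redsocks_get() {  # $1 = config file, $2 = key (e.g. local_port)
    awk -v key="$2" '
        /^[ \t]*redsocks[ \t]*[{]/        { inblk = 1; next }
        inblk && /^[ \t]*}/               { inblk = 0 }
        inblk && $1 == key && $2 == "="   { sub(/;.*/, "", $3); print $3; exit }
    ' "$1"
}

# Return 0 when the Redsocks listener is usable by ruantiblock:
#  - local_port equals ruantiblock.config.t_proxy_port_tcp
#  - local_ip is the router's LAN address or 0.0.0.0, never loopback
check_redsocks_for_ruantiblock() {  # $1 = config file, $2 = t_proxy_port_tcp, $3 = LAN ip
    port=$(redsocks_get "$1" local_port)
    ip=$(redsocks_get "$1" local_ip)
    [ -n "$port" ] && [ -n "$ip" ] || { echo "redsocks block lacks local_ip/local_port" >&2; return 1; }
    [ "$port" = "$2" ] || { echo "local_port $port differs from t_proxy_port_tcp $2" >&2; return 1; }
    case "$ip" in
        127.*)        echo "local_ip $ip is loopback: redirected LAN traffic cannot reach it" >&2; return 1 ;;
        0.0.0.0|"$3") return 0 ;;
        *)            echo "local_ip $ip is neither 0.0.0.0 nor LAN address $3" >&2; return 1 ;;
    esac
}

# Constructed sample configs (written to temp files; not real router files).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
redsocks {
    local_ip = 192.168.0.1;
    local_port = 1100;
    ip = 127.0.0.1;
    port = 1080;
    type = socks5;
}
EOF
cat > "$BAD_CONF" <<'EOF'
redsocks {
    local_ip = 127.0.0.1;
    local_port = 1100;
}
EOF

check_redsocks_for_ruantiblock "$GOOD_CONF" 1100 192.168.0.1 && echo "redsocks.conf OK for t_proxy_port_tcp=1100"
```

On the router, replace the temp file with /etc/redsocks.conf and take the port from `uci get ruantiblock.config.t_proxy_port_tcp`.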
In VPN and transparent proxy configurations, it makes sense to add the IP address of your VPN server (or proxy server) to the list of IP addresses excluded from bypassing blocking. This ensures that the service traffic of the VPN tunnel itself (or connection to the proxy) will always pass directly, without falling into the ruantiblock rules. For example, if the IP address of the VPN server is 217.23.3.91:
uci set ruantiblock.config.bypass_ip_mode="1"
uci add_list ruantiblock.config.bypass_ip_list="217.23.3.91"
uci commit ruantiblock
The configs with the nftables and dnsmasq block lists created during updates will be located in /tmp/ruantiblock and /tmp/dnsmasq.d. If your router has USB (or eSATA, etc.), it is strongly recommended to move the data directories to an external drive.
It is worth mentioning that when the script /usr/bin/ruantiblock is called with the parameters start, update or destroy, dnsmasq is always restarted.
It is also necessary to configure encryption of DNS traffic (dnscrypt-proxy, https-dns-proxy, etc.) and interception of third-party DNS traffic from local network hosts. In the fqdn blocking bypass mode, all hosts in the local network (for which blocking bypass should work) must use the router's DNS server. Therefore, in the settings of mobile devices and browsers, you need to disable the “secure DNS” option (i.e. the configuration in which the device or program uses third-party encrypted DNS servers, ignoring the router).
First launch
After completing the setup, reboot the device, then check if ruantiblock is enabled and if the list of blockings was updated at startup:
/usr/bin/ruantiblock status
If no errors occur, try updating your block list:
/usr/bin/ruantiblock update
After all of the above, try to visit any blocked site from your PC or another device in the local network. Note that after launch Tor may take several minutes to initialize.
You can check whether packets are going through nftables rules in the ruantiblock status output in the console:
/usr/bin/ruantiblock status
The Nftables rules block of the output contains counters for the rules for IP addresses, CIDR ranges and the IP addresses added by dnsmasq. When a blocked site or IP is requested, the corresponding counters increase.