Installing RuAntiblock using a script (module for OpenWRT) to completely bypass blocking, including YouTube

In this article I will explain how to install RuAntiBlock to bypass blocking, including YouTube. I have collected all the current methods for speeding up YouTube in my Telegram channel: for Smart TV, Android, iOS, PC, etc.

Below is the installation using the installer script (autoinstall.sh), which installs the necessary dependencies, downloads files from the repository and performs the initial setup.

Initial requirements

  • VPN configuration requires a configured and working VPN connection.

  • In the OpenWrt network settings (the Interfaces section), you need to create an interface named VPN. The interface protocol depends on the type of your VPN: for some popular ones (Wireguard, OpenConnect, PPTP, etc.) there are corresponding options in the selection list; for OpenVPN it is an unmanaged interface bound to the tun0 network device. Example of creating an unmanaged interface for OpenVPN (network device tun0) from the console using UCI:

uci batch << EOI
set network.VPN='interface'
set network.VPN.proto='none'
set network.VPN.device="tun0"
set network.VPN.defaultroute="0"
set network.VPN.peerdns="0"
set network.VPN.delegate="0"
set network.VPN.auto='1'
EOI
uci commit network
service network restart

Next, you need to add a new firewall zone called vpn (allow outgoing traffic and masquerading, reject incoming traffic and forwarding) and add the previously created OpenWrt interface VPN to it:

section_name=$(uci add firewall zone)
uci batch << EOI
set firewall.${section_name}.name="vpn"
set firewall.${section_name}.input="REJECT"
set firewall.${section_name}.output="ACCEPT"
set firewall.${section_name}.forward='REJECT'
set firewall.${section_name}.masq='1'
add_list firewall.${section_name}.network='VPN'
EOI
section_name=$(uci add firewall forwarding)
uci batch << EOI
set firewall.${section_name}.src="lan"
set firewall.${section_name}.dest="vpn"
EOI
uci commit firewall
service firewall restart

For all VPN types, the default route into the VPN tunnel must be disabled (otherwise all traffic is sent through the VPN), as must the use of the DNS servers received from the VPN server:

uci set network.VPN.defaultroute=0
uci set network.VPN.peerdns=0
uci commit network

  • When using OpenVPN, the OpenVPN client configuration file must contain the route-noexec parameter; otherwise OpenVPN will add a default route to its interface and all traffic will go through it.

  • In the standard configuration, the nftset and dnsmasq configs with block lists are written to tmpfs during an update, i.e. to RAM (/tmp/ruantiblock and /tmp/dnsmasq.d respectively). When the system starts after a reboot, the blacklist is updated automatically. If memory is short (128 MB or less), or simply for convenience, you can move the data directories to an external drive after installation.
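The two UCI snippets above are easy to get subtly wrong (a default route left enabled, a zone without masquerading, a mangled src in the forwarding), and the result is either a full-tunnel leak or a tunnel nothing reaches. The following audit script is an added example, not part of the article or the ruantiblock project: it reads `uci show network` / `uci show firewall` dumps and checks exactly the settings the requirements above call for. The dumps embedded at the bottom are constructed samples (the section ids cfg0adc1/cfg1adc1 are made up) so the checks run off-router.

```shell
#!/bin/sh
# Added example, not part of the article or the ruantiblock project: audit the output of
# `uci show network` and `uci show firewall` for the VPN interface and zone settings
# described above. The dumps at the bottom are constructed samples so the checks run
# off-router; on a real device call:
#   audit_vpn_network "$(uci show network)"; audit_vpn_firewall "$(uci show firewall)"

# has_line DUMP LINE: succeed if DUMP contains LINE exactly (uci show quotes values with '...')
has_line() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# audit_vpn_network DUMP: 0 when interface VPN exists and will neither take over the default
# route nor replace the router's DNS; prints each problem and returns 1 otherwise.
audit_vpn_network() {
    rc=0
    has_line "$1" "network.VPN=interface" \
        || { echo "FAIL: no interface named VPN"; rc=1; }
    has_line "$1" "network.VPN.defaultroute='0'" \
        || { echo "FAIL: VPN.defaultroute must be 0, or all traffic goes through the tunnel"; rc=1; }
    has_line "$1" "network.VPN.peerdns='0'" \
        || { echo "FAIL: VPN.peerdns must be 0, or DNS from the VPN server would be used"; rc=1; }
    return $rc
}

# audit_vpn_firewall DUMP: 0 when a zone named vpn rejects input/forward, accepts output,
# masquerades, has interface VPN attached, and a lan -> vpn forwarding exists.
audit_vpn_firewall() {
    rc=0
    # section id of the zone: uci show prints it as firewall.<id>.name='vpn'
    zone=$(printf '%s\n' "$1" | sed -n "s/^firewall\.\([^.]*\)\.name='vpn'$/\1/p" | head -n 1)
    if [ -z "$zone" ]; then
        echo "FAIL: no firewall zone named vpn"
        return 1
    fi
    # note: with several interfaces in the zone, uci show prints network='VPN' 'other'
    for kv in "input='REJECT'" "output='ACCEPT'" "forward='REJECT'" "masq='1'" "network='VPN'"; do
        has_line "$1" "firewall.$zone.$kv" || { echo "FAIL: zone vpn: expected $kv"; rc=1; }
    done
    fwd=$(printf '%s\n' "$1" | sed -n "s/^firewall\.\([^.]*\)\.dest='vpn'$/\1/p" | head -n 1)
    if [ -z "$fwd" ] || ! has_line "$1" "firewall.$fwd.src='lan'"; then
        echo "FAIL: no forwarding section with src='lan' and dest='vpn'"
        rc=1
    fi
    return $rc
}

# Constructed sample dumps (section ids cfg0adc1/cfg1adc1 are made up).
SAMPLE_NET_OK="network.VPN=interface
network.VPN.proto='none'
network.VPN.device='tun0'
network.VPN.defaultroute='0'
network.VPN.peerdns='0'
network.VPN.delegate='0'
network.VPN.auto='1'"

# Same interface, but it would install a default route and take DNS from the VPN server.
SAMPLE_NET_BAD="network.VPN=interface
network.VPN.proto='none'
network.VPN.device='tun0'
network.VPN.defaultroute='1'
network.VPN.peerdns='1'"

SAMPLE_FW_OK="firewall.cfg0adc1=zone
firewall.cfg0adc1.name='vpn'
firewall.cfg0adc1.input='REJECT'
firewall.cfg0adc1.output='ACCEPT'
firewall.cfg0adc1.forward='REJECT'
firewall.cfg0adc1.masq='1'
firewall.cfg0adc1.network='VPN'
firewall.cfg1adc1=forwarding
firewall.cfg1adc1.src='lan'
firewall.cfg1adc1.dest='vpn'"

# Zone without masquerading and a forwarding whose src is wrong (as after a bad copy-paste).
SAMPLE_FW_BAD="firewall.cfg0adc1=zone
firewall.cfg0adc1.name='vpn'
firewall.cfg0adc1.input='REJECT'
firewall.cfg0adc1.output='ACCEPT'
firewall.cfg0adc1.forward='REJECT'
firewall.cfg0adc1.masq='0'
firewall.cfg0adc1.network='VPN'
firewall.cfg1adc1=forwarding
firewall.cfg1adc1.src='wan'
firewall.cfg1adc1.dest='vpn'"

# Stand-alone run over the samples
audit_vpn_network "$SAMPLE_NET_OK"  && echo "network sample OK"
audit_vpn_network "$SAMPLE_NET_BAD" || echo "network sample BAD (expected)"
audit_vpn_firewall "$SAMPLE_FW_OK"  && echo "firewall sample OK"
audit_vpn_firewall "$SAMPLE_FW_BAD" || echo "firewall sample BAD (expected)"
```

The checks are string matches on the `uci show` format rather than `uci get` calls, so the same script can be run against a dump copied off a router; the list-option match (network='VPN') assumes VPN is the only interface in the zone.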

Dependencies

  • dnsmasq-full

  • Tor configuration: tor, tor-geoip

  • For VPN configuration, you must first install and configure a VPN connection.

  • In the transparent proxy configuration, you also need to install and configure all the necessary components in advance (for example, Shadowsocks + ss-redir, etc.)

Installation

1. Download the autoinstall.sh script to /tmp, make it executable and run it:

wget --no-check-certificate -O /tmp/autoinstall.sh https://raw.githubusercontent.com/gSpotx2f/ruantiblock_openwrt/master/autoinstall/current/autoinstall.sh && chmod +x /tmp/autoinstall.sh && /tmp/autoinstall.sh

2. After launching, the script asks several configuration questions:

  • Proxy mode: Tor, VPN or transparent proxy.

  • Select a block list: your own list (user entries only) or the entire blacklist.

  • Whether to install luci-app-ruantiblock, the application for LuCI (the OpenWrt web interface).

When the Tor configuration is selected, the script installs Tor (if it is not already installed), downloads the torrc file from the repository and installs it in place of the current config (the old config is backed up in /etc/tor). At the final stage, a blacklist update job is added to cron: 0 3 */3 * * /usr/bin/ruantiblock update (adjust it to your requirements).

3. After installation

  • In Tor configurations: if Tor entry nodes are unavailable, you need to configure bridges. Below is an example configuration that masks Tor traffic using the obfs4proxy utility. Install obfs4proxy:

opkg install obfs4proxy

You can get bridge addresses on the page https://bridges.torproject.org/options/. Select the obfs4 option in the drop-down list. Each line is the address of one entry node. Add them to the Tor config (/etc/torrc), preceding each with the Bridge directive, enable the use of bridges and connect obfs4proxy. Example of the entries in /etc/torrc:

Bridge obfs4 217.160.214.85:8080 B90D1A479D416987DE8CE14BD80B22C0B90917CE cert=A2NvKQ6Fb/sovF+i3qmZqCN8WJsYtupPKltQbmFCLmm4CyMD0LSkN6J+i+E04rUJzAY0DQ iat-mode=0
Bridge obfs4 51.158.146.93:9003 74EEC1AA79F664B6827D092A44C69FF6738A8F58 cert=JySUZrPCrLEVNm9O/oMV2EGueXyJlqNjHRm6ie6FBOAti/nA4arWKAM30PRi/5EFZSXieA iat-mode=0
Bridge obfs4 185.177.207.179:8443 35B6556F164FB4568F90A9570428724B2C77D353 cert=Zdsd5ZgCxGV/ok/GwRFLN/6zIVVTdBbhJ3f7AhO1fvJ370nENc2Z7wk3lRJE07tgLK2FZg iat-mode=0
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy

After making the changes, start Tor and check that it is working:

/etc/init.d/tor start
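A single malformed Bridge line (a fingerprint cut short while copying, a missing cert= field) makes Tor reject the whole torrc, and on a router the only hint is a line in the log. The script below is an added example, not from the article or the Tor project: it lints the obfs4 bridge lines and the two directives that activate them before Tor is started. The torrc text at the bottom is a constructed sample with TEST-NET addresses and made-up fingerprints and certs, not real bridges.

```shell
#!/bin/sh
# Added example, not from the article or the Tor project: lint the bridge lines of a torrc
# before starting Tor, since one malformed Bridge line makes Tor reject the whole config.
# The torrc text below is a constructed sample (TEST-NET addresses, made-up fingerprints and
# certs); on the router run:  lint_torrc_bridges "$(cat /etc/torrc)"

# Shape of one obfs4 bridge line as pasted from bridges.torproject.org:
# transport, ip:port, 40 hex digits of fingerprint, cert=<base64>, iat-mode=0..2
BRIDGE_RE='^Bridge obfs4 ([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5} [0-9A-Fa-f]{40} cert=[A-Za-z0-9+/]+=* iat-mode=[0-2]$'

# lint_torrc_bridges TORRC_TEXT: 0 when every Bridge line is well-formed and bridges are
# actually enabled; prints each problem and returns 1 otherwise.
lint_torrc_bridges() {
    conf=$1
    rc=0
    # Bridge lines that do not match the expected shape ("|| true" keeps set -e quiet when none)
    bad=$(printf '%s\n' "$conf" | grep '^Bridge ' | grep -Ev "$BRIDGE_RE" || true)
    if [ -n "$bad" ]; then
        printf 'FAIL: malformed Bridge line(s):\n%s\n' "$bad"
        rc=1
    fi
    printf '%s\n' "$conf" | grep -q '^Bridge ' \
        || { echo "FAIL: no Bridge lines at all"; rc=1; }
    # Without these two directives the Bridge lines are ignored or the transport cannot start
    printf '%s\n' "$conf" | grep -qx 'UseBridges 1' \
        || { echo "FAIL: 'UseBridges 1' is missing"; rc=1; }
    printf '%s\n' "$conf" | grep -qx 'ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy' \
        || { echo "FAIL: ClientTransportPlugin line for obfs4proxy is missing"; rc=1; }
    return $rc
}

# Constructed sample: placeholder bridges on TEST-NET addresses, not real entry nodes.
SAMPLE_TORRC_OK="Bridge obfs4 192.0.2.10:8080 0123456789ABCDEF0123456789ABCDEF01234567 cert=c29tZUJhc2U2NENlcnRTYW1wbGU iat-mode=0
Bridge obfs4 198.51.100.7:9003 89ABCDEF0123456789ABCDEF0123456789ABCDEF cert=YW5vdGhlclNhbXBsZUNlcnQ iat-mode=0
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy"

# Fingerprint truncated to 16 digits and no ClientTransportPlugin line.
SAMPLE_TORRC_BAD="Bridge obfs4 192.0.2.10:8080 0123456789ABCDEF cert=c29tZUJhc2U2NENlcnRTYW1wbGU iat-mode=0
UseBridges 1"

# Stand-alone run over the samples
lint_torrc_bridges "$SAMPLE_TORRC_OK"  && echo "sample torrc OK"
lint_torrc_bridges "$SAMPLE_TORRC_BAD" || echo "sample torrc BAD (expected)"
```

The lint only covers the obfs4 line shape used in this article; Tor's own `tor --verify-config -f /etc/torrc` remains the authoritative check for the rest of the file.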

In the VPN configuration: specify the name of the VPN interface (for OpenVPN it is usually tun0; for Wireguard, OpenConnect, PPTP, etc. the name is defined by the user when creating the interface):

uci set ruantiblock.config.if_vpn='tun0'
uci commit ruantiblock

The VPN interface can also be set in the web application: Ruantiblock -> Settings -> VPN mode.

In the transparent proxy configuration: set the TCP port on which the transparent proxy accepts connections:

uci set ruantiblock.config.t_proxy_port_tcp='1100'
uci commit ruantiblock

Example with Shadowsocks (ss-redir): the TCP port value must match the local port specified in the ss-redir configuration (the value of the ss-redir -l <port> startup parameter, the local_port parameter in the Shadowsocks config /etc/shadowsocks.json, or the local_port parameter in the corresponding server block of the UCI config /etc/config/shadowsocks-libev). If the traffic of the router's own local applications should also bypass blocking, the Shadowsocks local_address parameter (or the value of the ss-redir -b <ip address> startup parameter) must be set to 0.0.0.0. In this configuration Shadowsocks accepts connections on all available addresses (including localhost 127.0.0.1, which is required for redirecting the router's local traffic). It is also necessary to disable traffic redirection in Shadowsocks:

uci set shadowsocks-libev.ss_rules.disabled="1"
uci commit shadowsocks-libev
/etc/init.d/shadowsocks-libev restart

Example with Redsocks: the port is the local_port parameter in the redsocks block of the configuration file (/etc/redsocks.conf). The transparent proxy must also accept incoming connections on the router's LAN address (192.168.0.1 in the example) or on all addresses (0.0.0.0), but not on localhost (127.0.0.1)!

redsocks {
    ...
    local_ip = 192.168.0.1;
    local_port = 1100;
    ...
}

If Redsocks connects to a local service, i.e. one running on the router, you need to disable proxying of the router's own local application traffic in the ruantiblock settings:

uci set ruantiblock.config.proxy_local_clients="0"
uci commit ruantiblock

otherwise Redsocks will not be able to connect to the local service!
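The transparent proxy rules above are three consistency conditions spread over two configs: the ruantiblock port must equal ss-redir's local_port, ss-redir must listen on 0.0.0.0 when router-local traffic is proxied, and ss_rules must be disabled. The script below is an added example, not from the article or the ruantiblock project, that cross-checks the `uci show ruantiblock` and `uci show shadowsocks-libev` dumps for these conditions; the dumps at the bottom are constructed samples (the ruantiblock section type and the ss_redir section name are assumed for the sample). The Redsocks case has the same shape with local_port/local_ip read from /etc/redsocks.conf instead.

```shell
#!/bin/sh
# Added example, not from the article or the ruantiblock project: cross-check the ruantiblock
# transparent-proxy settings against the shadowsocks-libev UCI config, following the rules
# stated above (port must match ss-redir's local_port, ss-redir must listen on 0.0.0.0 when
# router-local traffic is proxied, ss_rules must be disabled). The dumps are constructed
# samples in `uci show` format; on the router call:
#   audit_tproxy "$(uci show ruantiblock)" "$(uci show shadowsocks-libev)"

# uci_val DUMP KEY: print KEY's value from a `uci show` dump without the surrounding quotes
uci_val() {
    printf '%s\n' "$1" | sed -n "s/^$2='\(.*\)'$/\1/p" | head -n 1
}

# audit_tproxy RUANTIBLOCK_DUMP SHADOWSOCKS_DUMP: 0 when the three conditions hold,
# prints each problem and returns 1 otherwise.
audit_tproxy() {
    rb=$1; ss=$2; rc=0
    port=$(uci_val "$rb" ruantiblock.config.t_proxy_port_tcp)
    local_clients=$(uci_val "$rb" ruantiblock.config.proxy_local_clients)
    # id of the ss_redir section (printed by uci show as shadowsocks-libev.<id>=ss_redir)
    redir=$(printf '%s\n' "$ss" | sed -n 's/^shadowsocks-libev\.\([^.=]*\)=ss_redir$/\1/p' | head -n 1)
    if [ -z "$redir" ]; then
        echo "FAIL: no ss_redir instance in the shadowsocks-libev config"
        return 1
    fi
    ss_port=$(uci_val "$ss" "shadowsocks-libev.$redir.local_port")
    ss_addr=$(uci_val "$ss" "shadowsocks-libev.$redir.local_address")
    [ -n "$port" ] && [ "$port" = "$ss_port" ] \
        || { echo "FAIL: t_proxy_port_tcp='$port' but ss-redir local_port='$ss_port'"; rc=1; }
    # Router-local traffic is redirected via 127.0.0.1, so ss-redir must listen on all addresses.
    # Only an explicit proxy_local_clients='1' is treated as enabled (assumption for the example).
    if [ "$local_clients" = "1" ] && [ "$ss_addr" != "0.0.0.0" ]; then
        echo "FAIL: proxy_local_clients=1 but ss-redir local_address='$ss_addr' (need 0.0.0.0)"
        rc=1
    fi
    [ "$(uci_val "$ss" shadowsocks-libev.ss_rules.disabled)" = "1" ] \
        || { echo "FAIL: ss_rules must be disabled; ruantiblock does the redirecting"; rc=1; }
    return $rc
}

# Constructed samples (section type 'config' and ss_redir section name are assumed).
SAMPLE_RB="ruantiblock.config=config
ruantiblock.config.t_proxy_port_tcp='1100'
ruantiblock.config.proxy_local_clients='1'"

SAMPLE_SS_OK="shadowsocks-libev.ss_rules=ss_rules
shadowsocks-libev.ss_rules.disabled='1'
shadowsocks-libev.ss_redir=ss_redir
shadowsocks-libev.ss_redir.server='sss0'
shadowsocks-libev.ss_redir.local_address='0.0.0.0'
shadowsocks-libev.ss_redir.local_port='1100'"

# Wrong port, listening on localhost only, and ss_rules still active.
SAMPLE_SS_BAD="shadowsocks-libev.ss_rules=ss_rules
shadowsocks-libev.ss_rules.disabled='0'
shadowsocks-libev.ss_redir=ss_redir
shadowsocks-libev.ss_redir.server='sss0'
shadowsocks-libev.ss_redir.local_address='127.0.0.1'
shadowsocks-libev.ss_redir.local_port='1080'"

# Stand-alone run over the samples
audit_tproxy "$SAMPLE_RB" "$SAMPLE_SS_OK"  && echo "shadowsocks sample OK"
audit_tproxy "$SAMPLE_RB" "$SAMPLE_SS_BAD" || echo "shadowsocks sample BAD (expected)"
```

Run it after every change to either config: a port mismatch silently drops every redirected connection, while a 127.0.0.1 listener works for LAN clients but not for the router's own traffic, which is the harder failure to notice.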

In VPN and transparent proxy configurations, it makes sense to add the IP address of your VPN server (or proxy server) to the list of IP addresses excluded from bypassing blocking. This ensures that the service traffic of the VPN tunnel itself (or connection to the proxy) will always pass directly, without falling into the ruantiblock rules. For example, if the IP address of the VPN server is 217.23.3.91:

uci set ruantiblock.config.bypass_ip_mode="1"
uci add_list ruantiblock.config.bypass_ip_list="217.23.3.91"
uci commit ruantiblock

The configs created during updates, with the nftables and dnsmasq block lists, are located in /tmp/ruantiblock and /tmp/dnsmasq.d. If your router has USB (or eSATA, etc.), it is strongly recommended to move the data directories to an external drive.

It is worth mentioning that when calling the script /usr/bin/ruantiblock with parameters: start, update or destroy – dnsmasq is always restarted.

It is also necessary to configure encryption of DNS traffic (dnscrypt-proxy, https-dns-proxy, etc.) and interception of third-party DNS traffic from local network hosts. In the fqdn blocking bypass mode, all hosts in the local network (for which the bypass should work) must use the router's DNS server. Therefore, in the settings of mobile devices and browsers you need to disable the "secure DNS" option (i.e. the configuration in which the device or program uses third-party encrypted DNS servers, ignoring the router).

First launch

After completing the setup, reboot the device, then check if ruantiblock is enabled and if the list of blockings was updated at startup:

/usr/bin/ruantiblock status

If no errors occur, try updating your block list:

/usr/bin/ruantiblock update

After all of the above, try to visit any blocked site from your PC or another device in the local network. Please note that after launching, Tor may take several minutes to initialize.

You can check whether packets are going through nftables rules in the ruantiblock status output in the console:

/usr/bin/ruantiblock status

The "Nftables rules" block contains counters for the rules for IP addresses, CIDR ranges and the IP addresses that dnsmasq adds. When a blocked site or IP is requested, the corresponding counters increase.
