
OpenWRT + OpenVPN: point bypass blocking

As someone who works on the Internet all the time, I am used to full and unimpeded access to all of its resources, regardless of their content, and since I provide some of those resources myself (I work at a hosting provider), I simply need such access.

Bypassing the blocking is not that hard; there are many ways to do it. The most common and stable of them is a VPN. But a VPN has a big drawback: loss of speed, higher ping, and so on. That gave me the idea of using the VPN only to bypass the blocks and reaching every other resource directly through the provider.

I will do all of this on a TP-Link WR841N router, so that every device on the network, not just my work computer, gets unhindered access to the Internet.

First we need to set up an OpenVPN server or use a VPN provider's service. If you decide to set up your own server, I would recommend OpenVPN Access Server: it is quick and easy to deploy and it also has a web interface. Simply install the package and set a password for the openvpn account.
I will not describe how to flash the router with OpenWRT; there is already an article on that. Moreover, there is even a solution to the problem of OpenVPN being missing from the OpenWRT firmware for the TP-Link WR841N: this article. The only thing I had to change from that article was to tweak the init script a bit, since there was a problem with autorun, and I also added a condition so that the script downloads the OpenVPN distribution only on the first launch rather than on every launch.

Here is the script:

#!/bin/sh /etc/rc.common
# OpenWRT init script: fetches OpenVPN into /tmp on the first start after boot, then launches it
START=99

start() {
    local TMPPATH=/tmp/openvpn
    # Download and unpack the packages only if openvpn is not already in /tmp
    # (/tmp is cleared on reboot, so this happens once per boot)
    if [ ! -f "${TMPPATH}/usr/sbin/openvpn" ]; then
        sleep 60    # give the WAN link time to come up
        [ ! -d ${TMPPATH} ] && mkdir ${TMPPATH}
        cd ${TMPPATH}
        opkg update || exit 1
        # take the .ipk path out of opkg's "Downloaded ..." line and strip the trailing dot
        tar xzf $(opkg download libopenssl | grep Downloaded | cut -d' ' -f4 | sed '$s/.$//')
        tar xzf data.tar.gz
        tar xzf $(opkg download openvpn-openssl | grep Downloaded | cut -d' ' -f4 | sed '$s/.$//')
        tar xzf data.tar.gz
        rm -f pkg.tar.gz data.tar.gz control.tar.gz debian-binary getopenvpn.sh
        # expose the unpacked libraries without touching the read-only rootfs
        for i in $(ls ${TMPPATH}/usr/lib)
        do
            [ ! -f /usr/lib/$i ] && ln -s /tmp/openvpn/usr/lib/$i /usr/lib/$i
        done
    fi
    ${TMPPATH}/usr/sbin/openvpn --writepid /tmp/ovpn_ciberterminal.pid --daemon --cd /etc/openvpn --config my.conf
}

stop() {
    # find the running openvpn process and stop it
    PIDOF=$(ps | egrep openvpn | egrep -v grep | awk '{print $1}')
    kill ${PIDOF}
}

So, let's say we have a router with OpenWRT and OpenVPN installed. The file we need is the OpenVPN connection configuration; mine is at /etc/openvpn/my.conf. Add the following parameters to it:

route-noexec              # do not apply routes pushed by the server, so no default route goes through the VPN
auth-user-pass login.conf # read the username and password from this file
keepalive 3 10            # ping every 3 seconds, restart the connection after 10 seconds without a reply
persist-tun               # keep the tun/tap device open across reconnects
persist-key               # keep the keys in memory across reconnects

Create the /etc/openvpn/login.conf file in the following format:

yourlogin
yourpassword

Accordingly, yourlogin and yourpassword need to be replaced with your own credentials, in case that was not obvious.

Create the script /etc/openvpn/unban.sh, which will download the list of blocked IP addresses and add the routes:

unban.sh:

#!/bin/sh
# Find the VPN tunnel interface; do nothing if the tunnel is not up
TUN=$(ifconfig | grep tun | awk '{print $1}')
MIN_ROUTES="15"
if [ "$TUN" = "" ]; then
    exit
fi
# If the routing table already holds more than MIN_ROUTES entries,
# the routes have been added already and there is nothing to do
CHECK_ROUTES=$(route | wc -l)
if [ "$CHECK_ROUTES" -gt "$MIN_ROUTES" ]; then
    exit
fi
# Send DNS queries through the tunnel (Google and Yandex DNS)
route add 8.8.8.8/32 dev $TUN
route add 8.8.4.4/32 dev $TUN
route add 77.88.8.8/32 dev $TUN
# Download the block list and collapse every address to its /24 network
wget "http://reestr.rublacklist.net/api/ips" -O /tmp/ip_list
LIST=$(cat /tmp/ip_list | sed 's/;/\n/g' | grep -v '"' | awk -F. '{print $1"."$2"."$3".0/24"}' | sort | uniq)
for IP in $LIST
do
    echo "Adding $IP..."
    route add -net $IP dev $TUN
done
# Keep the VPN server itself reachable through the provider's default gateway
REMOTE_IP=$(cat /etc/openvpn/my.conf | grep remote | tail -n1 | awk '{print $2}')
DEFAULT_GW=$(route | grep default | awk '{print $2}')
route add ${REMOTE_IP}/32 gw $DEFAULT_GW
rm -rf /tmp/ip_list

I will describe some nuances:

1. My provider, as it turned out, intercepts DNS requests and returns a fake IP for blocked sites, so to avoid this you must send DNS requests through the VPN. If you use other DNS servers, adjust these lines:

route add 8.8.8.8/32 dev $TUN
route add 8.8.4.4/32 dev $TUN
route add 77.88.8.8/32 dev $TUN

replacing the Google and Yandex DNS addresses with those of your own DNS servers.

2. The MIN_ROUTES variable sets the number of routes up to which the script keeps running: if the table already holds more than this many routes, the script assumes they have been added and exits. Before running this script I normally have no more than 15 routes in the table; if you have more, raise MIN_ROUTES to the smallest value that is not below the number of routes you already have. You can check that number with the command route | wc -l.

3. Because my router is very weak, it cannot handle all 30,000 routes: sometimes it drops them, and adding all 30k routes took about 5 minutes or even more. So I had to find a way to shorten the list of routes. The solution was to add routes for /24 subnets instead, which reduced the list to a little over 8,000. If your router can handle a large number of routes, replace the LIST variable with:

LIST=$(cat /tmp/ip_list | sed 's/;/\n/g' | grep -v '"' | sort | uniq)

4. The subnet containing my VPN server was itself in the block list, so the script was sending the route to the VPN server itself into the tunnel; I had to add these lines to the script:

REMOTE_IP=$(cat /etc/openvpn/my.conf | grep remote | tail -n1 | awk '{print $2}')
DEFAULT_GW=$(route | grep default | awk '{print $2}')
route add ${REMOTE_IP}/32 gw $DEFAULT_GW

If you do not have such a problem, it can be removed from the script.
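As an added example (not code from the original article), here is the /24 aggregation from nuance 3 done with validation of each entry: unban.sh feeds whatever the plain-HTTP download returns straight into route add, so checking that every token is a well-formed IPv4 address keeps malformed or unexpected entries out of the routing table. The SAMPLE_LIST value is constructed for illustration and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original article: validate the downloaded
# block list before any of it reaches `route add`. The format assumed is the one
# unban.sh expects (entries separated by ';', quoted strings to be skipped).
# Only well-formed dotted-quad IPv4 addresses are kept and collapsed to /24
# networks; hostnames, CIDR strings or stray text from a changed feed are dropped.
set -f   # no pathname expansion while splitting untrusted input

# Constructed sample of what /tmp/ip_list might contain (not real feed data).
SAMPLE_LIST='1.2.3.4;1.2.3.77;"not-an-ip";5.6.7.8;5.6.7.9;bad;9.9.9.9/32;10.0.0.300'

# is_ipv4 ADDR: succeeds only for exactly four decimal octets in 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;    # empty or contains a non-digit
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# to_slash24 LIST: one unique "a.b.c.0/24" line per valid address, sorted,
# i.e. the same aggregation the awk one-liner in unban.sh performs.
to_slash24() {
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r entry; do
        is_ipv4 "$entry" || continue           # skip anything that is not an IPv4
        printf '%s\n' "${entry%.*}.0/24"       # drop the last octet, append .0/24
    done | sort -u
}

# count_slash24 LIST: how many /24 routes the list would produce.
count_slash24() {
    to_slash24 "$1" | wc -l | tr -d ' '
}

# Show the routes unban.sh would add for the sample list.
to_slash24 "$SAMPLE_LIST"
```

For the sample list only 1.2.3.0/24 and 5.6.7.0/24 come out; the quoted string, the CIDR entry and the address with an octet above 255 are all discarded instead of being turned into routes.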

Next, start the cron task scheduler and enable its autostart:

/etc/init.d/cron start
/etc/init.d/cron enable

Run the crontab -e command and add the task to the scheduler:

 */5 * * * * /bin/sh /etc/openvpn/unban.sh 

The script will run every 5 minutes and check whether the routes need to be added. You can change the frequency as you see fit.

Many will probably want to ask why use cron when you could just add something like "up unban.sh" to the OpenVPN config file so that the script runs right after the connection is established. My answer: when the VPN connection restarts, the routes are reset, but the script is not executed again.

PS Just in case: all the material in this article is for informational purposes only and is not a call to action.

Source: https://habr.com/ru/post/317354/
