
About the peculiarities of using the Zaborona VPN on routers for bypassing website blocking in Ukraine

Hello.

Previously, it was written about website blocking in Ukraine, about workarounds, and about Zaborona.Help itself, a great resource for solving this problem (zhovner, great respect and thanks!).

Below is personal practical experience that may be useful to other users working in Ukraine. Everyone else may find only the theoretical aspect interesting.

So, there is a small network that works through a router. In my specific case it is an Asus router running the latest version of the Merlin custom firmware. The settings of this router are described here, and they worked fine until the onset of 2018 :)
The fact is that a number of providers have organized a new type of blocking: the substitution now happens at the DNS level, so the name resolves to an internal resource. As a result, ping succeeds but the resource does not open. The most advanced providers have configured their DNS so that the substitution happens only for queries from inside their own network, for example:

For external requests:

$ nslookup www.yandex.ru 194.50.85.5
DNS: dns-5.la.net.ua
Address: 194.50.85.5

www.YANDEX.ru
Addresses: 2a02:6b8:a::a
           77.88.55.50
           5.255.255.77
           77.88.55.60
           5.255.255.50

For requests from within the provider's network:

$ nslookup www.yandex.ru 194.50.85.5
DNS: dns-5.la.net.ua
Address: 194.50.85.5

www.yandex.ru
Address: 194.50.85.44
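A small check that makes this kind of substitution visible, written as an added example (not code from the post or from Zaborona.Help): it parses two nslookup-style transcripts, one taken from outside and one from inside the provider's network, and flags the inside answer when it shares no address with the outside answer, when it falls into the resolver's own netblock (assumed here to be the resolver's /24, since the fake address above sits in the same /24 as the DNS server), or when it is a private address. The transcripts are constructed from the output shown above.

```python
import ipaddress
import re

# Constructed samples mirroring the two lookups above (standard nslookup layout).
EXTERNAL_LOOKUP = """\
Server:  dns-5.la.net.ua
Address: 194.50.85.5

Name:      www.yandex.ru
Addresses: 2a02:6b8:a::a
           77.88.55.50
           5.255.255.77
           77.88.55.60
           5.255.255.50
"""

INTERNAL_LOOKUP = """\
Server:  dns-5.la.net.ua
Address: 194.50.85.5

Name:    www.yandex.ru
Address: 194.50.85.44
"""


def parse_nslookup(text):
    """Return the set of answer addresses, skipping the resolver's own header."""
    answers, in_answer = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            in_answer = True          # everything after "Name:" is the answer section
            continue
        if not in_answer:
            continue                  # "Server:" / "Address:" header lines are the resolver itself
        for token in re.sub(r"^Address(es)?:", "", line).split():
            try:
                answers.add(ipaddress.ip_address(token))
            except ValueError:
                pass                  # not an address (e.g. stray text)
    return answers


def detect_substitution(external, internal, resolver_ip, prefixlen=24):
    """List the reasons the inside answer looks substituted; empty list = consistent.
    prefixlen is an assumed heuristic for the resolver's own netblock."""
    reasons = []
    if external and internal and internal.isdisjoint(external):
        reasons.append("inside answer shares no address with the outside answer")
    resolver_net = ipaddress.ip_network(f"{resolver_ip}/{prefixlen}", strict=False)
    for addr in sorted(internal, key=str):
        if addr.version == 4 and addr in resolver_net:
            reasons.append(f"{addr} lies in the resolver's own block {resolver_net}")
        if addr.is_private:
            reasons.append(f"{addr} is a private address")
    return reasons
```

Run against the two samples, the inside answer is flagged twice (disjoint answer set, and 194.50.85.44 inside 194.50.85.0/24), while comparing the outside answer with itself yields no findings.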
The original Zaborona.Help instructions for Asus routers contain no additional DNS settings (neither for Merlin nor for the stock firmware), although for DD-WRT there is one. At the same time, the block-outside-dns option, which solves the problem on a Windows client, obviously does not work on *nix and router firmware.

The obvious solution is to simply replace the provider's DNS with Google's (8.8.8.8, 8.8.4.4) or with the ones offered by Zaborona.Help (74.82.42.42, 77.88.8.8), but in that case some internal resources (IPTV, for example) will work with problems, if they work at all.

The Merlin firmware for Asus (and perhaps others, I did not check) has a VPN client option called "Accept DNS Configuration". According to the authors:
Disabled = DNS servers sent by the VPN server are ignored
Relaxed = DNS servers sent by the VPN server are added to the list of DNS servers
Strict = DNS servers sent by the VPN server are used first; the other DNS servers are used as a fallback
Exclusive = only the VPN-provided DNS servers are used
- it looks like the whole solution to our problem is to switch the setting to "Strict", in which case the DNS from the VPN gets top priority and the provider's DNS is only used if there is no response from the VPN, which should solve the problem with internal resources. Perhaps this is how it works in Tomato, but at the moment this option really works on Merlin only for policy-based traffic redirection (Redirect Internet traffic = Policy Rules).

OK, I decided to do the work twice (the routing is already pushed automatically by the Zaborona.Help server, but fine, we will write it on the router as well) and used a simple script:

#!/bin/sh
# $1 is the VPN Client instance    # Required
# $2 is the LAN source/subnet      # Optional - default is 'all'

if [ -z "$1" ]; then
  logger -st "($(basename $0))" $$ "Missing VPN Client arg1"
  exit 999
fi

SRC='all'
if [ ! -z "$2" ]; then
  SRC=$2
fi

# Fetch the blocked-address list, keep only IPv4 entries (drop IPv6 lines
# containing ':', comment lines and empty lines).
for IP in $(curl https://zaborona.help/ips.txt -s | grep -v ":" | grep -v "^#" | grep .)
do
  # Delete any stale rule first so re-running on reconnect does not duplicate it,
  # then route traffic for this destination via the VPN client's routing table.
  ip rule del from $SRC to $IP table ovpnc$1 prio 8000 2> /dev/null > /dev/null
  ip rule add from $SRC to $IP table ovpnc$1 prio 8000
done

The script is launched automatically on the router on the OpenVPN client connection event, with Accept DNS Configuration = Strict. In this configuration everything works.

A mixed feeling remains: the problem is solved, but with crutches:

  1. For some reason, the Accept DNS Configuration option in the Merlin firmware works in an incomprehensible way: it is useless without setting up a policy-based redirect.
  2. I'd like to believe that zaborona.help/ips.txt is always up to date.

PS The administration of Zaborona.Help was notified about the problems with the settings yesterday; apart from an acknowledgement, nothing has changed so far. The authors of the Merlin firmware were also notified about the problem with Accept DNS Configuration; there was no reaction.
PPS A big request to politicized readers: stop writing nonsense to me in private messages, threatening karma downvotes, etc. There are separate resources for you that have nothing to do with IT. Thanks.

Source: https://habr.com/ru/post/346386/
