From 1eb95f50f572f408e341566d4ca6462d8dbab268 Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Sat, 3 Aug 2024 01:55:19 +0300 Subject: [PATCH] Kyber on Chromium --- README.md | 2 ++ owrt/537-youtubeUnblock.nft | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2baa680..14a41c9 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,8 @@ Available flags: - -DNO_FAKE_SNI This flag disables -DFAKE_SNI which forces youtubeUnblock to send at least three packets instead of one with TLS ClientHello: Fake ClientHello, 1st part of original ClientHello, 2nd part of original ClientHello. This flag may be related to some Operation not permitted error messages, so befor open an issue refer to FAQ for EPERMS. - -DNOUSE_GSO This flag disables fix for Google Chrome fat ClientHello. The GSO is well tested now, so this flag probably won't fix anything. +If you are on Chromium you may have to disable kyber (the feature that makes the TLS ClientHello very fat). I've got the problem with it on router, so to escape possibly errors it is better to just disable it: in chrome://flags search for kyber and switch it to disabled state. + ### Troubleshooting EPERMS (Operation not permitted) EPERM may occur in a lot of places but generally here are two: mnl_cb_run and when sending the packet via rawsocket (raw_frags_send and send fake sni). - mnl_cb_run Operation not permitted indicates that another instance of youtubeUnblock is running on the specified queue-num. diff --git a/owrt/537-youtubeUnblock.nft b/owrt/537-youtubeUnblock.nft index e774b46..34f7c84 100644 --- a/owrt/537-youtubeUnblock.nft +++ b/owrt/537-youtubeUnblock.nft @@ -1,5 +1,5 @@ #!/usr/sbin/nft -f # This file -add rule inet fw4 mangle_forward tcp dport 443 ct packets < 20 counter queue num 537 bypass +insert rule inet fw4 mangle_forward tcp dport 443 ct packets < 20 counter queue num 537 bypass insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept