From fa0552ba662527093ece29bdd51058233516e1b6 Mon Sep 17 00:00:00 2001
From: Vadim Vetrov
Date: Thu, 15 Aug 2024 14:10:38 +0300
Subject: [PATCH 1/6] #71

---
 owrt/537-youtubeUnblock.nft | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/owrt/537-youtubeUnblock.nft b/owrt/537-youtubeUnblock.nft
index 88c6881..eab155a 100644
--- a/owrt/537-youtubeUnblock.nft
+++ b/owrt/537-youtubeUnblock.nft
@@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
 # This file install nftables rules for openwrt
-insert rule inet fw4 mangle_forward tcp dport 443 ct original packets < 20 counter queue num 537 bypass
+add rule inet fw4 mangle_forward tcp dport 443 ct original packets < 20 counter queue num 537 bypass
 insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept
From 551fb5d38dc694182e27585107259342436a6efe Mon Sep 17 00:00:00 2001
From: Vadim Vetrov
Date: Sat, 17 Aug 2024 12:55:08 +0300
Subject: [PATCH 2/6] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b2beaaf..d187289 100644
--- a/README.md
+++ b/README.md
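Review bot: In owrt/537-youtubeUnblock.nft the mangle_forward rule now uses `add rule` (appended after whatever fw4 already has in that chain) while the output rule below it still uses `insert rule` (placed first), and neither the file nor the commit message (`#71`) records why the two differ. Because rule order decides which packets reach `queue num 537`, a comment above the rule would keep a later edit from switching it back, for example `# appended on purpose so fw4's own mangle_forward rules run first (issue #71)`. The reason given in that comment is inferred from the change and should be checked against the issue before it is committed.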
@@ -24,7 +24,7 @@ Bypasses Deep Packet Inspection (DPI) systems that relies on SNI. The package is
 The program was primarily developed to bypass YouTube Outage in Russia, but it works good with other websites blocked by SNI. Adjust the list of websites via `--sni-domains` flag for the program.
-The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS) and host machines. The program offers binaries via [Github Actions](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-ci.yml). If you haven't access to Github Actions, the program offers [development pre-release](https://github.com/Waujito/youtubeUnblock/releases/tag/continuous) which follows the latest commit in main branch with binaries included as assets. On OpenWRT you can check the architecture of your device with command `grep ARCH /etc/openwrt_release`.
+The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS) and host machines. The program offers binaries via Github Actions. The binaries of main branch are published in the [development pre-release](https://github.com/Waujito/youtubeUnblock/releases/tag/continuous). Check out [Github Actions](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-ci.yml) if you want to see all the binaries compiled ever. You should know the arcitecture of your hardware to use binaries. On OpenWRT you can check it with command `grep ARCH /etc/openwrt_release`.
 On both OpenWRT and Entware install the program with opkg. If you got read-only filesystem error you may unpack the binary manually or specify opkg path `opkg -o `.
From e62d76e1d663896c6ec34100885e6fd4c3cebe0c Mon Sep 17 00:00:00 2001
From: Vadim Vetrov
Date: Wed, 21 Aug 2024 11:53:10 +0300
Subject: [PATCH 3/6] pastseq by default

Pastseq is a way more stable than randseq since some providers just drop packets with invalid conntrack state.
---
 config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config.h b/config.h
index beb08f4..5de4260 100644
--- a/config.h
+++ b/config.h
@@ -87,7 +87,7 @@ extern struct config_t config;
 #ifndef FAKING_STRATEGY
-#define FAKING_STRATEGY FAKE_STRAT_RAND_SEQ
+#define FAKING_STRATEGY FAKE_STRAT_PAST_SEQ
 #endif
 #if !defined(SILENT) && !defined(KERNEL_SPACE)
From c10393983ae2ff13f64c9782a64a512f484904c3 Mon Sep 17 00:00:00 2001
From: Vadim Vetrov
Date: Wed, 21 Aug 2024 12:25:13 +0300
Subject: [PATCH 4/6] Fix bug with pastseq and frag-sni-faked

---
 logging.h | 7 +++++--
 mangle.c | 9 +++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/logging.h b/logging.h
index 60b21eb..29a6ba9 100644
--- a/logging.h
+++ b/logging.h
@@ -24,8 +24,11 @@
 #define lgdebugmsg(msg, ...) \
 (LOG_LEVEL >= VERBOSE_DEBUG ? printf(msg "\n", ##__VA_ARGS__) : 0)
-#define lgtracemsg(msg, ...) \
-(LOG_LEVEL >= VERBOSE_TRACE ? printf(msg "\n", ##__VA_ARGS__) : 0)
+
+#define lgtrace(msg, ...) \
+(LOG_LEVEL >= VERBOSE_TRACE ? printf(msg, ##__VA_ARGS__) : 0)
+
+#define lgtracemsg(msg, ...) lgtrace(msg "\n", __VA_ARGS__)
 #define lgtrace_start(msg, ...) \
 (LOG_LEVEL >= VERBOSE_TRACE ? printf("[TRACE] " msg " ( ", ##__VA_ARGS__) : 0)
diff --git a/mangle.c b/mangle.c
index bfb1932..4c0a83f 100644
--- a/mangle.c
+++ b/mangle.c
@@ -382,6 +382,12 @@ send_fake:
 }
 memcpy(fake_pad, frag2, iphfl + tcphfl);
 memset(fake_pad + iphfl + tcphfl, 0, f2len - iphfl - tcphfl);
+ struct tcphdr *fakethdr = (void *)(fake_pad + iphfl);
+ if (config.faking_strategy == FAKE_STRAT_PAST_SEQ) {
+ lgtrace("frag fake sent with %d -> ", ntohl(fakethdr->seq));
+ fakethdr->seq = htonl(ntohl(fakethdr->seq) - dvs);
+ lgtrace("%d\n", ntohl(fakethdr->seq));
+ }
 ret = fail4_packet(fake_pad, f2len);
 if (ret < 0) {
 lgerror("Failed to fail packet", ret);
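Review bot: In logging.h the rewritten `lgtracemsg` forwards `__VA_ARGS__` without the `##` that the other macros visible in this hunk use, so a call with only a format string expands to `lgtrace(msg "\n", )` and depends on how the preprocessor treats an empty variadic argument. Writing it as `#define lgtracemsg(msg, ...) lgtrace(msg "\n", ##__VA_ARGS__)` matches `lgdebugmsg` and `lgtrace_start` and removes the dangling comma. The new `lgtrace` also hands `msg` to `printf` as the format with no literal concatenated to it, so a short comment above it such as `/* msg must be a string literal, never packet or user data */` would document the constraint.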
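Review bot: Under `FAKE_STRAT_PAST_SEQ` the fake fragment built in the `send_fake` path of mangle.c has its sequence number rewound twice with no comment saying so: this hunk subtracts `dvs`, and `fail4_packet`, called right after, subtracts `dlen` again in its own `FAKE_STRAT_PAST_SEQ` branch (second mangle.c hunk). If the double shift is the intended fix, a comment on the new block should say so, e.g. `/* fail4_packet() rewinds seq by dlen as well; dvs covers the offset of this fragment */`; that wording is a guess, because `dvs` is defined outside the hunk. Separately, the added trace calls print `ntohl(...)`, an unsigned 32-bit value, with `%d`, so sequence numbers above 2^31 show up negative in the log; `%u` fits here and in the two `lgtrace` lines added to `fail4_packet`.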
@@ -752,7 +758,10 @@ int fail4_packet(uint8_t *payload, uint32_t plen) {
 tcph->ack_seq = random();
 #endif
 } else if (config.faking_strategy == FAKE_STRAT_PAST_SEQ) {
+ lgtrace("fake sent with %d -> ", ntohl(tcph->seq));
 tcph->seq = htonl(ntohl(tcph->seq) - dlen);
+ lgtrace("%d\n", ntohl(tcph->seq));
+
 } else if (config.faking_strategy == FAKE_STRAT_TTL) {
 iph->ttl = config.faking_ttl;
 }
From de9b42ae466c2b5d6a67a3ff7e689b39c9fcdbf5 Mon Sep 17 00:00:00 2001
From: Denis Strizhkin
Date: Wed, 21 Aug 2024 18:33:05 +0300
Subject: [PATCH 5/6] add options of choosing to use system libs

---
 uspace.mk | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/uspace.mk b/uspace.mk
index 127f6f1..db43b15 100644
--- a/uspace.mk
+++ b/uspace.mk
@@ -1,3 +1,6 @@
+#Check for using system libs
+USE_SYS_LIBS := no
+
 #Userspace app makes here
 BUILD_DIR := $(CURDIR)/build
 DEPSDIR := $(BUILD_DIR)/deps
@@ -5,8 +8,14 @@ DEPSDIR := $(BUILD_DIR)/deps
 CC:=gcc
 CCLD:=$(CC)
 LD:=ld
-override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -I$(DEPSDIR)/include -std=gnu11
-override LDFLAGS += -L$(DEPSDIR)/lib
+
+ifeq ($(USE_SYS_LIBS), no)
+ override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -I$(DEPSDIR)/include -std=gnu11
+ override LDFLAGS += -L$(DEPSDIR)/lib
+ REQ = $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO)
+else
+ override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -std=gnu11
+endif
 LIBNFNETLINK_CFLAGS := -I$(DEPSDIR)/include
 LIBNFNETLINK_LIBS := -L$(DEPSDIR)/lib
@@ -67,11 +76,11 @@ $(LIBNETFILTER_QUEUE): $(LIBNFNETLINK) $(LIBMNL)
 $(MAKE) -C deps/libnetfilter_queue
 $(MAKE) install -C deps/libnetfilter_queue
-$(APP): $(OBJS) $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO)
+$(APP): $(OBJS) $(REQ)
 @echo 'CCLD $(APP)'
 $(CCLD) $(OBJS) -o $(APP) $(LDFLAGS) -lmnl -lnetfilter_queue -lpthread
-$(BUILD_DIR)/%.o: %.c $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO) config.h
+$(BUILD_DIR)/%.o: %.c $(REQ) config.h
 @echo 'CC $@'
 $(CC) -c $(CFLAGS) $(LDFLAGS) $< -o $@
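Review bot: In the `@@ -5,8 +8,14 @@` hunk of uspace.mk, `ifeq ($(USE_SYS_LIBS), no)` sends every value other than the exact string `no` down the system-library branch, so a typo or `USE_SYS_LIBS=No` silently drops the bundled `-I`/`-L` paths and the `REQ` prerequisites and links against whatever the host provides. Testing the positive value for the system branch (`ifeq ($(USE_SYS_LIBS), yes)`) or rejecting anything unexpected with `$(error USE_SYS_LIBS must be yes or no)` makes the choice explicit. The warning flags and `-std=gnu11` are now repeated in both branches; a single `override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -std=gnu11` ahead of the conditional, leaving only `-I$(DEPSDIR)/include`, `-L$(DEPSDIR)/lib` and `REQ` inside it, keeps them from drifting apart. The comment added in the first hunk could also list the accepted values.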
@@ -93,8 +102,9 @@ clean:
 distclean: clean
 rm -rf $(BUILD_DIR)
+ifeq ($(USE_SYS_LIBS), no)
 $(MAKE) distclean -C deps/libnetfilter_queue || true
 $(MAKE) distclean -C deps/libmnl || true
 $(MAKE) distclean -C deps/libnfnetlink || true
 #$(MAKE) distclean -C deps/openssl || true
-
+endif
From 564820ce38231bcbbaecfd2a153da76721e47d47 Mon Sep 17 00:00:00 2001
From: Vadim Vetrov
Date: Mon, 26 Aug 2024 21:21:42 +0300
Subject: [PATCH 6/6] Related to #86

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index d11fe58..cda92d0 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,8 @@ curl -o/dev/null -k --connect-to ::google.com -k -L -H Host:\ mirror.gcr.io http
 ## Flags
+Put flags to the **BINARY**, not an init script. If you are on OpenWRT you should put the flags inside the script: open `/etc/init.d/youtubeUnblock` with any text editor, like vi or nano and put your flags after `procd_set_param command /usr/bin/youtubeUnblock` line.
+
 Available flags:
 - `--sni-domains=|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults is `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled.