From b4607d69f6865d2a2a659d28ee1465d2454037a5 Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Sun, 11 Aug 2024 16:59:41 +0300 Subject: [PATCH 1/3] Update README.md --- README.md | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index d142402..0c85a60 100644 --- a/README.md +++ b/README.md 
@@ -14,35 +14,35 @@ When you got the packet, you should install it. Go to your router interface and So, if you are on iptables you should install: `kmod-ipt-nfqueue`, `iptables-mod-nfqueue`, `kmod-ipt-conntrack-extra`, `iptables-mod-conntrack-extra` and of course iptables user-space app should be available. On nftables the dependencies are: `kmod-nft-queue` and `kmod-nf-conntrack`. -Next step is to add required rules. For nftables on OpenWRT rules comes out-of-the-box and stored under /usr/share/nftables.d/ruleset-post/537-youtubeUnblock.nft. All you need is install requirements and do /etc/init.f/firewall reload. +Next step is to add required rules. For nftables on OpenWRT rules comes out-of-the-box and stored under /usr/share/nftables.d/ruleset-post/537-youtubeUnblock.nft. All you need is install requirements and do `/etc/init.d/firewall reload`. If no, go to Firewall configuration. -For hosts change FORWARD to OUTPUT chain in next rulesets. +Now we are ready to daemonize the application. +If you installed package from Github Actions or built it yourself with OpenWRT SDK, rc scripts are preinstalled. All you need is to do `/etc/init.d/youtubeUnblock start`. +Else copy `owrt/youtubeUnblock.owrt` to `/etc/init.d/youtubeUnblock` and put the program into /usr/bin/. (Don't forget to `chmod +x` both). Now run `/etc/init.d/youtubeUnblock start`. -### nftables rules +You can also run `/etc/init.d/youtubeUnblock enable` to force OpenWRT autostart the program on boot, but I don't recommend this since if the packet has bug you may lose access to the router (I think you will be able to reset it with reset settings tricks documented for your router). + +### PC configuration +On local host make sure to change FORWARD to OUTPUT chain in the Firewall rulesets. 
+ +Copy `youtubeUnblock.service` to `/usr/lib/systemd/system` (you should change the path inside the file to the program position, for example `/usr/bin/youtubeUnblock`, also you may want to delete default iptables rule addition in systemd file to controll it manually). And run `systemctl start youtubeUnblock`. + +### Firewall configuration +#### nftables rules On nftables you should put next nftables rules: `nft add rule inet fw4 mangle_forward tcp dport 443 ct original "packets < 20" counter queue num 537 bypass` `nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept` -### Iptables rules +#### Iptables rules On iptables you should put next iptables rules: -`iptables -t mangle -A FORWARD -p tcp -m tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass` +`iptables -t mangle -A FORWARD -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass` `iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT` -Note that above rules are using conntrack to route only first 20 packets from the connection to youtubeUnblock. +Note that above rules use conntrack to route only first 20 packets from the connection to youtubeUnblock. If you got some troubles with it, for example youtubeUnblock doesn't detect youtube, try to delete connbytes from rules. But it is an unlikely behavior and you should probably check your ruleset. You can use `--queue-balance` with multiple instances of youtubeUnblock for performance. This behavior is supported via multithreading. Just pass --threads=n where n stands for an amount of threads you want to be enabled. The n defaults to 1. The maximum threads defaults to 16 but may be altered programatically. Note, that if you are about to increase it, here is 100% chance that you are on the wrong way. -To run the application pass the queue number to it. 
This number should be the same as --queue-num in firewall rules. - -Next step is to daemonize the application. -On OpenWRT: Copy `owrt/youtubeUnblock.owrt` to `/etc/init.d/youtubeUnblock` and put the program into /usr/bin/. (Don't forget to `chmod +x` both). Now run `/etc/init.d/youtubeUnblock start`. You can alo run `/etc/init.d/youtubeUnblock enable` to force OpenWRT autostart the program on boot, but I don't recommend this since if the packet has bug you may lose access to the router (I think you will be able to reset it with reset settings tricks documented for your router). - -On systemd: Copy `youtubeUnblock.service` to `/usr/lib/systemd/system` (you should change the path inside the file to the program position, for example `/usr/bin/youtubeUnblock`, also you may want to delete default iptables rule addition in systemd file to controll it manually). -And run `systemctl start youtubeUnblock`. - -If you have troubles with some sites being proxied, you can play with flags. For example, for someone `--fake-sni=ttl` works. - Also DNS over HTTPS (DOH) is preferred for additional anonimity. ## Flags 
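Review bot: removing `-To run the application pass the queue number to it.` leaves the surviving context line `This number should be the same as --queue-num in firewall rules.` with no antecedent for "this number"; either delete that sentence as well or fold it into the new daemonization paragraph (for example "The queue number passed to the program must match `--queue-num` / `queue num 537` in the firewall rules"). The new "PC configuration" section tells hosts to change FORWARD to OUTPUT, but the nftables example that follows is written against the OpenWRT-specific `inet fw4` table and `mangle_forward` chain, which do not exist on a plain systemd host, so spelling out the host form of at least the iptables rule (`iptables -t mangle -A OUTPUT -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass`) would avoid guesswork. It is also worth stating next to the `enable` warning that both rule sets carry `bypass` / `--queue-bypass`, which makes NFQUEUE behave like ACCEPT when no daemon is listening on queue 537, so a daemon that fails to start leaves traffic flowing unmodified; the lockout risk described only applies to a running daemon that mangles packets wrongly. Minor grammar in the added lines: "rules comes out-of-the-box and stored under" should read "rules come out of the box and are stored under", and "controll" should be "control".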
@@ -57,8 +57,10 @@ Available flags: - `--silent` - Disables Google video detected debug logs. - `--frag={tcp,ip,none}` Specifies the fragmentation strategy for the packet. tcp is used by default. Ip fragmentation may be blocked by TSPU. None specifies no fragmentation. Probably this won't work, but may be will work for some fake sni strategies. -If you are on Chromium you may have to disable kyber (the feature that makes the TLS ClientHello very fat). I've got the problem with it on router, so to escape possibly errors it is better to just disable it: in chrome://flags search for kyber and switch it to disabled state. +## Troubleshooting +If you have troubles with some sites being proxied, you can play with flags. For example, for someone `--fake-sni=ttl` works. You should specify proper `--fake-sni-ttl=` where ttl is amount of hops between you and DPI. +If you are on Chromium you may have to disable kyber (the feature that makes the TLS ClientHello very fat). I've got the problem with it on router, so to escape possibly errors it is better to just disable it: in chrome://flags search for kyber and switch it to disabled state. If your browser is using quic it may not work properly. Disable it in chrome in chrome://flags and in Firefox network.http.http{2,3}.enable(d) in about:config ### Troubleshooting EPERMS (Operation not permitted) From fa631accb725f45459d7c522044c1b1f1a255268 Mon Sep 17 00:00:00 2001 From: spvkgn Date: Sun, 11 Aug 2024 20:18:39 +0500 Subject: [PATCH 2/3] Update README.md https://github.com/Waujito/youtubeUnblock/issues/54#issuecomment-2282490807 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0c85a60..bd9502e 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # youtubeUnblock Bypasses Googlevideo detection systems that relies on SNI. The package is for Linux only. The package is fully compatible with routers running OpenWRT. -The program offers binaries via [Github Actions](https://github.com/Waujito/youtubeUnblock/actions). You can find [packages for OpenWRT under this link](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-openwrt.yml). Also [static binaries for PCs are available here](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-alpine.yml). +The program offers binaries via [Github Actions](https://github.com/Waujito/youtubeUnblock/actions). You can find [packages for OpenWRT under this link](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-openwrt.yml). You can check the architecture of your device with command `grep ARCH /etc/openwrt_release`. Also [static binaries for PCs are available here](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-alpine.yml). The program is also compatible with routers driven by [Entware](https://github.com/Entware/Entware) (Keenetics/some Asuses). You can find binaries [here](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-entware.yml). And [here is an installation guide](https://help.keenetic.com/hc/ru/articles/360021214160-%D0%A3%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0-%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC%D1%8B-%D0%BF%D0%B0%D0%BA%D0%B5%D1%82%D0%BE%D0%B2-%D1%80%D0%B5%D0%BF%D0%BE%D0%B7%D0%B8%D1%82%D0%BE%D1%80%D0%B8%D1%8F-Entware-%D0%BD%D0%B0-USB-%D0%BD%D0%B0%D0%BA%D0%BE%D0%BF%D0%B8%D1%82%D0%B5%D0%BB%D1%8C). Install the package with opkg. If you got read-only filesystem error you may unpack the binary manually or specify opkg path `opkg -o `. From 05648cc7c206c2cb1002ad6e960763add4a66816 Mon Sep 17 00:00:00 2001 
From: Vadim Vetrov Date: Sun, 11 Aug 2024 21:34:21 +0300 Subject: [PATCH 3/3] fix --sni-domains=all --- youtubeUnblock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/youtubeUnblock.c b/youtubeUnblock.c index dbf04e3..33296ea 100644 --- a/youtubeUnblock.c +++ b/youtubeUnblock.c @@ -149,7 +149,7 @@ static int parse_args(int argc, char *argv[]) { config.use_gso = 0; break; case OPT_SNI_DOMAINS: - if (strcmp(optarg, "all")) { + if (!strcmp(optarg, "all")) { config.all_domains = 1; } config.domains_str = optarg;
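Review bot: the added sentence `You should specify proper --fake-sni-ttl= where ttl is amount of hops between you and DPI.` gives the reader no way to determine that number and does not say what happens when it is off, so it will be guessed; document how the value is meant to be measured and the symptom of a wrong value, and fix the grammar to "where ttl is the number of hops between you and the DPI". Since the Chromium paragraph and the QUIC line are now regrouped under the new `## Troubleshooting` heading, this is the moment to replace the shorthand `network.http.http{2,3}.enable(d)` in the surviving context line with the two preference names written out in full, as users copy these strings into about:config verbatim. The existing `### Troubleshooting EPERMS` heading now correctly nests under the new section, but the word "Troubleshooting" is repeated in it; "### EPERMS (Operation not permitted)" would read better.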
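Review bot: the new sentence `You can check the architecture of your device with command grep ARCH /etc/openwrt_release.` is dropped between the OpenWRT package link and the sentence about PC static binaries, so "Also static binaries for PCs are available here" now reads as if it continued the architecture check; move it directly after the OpenWRT package link (or into the opkg installation paragraph below) and say explicitly that the printed value must match the architecture of the package you download. While touching this paragraph, the context line "detection systems that relies on SNI" should read "rely on SNI". The commit message consists only of an issue-comment URL; a one-line summary ("document how to find the OpenWRT architecture") would make the history searchable without following the link.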
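Review bot: `config.all_domains` is only ever set to 1 in this branch while `config.domains_str = optarg;` is assigned unconditionally, so `--sni-domains=all` followed by a later `--sni-domains=<list>` on the same command line leaves the program in all-domains mode while also storing the list; because all-domains mode widens the SNI filter to every domain passing through the queue, make the assignment total instead, `config.all_domains = (strcmp(optarg, "all") == 0);`. The sign flip itself is right: `strcmp` returns 0 on a match, so the old `if (strcmp(optarg, "all"))` enabled all-domains mode for every value except "all" and never for "all". Add an argument-parsing test covering "all", a domain list, and the repeated-flag case so this inversion cannot come back silently.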