From 946121476e8476e9c49f67df35e66df3b8ec592d Mon Sep 17 00:00:00 2001 From: awslawsl233 <89617778+awslawsl233@users.noreply.github.com> Date: Tue, 14 Dec 2021 16:50:00 +0800 Subject: [PATCH] Update readme.eng.md --- docs/readme.eng.md | 215 ++++++++++++++++++++++----------------------- 1 file changed, 107 insertions(+), 108 deletions(-) diff --git a/docs/readme.eng.md b/docs/readme.eng.md index abd1c2d..28ee212 100644 --- a/docs/readme.eng.md +++ b/docs/readme.eng.md 
@@ -47,6 +47,113 @@ as it should, it is useless to deceive him. BUT. Only small providers can afford using squid, since it is very resource intensive. Large companies usually use DPI, which is designed for much greater bandwidth. +## Installation + +### desktop linux system + +Simple install works on most modern linux distributions with systemd or openrc, OpenWRT and MacOS. +Run install_easy.sh and answer its questions. + +### OpenWRT + +install_easy.sh works on openwrt but there're additional challenges. +They are mainly about possibly low flash free space. +Simple install will not work if it has no space to install itself and required packages from the repo. + +Another challenge would be to bring zapret to the router. You can download zip from github and use it. +Do not repack zip contents in Windows, because this way you break chmod and links. +Install openssh-sftp-server and unzip to openwrt and use sftp to transfer the file. + +The best way to start is to put zapret dir to /tmp and run /tmp/zapret/install_easy.sh from there. +After installation remove /tmp/zapret to free RAM. + +The absolute minimum for openwrt is 64/8 system, 64/16 is comfortable, 128/extroot is recommended. + + +### Android + +Its not possible to use nfqws and tpws in transparent proxy mode without root privileges. +Without root tpws can run in --socks mode. + +I have no NFQUEUE presence statistics in stock android kernels, but its present on my MTK device. +If NFQUEUE is present nfqws works. + +There's no ipset support unless you run custom kernel. In common case task of bringing up ipset +on android is ranging from "not easy" to "almost impossible", unless you find working kernel +image for your device. + +Android does not use /etc/passwd, tpws --user won't work. There's replacement. +Use numeric uids in --uid option. +Its recommended to use gid 3003 (AID_INET), otherwise tpws will not have inet access. +Example : --uid 1:3003 +In iptables use : "! --uid-owner 1" instead of "! 
--uid-owner tpws". + +Write your own shell script with iptables and tpws, run it using your root manager. +Autorun scripts are here : +magisk : /data/adb/service.d +supersu : /system/su.d + +I haven't checked whether android can kill iptable rules at its own will during wifi connection/disconnection, +mobile data on/off, ... + +How to run tpws on root-less android. +You can't write to /system, /data, can't run from sd card. +Selinux prevents running executables in /data/local/tmp from apps. +Use adb and adb shell. +mkdir /data/local/tmp/zapret +adb push tpws /data/local/tmp/zapret +chmod 755 /data/local/tmp/zapret /data/local/tmp/zapret/tpws +chcon u:object_r:system_file:s0 /data/local/tmp/zapret/tpws +Now its possible to run /data/local/tmp/zapret/tpws from any app such as tasker. + + +### FreeBSD, OpenBSD, MacOS + +see docs/bsd.eng.txt + + +### Windows (WSL) + +Using WSL (Windows subsystem for Linux) it's possible to run tpws in socks mode under rather new builds of +windows 10 and windows server. +Its not required to install any linux distributions as suggested in most articles. +tpws is static binary. It doesn't need a distribution. + +Install WSL : dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all +Copy binaries/x86_64/tpws_wsl.tgz to the target system. +Run : wsl --import tpws "%USERPROFILE%\tpws" tpws_wsl.tgz +Run tpws : wsl --exec /tpws --uid=1 --no-resolve --socks --bind-addr=127.0.0.1 --port=1080 +Configure socks as 127.0.0.1:1080 in a browser or another program. + +Cleanup : wsl --unregister tpws + +Tested in windows 10 build 19041 (20.04). + +NOTICE. There is native windows solution GoodByeDPI. It works on packet level like nfqws. + + +### Other devices + +Author's goal does not include easy supporting as much devices as possibles. +Please do not ask for easy supporting firmwares. It requires a lot of work and owning lots of devices. Its counterproductive. 
+As a devices owner its easier for you and should not be too hard if firmware is open. +Most closed stock firmwares are not designed for custom usage and sometimes actively prevent it. +In the latter case you have to hack into it and reverse engineer. Its not easy. +Binaries are universal. They can run on almost all firmwares. +You will need : + * root shell access. true sh shell, not microtik-like console + * startup hook + * r/w partition to store binaries and startup script with executable permission (+x) + * tpws can be run almost anywhere but nfqws require kernel support for NFQUEUE. Its missing in most firmwares. + * too old 2.6 kernels are unsupported and can cause errors +If binaries crash with segfault (rare but happens on some kernels) try to unpack upx like this : upx -d tpws. +First manually debug your scenario. Run iptables + daemon and check if its what you want. +Write your own script with iptables magic and run required daemon from there. Put it to startup. +Dont ask me how to do it. Its different for all firmwares and requires studying. +Find manual or reverse engineer yourself. +Check for race conditions. Firmware can clear or modify iptables after your startup script. +If this is the case then run another script in background and add some delay there. + ## How to put this into practice in the linux system In short, the options can be classified according to the following scheme: 
@@ -656,111 +763,3 @@ And you can start or stop the demons separately from the firewall: /opt/zapret/init.d/sysv/zapret start-daemons /opt/zapret/init.d/sysv/zapret stop-daemons ``` - -## Installation - -### desktop linux system - -Simple install works on most modern linux distributions with systemd or openrc, OpenWRT and MacOS. -Run install_easy.sh and answer its questions. - -### OpenWRT - -install_easy.sh works on openwrt but there're additional challenges. -They are mainly about possibly low flash free space. -Simple install will not work if it has no space to install itself and required packages from the repo. - -Another challenge would be to bring zapret to the router. You can download zip from github and use it. -Do not repack zip contents in Windows, because this way you break chmod and links. -Install openssh-sftp-server and unzip to openwrt and use sftp to transfer the file. - -The best way to start is to put zapret dir to /tmp and run /tmp/zapret/install_easy.sh from there. -After installation remove /tmp/zapret to free RAM. - -The absolute minimum for openwrt is 64/8 system, 64/16 is comfortable, 128/extroot is recommended. - - -### Android - -Its not possible to use nfqws and tpws in transparent proxy mode without root privileges. -Without root tpws can run in --socks mode. - -I have no NFQUEUE presence statistics in stock android kernels, but its present on my MTK device. -If NFQUEUE is present nfqws works. - -There's no ipset support unless you run custom kernel. In common case task of bringing up ipset -on android is ranging from "not easy" to "almost impossible", unless you find working kernel -image for your device. - -Android does not use /etc/passwd, tpws --user won't work. There's replacement. -Use numeric uids in --uid option. -Its recommended to use gid 3003 (AID_INET), otherwise tpws will not have inet access. -Example : --uid 1:3003 -In iptables use : "! --uid-owner 1" instead of "! --uid-owner tpws". 
- -Write your own shell script with iptables and tpws, run it using your root manager. -Autorun scripts are here : -magisk : /data/adb/service.d -supersu : /system/su.d - -I haven't checked whether android can kill iptable rules at its own will during wifi connection/disconnection, -mobile data on/off, ... - -How to run tpws on root-less android. -You can't write to /system, /data, can't run from sd card. -Selinux prevents running executables in /data/local/tmp from apps. -Use adb and adb shell. -mkdir /data/local/tmp/zapret -adb push tpws /data/local/tmp/zapret -chmod 755 /data/local/tmp/zapret /data/local/tmp/zapret/tpws -chcon u:object_r:system_file:s0 /data/local/tmp/zapret/tpws -Now its possible to run /data/local/tmp/zapret/tpws from any app such as tasker. - - -### FreeBSD, OpenBSD, MacOS - -see docs/bsd.eng.txt - - -### Windows (WSL) - -Using WSL (Windows subsystem for Linux) it's possible to run tpws in socks mode under rather new builds of -windows 10 and windows server. -Its not required to install any linux distributions as suggested in most articles. -tpws is static binary. It doesn't need a distribution. - -Install WSL : dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all -Copy binaries/x86_64/tpws_wsl.tgz to the target system. -Run : wsl --import tpws "%USERPROFILE%\tpws" tpws_wsl.tgz -Run tpws : wsl --exec /tpws --uid=1 --no-resolve --socks --bind-addr=127.0.0.1 --port=1080 -Configure socks as 127.0.0.1:1080 in a browser or another program. - -Cleanup : wsl --unregister tpws - -Tested in windows 10 build 19041 (20.04). - -NOTICE. There is native windows solution GoodByeDPI. It works on packet level like nfqws. - - -### Other devices - -Author's goal does not include easy supporting as much devices as possibles. -Please do not ask for easy supporting firmwares. It requires a lot of work and owning lots of devices. Its counterproductive. 
-As a devices owner its easier for you and should not be too hard if firmware is open. -Most closed stock firmwares are not designed for custom usage and sometimes actively prevent it. -In the latter case you have to hack into it and reverse engineer. Its not easy. -Binaries are universal. They can run on almost all firmwares. -You will need : - * root shell access. true sh shell, not microtik-like console - * startup hook - * r/w partition to store binaries and startup script with executable permission (+x) - * tpws can be run almost anywhere but nfqws require kernel support for NFQUEUE. Its missing in most firmwares. - * too old 2.6 kernels are unsupported and can cause errors -If binaries crash with segfault (rare but happens on some kernels) try to unpack upx like this : upx -d tpws. -First manually debug your scenario. Run iptables + daemon and check if its what you want. -Write your own script with iptables magic and run required daemon from there. Put it to startup. -Dont ask me how to do it. Its different for all firmwares and requires studying. -Find manual or reverse engineer yourself. -Check for race conditions. Firmware can clear or modify iptables after your startup script. -If this is the case then run another script in background and add some delay there. -
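Review bot: The first hunk (@@ -47,6 +47,113 @@) re-adds the Installation block verbatim, so the places where a reader can go wrong travel with it and this move is the natural point to fix them. In the root-less Android steps the host-side `adb push` is listed next to device-side commands with nothing marking which run in `adb shell`; prefix them, e.g. `adb shell mkdir /data/local/tmp/zapret`, `adb shell chmod 755 /data/local/tmp/zapret /data/local/tmp/zapret/tpws` and `adb shell chcon u:object_r:system_file:s0 /data/local/tmp/zapret/tpws`, and note that the `chcon` relabel is what works around the SELinux restriction mentioned two lines earlier, so it is the step to re-check if execution from an app still fails. "Tested in windows 10 build 19041 (20.04)" reads like an Ubuntu release number; build 19041 is Windows 10 version 2004, so write it that way. Finally, the hunk adds `+## Installation` directly after the context line ending in "bandwidth." while the removed copy had a blank line before the heading (the diffstat is 107 insertions against 108 deletions), so confirm a blank line separates the preceding paragraph from the new heading.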
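Review bot: The second hunk (@@ -656,111 +763,3 @@) removes exactly the block the first hunk inserts, so no text is lost in the move; the only thing to check is the end of the file, since the removal takes the trailing blank line with it and the file now ends at the closing ``` fence of the sysv example, which should still carry a terminating newline.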