On using the Zaborona VPN on routers to bypass blocking in Ukraine

    Hello.

    Earlier there have been posts about site blocking in Ukraine, about workarounds, and in particular about the excellent Zaborona.Help resource for solving this problem (zhovner, great respect and thank you!).

    What follows is personal practical experience that may be useful to other users in Ukraine; for everyone else it is of theoretical interest only.

    So, there is a small network behind a router; in my case an Asus router running the latest custom Merlin firmware. The setup for this router is described here, and it worked perfectly until the start of 2018 :)

    A number of providers have introduced a new kind of blocking: the provider's DNS resolver returns a forged answer that points at an address inside the provider's own network. The net effect is that pings succeed (something is listening at that address) but the site does not open. The more sophisticated providers configured their DNS so that the forged answer is returned only to queries coming from inside their network, while the same resolver answers honestly to the outside world, which makes the forgery invisible to anyone checking from elsewhere. For example:

    For queries from outside the provider's network:
    $ nslookup www.yandex.ru 194.50.85.5
    DNS: dns-5.la.net.ua
    Address: 194.50.85.5

    www.YANDEX.ru
    Addresses: 2a02:6b8:a::a
               77.88.55.50
               5.255.255.77
               77.88.55.60
               5.255.255.50

    For queries from inside the provider's network:
    $ nslookup www.yandex.ru 194.50.85.5
    DNS: dns-5.la.net.ua
    Address: 194.50.85.5

    www.yandex.ru
    Address: 194.50.85.44

    Note that the forged answer, 194.50.85.44, sits in the same /24 as the resolver itself (194.50.85.5), i.e. it is one of the provider's own addresses, not one of Yandex's.
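    The check below is an added example, not code from the original post: it takes the answer sets from the two nslookup outputs above (constructed here as plain strings, IPv4 only) and flags the provider's answer as forged when it contains an address that the outside resolver never returned and that falls inside the provider's own prefix. The prefix 194.50.85.0/24 is an assumption for illustration (the /24 that contains the resolver); the functions are POSIX sh so they also run under busybox ash on the router.

```shell
#!/bin/sh
# Added example (not from the original post): detect a split-horizon forged DNS answer.
# The answer sets below are constructed from the two nslookup outputs in the post;
# the provider prefix 194.50.85.0/24 is an assumption for illustration. IPv4 only.

# ip4_to_int A.B.C.D -> the address as a decimal integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN -> exit 0 when ADDR lies inside NET/LEN
in_cidr() {
    addr_i=$(ip4_to_int "$1")
    net_i=$(ip4_to_int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr_i & mask )) -eq $(( net_i & mask )) ]
}

# forged_answer "ISP ANSWERS" "EXTERNAL ANSWERS" PROVIDER_PREFIX
# Prints "forged" (exit 0) when the provider's resolver returned an address that an
# outside resolver never returned and that lies inside the provider's own prefix;
# otherwise prints "ok" (exit 1). Such an address answers pings but does not serve the site.
forged_answer() {
    for a in $1; do
        case " $2 " in
            *" $a "*) continue ;;      # same answer as from outside: not forged
        esac
        if in_cidr "$a" "$3"; then
            echo forged
            return 0
        fi
    done
    echo ok
    return 1
}

# Constructed sample data, taken from the nslookup outputs quoted in the post (IPv4 only).
EXT_ANSWERS="77.88.55.50 5.255.255.77 77.88.55.60 5.255.255.50"
ISP_ANSWERS="194.50.85.44"
ISP_PREFIX="194.50.85.0/24"    # assumed: the block that contains the resolver 194.50.85.5

forged_answer "$ISP_ANSWERS" "$EXT_ANSWERS" "$ISP_PREFIX"
```

    To use it against a live provider, feed ISP_ANSWERS from a query sent to the provider's resolver from inside the network and EXT_ANSWERS from a query sent over the VPN or from an outside host; the comparison only makes sense when the external answer set is trusted.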
    The original Zaborona.Help instructions for Asus routers say nothing about additional DNS settings (neither for Merlin nor for the stock firmware), although the DD-WRT instructions do. The block-outside-dns option, which solves the problem on the Windows client, is a Windows-only OpenVPN option (it relies on the Windows Filtering Platform) and has no effect on *nix or router firmware.

    The obvious fix is to simply replace the provider's DNS with Google's (8.8.8.8, 8.8.4.4) or with the servers Zaborona.Help itself suggests (74.82.42.42, 77.88.8.8). But then some intranet resources (IPTV, for example) work badly or stop working altogether, since they are only known to the provider's own DNS; and a plain UDP query to an outside resolver can itself be transparently intercepted by the provider, so this does not even guarantee honest answers.

    In Merlin firmware for Asus (and possibly in others, I did not check) the VPN client has an option called "Accept DNS Configuration". According to its authors:
    Disabled = DNS servers sent by the VPN-provided DNS server are ignored
    Relaxed = DNS servers sent by the VPN-provided DNS server are prepended to the current list of DNS servers, any of which can be used
    Strict = DNS servers sent by the VPN-provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if the VPN-provided ones don't respond)
    Exclusive = only the VPN-provided DNS servers are used
    So it would seem that the whole solution is to switch the setting to "Strict": the VPN's DNS gets top priority and the provider's DNS is used only when the VPN's does not answer, which in theory also takes care of the intranet resources. (One caveat: that fallback only triggers when a server does not respond at all; a negative answer such as NXDOMAIN for an intranet name still counts as a response, so intranet names would not fall back to the provider's DNS this way.) Perhaps that is how it works in Tomato, but on Merlin, at the moment, this option only takes effect together with policy-based redirection (Redirect Internet traffic = Policy Rules).

    OK, I did the job twice (routing is already configured automatically by the Zaborona.Help server, but fine, we'll write it on the router too) and used a simple script:

    #!/bin/sh
    # Policy-route the Zaborona.Help prefix list into the OpenVPN client's routing table,
    # so that "Accept DNS Configuration = Strict" actually takes effect on Merlin.
    #      $1 is the VPN Client instance  # Required (selects routing table ovpnc$1)
    #      $2 is the LAN source/subnet    # Optional - default is 'all'
    if [ -z "$1" ]; then
       logger -st "($(basename "$0"))" $$ "Missing VPN Client arg1"
       exit 1            # exit codes are 0..255; the original 'exit 999' wrapped to 231
    fi
    SRC='all'
    if [ -n "$2" ]; then
       SRC=$2
    fi
    # Fetch the list. -f makes curl fail on an HTTP error instead of feeding an error page
    # into the loop. Keep only IPv4 entries (lines containing ":" are IPv6), drop comments
    # and blank lines, and accept only dotted-decimal addresses or address/prefix entries.
    LIST=$(curl -fsS https://zaborona.help/ips.txt | grep -v ":" | grep -v "^#" | grep -E '^[0-9.]+(/[0-9]+)?$')
    if [ -z "$LIST" ]; then
       logger -st "($(basename "$0"))" $$ "Could not fetch zaborona.help/ips.txt, rules left unchanged"
       exit 1
    fi
    for IP in $LIST
     do
      # delete first so that a re-run on reconnect does not stack duplicate rules
      ip rule del from "$SRC" to "$IP" table "ovpnc$1" prio 8000 2> /dev/null > /dev/null
      ip rule add from "$SRC" to "$IP" table "ovpnc$1" prio 8000
     done

    The script was launched automatically on the router on the OpenVPN client connection event, with Accept DNS Configuration = Strict. With that, everything works.

    The result leaves a mixed feeling: the problem is solved, but with crutches:

    1. For some reason, the Accept DNS Configuration option in Merlin firmware behaves in an incomprehensible way: without a redirect policy configured, it is useless.
    2. I'd like to believe that zaborona.help/ips.txt is always up to date.
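    Because the script above feeds whatever it downloads straight into ip rule, a stale, mistaken or tampered list could steer any prefix, including the LAN's own, into the tunnel. The sanity check below is an added example and not part of the original post or of Zaborona.Help: it accepts only well-formed IPv4 entries, refuses prefixes broader than /8, and refuses loopback, link-local and RFC 1918 space, which is exactly the space the IPTV and other intranet resources live in. The sample list is constructed, and the assumed file format (one IPv4 address or IPv4/prefix per line, "#" comments) is the same one the post's script assumes.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a downloaded ips.txt before
# feeding it to "ip rule". The list below is constructed; the real file lives at
# https://zaborona.help/ips.txt and its format is assumed to be one IPv4 address or
# IPv4/prefix per line with "#" comments, as the post's script also assumes. POSIX sh.

# valid_prefix ENTRY -> exit 0 if ENTRY is an IPv4 address or CIDR that is safe to route via VPN
valid_prefix() {
    entry=$1
    case $entry in
        */*) addr=${entry%/*}; len=${entry#*/} ;;
        *)   addr=$entry;      len=32 ;;
    esac
    # syntax: four dotted-decimal octets, a prefix length of at most two digits, 0..32
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$len"  | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$len" -le 32 ] || return 1
    for o in $(printf '%s' "$addr" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    # a prefix shorter than /8 would pull most of the Internet into the tunnel
    [ "$len" -ge 8 ] || return 1
    # never route loopback, link-local or RFC 1918 space through the tunnel: such an
    # entry would hijack the LAN and the IPTV/intranet resources we want to keep local
    case $addr in
        0.*|127.*|169.254.*|10.*|192.168.*) return 1 ;;
        172.*) second=${addr#172.}; second=${second%%.*}
               [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 1 ;;
    esac
    return 0
}

# filter_list < ips.txt -> prints accepted entries to stdout, reports rejected ones on stderr
filter_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # and surrounding whitespace / CR
        [ -z "$line" ] && continue
        if valid_prefix "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample list (not the real ips.txt): two good entries, one IPv6 entry
# (skipped, as the post's script skips them), one catch-all prefix, one RFC 1918 entry.
SAMPLE_LIST='# constructed sample
77.88.0.0/18
5.255.255.0/24
2a02:6b8::/32
0.0.0.0/0
192.168.1.0/24
'

# accepted_count -> number of entries that survive the filter (2 for the sample list)
accepted_count() {
    printf '%s' "$SAMPLE_LIST" | filter_list 2>/dev/null | wc -l | tr -d ' '
}

# Each accepted line is what the post's script would hand to:
#   ip rule add from all to $IP table ovpnc1 prio 8000
printf '%s' "$SAMPLE_LIST" | filter_list
```

    In the post's script, `curl ... | filter_list` could replace the chain of grep filters; a rejected entry is logged rather than silently dropped, so a changed or broken list shows up in the router's syslog instead of in a broken LAN.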

    PS The Zaborona.Help administrators were notified of the problem with the settings yesterday; so far there has been no response and nothing has changed. The Merlin firmware authors have also been notified of the problem with Accept DNS Configuration; no reaction so far.
    PPS A big request to politicised readers: stop writing nonsense to me in PMs, threatening me with karma downvotes, and so on. There are separate resources for you that have nothing to do with IT. Thanks.
