Feat: control scramble via env
xtrime-ru committed Aug 19, 2024
1 parent 6d0b508 commit 51c7c9c
Showing 9 changed files with 37 additions and 14 deletions.
3 changes: 0 additions & 3 deletions .gitignore
@@ -1,7 +1,4 @@
.vs*
/data/
/keys/
/temp/
/result/
/config/
/.adguard/
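Review bot: the rendered diff has lost its +/- markers, so it is not visible which three of the seven listed entries are the ones dropped (the file header counts 0 additions and 3 deletions). If `/keys/` or `/config/` is among them, generated OpenVPN keys and per-deployment configuration would no longer be ignored and could be committed by accident; please confirm those two stay ignored, or name the removed entries in the commit message.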
18 changes: 11 additions & 7 deletions README.md
@@ -5,12 +5,13 @@ Easy-to-use Docker image based upon original [AntiZapret LXD image](https://bitb

# Improvements

- Patches: [Apple](./rootfs/etc/knot-resolver/kresd.conf#L53-L61), [IDN](./rootfs/root/patches/parse.patch#L16), [RU](./rootfs/etc/knot-resolver/kresd.conf#L63-L73)
- [Community-driven list](./rootfs/root/antizapret/config/include-hosts-dist.txt) with geoblocked and unlisted domains
- Option to use [openvpn-dco](https://openvpn.net/as-docs/tutorials/tutorial--turn-on-openvpn-dco.html), a kernel extension for improving performance
- Patches: [Apple](https://github.com/xtrime-ru/antizapret-vpn-docker/blob/master/rootfs/etc/knot-resolver/kresd.conf), [IDN](https://github.com/xtrime-ru/antizapret-vpn-docker/blob/master/rootfs/root/patches/parse.patch)
- [Community-driven list](https://github.com/xtrime-ru/antizapret-vpn-docker/blob/master/rootfs/root/antizapret/config/include-hosts-dist.txt) with geoblocked and unlisted domains: youtube, microsoft, openai and more
- [openvpn-dco](https://openvpn.net/as-docs/tutorials/tutorial--turn-on-openvpn-dco.html) - a kernel extension for improving performance
- Option to [forwarding queries](./rootfs/init.sh#L21-L35) to an external resolver
- [XOR Tunneblick patch](https://tunnelblick.net/cOpenvpn_xorpatch.html)
- Support regex in custom rules
- [Support regex in custom rules](#adding-domainsips)
- [XOR Tunneblick patch](https://tunnelblick.net/cOpenvpn_xorpatch.html)


# Installation
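Review bot: `Tunneblick` is misspelled in the XOR patch bullet (the linked site is tunnelblick.net); the bullet is being rewritten anyway, so this is the moment to fix it. The unchanged bullet `Option to [forwarding queries]` should read `Option to [forward queries]`. It is also worth stating in the XOR bullet that the patch is needed on the client side too, since the `SCRAMBLE` variable this commit adds enables a server option that stock OpenVPN clients cannot negotiate.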
@@ -91,6 +92,7 @@ You can define these variables in docker-compose.yml file for your needs:
- `DNS=1.1.1.1` — DNS server to resolve domains (default: host DNS server)
- `DNS_RU=77.88.8.8` — russian DNS server; used to fix issues with geo zones mismatch for domains like [apple.com](apple.com)
- `CBC_CIPHERS=1` - Enable support of [legacy clients](#legacy-clients). WIll disable [DCO](#enable-openvpn-data-channel-offload-dco)
- `SCRAMBLE=1` - Enable additional obfuscation [XOR Tunneblick patch](https://tunnelblick.net/cOpenvpn_xorpatch.html)


## Enable OpenVPN Data Channel Offload (DCO)
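Review bot: the new `SCRAMBLE=1` entry should say that the option only works with clients built with the same XOR patch and that the obfuscation key has to match on both sides; an unpatched client will not get past the handshake against a scrambled server. The neighbouring `CBC_CIPHERS` line documents that it disables DCO; since the XOR patch operates in OpenVPN's userspace packet path, please verify whether `SCRAMBLE` has the same effect on DCO and document it the same way. Same `Tunneblick` typo as above, and `WIll` in the CBC line is a stray capital.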
@@ -102,7 +104,8 @@ Kernel extensions can be installed only on <u>a host machine</u>, not in a conta
### Ubuntu 24.04
```bash
sudo apt update
sudo apt upgrade # reboot your system after upgrade
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
sudo apt install -y efivar
sudo apt install -y openvpn-dco-dkms
```
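Review bot: replacing the inline `# reboot your system after upgrade` comment with `echo ... && sleep 100` does not get the system rebooted. When the block is pasted as a whole, the shell pauses for 100 seconds and then installs `openvpn-dco-dkms` against the still-running old kernel, so the DKMS module may be built for headers that do not match the kernel booted next. Either end the block after `sudo apt upgrade` and start a second block with `sudo reboot`, or replace the sleep with a prompt such as `read -p "Reboot now, then continue from here"`. The banner also has four `#` on the left and three on the right.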
@@ -111,13 +114,14 @@ sudo apt install -y openvpn-dco-dkms
```bash
deb=openvpn-dco-dkms_0.0+git20231103-1_all.deb
sudo apt update
sudo apt upgrade # reboot your system after upgrade
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
sudo apt install -y efivar dkms linux-headers-$(uname -r)
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openvpn-dco-dkms/$deb
sudo dpkg -i $deb
```

## Legacy clients
## Legacy clients support

If your clients do not have GCM chiphers support you can use legacy CBC ciphers.
DCO is incompatable with legacy ciphers and will be disabled. This is also increase CPU load.
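Review bot: the `.deb` is fetched over plain `http://` and installed with `dpkg -i` without any checksum check, so tampering with the download on the wire would go unnoticed; fetch it over `https://archive.ubuntu.com/...` and compare its SHA256 against the value in the Ubuntu package index before `dpkg -i`, or use `apt install -y ./$deb` so apt at least resolves its dependencies. The `sleep 100` point from the previous hunk applies here as well. The context lines carry typos: `chiphers`, `incompatable`, and `This is also increase CPU load` should read `This also increases CPU load`.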
5 changes: 5 additions & 0 deletions docker-build.sh
@@ -0,0 +1,5 @@
#!/usr/bin/env bash

SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

docker buildx build --platform linux/amd64,linux/arm64 -t xtrime/antizapret-vpn:latest "$@" --push "$SCRIPT_DIR"
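Review bot: the image is only tagged `:latest` and pushed in the same command, so every build overwrites the tag users pull and leaves no immutable tag to roll back to; add a second `-t xtrime/antizapret-vpn:<git sha or version>` (for example from `git -C "$SCRIPT_DIR" rev-parse --short HEAD`) so deployments can pin a known build. The script also lacks `set -eu`, so a failing `cd` in the `SCRIPT_DIR` line would silently produce an empty build context.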
1 change: 1 addition & 0 deletions docker-compose.yml
@@ -10,6 +10,7 @@ services:
- DOMAIN
- PORT
- CBC_CIPHERS
- SCRAMBLE
- DNS
- DNS_RU
ports:
3 changes: 1 addition & 2 deletions rootfs/etc/openvpn/server/antizapret-tcp.conf
@@ -11,14 +11,13 @@ server 192.168.104.0 255.255.252.0
push "route 10.224.0.0 255.254.0.0"
push "dhcp-option DNS 192.168.104.1"
push "block-outside-dns"
push "scramble obfuscate password"

txqueuelen 1000
keepalive 2 10
persist-tun
persist-key
tun-mtu 1420
scramble obfuscate password
#scramble obfuscate password
tcp-nodelay

user nobody
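Review bot: the obfuscation key `password` is hard-coded in a public repository and shared by every deployment of this image, so the XOR scramble is trivially reversible for anyone who has read the repo. XOR obfuscation is only ever a DPI-evasion measure, not encryption, but a per-deployment key still makes the traffic pattern less recognisable. Since this commit already introduces `SCRAMBLE` as an environment variable, consider a companion variable (say `SCRAMBLE_KEY`, a suggested name) that `set_scramble` substitutes into this line instead of the literal `password`.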
3 changes: 1 addition & 2 deletions rootfs/etc/openvpn/server/antizapret.conf
@@ -11,14 +11,13 @@ server 192.168.100.0 255.255.252.0
push "route 10.224.0.0 255.254.0.0"
push "dhcp-option DNS 192.168.100.1"
push "block-outside-dns"
push "scramble obfuscate password"

txqueuelen 1000
keepalive 2 10
persist-tun
persist-key
tun-mtu 1420
scramble obfuscate password
#scramble obfuscate password
fast-io

user nobody
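Review bot: dropping `push "scramble obfuscate password"` is correct: with the XOR patch the scramble is applied to every packet including the control-channel handshake, so it cannot be delivered via push and must already be in the client config, which is what the `#scramble` line in the client templates now provides. The same hard-coded shared key remark as for the TCP server config applies here.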
16 changes: 16 additions & 0 deletions rootfs/init.sh
@@ -28,12 +28,25 @@ function set_ciphers () {
sed -i "s|data-ciphers .*|data-ciphers \"$ARGS\"|g" /etc/openvpn/server/*.conf
}

function set_scramble () {
local ENABLE=$1
if [[ "$ENABLE" == 1 ]]; then
sed -i "s/^#scramble/scramble/g" /root/openvpn/templates/*.conf
sed -i "s/^#scramble/scramble/g" /etc/openvpn/server/*.conf
else
sed -i "s/^scramble/#scramble/g" /root/openvpn/templates/*.conf
sed -i "s/^scramble/#scramble/g" /etc/openvpn/server/*.conf
fi

}


# save DNS variables to /etc/default/antizapret
# in order to systemd services can access them

cat << EOF | sponge /etc/default/antizapret
CBC_CIPHERS=${CBC_CIPHERS:-0}
SCRAMBLE=${SCRAMBLE:-0}
DNS=$(resolve $DNS)
DNS_RU=$(resolve $DNS_RU 77.88.8.8)
PYTHONUNBUFFERED=1
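Review bot: `set_scramble` is idempotent and `^`-anchored, which is good; two small things: the `g` flag is redundant on a `^`-anchored pattern, and there is a stray blank line before the closing `}`. More importantly, the function silently does nothing when no line matches (for example if a template ever carries `# scramble` with a space), so consider checking with `grep -q '^#\?scramble' file` and logging an error when the option is absent, otherwise `SCRAMBLE=1` can appear to succeed while the server is not actually scrambled.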
@@ -60,6 +73,9 @@ done
# swap between legacy ciphers and DCO-required ciphers
[[ "$CBC_CIPHERS" == 1 ]] && set_ciphers AES-128-CBC:AES-256-CBC || set_ciphers

# enable tunneblick xor scramble patch
set_scramble "$SCRAMBLE"


# output systemd logs to docker logs since container boot
postrun 'journalctl --boot --follow --lines=all --no-hostname'
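Review bot: comment typo `tunneblick` should be `tunnelblick`. The call order (after `set_ciphers`, before the systemd log tail) is right, and because `SCRAMBLE` is persisted to `/etc/default/antizapret` with a default of 0 above, an unset variable correctly takes the else branch and comments the option out.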
1 change: 1 addition & 0 deletions rootfs/root/openvpn/templates/tcp.conf
@@ -39,6 +39,7 @@ dev tun
proto tcp
keepalive 2 10
tun-mtu 1420
#scramble obfuscate antizapret
sndbuf 3670016
rcvbuf 3670016
tcp-nodelay
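Review bot: key mismatch. This TCP client template gets `#scramble obfuscate antizapret`, while both server configs and the UDP template use `scramble obfuscate password`. Once `SCRAMBLE=1` uncomments these lines, TCP clients will XOR with a different key than the server and fail at the handshake with no useful error; change this line to `#scramble obfuscate password`, or better, derive all four lines from a single variable.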
1 change: 1 addition & 0 deletions rootfs/root/openvpn/templates/udp.conf
@@ -39,6 +39,7 @@ dev tun
proto udp
keepalive 2 10
tun-mtu 1420
#scramble obfuscate password
sndbuf 3670016
rcvbuf 3670016
fast-io