Added install script, openwrt 23.05, sing-box, tun2socks

This commit is contained in:
itdoginfo
2023-10-13 14:48:19 +03:00
parent fc9646eff1
commit 9b2bfbe1b3
10 changed files with 1499 additions and 558 deletions

README.md

@@ -1,32 +1,70 @@
# Описание
Playbook для Ansible, автоматизирующий настройку обхода блокировок РКН через Wireguard на роутере с OpenWRT
Shell скрипт и playbook для Ansible. Автоматизируют настройку OpenWrt роутера для обхода блокировок по доменам и спискам IP-адресов.
Полное описание происходящего: [Статья на хабре](!!)
## Скрипт для установки
Запуск
```
!! wget bla bla
```
Подробности описаны в статье указаной выше.
## Ansible
Для взаимодействия c OpenWRT используется модуль [gekmihesg/ansible-openwrt](https://github.com/gekmihesg/ansible-openwrt)
Списки берутся с [antifilter.download](https://antifilter.download/)
Бонусом устанавливается и настраивается DNSCrypt2
Полное описание происходящего: https://itdog.info/tochechnyj-obhod-blokirovok-rkn-na-routere-s-openwrt-s-pomoshhyu-wireguard-i-dnscrypt/
И вот здесь: https://habr.com/ru/post/440030/
Поиск ошибок:
- https://itdog.info/tochechnyj-obhod-blokirovok-rkn-na-routere-s-openwrt-chast-2-poisk-i-ispravlenie-oshibok/
- https://habr.com/ru/post/702388/
Домены берутся из [отсюда](https://github.com/itdoginfo/allow-domains). Списки IP-адресов берутся с [antifilter.download](https://antifilter.download/)
Тестировалось с
- Ansible 2.9.27
- OpenWrt 21.02.5
- OpenWrt 22.03.3
- Ansible 2.10.8
# Использование
- OpenWrt 21.02.7
- OpenWrt 22.03.5
- OpenWrt 23.05.0-rc2
Для работы необходим wg сервер вне зоны действия РКН
## Выбор туннеля
- Wireguard настраивается автоматически через переменные
- OpenVPN устанавливается пакет, настраивается роутинг и зона. Само подключение (скопировать конфиг и перезапустить openvpn) нужно [настроить вручную](https://itdog.info/nastrojka-klienta-openvpn-na-openwrt/)
- Sing-box устанавливает пакет, настраивается роутинг и зона. Также кладётся темплейт в `/etc/sing-box/config.json`. Нужно настроить `config.json` и сделать `service sing-box restart`
Не работает под 21ой версией. Поэтому при его выборе playbook выдаст ошибку.
Для 22ой версии нужно установить пакет вручную.
- tun2socks настраивается только роутинг и зона. Всё остальное нужно настроить вручную
Для **tunnel** четыре возможных значения:
- wg
- openvpn
- singbox
- tun2socks
## Шифрование DNS
Если ваш провайдер не подменяет DNS-запросы, ничего устанавливать не нужно.
Для **dns_encrypt** три возможных значения:
- dnscrypt
- stubby
- false/закомментировано - пропуск, ничего не устанавливается и не настраивается
## Выбор страны
Для **county** три [возможных значения](https://github.com/itdoginfo/allow-domains):
- russia-inside
- russia-outside
- ukraine
## Списки IP-адресов и домены
Я советую использовать только домены
```
list_domains: true
```
Если вам требуются списки IP-адресов, они также поддерживаются.
## Использование
Установить модуль gekmihesg/ansible-openwrt
``` ansible-galaxy install gekmihesg.openwrt ```
```
ansible-galaxy install gekmihesg.openwrt
```
Скачать playbook и темплейты в /etc/ansible
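Review bot: unresolved `!!` placeholders are shipped in the new README text: `Полное описание происходящего: [Статья на хабре](!!)` gives the reader a dead link and the install snippet `!! wget bla bla` is not a runnable command; fill in the article URL and the real download command, or leave both lines out until they exist. Two smaller points in the same hunk: the heading `Для **county** три [возможных значения]` should say `**country**`, matching the variable name used in the vars block (`country: russia-inside`), and `ansible-galaxy install gekmihesg.openwrt` appears twice, once in a one-line fence and once in a block; keep the block only. Typo: `указаной` should be `указанной`.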
@@ -47,43 +85,59 @@ rm -rf ansible-openwrt-hirkn README.md
```
vars:
ansible_template_dir: /etc/ansible/templates/
wg_server_address: wg_server_ip/url
list_domains: true
list_subnet: false
list_ip: false
list_community: false
tunnel: wg
dns_encrypt: false
country: russia-inside
wg_server_address: wg-server-host
wg_private_key: privatekey-client
wg_public_key: publickey-client
#wg_preshared_key: presharedkey-client
wg_listen_port: 51820
wg_client_port: 51820
wg_client_address: 192.168.100.3/24
download_utility: curl
list_subnet: true
list_ip: true
list_community: true
list_domains: false
wg_client_address: ip-client
```
Обязательно нужно задать:
Переменные **list_** обозначают, какие списки нужно установить. true - установить, false - не устанавливать и удалить, если уже есть
При использовании **list_domains** нужен пакет dnsmasq-full.
Для 23.05 устанавливается автоматически.
Для OpenWrt 22.03 версия dnsmasq-full должна быть => 2.87, её нет в официальном репозитории, но можно установить из dev репозитория. Если это условие не выполнено, плейбук завершится с ошибкой.
[Инструкция для OpenWrt 22.03](https://t.me/itdoginf/12)
[Инструкция для OpenWrt 21.02](https://t.me/itdoginfo/8)
В случае использования WG обязательно нужно задать:
**wg_server_address** - ip/url wireguard сервера
**wg_private_key**, **wg_public_key** - ключи для "клиента"
**wg_client_address** - адрес роутера в wg сети
Переменные **list_** обозначают, какие списки нужно установить. true - установить, false - не устанавливать и удалить, если уже есть
При использовании **list_domains** должен быть установлен пакет dnsmasq-full. А для OpenWrt 22.03 версия dnsmasq-full должна быть => 2.87, её нет в официальном репозитории, но можно установить из dev репозитория. Инструкция по установке есть [в моём тг канале](https://t.me/itdoginf/12). Если это условие не выполнено, плейбук завершится с ошибкой
Остальное можно менять, в зависимости от того как настроен wireguard сервер
Если ваш wg сервер использует preshared_key, то раскомментируйте **wg_preshared_key** и задайте ключ
**download_utility** можно использовать curl или wget. Curl не скачивает заново списки, если на роутере они ещё актуальны
Остальное можно менять, в зависимости от того, как настроен wireguard сервер
Запуск playbook
```
ansible-playbook playbooks/hirkn.yml
ansible-playbook playbooks/hirkn.yml --limit 192.168.1.1
```
После выполнения playbook роутер сразу начнёт выполнять обход блокировок через Wireguard сервер.
После выполнения playbook роутер сразу начнёт выполнять обход блокировок.
Если у вас были ошибки и они исправились при повторном запуске playbook, но при этом обход не разработал, сделайте рестарт сети и скрипта:
```
service network restart
service getdomains start
```
# Скрипт для проверки конфигурации
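Review bot: the vars example puts the client secret in plaintext next to the ordinary settings (`wg_private_key: privatekey-client`, and `#wg_preshared_key: presharedkey-client` once uncommented), and the README tells users to keep the playbook in `/etc/ansible`; add a sentence recommending that these two values live in an ansible-vault encrypted vars file or another file kept out of version control. Typo in the troubleshooting paragraph: `обход не разработал` should read `обход не заработал`. The line `Для 23.05 устанавливается автоматически.` has no subject; state that it is dnsmasq-full that the script installs automatically on 23.05.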
@@ -115,10 +169,8 @@ chmod +x check-hirkn.sh
./check-hirkn.sh dump
```
# DNSCrypt-proxy2
Поиск ошибок вручную: https://habr.com/ru/post/702388/
Если у вас уже стоит dnscrypt-proxy первой версии, его необходимо удалить
```
opkg remove dnscrypt-proxy
```
Во второй версии есть отказоустойчивость из коробки.
---
[Telegram-канал с обновлениями](https://t.me/+lW1HmBO_Fa00M2Iy)
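Review bot: the section under `# Скрипт для проверки конфигурации` still tells the reader to run `chmod +x check-hirkn.sh` and `./check-hirkn.sh dump`, but this commit deletes that script (the `@@ -1,297 +0,0 @@` hunk below) and adds `getdomains-check.sh` in its place; update the filename in these commands, otherwise users will look for a file that no longer exists.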


@@ -1,297 +0,0 @@
#!/bin/sh
HIRKN=/etc/init.d/hirkn
DUMP=/tmp/dump.txt
checkpoint_true() {
printf "\033[32;1m[\342\234\223] $1\033[0m\n"
}
checkpoint_false() {
printf "\033[31;1m[x] $1\033[0m\n"
}
output_21() {
if [ "$VERSION_ID" -eq 21 ]; then
echo "You are using OpenWrt 21.02. This check does not support it"
fi
}
# System Details
MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2)
RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}')
printf "\033[34;1mModel:$MODEL\033[0m\n"
printf "\033[34;1mVersion: $RELEASE\033[0m\n"
VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}')
RAM=$(free -m | grep Mem: | awk '{print $2}')
if [[ "$VERSION_ID" -ge 22 && "$RAM" -lt 150000 ]]
then
echo "Your router has less than 256MB of RAM. I recommend using only the vpn_domains list"
fi
# Check packages
DNSMASQ=$(opkg list-installed | grep dnsmasq-full | awk -F "-" '{print $3}' | tr -d '.' )
if [ $DNSMASQ -ge 287 ]; then
checkpoint_true "Dnsmasq-full package"
else
checkpoint_false "Dnsmasq-full package"
echo "If you don't use vpn_domains set, it's OK"
echo "Check version: opkg list-installed | grep dnsmasq-full"
echo "Required version >= 2.87. For openwrt 22.03 follow manual: https://t.me/itdoginfo/12"
if [ "$VERSION_ID" -eq 21 ]; then
echo "You are using OpenWrt 21.02. This check does not support it"
echo "Manual for openwrt 21.02: https://t.me/itdoginfo/8"
fi
fi
WIREGUARD=$(opkg list-installed | grep -c wireguard-tools )
if [ $WIREGUARD -eq 1 ]; then
checkpoint_true "Wireguard-tools package"
else
checkpoint_false "Wireguard-tools package"
echo "If you don't use WG, but OpenVPN for example, it's OK"
echo "Install: opkg install wireguard-tools"
fi
CURL=$(opkg list-installed | grep -c curl)
if [ $CURL -eq 2 ]; then
checkpoint_true "Curl package"
else
checkpoint_false "Curl package"
echo "Install: opkg install curl"
fi
# Check internet connection
CHECK_INTERNET=$(curl -Is https://community.antifilter.download/ | grep -c 200)
if [ $CHECK_INTERNET -ne 0 ]; then
checkpoint_true "Check Internet"
else
checkpoint_false "Check Internet"
if [ $CURL -lt 2 ]; then
echo "Install curl: opkg install curl"
else
echo "Check internet connection. If ok, check date on router. Details: https://cli.co/2EaW4rO"
echo "For more info run: curl -Is https://community.antifilter.download/"
fi
fi
# Check WG
WG_PING=$(ping -c 1 -q -I wg0 itdog.info | grep -c "1 packets received")
if [ $WG_PING -eq 1 ]; then
checkpoint_true "Wireguard"
else
checkpoint_false "Wireguard"
WG_TRACE=$(traceroute -i wg0 itdog.info -m 1 | grep ms | awk '{print $2}' | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $WG_TRACE -eq 1 ]; then
echo "Tunnel to wg server is work, but routing to internet doesn't work. Check server configuration. Details: https://cli.co/RSCvOxI"
else
echo "Bad news: WG tunnel isn't work, check your WG configuration. Details: https://cli.co/hGUUXDs"
echo "If you don't use WG, but OpenVPN for example, it's OK"
fi
fi
# Check WG route_allowed_ips
if uci show network | grep -q ".route_allowed_ips='1'"; then
checkpoint_false "Wireguard route_allowed_ips"
echo "All traffic goes into the tunnel. Read more at: https://cli.co/SaxBzH7"
else
checkpoint_true "Wireguard route_allowed_ips"
fi
# Check route table
ROUTE_TABLE=$(ip route show table vpn | grep -c "default dev wg0 scope link" )
if [ $ROUTE_TABLE -eq 1 ]; then
checkpoint_true "Route table VPN"
else
checkpoint_false "Route table VPN"
echo "Details: https://cli.co/Atxr6U3"
fi
# Check sets
# vpn_domains set
vpn_domain_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_domains' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_domain_ipset_string=$(uci show firewall.@ipset[$vpn_domain_ipset_id] | grep -c "name='vpn_domains'\|match='dst_net'")
vpn_domain_rule_id=$(uci show firewall | grep -E '@rule.*vpn_domains' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_domain_rule_string=$(uci show firewall.@rule[$vpn_domain_rule_id] | grep -c "name='mark_domains'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_domains'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
if [ $((vpn_domain_ipset_string + vpn_domain_rule_string)) -eq 10 ]; then
checkpoint_true "vpn_domains set"
else
checkpoint_false "vpn_domains set"
echo "If you don't use vpn_domains set, it's OK"
echo "But if you want use, check config: https://cli.co/AwUGeM6"
fi
# vpn_ip set
vpn_ip_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_ip' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_ip_ipset_string=$(uci show firewall.@ipset[$vpn_ip_ipset_id] | grep -c "name='vpn_ip'\|match='dst_net'\|loadfile='/tmp/lst/ip.lst'")
vpn_ip_rule_id=$(uci show firewall | grep -E '@rule.*vpn_ip' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_ip_rule_string=$(uci show firewall.@rule[$vpn_ip_rule_id] | grep -c "name='mark_ip'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_ip'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
if [ $((vpn_ip_ipset_string + vpn_ip_rule_string)) -eq 11 ]; then
checkpoint_true "vpn_ip set"
else
checkpoint_false "vpn_ip set"
echo "If you don't use vpn_ip set, it's OK"
echo "But if you want use, check config: https://cli.co/AwUGeM6"
fi
# vpn_subnet set
vpn_subnet_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_subnet' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_subnet_ipset_string=$(uci show firewall.@ipset[$vpn_subnet_ipset_id] | grep -c "name='vpn_subnets'\|match='dst_net'\|loadfile='/tmp/lst/subnet.lst'")
vpn_subnet_rule_id=$(uci show firewall | grep -E '@rule.*vpn_subnet' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_subnet_rule_string=$(uci show firewall.@rule[$vpn_subnet_rule_id] | grep -c "name='mark_subnet'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_subnets'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
if [ $((vpn_subnet_ipset_string + vpn_subnet_rule_string)) -eq 11 ]; then
checkpoint_true "vpn_subnet set"
else
checkpoint_false "vpn_subnet set"
echo "If you don't use vpn_subnet set, it's OK"
echo "But if you want use, check config: https://cli.co/AwUGeM6"
fi
# vpn_community set
vpn_community_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_community' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_community_ipset_string=$(uci show firewall.@ipset[$vpn_community_ipset_id] | grep -c "name='vpn_community'\|match='dst_net'\|loadfile='/tmp/lst/community.lst'")
vpn_community_rule_id=$(uci show firewall | grep -E '@rule.*vpn_community' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_community_rule_string=$(uci show firewall.@rule[$vpn_community_rule_id] | grep -c "name='mark_community'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_community'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
if [ $((vpn_community_ipset_string + vpn_community_rule_string)) -eq 11 ]; then
checkpoint_true "vpn_community set"
else
checkpoint_false "vpn_community set"
echo "If you don't use vpn_community set, it's OK"
echo "But if you want use, check config: https://cli.co/AwUGeM6"
output_21
fi
# Check IPs in sets
# force resolve for vpn_domains
nslookup zona.media 127.0.0.1 > /dev/null
VPN_DOMAINS_IP=$(nft list ruleset | grep -A 10 vpn_domains | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $VPN_DOMAINS_IP -ge 1 ]; then
checkpoint_true "IPs in vpn_domains"
else
checkpoint_false "IPs in vpn_domains"
echo "If you don't use vpn_domains, it's OK"
echo "But if you want use, check configs"
output_21
fi
VPN_IP_IP=$(nft list ruleset | grep -A 10 vpn_ip | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $VPN_IP_IP -ge 1 ]; then
checkpoint_true "IPs in vpn_ip"
else
checkpoint_false "IPs in vpn_ip"
echo "If you don't use vpn_ip, it's OK"
echo "But if you want use, check configs"
output_21
fi
VPN_IP_SUBNET=$(nft list ruleset | grep -A 10 vpn_subnet | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $VPN_IP_SUBNET -ge 1 ]; then
checkpoint_true "IPs in vpn_subnet"
else
checkpoint_false "IPs in vpn_subnet"
echo "If you don't use vpn_subnet, it's OK"
echo "But if you want use, check configs"
output_21
fi
VPN_COMMUNITY_IP=$(nft list ruleset | grep -A 10 vpn_community | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $VPN_COMMUNITY_IP -ge 1 ]; then
checkpoint_true "IPs in vpn_community"
else
checkpoint_false "IPs in vpn_community"
echo "If you don't use vpn_community, it's OK"
echo "But if you want use, check configs"
output_21
fi
# Check dnsmasq
DNSMASQ_RUN=$(service dnsmasq status | grep -c 'running')
if [ $DNSMASQ_RUN -eq 1 ]; then
checkpoint_true "Dnsmasq service"
else
checkpoint_false "Dnsmasq service"
echo "Check config /etc/config/dhcp"
output_21
fi
# Check hirkn script
if [ -s "$HIRKN" ]; then
checkpoint_true "Script hirkn"
else
checkpoint_false "Script hirkn"
echo "Script don't exists in $HIRKN"
fi
HIRKN_CRON=$(crontab -l | grep -c "/etc/init.d/hirkn")
if [ $HIRKN_CRON -eq 1 ]; then
checkpoint_true "Script hirkn in crontab"
else
checkpoint_false "Script hirkn in crontab"
echo "Script is not enabled in crontab. Check: crontab -l"
fi
# DNSCrypt
DNSCRYPT=$(opkg list-installed | grep -c dnscrypt-proxy2 )
if [ $DNSCRYPT -eq 1 ]; then
checkpoint_true "Dnscrypt-proxy2 package"
else
checkpoint_false "Dnscrypt-proxy2 package"
echo "If you don't use Dnscrypt, it's OK"
echo "But if you want use, install: opkg install dnscrypt-proxy2"
fi
DNSCRYPT_RUN=$(service dnscrypt-proxy status | grep -c 'running')
if [ $DNSCRYPT_RUN -eq 1 ]; then
checkpoint_true "DNSCrypt service"
else
checkpoint_false "DNSCrypt service"
echo "If you don't use Dnscrypt, it's OK"
echo "But if you want use, check config: https://cli.co/wN-tc_S"
output_21
fi
DNSMASQ_NETWORK_STRING=$(uci show network.wan.peerdns | grep -c "peerdns='0'")
if [ $DNSMASQ_NETWORK_STRING -eq 1 ]; then
checkpoint_true "Network config for DNSCrypt"
else
checkpoint_false "Network config for DNSCrypt"
echo "If you don't use Dnscrypt, it's OK"
echo "But if you want use, check peerdns='0' in /etc/config/network"
fi
DNSMASQ_STRING=$(uci show dhcp.@dnsmasq[0] | grep -c "127.0.0.53#53\|noresolv='1'")
if [ $DNSMASQ_STRING -eq 2 ]; then
checkpoint_true "Dnsmasq config for DNSCrypt"
else
checkpoint_false "Dnsmasq config for DNSCrypt"
echo "If you don't use Dnscrypt, it's OK"
echo "But if you want use, check config: https://cli.co/rooc0uz"
fi
# Create dump
if [[ "$1" == dump ]]; then
printf "\033[36;1mCreate dump without private variables\033[0m\n"
date > $DUMP
/etc/init.d/hirkn start >> $DUMP 2>&1
uci show firewall >> $DUMP
uci show network | sed -r 's/(.*private_key=|.*preshared_key=|.*public_key=|.*endpoint_host=|.*wan.ipaddr=|.*wan.netmask=|.*wan.gateway=|.*wan.dns|.*.macaddr=).*/\1REMOVED/' >> $DUMP
echo "Dump is here: $DUMP"
echo "For download Linux/Mac use:"
echo "scp root@IP_ROUTER:$DUMP ."
echo "For Windows use PSCP or WSL"
fi
# Info
echo -e "\nTelegram channel: https://t.me/itdoginfo"
echo "Telegram chat: https://t.me/itdogchat"

getdomains-check.sh Executable file

@@ -0,0 +1,393 @@
#!/bin/sh
HIRKN=/etc/init.d/hirkn
GETDOMAINS=/etc/init.d/getdomains
DUMP=/tmp/dump.txt
checkpoint_true() {
printf "\033[32;1m[\342\234\223] $1\033[0m\n"
}
checkpoint_false() {
printf "\033[31;1m[x] $1\033[0m\n"
}
output_21() {
if [ "$VERSION_ID" -eq 21 ]; then
echo "You are using OpenWrt 21.02. This check does not support it"
fi
}
# System Details
MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2)
RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}')
printf "\033[34;1mModel:$MODEL\033[0m\n"
printf "\033[34;1mVersion: $RELEASE\033[0m\n"
VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}')
RAM=$(free -m | grep Mem: | awk '{print $2}')
if [[ "$VERSION_ID" -ge 22 && "$RAM" -lt 150000 ]]
then
echo "Your router has less than 256MB of RAM. I recommend using only the vpn_domains list"
fi
# Check packages
CURL=$(opkg list-installed | grep -c curl)
if [ $CURL -eq 2 ]; then
checkpoint_true "Curl package"
else
checkpoint_false "Curl package"
echo "Install: opkg install curl"
fi
DNSMASQ=$(opkg list-installed | grep dnsmasq-full | awk -F "-" '{print $3}' | tr -d '.' )
if [ $DNSMASQ -ge 287 ]; then
checkpoint_true "Dnsmasq-full package"
else
checkpoint_false "Dnsmasq-full package"
echo "If you don't use vpn_domains set, it's OK"
echo "Check version: opkg list-installed | grep dnsmasq-full"
echo "Required version >= 2.87. For openwrt 22.03 follow manual: https://t.me/itdoginfo/12"
if [ "$VERSION_ID" -eq 21 ]; then
echo "You are using OpenWrt 21.02. This check does not support it"
echo "Manual for openwrt 21.02: https://t.me/itdoginfo/8"
fi
fi
# Check dnsmasq
DNSMASQ_RUN=$(service dnsmasq status | grep -c 'running')
if [ $DNSMASQ_RUN -eq 1 ]; then
checkpoint_true "Dnsmasq service"
else
checkpoint_false "Dnsmasq service"
echo "Check config /etc/config/dhcp"
output_21
fi
# Check internet connection
if curl -Is https://community.antifilter.download/ | grep -q 200; then
checkpoint_true "Check Internet"
else
checkpoint_false "Check Internet"
if [ $CURL -lt 2 ]; then
echo "Install curl: opkg install curl"
else
echo "Check internet connection. If ok, check date on router. Details: https://cli.co/2EaW4rO"
echo "For more info run: curl -Is https://community.antifilter.download/"
fi
fi
# Tunnels
WIREGUARD=$(opkg list-installed | grep -c wireguard-tools )
if [ $WIREGUARD -eq 1 ]; then
checkpoint_true "Wireguard-tools package"
WG=true
else
checkpoint_false "Wireguard-tools package"
echo "If you don't use WG it's OK"
fi
if [ "$WG" == true ]; then
WG_PING=$(ping -c 1 -q -I wg0 itdog.info | grep -c "1 packets received")
if [ $WG_PING -eq 1 ]; then
checkpoint_true "Wireguard"
else
checkpoint_false "Wireguard"
WG_TRACE=$(traceroute -i wg0 itdog.info -m 1 | grep ms | awk '{print $2}' | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $WG_TRACE -eq 1 ]; then
echo "Tunnel to wg server is work, but routing to internet doesn't work. Check server configuration. Details: https://cli.co/RSCvOxI"
else
echo "Bad news: WG tunnel isn't work, check your WG configuration. Details: https://cli.co/hGUUXDs"
echo "If you don't use WG, but OpenVPN for example, it's OK"
fi
fi
# Check WG route_allowed_ips
if uci show network | grep -q ".route_allowed_ips='1'"; then
checkpoint_false "Wireguard route_allowed_ips"
echo "All traffic goes into the tunnel. Read more at: https://cli.co/SaxBzH7"
else
checkpoint_true "Wireguard route_allowed_ips"
fi
# Check route table
ROUTE_TABLE=$(ip route show table vpn | grep -c "default dev wg0 scope link" )
if [ $ROUTE_TABLE -eq 1 ]; then
checkpoint_true "Route table WG"
else
checkpoint_false "Route table VPN"
echo "Details: https://cli.co/Atxr6U3"
fi
fi
if opkg list-installed | grep -q openvpn; then
checkpoint_true "OpenVPN package"
OVPN=true
else
checkpoint_false "OpenVPN package"
echo "If you don't use OpenVPN it's OK"
fi
# Check OpenVPN
if [ "$OVPN" == true ]; then
if ping -c 1 -q -I tun0 itdog.info | grep -q "1 packets received"; then
checkpoint_true "OpenVPN"
else
checkpoint_false "OpenVPN"
if traceroute -i tun0 itdog.info -m 1 | grep ms | awk '{print $2}' | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; then
echo "Tunnel to OpenVPN server is work, but routing to internet doesn't work. Check server configuration."
else
echo "Bad news: OpenVPN tunnel isn't work, check your OpenVPN configuration."
fi
fi
# Check OpenVPN redirect-gateway
if grep -q redirect-gateway /etc/openvpn/*; then
checkpoint_false "OpenVPN redirect-gateway"
echo "All traffic goes into the tunnel. Read more at: https://cli.co/vzTNq_3"
else
checkpoint_true "OpenVPN redirect-gateway"
fi
# Check route table
if ip route show table vpn | grep -q "default dev tun0 scope link"; then
checkpoint_true "Route table OpenVPN"
else
checkpoint_false "Route table OpenVPN"
echo "Details: https://cli.co/Atxr6U3"
fi
fi
if opkg list-installed | grep -q sing-box; then
checkpoint_true "Sing-box package"
IP_EXTERNAL=$(curl -s ifconfig.me)
IFCONFIG=$(nslookup -type=a ifconfig.me | awk '/^Address: / {print $2}')
ip route add $IFCONFIG via 172.19.0.1 dev tun0
IP_VPN=$(curl -s ifconfig.me)
ip route del $IFCONFIG via 172.19.0.1 dev tun0
if [ "$IP_EXTERNAL" != $IP_VPN ]; then
checkpoint_true "Sing-box. VPN IP: $IP_VPN"
else
checkpoint_false "Sing-box. Check config: !!Add"
fi
else
checkpoint_false "Sing-box package"
echo "If you don't use sing-box it's OK"
fi
if which tun2socks | grep -q tun2socks; then
checkpoint_true "tun2socks package"
IP_EXTERNAL=$(curl -s ifconfig.me)
IFCONFIG=$(nslookup -type=a ifconfig.me | awk '/^Address: / {print $2}')
ip route add $IFCONFIG via 172.16.250.1 dev tun0
IP_VPN=$(curl -s ifconfig.me)
ip route del $IFCONFIG via 172.16.250.1 dev tun0
if [ "$IP_EXTERNAL" != $IP_VPN ]; then
checkpoint_true "tun2socks. VPN IP: $IP_VPN"
else
checkpoint_false "tun2socks. Check config: !!Add"
fi
else
checkpoint_false "tun2socks package"
echo "If you don't use tun2socks it's OK"
fi
# Check sets
# vpn_domains set
vpn_domain_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_domains' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_domain_ipset_string=$(uci show firewall.@ipset[$vpn_domain_ipset_id] | grep -c "name='vpn_domains'\|match='dst_net'")
vpn_domain_rule_id=$(uci show firewall | grep -E '@rule.*vpn_domains' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_domain_rule_string=$(uci show firewall.@rule[$vpn_domain_rule_id] | grep -c "name='mark_domains'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_domains'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
if [ $((vpn_domain_ipset_string + vpn_domain_rule_string)) -eq 10 ]; then
checkpoint_true "vpn_domains set"
# force resolve for vpn_domains. All list
nslookup terraform.io 127.0.0.1 > /dev/null
nslookup pochta.ru 127.0.0.1 > /dev/null
nslookup 2gis.ru 127.0.0.1 > /dev/null
VPN_DOMAINS_IP=$(nft list ruleset | grep -A 10 vpn_domains | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $VPN_DOMAINS_IP -ge 1 ]; then
checkpoint_true "IPs in vpn_domains"
else
checkpoint_false "IPs in vpn_domains"
echo "If you don't use vpn_domains, it's OK"
echo "But if you want use, check configs"
output_21
fi
else
checkpoint_false "vpn_domains set"
echo "If you don't use vpn_domains set, it's OK"
echo "But if you want use, check config: https://cli.co/AwUGeM6"
fi
# vpn_ip set
vpn_ip_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_ip' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_ip_ipset_string=$(uci show firewall.@ipset[$vpn_ip_ipset_id] | grep -c "name='vpn_ip'\|match='dst_net'\|loadfile='/tmp/lst/ip.lst'")
vpn_ip_rule_id=$(uci show firewall | grep -E '@rule.*vpn_ip' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_ip_rule_string=$(uci show firewall.@rule[$vpn_ip_rule_id] | grep -c "name='mark_ip'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_ip'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
if [ $((vpn_ip_ipset_string + vpn_ip_rule_string)) -eq 11 ]; then
checkpoint_true "vpn_ip set"
VPN_IP_IP=$(nft list ruleset | grep -A 10 vpn_ip | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $VPN_IP_IP -ge 1 ]; then
checkpoint_true "IPs in vpn_ip"
else
checkpoint_false "IPs in vpn_ip"
echo "But if you want use, check configs"
output_21
fi
else
checkpoint_false "vpn_ip set"
echo "If you don't use vpn_ip set, it's OK"
echo "But if you want use, check config: https://cli.co/AwUGeM6"
fi
# vpn_subnet set
vpn_subnet_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_subnet' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_subnet_ipset_string=$(uci show firewall.@ipset[$vpn_subnet_ipset_id] | grep -c "name='vpn_subnets'\|match='dst_net'\|loadfile='/tmp/lst/subnet.lst'")
vpn_subnet_rule_id=$(uci show firewall | grep -E '@rule.*vpn_subnet' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_subnet_rule_string=$(uci show firewall.@rule[$vpn_subnet_rule_id] | grep -c "name='mark_subnet'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_subnets'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
if [ $((vpn_subnet_ipset_string + vpn_subnet_rule_string)) -eq 11 ]; then
checkpoint_true "vpn_subnet set"
VPN_IP_SUBNET=$(nft list ruleset | grep -A 10 vpn_subnet | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $VPN_IP_SUBNET -ge 1 ]; then
checkpoint_true "IPs in vpn_subnet"
else
checkpoint_false "IPs in vpn_subnet"
echo "But if you want use, check configs"
output_21
fi
else
checkpoint_false "vpn_subnet set"
echo "If you don't use vpn_subnet set, it's OK"
echo "But if you want use, check config: https://cli.co/AwUGeM6"
fi
# vpn_community set
vpn_community_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_community' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_community_ipset_string=$(uci show firewall.@ipset[$vpn_community_ipset_id] | grep -c "name='vpn_community'\|match='dst_net'\|loadfile='/tmp/lst/community.lst'")
vpn_community_rule_id=$(uci show firewall | grep -E '@rule.*vpn_community' | awk -F '[][{}]' '{print $2}' | head -n 1)
vpn_community_rule_string=$(uci show firewall.@rule[$vpn_community_rule_id] | grep -c "name='mark_community'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_community'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
if [ $((vpn_community_ipset_string + vpn_community_rule_string)) -eq 11 ]; then
checkpoint_true "vpn_community set"
VPN_COMMUNITY_IP=$(nft list ruleset | grep -A 10 vpn_community | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ $VPN_COMMUNITY_IP -ge 1 ]; then
checkpoint_true "IPs in vpn_community"
else
checkpoint_false "IPs in vpn_community"
echo "But if you want use, check configs"
output_21
fi
else
checkpoint_false "vpn_community set"
echo "If you don't use vpn_community set, it's OK"
echo "But if you want use, check config: https://cli.co/AwUGeM6"
output_21
fi
# hirkn script
if [ -s "$HIRKN" ]; then
checkpoint_true "Script hirkn"
if crontab -l | grep -q $HIRKN; then
checkpoint_true "Script hirkn in crontab"
else
checkpoint_false "Script hirkn in crontab"
echo "Script is not enabled in crontab. Check: crontab -l"
fi
else
checkpoint_false "Script hirkn"
echo "Script don't exists in $HIRKN. If you don't use old hirkn script, it's OK"
fi
# getdomains script
if [ -s "$GETDOMAINS" ]; then
checkpoint_true "Script getdomains"
if crontab -l | grep -q $GETDOMAINS; then
checkpoint_true "Script getdomains in crontab"
else
checkpoint_false "Script getdomains in crontab"
echo "Script is not enabled in crontab. Check: crontab -l"
fi
else
checkpoint_false "Script getdomains"
echo "Script don't exists in $GETDOMAINS. If you don't use getdomains, it's OK"
fi
# DNS
# DNSCrypt
if opkg list-installed | grep -q dnscrypt-proxy2; then
checkpoint_true "Dnscrypt-proxy2 package"
if service dnscrypt-proxy status | grep -q 'running'; then
checkpoint_true "DNSCrypt service"
else
checkpoint_false "DNSCrypt service"
echo "Check config: https://cli.co/wN-tc_S"
output_21
fi
DNSMASQ_STRING=$(uci show dhcp.@dnsmasq[0] | grep -c "127.0.0.53#53\|noresolv='1'")
if [ $DNSMASQ_STRING -eq 2 ]; then
checkpoint_true "Dnsmasq config for DNSCrypt"
else
checkpoint_false "Dnsmasq config for DNSCrypt"
echo "Check config: https://cli.co/rooc0uz"
fi
else
checkpoint_false "Dnscrypt-proxy2 package"
echo "If you don't use Dnscrypt, it's OK"
fi
# Stubby
if opkg list-installed | grep -q stubby; then
checkpoint_true "Stubby package"
if service stubby status | grep -q 'running'; then
checkpoint_true "Stubby service"
else
checkpoint_false "Stubby service"
echo "Check config: !!Add link"
output_21
fi
STUBBY_STRING=$(uci show dhcp.@dnsmasq[0] | grep -c "127.0.0.1#5453\|noresolv='1'")
if [ $STUBBY_STRING -eq 2 ]; then
checkpoint_true "Dnsmasq config for Stubby"
else
checkpoint_false "Dnsmasq config for Stubby"
echo "Check config: !!Add link"
fi
else
checkpoint_false "Stubby package"
echo "If you don't use Stubby, it's OK"
fi
# Create dump
if [[ "$1" == dump ]]; then
printf "\033[36;1mCreate dump without private variables\033[0m\n"
date > $DUMP
$HIRKN start >> $DUMP 2>&1
$GETDOMAINS start >> $DUMP 2>&1
uci show firewall >> $DUMP
uci show network | sed -r 's/(.*private_key=|.*preshared_key=|.*public_key=|.*endpoint_host=|.*wan.ipaddr=|.*wan.netmask=|.*wan.gateway=|.*wan.dns|.*.macaddr=).*/\1REMOVED/' >> $DUMP
echo "Dump is here: $DUMP"
echo "For download Linux/Mac use:"
echo "scp root@IP_ROUTER:$DUMP ."
echo "For Windows use PSCP or WSL"
fi
# Info
echo -e "\nTelegram channel: https://t.me/itdoginfo"
echo "Telegram chat: https://t.me/itdogchat"
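Review bot: user-facing messages still carry `!!Add` placeholders in four places (`checkpoint_false "Sing-box. Check config: !!Add"`, the matching tun2socks line, and both `echo "Check config: !!Add link"` lines in the Stubby block); fill in the links or drop the "Check config" tail. The sing-box and tun2socks checks also modify the live routing table during what is meant to be a read-only diagnostic (`ip route add $IFCONFIG via 172.19.0.1 dev tun0`, then `ip route del`): `nslookup -type=a ifconfig.me` can return several A records, in which case `$IFCONFIG` expands to several words and both `ip route` commands fail, and if the `curl` through the tunnel returns nothing, `[ "$IP_EXTERNAL" != $IP_VPN ]` becomes a malformed test; take `head -n 1`, quote `"$IP_VPN"`, and make sure the temporary route is removed on every path. The gateways 172.19.0.1 and 172.16.250.1 are hardcoded, so the check breaks as soon as a user changes the tun address in their sing-box or tun2socks config. Smaller items: the RAM warning says "less than 256MB" while the test is `"$RAM" -lt 150000`, and with `free -m` the value is in megabytes, so the warning fires on practically every router; the WG route-table check labels success `"Route table WG"` but failure `"Route table VPN"`; and the script declares `#!/bin/sh` but uses `[[ ... ]]` and `==`, which depend on BusyBox ash extensions rather than POSIX sh.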

getdomains-install.sh Executable file

@@ -0,0 +1,594 @@
#!/bin/sh
#set -x
check_repo() {
printf "\033[32;1mChecking OpenWrt repo availability...\033[0m\n"
opkg update | grep -q "Failed to download" && printf "\033[32;1mopkg failed. Check internet or date. Command for force ntp sync: ntpd -p ptbtime1.ptb.de\033[0m\n" && exit 1
}
route_vpn () {
if [ "$TUNNEL" == wg ]; then
cat << EOF > /etc/hotplug.d/iface/30-rknroute
#!/bin/sh
ip route add table vpn default dev wg0
EOF
elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
cat << EOF > /etc/hotplug.d/iface/30-rknroute
#!/bin/sh
sleep 5
ip route add table vpn default dev tun0
EOF
fi
}
add_mark() {
grep -q "99 vpn" /etc/iproute2/rt_tables || echo '99 vpn' >> /etc/iproute2/rt_tables
if ! uci show network | grep -q mark0x1; then
printf "\033[32;1mConfigure mark rule\033[0m\n"
uci add network rule
uci set network.@rule[-1].name='mark0x1'
uci set network.@rule[-1].mark='0x1'
uci set network.@rule[-1].priority='100'
uci set network.@rule[-1].lookup='vpn'
uci commit
fi
}
add_tunnel() {
echo "We can automatically configure only Wireguard. OpenVPN, Sing-box(Shadowsocks2022, VMess, VLESS, etc) and tun2socks will need to be configured manually"
echo "Select a tunnel:"
echo "1) WireGuard"
echo "2) OpenVPN"
echo "3) Sing-box"
echo "4) tun2socks"
echo "5) Skip this step"
while true; do
read -r -p '' TUNNEL
case $TUNNEL in
1)
TUNNEL=wg
break
;;
2)
TUNNEL=ovpn
break
;;
3)
TUNNEL=singbox
break
;;
4)
TUNNEL=tun2socks
break
;;
5)
echo "Skip"
TUNNEL=0
break
;;
*)
echo "Choose from the following options"
;;
esac
done
if [ "$TUNNEL" == 'wg' ]; then
printf "\033[32;1mConfigure WireGuard\033[0m\n"
if opkg list-installed | grep -q wireguard-tools; then
echo "Wireguard already installed"
else
echo "Installed wg..."
opkg install wireguard-tools
fi
route_vpn
read -r -p "Enter the private key (from [Interface]):"$'\n' WG_PRIVATE_KEY
while true; do
read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' WG_IP
if echo "$WG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
break
else
echo "This IP is not valid. Please repeat"
fi
done
read -r -p "Enter the public key (from [Peer]):"$'\n' WG_PUBLIC_KEY
read -r -p "If use PresharedKey, Enter this (from [Peer]). If your don't use leave blank:"$'\n' WG_PRESHARED_KEY
read -r -p "Enter Enpoint host without port (Domain or IP) (from [Peer]):"$'\n' WG_ENDPOINT
read -r -p "Enter Enpoint host port (from [Peer]) [51820]:"$'\n' WG_ENDPOINT_PORT
WG_ENDPOINT_PORT=${WG_ENDPOINT_PORT:-51820}
if [ "$WG_ENDPOINT_PORT" = '51820' ]; then
echo $WG_ENDPOINT_PORT
fi
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key=$WG_PRIVATE_KEY
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses=$WG_IP
if ! uci show network | grep -q wireguard_wg0; then
uci add network wireguard_wg0
fi
uci set network.@wireguard_wg0[0]=wireguard_wg0
uci set network.@wireguard_wg0[0].name='wg0_client'
uci set network.@wireguard_wg0[0].public_key=$WG_PUBLIC_KEY
uci set network.@wireguard_wg0[0].preshared_key=$WG_PRESHARED_KEY
uci set network.@wireguard_wg0[0].route_allowed_ips='0'
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
uci set network.@wireguard_wg0[0].endpoint_host=$WG_ENDPOINT
uci set network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
uci set network.@wireguard_wg0[0].endpoint_port=$WG_ENDPOINT_PORT
uci commit
fi
if [ "$TUNNEL" == 'ovpn' ]; then
if opkg list-installed | grep -q openvpn-openssl; then
echo "OpenVPN already installed"
else
echo "Installed openvpn"
opkg install openvpn-openssl
fi
printf "\033[32;1mConfigure route for OpenVPN\033[0m\n"
route_vpn
fi
if [ "$TUNNEL" == 'singbox' ]; then
if opkg list-installed | grep -q sing-box; then
echo "Sing-box already installed"
else
AVAILABLE_SPACE=$(df / | awk 'NR>1 { print $4 }')
if [[ "$AVAILABLE_SPACE" -gt 2000 ]]; then
echo "Installed sing-box"
opkg install sing-box
else
printf "\033[31;1mNo free space for a sing-box. Sing-box is not installed.\033[0m\n"
exit 1
fi
fi
if grep -q "option enabled '0'" /etc/config/sing-box; then
sed -i "s/ option enabled \'0\'/ option enabled \'1\'/" /etc/config/sing-box
fi
if grep -q "option user 'sing-box'" /etc/config/sing-box; then
sed -i "s/ option user \'sing-box\'/ option user \'root\'/" /etc/config/sing-box
fi
if grep -q "tun0" /etc/sing-box/config.json; then
printf "\033[32;1mConfig /etc/sing-box/config.json already exists\033[0m\n"
else
cat << 'EOF' > /etc/sing-box/config.json
{
"log": {
"level": "debug"
},
"inbounds": [
{
"type": "tun",
"interface_name": "tun0",
"domain_strategy": "ipv4_only",
"inet4_address": "172.19.0.1/30",
"auto_route": false,
"strict_route": false,
"sniff": true
}
],
"outbounds": [
{
"type": "$TYPE",
"server": "$HOST",
"server_port": $PORT,
"method": "$METHOD",
"password": "$PASS"
}
],
"route": {
"auto_detect_interface": true
}
}
EOF
printf "\033[32;1mCreate template config in /etc/sing-box/config.json. Edit it manually. Official doc: https://sing-box.sagernet.org/configuration/outbound/\033[0m\n"
printf "\033[32;1mOfficial doc: https://sing-box.sagernet.org/configuration/outbound/\033[0m\n"
printf "\033[32;1mManual with example SS: LINK STATYA \033[0m\n"
fi
printf "\033[32;1mConfigure route for Sing-box\033[0m\n"
route_vpn
fi
}
dnsmasqfull() {
if opkg list-installed | grep -q dnsmasq-full; then
printf "\033[32;1mdnsmasq-full already installed\033[0m\n"
else
printf "\033[32;1mInstalled dnsmasq-full\033[0m\n"
cd /tmp/ && opkg download dnsmasq-full
opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/
[ -f /etc/config/dhcp-opkg ] && cp etc/config/dhcp etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
fi
}
remove_forwarding() {
if [ ! -z "$forward_id" ]; then
while uci -q delete firewall.@forwarding[$forward_id]; do :; done
fi
}
add_zone() {
if [ "$TUNNEL" == 0 ]; then
printf "\033[32;1mZone setting skipped\033[0m\n"
elif uci show firewall | grep -q "@zone.*name='$TUNNEL'"; then
printf "\033[32;1mZone already exist\033[0m\n"
else
printf "\033[32;1mCreate zone\033[0m\n"
# Delete exists zone
zone_tun_id=$(uci show firewall | grep -E '@zone.*tun0' | awk -F '[][{}]' '{print $2}' | head -n 1)
if [ "$zone_tun_id" == 0 ] || [ "$zone_tun_id" == 1 ]; then
printf "\033[32;1mtun0 zone has an identifier of 0 or 1. That's not ok. Fix your firewall. lan and wan zones should have identifiers 0 and 1. \033[0m\n"
exit 1
fi
if [ ! -z "$zone_tun_id" ]; then
while uci -q delete firewall.@zone[$zone_tun_id]; do :; done
fi
zone_wg_id=$(uci show firewall | grep -E '@zone.*wg0' | awk -F '[][{}]' '{print $2}' | head -n 1)
if [ "$zone_wg_id" == 0 ] || [ "$zone_wg_id" == 1 ]; then
printf "\033[32;1mwg0 zone has an identifier of 0 or 1. That's not ok. Fix your firewall. lan and wan zones should have identifiers 0 and 1. \033[0m\n"
exit 1
fi
if [ ! -z "$zone_wg_id" ]; then
while uci -q delete firewall.@zone[$zone_wg_id]; do :; done
fi
uci add firewall zone
uci set firewall.@zone[-1].name="$TUNNEL"
if [ "$TUNNEL" == wg ]; then
uci set firewall.@zone[-1].network='wg0'
elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
uci set firewall.@zone[-1].device='tun0'
fi
if [ "$TUNNEL" == wg ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].input='REJECT'
elif [ "$TUNNEL" == singbox ]; then
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].input='ACCEPT'
fi
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci set firewall.@zone[-1].family='ipv4'
uci commit firewall
fi
if [ "$TUNNEL" == 0 ]; then
printf "\033[32;1mForwarding setting skipped\033[0m\n"
elif uci show firewall | grep -q "@forwarding.*name='$TUNNEL-lan'"; then
printf "\033[32;1mForwarding already configured\033[0m\n"
else
printf "\033[32;1mConfigured forwarding\033[0m\n"
# Delete exists forwarding
if [[ $TUNNEL != "wg" ]]; then
forward_id=$(uci show firewall | grep -E "@forwarding.*dest='wg'" | awk -F '[][{}]' '{print $2}' | head -n 1)
remove_forwarding
fi
if [[ $TUNNEL != "ovpn" ]]; then
forward_id=$(uci show firewall | grep -E "@forwarding.*dest='ovpn'" | awk -F '[][{}]' '{print $2}' | head -n 1)
remove_forwarding
fi
if [[ $TUNNEL != "singbox" ]]; then
forward_id=$(uci show firewall | grep -E "@forwarding.*dest='singbox'" | awk -F '[][{}]' '{print $2}' | head -n 1)
remove_forwarding
fi
if [[ $TUNNEL != "tun2socks" ]]; then
forward_id=$(uci show firewall | grep -E "@forwarding.*dest='tun2socks'" | awk -F '[][{}]' '{print $2}' | head -n 1)
remove_forwarding
fi
uci add firewall forwarding
uci set firewall.@forwarding[-1]=forwarding
uci set firewall.@forwarding[-1].name="$TUNNEL-lan"
uci set firewall.@forwarding[-1].dest="$TUNNEL"
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].family='ipv4'
uci commit firewall
fi
}
show_manual() {
if [ "$TUNNEL" == tun2socks ]; then
printf "\033[42;1mZone for tun2socks cofigured. But you need to set up the tunnel yourself.\033[0m\n"
echo "Use this manual: LINK singbox"
elif [ "$TUNNEL" == ovpn ]; then
printf "\033[42;1mZone for OpenVPN cofigured. But you need to set up the tunnel yourself.\033[0m\n"
echo "Use this manual: https://itdog.info/nastrojka-klienta-openvpn-na-openwrt/"
fi
}
add_set() {
if uci show firewall | grep -q "@ipset.*name='vpn_domains'"; then
printf "\033[32;1mSet already exist\033[0m\n"
else
printf "\033[32;1mCreate set\033[0m\n"
uci add firewall ipset
uci set firewall.@ipset[-1].name='vpn_domains'
uci set firewall.@ipset[-1].match='dst_net'
uci commit
fi
if uci show firewall | grep -q "@rule.*name='mark_domains'"; then
printf "\033[32;1mRule for set already exist\033[0m\n"
else
printf "\033[32;1mCreate rule set\033[0m\n"
uci add firewall rule
uci set firewall.@rule[-1]=rule
uci set firewall.@rule[-1].name='mark_domains'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='*'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].ipset='vpn_domains'
uci set firewall.@rule[-1].set_mark='0x1'
uci set firewall.@rule[-1].target='MARK'
uci set firewall.@rule[-1].family='ipv4'
uci commit
fi
}
add_dns_resolver() {
echo "Configure DNSCrypt2 or Stubby? It does matter if your ISP is spoofing DNS requests"
DISK=$(df -m / | awk 'NR==2{ print $2 }')
if [[ "$DISK" -lt 32 ]]; then
printf "\033[31;1mYour router a disk have less than 32MB. It is not recommended to install DNSCrypt, it takes 10MB\033[0m\n"
fi
echo "Select:"
echo "1) No [Default]"
echo "2) DNSCrypt2 (10.7M)"
echo "3) Stubby (36K)"
while true; do
read -r -p '' DNS_RESOLVER
case $DNS_RESOLVER in
1)
echo "Skiped"
break
;;
2)
DNS_RESOLVER=DNSCRYPT
break
;;
3)
DNS_RESOLVER=STUBBY
break
;;
*)
echo "Choose from the following options"
;;
esac
done
if [ "$DNS_RESOLVER" == 'DNSCRYPT' ]; then
if opkg list-installed | grep -q dnscrypt-proxy2; then
printf "\033[32;1mDNSCrypt2 already installed\033[0m\n"
else
printf "\033[32;1mInstalled dnscrypt-proxy2\033[0m\n"
opkg install dnscrypt-proxy2
if grep -q "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml; then
sed -i "s/^# server_names =.*/server_names = [\'google\', \'cloudflare\', \'scaleway-fr\', \'yandex\']/g" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
fi
printf "\033[32;1mDNSCrypt restart\033[0m\n"
service dnscrypt-proxy restart
printf "\033[32;1mDNSCrypt needs to load the relays list. Please wait\033[0m\n"
sleep 30
if [ -f /etc/dnscrypt-proxy2/relays.md ]; then
uci set dhcp.@dnsmasq[0].noresolv="1"
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53"
uci commit dhcp
printf "\033[32;1mDnsmasq restart\033[0m\n"
/etc/init.d/dnsmasq restart
else
printf "\033[31;1mDNSCrypt not download list on /etc/dnscrypt-proxy2. Repeat install DNSCrypt by script.\033[0m\n"
fi
fi
fi
if [ "$DNS_RESOLVER" == 'STUBBY' ]; then
printf "\033[32;1mConfigure Stubby\033[0m\n"
if opkg list-installed | grep -q stubby; then
printf "\033[32;1mStubby already installed\033[0m\n"
else
printf "\033[32;1mInstalled stubby\033[0m\n"
opkg install stubby
printf "\033[32;1mConfigure Dnsmasq for Stubby\033[0m\n"
uci set dhcp.@dnsmasq[0].noresolv="1"
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
uci commit dhcp
printf "\033[32;1mDnsmasq restart\033[0m\n"
/etc/init.d/dnsmasq restart
fi
fi
}
add_packages() {
if opkg list-installed | grep -q "curl -"; then
printf "\033[32;1mCurl already installed\033[0m\n"
else
printf "\033[32;1mInstall curl\033[0m\n"
opkg install curl
fi
if opkg list-installed | grep -q nano; then
printf "\033[32;1mNano already installed\033[0m\n"
else
printf "\033[32;1mInstall nano\033[0m\n"
opkg install nano
fi
}
add_getdomains() {
echo "Choose you country"
echo "Select:"
echo "1) Russia inside. You are inside Russia"
echo "2) Russia outside. You are outside of Russia, but you need access to Russian resources"
echo "3) Ukraine. uablacklist.net list"
echo "4) Skip script creation"
while true; do
read -r -p '' COUNTRY
case $COUNTRY in
1)
COUNTRY=russia_inside
break
;;
2)
COUNTRY=russia_outside
break
;;
3)
COUNTRY=ukraine
break
;;
4)
echo "Skiped"
COUNTRY=0
break
;;
*)
echo "Choose from the following options"
;;
esac
done
if [ "$COUNTRY" == 'russia_inside' ]; then
EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/inside-dnsmasq-nfset.lst
elif [ "$COUNTRY" == 'russia_outside' ]; then
EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/outside-dnsmasq-nfset.lst
elif [ "$COUNTRY" == 'ukraine' ]; then
EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Ukraine/inside-dnsmasq-nfset.lst
fi
if [ "$COUNTRY" != '0' ]; then
printf "\033[32;1mCreate script /etc/init.d/getdomains\033[0m\n"
cat << EOF > /etc/init.d/getdomains
#!/bin/sh /etc/rc.common
START=99
start () {
$EOF_DOMAINS
EOF
cat << 'EOF' >> /etc/init.d/getdomains
count=0
while true; do
if curl -m 3 github.com; then
curl -f $DOMAINS --output /tmp/dnsmasq.d/domains.lst
break
else
echo "GitHub is not available. Check the internet availability [$count]"
count=$((count+1))
fi
done
if dnsmasq --conf-file=/tmp/dnsmasq.d/domains.lst --test 2>&1 | grep -q "syntax check OK"; then
/etc/init.d/dnsmasq restart
fi
}
EOF
chmod +x /etc/init.d/getdomains
ln -sf ../init.d/getdomains /etc/rc.d/S99getdomains
if crontab -l | grep -q /etc/init.d/getdomains; then
printf "\033[32;1mCrontab already configured\033[0m\n"
else
crontab -l | { cat; echo "0 */8 * * * /etc/init.d/getdomains"; } | crontab -
printf "\033[32;1mIgnore this error. This is normal for a new installation\033[0m\n"
/etc/init.d/cron restart
fi
printf "\033[32;1mStart script\033[0m\n"
/etc/init.d/getdomains start
fi
}
# System Details
MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2)
RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}')
printf "\033[34;1mModel:$MODEL\033[0m\n"
printf "\033[34;1mVersion: $RELEASE\033[0m\n"
VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}')
if [ "$VERSION_ID" -ne 23 ]; then
printf "\033[31;1mScript only support OpenWrt 23.05\033[0m\n"
echo "For OpenWrt 21.02 and 22.03 you can:"
echo "1) Use ansible https://github.com/itdoginfo/ansible-openwrt-hirkn"
echo "2) Configure manually. Old manual: https://itdog.info/tochechnyj-obhod-blokirovok-rkn-na-routere-s-openwrt-s-pomoshhyu-wireguard-i-dnscrypt/"
exit 1
fi
printf "\033[31;1mAll actions performed here cannot be rolled back automatically.\033[0m\n"
check_repo
add_packages
add_tunnel
add_mark
add_zone
show_manual
add_set
dnsmasqfull
add_dns_resolver
add_getdomains
printf "\033[32;1mRestart network\033[0m\n"
/etc/init.d/network restart
printf "\033[32;1mDone\033[0m\n"
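Review bot: `dnsmasqfull()` uses relative paths after `cd /tmp/`: in `[ -f /etc/config/dhcp-opkg ] && cp etc/config/dhcp etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp` the `cp` resolves to `/tmp/etc/config/dhcp`, fails, and short-circuits the `mv`, so the dhcp config shipped by opkg is never put in place; use absolute `/etc/config/dhcp` and `/etc/config/dhcp-old`. Three more points in this hunk: the sing-box block rewrites `option user 'sing-box'` to `option user 'root'` in `/etc/config/sing-box`, discarding the package's unprivileged user for a daemon that parses untrusted network input, and the reason (tun device creation?) should at least be stated in a comment; the `while true` loop written into `/etc/init.d/getdomains` (`if curl -m 3 github.com; then ... else ... count=$((count+1)) fi`) has no `sleep` and no retry limit, so without connectivity it spins hot forever, and since the installer ends with `/etc/init.d/getdomains start` the installer itself hangs; and the generated `/etc/hotplug.d/iface/30-rknroute` runs `sleep 5` plus `ip route add` on every iface hotplug event without checking `$ACTION` or `$INTERFACE`. Minor: `uci set network.wg0.private_key=$WG_PRIVATE_KEY` and the `preshared_key` line pass user input unquoted, and the preshared key is written even when the prompt was left blank; quote the variables and skip that `uci set` when the value is empty.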


@@ -9,70 +9,100 @@
vars:
ansible_template_dir: /etc/ansible/templates/
wg_server_address: wg_server_ip/url
list_domains: true
list_subnet: false
list_ip: false
list_community: false
tunnel: wg
dns_encrypt: false
country: russia-inside
wg_server_address: wg-server-host
wg_private_key: privatekey-client
wg_public_key: publickey-server
#wg_preshared_key: preshared-key
wg_public_key: publickey-client
#wg_preshared_key: presharedkey-client
wg_listen_port: 51820
wg_client_port: 51820
wg_client_address: 192.168.100.3/24
download_utility: curl
list_subnet: true
list_ip: true
list_community: true
list_domains: false
# Packages installation
wg_client_address: ip-client
tasks:
- name: install packages
opkg:
name: "{{ item }}"
state: present
loop:
- kmod-wireguard
- wireguard-tools
- dnscrypt-proxy2
- name: install curl
opkg:
name: curl
state: present
when: download_utility == "curl"
- name: install ipset
opkg:
name: ipset
state: present
when: ansible_distribution_major_version < "22"
# Dnsmasq version check
- name: Get dnsmasq version
shell: opkg list-installed | grep dnsmasq-full | awk '{print $3}'
register: dnsmasqfull_version
# Hirkn script configure
- name: debug
debug:
var: ansible_distribution_major_version
# Packages installation
- name: install wg
opkg:
name: "{{ item }}"
state: present
loop:
- kmod-wireguard
- wireguard-tools
when: tunnel == "wg"
- name: install openvpn
opkg:
name: "{{ item }}"
state: present
loop:
- openvpn-openssl
when: tunnel == "openvpn"
- name: install singbox
opkg:
name: "{{ item }}"
state: present
loop:
- sing-box
when: tunnel == "singbox" and ansible_distribution_major_version >= "23"
- name: install curl and nano
opkg:
name: "{{ item }}"
state: present
loop:
- curl
- nano
- name: install ipset
opkg:
name: ipset
state: present
when: ansible_distribution_major_version < "22"
- name: install dnsmasq-full (23)
shell: opkg update && cd /tmp/ && opkg download dnsmasq-full && opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/ && [ -f /etc/config/dhcp-opkg ] && cp etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
when: ansible_distribution_major_version >= "23" and list_domains and not dnsmasqfull_version.stdout
ignore_errors: true
# Getdomains script configure
- name: hirkn script copy
- name: getdomains script copy
template:
src: "{{ ansible_template_dir }}openwrt-hirkn.j2"
dest: "/etc/init.d/hirkn"
src: "{{ ansible_template_dir }}openwrt-getdomains.j2"
dest: "/etc/init.d/getdomains"
mode: a+x
trim_blocks: false
notify:
- Run hirkn script
- Run getdomains script
- name: create simplink in rc.d
file:
src: "/etc/init.d/hirkn"
dest: "/etc/rc.d/S99hirkn"
src: "/etc/init.d/getdomains"
dest: "/etc/rc.d/S99getdomains"
state: link
notify:
- Run hirkn script
- Run getdomains script
- name: check string in crontab
shell: grep "hirkn" /etc/crontabs/root
shell: grep "getdomains" /etc/crontabs/root
register: check_cron
ignore_errors: true
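Review bot: the `install dnsmasq-full (23)` shell task has the same relative-path defect as the installer: `cp etc/config/dhcp /etc/config/dhcp-old` runs after `cd /tmp/`, so the backup fails and the `mv` is skipped. Because the chain ends in `[ -f /etc/config/dhcp-opkg ] && ...`, it also returns non-zero whenever that file is absent, which is presumably why `ignore_errors: true` was added; that flag now hides a failed `opkg remove dnsmasq && opkg install dnsmasq-full` too, which would leave the router with no DNS server. Split the package swap and the optional config restore into separate tasks (or wrap the last step in `if [ -f ... ]; then ...; fi`) and drop `ignore_errors`. Also, the `- name: debug` task printing `ansible_distribution_major_version` looks like leftover scaffolding, and comparisons such as `>= "23"` are string comparisons that only work while the major version stays two digits; `ansible_distribution_major_version | int >= 23` is safer.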
@@ -80,7 +110,7 @@
lineinfile:
path: /etc/crontabs/root
create: yes
line: "0 4 * * * /etc/init.d/hirkn reload"
line: "0 4 * * * /etc/init.d/getdomains start"
when: check_cron.stdout == ""
- name: enable and start crontab
@@ -91,14 +121,62 @@
# Configure route table
- name: route copy in hotplug
# - name: Create vpn0 interface
# uci:
# command: section
# config: network
# type: interface
# find_by:
# name: vpn0
# name: vpn0
# value:
# name: vpn0
# proto: none
# auto: 1
# device: tun0
# when: tunnel == "openvpn" or tunnel == "singbox" or tunnel == "tun2socks"
# notify:
# - Restart network
# - name: tunnel routing. tun0
# uci:
# command: section
# config: network
# type: route
# find_by:
# name: vpn_route
# name: vpn_route
# value:
# name: vpn_route
# interface: vpn0
# table: vpn
# target: 0.0.0.0/0
# when: tunnel == "openvpn" or tunnel == "singbox" or tunnel == "tun2socks"
# notify:
# - Restart network
# - name: tunnel routing. wg0
# uci:
# command: section
# config: network
# type: route
# find_by:
# name: vpn
# name: vpn_route
# value:
# interface: wg0
# table: vpn
# target: 0.0.0.0/0
# when: tunnel == "wg"
# notify:
# - Restart network
- name: Route for vpn table
template:
src: "{{ ansible_template_dir }}openwrt-30-rknroute.j2"
dest: "/etc/hotplug.d/iface/30-rknroute"
mode: 0644
notify:
- Restart network
- name: Check string in rt_tables
shell: grep "99 vpn" /etc/iproute2/rt_tables
register: check_rt_tables
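Review bot: about forty lines of commented-out `uci` tasks (`Create vpn0 interface` and the two `tunnel routing` blocks) are left in the playbook; they are superseded by the `Route for vpn table` template task directly below, so delete them rather than carry dead code (git history keeps them). If they are meant to come back, note that each `find_by:` lists `name:` twice, which Ansible flags as a duplicate dict key.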
@@ -112,14 +190,15 @@
notify:
- Restart network
# Configure network
# Configure WG
- name: add wg interface
uci:
command: add
config: network
type: interface
name: wg0
when: tunnel == "wg"
- name: configure wg interface
uci:
@@ -131,6 +210,9 @@
listen_port: "{{ wg_listen_port }}"
addresses:
- "{{ wg_client_address }}"
when: tunnel == "wg"
notify:
- Restart network
- name: set wg client without wg_preshared_key
uci:
@@ -146,8 +228,10 @@
endpoint_host: "{{ wg_server_address }}"
allowed_ips: 0.0.0.0/0
endpoint_port: "{{ wg_client_port }}"
when: wg_preshared_key is undefined
when: wg_preshared_key is undefined and tunnel == "wg"
notify:
- Restart network
- name: set wg client with wg_preshared_key
uci:
command: section
@@ -163,8 +247,117 @@
endpoint_host: "{{ wg_server_address }}"
allowed_ips: 0.0.0.0/0
endpoint_port: "{{ wg_client_port }}"
when: wg_preshared_key is defined
when: wg_preshared_key is defined and tunnel == "wg"
- name: set WG firewall zone
uci:
command: section
config: firewall
type: zone
find_by:
name: wg
value:
forward: REJECT
output: ACCEPT
name: wg
input: REJECT
masq: 1
mtu_fix: 1
network: wg0
family: ipv4
when: tunnel == "wg"
- name: add WG forwarding
uci:
command: section
config: firewall
type: forwarding
find_by:
name: wg-lan
value:
dest: wg
src: lan
family: ipv4
when: tunnel == "wg"
# Configure Sing-box
- name: set sing-box firewall zone. Only >=22
uci:
command: section
config: firewall
type: zone
find_by:
name: tun
value:
forward: ACCEPT
output: ACCEPT
name: tun
input: ACCEPT
masq: 1
mtu_fix: 1
device: tun0
family: ipv4
when: tunnel == "singbox"
failed_when: ansible_distribution_major_version < "22"
notify:
- Restart firewall
- name: template for sing-box.json
template:
src: "{{ ansible_template_dir }}sing-box-json.j2"
dest: "/etc/sing-box/config.json"
mode: 0644
when: tunnel == "singbox"
failed_when: ansible_distribution_major_version < "22"
- name: template for config/sing-box
template:
src: "{{ ansible_template_dir }}config-sing-box.j2"
dest: "/etc/config/sing-box"
mode: 0600
when: tunnel == "singbox"
failed_when: ansible_distribution_major_version < "22"
# Configure OpenVPN, tun2socks
- name: set {{ tunnel }} firewall zone
uci:
command: section
config: firewall
type: zone
find_by:
name: tun
value:
forward: REJECT
output: ACCEPT
name: tun
input: REJECT
masq: 1
mtu_fix: 1
device: tun0
family: ipv4
when: tunnel == "openvpn" or tunnel == "tun2socks"
notify:
- Restart firewall
- name: add {{ tunnel }} forwarding
uci:
command: section
config: firewall
type: forwarding
find_by:
name: lan-tun
value:
dest: tun
src: lan
family: ipv4
when: tunnel == "openvpn" or tunnel == "tun2socks" or tunnel == "singbox"
notify:
- Restart firewall
# Configure network
- name: set rule mark0x1
uci:
command: section
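Review bot: `template for sing-box.json` writes `/etc/sing-box/config.json` with `mode: 0644` although that file carries the outbound `password`; the companion `/etc/config/sing-box` gets `mode: 0600`, so apply the same here. Second, the sing-box zone is created with `input: ACCEPT` and `forward: ACCEPT` while the OpenVPN/tun2socks zone on the same `tun0` device uses `REJECT`; return traffic for connections routed into the tunnel is already accepted as established by the firewall, so unless sing-box needs unsolicited inbound on tun0 the open policy is unnecessary exposure and the asymmetry deserves a comment. Finally, both zone tasks use `find_by: name: tun`, so changing `tunnel` from `singbox` to `openvpn` on an already-configured router silently rewrites the zone policy in place; worth documenting.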
@@ -183,8 +376,16 @@
key: network.wan
value:
peerdns: 0
when: ansible_distribution_major_version < "22"
- name: uci commit
- name: uci commit firewall
uci:
command: commit
config: firewall
notify:
- Restart firewall
- name: uci commit network
uci:
command: commit
config: network
@@ -192,36 +393,7 @@
- Restart network
# Configure firewall
- name: set WG firewall zone
uci:
command: section
config: firewall
type: zone
find_by:
name: wg
value:
forward: REJECT
output: ACCEPT
name: wg
input: REJECT
masq: 1
mtu_fix: 1
network: wg0
family: ipv4
- name: add WG forwarding
uci:
command: section
config: firewall
type: forwarding
find_by:
name: wg-lan
value:
dest: wg
src: lan
family: ipv4
- name: add ipset for subnet (<22)
uci:
command: section
@@ -265,7 +437,7 @@
maxelem: 9900000
when: ansible_distribution_major_version < "22" and list_community
- name: add ipset for subnet (22)
- name: add nfset for subnet (22)
uci:
command: section
config: firewall
@@ -275,9 +447,9 @@
value:
match: dst_net
loadfile: /tmp/lst/subnet.lst
when: ansible_distribution_major_version == "22" and list_subnet
when: ansible_distribution_major_version >= "22" and list_subnet
- name: add ipset for ip (22)
- name: add nfset for ip (22)
uci:
command: section
config: firewall
@@ -287,9 +459,9 @@
value:
match: dst_net
loadfile: /tmp/lst/ip.lst
when: ansible_distribution_major_version == "22" and list_ip
when: ansible_distribution_major_version >= "22" and list_ip
- name: add ipset for community (22)
- name: add nfset for community (22)
uci:
command: section
config: firewall
@@ -299,7 +471,7 @@
value:
match: dst_net
loadfile: /tmp/lst/community.lst
when: ansible_distribution_major_version == "22" and list_community
when: ansible_distribution_major_version >= "22" and list_community
- name: add ipset for domains (<22). If failed, check dnsmasq-full
uci:
@@ -312,9 +484,9 @@
match: dst_net
storage: hash
failed_when: ansible_distribution_major_version < "22" and list_domains and not dnsmasqfull_version.stdout
when: ansible_distribution_major_version < "22" and list_domains and dnsmasqfull_version.stdout
when: ansible_distribution_major_version < "22" and list_domains
- name: add ipset for domains (22). If failed, check dnsmasq-full
- name: add nfset for domains (>=22). If failed, check dnsmasq-full
uci:
command: section
config: firewall
@@ -323,8 +495,8 @@
name: vpn_domains
value:
match: dst_net
failed_when: ansible_distribution_major_version == "22" and list_domains and dnsmasqfull_version.stdout < "2.87"
when: ansible_distribution_major_version == "22" and list_domains and dnsmasqfull_version.stdout >= "2.87"
failed_when: ansible_distribution_major_version >= "22" and list_domains and (not dnsmasqfull_version.stdout or dnsmasqfull_version.stdout < "2.87")
when: ansible_distribution_major_version >= "22" and list_domains
- name: add mark rule vpn_subnet
uci:
@@ -392,7 +564,7 @@
set_mark: "0x1"
target: MARK
family: ipv4
when: (ansible_distribution_major_version < "22" and list_domains and dnsmasqfull_version.stdout) or (ansible_distribution_major_version == "22" and list_domains and dnsmasqfull_version.stdout >= "2.87")
when: (ansible_distribution_major_version < "22" and list_domains and dnsmasqfull_version.stdout) or (ansible_distribution_major_version >= "22" and list_domains and dnsmasqfull_version.stdout >= "2.87")
# Remove unused rules and ipset
- name: Remove ipset for ip
@@ -467,26 +639,26 @@
name: mark_domains
when: not list_domains
- name: uci commit firewall
uci:
command: commit
config: firewall
notify:
- Restart firewall
# Configure DNS resolver
# Configure dnscrypt2
- name: install dnscrypt-proxy2
opkg:
name: dnscrypt-proxy2
state: present
when: dns_encrypt == "dnscrypt"
- name: check string in dnscrypt-proxy.toml
shell: grep "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
register: check_server_names
ignore_errors: true
when: dns_encrypt == "dnscrypt"
- name: dnscrypt2 enable exact servers
lineinfile:
path: /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
regexp: "# server_names ="
line: "server_names = ['google', 'cloudflare', 'scaleway-fr', 'yandex']"
when: check_server_names.stdout
when: dns_encrypt == "dnscrypt" and check_server_names.stdout
notify:
- Restart dnscrypt-proxy
@@ -498,10 +670,45 @@
line: "{{ item }}"
with_items:
- " list server '127.0.0.53#53'"
- " list server '/pool.ntp.org/208.67.222.222'"
- " option noresolv '1'"
notify:
- Restart dnsmasq
when: dns_encrypt == "dnscrypt"
- name: install stubby
opkg:
name: stubby
state: present
when: dns_encrypt == "stubby"
- name: edit dhcp config. add localhost server
lineinfile:
path: /etc/config/dhcp
firstmatch: "true"
insertafter: "option leasefile '/tmp/dhcp.leases'"
line: "{{ item }}"
with_items:
- " list server '127.0.0.1#5453'"
- " option noresolv '1'"
notify:
- Restart dnsmasq
when: dns_encrypt == "stubby"
# Commit and handlers
- name: uci commit firewall
uci:
command: commit
config: firewall
notify:
- Restart firewall
- name: uci commit network
uci:
command: commit
config: network
notify:
- Restart network
handlers:
- name: Restart network
@@ -514,9 +721,9 @@
name: firewall
state: restarted
- name: Run hirkn script
- name: Run getdomains script
service:
name: hirkn
name: getdomains
state: restarted
- name: Restart dnscrypt-proxy


@@ -0,0 +1,5 @@
config sing-box 'main'
option enabled '1'
option user 'root'
option conffile '/etc/sing-box/config.json'
option workdir '/usr/share/sing-box'


@@ -1,3 +1,8 @@
#!/bin/sh
{% if tunnel == "wg" %}
ip route add table vpn default dev wg0
{% elif (tunnel == "openvpn") or (tunnel == "singbox") or (tunnel == "tun2socks") %}
sleep 5
ip route add table vpn default dev tun0
{% endif %}
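Review bot: this hotplug script fires for every `iface` event (any interface; `ifup`, `ifdown`, `ifupdate`) and unconditionally sleeps 5 s and then calls `ip route add`, so every unrelated event pays the delay and any repeat add fails with `RTNETLINK answers: File exists`. Gate it on the action, e.g. `[ "$ACTION" = ifup ] || exit 0`, and use `ip route replace` so re-adding is idempotent. The fixed `sleep 5` is there to wait for `tun0` to appear; a short poll on `ip link show tun0` is more robust than a fixed delay.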


@@ -0,0 +1,70 @@
#!/bin/sh /etc/rc.common
START=99
start () {
{% if ansible_distribution_major_version >= "22" and country == "russia-inside" %}
DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/inside-dnsmasq-nfset.lst
{% endif %}
{% if ansible_distribution_major_version >= "22" and country == "russia-outside" %}
DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/outside-dnsmasq-nfset.lst
{% endif %}
{% if ansible_distribution_major_version >= "22" and country == "ukraine" %}
DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Ukraine/inside-dnsmasq-nfset.lst
{% endif %}
{% if ansible_distribution_major_version < "22" and country == "russia-inside" %}
DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/inside-dnsmasq-ipset.lst
{% endif %}
{% if ansible_distribution_major_version < "22" and country == "russia-outside" %}
DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/outside-dnsmasq-ipset.lst
{% endif %}
{% if ansible_distribution_major_version < "22" and country == "ukraine" %}
DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Ukraine/inside-dnsmasq-ipset.lst
{% endif %}
count=0
while true; do
if curl -m 3 github.com; then
curl -f $DOMAINS --output /tmp/dnsmasq.d/domains.lst
break
else
echo "GitHub is not available. Check the internet availability [$count]"
count=$((count+1))
fi
done
if dnsmasq --conf-file=/tmp/dnsmasq.d/domains.lst --test 2>&1 | grep -q "syntax check OK"; then
/etc/init.d/dnsmasq restart
fi
{% if ansible_distribution_major_version >= "22" and (list_ip or list_community) %}
echo "Flush sets"
nft flush ruleset
{% endif %}
{% if list_subnet or list_ip or list_community %}
dir=/tmp/lst
mkdir -p $dir
count=0
while true; do
if curl -m 3 https://antifilter.download/; then
{% if list_subnet %}
curl -f -z $dir/subnet.lst https://antifilter.download/list/subnet.lst --output $dir/subnet.lst
{% endif %}
{% if list_ip %}
curl -f -z $dir/ip.lst https://antifilter.download/list/ip.lst --output $dir/ip.lst
{% endif %}
{% if list_community %}
curl -f -z $dir/community.lst https://community.antifilter.download/list/community.lst --output $dir/community.lst
{% endif %}
break
else
echo "antifilter.download is not available. Check the internet availability [$count]"
count=$((count+1))
fi
done
echo "Firewall restart"
/etc/init.d/firewall restart
{% endif %}
}
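Review bot: `nft flush ruleset` (run when `list_ip or list_community`) wipes the whole nftables ruleset, i.e. all of fw4's input/forward policy, not just the sets being reloaded, and the firewall is only rebuilt by `/etc/init.d/firewall restart` at the end of the function after the antifilter download loop; during that window the router has no packet filter at all. Flush only the affected sets (`nft flush set inet fw4 <set name>`) or restart the firewall immediately after the flush. Both `while true` download loops also lack a `sleep` and a retry cap, so an outage makes this init script spin at full CPU indefinitely.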


@@ -1,116 +0,0 @@
#!/bin/sh /etc/rc.common
START=99
script () {
dir=/tmp/lst
SUBNET=https://antifilter.download/list/subnet.lst
IP=https://antifilter.download/list/ip.lst
COMMUNITY=https://community.antifilter.download/list/community.lst
DOMAINS=https://community.antifilter.download/list/domains.lst
{% if download_utility == "curl" %}
download () {
count=0
while [ ! -f $dir/$1 ]; do
if [ $count -gt 10 ]; then
echo Exit
exit 1
else
echo "Try $count"
curl -f -z $dir/$1 $2 --output $dir/$1
count=$((count+1))
sleep 5
fi
done
}
{% elif download_utility == "wget" %}
download () {
count=0
while [ ! -f $dir/$1 ]; do
if [ $count -gt 10 ]; then
echo Exit
exit 1
else
echo "Try $count"
wget -P $dir $2
count=$((count+1))
sleep 5
fi
done
}
{% endif %}
mkdir -p $dir
{% if ansible_distribution_major_version == "22" and (list_ip or list_community) %}
echo "Flush sets"
nft flush ruleset
{% endif %}
echo "Run download lists"
{% if download_utility == "curl" %}
{% if list_subnet %}
curl -f -z $dir/subnet.lst $SUBNET --output $dir/subnet.lst
download subnet.lst $SUBNET
{% endif %}
{% if list_ip %}
curl -f -z $dir/ip.lst $IP --output $dir/ip.lst
download ip.lst $IP
{% endif %}
{% if list_community %}
curl -f -z $dir/community.lst $COMMUNITY --output $dir/community.lst
download community.lst $COMMUNITY
{% endif %}
{% if list_domains and (ansible_distribution_major_version < "22" and dnsmasqfull_version.stdout) or ( ansible_distribution_major_version == "22" and dnsmasqfull_version.stdout >= "2.87") %}
curl -f -z $dir/domains.lst $DOMAINS --output $dir/domains.lst
download domains.lst $DOMAINS
{% endif %}
{% elif download_utility == "wget" %}
{% if list_subnet %}
rm -f /$dir/subnet.lst && wget -P $dir $SUBNET
download subnet.lst $SUBNET
{% endif %}
{% if list_ip %}
rm -f /$dir/ip.lst && wget -P $dir $IP
download ip.lst $IP
{% endif %}
{% if list_community %}
rm -f /$dir/community.lst && wget -P $dir $COMMUNITY
download community.lst $COMMUNITY
{% endif %}
{% if list_domains and (ansible_distribution_major_version < "22" and dnsmasqfull_version.stdout) or ( ansible_distribution_major_version == "22" and dnsmasqfull_version.stdout >= "2.87") %}
rm -f /$dir/domains.lst && wget -P $dir $DOMAINS
download domains.lst $DOMAINS
{% endif %}
{% endif %}
{% if list_domains %}
{% if ansible_distribution_major_version == "22" and dnsmasqfull_version.stdout >= "2.87" %}
sed "s/.*/nftset=\/&\/4#inet#fw4#vpn_domains/" $dir/domains.lst > /tmp/dnsmasq.d/domains
{% elif ansible_distribution_major_version < "22" and dnsmasqfull_version.stdout %}
sed "s/.*/ipset=\/&\/vpn_domains/" $dir/domains.lst > /tmp/dnsmasq.d/domains
{% endif %}
echo "Dnsmasq restart"
/etc/init.d/dnsmasq restart
{% endif %}
echo "Firewall restart"
/etc/init.d/firewall restart
}
start () {
script
}
restart () {
script
}
reload () {
script
}


@@ -0,0 +1,28 @@
{
"log": {
"level": "debug"
},
"inbounds": [
{
"type": "tun",
"interface_name": "tun0",
"domain_strategy": "ipv4_only",
"inet4_address": "172.19.0.1/30",
"auto_route": false,
"strict_route": false,
"sniff": true
}
],
"outbounds": [
{
"type": "$TYPE",
"server": "$HOST",
"server_port": $PORT,
"method": "$METHOD",
"password": "$PASS"
}
],
"route": {
"auto_detect_interface": true
}
}
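Review bot: the template ships `"log": {"level": "debug"}`, which sends per-connection detail to syslog on a production router; `info` or `warn` is the sensible default. The `$TYPE`/`$HOST`/`$PORT`/`$METHOD`/`$PASS` placeholders also leave the file as invalid JSON until edited (`$PORT` is unquoted), so sing-box fails to start right after the playbook or installer runs; render them from play vars or document that `service sing-box restart` is expected to fail until the file is filled in. Note too that the installer decides a config "already exists" with `grep -q "tun0" /etc/sing-box/config.json`, which this unedited template satisfies, so a placeholder config is never regenerated on re-run.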