From fb95e2550cf3314d4f6181a572017d5f2a6451c5 Mon Sep 17 00:00:00 2001 From: koala Date: Wed, 6 Oct 2021 17:06:53 +0300 Subject: [PATCH] Update for 20.02.0. Add wget option. Switch to ip.lst --- README.md | 22 ++++++++++++++++++++++ playbooks/hirkn.yml | 35 +++++++++++++++++++++++++++-------- templates/openwrt-hirkn.j2 | 8 +++++++- 3 files changed, 56 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 51b4c71..3ae2c7c 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,10 @@ Playbook для Ansible, автоматизирующий настройку о И вот здесь: https://habr.com/ru/post/440030/ +Тестировалось с +- Ansible 2.9.6 +- OpenWrt 20.02.0 + # Использование Для работы необходим wg сервер вне зоны действия РКН @@ -60,3 +64,21 @@ ansible-playbook playbooks/hirkn.yml ``` После выполнения playbook роутер сразу начнёт выполнять обход блокировок через Wireguard сервер. + +# "DST Root CA X3" issue +С версии 19* по 20.02.0 есть проблема со скачиванием файлов c https://antifilter.download/. Там используется LE сертификат. +Workroud в том, что бы переключить системную ssl библиотеку на openssl. +Проверялось на 20.02.0 +``` +sed -i 's/https/http/g' /etc/opkg/distfeeds.conf +opkg install libopenssl +opkg install openssl-util +opkg --force-depends remove libustream-wolfssl20201210 +opkg install libustream-openssl20201210 +sed -i 's/http/https/g' /etc/opkg/distfeeds.conf +``` +Чтобы curl использовал openssl его надо пересобирать, поэтому добавлена возможность использовать wget. +Для этого надо изменить переменную download_utility на wget +``` + download_utility: wget +``` \ No newline at end of file diff --git a/playbooks/hirkn.yml b/playbooks/hirkn.yml index c240f6d..ae5811f 100644 --- a/playbooks/hirkn.yml +++ b/playbooks/hirkn.yml 
@@ -15,19 +15,26 @@ wg_listen_port: 51820 wg_client_port: 51820 wg_client_address: 192.168.100.3/24 + download_utility: curl # Packages installation tasks: - - name: install wireguard + - name: install kmod-wireguard opkg: - name: wireguard + name: kmod-wireguard + state: present + + - name: install wireguard-tools + opkg: + name: wireguard-tools state: present - name: install curl opkg: name: curl state: present + when: download_utility == "curl" - name: install ipset opkg: @@ -53,9 +60,16 @@ dest: "/etc/rc.d/S99hirkn" state: link + - name: create crontab file + file: + dest: "/etc/crontabs/root" + state: touch + mode: 0600 + - name: check string in crontab shell: grep "hirkn" /etc/crontabs/root register: check_cron + ignore_errors: true - name: add script to cron lineinfile: @@ -81,6 +95,7 @@ - name: Check string in rt_tables shell: grep "99 vpn" /etc/iproute2/rt_tables register: check_rt_tables + ignore_errors: true - name: add route table lineinfile: @@ -189,17 +204,19 @@ storage: hash loadfile: /tmp/lst/subnet.lst - - name: add ipset for ipsum + - name: add ipset for ip uci: command: section config: firewall type: ipset find_by: - name: vpn_ipsum + name: vpn_ip value: match: dst_net storage: hash - loadfile: /tmp/lst/ipsum.lst + loadfile: /tmp/lst/ip.lst + hashsize: 1000000 + maxelem: 1000000 - name: add mark rule vpn_subnet uci: @@ -210,22 +227,24 @@ name: mark_subnet value: src: lan + dest: "*" proto: all ipset: vpn_subnets set_mark: "0x1" target: MARK - - name: add mark rule vpn_ipsum + - name: add mark rule vpn_ip uci: command: section config: firewall type: rule find_by: - name: mark_ipsum + name: mark_ip value: src: lan + dest: "*" proto: all - ipset: vpn_ipsum + ipset: vpn_ip set_mark: "0x1" target: MARK diff --git a/templates/openwrt-hirkn.j2 b/templates/openwrt-hirkn.j2 index db9bf81..3379125 100644 --- a/templates/openwrt-hirkn.j2 +++ b/templates/openwrt-hirkn.j2 
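Review bot: `download_utility` is only consulted by the `when: download_utility == "curl"` guard on the curl install, so any value other than `curl` or `wget` (a typo, `Wget`) passes the play and renders a script whose `{% if %}`/`{% elif %}` emits no download at all while the firewall restart still runs. Fail early instead with a probe before the install tasks: `- assert:` / `    that: download_utility in ['curl', 'wget']` / `    fail_msg: "download_utility must be curl or wget"`. There is also no install task for the wget path; if that is because OpenWrt's base image already provides `wget` (uclient-fetch), a comment next to the variable should say so, e.g. `# curl | wget — wget needs no extra package on OpenWrt, curl is installed below`, so the asymmetry does not look like an omission.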
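Review bot: `state: touch` in the new "create crontab file" task rewrites the timestamps of `/etc/crontabs/root` on every run, so the task reports `changed` each time the play is applied and the play stops being idempotent. Add `access_time: preserve` and `modification_time: preserve` under the `file:` arguments (available since Ansible 2.7; the README pins 2.9.6) so an existing crontab is left untouched and only a missing one is created. While here, write the mode as a string, `mode: "0600"`: Ansible does accept the leading-zero octal, but the quoted form is the documented-safe spelling that YAML tooling will not retype into an integer.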
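Review bot: `ignore_errors: true` on the `grep "99 vpn" /etc/iproute2/rt_tables` probe turns the expected "no match" exit code into a red failure that is merely skipped past, and it hides every other failure (file missing, permission denied) the same way, so `check_rt_tables.rc` can no longer tell "line absent" from "could not check". The idiom for a probe task is `failed_when: false` plus `changed_when: false`, which records the rc without failing the host and without reporting a change. The `lineinfile` task this gates begins outside the hunk; if it only uses the rc to decide whether to add the line, the grep can be dropped entirely, since `lineinfile` is already idempotent. The same applies to the `check string in crontab` probe in the earlier hunk.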
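Review bot: `hashsize: 1000000` and `maxelem: 1000000` are unexplained magic numbers hard-coded into the `vpn_ip` set, while every other tunable in this play (`wg_*`, `download_utility`) is a variable. `maxelem` is a hard cap: once `ip.lst` grows past it the kernel refuses further entries ("hash is full") and the destinations that did not fit silently bypass the VPN — presumably fw3 only logs this, so the value needs to track the list size rather than sit buried in the task. Lift both into vars, `vpn_ip_maxelem: 1000000` and `vpn_ip_hashsize: 1000000`, reference them as `maxelem: "{{ vpn_ip_maxelem }}"`, and add `# sized for antifilter ip.lst; the kernel rounds hashsize up to a power of two` so the next reader knows what the numbers are for. The `vpn_subnets` set defined just above this hunk gets no such options; if its list fits the ipset default (65536) that is fine, but a one-line comment saying so would remove the doubt.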
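Review bot: The two MARK rules are now identical apart from `name` and `ipset`, and this hunk had to add `dest: "*"` to each of them separately; a single task with `loop` over the two sets keeps them from drifting the next time one option changes. The first rule (`add mark rule vpn_subnet`) begins outside the hunk, so the merged task below replaces both tasks. The `dest: "*"` addition is not explained anywhere; a why-comment stating what breaks without it on the targeted OpenWrt release would help, but confirm the reason before writing it down.
```yaml
- name: add mark rules for VPN ipsets
  uci:
    command: section
    config: firewall
    type: rule
    find_by:
      name: "mark_{{ item.name }}"
    value:
      src: lan
      dest: "*"
      proto: all
      ipset: "{{ item.ipset }}"
      set_mark: "0x1"
      target: MARK
  loop:
    - { name: subnet, ipset: vpn_subnets }
    - { name: ip, ipset: vpn_ip }
```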
@@ -7,9 +7,15 @@ dir=/tmp/lst mkdir -p $dir echo "Run download lists" +{% if download_utility == "curl" %} curl -z $dir/subnet.lst https://antifilter.download/list/subnet.lst --output $dir/subnet.lst +curl -z $dir/ip.lst https://antifilter.download/list/ip.lst --output $dir/ip.lst -curl -z $dir/ipsum.lst https://antifilter.download/list/ipsum.lst --output $dir/ipsum.lst +{% elif download_utility == "wget" %} +rm -f /$dir/subnet.lst && wget -P $dir https://antifilter.download/list/subnet.lst +rm -f /$dir/ip.lst && wget -P $dir https://antifilter.download/list/ip.lst + +{% endif %} echo "Firewall restart" /etc/init.d/firewall restart
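Review bot: `rm -f /$dir/ip.lst && wget -P $dir …` deletes the previous list before the fetch, so when the download fails — and a TLS failure is exactly the scenario the README's "DST Root CA X3" section describes — the script goes on to restart the firewall with no `ip.lst`/`subnet.lst`, fw3 loads empty sets, and every destination that should go through WireGuard is routed directly: the bypass fails open. The curl branch has the mirror problem: without `--fail`, an HTTP error page or block page is written into the list file and loaded as if it were data. Fetch into a temp file and `mv` it over the live list only on success with non-empty output, as below; this also removes the stray leading slash in `/$dir` (which expands to `//tmp/lst`) and makes an unknown `download_utility` fail loudly instead of rendering an empty branch. Note that TLS is the only integrity check these lists get and they decide what leaves the tunnel, so the fix for the certificate issue must stay the libustream switch from the README, never `--insecure`/`--no-check-certificate`.
```sh
echo "Run download lists"
# Fetch into a temp file and replace the live list only on success, so a
# failed or blocked download keeps the previous list instead of leaving fw3
# with a missing file and an empty set (which would route everything direct).
fetch_list() {
{% if download_utility == "curl" %}
  curl -fsS -z "$dir/$1" "https://antifilter.download/list/$1" --output "$dir/$1.tmp"
{% elif download_utility == "wget" %}
  wget -O "$dir/$1.tmp" "https://antifilter.download/list/$1"
{% else %}
  echo "unsupported download_utility, lists not refreshed" >&2; return 1
{% endif %}
}
for f in subnet.lst ip.lst; do
  rm -f "$dir/$f.tmp"
  if fetch_list "$f" && [ -s "$dir/$f.tmp" ]; then
    mv "$dir/$f.tmp" "$dir/$f"
  else
    # curl -z also lands here on "not modified" (exit 0, no output); the old file stays
    echo "$f: download failed or unchanged, keeping previous list" >&2
    rm -f "$dir/$f.tmp"
  fi
done
# … unchanged: firewall restart …
```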