Update for 20.02.0. Add wget option. Switch to ip.lst

koala
2021-10-06 17:06:53 +03:00
parent bbc8fc759f
commit fb95e2550c
3 changed files with 56 additions and 9 deletions


@@ -11,6 +11,10 @@ Playbook для Ansible, автоматизирующий настройку о
И вот здесь: https://habr.com/ru/post/440030/ И вот здесь: https://habr.com/ru/post/440030/
Тестировалось с
- Ansible 2.9.6
- OpenWrt 20.02.0
# Использование # Использование
Для работы необходим wg сервер вне зоны действия РКН Для работы необходим wg сервер вне зоны действия РКН
@@ -60,3 +64,21 @@ ansible-playbook playbooks/hirkn.yml
``` ```
После выполнения playbook роутер сразу начнёт выполнять обход блокировок через Wireguard сервер. После выполнения playbook роутер сразу начнёт выполнять обход блокировок через Wireguard сервер.
# "DST Root CA X3" issue
С версии 19* по 20.02.0 есть проблема со скачиванием файлов c https://antifilter.download/. Там используется LE сертификат.
Workroud в том, что бы переключить системную ssl библиотеку на openssl.
Проверялось на 20.02.0
```
sed -i 's/https/http/g' /etc/opkg/distfeeds.conf
opkg install libopenssl
opkg install openssl-util
opkg --force-depends remove libustream-wolfssl20201210
opkg install libustream-openssl20201210
sed -i 's/http/https/g' /etc/opkg/distfeeds.conf
```
Чтобы curl использовал openssl его надо пересобирать, поэтому добавлена возможность использовать wget.
Для этого надо изменить переменную download_utility на wget
```
download_utility: wget
```


@@ -15,19 +15,26 @@
wg_listen_port: 51820 wg_listen_port: 51820
wg_client_port: 51820 wg_client_port: 51820
wg_client_address: 192.168.100.3/24 wg_client_address: 192.168.100.3/24
download_utility: curl
# Packages installation # Packages installation
tasks: tasks:
- name: install wireguard - name: install kmod-wireguard
opkg: opkg:
name: wireguard name: kmod-wireguard
state: present
- name: install wireguard-tools
opkg:
name: wireguard-tools
state: present state: present
- name: install curl - name: install curl
opkg: opkg:
name: curl name: curl
state: present state: present
when: download_utility == "curl"
- name: install ipset - name: install ipset
opkg: opkg:
@@ -53,9 +60,16 @@
dest: "/etc/rc.d/S99hirkn" dest: "/etc/rc.d/S99hirkn"
state: link state: link
- name: create crontab file
file:
dest: "/etc/crontabs/root"
state: touch
mode: 0600
- name: check string in crontab - name: check string in crontab
shell: grep "hirkn" /etc/crontabs/root shell: grep "hirkn" /etc/crontabs/root
register: check_cron register: check_cron
ignore_errors: true
- name: add script to cron - name: add script to cron
lineinfile: lineinfile:
@@ -81,6 +95,7 @@
- name: Check string in rt_tables - name: Check string in rt_tables
shell: grep "99 vpn" /etc/iproute2/rt_tables shell: grep "99 vpn" /etc/iproute2/rt_tables
register: check_rt_tables register: check_rt_tables
ignore_errors: true
- name: add route table - name: add route table
lineinfile: lineinfile:
@@ -189,17 +204,19 @@
storage: hash storage: hash
loadfile: /tmp/lst/subnet.lst loadfile: /tmp/lst/subnet.lst
- name: add ipset for ipsum - name: add ipset for ip
uci: uci:
command: section command: section
config: firewall config: firewall
type: ipset type: ipset
find_by: find_by:
name: vpn_ipsum name: vpn_ip
value: value:
match: dst_net match: dst_net
storage: hash storage: hash
loadfile: /tmp/lst/ipsum.lst loadfile: /tmp/lst/ip.lst
hashsize: 1000000
maxelem: 1000000
- name: add mark rule vpn_subnet - name: add mark rule vpn_subnet
uci: uci:
@@ -210,22 +227,24 @@
name: mark_subnet name: mark_subnet
value: value:
src: lan src: lan
dest: "*"
proto: all proto: all
ipset: vpn_subnets ipset: vpn_subnets
set_mark: "0x1" set_mark: "0x1"
target: MARK target: MARK
- name: add mark rule vpn_ipsum - name: add mark rule vpn_ip
uci: uci:
command: section command: section
config: firewall config: firewall
type: rule type: rule
find_by: find_by:
name: mark_ipsum name: mark_ip
value: value:
src: lan src: lan
dest: "*"
proto: all proto: all
ipset: vpn_ipsum ipset: vpn_ip
set_mark: "0x1" set_mark: "0x1"
target: MARK target: MARK
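Review bot: `ignore_errors: true` on the two grep checks (`check string in crontab` and `Check string in rt_tables`) tolerates more than the expected "no match" result. grep exits 1 when the string is absent but 2 when the file cannot be read, so a genuine failure on the router is now treated the same as "line missing". Scoping the tolerance keeps real errors visible: use `failed_when: check_cron.rc > 1` with `changed_when: false`, and the same for `check_rt_tables`. Separately, `mode: 0600` in the new `create crontab file` task relies on YAML 1.1 octal parsing; `mode: "0600"` is the unambiguous form. The lineinfile tasks that consume the registered results are only partly visible in these hunks, so how they use `rc` is not confirmed here.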


@@ -7,9 +7,15 @@ dir=/tmp/lst
mkdir -p $dir mkdir -p $dir
echo "Run download lists" echo "Run download lists"
{% if download_utility == "curl" %}
curl -z $dir/subnet.lst https://antifilter.download/list/subnet.lst --output $dir/subnet.lst curl -z $dir/subnet.lst https://antifilter.download/list/subnet.lst --output $dir/subnet.lst
curl -z $dir/ip.lst https://antifilter.download/list/ip.lst --output $dir/ip.lst
curl -z $dir/ipsum.lst https://antifilter.download/list/ipsum.lst --output $dir/ipsum.lst {% elif download_utility == "wget" %}
rm -f /$dir/subnet.lst && wget -P $dir https://antifilter.download/list/subnet.lst
rm -f /$dir/ip.lst && wget -P $dir https://antifilter.download/list/ip.lst
{% endif %}
echo "Firewall restart" echo "Firewall restart"
/etc/init.d/firewall restart /etc/init.d/firewall restart
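Review bot: In the wget branch, `rm -f /$dir/subnet.lst && wget -P $dir …` deletes the current list before the download has succeeded. A failed fetch (for example the certificate problem the README describes) then leaves no list file, and the `firewall restart` that follows reloads the ipset from a missing file. Download to a temporary name and replace only on success, e.g. `wget -O $dir/subnet.lst.tmp https://antifilter.download/list/subnet.lst && mv $dir/subnet.lst.tmp $dir/subnet.lst`, and the same for ip.lst. These lists drive the firewall marking rules and TLS is their only integrity protection, so certificate verification should stay enabled in both branches. There is also no `{% else %}`, so any other `download_utility` value renders a script that silently downloads nothing.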