jeka/ansible-openwrt-hirkn
1
0
Fork 0
mirror of https://github.com/itdoginfo/ansible-openwrt-hirkn.git synced 2025-12-13 18:44:31 +05:00
Code Issues Packages Projects Releases Wiki Activity

Update for 20.02.0. Add wget option. Switch to ip.lst

Browse Source
This commit is contained in:
koala
2021-10-06 17:06:53 +03:00
parent bbc8fc759f
commit fb95e2550c
3 changed files with 56 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@@ -11,6 +11,10 @@ Playbook для Ansible, автоматизирующий настройку о
И вот здесь: https://habr.com/ru/post/440030/
Тестировалось с
- Ansible 2.9.6
- OpenWrt 20.02.0
# Использование
Для работы необходим wg сервер вне зоны действия РКН
@@ -60,3 +64,21 @@ ansible-playbook playbooks/hirkn.yml
```
После выполнения playbook роутер сразу начнёт выполнять обход блокировок через Wireguard сервер.
# "DST Root CA X3" issue
С версии 19* по 20.02.0 есть проблема со скачиванием файлов c https://antifilter.download/. Там используется LE сертификат.
Workroud в том, что бы переключить системную ssl библиотеку на openssl.
Проверялось на 20.02.0
```
sed -i 's/https/http/g' /etc/opkg/distfeeds.conf
opkg install libopenssl
opkg install openssl-util
opkg --force-depends remove libustream-wolfssl20201210
opkg install libustream-openssl20201210
sed -i 's/http/https/g' /etc/opkg/distfeeds.conf
```
Чтобы curl использовал openssl его надо пересобирать, поэтому добавлена возможность использовать wget.
Для этого надо изменить переменную download_utility на wget
```
download_utility: wget
```

35
playbooks/hirkn.yml
View File

@@ -15,19 +15,26 @@
wg_listen_port: 51820
wg_client_port: 51820
wg_client_address: 192.168.100.3/24
download_utility: curl
# Packages installation
tasks:
- name: install wireguard
- name: install kmod-wireguard
opkg:
name: wireguard
name: kmod-wireguard
state: present
- name: install wireguard-tools
opkg:
name: wireguard-tools
state: present
- name: install curl
opkg:
name: curl
state: present
when: download_utility == "curl"
- name: install ipset
opkg:
@@ -53,9 +60,16 @@
dest: "/etc/rc.d/S99hirkn"
state: link
- name: create crontab file
file:
dest: "/etc/crontabs/root"
state: touch
mode: 0600
- name: check string in crontab
shell: grep "hirkn" /etc/crontabs/root
register: check_cron
ignore_errors: true
- name: add script to cron
lineinfile:
@@ -81,6 +95,7 @@
- name: Check string in rt_tables
shell: grep "99 vpn" /etc/iproute2/rt_tables
register: check_rt_tables
ignore_errors: true
- name: add route table
lineinfile:
@@ -189,17 +204,19 @@
storage: hash
loadfile: /tmp/lst/subnet.lst
- name: add ipset for ipsum
- name: add ipset for ip
uci:
command: section
config: firewall
type: ipset
find_by:
name: vpn_ipsum
name: vpn_ip
value:
match: dst_net
storage: hash
loadfile: /tmp/lst/ipsum.lst
loadfile: /tmp/lst/ip.lst
hashsize: 1000000
maxelem: 1000000
- name: add mark rule vpn_subnet
uci:
@@ -210,22 +227,24 @@
name: mark_subnet
value:
src: lan
dest: "*"
proto: all
ipset: vpn_subnets
set_mark: "0x1"
target: MARK
- name: add mark rule vpn_ipsum
- name: add mark rule vpn_ip
uci:
command: section
config: firewall
type: rule
find_by:
name: mark_ipsum
name: mark_ip
value:
src: lan
dest: "*"
proto: all
ipset: vpn_ipsum
ipset: vpn_ip
set_mark: "0x1"
target: MARK

8
templates/openwrt-hirkn.j2
View File

@@ -7,9 +7,15 @@ dir=/tmp/lst
mkdir -p $dir
echo "Run download lists"
{% if download_utility == "curl" %}
curl -z $dir/subnet.lst https://antifilter.download/list/subnet.lst --output $dir/subnet.lst
curl -z $dir/ip.lst https://antifilter.download/list/ip.lst --output $dir/ip.lst
curl -z $dir/ipsum.lst https://antifilter.download/list/ipsum.lst --output $dir/ipsum.lst
{% elif download_utility == "wget" %}
rm -f /$dir/subnet.lst && wget -P $dir https://antifilter.download/list/subnet.lst
rm -f /$dir/ip.lst && wget -P $dir https://antifilter.download/list/ip.lst
{% endif %}
echo "Firewall restart"
/etc/init.d/firewall restart