Merge 7177c18ecd into ceac5597ac

feat: add AmneziaWG

.github/workflows/public-galaxy.yml

@@ -2,7 +2,6 @@ name: Public to Ansible Galaxy
 
 on:
   push:
-    branches: [ "role" ]
     tags:
       - '*'
 
@@ -15,5 +14,4 @@ jobs:
       - name: Publish Ansible role to Galaxy
         uses: robertdebock/galaxy-action@1.2.1
         with:
-          galaxy_api_key: ${{ secrets.galaxy_api_key }}
+          galaxy_api_key: ${{ secrets.galaxy_api_key }}
-          git_branch: 0.1.3

README.EN.md

@@ -69,7 +69,7 @@ Wireguard, only domains, stubby, Russia, acces from wg network, host 192.168.1.1
   remote_user: root
 
   roles:
-    - domain-routing-openwrt
+    - itdoginfo.domain_routing_openwrt
 
   vars:
     tunnel: wg
@@ -93,12 +93,22 @@ Sing-box, stubby, Russia
   remote_user: root
 
   roles:
-    - domain-routing-openwrt
+    - itdoginfo.domain_routing_openwrt
 
   vars:
     tunnel: singbox
     dns_encrypt: stubby
     country: russia-inside
+
+  tasks:
+  - name: sing-box config
+    template:
+      src: "templates/openwrt-sing-box-json.j2"
+      dest: "/etc/sing-box/config.json"
+      mode: 0644
+    notify:
+      - Restart sing-box
+      - Restart network
 ```
 
 License

README.md

@@ -1,7 +1,7 @@
-[English role README](https://github.com/itdoginfo/domain-routing-openwrt/blob/role/README.EN.md)
+[English role README](https://github.com/itdoginfo/domain-routing-openwrt/blob/master/README.EN.md)
 
 # Описание
-Shell скрипт и playbook для Ansible. Автоматизируют настройку роутера на OpenWrt для роутинга по доменам и спискам IP-адресов.
+Shell скрипт и [роль для Ansible](https://galaxy.ansible.com/ui/standalone/roles/itdoginfo/domain_routing_openwrt). Автоматизируют настройку роутера на OpenWrt для роутинга по доменам и спискам IP-адресов.
 
 Полное описание происходящего:
 - [Статья на хабре](https://habr.com/ru/articles/767464/)
@@ -12,6 +12,11 @@ Shell скрипт и playbook для Ansible. Автоматизируют на
 sh <(wget -O - https://raw.githubusercontent.com/itdoginfo/domain-routing-openwrt/master/getdomains-install.sh)
 ```
 
+## AmneziaWG
+Через этот скрипт можно установить Amnezia wireguard. Скрипт проверяет наличие пакетов под вашу платформу в [стороннем репозитории](https://github.com/Slava-Shchipunov/awg-openwrt/releases), так как в официальном репозитории OpenWRT они отсутствуют, и автоматически их устанавливает.
+
+Если подходящих пакетов нет, перед настройкой необходимо будет самостоятельно [собрать бинарники AmneziaWG](https://github.com/itdoginfo/domain-routing-openwrt/wiki/Amnezia-WG-Build) для своего устройства и установить их.
+
 ## Скрипт для проверки конфигурации
 Написан для OpenWrt 23.05 и 22.03. На 21.02 работает только половина проверок.
 
@@ -44,7 +49,7 @@ ansible-galaxy role install itdoginfo.domain_routing_openwrt
 
 Примеры playbooks
 
-Wireguard, only domains, stubby, Russia, acces from wg network (примерное значение 192.168.80.0/24), host 192.168.1.1
+Wireguard, only domains, stubby, Russia, acces from wg network (пример 192.168.80.0/24), host 192.168.1.1
 ```
 - hosts: 192.168.1.1
   remote_user: root
@@ -81,6 +86,16 @@ Sing-box, stubby, Russia
     tunnel: singbox
     dns_encrypt: stubby
     country: russia-inside
+
+  tasks:
+  - name: sing-box config
+    template:
+      src: "templates/openwrt-sing-box-json.j2"
+      dest: "/etc/sing-box/config.json"
+      mode: 0644
+    notify:
+      - Restart sing-box
+      - Restart network
 ```
 
 В inventory файле роутер обязательно должен быть в группе `[openwrt]`
@@ -115,7 +130,7 @@ service getdomains start
 Для 22ой версии нужно установить пакет вручную.
 - tun2socks настраивается только роутинг и зона. Всё остальное нужно настроить вручную
 
-Для **tunnel** четыре возможных значения:
+Для **tunnel** шесть возможных значений:
 - wg
 - openvpn
 - singbox
@@ -183,12 +198,11 @@ service getdomains start
 [Инструкция для OpenWrt 21.02](https://t.me/itdoginfo/8)
 
 ## Текстовый редактор nano
-Устанавливается по умолчанию
+Устанавливается по умолчанию. Можно выключить
-Можно выключить
 ```
   nano: false
 ```
 
 ---
 
-[Telegram-канал с обновлениями](https://t.me/+lW1HmBO_Fa00M2Iy)
+[Telegram-канал с обновлениями](https://t.me/+lW1HmBO_Fa00M2Iy)

getdomains-check.sh

@@ -19,13 +19,13 @@ output_21() {
 }
 
 # System Details
-MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2)
+MODEL=$(cat /tmp/sysinfo/model)
-RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}')
+source /etc/os-release
-printf "\033[34;1mModel:$MODEL\033[0m\n"
+printf "\033[34;1mModel: $MODEL\033[0m\n"
-printf "\033[34;1mVersion: $RELEASE\033[0m\n"
+printf "\033[34;1mVersion: $OPENWRT_RELEASE\033[0m\n"
 printf "\033[34;1mDate: $(date)\033[0m\n"
 
-VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}')
+VERSION_ID=$(echo $VERSION | awk -F. '{print $1}')
 RAM=$(free -m | grep Mem: | awk '{print $2}')
 if [[ "$VERSION_ID" -ge 22 && "$RAM" -lt 150000 ]]
 then 
@@ -94,11 +94,6 @@ if curl -6 -s https://ifconfig.io | egrep -q "(::)?[0-9a-fA-F]{1,4}(::?[0-9a-fA-
     checkpoint_false "IPv6 detected. This script does not currently work with IPv6"
 fi
 
-# PPPoE
-if uci show network.wan.proto | grep -q "pppoe"; then
-    checkpoint_false "PPPoE is used. That could be a problem"
-fi
-
 # Tunnels
 WIREGUARD=$(opkg list-installed | grep -c wireguard-tools )
 if [ $WIREGUARD -eq 1 ]; then
@@ -134,7 +129,7 @@ if [ "$WG" == true ]; then
     if [ $ROUTE_TABLE -eq 1 ]; then
         checkpoint_true "Route table WG"
     else
-        checkpoint_false "Route table VPN"
+        checkpoint_false "Route table WG"
         echo "Details: https://cli.co/Atxr6U3"
     fi
 fi
@@ -467,4 +462,4 @@ fi
 
 # Info
 echo -e "\nTelegram channel: https://t.me/itdoginfo"
-echo "Telegram chat: https://t.me/itdogchat"
+echo "Telegram chat: https://t.me/itdogchat"

getdomains-install.sh

@@ -13,6 +13,12 @@ cat << EOF > /etc/hotplug.d/iface/30-vpnroute
 #!/bin/sh
 
 ip route add table vpn default dev wg0
+EOF
+    elif [ "$TUNNEL" == awg ]; then
+cat << EOF > /etc/hotplug.d/iface/30-vpnroute
+#!/bin/sh
+
+ip route add table vpn default dev awg0
 EOF
     elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
 cat << EOF > /etc/hotplug.d/iface/30-vpnroute
@@ -39,13 +45,15 @@ add_mark() {
 }
 
 add_tunnel() {
-    echo "We can automatically configure only Wireguard. OpenVPN, Sing-box(Shadowsocks2022, VMess, VLESS, etc) and tun2socks will need to be configured manually"
+    echo "We can automatically configure only Wireguard and Amnezia WireGuard. OpenVPN, Sing-box(Shadowsocks2022, VMess, VLESS, etc) and tun2socks will need to be configured manually"
     echo "Select a tunnel:"
     echo "1) WireGuard"
     echo "2) OpenVPN"
     echo "3) Sing-box"
     echo "4) tun2socks"
-    echo "5) Skip this step"
+    echo "5) wgForYoutube"
+    echo "6) Amnezia WireGuard"
+    echo "7) Skip this step"
 
     while true; do
     read -r -p '' TUNNEL
@@ -71,7 +79,17 @@ add_tunnel() {
             break
             ;;
 
-        5)
+        5) 
+            TUNNEL=wgForYoutube
+            break
+            ;;
+
+        6) 
+            TUNNEL=awg
+            break
+            ;;
+
+        7)
             echo "Skip"
             TUNNEL=0
             break
@@ -207,6 +225,165 @@ EOF
         printf "\033[32;1mConfigure route for Sing-box\033[0m\n"
         route_vpn
     fi
+
+    if [ "$TUNNEL" == 'wgForYoutube' ]; then
+        add_internal_wg
+    fi
+
+    if [ "$TUNNEL" == 'awg' ]; then
+        printf "\033[32;1mConfigure Amnezia WireGuard\033[0m\n"
+
+        # Получение pkgarch с наибольшим приоритетом
+        PKGARCH=$(opkg print-architecture | awk 'BEGIN {max=0} {if ($3 > max) {max = $3; arch = $2}} END {print arch}')
+
+        TARGET=$(ubus call system board | jsonfilter -e '@.release.target' | cut -d '/' -f 1)
+        SUBTARGET=$(ubus call system board | jsonfilter -e '@.release.target' | cut -d '/' -f 2)
+        VERSION=$(ubus call system board | jsonfilter -e '@.release.version')
+        PKGPOSTFIX="_v${VERSION}_${PKGARCH}_${TARGET}_${SUBTARGET}.ipk"
+        BASE_URL="https://github.com/Slava-Shchipunov/awg-openwrt/releases/download/"
+
+        AWG_DIR="/tmp/amneziawg"
+        mkdir -p "$AWG_DIR"
+
+        if opkg list-installed | grep -q amneziawg-tools; then
+            echo "amneziawg-tools already installed"
+        else
+            AMNEZIAWG_TOOLS_FILENAME="amneziawg-tools${PKGPOSTFIX}"
+            DOWNLOAD_URL="${BASE_URL}v${VERSION}/${AMNEZIAWG_TOOLS_FILENAME}"
+            curl -L -o "$AWG_DIR/$AMNEZIAWG_TOOLS_FILENAME" "$DOWNLOAD_URL"
+
+            if [ $? -eq 0 ]; then
+                echo "amneziawg-tools file downloaded successfully"
+            else
+                echo "Error downloading amneziawg-tools. Please, install amneziawg-tools manually and run the script again"
+                exit 1
+            fi
+
+            opkg install "$AWG_DIR/$AMNEZIAWG_TOOLS_FILENAME"
+
+            if [ $? -eq 0 ]; then
+                echo "amneziawg-tools file downloaded successfully"
+            else
+                echo "Error installing amneziawg-tools. Please, install amneziawg-tools manually and run the script again"
+                exit 1
+            fi
+        fi
+        
+        if opkg list-installed | grep -q kmod-amneziawg; then
+            echo "kmod-amneziawg already installed"
+        else
+            KMOD_AMNEZIAWG_FILENAME="kmod-amneziawg${PKGPOSTFIX}"
+            DOWNLOAD_URL="${BASE_URL}v${VERSION}/${KMOD_AMNEZIAWG_FILENAME}"
+            curl -L -o "$AWG_DIR/$KMOD_AMNEZIAWG_FILENAME" "$DOWNLOAD_URL"
+
+            if [ $? -eq 0 ]; then
+                echo "kmod-amneziawg file downloaded successfully"
+            else
+                echo "Error downloading kmod-amneziawg. Please, install kmod-amneziawg manually and run the script again"
+                exit 1
+            fi
+            
+            opkg install "$AWG_DIR/$KMOD_AMNEZIAWG_FILENAME"
+
+            if [ $? -eq 0 ]; then
+                echo "kmod-amneziawg file downloaded successfully"
+            else
+                echo "Error installing kmod-amneziawg. Please, install kmod-amneziawg manually and run the script again"
+                exit 1
+            fi
+        fi
+        
+        if opkg list-installed | grep -q luci-app-amneziawg; then
+            echo "luci-app-amneziawg already installed"
+        else
+            LUCI_APP_AMNEZIAWG_FILENAME="luci-app-amneziawg${PKGPOSTFIX}"
+            DOWNLOAD_URL="${BASE_URL}v${VERSION}/${LUCI_APP_AMNEZIAWG_FILENAME}"
+            curl -L -o "$AWG_DIR/$LUCI_APP_AMNEZIAWG_FILENAME" "$DOWNLOAD_URL"
+
+            if [ $? -eq 0 ]; then
+                echo "luci-app-amneziawg file downloaded successfully"
+            else
+                echo "Error downloading luci-app-amneziawg. Please, install luci-app-amneziawg manually and run the script again"
+                exit 1
+            fi
+
+            opkg install "$AWG_DIR/$LUCI_APP_AMNEZIAWG_FILENAME"
+
+            if [ $? -eq 0 ]; then
+                echo "luci-app-amneziawg file downloaded successfully"
+            else
+                echo "Error installing luci-app-amneziawg. Please, install luci-app-amneziawg manually and run the script again"
+                exit 1
+            fi
+        fi
+
+        rm -rf "$AWG_DIR"
+
+        route_vpn
+
+        read -r -p "Enter the private key (from [Interface]):"$'\n' AWG_PRIVATE_KEY
+
+        while true; do
+            read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (Address from [Interface]):"$'\n' AWG_IP
+            if echo "$AWG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
+                break
+            else
+                echo "This IP is not valid. Please repeat"
+            fi
+        done
+
+        read -r -p "Enter Jc value (from [Interface]):"$'\n' AWG_JC
+        read -r -p "Enter Jmin value (from [Interface]):"$'\n' AWG_JMIN
+        read -r -p "Enter Jmax value (from [Interface]):"$'\n' AWG_JMAX
+        read -r -p "Enter S1 value (from [Interface]):"$'\n' AWG_S1
+        read -r -p "Enter S2 value (from [Interface]):"$'\n' AWG_S2
+        read -r -p "Enter H1 value (from [Interface]):"$'\n' AWG_H1
+        read -r -p "Enter H2 value (from [Interface]):"$'\n' AWG_H2
+        read -r -p "Enter H3 value (from [Interface]):"$'\n' AWG_H3
+        read -r -p "Enter H4 value (from [Interface]):"$'\n' AWG_H4
+    
+        read -r -p "Enter the public key (from [Peer]):"$'\n' AWG_PUBLIC_KEY
+        read -r -p "If use PresharedKey, Enter this (from [Peer]). If your don't use leave blank:"$'\n' AWG_PRESHARED_KEY
+        read -r -p "Enter Endpoint host without port (Domain or IP) (from [Peer]):"$'\n' AWG_ENDPOINT
+
+        read -r -p "Enter Endpoint host port (from [Peer]) [51820]:"$'\n' AWG_ENDPOINT_PORT
+        AWG_ENDPOINT_PORT=${AWG_ENDPOINT_PORT:-51820}
+        if [ "$AWG_ENDPOINT_PORT" = '51820' ]; then
+            echo $AWG_ENDPOINT_PORT
+        fi
+        
+        uci set network.awg0=interface
+        uci set network.awg0.proto='amneziawg'
+        uci set network.awg0.private_key=$AWG_PRIVATE_KEY
+        uci set network.awg0.listen_port='51820'
+        uci set network.awg0.addresses=$AWG_IP
+
+        uci set network.awg0.awg_jc=$AWG_JC
+        uci set network.awg0.awg_jmin=$AWG_JMIN
+        uci set network.awg0.awg_jmax=$AWG_JMAX
+        uci set network.awg0.awg_s1=$AWG_S1
+        uci set network.awg0.awg_s2=$AWG_S2
+        uci set network.awg0.awg_h1=$AWG_H1
+        uci set network.awg0.awg_h2=$AWG_H2
+        uci set network.awg0.awg_h3=$AWG_H3
+        uci set network.awg0.awg_h4=$AWG_H4
+
+        if ! uci show network | grep -q amneziawg_awg0; then
+            uci add network amneziawg_awg0
+        fi
+
+        uci set network.@amneziawg_awg0[0]=amneziawg_awg0
+        uci set network.@amneziawg_awg0[0].name='awg0_client'
+        uci set network.@amneziawg_awg0[0].public_key=$AWG_PUBLIC_KEY
+        uci set network.@amneziawg_awg0[0].preshared_key=$AWG_PRESHARED_KEY
+        uci set network.@amneziawg_awg0[0].route_allowed_ips='0'
+        uci set network.@amneziawg_awg0[0].persistent_keepalive='25'
+        uci set network.@amneziawg_awg0[0].endpoint_host=$AWG_ENDPOINT
+        uci set network.@amneziawg_awg0[0].allowed_ips='0.0.0.0/0'
+        uci set network.@amneziawg_awg0[0].endpoint_port=$AWG_ENDPOINT_PORT
+        uci commit
+    fi
+
 }
 
 dnsmasqfull() {
@@ -254,14 +431,25 @@ add_zone() {
             while uci -q delete firewall.@zone[$zone_wg_id]; do :; done
         fi
 
+        zone_awg_id=$(uci show firewall | grep -E '@zone.*awg0' | awk -F '[][{}]' '{print $2}' | head -n 1)
+        if [ "$zone_awg_id" == 0 ] || [ "$zone_awg_id" == 1 ]; then
+            printf "\033[32;1mawg0 zone has an identifier of 0 or 1. That's not ok. Fix your firewall. lan and wan zones should have identifiers 0 and 1. \033[0m\n"
+            exit 1
+        fi
+        if [ ! -z "$zone_awg_id" ]; then
+            while uci -q delete firewall.@zone[$zone_awg_id]; do :; done
+        fi
+
         uci add firewall zone
         uci set firewall.@zone[-1].name="$TUNNEL"
         if [ "$TUNNEL" == wg ]; then
             uci set firewall.@zone[-1].network='wg0'
+        elif [ "$TUNNEL" == awg ]; then
+            uci set firewall.@zone[-1].network='awg0'
         elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
             uci set firewall.@zone[-1].device='tun0'
         fi
-        if [ "$TUNNEL" == wg ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
+        if [ "$TUNNEL" == wg ] || [ "$TUNNEL" == awg ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
             uci set firewall.@zone[-1].forward='REJECT'
             uci set firewall.@zone[-1].output='ACCEPT'
             uci set firewall.@zone[-1].input='REJECT'
@@ -288,6 +476,11 @@ add_zone() {
             remove_forwarding
         fi
 
+        if [[ $TUNNEL != "awg" ]]; then
+            forward_id=$(uci show firewall | grep -E "@forwarding.*dest='awg'" | awk -F '[][{}]' '{print $2}' | head -n 1)
+            remove_forwarding
+        fi
+
         if [[ $TUNNEL != "ovpn" ]]; then
             forward_id=$(uci show firewall | grep -E "@forwarding.*dest='ovpn'" | awk -F '[][{}]' '{print $2}' | head -n 1)
             remove_forwarding
@@ -552,13 +745,160 @@ EOF
     fi
 }
 
-# System Details
+add_internal_wg() {
-MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2)
+    printf "\033[32;1mConfigure WireGuard\033[0m\n"
-RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}')
+    if opkg list-installed | grep -q wireguard-tools; then
-printf "\033[34;1mModel:$MODEL\033[0m\n"
+        echo "Wireguard already installed"
-printf "\033[34;1mVersion: $RELEASE\033[0m\n"
+    else
+        echo "Installed wg..."
+        opkg install wireguard-tools
+    fi
 
-VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}')
+    read -r -p "Enter the private key (from [Interface]):"$'\n' WG_PRIVATE_KEY_INT
+
+    while true; do
+        read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' WG_IP
+        if echo "$WG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
+            break
+        else
+            echo "This IP is not valid. Please repeat"
+        fi
+    done
+
+    read -r -p "Enter the public key (from [Peer]):"$'\n' WG_PUBLIC_KEY_INT
+    read -r -p "If use PresharedKey, Enter this (from [Peer]). If your don't use leave blank:"$'\n' WG_PRESHARED_KEY_INT
+    read -r -p "Enter Endpoint host without port (Domain or IP) (from [Peer]):"$'\n' WG_ENDPOINT_INT
+
+    read -r -p "Enter Endpoint host port (from [Peer]) [51820]:"$'\n' WG_ENDPOINT_PORT_INT
+    WG_ENDPOINT_PORT_INT=${WG_ENDPOINT_PORT_INT:-51820}
+    if [ "$WG_ENDPOINT_PORT_INT" = '51820' ]; then
+        echo $WG_ENDPOINT_PORT_INT
+    fi
+    
+    uci set network.wg1=interface
+    uci set network.wg1.proto='wireguard'
+    uci set network.wg1.private_key=$WG_PRIVATE_KEY_INT
+    uci set network.wg1.listen_port='51820'
+    uci set network.wg1.addresses=$WG_IP
+
+    if ! uci show network | grep -q wireguard_wg1; then
+        uci add network wireguard_wg1
+    fi
+    uci set network.@wireguard_wg1[0]=wireguard_wg1
+    uci set network.@wireguard_wg1[0].name='wg1_client'
+    uci set network.@wireguard_wg1[0].public_key=$WG_PUBLIC_KEY_INT
+    uci set network.@wireguard_wg1[0].preshared_key=$WG_PRESHARED_KEY_INT
+    uci set network.@wireguard_wg1[0].route_allowed_ips='0'
+    uci set network.@wireguard_wg1[0].persistent_keepalive='25'
+    uci set network.@wireguard_wg1[0].endpoint_host=$WG_ENDPOINT_INT
+    uci set network.@wireguard_wg1[0].allowed_ips='0.0.0.0/0'
+    uci set network.@wireguard_wg1[0].endpoint_port=$WG_ENDPOINT_PORT_INT
+    uci commit network
+
+    grep -q "110 vpninternal" /etc/iproute2/rt_tables || echo '110 vpninternal' >> /etc/iproute2/rt_tables
+
+    if ! uci show network | grep -q mark0x2; then
+        printf "\033[32;1mConfigure mark rule\033[0m\n"
+        uci add network rule
+        uci set network.@rule[-1].name='mark0x2'
+        uci set network.@rule[-1].mark='0x2'
+        uci set network.@rule[-1].priority='110'
+        uci set network.@rule[-1].lookup='vpninternal'
+        uci commit
+    fi
+
+    if ! uci show network | grep -q vpn_route_internal; then
+        printf "\033[32;1mAdd route\033[0m\n"
+        uci set network.vpn_route_internal=route
+        uci set network.vpn_route_internal.name='vpninternal'
+        uci set network.vpn_route_internal.interface='wg1'
+        uci set network.vpn_route_internal.table='vpninternal'
+        uci set network.vpn_route_internal.target='0.0.0.0/0'
+        uci commit network
+    fi
+
+    if ! uci show firewall | grep -q "@zone.*name='wg_internal'"; then
+        printf "\033[32;1mZone Create\033[0m\n"
+        uci add firewall zone
+        uci set firewall.@zone[-1].name="wg_internal"
+        uci set firewall.@zone[-1].network='wg1'
+        uci set firewall.@zone[-1].forward='REJECT'
+        uci set firewall.@zone[-1].output='ACCEPT'
+        uci set firewall.@zone[-1].input='REJECT'
+        uci set firewall.@zone[-1].masq='1'
+        uci set firewall.@zone[-1].mtu_fix='1'
+        uci set firewall.@zone[-1].family='ipv4'
+        uci commit firewall
+    fi
+
+    if ! uci show firewall | grep -q "@forwarding.*name='wg_internal'"; then
+        printf "\033[32;1mConfigured forwarding\033[0m\n"
+        uci add firewall forwarding
+        uci set firewall.@forwarding[-1]=forwarding
+        uci set firewall.@forwarding[-1].name="wg_internal-lan"
+        uci set firewall.@forwarding[-1].dest="wg_internal"
+        uci set firewall.@forwarding[-1].src='lan'
+        uci set firewall.@forwarding[-1].family='ipv4'
+        uci commit firewall
+    fi
+
+    if uci show firewall | grep -q "@ipset.*name='vpn_domains_internal'"; then
+        printf "\033[32;1mSet already exist\033[0m\n"
+    else
+        printf "\033[32;1mCreate set\033[0m\n"
+        uci add firewall ipset
+        uci set firewall.@ipset[-1].name='vpn_domains_internal'
+        uci set firewall.@ipset[-1].match='dst_net'
+        uci commit firewall
+    fi
+
+    if uci show firewall | grep -q "@rule.*name='mark_domains_intenal'"; then
+        printf "\033[32;1mRule for set already exist\033[0m\n"
+    else
+        printf "\033[32;1mCreate rule set\033[0m\n"
+        uci add firewall rule
+        uci set firewall.@rule[-1]=rule
+        uci set firewall.@rule[-1].name='mark_domains_intenal'
+        uci set firewall.@rule[-1].src='lan'
+        uci set firewall.@rule[-1].dest='*'
+        uci set firewall.@rule[-1].proto='all'
+        uci set firewall.@rule[-1].ipset='vpn_domains_internal'
+        uci set firewall.@rule[-1].set_mark='0x2'
+        uci set firewall.@rule[-1].target='MARK'
+        uci set firewall.@rule[-1].family='ipv4'
+        uci commit firewall
+    fi
+
+    if uci show dhcp | grep -q "@ipset.*name='vpn_domains_internal'"; then
+        printf "\033[32;1mDomain on vpn_domains_internal already exist\033[0m\n"
+    else
+        printf "\033[32;1mCreate domain for vpn_domains_internal\033[0m\n"
+        uci add dhcp ipset
+        uci add_list dhcp.@ipset[-1].name='vpn_domains_internal'
+        uci add_list dhcp.@ipset[-1].domain='youtube.com'
+        uci add_list dhcp.@ipset[-1].domain='googlevideo.com'
+        uci add_list dhcp.@ipset[-1].domain='youtubekids.com'
+        uci add_list dhcp.@ipset[-1].domain='googleapis.com'
+        uci add_list dhcp.@ipset[-1].domain='ytimg.com'
+        uci add_list dhcp.@ipset[-1].domain='ggpht.com'
+        uci commit dhcp
+    fi
+
+    sed -i "/done/a sed -i '/youtube.com\\\|ytimg.com\\\|ggpht.com\\\|googlevideo.com\\\|googleapis.com\\\|youtubekids.com/d' /tmp/dnsmasq.d/domains.lst" "/etc/init.d/getdomains"
+
+    service dnsmasq restart
+    service network restart
+
+    exit 0
+}
+
+# System Details
+MODEL=$(cat /tmp/sysinfo/model)
+source /etc/os-release
+printf "\033[34;1mModel: $MODEL\033[0m\n"
+printf "\033[34;1mVersion: $OPENWRT_RELEASE\033[0m\n"
+
+VERSION_ID=$(echo $VERSION | awk -F. '{print $1}')
 
 if [ "$VERSION_ID" -ne 23 ]; then
     printf "\033[31;1mScript only support OpenWrt 23.05\033[0m\n"

handlers/main.yml

@@ -1,4 +1,9 @@
 ---
+  - name: Restart sing-box
+    service:
+      name: sing-box
+      state: restarted
+
   - name: Restart network
     service:
       name: network