snowwm/dpi-bypass.md

## dpi-bypass.md

      
    Raw
  

              dpi-bypass.md
            
          
This method may or may not work depending on what DPI technologies your ISP uses.


Tested on Arch Linux.

Usage with yandex-browser-beta

Make sure you have nftables and yandex-browser-beta installed. Download files from this gist, then run:
# These commands need to be run as root (or with sudo).
groupadd dpi-bypass
usermod -aG dpi-bypass "$USER"
nft -f dpi-bypass.rules

# Run these as your regular user.
sed -i "s|\$HOME|$HOME|" yandex-browser-dpi-bypass.desktop
cp yandex-browser-dpi-bypass.desktop ~/.local/share/applications/
Once everything works fine, choose any method to automatically load nft rules on startup (e. g. put them into /etc/nftables.conf and enable the nftables service). You may also want to change icon in yandex-browser-dpi-bypass.desktop to anything you like.
Explanation

This will launch a separate instance of yandex-browser under the special group dpi-bypass. The nftables firewall will then fragment every request made by this program. Hopefully, DPI will be fooled. To use it with any other program, just run it with sudo -g dpi-bypass <program>.

Note: this doesn't circumvent DNS poisonong and IP blockings.

Some Random Links

https://habr.com/ru/post/335436/

https://github.com/bol-van/zapret

  
## dpi-bypass.rules
#!/usr/bin/nft -f

define group_ = "dpi-bypass"
define mark_ = 0x1337
define tcp_window_ = 8
# define log_prefix_ = "dpi-bypass: " # strangely, doesn't work

# clean up after previous versions
table inet dpi-bypass
delete table inet dpi-bypass

table inet dpi-bypass {
    chain output {
        type nat hook output priority filter
        skgid $group_ tcp dport {80, 443} \
            ct mark set $mark_ \
            # counter log prefix "dpi-bypass: "
    }

    chain input {
        type filter hook input priority filter
        ct mark $mark_ tcp flags & (syn | ack) == syn | ack \
            tcp window set $tcp_window_ \
            # counter log prefix "dpi-bypass: "
    }
}

## yandex-browser-dpi-bypass.desktop
#!/usr/bin/env xdg-open

[Desktop Entry]
Version=1.0
Name=Yandex Browser (dpi-bypass)
Exec=/usr/bin/sudo -g dpi-bypass /usr/bin/yandex-browser-beta --user-data-dir=$HOME/.config/yandex-browser-dpi-bypass %U
StartupNotify=true
Terminal=false
Icon=yandex-browser
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml_xml;image/webp;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
	#!/usr/bin/nft -f

	define group_ = "dpi-bypass"
	define mark_ = 0x1337
	define tcp_window_ = 8
	# define log_prefix_ = "dpi-bypass: " # strangely, doesn't work

	# clean up after previous versions
	table inet dpi-bypass
	delete table inet dpi-bypass

	table inet dpi-bypass {
	chain output {
	type nat hook output priority filter
	skgid $group_ tcp dport {80, 443} \
	ct mark set $mark_ \
	# counter log prefix "dpi-bypass: "
	}

	chain input {
	type filter hook input priority filter
	ct mark $mark_ tcp flags & (syn \| ack) == syn \| ack \
	tcp window set $tcp_window_ \
	# counter log prefix "dpi-bypass: "
	}
	}
	#!/usr/bin/env xdg-open

	[Desktop Entry]
	Version=1.0
	Name=Yandex Browser (dpi-bypass)
	Exec=/usr/bin/sudo -g dpi-bypass /usr/bin/yandex-browser-beta --user-data-dir=$HOME/.config/yandex-browser-dpi-bypass %U
	StartupNotify=true
	Terminal=false
	Icon=yandex-browser
	Type=Application
	Categories=Network;WebBrowser;
	MimeType=text/html;text/xml;application/xhtml_xml;image/webp;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;