AntiZapret routes only blocked domains through the VPN tunnel; this is called split tunneling. This repo is based on the idea of the original AntiZapret LXD image.
https://t.me/antizapret_support
- The list of blocked domains is downloaded from the open registry.
- The list is parsed and rules for the DNS resolver (AdGuardHome) are created.
- AdGuardHome forwards requests for blocked domains to the Python script dnsmap.py.
- The Python script: a) resolves the real address of the domain, b) creates a fake address from the 10.244.0.0/15 subnet, c) creates an iptables rule that forwards all packets addressed to the fake IP to the real IP.
- The fake IP is sent to the client in the DNS response.
- All VPN tunnels are configured with split tunneling: only traffic to the 10.244.0.0/15 subnet is routed through the VPN.
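The mapping step above, modelled as an added Python example (it is not the project's dnsmap.py): it hands out one stable fake address per blocked domain from ANTIZAPRET_SUBNET and produces the iptables DNAT commands that keep the fake-to-real mapping current, including the case where the real address of a domain changes between lookups. Upstream resolution is left to the caller, the subnet value is the README's 10.224.0.0/15, and the 16 reserved leading addresses, the 60 s TTL and the single PREROUTING DNAT rule are assumptions made for the example.

```python
import ipaddress
import shlex
from typing import Dict, List

# Subnet value is ANTIZAPRET_SUBNET from this README; reserving the first 16 host
# addresses (10.224.0.1 is WG_DEFAULT_DNS) is an assumption made for this example.
ANTIZAPRET_SUBNET = ipaddress.ip_network("10.224.0.0/15")
RESERVED_LEADING_HOSTS = 16


class FakeIpMapper:
    """Toy model of the dnsmap.py role: one fake address per blocked domain, plus
    the DNAT rule that sends traffic for the fake address to the real one.
    Upstream resolution is left out; the real address is supplied by the caller."""

    def __init__(self, subnet=ANTIZAPRET_SUBNET, reserved=RESERVED_LEADING_HOSTS):
        self._free = subnet.hosts()          # generator over usable host addresses
        for _ in range(reserved):
            next(self._free)
        self._fake: Dict[str, str] = {}      # domain -> fake ip handed to clients
        self._real: Dict[str, str] = {}      # domain -> real ip currently DNATed

    @staticmethod
    def _norm(domain: str) -> str:
        return domain.strip().lower().rstrip(".")

    def allocate(self, domain: str) -> str:
        """Return the stable fake address for a domain, allocating it on first use."""
        d = self._norm(domain)
        if d not in self._fake:
            try:
                self._fake[d] = str(next(self._free))
            except StopIteration:
                raise RuntimeError("fake-IP subnet exhausted") from None
        return self._fake[d]

    def rules_for(self, domain: str, real_ip: str) -> List[List[str]]:
        """iptables argv lists needed so that fake -> real DNAT is current for the domain.
        Empty if the mapping is already right; delete + add if the real address moved."""
        d = self._norm(domain)
        real = str(ipaddress.ip_address(real_ip))   # reject junk before it reaches iptables
        fake = self.allocate(d)
        if self._real.get(d) == real:
            return []
        cmds = []
        if d in self._real:                          # real address changed: drop the stale rule
            cmds.append(self._dnat("-D", fake, self._real[d]))
        cmds.append(self._dnat("-A", fake, real))
        self._real[d] = real
        return cmds

    @staticmethod
    def _dnat(action: str, fake: str, real: str) -> List[str]:
        return ["iptables", "-t", "nat", action, "PREROUTING",
                "-d", f"{fake}/32", "-j", "DNAT", "--to-destination", real]

    def dns_answer(self, domain: str, ttl: int = 60) -> dict:
        """The A record the client receives: the fake address (apply rules_for first)."""
        return {"name": self._norm(domain), "type": "A", "ttl": ttl, "data": self.allocate(domain)}


if __name__ == "__main__":
    m = FakeIpMapper()
    # Constructed sample: a blocked name and a made-up documentation-range real address.
    for cmd in m.rules_for("blocked.example", "203.0.113.10"):
        print(shlex.join(cmd))
    print(m.dns_answer("blocked.example"))
```

The commands are returned as argv lists rather than executed, so a real service would pass them to subprocess.run and log failures instead of shelling out with string interpolation; the short TTL matters because a client keeps sending to the fake address for as long as the record stays cached.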
- openvpn-dco - a kernel extension that improves OpenVPN performance
- Multiple VPN transports: WireGuard, OpenVPN, IPsec/XAuth ("Cisco IPsec")
- AdGuardHome as the main DNS resolver
- filebrowser as a web viewer & editor for the `*-custom.txt` files
- Install Docker Engine:
```bash
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
```
- Clone the repository:
```bash
git clone https://github.com/xtrime-ru/antizapret-vpn-docker.git antizapret
cd antizapret
```
- Create docker-compose.override.yml with services you need. For example:
```yaml
services:
  antizapret:
    environment:
      - ADGUARDHOME_PASSWORD=somestrongpassword
  filebrowser:
    environment:
      - FILEBROWSER_PASSWORD=somestrongpassword
    extends:
      file: docker-compose.filebrowser.yml
      service: filebrowser
  openvpn:
    extends:
      file: docker-compose.openvpn.yml
      service: openvpn
    environment:
      - OBFUSCATE_TYPE=2
  openvpn-ui:
    environment:
      - OPENVPN_ADMIN_PASSWORD=somestrongpassword
    extends:
      file: docker-compose.openvpn.yml
      service: openvpn-ui
  wireguard-amnezia:
    environment:
      - WIREGUARD_PASSWORD=somestrongpassword
    extends:
      file: docker-compose.wireguard-amnezia.yml
      service: wireguard-amnezia
```
- Start the services:
```bash
docker compose pull
docker compose build
docker compose up -d
```
- Admin panels are started on the following ports of your host:
- adguard: 3000
- filebrowser: 2000
- wireguard/amnezia: 51821
- openvpn: 8080
```bash
# Update to the latest version
git pull
docker compose pull
docker compose build
docker compose down --remove-orphans && docker compose up -d --remove-orphans
```
Only WireGuard/Amnezia configs can be migrated: back up the WireGuard files (from `./.etc_wireguard` or `./.etc_wireguard_amnezia`) and put them into `./config/wireguard` or `./config/wireguard_amnezia` accordingly after the steps below.
It is recommended to perform a full removal of the old version:
```bash
docker compose down --remove-orphans
docker system prune -af
cd ../
rm -rf antizapret/
```
Then follow installation steps from this README.
Remove all settings and VPN configs and return the service to its initial state:
```bash
docker compose down
rm -rf config/*
docker compose up -d
```
Any domains or IPs can be added to or excluded from routing with the config files in the `./config/antizapret/custom` directory. These lists are added to / excluded from the automatically generated lists of domains and IPs. Restart the container and wait a few minutes for the changes to apply.
The rules for the lists are described here: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#upstreams
Examples:
```
subdomain.host.com
*.host.com
host.com
de
```
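A small matcher for these list entries, as an added Python example that is not part of the project: it decides whether a name is covered by an entry of each of the four forms shown above and then applies an include list and an exclude list together. The semantics (a plain entry matches itself and its subdomains, `*.` matches subdomains only, a bare TLD such as de matches every name under it, exclude wins over include, lines starting with # are comments) are assumptions made for the example; the authoritative rules are in the AdGuardHome wiki linked above.

```python
from typing import Iterable, List

# Constructed sample lists using the four entry forms shown in this README.
INCLUDE_RULES = ["subdomain.host.com", "*.host.com", "host.com", "de",
                 "# comment lines are ignored (assumed syntax)"]
EXCLUDE_RULES = ["mail.host.com"]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def parse_rules(lines: Iterable[str]) -> List[str]:
    """Keep non-empty, non-comment entries (comment syntax is an assumption)."""
    out = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(normalize(line))
    return out


def matches(rule: str, name: str) -> bool:
    """Does a single list entry cover this name? Assumed semantics:
    'host.com' -> host.com and all its subdomains; '*.host.com' -> subdomains only;
    'de' -> every name under the .de TLD (same rule as a plain entry)."""
    rule, name = normalize(rule), normalize(name)
    if rule.startswith("*."):
        base = rule[2:]
        return name != base and name.endswith("." + base)
    return name == rule or name.endswith("." + rule)


def route(name: str, include: Iterable[str], exclude: Iterable[str]) -> str:
    """'vpn' if an include entry matches and no exclude entry does, otherwise 'direct'.
    Exclude taking precedence over include is an assumption for this example."""
    if any(matches(r, name) for r in parse_rules(exclude)):
        return "direct"
    if any(matches(r, name) for r in parse_rules(include)):
        return "vpn"
    return "direct"


if __name__ == "__main__":
    for n in ["host.com", "api.host.com", "mail.host.com", "example.de", "example.dev"]:
        print(f"{n:15} -> {route(n, INCLUDE_RULES, EXCLUDE_RULES)}")
```

The suffix test always includes the leading dot, so host.com does not accidentally cover nothost.com, and the TLD entry de does not cover example.dev; that is the usual mistake in hand-written domain matchers.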
You can define these variables in the `docker-compose.override.yml` file for your needs:

Antizapret:
- SKIP_UPDATE_FROM_ZAPRET=true - do not download and use the list of all blocked domains from the internet. Reduces RAM consumption. Domains then need to be filled in manually in the `*-custom.txt` files.
- UPDATE_TIMER=1d - blocked domains update interval
- ADGUARDHOME_PORT=3000
- ADGUARDHOME_USERNAME=admin
- ADGUARDHOME_PASSWORD=
- ADGUARDHOME_PASSWORD_HASH= - hashed password, taken from the AdGuardHome.yaml file after the first run using ADGUARDHOME_PASSWORD
- DNS=1.1.1.1 - upstream DNS for resolving blocked sites
- ROUTES - list of VPN containers and their virtual addresses. Needed for unique client addresses in the AdGuard logs

Filebrowser:
- FILEBROWSER_PORT=admin
- FILEBROWSER_PASSWORD=password

Openvpn:
- OBFUSCATE_TYPE=0 - custom obfuscation level of the OpenVPN protocol. 0 - disabled: acts as regular OpenVPN, supported by all clients. 1 - light obfuscation, works with MikroTik. 2 - strong obfuscation, works with some clients: OpenVPN GUI client, asuswrt client...
- ANTIZAPRET_SUBNET=10.224.0.0/15 - subnet for virtual blocked IPs
- OPENVPN_DNS=10.1.165.1 - DNS address for clients. Must be in ANTIZAPRET_SUBNET

Openvpn-ui:
- OPENVPN_ADMIN_PASSWORD=
- [variable name missing on this page] - will be used as the server address in .ovpn profiles upon key generation (default: your server's IP)
- OPENVPN_PORT=1194 - will be used as the server port in .ovpn profiles upon key generation (default: 1194)

Wireguard/Wireguard Amnezia:
- WIREGUARD_PASSWORD= - password for the admin panel
- WIREGUARD_PASSWORD_HASH= - hashed password for the admin panel
- ANTIZAPRET_SUBNET=10.224.0.0/15 - subnet for virtual blocked IPs
- WG_DEFAULT_DNS=10.224.0.1 - DNS address for clients. Must be in ANTIZAPRET_SUBNET
- WG_PERSISTENT_KEEPALIVE=25
- PORT=51821 - admin panel port
- WG_PORT=51820 - WireGuard server port
- WG_DEVICE=eth0

Wireguard, Wireguard Amnezia, Openvpn:
- FORCE_FORWARD_DNS=true - redirects UDP traffic on port 53 to the AntiZapret DNS (default: false)
- FORCE_FORWARD_DNS_PORTS="53 5353" - can be used to change port 53 for FORCE_FORWARD_DNS to one or more ports, separated by a space (default: 53)
- For other environment variables, see the original manual of Wireguard Amnezia or Wireguard.
AdGuard uses Google DNS and Quad9 DNS to resolve unblocked domains. These upstreams support ECS requests (more info below). Cloudflare DNS does not support ECS and is not recommended.
Source code: Adguard upstream DNS
After the container is started, the working copy is located at `./config/adguard/conf/upstream_dns_file_basis`
Some domains resolve differently depending on the client's subnet (GeoIP). In this case, using a DNS server located on a remote server will break some services. ECS allows providing the client IP in DNS requests to the upstream server and getting correct results. It is enabled by default in AdGuard, and the client IP points to Moscow (Yandex subnet).
If you are located in another region, replace 77.88.8.8 with your real IP address on this page: http://your-server-ip:3000/#dns
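What the ECS option actually carries, as an added Python example that is not from the project: it encodes and decodes the EDNS Client Subnet option (RFC 7871, option code 8) for an address such as the 77.88.8.8 mentioned above. Only the bytes covered by the source prefix leave the server, so the upstream learns the client's network rather than the exact host; the /24 default for IPv4 and the helper names are the example's own choices.

```python
import ipaddress
import struct
from typing import Tuple

EDNS_OPTION_ECS = 8                  # EDNS option code for Client Subnet (RFC 7871)
ECS_FAMILY_IPV4, ECS_FAMILY_IPV6 = 1, 2
DEFAULT_PREFIX_V4 = 24               # assumption for the example: send only the /24 network


def encode_ecs(address: str, source_prefix: int = DEFAULT_PREFIX_V4) -> bytes:
    """Build the complete EDNS option (code, length, body) for a client address.
    Only ceil(prefix/8) address bytes are included and bits past the prefix are zeroed,
    as the RFC requires, so the host part never reaches the upstream resolver."""
    ip = ipaddress.ip_address(address)
    family = ECS_FAMILY_IPV4 if ip.version == 4 else ECS_FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix out of range for address family")
    nbytes = (source_prefix + 7) // 8
    addr = bytearray(ip.packed[:nbytes])
    if source_prefix % 8:
        addr[-1] &= (0xFF << (8 - source_prefix % 8)) & 0xFF
    body = struct.pack("!HBB", family, source_prefix, 0) + bytes(addr)   # scope is 0 in queries
    return struct.pack("!HH", EDNS_OPTION_ECS, len(body)) + body


def decode_ecs(option: bytes) -> Tuple[str, int, int]:
    """Parse an ECS option back into (network address, source prefix, scope prefix),
    rejecting length mismatches that a lax parser would silently accept."""
    code, length = struct.unpack("!HH", option[:4])
    if code != EDNS_OPTION_ECS or len(option) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr = option[8:]
    full = 4 if family == ECS_FAMILY_IPV4 else 16
    if len(addr) != (source + 7) // 8 or len(addr) > full:
        raise ValueError("address length does not match prefix")
    network = ipaddress.ip_address(bytes(addr) + b"\x00" * (full - len(addr)))
    return str(network), source, scope


if __name__ == "__main__":
    opt = encode_ecs("77.88.8.8")    # the Moscow (Yandex) address used in this README
    print(opt.hex(), decode_ecs(opt))
```

Decoding the encoded 77.88.8.8/24 yields 77.88.8.0: that truncation is the whole privacy property of ECS, and it is why replacing the address with your own, as described above, reveals your network but not your host to the upstream resolver.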
Reference: https://github.com/d3vilh/openvpn-ui?tab=readme-ov-file#generating-ovpn-client-profiles
- go to http://%your_ip%:8080/certificates
- click "Create certificate"
- enter a unique name and leave all other fields empty
- click "Create"
- click on the certificate name in the list to download the .ovpn file.
OpenVPN Data Channel Offload (DCO) improves performance by moving data channel handling into kernel space, where it is handled more efficiently and with multi-threading. tl;dr: it increases speed and reduces CPU usage on the server.
Kernel extensions can be installed only on the host machine, not in a container.
```bash
# Variant 1: the openvpn-dco-dkms package from the distribution repository
sudo apt update
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
sudo apt install -y efivar
sudo apt install -y openvpn-dco-dkms
```
```bash
# Variant 2: manual install of the .deb from the Ubuntu archive
sudo apt update
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
deb=openvpn-dco-dkms_0.0+git20231103-1_all.deb
sudo apt install -y efivar dkms linux-headers-$(uname -r)
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openvpn-dco-dkms/$deb
sudo dpkg -i $deb
```
If your clients do not support GCM ciphers you can use legacy CBC ciphers. DCO is incompatible with legacy ciphers and will be disabled, which also increases CPU load.
Most providers now block OpenVPN to foreign IPs, and obfuscation does not always fix the issue. For stable OpenVPN operation you can buy a VPS inside your country and proxy all traffic to the foreign server. Here is an example startup script. Replace X.X.X.X with the IP address of your server and run it on a fresh VPS (Ubuntu 24.04 is recommended):
```sh
#!/bin/sh
# Fill with your foreign server ip
export VPN_IP=X.X.X.X
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-sysctl.conf
sysctl -w net.ipv4.ip_forward=1
# DNAT rules
iptables -t nat -A PREROUTING -p tcp ! --dport 22 -j DNAT --to-destination "$VPN_IP"
iptables -t nat -A PREROUTING -p udp ! --dport 22 -j DNAT --to-destination "$VPN_IP"
# MASQUERADE rules
iptables -t nat -A POSTROUTING -p tcp -d "$VPN_IP" -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -d "$VPN_IP" -j MASQUERADE
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | sudo debconf-set-selections
apt install -y iptables-persistent
```
Note that these rules forward every TCP and UDP port except 22 to the foreign server, so the proxy VPS itself remains reachable only over SSH; anything else that listens on it is shadowed by the DNAT.
- OpenWrt setup guide - how to set up an OpenWrt router with this solution to keep LAN clients happy.
- Keenetic setup guide - instructions for configuring the server and connecting Keenetic routers to it (in Russian)
An iperf3 server is included in the antizapret-vpn container.
- Connect to the VPN
- Use an iperf3 client on your phone or computer to check upload/download speed.
Example: 10 parallel streams for 10 seconds, reporting the result every second (the second command measures the reverse direction):
```bash
iperf3 -c 10.224.0.1 -i1 -t10 -P10
iperf3 -c 10.224.0.1 -i1 -t10 -P10 -R
```
Important notice: not all clients support split tunneling (sending only part of the traffic via VPN). For example, Apple devices will not be able to connect to this server.
It is recommended to use OpenVPN or WireGuard/Amnezia instead.
- Create the settings file:
```bash
cp ipsec/ipsec.env.example ipsec/ipsec.env
```
- Fill in your credentials in `ipsec/ipsec.env`
- Start:
```bash
docker compose down
docker compose -f docker-compose.ipsec.yml up -d
```
- Set up your clients: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md
- ProstoVPN - the original project
- AntiZapret VPN Container - source code of the LXD-based container
- AntiZapret PAC Generator - proxy auto-configuration generator to bypass censorship in the Russian Federation
- Amnezia WireGuard VPN - used for the Amnezia WireGuard integration
- WireGuard VPN - used for the WireGuard integration
- OpenVPN - used for the OpenVPN integration
- IPsec VPN - used for the IPsec integration
- AdGuardHome - DNS resolver
- filebrowser - web file browser & editor
- No Thought Is a Crime - a forum about technical, political and economic aspects of internet censorship in different countries