Best Anti-DPI solution for OpenWrt

Hi! I've been using OpenWrt for quite a while now and have been satisfied. However, my provider recently started to block sites that I use quite often. So I am now in search of a trusted anti-DPI solution.

So far I have considered zapret-openwrt, which is hosted on GitHub, and setting up a network-wide VPN, although I am not so fond of reducing my internet speeds.

You are conflating DPI (listening in on traffic) with the MITM that your provider uses to block sites. It would help us help you if you say the country.

I live in Russia, so we have a lot of anti-DPI solutions. However, I don't know which one to trust.

Integration walkthrough

The alternatives, passwall and Tor, are certainly slower, so you are on the right path envisioning local produce.
In the early moments of your blocking, the "drop invalid packets" checkbox helped.

Well, my ISP started blocking sites only a couple of days ago. I will try this checkbox, otherwise I will install zapret; it seems that it helped people.

opkg update; opkg list | grep antiblock

But this one is VPN-based and Russia-oriented. It downloads blocked IPs and reroutes requests to those IPs through the VPN. Actually it is the best one from a technical point of view. Much better than breaking IP headers.

Well, this could work, I have a VPN on a rented VPS.

No idea how the DPI is set up, but if you can set up sniproxy on the VPS, you could simply have all the FQDNs you need to get through the block resolve to the IP of the VPS.

I do this to get past US site geo blocks.

If that suits you then read this: https://habr.com/ru/articles/847412/

P.S.: Skip the first part about installation; antiblock (with luci-app) has been included in OpenWrt since 24.10.

3 Likes

This is not what zapret does. You should read more about anti-DPI.

PS. I'm using youtubeUnblock. It has luci-app

1 Like

Is there anything stopping you from querying the root DNS servers directly with unbound?

DNS is not tampered with AFAIK. They decide whether a connection should be blocked or not by comparing the IP and SNI content. Blind blocking by IP leads to a lot of false positives. We've been there already. YouTube is an easy one to fix because it (Still? Really?) doesn't use Encrypted Client Hello.

1 Like
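
What an on-path filter can read from a TLS handshake, as the post above describes, shown as an added example that is not part of the thread: a parser that pulls the cleartext SNI out of a ClientHello and reports whether the Encrypted Client Hello extension is present. The ClientHello bytes are constructed sample input, the hostnames and function names are hypothetical, and the ECH body is a placeholder.

```python
import struct

EXT_SNI = 0x0000  # server_name (RFC 6066)
EXT_ECH = 0xFE0D  # encrypted_client_hello

def _vec(data, len_bytes):
    """Prefix data with its big-endian length (len_bytes wide)."""
    return len(data).to_bytes(len_bytes, "big") + data

def build_client_hello(host, ech=False):
    """Constructed minimal ClientHello record (sample input, not a capture)."""
    sni = _vec(b"\x00" + _vec(host.encode("ascii"), 2), 2)  # host_name entry
    exts = struct.pack("!H", EXT_SNI) + _vec(sni, 2)
    if ech:  # placeholder body, only the extension type matters here
        exts += struct.pack("!H", EXT_ECH) + _vec(bytes(8), 2)
    body = (b"\x03\x03" + bytes(32)   # legacy_version, random
            + _vec(b"", 1)            # session_id
            + _vec(b"\x13\x01", 2)    # cipher_suites
            + _vec(b"\x00", 1)        # compression_methods
            + _vec(exts, 2))
    handshake = b"\x01" + _vec(body, 3)          # msg_type = client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)  # TLS record header

def inspect_client_hello(record):
    """Return (sni, has_ech) as readable by any on-path observer."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None, False                   # not a ClientHello
        p = 5 + 4 + 2 + 32      # record hdr, handshake hdr, version, random
        p += 1 + record[p]                               # session_id
        p += 2 + int.from_bytes(record[p:p + 2], "big")  # cipher_suites
        p += 1 + record[p]                               # compression_methods
        end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    except IndexError:
        return None, False                       # truncated record
    p += 2
    sni, has_ech = None, False
    while p + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + ext_len]
        if ext_type == EXT_SNI and len(data) >= 5 and data[2] == 0:
            n = int.from_bytes(data[3:5], "big")
            sni = data[5:5 + n].decode("ascii", "replace")
        elif ext_type == EXT_ECH:
            has_ech = True
        p += 4 + ext_len
    return sni, has_ech
```

When ECH is in use, the cleartext server_name carries only the ECH provider's public name, so the hostname this parser returns is no longer the site being visited.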

Super Simple Clash is one of the best solutions. Very flexible and scalable, it allows adding obfuscation with amnezia wg, vless, vmess, ss, etc., custom rules, downloading rule-sets (lists) and much more.