Deep Packet Inspection (DPI) bypass?

Is there a way to do it on OpenWRT? My ISP blocks websites like Netflix and some other websites. I was able to access them on my Windows PC using GoodbyeDPI (https://github.com/ValdikSS/GoodbyeDPI).

Now I'm wondering if there's GoodbyeDPI's equivalent for OpenWRT so that I can bypass blocked websites on network level (not just my PC).

Please help.

It depends on the ISP and DPI implementation.
If they use simple DNS hijacking, you can bypass it with DNS encryption.
In case they check SNI, you can utilize ESNI.
If this is IP-based filtering, you need to use Tor or VPN.
But there are drawbacks, as ESNI is site- and browser-specific, Tor is limited to DNS and TCP traffic, and a free VPN may have privacy issues or traffic limitations.
If you need GoodbyeDPI, you should ask the author how to adapt it for OpenWrt.

4 Likes

From the page you linked, this is the list of modifications GoodbyeDPI does:

  • TCP-level fragmentation for first data packet
  • TCP-level fragmentation for persistent (keep-alive) HTTP
  • Replacing Host header with hoSt
  • Removing space between header name and value in Host header
  • Adding additional space between HTTP Method (GET, POST etc) and URI
  • Mixing case of Host header value

It does this by transparently redirecting HTTP(s) traffic.

The first 2 are on the TCP level, and look doable with some Xtables trickery.

The others are on the HTTP level. A (suitably configured/modified) HTTP-Proxy could do these modifications in transit.

1 Like
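The HTTP-level items in the list above, seen from the inspecting side, as an added example that is not part of the original post or of GoodbyeDPI: a literal byte match for `Host: ` misses the altered request, while a parser that follows HTTP's rules (case-insensitive field names, optional whitespace) recovers the same host and can flag each alteration. The sample requests, `example.com` and the function names are constructed for illustration.

```python
import re

# Constructed sample requests (not captured traffic); example.com is a placeholder.
PLAIN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n"
TWEAKED = b"GET  /index.html HTTP/1.1\r\nhoSt:eXaMpLe.CoM\r\nAccept: */*\r\n\r\n"

def naive_host(raw):
    """Literal byte match, the way a simple signature looks for the field."""
    m = re.search(rb"\r\nHost: ([^\r\n]+)", raw)
    return m.group(1).decode("ascii") if m else None

def split_head(raw):
    """Return (request_line, header_lines) from the raw request bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    return request_line, lines

def normalized_host(raw):
    """Field names are case-insensitive and whitespace after ':' is optional."""
    for line in split_head(raw)[1]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower()   # host names compare case-insensitively
    return None

def anomalies(raw):
    """Name which of the listed request tweaks are present."""
    request_line, lines = split_head(raw)
    found = []
    if re.match(r"^\S+ {2,}\S", request_line):
        found.append("extra-space-after-method")
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or name.lower() != "host":
            continue
        if name != "Host":                 # differs from the usual spelling
            found.append("host-name-case")
        if not value.startswith(" "):
            found.append("no-space-after-colon")
        if value.strip() != value.strip().lower():
            found.append("host-value-mixed-case")
    return found
```
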

If the ISP is really keen/aggressive on filtering/blocking there is hardly a way to escape, considering that the ISP will always be able to monitor, never mind whether the traffic is encrypted/encapsulated:

  • ip addresses the client is connecting to
  • traffic volume of the client

This is just one sample of a DPI engine designed for ISP deployment. The features give a fairly good idea of what is possible for the ISP, as said depending on the scope of what the ISP wants to achieve (terms and conditions) and/or potential legislation at the place of the ISP's incorporation.

2 Likes

GreenTunnel

or zapret (if you do Russian)

Ok, here's the info so far.

I modified /etc/hosts and put in all of Netflix's IP addresses (including subdomains, CDN, etc.) and was able to access the website but cannot play any videos.

For your info, I did the same on Windows PC and was able to access the website too, but "cannot" play any videos unless I have GoodbyeDPI installed. They really don't want us to play any videos from Netflix.

So I looked at these options that @orangepizza presented.

I wasn't able to install GreenTunnel (maybe due to the fact that it doesn't support OpenWRT installed on a Raspberry Pi 3+), but I managed to install the latter, zapret.

I looked at the options in the guide using Google Translate and roughly got the idea, so I ran install_easy.sh. There are a few DPI fooling methods in it; I tried both nfqws_all_https and tpws_all_https, and they didn't work.

Any ideas how I can achieve what GoodbyeDPI does on PC with this tool?

1 Like

There's an English readme for zapret:

It should work as well as GoodbyeDPI.

1 Like

There are multiple modes; I tried them all and none of them worked.
I used install_easy.sh

nfqws_ipset - use nfqws for http. targets are filtered by ipset "zapret"
nfqws_ipset_https - use nfqws for http and https. targets are filtered by ipset "zapret"
nfqws_all - use nfqws for all http
nfqws_all_https - use nfqws for all http and https
tpws_ipset - use tpws for http. targets are filtered by ipset "zapret"
tpws_ipset_https - use tpws for http and https. targets are filtered by ipset "zapret"
tpws_all - use tpws for all http
tpws_all_https - use tpws for all http and https
tpws_hostlist - same as tpws_all but touch only domains from the hostlist
ipset - only fill ipset. futher actions depend on your own code

zapret was not designed to be a magic pill.
Although sometimes it works this way, in other cases it requires understanding what's going on.
I'm sure if you understand why GoodbyeDPI works for you, you can also tune zapret to work the same way.

How to install? I tried one of the modes, but it doesn't work.

But I know it can, because I have a GL-MT300N-V2 mini router, and I paid someone to install zapret on my router; it works very well. I opened the installation script, but I still don't know how it works.

Hi everyone. I want to make a proxy at router level to unblock Netflix just like what OP said. I've installed both GreenTunnel and zapret.

Okay, first, GreenTunnel works if I manually input the proxy address on the client's device, which is not what I wanted because it isn't done at router level or automatically.

And then I've installed zapret, but it doesn't work at all. Tried both tpws and nfqws mode. Is it something to do with iptables, firewall or routing?

What I wanted to do is TLS fragmentation on the packets, because I know that my ISP is checking the SNI of Netflix and blocking it.

Please help me :frowning:

You definitely don't want to use downloadable lists. They are useless outside of Russia.
Default tpws_all_https does fragmentation on ports 80 and 443.
If it doesn't work for you, maybe Netflix uses non-standard ports?
Check in tcpdump that the stream really gets fragmented.

"tpws --socks" is useful for a quick curl test.

Just fragmentation is often not enough to bypass DPI. nfqws with DPI desync is a more advanced thing.
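What "fragmented" means for an SNI check when reading a capture, as an added example that is not from the original posts or from zapret: an inspector that parses each TCP segment on its own finds no SNI once the ClientHello record is split, while one that reassembles the stream first still does. The ClientHello is a minimal constructed record, and `example.com` and the function names are placeholders.

```python
import struct

def build_client_hello(hostname):
    """Constructed test input: one TLS record with a minimal ClientHello + SNI."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni                # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """Return the SNI host name if data holds a complete ClientHello record, else None."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None
    if len(data) < 5 + int.from_bytes(data[3:5], "big"):
        return None                      # record continues in a later segment
    try:
        p = 5 + 4 + 2 + 32               # record hdr, handshake hdr, version, random
        p += 1 + data[p]                 # session id
        p += 2 + int.from_bytes(data[p:p + 2], "big")   # cipher suites
        p += 1 + data[p]                 # compression methods
        end = p + 2 + int.from_bytes(data[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            if etype == 0:
                nlen = int.from_bytes(data[p + 7:p + 9], "big")
                return data[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def inspect(segments):
    """Compare per-segment inspection with inspection of the reassembled stream."""
    return [extract_sni(s) for s in segments], extract_sni(b"".join(segments))

hello = build_client_hello("example.com")          # placeholder host name
one_segment = [hello]
two_segments = [hello[:20], hello[20:]]            # same bytes, split mid-record
```
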

OK, I have good news: I found some opkg package, something like that (I'm new to this Linux interface, something like that)

https://openwrt.org/packages/pkgdata/libndpi
The description says:
Description:
nDPI is an open source LGPLv3 library for deep-packet inspection. Based on OpenDPI it includes ntop extensions.

I tested it and it works on Netflix (my government blocks Netflix because reasons)