[RELEASE] StealthOS Lite – DNS Leak Protection + TTL/HopLimit Bypass (Travel Router Optimized)

Hi all,

I built a lightweight OpenWrt tool focused on fixing two real problems on travel routers:

  1. DNS leaks (especially with VPNs like WireGuard / Tailscale)
  2. Carrier tethering detection (TTL / HopLimit checks)

This project enforces clean routing without breaking complex setups.


:wrench: WHAT IT DOES

• Forces DNS (Port 53) through the router (IPv4 + IPv6)
• Blocks DNS-over-TLS (Port 853) → forces fallback to controlled DNS
• Preserves Tailscale (100.64.0.0/10 + MagicDNS)
• Applies TTL (IPv4) + HopLimit (IPv6) = 65 (tethering bypass)
• Works with:

  • WireGuard
  • Tailscale
  • Dual-stack IPv4/IPv6
  • Multi-WAN setups

:shield: SAFETY DESIGN

• Fully idempotent (safe to run multiple times)
• Native fw4 integration (no rule conflicts)
• Automatic rollback on firewall errors
• Clean uninstall script (removes everything, verified against kernel)
• No system file overwrite (surgical changes only)


:warning: LIMITATIONS (IMPORTANT)

• DNS-over-HTTPS (DoH, port 443) cannot be blocked without breaking HTTPS
• Some apps may bypass DNS control using DoH
• Advanced routing setups (mwan3 / policy routing) should be tested carefully


:package: INSTALL

SSH into router:

cd /tmp
wget https://raw.githubusercontent.com/OZAMNJ/Openwrt-stealthOs/main/install.sh
chmod +x install.sh
./install.sh


:wastebasket: UNINSTALL

cd /tmp
wget https://raw.githubusercontent.com/OZAMNJ/Openwrt-stealthOs/main/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh


:test_tube: TESTED ON

• OpenWrt 22.03+
• Travel routers (GL.iNet class)
• WireGuard + Tailscale combo
• IPv4 + IPv6 networks


:light_bulb: WHY I BUILT THIS

While traveling, switching hotspots + VPN + DNS setups kept breaking:
• captive portals
• Tailscale routing
• DNS resolution

This tool stabilizes everything with predictable behavior.


:link: REPO

https://github.com/OZAMNJ/Openwrt-stealthOs


FEEDBACK WELCOME

If you test this on unusual setups (LTE modems, multi-WAN, enterprise networks), let me know what breaks.

That’s where the real improvements come from.

---

ADMIN NOTE: Any users who wish to use this code should read and understand its operation before installing. It should be noted that the OP is a relatively new user on the forum and thus does not have a known track record. This is not to imply that they are not trustworthy, but without much history, we cannot vouch for the code in terms of both functionality and security.

2 Likes
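The DNS-forcing and DoT-blocking behaviour the post lists, written out as an added example; this is not code from the StealthOS Lite repository. It assumes fw4's include mechanism, where `/etc/nftables.d/*.nft` fragments are inserted inside `table inet fw4`, a LAN bridge named `br-lan`, and hypothetical file and chain names. Only the DNS part of the tool is covered, not the TTL/HopLimit rewrite.

```shell
#!/bin/sh
# Added example, not the StealthOS Lite project's own code.
# Generates an fw4 include that:
#   1. redirects LAN clients' plain DNS (UDP/TCP 53, IPv4 and IPv6) to the
#      router's own resolver, and
#   2. rejects DNS-over-TLS (TCP 853) so those clients fall back to that
#      resolver,
# while leaving Tailscale's address ranges (100.64.0.0/10 and
# fd7a:115c:a1e0::/48, where MagicDNS answers) untouched.
# Assumptions: fw4 places /etc/nftables.d/*.nft fragments inside
# "table inet fw4"; the LAN bridge is br-lan. File and chain names are
# hypothetical. Usage: ./dns-force.sh [show|apply|remove] (default: show).

LAN_IF="${LAN_IF:-br-lan}"
TS_NET4="100.64.0.0/10"
TS_NET6="fd7a:115c:a1e0::/48"
RULE_FILE="${RULE_FILE:-/etc/nftables.d/90-dns-force.nft}"

# Print the nftables fragment. Chain names carry a prefix so they cannot
# collide with fw4's own chains (dstnat, forward, ...).
stealth_dns_ruleset() {
    cat <<EOF
# generated by stealth_dns_ruleset(); re-running overwrites this file
chain stealth_dns_redirect {
    type nat hook prerouting priority -100; policy accept;
    # Tailscale / MagicDNS traffic is left alone
    ip daddr $TS_NET4 return
    ip6 daddr $TS_NET6 return
    # queries already addressed to the router need no rewrite
    fib daddr type local return
    # everything else on port 53 from the LAN lands on the local resolver
    iifname "$LAN_IF" udp dport 53 redirect to :53
    iifname "$LAN_IF" tcp dport 53 redirect to :53
}
chain stealth_dot_block {
    type filter hook forward priority 0; policy accept;
    ip daddr $TS_NET4 return
    ip6 daddr $TS_NET6 return
    # DoT cannot be transparently redirected (the client authenticates the
    # resolver's TLS certificate), so reject it cleanly instead of dropping
    iifname "$LAN_IF" tcp dport 853 reject with tcp reset
}
EOF
}

# Write the fragment atomically, validate the merged ruleset with
# "fw4 check", and only then reload; on failure the fragment is removed
# so the running firewall is never replaced by a broken one.
apply_ruleset() {
    tmp="$RULE_FILE.tmp"
    stealth_dns_ruleset > "$tmp" || return 1
    mv "$tmp" "$RULE_FILE"
    if fw4 check >/dev/null 2>&1; then
        fw4 reload
    else
        echo "fw4 rejected $RULE_FILE, rolling back" >&2
        rm -f "$RULE_FILE"
        return 1
    fi
}

# Remove the fragment and reload; fw4 then drops both chains.
remove_ruleset() {
    rm -f "$RULE_FILE"
    fw4 reload
}

case "${1:-show}" in
    apply)  apply_ruleset ;;
    remove) remove_ruleset ;;
    *)      stealth_dns_ruleset ;;   # dry run: print what would be installed
esac
```

Running it with no argument prints the fragment so it can be read before anything touches the firewall; `apply` installs it and `remove` takes it out again, both through `fw4 reload` rather than direct `nft` calls, which is what keeps the rules inside fw4's own table.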

Didn't take you long to get everything wiped off GH ...

No, I think there is some issue with GitHub. I checked the URL in incognito mode and it shows a 404 error, but when logged in I am able to browse the repo. PFA screenshot.

Hey everyone,

Quick update for anyone trying to access the StealthOS Lite repository and getting a 404 Not Found error right now.

It looks like GitHub's automated spam filter overzealously flagged my account—likely because of the sudden burst of activity pushing a full, complex networking project to a previously inactive profile. Because of this, GitHub has temporarily "shadowbanned" my profile, meaning the repository is hidden from the public even though it is set to Public in my settings.

I have already opened a support ticket with GitHub to get this automated flag lifted by a human reviewer. Based on what I've read, this usually takes about 24 to 48 hours to resolve.

I will post another reply here the exact minute the repository is officially visible and the wget installation commands are working.

Thank you for your patience, and I can't wait for you all to test it out!

Was this vibe coded?

The note about DoH not being able to be blocked without breaking HTTPS is not strictly true, by the way.

3 Likes

Haha, I can assure you it is the exact opposite of vibe-coded! Once the repo is visible, you'll see the uninstall.sh script went through some pretty paranoid, rigorous auditing—using pure shell parameter expansion, full POSIX signal traps (EXIT, TERM, HUP, QUIT), and hybrid behavioral kernel verification to ensure it never orphans rules or touches native OpenWrt configs.

But you are 100% spot on about the DoH note, and I appreciate the callout. I definitely oversimplified that line in the README.

While we can't do a blanket port 443 block like we do with DoT (Port 853), DoH can absolutely be blocked using IP blacklists of known resolvers, SNI filtering, or canary domains (like use-application-dns.net). I ultimately decided to leave DoH blocking out of this specific tool because maintaining a constantly updating list of DoH IPs/SNIs requires cron jobs and external downloads, which goes against the "zero-footprint / zero-dependency" goal of this Lite project. I will update the README to be more technically accurate about that!

Right now, GitHub's automated spam filter has temporarily hidden the repository (throwing a 404 error for anyone not logged into my account), but I have a ticket open with support to get it unlocked.

As soon as the link is live, I’d love for you to dive into the actual code and test it out on your hardware. I think you'll really appreciate the fw4 native firewall integration. I'll update this thread the minute GitHub restores access!

Without seeing the source, the classic LLM emoji-heavy description overselling the project doesn't instill confidence. GH flagging the account doesn't help either.

1 Like

That is a completely fair take. If I saw a 404 GitHub link wrapped in a bunch of rocket emojis promising "absolute security," I'd be highly suspicious too!

I will be the first to admit I heavily leveraged an LLM to generate the UI boilerplate, format the documentation, and structure the post (hence the emoji overload). But my core philosophy with this project is that LLM + Human Intelligence can build absolute magic.

An LLM alone writes broken, hallucinated OpenWrt configurations. It doesn't understand the nuances of ash subshell memory leaks, how mwan3 overrides fw4 routing marks, or how to safely flush NAND flash buffers with sync to prevent corruption. The network topology, the kernel-native nftables injection, and the rigorous rollback safety checks were all driven by deep, human iteration and engineering.

The GitHub flag is just an unfortunate automated anti-spam trigger because I pushed a massive, complex project to a previously quiet account all at once. Support is currently reviewing the ticket.

I completely respect the skepticism. Once the repo is unlocked, I invite you to strip away the marketing fluff and just judge the raw POSIX shell and nftables syntax. I think the code will speak for itself!

Good grief. Your LLM responses are making it worse.

1 Like

Fair enough, I'll stop typing and just let the raw code speak for itself once GitHub unblocks the repo.