What's Changed
- Add none strategy to udp-faking-strategy by @Waujito in #207
- Update trace logging by @Waujito in #212
- Conntrack support by @Waujito in #211
- Kmod fix #213 by @Waujito in #214
- Quic by @Waujito in #198
- Allow to specify sni domains as file by @Waujito in #223
Full Changelog: v1.0.0-rc5...v1.0.0-rc6
README updates
The README updates, grabbed with diff v1.0.0-rc5...v1.0.0-rc6
OpenWRT section
Since the OpenWRT main branch has switched to apk instead of opkg, but this is not released yet, there are no apk builds in Releases. apk is, however, supported in PR #196.
Flags
--instaflush
Used with tracing. Flushes the buffer instantly, without waiting for an explicit new line. Highly useful for debugging crashes.
--no-gso
Disables support for TCP fat packets which use GSO. This feature is well tested now, so this flag probably won't fix anything.
--use-conntrack
Enables support for conntrack in youtubeUnblock. Disabled by default. Enabled in the kernel module.
--connbytes-limit=<pkts>
Kernel module only! Specifies how many packets of a connection should be processed by kyoutubeUnblock. Pass 0 if you want every packet to be processed. This flag may be useful for UDP traffic, since unlimited youtubeUnblock may lead to traffic flood and unexpected bans. Defaults to 19. In most cases you don't want to change it.
--fake-custom-payload-file=<binary file containing TLS message>
Same as --fake-custom-payload but takes a binary file instead of hex. The file should contain a raw binary TLS message (TCP payload).
--sni-domains-file=<file contains comma or new-line separated list>
Same as --sni-domains but accepts a path to a file instead of an inline domains list. The file may consist of a comma-separated domains list as well as a new-line separated list.
--exclude-domains-file=<file contains comma or new-line separated list>
Same as --exclude-domains but accepts a path to a file instead of an inline domains list. The file may consist of a comma-separated domains list as well as a new-line separated list.
--udp-faking-strategy={checksum|ttl|none}
Faking strategy for UDP. checksum will fake the UDP checksum, ttl won't fake but will make the UDP content relatively small, none is no faking. Defaults to none.
--udp-filter-quic={disabled|all|parse}
Enables QUIC filtering for the UDP handler. If disabled, QUIC won't be processed; if all, all QUIC initial packets will be handled; parse will decrypt and parse the QUIC initial message and match it against --sni-domains. Defaults to disabled.
--no-dport-filter
By default, youtubeUnblock will filter for TLS and QUIC on port 443. If you want to disable this, pass this flag. (This does not affect --udp-dport-filter.)
UDP/QUIC/Voice Chats
UDP is another communication protocol. Well-known technologies that use it are DNS, QUIC and voice chats. UDP does not provide a reliable connection and its header is much simpler than TCP's, thus fragmentation is limited. Support for it is provided primarily by faking.
For UDP faking in the kernel module, make sure to decrease --connbytes-limit to 5. This avoids processing additional packets and prevents network flood.
Right now, QUIC faking may not work well, so use the --udp-mode=drop option.
QUIC is enabled with the --udp-filter-quic flag. The flag supports two modes: all will handle all the QUIC initial messages, and parse will decrypt and parse the QUIC initial message and then compare it with the --sni-domains flag.
I recommend using --udp-mode=drop --udp-filter-quic=parse.
For other UDP protocols I recommend configuring UDP support in a separate section from TCP, like --fbegin --udp-dport-filter=50000-50099 --tls=disabled. See the flags related to UDP and the tickets tagged with the udp label for more.
Conntrack troubleshooting
youtubeUnblock optionally depends on conntrack.
For the kernel module, if conntrack breaks dependencies, compile it with make kmake EXTRA_CFLAGS="-DNO_CONNTRACK" to disable it completely.
If you want to be able to use connbytes in a custom stack where conntrack is broken, check #220 and #213 for possible references.
NAT Hardware/Software offloading
youtubeUnblock will conflict with offloading. Fortunately, youtubeUnblock only needs to process a bunch of the first packets of a connection. So, on some devices it is indeed possible to use youtubeUnblock alongside offloading, especially on ones driven by nftables (OpenWRT 23+). Note that this is not tested by me but reported as a workaround by users:
- Edit /usr/share/firewall4/templates/ruleset.uc by replacing
meta l4proto { tcp, udp } flow offload @ft;
with
meta l4proto { tcp, udp } ct original packets ge 30 flow offload @ft;
- Restart the firewall with service firewall restart
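As an added example (not part of youtubeUnblock or firewall4), the template edit above as an idempotent shell function: it refuses to touch a template that does not contain the expected rule, keeps a .bak copy, and is safe to run twice. The template path is passed as an argument; the rule strings are the ones from the workaround above.

```shell
#!/bin/sh
# Added example: apply the firewall4 offload workaround to the ruleset template.
# Usage: patch_offload_rule /usr/share/firewall4/templates/ruleset.uc
patch_offload_rule() {
    f="$1"
    old='meta l4proto { tcp, udp } flow offload @ft;'
    new='meta l4proto { tcp, udp } ct original packets ge 30 flow offload @ft;'
    # Already patched: nothing to do (makes repeated runs harmless).
    if grep -qF "$new" "$f"; then
        echo "already patched: $f"
        return 0
    fi
    # Template differs from the one the workaround was written for: stop
    # rather than guess where the offload rule lives.
    if ! grep -qF "$old" "$f"; then
        echo "offload rule not found in $f, template may differ" >&2
        return 1
    fi
    cp "$f" "$f.bak" || return 1
    # '|' is not in either rule, so it is a safe sed delimiter; '{', '}', '@'
    # and ';' are literal in a basic regular expression.
    sed "s|$old|$new|" "$f" > "$f.tmp" && mv "$f.tmp" "$f" || return 1
    # Confirm the new rule is present exactly once.
    [ "$(grep -cF "$new" "$f")" -eq 1 ]
}
```

After a successful run, apply the change with service firewall restart as described above.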