OpenGFW/README.md

173 lines
5.0 KiB
Markdown
Raw Normal View History

2024-01-20 08:45:01 +08:00
# ![OpenGFW](docs/logo.png)
2024-03-14 15:06:27 +08:00
[![Quality check status](https://github.com/apernet/OpenGFW/actions/workflows/check.yaml/badge.svg)](https://github.com/apernet/OpenGFW/actions/workflows/check.yaml)
2024-01-20 08:45:01 +08:00
[![License][1]][2]
[1]: https://img.shields.io/badge/License-MPL_2.0-brightgreen.svg
[2]: LICENSE
**[中文文档](README.zh.md)**
2024-01-25 12:01:43 +08:00
**[日本語ドキュメント](README.ja.md)**
2024-01-20 08:45:01 +08:00
2024-02-24 10:31:16 +08:00
OpenGFW is your very own DIY Great Firewall of China (https://en.wikipedia.org/wiki/Great_Firewall), available as a flexible, easy-to-use open source program on Linux. Why let the powers that be have all the fun? It's time to give power to the people and democratize censorship. Bring the thrill of cyber-sovereignty right into your home router and start filtering like a pro - you too can play Big Brother.
2024-02-18 14:34:38 +08:00
2024-02-24 07:43:08 +08:00
Telegram group: https://t.me/OpGFW
2024-01-20 08:45:01 +08:00
> [!CAUTION]
> This project is still in very early stages of development. Use at your own risk.
> [!NOTE]
> We are looking for contributors to help us with this project, especially implementing analyzers for more protocols!!!
## Features
- Full IP/TCP reassembly, various protocol analyzers
2024-02-18 05:56:33 +08:00
- HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
2024-01-28 05:56:08 +08:00
- "Fully encrypted traffic" detection for Shadowsocks,
2024-02-27 07:17:07 +08:00
etc. (https://gfw.report/publications/usenixsecurity23/en/)
2024-03-21 09:10:22 +08:00
- Trojan (proxy protocol) detection
2024-01-28 05:56:08 +08:00
- [WIP] Machine learning based traffic classification
2024-01-22 08:11:01 +08:00
- Full IPv4 and IPv6 support
2024-01-20 08:45:01 +08:00
- Flow-based multicore load balancing
- Connection offloading
- Powerful rule engine based on [expr](https://github.com/expr-lang/expr)
- Hot-reloadable rules (send `SIGHUP` to reload)
2024-01-20 08:45:01 +08:00
- Flexible analyzer & modifier framework
- Extensible IO implementation (only NFQueue for now)
- [WIP] Web UI
## Use cases
- Ad blocking
- Parental control
- Malware protection
- Abuse prevention for VPN/proxy services
- Traffic analysis (log only mode)
2024-02-24 07:43:08 +08:00
- Help you fulfill your dictatorial ambitions
2024-01-20 08:45:01 +08:00
## Usage
### Build
```shell
go build
```
### Run
```shell
export OPENGFW_LOG_LEVEL=debug
./OpenGFW -c config.yaml rules.yaml
```
#### OpenWrt
OpenGFW has been tested to work on OpenWrt 23.05 (other versions should also work, just not verified).
Install the dependencies:
```shell
# For OpenWrt version 22.03 and later (nftables based firewall)
opkg install kmod-nft-queue kmod-nf-conntrack-netlink
# For OpenWrt versions prior to 22.03 (excluding 22.03, iptables based firewall)
opkg install kmod-ipt-nfqueue iptables-mod-nfqueue kmod-nf-conntrack-netlink
```
2024-01-20 08:45:01 +08:00
### Example config
```yaml
io:
queueSize: 1024
rcvBuf: 4194304
sndBuf: 4194304
2024-01-20 08:45:01 +08:00
local: true # set to false if you want to run OpenGFW on FORWARD chain
rst: false # set to true if you want to send RST for blocked TCP connections, local=false only
2024-01-20 08:45:01 +08:00
workers:
count: 4
queueSize: 16
tcpMaxBufferedPagesTotal: 4096
tcpMaxBufferedPagesPerConn: 64
udpMaxStreams: 4096
# The path to load specific local geoip/geosite db files.
# If not set, they will be automatically downloaded from https://github.com/Loyalsoldier/v2ray-rules-dat
# geo:
# geoip: geoip.dat
# geosite: geosite.dat
2024-01-20 08:45:01 +08:00
```
### Example rules
2024-01-25 12:01:53 +08:00
[Analyzer properties](docs/Analyzers.md)
2024-01-20 08:45:01 +08:00
For syntax of the expression language, please refer
to [Expr Language Definition](https://expr-lang.org/docs/language-definition).
```yaml
# A rule must have at least one of "action" or "log" field set.
- name: log horny people
log: true
expr: let sni = string(tls?.req?.sni); sni contains "porn" || sni contains "hentai"
2024-01-20 08:45:01 +08:00
- name: block v2ex http
action: block
expr: string(http?.req?.headers?.host) endsWith "v2ex.com"
- name: block v2ex https
action: block
expr: string(tls?.req?.sni) endsWith "v2ex.com"
2024-02-18 05:56:33 +08:00
- name: block v2ex quic
action: block
expr: string(quic?.req?.sni) endsWith "v2ex.com"
- name: block and log shadowsocks
2024-01-20 08:45:01 +08:00
action: block
log: true
2024-01-20 08:45:01 +08:00
expr: fet != nil && fet.yes
- name: block trojan
action: block
expr: trojan != nil && trojan.yes
2024-01-20 08:45:01 +08:00
- name: v2ex dns poisoning
action: modify
modifier:
name: dns
args:
a: "0.0.0.0"
aaaa: "::"
expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})
2024-01-27 06:03:22 +08:00
2024-01-28 05:56:08 +08:00
- name: block google socks
2024-01-27 06:03:22 +08:00
action: block
2024-01-28 05:56:08 +08:00
expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80
- name: block wireguard by handshake response
action: drop
expr: wireguard?.handshake_response?.receiver_index_matched == true
- name: block bilibili geosite
action: block
expr: geosite(string(tls?.req?.sni), "bilibili")
- name: block CN geoip
action: block
expr: geoip(string(ip.dst), "cn")
- name: block cidr
action: block
expr: cidr(string(ip.dst), "192.168.0.0/16")
2024-01-20 08:45:01 +08:00
```
#### Supported actions
- `allow`: Allow the connection, no further processing.
- `block`: Block the connection, no further processing.
2024-01-20 08:45:01 +08:00
- `drop`: For UDP, drop the packet that triggered the rule, continue processing future packets in the same flow. For
TCP, same as `block`.
- `modify`: For UDP, modify the packet that triggered the rule using the given modifier, continue processing future
2024-01-22 08:11:01 +08:00
packets in the same flow. For TCP, same as `allow`.