OpenGFW

OpenGFW is a flexible, easy-to-use, open source implementation of GFW on Linux OpenGFW 是 GFW 在 Linux 上的灵活、易于使用的开源实现

Go to file

Haruue 234ee32687 chore: go mod tidy		2024-02-28 21:58:16 +08:00
.github/workflows	fix: release workflow	2024-02-26 10:49:19 -08:00
analyzer	feat: update FET analyzer to better reflect what's described in the paper	2024-02-26 15:27:35 -08:00
cmd	feat: logging support in ruleset	2024-02-23 14:13:35 -08:00
docs	docs: add QUIC	2024-02-17 13:56:33 -08:00
engine	feat: logging support in ruleset	2024-02-23 14:13:35 -08:00
io	fix: engine exit when too many packets hit NFQUEUE	2024-02-28 21:20:08 +08:00
modifier	first	2024-01-19 16:45:01 -08:00
ruleset	fix: variable support & update example in doc	2024-02-23 14:37:05 -08:00
.gitignore	first	2024-01-19 16:45:01 -08:00
LICENSE	first	2024-01-19 16:45:01 -08:00
README.ja.md	chore: update gfw report links	2024-02-26 15:17:07 -08:00
README.md	chore: update gfw report links	2024-02-26 15:17:07 -08:00
README.zh.md	chore: update gfw report links	2024-02-26 15:17:07 -08:00
go.mod	chore: go mod tidy	2024-02-28 21:58:16 +08:00
go.sum	fix merge	2024-02-17 14:39:12 -08:00
main.go	first	2024-01-19 16:45:01 -08:00

README.md

中文文档 日本語ドキュメント

OpenGFW is your very own DIY Great Firewall of China (https://en.wikipedia.org/wiki/Great_Firewall), available as a flexible, easy-to-use open source program on Linux. Why let the powers that be have all the fun? It's time to give power to the people and democratize censorship. Bring the thrill of cyber-sovereignty right into your home router and start filtering like a pro - you too can play Big Brother.

Telegram group: https://t.me/OpGFW

[!CAUTION] This project is still in very early stages of development. Use at your own risk.

[!NOTE] We are looking for contributors to help us with this project, especially implementing analyzers for more protocols!!!

Features

Full IP/TCP reassembly, various protocol analyzers
- HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
- "Fully encrypted traffic" detection for Shadowsocks, etc. (https://gfw.report/publications/usenixsecurity23/en/)
- Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
- [WIP] Machine learning based traffic classification
Full IPv4 and IPv6 support
Flow-based multicore load balancing
Connection offloading
Powerful rule engine based on expr
Hot-reloadable rules (send SIGHUP to reload)
Flexible analyzer & modifier framework
Extensible IO implementation (only NFQueue for now)
[WIP] Web UI

Use cases

Ad blocking
Parental control
Malware protection
Abuse prevention for VPN/proxy services
Traffic analysis (log only mode)
Help you fulfill your dictatorial ambitions

Usage

Build

go build

Run

export OPENGFW_LOG_LEVEL=debug
./OpenGFW -c config.yaml rules.yaml

OpenWrt

OpenGFW has been tested to work on OpenWrt 23.05 (other versions should also work, just not verified).

Install the dependencies:

opkg install kmod-nft-queue kmod-nf-conntrack-netlink

Example config

io:
  queueSize: 1024
  local: true # set to false if you want to run OpenGFW on FORWARD chain

workers:
  count: 4
  queueSize: 16
  tcpMaxBufferedPagesTotal: 4096
  tcpMaxBufferedPagesPerConn: 64
  udpMaxStreams: 4096

# The path to load specific local geoip/geosite db files.
# If not set, they will be automatically downloaded from https://github.com/Loyalsoldier/v2ray-rules-dat
# geo:
#   geoip: geoip.dat
#   geosite: geosite.dat

Example rules

Analyzer properties

For syntax of the expression language, please refer to Expr Language Definition.

# A rule must have at least one of "action" or "log" field set.
- name: log horny people
  log: true
  expr: let sni = string(tls?.req?.sni); sni contains "porn" || sni contains "hentai"

- name: block v2ex http
  action: block
  expr: string(http?.req?.headers?.host) endsWith "v2ex.com"

- name: block v2ex https
  action: block
  expr: string(tls?.req?.sni) endsWith "v2ex.com"

- name: block v2ex quic
  action: block
  expr: string(quic?.req?.sni) endsWith "v2ex.com"

- name: block and log shadowsocks
  action: block
  log: true
  expr: fet != nil && fet.yes

- name: block trojan
  action: block
  expr: trojan != nil && trojan.yes

- name: v2ex dns poisoning
  action: modify
  modifier:
    name: dns
    args:
      a: "0.0.0.0"
      aaaa: "::"
  expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})

- name: block google socks
  action: block
  expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80

- name: block wireguard by handshake response
  action: drop
  expr: wireguard?.handshake_response?.receiver_index_matched == true

- name: block bilibili geosite
  action: block
  expr: geosite(string(tls?.req?.sni), "bilibili")

- name: block CN geoip
  action: block
  expr: geoip(string(ip.dst), "cn")

- name: block cidr
  action: block
  expr: cidr(string(ip.dst), "192.168.0.0/16")

Supported actions

allow: Allow the connection, no further processing.
block: Block the connection, no further processing.
drop: For UDP, drop the packet that triggered the rule, continue processing future packets in the same flow. For TCP, same as block.
modify: For UDP, modify the packet that triggered the rule using the given modifier, continue processing future packets in the same flow. For TCP, same as allow.