
5 Commits

Author SHA1 Message Date
bol-van
5304a82dcd windows.eng.md update info 2024-05-13 14:46:00 +03:00
bol-van
2686b25324 windows.eng.md update info 2024-05-13 14:43:16 +03:00
bol-van
1b6735549f blockcheck: support more nslookup and ping variants 2024-05-13 10:23:58 +03:00
bol-van
8ec43269c0 blockcheck: support more nslookup and ping variants 2024-05-13 09:56:31 +03:00
bol-van
512cf55e30 blockcheck: test ipv6 by default if available 2024-05-13 09:03:25 +03:00
2 changed files with 92 additions and 19 deletions


@ -1265,9 +1265,12 @@ ask_params()
read dom
[ -n "$dom" ] && DOMAINS="$dom"
printf "ip protocol version(s) - 4, 6 or 46 for both (default: 4) : "
local IPVS_def=4
# yandex public dns
pingtest 6 2a02:6b8::feed:0ff && IPVS_def=46
printf "ip protocol version(s) - 4, 6 or 46 for both (default: $IPVS_def) : "
read IPVS
[ -n "$IPVS" ] || IPVS=4
[ -n "$IPVS" ] || IPVS=$IPVS_def
[ "$IPVS" = 4 -o "$IPVS" = 6 -o "$IPVS" = 46 ] || {
echo 'invalid ip version(s). should be 4, 6 or 46.'
exitp 1
@ -1287,13 +1290,11 @@ ask_params()
ENABLE_HTTPS_TLS13=0
echo
if [ -n "$TLS13" ]; then
echo "TLS 1.3 is the new standard for encrypted communications over TCP"
echo "its the most important feature for DPI bypass is encrypted TLS ServerHello"
echo "more and more sites enable TLS 1.3 but still there're many sites with only TLS 1.2 support"
echo "with TLS 1.3 more DPI bypass strategies can work but they may not apply to all sites"
echo "if a strategy works with TLS 1.2 it will also work with TLS 1.3"
echo "if nothing works with TLS 1.2 this test may find TLS1.3 only strategies"
echo "make sure that $DOMAINS support TLS 1.3 otherwise all test will return an error"
echo "TLS 1.3 uses encrypted ServerHello. DPI cannot check domain name in server response."
echo "This can allow more bypass strategies to work."
echo "What works for TLS 1.2 will also work for TLS 1.3 but not vice versa."
echo "Most sites nowadays support TLS 1.3 but not all. If you can't find a strategy for TLS 1.2 use this test."
echo "TLS 1.3 only strategy is better than nothing."
ask_yes_no_var ENABLE_HTTPS_TLS13 "check https tls 1.3"
else
echo "installed curl version does not support TLS 1.3 . tests disabled."
@ -1346,23 +1347,63 @@ ask_params()
ping_with_fix()
{
local ret
$PING $2 $1 >/dev/null 2>/dev/null
ret=$?
# can be because of unsupported -4 option
if [ "$ret" = 2 -o "$ret" = 64 ]; then
ping $2 $1 >/dev/null
else
return $ret
fi
}
pingtest()
{
# $1 - ip version : 4 or 6
# $2 - domain or ip
# ping command can vary a lot. some implementations have -4/-6 options. others don.t
# WARNING ! macos ping6 command does not have timeout option. ping6 will fail
local PING=ping ret
if [ "$1" = 6 ]; then
if exists ping6; then
PING=ping6
else
PING="ping -6"
fi
else
if [ "$UNAME" = Darwin -o "$UNAME" = FreeBSD -o "$UNAME" = OpenBSD ]; then
# ping by default pings ipv4, ping6 only pings ipv6
# in FreeBSD -4/-6 options are supported, in others not
PING=ping
else
# this can be linux or cygwin
# in linux it's not possible for sure to figure out if it supports -4/-6. only try and check for result code=2 (invalid option)
PING="ping -4"
fi
fi
case "$UNAME" in
Darwin)
$PING -c 1 -t 1 $2 >/dev/null 2>/dev/null
# WARNING ! macos ping6 command does not have timeout option. ping6 will fail. but without timeout is not an option.
;;
OpenBSD)
ping -c 1 -w 1 $1 >/dev/null
$PING -c 1 -w 1 $2 >/dev/null
;;
CYGWIN)
if starts_with "$(which ping)" /cygdrive; then
# cygwin does not have own PING by default. use windows PING.
ping -n 1 -w 1000 $1 >/dev/null
# cygwin does not have own ping by default. use windows PING.
$PING -n 1 -w 1000 $2 >/dev/null
else
# they have installed cygwin ping
ping -c 1 -W 1 $1 >/dev/null
ping_with_fix $2 '-c 1 -w 1'
fi
;;
*)
ping -c 1 -W 1 $1 >/dev/null
ping_with_fix $2 '-c 1 -W 1'
;;
esac
}
@ -1375,7 +1416,7 @@ find_working_public_dns()
{
local dns
for dns in $DNSCHECK_DNS; do
pingtest $dns && dnstest $dns && {
pingtest 4 $dns && dnstest $dns && {
PUBDNS=$dns
return 0
}
@ -1388,7 +1429,11 @@ lookup4()
# $2 - DNS
case "$LOOKUP" in
nslookup)
if is_linked_to_busybox nslookup; then
nslookup $1 $2 2>/dev/null | sed -e '1,3d' -nre 's/^.*:[^0-9]*(([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p'
else
nslookup $1 $2 2>/dev/null | sed -e '1,3d' -nre 's/^[^0-9]*(([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p'
fi
;;
host)
host -t A $1 $2 | grep "has address" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
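Review bot: In `ping_with_fix`, the retry after exit status 2 or 64 runs bare `ping $2 $1`, which drops both the address-family selector and the `2>/dev/null` used on the first attempt. For the new `pingtest 6` path this means a rejected `ping -6` or `ping6` is retried with no IPv6 constraint; with the literal address passed from `ask_params` that presumably just fails with stderr noise at the prompt, but a hostname argument could be answered over IPv4 and report IPv6 as reachable. Exit status 2 may also not be specific to an unsupported option on every ping implementation, so the retry can run after an ordinary network error. Restricting the fallback to the IPv4 case avoids this: `if [ "$PING" = "ping -4" ] && [ "$ret" = 2 -o "$ret" = 64 ]; then` followed by `ping $2 $1 >/dev/null 2>/dev/null`. A one-line header comment stating that the function reads `PING` from the caller's local scope would make that dependency visible.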


@ -75,8 +75,8 @@ You must choose to install `curl`. To compile from sources install `gcc-core`,`m
It's possible to build x86 32-bit version but this version is not shipped. You have to build it yourself.
32-bit `windivert` can be downloaded from it's developer github. Required version is 2.2.2.
There's no `arm64` signed `windivert` driver and no `cygwin`.
Theorecitally it would be possible to compile `windivert` kernel driver with test signature and run it on a arm64 system with disabled driver signature checks.
User-mode part can be run under x64 emulation. But it was not tested.
But it's possible to use unsigned driver version in test mode and user mode components with x64 emulation.
x64 emulation requires `windows 11` and not supported in `windows 10`.
### blockcheck
@ -88,6 +88,7 @@ First run once `install_bin.sh` then `blockcheck.sh`.
Backslashes in windows paths shoud be doubled. Or use cygwin path notation.
```
cd "C:\\Users\\vasya"
cd "C:/Users/vasya"
cd "/cygdrive/c/Users/vasya"
```
`Cygwin` is required only for `blockcheck.sh`. Standalone `winws` can be run without it.
@ -102,3 +103,30 @@ Edit `task_create.cmd` and write your `winws` parameters to `%WINWS1%` variable.
clone the code in all cmd files to support multiple tasks `winws1,winws2,winws3,...`.
Tasks can also be controlled from GUI `taskschd.msc`.
Also you can use windows services the same way with `service_*.cmd`.
### zapret-win-bundle
To make your life easier there's ready to use [bundle](https://github.com/bol-van/zapret-win-bundle) with `cygwin`,`blockcheck` and `winws`.
* `/zapret-winws` - standalone version of `winws` for everyday use. does not require any other folders.
* `/zapret-winws/_CMD_ADMIN.cmd` - open `cmd` as administrator in the current folder
* `/blockcheck/blockcheck.cmd` - run `blockcheck` with logging to `blockcheck/blockcheck.log`
* `/cygwin/cygwin.cmd` - run `cygwin` shell as current user
* `/cygwin/cygwin-admin.cmd` - run `cygwin` shell as administrator
There're aliases in cygwin shell for `winws`,`blockcheck`,`ip2net`,`mdig`. No need to mess with paths.
It's possible to send signals to `winws` using standard unix utilites : `pidof,kill,killall,pgrep,pkill`.
`Cygwin` shares common process list per `cygwin1.dll` copy. If you run a `winws` from `zapret-winws`
you won't be able to `kill` it because this folder contain its own copy of `cygwin1.dll`.
It's possible to use `cygwin` shell to make `winws` debug log. Use `tee` command like this :
```
winws --debug --wf-tcp=80,443 | tee winws.log
unix2dos winws.log
```
`winws.log` will be in `cygwin/home/<username>`. `unix2dos` helps with `windows 7` notepad. It's not necessary in `Windows 10` and later.