Bypassing VPN Blocking
My provider, in addition to slowing down YouTube, has also started blocking connections to my work VPNs. My employer doesn't really like it when, asked about progress, I answer for a whole week of meetings that my VPN isn't working! By their actions, my provider has pushed me to look for workarounds.
Let me say right away that I didn't come up with the workaround myself; it was suggested by the author of the zapret project, or rather by his comment. I also use his project to watch YouTube normally. Thank you very much!
I'll add that I use nftables and nfqws; if this option works for me, it doesn't mean it will work for you! You may need to change some parameters.
First, read the comment at the link above very carefully and study how to port iptables rules to nftables. Running the iptables rule from that comment through iptables-translate:
$ iptables-translate -A OUTPUT -t mangle -o wlan0 -p udp --dport 443 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 220 --queue-bypass
gives:
$ nft 'add rule ip mangle OUTPUT oifname "wlan0" udp dport 443 mark and 0x40000000 != 0x40000000 counter queue num 220 bypass'
wlan0 is the interface through which we access the network.
443 is the port for connecting to the VPN service.
Change OUTPUT to output (nftables chain names are case-sensitive, and the chain we create below is called output).
The final line is:
$ nft 'add rule ip mangle output oifname "wlan0" udp dport { 443, 18189 } mark and 0x40000000 != 0x40000000 counter queue num 220 bypass'
I have two VPN connections, hence two ports!
Before starting, check that we have the ip mangle table:
$ nft list tables
If not, create it together with the output chain:
$ nft add table ip mangle
$ nft 'add chain ip mangle output { type filter hook output priority 0 ; }'
Check that everything has been created (the -a flag also prints the rule handles, which is what you need if you later want to delete a rule):
$ nft -a list table ip mangle
Now run the line above to add the new rule and check again what's inside the table.
And finally, launch the daemon that masks packets sent to the required ports:
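The steps above (check for the table, create the table and chain if missing, add the queue rule, list the result) can be wrapped in one idempotent script. This is an added example and not code from the post or from the zapret project; it assumes nft is on the PATH and that the script is run as root with --apply. The interface, port list and queue number are taken from the post but can be overridden through the IFACE, PORTS and QNUM environment variables.

```shell
#!/bin/sh
# Added example: idempotent setup of the nftables mangle table, output chain
# and NFQUEUE rule used to hand VPN packets to nfqws. Not the post's own script.
set -eu

IFACE="${IFACE:-wlan0}"        # interface we reach the network through
PORTS="${PORTS:-443, 18189}"   # VPN ports, nft set syntax without braces
QNUM="${QNUM:-220}"            # must match nfqws --qnum
MARK=0x40000000                # nfqws marks its own packets with this bit

# Build the rule text; kept as a function so it can be checked without nft.
vpn_queue_rule() {
    printf 'add rule ip mangle output oifname "%s" udp dport { %s } mark and %s != %s counter queue num %s bypass' \
        "$1" "$2" "$MARK" "$MARK" "$3"
}

# Create the table and the output chain only if they do not already exist.
ensure_mangle_chain() {
    nft list table ip mangle >/dev/null 2>&1 || nft add table ip mangle
    nft list chain ip mangle output >/dev/null 2>&1 ||
        nft 'add chain ip mangle output { type filter hook output priority 0 ; }'
}

# Return 0 if a rule for this queue number is already present in the chain.
rule_present() {
    nft list chain ip mangle output 2>/dev/null | grep -q "queue num $1"
}

apply() {
    ensure_mangle_chain
    if rule_present "$QNUM"; then
        echo "queue rule for qnum $QNUM already present, nothing to do"
    else
        nft "$(vpn_queue_rule "$IFACE" "$PORTS" "$QNUM")"
    fi
    # Show the final state with handles, as in the post.
    nft -a list table ip mangle
}

# Only touch the firewall when explicitly asked; without --apply the script
# just defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run it as `sudo IFACE=eth0 PORTS="443" ./setup_vpn_queue.sh --apply` on a machine with a single VPN port and a wired interface; running it a second time is harmless because both the chain creation and the rule insertion are skipped when they already exist.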
$ /opt/zapret/nfq/nfqws --uid 2 --qnum=220 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d2 --dpi-desync-repeats=10 --dpi-desync-ttl=5 --daemon
Note that the ttl value may differ for you. I peeked mine through ps aux | grep nfqws, which shows the nfqws process started by the zapret daemon and its parameters.
Of course, all of this can be automated instead of being run manually, but I needed it urgently. The most important thing is that it works!