├── .github └── workflows │ ├── build-openwrt.yml │ └── update-checker.yml ├── LICENSE ├── README.md ├── diy-part1.sh ├── diy-part2.sh ├── env ├── feeds.conf.default ├── files ├── etc │ ├── AdGuardHome │ │ └── AdGuardHome.yaml.template │ ├── chinadns-ng │ │ ├── blacklist.txt │ │ └── whitelist.txt │ ├── config │ │ ├── chinadns-ng │ │ ├── smartdns │ │ └── turboacc │ ├── dnscrypt-proxy2 │ │ ├── blocked-ips.txt │ │ └── dnscrypt-proxy.toml │ ├── netdata │ │ └── netdata.conf │ ├── smartdns │ │ ├── address.conf │ │ ├── blacklist-ip.conf │ │ └── custom.conf │ ├── sysctl.conf │ └── sysupgrade.conf └── usr │ └── share │ ├── passwall │ ├── 0_default_config │ └── rules │ │ ├── block_ip │ │ ├── direct_host │ │ ├── direct_ip │ │ ├── proxy_host │ │ └── proxy_ip │ └── passwall2 │ └── 0_default_config └── myconfig /.github/workflows/build-openwrt.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright (c) 2019-2020 P3TERX 3 | # 4 | # This is free software, licensed under the MIT License. 5 | # See /LICENSE for more information. 
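#
# https://github.com/P3TERX/Actions-OpenWrt
# Description: Build OpenWrt using GitHub Actions
#

name: Build OpenWrt

on:
  repository_dispatch:
  workflow_dispatch:
    inputs:
      ssh:
        description: 'SSH connection to Actions'
        required: false
        default: 'false'
#  schedule:
#    - cron: 0 23 * * *

env:
  REPO_URL: https://github.com/xiaoqingfengATGH/HomeLede.git
  REPO_BRANCH: k5
  FEEDS_CONF: feeds.conf.default
  CONFIG_FILE: myconfig
  DIY_P1_SH: diy-part1.sh
  DIY_P2_SH: diy-part2.sh
  UPLOAD_BIN_DIR: false
  UPLOAD_FIRMWARE: true
  UPLOAD_COWTRANSFER: false
  UPLOAD_WETRANSFER: false
  UPLOAD_RELEASE: true
  TZ: Asia/Shanghai

jobs:
  build:
    runs-on: ubuntu-22.04
    # Least-privilege token for this job: 'contents: write' is what the
    # release upload and old-release cleanup steps need (and it covers the
    # checkout), 'actions: write' is what the workflow-run cleanup step needs.
    # No other step below uses the GITHUB_TOKEN.
    permissions:
      contents: write
      actions: write

    # NOTE(review): several actions below are referenced by a moving branch
    # ('@main') or a movable tag rather than a full commit SHA, so the code
    # they execute can change between builds without any change to this
    # repository. Pin each to a specific commit SHA.
    steps:
    - name: Checkout
      uses: actions/checkout@main

    - name: Initialization environment
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        sudo rm -rf /etc/apt/sources.list.d/* /usr/share/dotnet /usr/local/lib/android /opt/ghc
        sudo -E apt-get -qq update
        # Install the build dependencies listed in this repository's own 'env'
        # file (checked out above) rather than fetching the list from a mutable
        # remote branch at run time, so the package set is version-controlled
        # together with the workflow and cannot change between runs.
        sudo -E apt-get -qq install $(cat "$GITHUB_WORKSPACE/env")
        sudo -E apt-get -qq autoremove --purge
        sudo -E apt-get -qq clean
        sudo timedatectl set-timezone "$TZ"
        sudo mkdir -p /workdir
        sudo chown $USER:$GROUPS /workdir

    - name: Clone source code
      working-directory: /workdir
      run: |
        df -hT $PWD
        git clone $REPO_URL -b $REPO_BRANCH openwrt
        ln -sf /workdir/openwrt $GITHUB_WORKSPACE/openwrt

    - name: Cache
      uses: HiGarfield/cachewrtbuild@main
      with:
        ccache: 'true'
        prefix: ${{ github.workspace }}/openwrt

    - name: Load custom feeds
      run: |
        [ -e $FEEDS_CONF ] && mv $FEEDS_CONF openwrt/feeds.conf.default
        chmod +x $DIY_P1_SH
        cd openwrt
        $GITHUB_WORKSPACE/$DIY_P1_SH

    # - name: Update feeds
    #   run: cd openwrt && ./scripts/feeds update -a

    # - name: Install feeds
    #   run: cd openwrt && ./scripts/feeds install -a

    - name: Load custom configuration
      run: |
        [ -e files ] && mv files openwrt/files
        [ -e $CONFIG_FILE ] && mv $CONFIG_FILE openwrt/.config
        chmod +x $DIY_P2_SH
        cd openwrt
        $GITHUB_WORKSPACE/$DIY_P2_SH

    # Opens an interactive session on the runner; only reachable when the
    # manual 'ssh' input is set or the dispatch event type contains 'ssh'.
    # The Telegram secrets are handed to a third-party action here.
    - name: SSH connection to Actions
      uses: P3TERX/ssh2actions@v1.0.0
      if: github.event.inputs.ssh == 'true' || contains(github.event.action, 'ssh')
      env:
        TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
        TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}

    - name: Download package
      id: package
      run: |
        cd openwrt
        make defconfig
        make download -j8
        # Anything under 1 KiB is a failed/partial download; list, then drop it.
        find dl -size -1024c -exec ls -l {} \;
        find dl -size -1024c -exec rm -f {} \;

    - name: Compile the firmware
      id: compile
      run: |
        cd openwrt
        echo -e "$(nproc) thread compile"
        make -j$(nproc) || make -j1 || make -j1 V=sc
        # Step outputs go through $GITHUB_OUTPUT; '::set-output' is deprecated.
        echo "status=success" >> $GITHUB_OUTPUT
        grep '^CONFIG_TARGET.*DEVICE.*=y' .config | sed -r 's/.*DEVICE_(.*)=y/\1/' > DEVICE_NAME
        [ -s DEVICE_NAME ] && echo "DEVICE_NAME=_$(cat DEVICE_NAME)" >> $GITHUB_ENV
        echo "FILE_DATE=_$(date +"%Y%m%d%H%M")" >> $GITHUB_ENV

    - name: Check space usage
      if: (!cancelled())
      run: df -hT

    - name: Upload bin directory
      uses: actions/upload-artifact@main
      if: steps.compile.outputs.status == 'success' && env.UPLOAD_BIN_DIR == 'true'
      with:
        name: OpenWrt_bin${{ env.DEVICE_NAME }}${{ env.FILE_DATE }}
        path: openwrt/bin

    - name: Organize files
      id: organize
      if: env.UPLOAD_FIRMWARE == 'true' && !cancelled()
      run: |
        cd openwrt/bin/targets/*/*
        rm -rf packages
        echo "FIRMWARE=$PWD" >> $GITHUB_ENV
        echo "status=success" >> $GITHUB_OUTPUT

    - name: Upload firmware directory
      uses: actions/upload-artifact@main
      if: steps.organize.outputs.status == 'success' && !cancelled()
      with:
        name: OpenWrt_firmware${{ env.DEVICE_NAME }}${{ env.FILE_DATE }}
        path: ${{ env.FIRMWARE }}

    - name: Upload firmware to cowtransfer
      id: cowtransfer
      if: steps.organize.outputs.status == 'success' && env.UPLOAD_COWTRANSFER == 'true' && !cancelled()
      run: |
        # NOTE(review): this executes an unpinned remote installer fetched
        # through a URL shortener. The step is off by default
        # (UPLOAD_COWTRANSFER is false above); if it is enabled, download a
        # fixed release of the transfer tool and verify its checksum instead
        # of piping the download into sh.
        curl -fsSL git.io/file-transfer | sh
        ./transfer cow --block 2621440 -s -p 64 --no-progress ${FIRMWARE} 2>&1 | tee cowtransfer.log
        echo "::warning file=cowtransfer.com::$(cat cowtransfer.log | grep https)"
        echo "url=$(cat cowtransfer.log | grep https | cut -f3 -d" ")" >> $GITHUB_OUTPUT

    - name: Upload firmware to WeTransfer
      id: wetransfer
      if: steps.organize.outputs.status == 'success' && env.UPLOAD_WETRANSFER == 'true' && !cancelled()
      run: |
        # NOTE(review): same unpinned pipe-to-shell as the cowtransfer step
        # above; disabled by default (UPLOAD_WETRANSFER is false).
        curl -fsSL git.io/file-transfer | sh
        ./transfer wet -s -p 16 --no-progress ${FIRMWARE} 2>&1 | tee wetransfer.log
        echo "::warning file=wetransfer.com::$(cat wetransfer.log | grep https)"
        echo "url=$(cat wetransfer.log | grep https | cut -f3 -d" ")" >> $GITHUB_OUTPUT

    - name: Generate release tag
      id: tag
      if: env.UPLOAD_RELEASE == 'true' && !cancelled()
      # The transfer URLs come from third-party tool output. They are passed
      # in through environment variables rather than expanded as ${{ }}
      # expressions inside the script, so their content is never parsed as
      # shell. A skipped transfer step yields an empty string, as before.
      env:
        COWTRANSFER_URL: ${{ steps.cowtransfer.outputs.url }}
        WETRANSFER_URL: ${{ steps.wetransfer.outputs.url }}
      run: |
        echo "release_tag=$(date +"%Y.%m.%d-%H%M")" >> $GITHUB_OUTPUT
        touch release.txt
        [ $UPLOAD_COWTRANSFER = true ] && echo "🔗 [Cowtransfer](${COWTRANSFER_URL})" >> release.txt
        [ $UPLOAD_WETRANSFER = true ] && echo "🔗 [WeTransfer](${WETRANSFER_URL})" >> release.txt
        echo "status=success" >> $GITHUB_OUTPUT

    - name: Upload firmware to release
      uses: softprops/action-gh-release@v1
      if: steps.tag.outputs.status == 'success' && !cancelled()
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        tag_name: ${{ steps.tag.outputs.release_tag }}
        body_path: release.txt
        files: ${{ env.FIRMWARE }}/*

    - name: Delete workflow runs
      uses: GitRML/delete-workflow-runs@main
      with:
        retain_days: 1
        keep_minimum_runs: 3

    - name: Remove old Releases
      uses: dev-drprasad/delete-older-releases@v0.1.0
      if: env.UPLOAD_RELEASE == 'true' && !cancelled()
      with:
        keep_latest: 3
        delete_tags: true
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

--------------------------------------------------------------------------------
/.github/workflows/update-checker.yml:
--------------------------------------------------------------------------------
#
# Copyright (c) 2019-2021 P3TERX
#
# This is free software, licensed under the MIT License.
# See /LICENSE for more information.
#
# https://github.com/P3TERX/Actions-OpenWrt
# File: .github/workflows/update-checker.yml
# Description: Source code update checker
#

name: Update Checker

env:
  REPO_URL: https://github.com/xiaoqingfengATGH/HomeLede.git
  REPO_BRANCH: k5

on:
  workflow_dispatch:
  schedule:
    - cron: 0 */6 * * *

jobs:
  check:
    runs-on: ubuntu-22.04
    # Only the workflow-run cleanup step uses the GITHUB_TOKEN; the build
    # trigger uses its own PAT. Restrict the default token accordingly.
    permissions:
      actions: write

    steps:

    - name: Get Commit Hash
      id: getHash
      run: |
        git clone --depth 1 $REPO_URL -b $REPO_BRANCH .
        # Step outputs go through $GITHUB_OUTPUT; '::set-output' is deprecated.
        echo "commitHash=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT

    # A cache hit on this key means the upstream HEAD was already seen.
    # NOTE(review): actions/cache@v2 is an old major with newer majors
    # available; verify it is still serviced before relying on it.
    - name: Compare Commit Hash
      id: cacheHash
      uses: actions/cache@v2
      with:
        path: .commitHash
        key: HEAD-${{ steps.getHash.outputs.commitHash }}

    - name: Save New Commit Hash
      if: steps.cacheHash.outputs.cache-hit != 'true'
      env:
        NEW_COMMIT_HASH: ${{ steps.getHash.outputs.commitHash }}
      run: |
        echo "$NEW_COMMIT_HASH" | tee .commitHash

    # NOTE(review): ACTIONS_TRIGGER_PAT should be a token scoped to this
    # repository only, with no more permission than repository_dispatch needs.
    - name: Trigger build
      if: steps.cacheHash.outputs.cache-hit != 'true'
      uses: peter-evans/repository-dispatch@v1
      with:
        token: ${{ secrets.ACTIONS_TRIGGER_PAT }}
        event-type: Source Code Update

    - name: Delete workflow runs
      uses: GitRML/delete-workflow-runs@main
      with:
        retain_days: 1
        keep_minimum_runs: 1

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019-2020 P3TERX

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.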
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | **English** | [中文](https://p3terx.com/archives/build-openwrt-with-github-actions.html) 2 | 3 | # Actions-OpenWrt 4 | 5 | [![LICENSE](https://img.shields.io/github/license/mashape/apistatus.svg?style=flat-square&label=LICENSE)](https://github.com/P3TERX/Actions-OpenWrt/blob/master/LICENSE) 6 | ![GitHub Stars](https://img.shields.io/github/stars/P3TERX/Actions-OpenWrt.svg?style=flat-square&label=Stars&logo=github) 7 | ![GitHub Forks](https://img.shields.io/github/forks/P3TERX/Actions-OpenWrt.svg?style=flat-square&label=Forks&logo=github) 8 | 9 | A template for building OpenWrt with GitHub Actions 10 | 11 | ## Usage 12 | 13 | - Click the [Use this template](https://github.com/P3TERX/Actions-OpenWrt/generate) button to create a new repository. 14 | - Generate `.config` files using [Lean's OpenWrt](https://github.com/coolsnowwolf/lede) source code. ( You can change it through environment variables in the workflow file. ) 15 | - Push `.config` file to the GitHub repository. 16 | - Select `Build OpenWrt` on the Actions page. 17 | - Click the `Run workflow` button. 18 | - When the build is complete, click the `Artifacts` button in the upper right corner of the Actions page to download the binaries. 19 | 20 | ## Tips 21 | 22 | - It may take a long time to create a `.config` file and build the OpenWrt firmware. 
Thus, before creating a repository to build your own firmware, you may check whether others have already built one that meets your needs by simply [searching for `Actions-Openwrt` on GitHub](https://github.com/search?q=Actions-openwrt).
- Add some meta information about your built firmware (such as firmware architecture and installed packages) to your repository description; this will save others' time.

## Credits

- [Microsoft Azure](https://azure.microsoft.com)
- [GitHub Actions](https://github.com/features/actions)
- [OpenWrt](https://github.com/openwrt/openwrt)
- [Lean's OpenWrt](https://github.com/coolsnowwolf/lede)
- [tmate](https://github.com/tmate-io/tmate)
- [mxschmitt/action-tmate](https://github.com/mxschmitt/action-tmate)
- [csexton/debugger-action](https://github.com/csexton/debugger-action)
- [Cowtransfer](https://cowtransfer.com)
- [WeTransfer](https://wetransfer.com/)
- [Mikubill/transfer](https://github.com/Mikubill/transfer)
- [softprops/action-gh-release](https://github.com/softprops/action-gh-release)
- [ActionsRML/delete-workflow-runs](https://github.com/ActionsRML/delete-workflow-runs)
- [dev-drprasad/delete-older-releases](https://github.com/dev-drprasad/delete-older-releases)
- [peter-evans/repository-dispatch](https://github.com/peter-evans/repository-dispatch)

## License

[MIT](https://github.com/P3TERX/Actions-OpenWrt/blob/main/LICENSE) © [**P3TERX**](https://p3terx.com)
--------------------------------------------------------------------------------
/diy-part1.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright (c) 2019-2020 P3TERX
#
# This is free software, licensed under the MIT License.
# See /LICENSE for more information.
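#
# https://github.com/P3TERX/Actions-OpenWrt
# File name: diy-part1.sh
# Description: OpenWrt DIY script part 1 (Before Update feeds)
#

# Uncomment a feed source
#sed -i 's/^#\(.*helloworld\)/\1/' feeds.conf.default

# Add a feed source
#echo 'src-git helloworld https://github.com/fw876/helloworld' >>feeds.conf.default
#echo 'src-git passwall https://github.com/xiaorouji/openwrt-passwall' >>feeds.conf.default

# Add HomeLede prepareCompile.sh
# Feed package directories that are provided by more than one feed. The
# copies listed here are removed after 'feeds update' so that a single
# provider of each package remains when the feeds are installed.
disablePkgsList="
./feeds/luci/applications/luci-app-nft-qos
./feeds/luci/applications/luci-app-softethervpn
./feeds/luci/applications/luci-app-sqm
./feeds/luci/themes/luci-theme-argon
./feeds/packages/net/adguardhome
./feeds/packages/net/dnscrypt-proxy2
./feeds/packages/net/miniupnpd
./feeds/packages/net/mwan3
./feeds/packages/net/smartdns
./feeds/pw_packages/chinadns-ng
./feeds/xiaoqingfeng/ipt2socks-alt
./feeds/xiaoqingfeng/luci-theme-argon
./feeds/xiaoqingfeng/softethervpn5
"

# disableDulicatedPkg DIR
# Removes the feed package directory DIR if it exists and reports it.
# The argument is quoted throughout: with an unquoted empty argument the
# one-operand form '[ -d ]' evaluates true and 'rm -rf' would then run with
# no operand, so quoting keeps the "does not exist" path safe.
function disableDulicatedPkg()
{
    if [ -d "$1" ]; then
        rm -rf "$1"
        echo "$1 Disabled."
    fi
}

./scripts/feeds update -a

# Word-splitting of the unquoted list is intentional: one path per word.
for disablePkg in $disablePkgsList
do
    disableDulicatedPkg "$disablePkg"
done

./scripts/feeds update -i
./scripts/feeds install -a
--------------------------------------------------------------------------------
/diy-part2.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright (c) 2019-2020 P3TERX
#
# This is free software, licensed under the MIT License.
# See /LICENSE for more information.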
7 | # 8 | # https://github.com/P3TERX/Actions-OpenWrt 9 | # File name: diy-part2.sh 10 | # Description: OpenWrt DIY script part 2 (After Update feeds) 11 | # 12 | 13 | # Modify default IP 14 | #sed -i 's/192.168.1.1/192.168.50.5/g' package/base-files/files/bin/config_generate 15 | -------------------------------------------------------------------------------- /env: -------------------------------------------------------------------------------- 1 | ack antlr3 asciidoc autoconf automake autopoint binutils bison build-essential bzip2 ccache clang cmake cpio curl device-tree-compiler ecj fastjar flex gawk gettext gcc-multilib g++-multilib git gnutls-dev gperf haveged help2man intltool lib32gcc-s1 libc6-dev-i386 libelf-dev libglib2.0-dev libgmp3-dev libltdl-dev libmpc-dev libmpfr-dev libncurses5-dev libncursesw5 libncursesw5-dev libpython3-dev libreadline-dev libssl-dev libtool lld llvm lrzsz mkisofs msmtp nano ninja-build p7zip p7zip-full patch pkgconf python2.7 python3 python3-pip python3-ply python3-pyelftools qemu-utils re2c rsync scons squashfs-tools subversion swig texinfo uglifyjs upx-ucl unzip vim wget xmlto xxd zlib1g-dev 2 | -------------------------------------------------------------------------------- /feeds.conf.default: -------------------------------------------------------------------------------- 1 | src-git packages https://github.com/xiaoqingfengATGH/feeds-packages.git 2 | src-git luci https://github.com/xiaoqingfengATGH/feeds-luci.git 3 | src-git routing https://github.com/coolsnowwolf/routing.git 4 | src-git telephony https://git.openwrt.org/feed/telephony.git 5 | src-git pw_packages https://github.com/xiaorouji/openwrt-passwall.git;packages 6 | src-git pw_luci https://github.com/xiaorouji/openwrt-passwall.git;luci 7 | src-git pw2_luci https://github.com/xiaorouji/openwrt-passwall2.git 8 | src-git jerrykuku https://github.com/jerrykuku/openwrt-package.git 9 | src-git lienol https://github.com/homelede/openwrt-package.git;main 10 | src-git 
xiaoqingfeng https://github.com/xiaoqingfengATGH/feeds-xiaoqingfeng.git 11 | # luci-theme-infinityfreedom 12 | src-git infinityfreedom https://github.com/xiaoqingfengATGH/luci-theme-infinityfreedom.git 13 | # homeclash 14 | src-git homeclash https://github.com/xiaoqingfengATGH/homeclash.git 15 | # strongswanInDocker 16 | src-git strongswanInDocker https://github.com/xiaoqingfengATGH/luci-app-strongswanInDocker.git 17 | -------------------------------------------------------------------------------- /files/etc/AdGuardHome/AdGuardHome.yaml.template: -------------------------------------------------------------------------------- 1 | bind_host: ##ROUTER_IP## 2 | bind_port: 3000 3 | beta_bind_port: 0 4 | users: 5 | - name: root 6 | password: $2y$05$NXsf6fEZbU4eFmXOAmFSXe0Cdywzt6VPsk0vMJn/PLyGBfLXoIOVW 7 | dns: 8 | bind_hosts: 9 | - '0.0.0.0' 10 | port: 53 11 | statistics_interval: 1 12 | querylog_enabled: false 13 | querylog_interval: 6h 14 | protection_enabled: true 15 | ratelimit: 0 16 | upstream_dns: 17 | - '[/lan/]127.0.0.1:54' 18 | - '[/lan/][::1]:54' 19 | - '[//]127.0.0.1:54' 20 | - '[//][::1]:54' 21 | - 127.0.0.1:54 22 | - '[::1]:54' 23 | bootstrap_dns: 24 | - tls://1.0.0.1 25 | - tls://101.101.101.101 26 | all_servers: false 27 | fastest_addr: true 28 | allowed_clients: 29 | - 10.0.0.0/8 30 | - 127.0.0.0/8 31 | - 172.16.0.0/12 32 | - 192.168.0.0/16 33 | - ::1/128 34 | - fc00::/7 35 | cache_size: 4194304 36 | cache_ttl_min: 0 37 | cache_ttl_max: 0 38 | cache_optimistic: true 39 | aaaa_disabled: true 40 | enable_dnssec: false 41 | edns_client_subnet: false 42 | filtering_enabled: true 43 | filters_update_interval: 1 44 | local_ptr_upstreams: 45 | - 127.0.0.1:54 46 | - '[::1]:54' 47 | schema_version: 12 48 | -------------------------------------------------------------------------------- /files/etc/chinadns-ng/blacklist.txt: -------------------------------------------------------------------------------- 1 | adguard.com 2 | cloudflare-dns.com 3 | dns.google 4 | 
jp.tiar.app 5 | libredns.gr 6 | meganerd.nl 7 | moulticast.net 8 | nextdns.io 9 | opendns.com 10 | quad9.net -------------------------------------------------------------------------------- /files/etc/chinadns-ng/whitelist.txt: -------------------------------------------------------------------------------- 1 | ddns.softether-network.net 2 | nat-traversal.softether-network.net 3 | checkip.synology.com 4 | checkipv6.synology.com 5 | ddns.synology.com -------------------------------------------------------------------------------- /files/etc/config/chinadns-ng: -------------------------------------------------------------------------------- 1 | 2 | config chinadns-ng 3 | option enable '1' 4 | option bind_addr '127.0.0.1' 5 | option bind_port '5053' 6 | option china_dns '127.0.0.1#6053' 7 | option trust_dns '127.0.0.1#7053' 8 | option ipset_name4 'chnroute' 9 | option ipset_name6 'chnroute6' 10 | option gfwlist_file '/etc/chinadns-ng/gfwlist.txt' 11 | option chnlist_file '/etc/chinadns-ng/chinalist.txt' 12 | option timeout_sec '3' 13 | option repeat_times '1' 14 | option chnlist_first '0' 15 | option no_ipv6 '1' 16 | option fair_mode '0' 17 | option reuse_port '1' 18 | option noip_as_chnip '1' 19 | option auto_update '1' 20 | -------------------------------------------------------------------------------- /files/etc/config/smartdns: -------------------------------------------------------------------------------- 1 | 2 | config smartdns 3 | option enabled '1' 4 | option server_name 'HomeLedeDNS' 5 | option port '6053' 6 | option tcp_server '1' 7 | option ipv6_server '1' 8 | option dualstack_ip_selection '1' 9 | option prefetch_domain '1' 10 | option serve_expired '1' 11 | option cache_size '16384' 12 | option force_https_soa '1' 13 | option rr_ttl_min '2400' 14 | option rr_ttl_max '86400' 15 | option seconddns_port '7053' 16 | option seconddns_tcp_server '1' 17 | option seconddns_server_group 'overseas' 18 | option seconddns_no_speed_check '0' 19 | option 
seconddns_no_rule_addr '0' 20 | option seconddns_no_rule_nameserver '0' 21 | option seconddns_no_rule_ipset '0' 22 | option seconddns_no_rule_soa '0' 23 | option seconddns_no_dualstack_selection '0' 24 | option seconddns_no_cache '0' 25 | option seconddns_force_aaaa_soa '0' 26 | 27 | config server 28 | option enabled '1' 29 | option name 'CN-ALI DOH #1' 30 | option ip 'https://223.5.5.5/dns-query' 31 | option type 'https' 32 | option server_group 'mainland' 33 | option blacklist_ip '1' 34 | option no_check_certificate '0' 35 | 36 | config server 37 | option enabled '1' 38 | option name 'CN-ALI DOH #2' 39 | option ip 'https://223.6.6.6/dns-query' 40 | option type 'https' 41 | option server_group 'mainland' 42 | option blacklist_ip '1' 43 | option no_check_certificate '0' 44 | 45 | config server 46 | option enabled '1' 47 | option name 'CN-DNSPOD DOH #1' 48 | option ip 'https://1.12.12.12/dns-query' 49 | option type 'https' 50 | option server_group 'mainland' 51 | option blacklist_ip '1' 52 | option no_check_certificate '0' 53 | 54 | config server 55 | option enabled '1' 56 | option name 'CN-DNSPOD DOH #2' 57 | option ip 'https://120.53.53.53/dns-query' 58 | option type 'https' 59 | option server_group 'mainland' 60 | option blacklist_ip '1' 61 | option no_check_certificate '0' 62 | 63 | config server 64 | option enabled '1' 65 | option name 'CN-ALI DOT #1' 66 | option ip '223.5.5.5' 67 | option type 'tls' 68 | option server_group 'mainland' 69 | option blacklist_ip '1' 70 | option no_check_certificate '0' 71 | 72 | config server 73 | option enabled '1' 74 | option name 'CN-ALI DOT #2' 75 | option ip '223.6.6.6' 76 | option type 'tls' 77 | option server_group 'mainland' 78 | option blacklist_ip '1' 79 | option no_check_certificate '0' 80 | 81 | config server 82 | option enabled '1' 83 | option name 'CN-DNSPOD DOT #1' 84 | option ip '1.12.12.12' 85 | option type 'tls' 86 | option server_group 'mainland' 87 | option blacklist_ip '1' 88 | option no_check_certificate '0' 
89 | 90 | config server 91 | option enabled '1' 92 | option name 'CN-DNSPOD DOT #2' 93 | option ip '120.53.53.53' 94 | option type 'tls' 95 | option server_group 'mainland' 96 | option blacklist_ip '1' 97 | option no_check_certificate '0' 98 | 99 | config server 100 | option enabled '0' 101 | option name 'OS-Google DNS DOH' 102 | option ip 'https://8.8.8.8/dns-query' 103 | option type 'https' 104 | option server_group 'overseas' 105 | option blacklist_ip '1' 106 | option no_check_certificate '0' 107 | option addition_arg '-exclude-default-group' 108 | 109 | config server 110 | option enabled '0' 111 | option name 'OS-CloudFlare DNS DOH' 112 | option ip 'https://1.1.1.1/dns-query' 113 | option type 'https' 114 | option server_group 'overseas' 115 | option blacklist_ip '1' 116 | option no_check_certificate '0' 117 | option addition_arg '-exclude-default-group' 118 | 119 | config server 120 | option enabled '0' 121 | option name 'OS-Quad9 DNS DOH' 122 | option ip 'https://9.9.9.11/dns-query' 123 | option type 'https' 124 | option server_group 'overseas' 125 | option blacklist_ip '1' 126 | option no_check_certificate '0' 127 | option addition_arg '-exclude-default-group' 128 | 129 | config server 130 | option enabled '0' 131 | option name 'OS-Quad101 DNS DOH' 132 | option ip 'https://101.101.101.101/dns-query' 133 | option type 'https' 134 | option server_group 'overseas' 135 | option blacklist_ip '1' 136 | option no_check_certificate '0' 137 | option addition_arg '-exclude-default-group' 138 | 139 | config server 140 | option enabled '0' 141 | option name 'OS-Google DNS DOT' 142 | option ip '8.8.8.8' 143 | option type 'tls' 144 | option server_group 'overseas' 145 | option blacklist_ip '1' 146 | option no_check_certificate '0' 147 | option addition_arg '-exclude-default-group' 148 | 149 | config server 150 | option enabled '0' 151 | option name 'OS-CloudFlare DNS DOT' 152 | option ip '1.1.1.1' 153 | option type 'tls' 154 | option server_group 'overseas' 155 | option 
blacklist_ip '1' 156 | option no_check_certificate '0' 157 | option addition_arg '-exclude-default-group' 158 | 159 | config server 160 | option enabled '0' 161 | option name 'OS-Quad9 DNS DOT' 162 | option ip '9.9.9.11' 163 | option type 'tls' 164 | option server_group 'overseas' 165 | option blacklist_ip '1' 166 | option no_check_certificate '0' 167 | option addition_arg '-exclude-default-group' 168 | 169 | config server 170 | option enabled '0' 171 | option name 'OS-Quad101 DNS DOT' 172 | option ip '101.101.101.101' 173 | option type 'tls' 174 | option server_group 'overseas' 175 | option blacklist_ip '1' 176 | option no_check_certificate '0' 177 | option addition_arg '-exclude-default-group' 178 | -------------------------------------------------------------------------------- /files/etc/config/turboacc: -------------------------------------------------------------------------------- 1 | 2 | config turboacc 'config' 3 | option sw_flow '0' 4 | option hw_flow '0' 5 | option sfe_flow '0' 6 | option fullcone_nat '1' 7 | option bbr_cca '1' 8 | option dns_caching '0' 9 | -------------------------------------------------------------------------------- /files/etc/dnscrypt-proxy2/blocked-ips.txt: -------------------------------------------------------------------------------- 1 | ############################## 2 | # IP blocklist # 3 | ############################## 4 | 5 | ## Rules for IP-based response blocking 6 | ## 7 | ## Sample feeds of suspect IP addresses: 8 | ## - https://github.com/stamparm/ipsum 9 | ## - https://github.com/tg12/bad_packets_blocklist 10 | ## - https://isc.sans.edu/block.txt 11 | ## - https://block.energized.pro/extensions/ips/formats/list.txt 12 | ## - https://www.iblocklist.com/lists 13 | 14 | 118.5.49.6 15 | 128.121.126.139 16 | 159.106.121.75 17 | 159.24.3.173 18 | 169.132.13.103 19 | 182.43.124.6 20 | 188.5.4.96 21 | 189.163.17.5 22 | 190.93.244.4 23 | 190.93.245.4 24 | 190.93.246.4 25 | 190.93.247.4 26 | 192.67.198.6 27 | 197.4.4.12 28 | 
202.106.1.2 29 | 202.181.7.85 30 | 203.161.230.171 31 | 203.98.7.65 32 | 207.12.88.98 33 | 208.56.31.43 34 | 209.145.54.50 35 | 209.220.30.174 36 | 209.36.73.33 37 | 209.85.229.138 38 | 211.94.66.147 39 | 213.169.251.35 40 | 216.221.188.182 41 | 216.234.179.13 42 | 220.250.64.24 43 | 23.89.5.60 44 | 243.185.187.30 45 | 243.185.187.39 46 | 249.129.46.48 47 | 253.157.14.165 48 | 37.61.54.158 49 | 39.102.194.95 50 | 4.36.66.178 51 | 46.82.174.68 52 | 49.2.123.56 53 | 54.76.135.1 54 | 59.24.3.173 55 | 64.33.88.161 56 | 64.33.99.47 57 | 64.66.163.251 58 | 65.104.202.252 59 | 65.160.219.113 60 | 65.49.2.178 61 | 66.45.252.237 62 | 69.55.52.253 63 | 72.14.205.104 64 | 72.14.205.99 65 | 74.125.127.102 66 | 74.125.155.102 67 | 74.125.39.102 68 | 74.125.39.113 69 | 77.4.7.92 70 | 78.16.49.15 71 | 8.7.198.45 72 | 93.46.8.89 73 | -------------------------------------------------------------------------------- /files/etc/dnscrypt-proxy2/dnscrypt-proxy.toml: -------------------------------------------------------------------------------- 1 | 2 | ############################################## 3 | # # 4 | # dnscrypt-proxy configuration # 5 | # # 6 | ############################################## 7 | 8 | ## This is an example configuration file. 9 | ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml" 10 | ## 11 | ## Online documentation is available here: https://dnscrypt.info/doc 12 | 13 | 14 | 15 | ################################## 16 | # Global settings # 17 | ################################## 18 | 19 | ## List of servers to use 20 | ## 21 | ## Servers from the "public-resolvers" source (see down below) can 22 | ## be viewed here: https://dnscrypt.info/public-servers 23 | ## 24 | ## The proxy will automatically pick working servers from this list. 25 | ## Note that the require_* filters do NOT apply when using this setting. 
26 | ## 27 | ## By default, this list is empty and all registered servers matching the 28 | ## require_* filters will be used instead. 29 | ## 30 | ## Remove the leading # first to enable this; lines starting with # are ignored. 31 | 32 | # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare'] 33 | 34 | 35 | ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. 36 | ## Example with both IPv4 and IPv6: 37 | ## listen_addresses = ['127.0.0.1:53', '[::1]:53'] 38 | ## 39 | ## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']` 40 | ## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']` 41 | 42 | listen_addresses = ['127.0.0.1:7053', '[::1]:7053'] 43 | 44 | 45 | ## Maximum number of simultaneous client connections to accept 46 | 47 | max_clients = 250 48 | 49 | 50 | ## Switch to a different system user after listening sockets have been created. 51 | ## Note (1): this feature is currently unsupported on Windows. 52 | ## Note (2): this feature is not compatible with systemd socket activation. 
53 | ## Note (3): when using -pidfile, the PID file directory must be writable by the new user 54 | 55 | # user_name = 'nobody' 56 | 57 | 58 | ## Require servers (from remote sources) to satisfy specific properties 59 | 60 | # Use servers reachable over IPv4 61 | ipv4_servers = true 62 | 63 | # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity 64 | ipv6_servers = false 65 | 66 | # Use servers implementing the DNSCrypt protocol 67 | dnscrypt_servers = true 68 | 69 | # Use servers implementing the DNS-over-HTTPS protocol 70 | doh_servers = true 71 | 72 | # Use servers implementing the Oblivious DoH protocol 73 | odoh_servers = false 74 | 75 | 76 | ## Require servers defined by remote sources to satisfy specific properties 77 | 78 | # Server must support DNS security extensions (DNSSEC) 79 | require_dnssec = true 80 | 81 | # Server must not log user queries (declarative) 82 | require_nolog = true 83 | 84 | # Server must not enforce its own blocklist (for parental control, ads blocking...) 85 | require_nofilter = true 86 | 87 | # Server names to avoid even if they match all criteria 88 | disabled_server_names = [] 89 | 90 | 91 | ## Always use TCP to connect to upstream servers. 92 | ## This can be useful if you need to route everything through Tor. 93 | ## Otherwise, leave this to `false`, as it doesn't improve security 94 | ## (dnscrypt-proxy will always encrypt everything even using UDP), and can 95 | ## only increase latency. 96 | 97 | force_tcp = false 98 | 99 | 100 | ## SOCKS proxy 101 | ## Uncomment the following line to route all TCP connections to a local Tor node 102 | ## Tor doesn't support UDP, so set `force_tcp` to `true` as well. 103 | 104 | # proxy = 'socks5://127.0.0.1:9050' 105 | 106 | 107 | ## HTTP/HTTPS proxy 108 | ## Only for DoH servers 109 | 110 | # http_proxy = 'http://127.0.0.1:8888' 111 | 112 | 113 | ## How long a DNS query will wait for a response, in milliseconds. 
114 | ## If you have a network with *a lot* of latency, you may need to 115 | ## increase this. Startup may be slower if you do so. 116 | ## Don't increase it too much. 10000 is the highest reasonable value. 117 | 118 | timeout = 5000 119 | 120 | 121 | ## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds 122 | 123 | keepalive = 30 124 | 125 | 126 | ## Add EDNS-client-subnet information to outgoing queries 127 | ## 128 | ## Multiple networks can be listed; they will be randomly chosen. 129 | ## These networks don't have to match your actual networks. 130 | 131 | # edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32'] 132 | 133 | 134 | ## Response for blocked queries. Options are `refused`, `hinfo` (default) or 135 | ## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`. 136 | ## Using the `hinfo` option means that some responses will be lies. 137 | ## Unfortunately, the `hinfo` option appears to be required for Android 8+ 138 | 139 | # blocked_query_response = 'refused' 140 | 141 | 142 | ## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random' 143 | ## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency. 144 | ## The response quality still depends on the server itself. 145 | 146 | lb_strategy = 'p8' 147 | 148 | ## Set to `true` to constantly try to estimate the latency of all the resolvers 149 | ## and adjust the load-balancing parameters accordingly, or to `false` to disable. 150 | ## The default is `true`, which makes the 'p2' `lb_strategy` work well. 151 | 152 | lb_estimator = true 153 | 154 | 155 | ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) 156 | 157 | # log_level = 2 158 | 159 | 160 | ## Log file for the application, as an alternative to sending logs to 161 | ## the standard system logging service (syslog/Windows event log). 162 | ## 163 | ## This file is different from other log files, and will not be 164 | ## automatically rotated by the application. 
165 | 166 | # log_file = 'dnscrypt-proxy.log' 167 | 168 | 169 | ## When using a log file, only keep logs from the most recent launch. 170 | 171 | # log_file_latest = true 172 | 173 | 174 | ## Use the system logger (syslog on Unix, Event Log on Windows) 175 | 176 | # use_syslog = true 177 | 178 | 179 | ## Delay, in minutes, after which certificates are reloaded 180 | 181 | cert_refresh_delay = 240 182 | 183 | 184 | ## DNSCrypt: Create a new, unique key for every single DNS query 185 | ## This may improve privacy but can also have a significant impact on CPU usage 186 | ## Only enable if you don't have a lot of network load 187 | 188 | # dnscrypt_ephemeral_keys = false 189 | 190 | 191 | ## DoH: Disable TLS session tickets - increases privacy but also latency 192 | 193 | # tls_disable_session_tickets = false 194 | 195 | 196 | ## DoH: Use a specific cipher suite instead of the server preference 197 | ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 198 | ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 199 | ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 200 | ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 201 | ## 4865 = TLS_AES_128_GCM_SHA256 202 | ## 4867 = TLS_CHACHA20_POLY1305_SHA256 203 | ## 204 | ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...), 205 | ## the following suite improves performance. 206 | ## This may also help on Intel CPUs running 32-bit operating systems. 207 | ## 208 | ## Keep tls_cipher_suite empty if you have issues fetching sources or 209 | ## connecting to some DoH servers. Google and Cloudflare are fine with it. 210 | 211 | # tls_cipher_suite = [52392, 49199] 212 | 213 | 214 | ## Bootstrap resolvers 215 | ## 216 | ## These are normal, non-encrypted DNS resolvers, that will be only used 217 | ## for one-shot queries when retrieving the initial resolvers list and if 218 | ## the system DNS configuration doesn't work. 
219 | ## 220 | ## No user queries will ever be leaked through these resolvers, and they will 221 | ## not be used after IP addresses of DoH resolvers have been found (if you are 222 | ## using DoH). 223 | ## 224 | ## They will never be used if lists have already been cached, and if the stamps 225 | ## of the configured servers already include IP addresses (which is the case for 226 | ## most of DoH servers, and for all DNSCrypt servers and relays). 227 | ## 228 | ## They will not be used if the configured system DNS works, or after the 229 | ## proxy already has at least one usable secure resolver. 230 | ## 231 | ## Resolvers supporting DNSSEC are recommended, and, if you are using 232 | ## DoH, bootstrap resolvers should ideally be operated by a different entity 233 | ## than the DoH servers you will be using, especially if you have IPv6 enabled. 234 | ## 235 | ## People in China may want to use 114.114.114.114:53 here. 236 | ## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1. 237 | ## 238 | ## If more than one resolver is specified, they will be tried in sequence. 239 | ## 240 | ## TL;DR: put valid standard resolver addresses here. Your actual queries will 241 | ## not be sent there. If you're using DNSCrypt or Anonymized DNS and your 242 | ## lists are up to date, these resolvers will not even be used. 243 | 244 | bootstrap_resolvers = ['101.6.6.6:5353', '1.1.1.1:53', '9.9.9.9:53'] 245 | 246 | 247 | ## Always use the bootstrap resolver before the system DNS settings. 248 | 249 | ignore_system_dns = true 250 | 251 | 252 | ## Maximum time (in seconds) to wait for network connectivity before 253 | ## initializing the proxy. 254 | ## Useful if the proxy is automatically started at boot, and network 255 | ## connectivity is not guaranteed to be immediately available. 256 | ## Use 0 to not test for connectivity at all (not recommended), 257 | ## and -1 to wait as much as possible. 
258 | 259 | netprobe_timeout = 60 260 | 261 | ## Address and port to try initializing a connection to, just to check 262 | ## if the network is up. It can be any address and any port, even if 263 | ## there is nothing answering these on the other side. Just don't use 264 | ## a local address, as the goal is to check for Internet connectivity. 265 | ## On Windows, a datagram with a single, nul byte will be sent, only 266 | ## when the system starts. 267 | ## On other operating systems, the connection will be initialized 268 | ## but nothing will be sent at all. 269 | 270 | netprobe_address = '119.29.29.29:53' 271 | 272 | 273 | ## Offline mode - Do not use any remote encrypted servers. 274 | ## The proxy will remain fully functional to respond to queries that 275 | ## plugins can handle directly (forwarding, cloaking, ...) 276 | 277 | # offline_mode = false 278 | 279 | 280 | ## Additional data to attach to outgoing queries. 281 | ## These strings will be added as TXT records to queries. 282 | ## Do not use, except on servers explicitly asking for extra data 283 | ## to be present. 284 | ## encrypted-dns-server can be configured to use this for access control 285 | ## in the [access_control] section 286 | 287 | # query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken'] 288 | 289 | 290 | ## Automatic log files rotation 291 | 292 | # Maximum log files size in MB - Set to 0 for unlimited. 293 | log_files_max_size = 10 294 | 295 | # How long to keep backup files, in days 296 | log_files_max_age = 7 297 | 298 | # Maximum log files backups to keep (or 0 to keep all backups) 299 | log_files_max_backups = 1 300 | 301 | 302 | 303 | ######################### 304 | # Filters # 305 | ######################### 306 | 307 | ## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you 308 | ## configure dnscrypt-proxy to do any kind of filtering (including the filters 309 | ## below and blocklists). 
310 | ## You can still choose resolvers that do DNSSEC validation. 311 | 312 | 313 | ## Immediately respond to IPv6-related queries with an empty response 314 | ## This makes things faster when there is no IPv6 connectivity, but can 315 | ## also cause reliability issues with some stub resolvers. 316 | 317 | block_ipv6 = true 318 | 319 | 320 | ## Immediately respond to A and AAAA queries for host names without a domain name 321 | 322 | block_unqualified = true 323 | 324 | 325 | ## Immediately respond to queries for local zones instead of leaking them to 326 | ## upstream resolvers (always causing errors or timeouts). 327 | 328 | block_undelegated = true 329 | 330 | 331 | ## TTL for synthetic responses sent when a request has been blocked (due to 332 | ## IPv6 or blocklists). 333 | 334 | reject_ttl = 10 335 | 336 | 337 | 338 | ################################################################################## 339 | # Route queries for specific domains to a dedicated set of servers # 340 | ################################################################################## 341 | 342 | ## See the `example-forwarding-rules.txt` file for an example 343 | 344 | # forwarding_rules = 'forwarding-rules.txt' 345 | 346 | 347 | 348 | ############################### 349 | # Cloaking rules # 350 | ############################### 351 | 352 | ## Cloaking returns a predefined address for a specific name. 353 | ## In addition to acting as a HOSTS file, it can also return the IP address 354 | ## of a different name. It will also do CNAME flattening. 355 | ## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled 356 | ## for cloaking rules that do not contain wild cards. 
357 | ## 358 | ## See the `example-cloaking-rules.txt` file for an example 359 | 360 | # cloaking_rules = 'cloaking-rules.txt' 361 | 362 | ## TTL used when serving entries in cloaking-rules.txt 363 | 364 | # cloak_ttl = 600 365 | # cloak_ptr = false 366 | 367 | 368 | 369 | ########################### 370 | # DNS cache # 371 | ########################### 372 | 373 | ## Enable a DNS cache to reduce latency and outgoing traffic 374 | 375 | cache = true 376 | 377 | 378 | ## Cache size 379 | 380 | cache_size = 16384 381 | 382 | 383 | ## Minimum TTL for cached entries 384 | 385 | cache_min_ttl = 2400 386 | 387 | 388 | ## Maximum TTL for cached entries 389 | 390 | cache_max_ttl = 86400 391 | 392 | 393 | ## Minimum TTL for negatively cached entries 394 | 395 | cache_neg_min_ttl = 60 396 | 397 | 398 | ## Maximum TTL for negatively cached entries 399 | 400 | cache_neg_max_ttl = 600 401 | 402 | 403 | 404 | ######################################## 405 | # Captive portal handling # 406 | ######################################## 407 | 408 | [captive_portals] 409 | 410 | ## A file that contains a set of names used by operating systems to 411 | ## check for connectivity and captive portals, along with hard-coded 412 | ## IP addresses to return. 413 | 414 | # map_file = 'example-captive-portals.txt' 415 | 416 | 417 | 418 | ################################## 419 | # Local DoH server # 420 | ################################## 421 | 422 | [local_doh] 423 | 424 | ## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers 425 | ## requiring a direct connection to a DoH server in order to enable some 426 | ## features will enable these, without bypassing your DNS proxy. 427 | 428 | ## Addresses that the local DoH server should listen to 429 | 430 | # listen_addresses = ['127.0.0.1:3000'] 431 | 432 | 433 | ## Path of the DoH URL. This is not a file, but the part after the hostname 434 | ## in the URL. By convention, `/dns-query` is frequently chosen. 
435 | ## For each `listen_address` the complete URL to access the server will be: 436 | ## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`) 437 | 438 | # path = '/dns-query' 439 | 440 | 441 | ## Certificate file and key - Note that the certificate has to be trusted. 442 | ## See the documentation (wiki) for more information. 443 | 444 | # cert_file = 'localhost.pem' 445 | # cert_key_file = 'localhost.pem' 446 | 447 | 448 | 449 | ############################### 450 | # Query logging # 451 | ############################### 452 | 453 | ## Log client queries to a file 454 | 455 | [query_log] 456 | 457 | ## Path to the query log file (absolute, or relative to the same directory as the config file) 458 | ## Can be set to /dev/stdout in order to log to the standard output. 459 | 460 | # file = 'query.log' 461 | 462 | 463 | ## Query log format (currently supported: tsv and ltsv) 464 | 465 | format = 'tsv' 466 | 467 | 468 | ## Do not log these query types, to reduce verbosity. Keep empty to log everything. 469 | 470 | # ignored_qtypes = ['DNSKEY', 'NS'] 471 | 472 | 473 | 474 | ############################################ 475 | # Suspicious queries logging # 476 | ############################################ 477 | 478 | ## Log queries for nonexistent zones 479 | ## These queries can reveal the presence of malware, broken/obsolete applications, 480 | ## and devices signaling their presence to 3rd parties. 481 | 482 | [nx_log] 483 | 484 | ## Path to the query log file (absolute, or relative to the same directory as the config file) 485 | 486 | # file = 'nx.log' 487 | 488 | 489 | ## Query log format (currently supported: tsv and ltsv) 490 | 491 | format = 'tsv' 492 | 493 | 494 | 495 | ###################################################### 496 | # Pattern-based blocking (blocklists) # 497 | ###################################################### 498 | 499 | ## Blocklists are made of one pattern per line. 
Example of valid patterns: 500 | ## 501 | ## example.com 502 | ## =example.com 503 | ## *sex* 504 | ## ads.* 505 | ## ads*.example.* 506 | ## ads*.example[0-9]*.com 507 | ## 508 | ## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/ 509 | ## A script to build blocklists from public feeds can be found in the 510 | ## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code. 511 | 512 | [blocked_names] 513 | 514 | ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) 515 | 516 | # blocked_names_file = 'blocked-names.txt' 517 | 518 | 519 | ## Optional path to a file logging blocked queries 520 | 521 | # log_file = 'blocked-names.log' 522 | 523 | 524 | ## Optional log format: tsv or ltsv (default: tsv) 525 | 526 | # log_format = 'tsv' 527 | 528 | 529 | 530 | ########################################################### 531 | # Pattern-based IP blocking (IP blocklists) # 532 | ########################################################### 533 | 534 | ## IP blocklists are made of one pattern per line. Example of valid patterns: 535 | ## 536 | ## 127.* 537 | ## fe80:abcd:* 538 | ## 192.168.1.4 539 | 540 | [blocked_ips] 541 | 542 | ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) 543 | 544 | blocked_ips_file = 'blocked-ips.txt' 545 | 546 | 547 | ## Optional path to a file logging blocked queries 548 | 549 | # log_file = 'blocked-ips.log' 550 | 551 | 552 | ## Optional log format: tsv or ltsv (default: tsv) 553 | 554 | # log_format = 'tsv' 555 | 556 | 557 | 558 | ###################################################### 559 | # Pattern-based allow lists (blocklists bypass) # 560 | ###################################################### 561 | 562 | ## Allowlists support the same patterns as blocklists 563 | ## If a name matches an allowlist entry, the corresponding session 564 | ## will bypass names and IP filters. 
565 | ## 566 | ## Time-based rules are also supported to make some websites only accessible at specific times of the day. 567 | 568 | [allowed_names] 569 | 570 | ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) 571 | 572 | # allowed_names_file = 'allowed-names.txt' 573 | 574 | 575 | ## Optional path to a file logging allowed queries 576 | 577 | # log_file = 'allowed-names.log' 578 | 579 | 580 | ## Optional log format: tsv or ltsv (default: tsv) 581 | 582 | # log_format = 'tsv' 583 | 584 | 585 | 586 | ######################################################### 587 | # Pattern-based allowed IPs lists (blocklists bypass) # 588 | ######################################################### 589 | 590 | ## Allowed IP lists support the same patterns as IP blocklists 591 | ## If an IP response matches an allow ip entry, the corresponding session 592 | ## will bypass IP filters. 593 | ## 594 | ## Time-based rules are also supported to make some websites only accessible at specific times of the day. 595 | 596 | [allowed_ips] 597 | 598 | ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) 599 | 600 | # allowed_ips_file = 'allowed-ips.txt' 601 | 602 | 603 | ## Optional path to a file logging allowed queries 604 | 605 | # log_file = 'allowed-ips.log' 606 | 607 | ## Optional log format: tsv or ltsv (default: tsv) 608 | 609 | # log_format = 'tsv' 610 | 611 | 612 | 613 | ########################################## 614 | # Time access restrictions # 615 | ########################################## 616 | 617 | ## One or more weekly schedules can be defined here. 618 | ## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name 619 | ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule. 
620 | ## 621 | ## For example, the following rule in a blocklist file: 622 | ## *.youtube.* @time-to-sleep 623 | ## would block access to YouTube during the times defined by the 'time-to-sleep' schedule. 624 | ## 625 | ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00 626 | ## {after= '9:00', before='18:00'} matches 9:00-18:00 627 | 628 | [schedules] 629 | 630 | # [schedules.time-to-sleep] 631 | # mon = [{after='21:00', before='7:00'}] 632 | # tue = [{after='21:00', before='7:00'}] 633 | # wed = [{after='21:00', before='7:00'}] 634 | # thu = [{after='21:00', before='7:00'}] 635 | # fri = [{after='23:00', before='7:00'}] 636 | # sat = [{after='23:00', before='7:00'}] 637 | # sun = [{after='21:00', before='7:00'}] 638 | 639 | # [schedules.work] 640 | # mon = [{after='9:00', before='18:00'}] 641 | # tue = [{after='9:00', before='18:00'}] 642 | # wed = [{after='9:00', before='18:00'}] 643 | # thu = [{after='9:00', before='18:00'}] 644 | # fri = [{after='9:00', before='17:00'}] 645 | 646 | 647 | 648 | ######################### 649 | # Servers # 650 | ######################### 651 | 652 | ## Remote lists of available servers 653 | ## Multiple sources can be used simultaneously, but every source 654 | ## requires a dedicated cache file. 655 | ## 656 | ## Refer to the documentation for URLs of public sources. 657 | ## 658 | ## A prefix can be prepended to server names in order to 659 | ## avoid collisions if different sources share the same names for 660 | ## different servers. In that case, names listed in `server_names` 661 | ## must include the prefixes. 662 | ## 663 | ## If the `urls` property is missing, cache files and valid signatures 664 | ## must already be present. This doesn't prevent these cache files from 665 | ## expiring after `refresh_delay` hours. 666 | ## Cache freshness is checked every 24 hours, so values for 'refresh_delay' 667 | ## of less than 24 hours will have no effect. 
668 | ## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness. 669 | 670 | [sources] 671 | 672 | ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers 673 | 674 | [sources.public-resolvers] 675 | urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] 676 | cache_file = 'public-resolvers.md' 677 | minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' 678 | refresh_delay = 72 679 | prefix = '' 680 | 681 | ### Anonymized DNS relays 682 | 683 | # [sources.relays] 684 | # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md'] 685 | # cache_file = 'relays.md' 686 | # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' 687 | # refresh_delay = 72 688 | # prefix = '' 689 | 690 | ### ODoH (Oblivious DoH) servers and relays 691 | 692 | # [sources.odoh-servers] 693 | # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md'] 694 | # cache_file = 'odoh-servers.md' 695 | # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' 696 | # refresh_delay = 24 697 | # prefix = '' 698 | # [sources.odoh-relays] 699 | # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md'] 700 | # cache_file = 'odoh-relays.md' 701 | # minisign_key = 
'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' 702 | # refresh_delay = 24 703 | # prefix = '' 704 | 705 | ### Quad9 706 | 707 | # [sources.quad9-resolvers] 708 | # urls = ['https://www.quad9.net/quad9-resolvers.md'] 709 | # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN' 710 | # cache_file = 'quad9-resolvers.md' 711 | # prefix = 'quad9-' 712 | 713 | ### Another example source, with resolvers censoring some websites not appropriate for children 714 | ### This is a subset of the `public-resolvers` list, so enabling both is useless. 715 | 716 | # [sources.parental-control] 717 | # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md'] 718 | # cache_file = 'parental-control.md' 719 | # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' 720 | 721 | 722 | 723 | ######################################### 724 | # Servers with known bugs # 725 | ######################################### 726 | 727 | [broken_implementations] 728 | 729 | ## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't 730 | ## truncate responses larger than questions as expected by the DNSCrypt protocol. 731 | ## This prevents large responses from being received over UDP and over relays. 732 | ## 733 | ## Older versions of the `dnsdist` server software had a bug with queries larger 734 | ## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but 735 | ## some server may still run an outdated version. 736 | ## 737 | ## The list below enables workarounds to make non-relayed usage more reliable 738 | ## until the servers are fixed. 
739 | 740 | fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6'] 741 | 742 | 743 | 744 | ################################################################# 745 | # Certificate-based client authentication for DoH # 746 | ################################################################# 747 | 748 | ## Use a X509 certificate to authenticate yourself when connecting to DoH servers. 749 | ## This is only useful if you are operating your own, private DoH server(s). 750 | ## 'creds' maps servers to certificates, and supports multiple entries. 751 | ## If you are not using the standard root CA, an optional "root_ca" 752 | ## property set to the path to a root CRT file can be added to a server entry. 753 | 754 | [doh_client_x509_auth] 755 | 756 | # creds = [ 757 | # { server_name='*', client_cert='client.crt', client_key='client.key' } 758 | # ] 759 | 760 | 761 | 762 | ################################ 763 | # Anonymized DNS # 764 | ################################ 765 | 766 | [anonymized_dns] 767 | 768 | ## Routes are indirect ways to reach DNSCrypt servers. 769 | ## 770 | ## A route maps a server name ("server_name") to one or more relays that will be 771 | ## used to connect to that server. 772 | ## 773 | ## A relay can be specified as a DNS Stamp (either a relay stamp, or a 774 | ## DNSCrypt stamp) or a server name. 775 | ## 776 | ## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`, 777 | ## and "example-server-2" via the relay whose relay DNS stamp is 778 | ## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM". 779 | ## 780 | ## !!! THESE ARE JUST EXAMPLES !!! 781 | ## 782 | ## Review the list of available relays from the "relays.md" file, and, for each 783 | ## server you want to use, define the relays you want connections to go through. 
784 | ## 785 | ## Carefully choose relays and servers so that they are run by different entities. 786 | ## 787 | ## "server_name" can also be set to "*" to define a default route, for all servers: 788 | ## { server_name='*', via=['anon-example-1', 'anon-example-2'] } 789 | ## 790 | ## If a route is ["*"], the proxy automatically picks a relay on a distinct network. 791 | ## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal. 792 | ## 793 | ## Manual selection is always recommended over automatic selection, so that you can 794 | ## select (relay,server) pairs that work well and fit your own criteria (close by or 795 | ## in different countries, operated by different entities, on distinct ISPs...) 796 | 797 | # routes = [ 798 | # { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] }, 799 | # { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] } 800 | # ] 801 | 802 | 803 | ## Skip resolvers incompatible with anonymization instead of using them directly 804 | 805 | skip_incompatible = false 806 | 807 | 808 | ## If public server certificates for a non-conformant server cannot be 809 | ## retrieved via a relay, try getting them directly. Actual queries 810 | ## will then always go through relays. 811 | 812 | # direct_cert_fallback = false 813 | 814 | 815 | 816 | ############################### 817 | # DNS64 # 818 | ############################### 819 | 820 | ## DNS64 is a mechanism for synthesizing AAAA records from A records. 821 | ## It is used with an IPv6/IPv4 translator to enable client-server 822 | ## communication between an IPv6-only client and an IPv4-only server, 823 | ## without requiring any changes to either the IPv6 or the IPv4 node, 824 | ## for the class of applications that work through NATs. 
825 | ## 826 | ## There are two options to synthesize such records: 827 | ## Option 1: Using a set of static IPv6 prefixes; 828 | ## Option 2: By discovering the IPv6 prefix from a DNS64-enabled resolver. 829 | ## 830 | ## If both options are configured - only static prefixes are used. 831 | ## (Ref. RFC6147, RFC6052, RFC7050) 832 | ## 833 | ## Do not enable unless you know what DNS64 is and why you need it, or else 834 | ## you won't be able to connect to anything at all. 835 | 836 | [dns64] 837 | 838 | ## Static prefix(es) as Pref64::/n CIDRs 839 | 840 | # prefix = ['64:ff9b::/96'] 841 | 842 | ## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs 843 | ## These resolvers are only used to query the Well-Known IPv4-only Name (WKN) "ipv4only.arpa." for prefix discovery. 844 | ## Set this to your ISP's resolvers if you need custom prefixes (other than the Well-Known Prefix 64:ff9b::/96). 845 | ## IMPORTANT: The default resolvers listed below support the Well-Known Prefix 64:ff9b::/96 only. 846 | 847 | # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53'] 848 | 849 | 850 | 851 | ######################################## 852 | # Static entries # 853 | ######################################## 854 | 855 | ## Optional, local, static list of additional servers 856 | ## Mostly useful for testing your own servers. 857 | 858 | # [static] 859 | 860 | # [static.'nextdns-doh'] 861 | # NextDNS is a cloud-based private DNS service that gives you full control over what is allowed and what is blocked on the Internet. 
DNSSEC, Anycast, Non-logging, NoFilters 862 | # stamp = 'sdns://AgcAAAAAAAAACjQ1LjkwLjI4LjAgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkOZG5zLm5leHRkbnMuaW8PL2Ruc2NyeXB0LXByb3h5' 863 | 864 | # [static.'quad9-dnscrypt-ip4-nofilter-pri'] 865 | # Quad9 (anycast) no-dnssec/no-log/no-filter 9.9.9.10 / 149.112.112.10 866 | # stamp = 'sdns://AQYAAAAAAAAAEzE0OS4xMTIuMTEyLjEwOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA' 867 | 868 | # [static.'quad9-doh-ip4-port443-nofilter-pri'] 869 | # Quad9 (anycast) no-dnssec/no-log/no-filter 9.9.9.10 / 149.112.112.10 870 | # stamp = 'sdns://AgYAAAAAAAAACDkuOS45LjEwICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczEwLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ' 871 | 872 | # [static.'cloudflare.doh'] 873 | # Cloudflare DNS (anycast) - aka 1.1.1.1 / 1.0.0.1 874 | # stamp = 'sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5' 875 | 876 | # [static.'google.doh'] 877 | # Google DNS (anycast) 878 | # stamp = 'sdns://AgUAAAAAAAAABzguOC44LjigHvYkz_9ea9O63fP92_3qVlRn43cpncfuZnUWbzAMwbmgdoAkR6AZkxo_AEMExT_cbBssN43Evo9zs5_ZyWnftEUgalBisNF41VbxY7E7Gw8ZQ10CWIKRzHVYnf7m6xHI1cMKZG5zLmdvb2dsZQovZG5zLXF1ZXJ5' 879 | 880 | # [static.'meganerd.DNSCrypt'] 881 | # meganerd of Netherlands 882 | # stamp = 'sdns://AQcAAAAAAAAAEjEzNi4yNDQuOTcuMTE0OjQ0MyD8qtxwTl7jYLuhTuKVO9Uougk1epDw_OTQOgE4a_-rYhgyLmRuc2NyeXB0LWNlcnQubWVnYW5lcmQ' 883 | 884 | # [static.'meganerd-doh-ipv4'] 885 | # DoH server by MegaNerd.nl (IPv4) - https://meganerd.nl/encrypted-dns-server Hosted in Amsterdam (AMS1), The Netherlands. Non-logging, non-filtering, supports DNSSEC. 886 | # stamp = 'sdns://AgcAAAAAAAAADjEzNi4yNDQuOTcuMTE0IEROvWe7g_iAezkh6TiskXi4gr1QqtsRIx8ETPXwjffOGWNoZXdiYWNjYS5tZWdhbmVyZC5ubDo0NDMEL2RvaA' 887 | 888 | # [static.'jp.tiar.app-DNSCrypt'] 889 | # Non-Logging, Non-Filtering DNSCrypt server in Japan. 
No ECS, Support DNSSEC 890 | # stamp = 'sdns://AQcAAAAAAAAAEjE3Mi4xMDQuOTMuODA6MTQ0MyAyuHY-8b9lNqHeahPAzW9IoXnjiLaZpTeNbVs8TN9UUxsyLmRuc2NyeXB0LWNlcnQuanAudGlhci5hcHA' 891 | 892 | # [static.'jp.tiar.app-doh'] 893 | # Non-Logging, Non-Filtering DNS-over-HTTPS server in Japan. No ECS, Support DNSSEC 894 | # stamp = 'sdns://AgcAAAAAAAAADTE3Mi4xMDQuOTMuODCgzBBg05yDKbYrb7x9DW35MJhpuYHn5jktXNj6QI9NgOYgRE69Z7uD-IB7OSHpOKyReLiCvVCq2xEjHwRM9fCN984LanAudGlhci5hcHAKL2Rucy1xdWVyeQ' 895 | 896 | # [static.'moulticast-sg-ipv4'] 897 | # Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Singapore | Operated by @herver (Github) | https://moulticast.net/dnscrypt/ 898 | # stamp = 'sdns://AQcAAAAAAAAAETUxLjc5LjE1OC4xODM6NDQzIC-H3tskESNJYwjHtOc4UpnihmM_osylY8hNONDr6voFHTIuZG5zY3J5cHQtY2VydC5tb3VsdGljYXN0LXNn' 899 | -------------------------------------------------------------------------------- /files/etc/netdata/netdata.conf: -------------------------------------------------------------------------------- 1 | # Full configuration can be retrieved from the running 2 | # server at http://localhost:19999/netdata.conf 3 | # 4 | # Example: 5 | # curl -o /etc/netdata/netdata.conf http://localhost:19999/netdata.conf 6 | # 7 | 8 | [global] 9 | update every = 1 10 | memory deduplication (ksm) = no 11 | debug log = syslog 12 | error log = syslog 13 | access log = none 14 | run as user = root 15 | 16 | [web] 17 | allow connections from = localhost 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 18 | allow dashboard from = localhost 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 19 | 20 | [plugins] 21 | cgroups = no 22 | apps = no 23 | charts.d = no 24 | fping = no 25 | node.d = no 26 | python.d = no 27 | 28 | [health] 29 | enabled = no 30 | 31 | [plugin:proc] 32 | 
/sys/kernel/mm/ksm = no 33 | /proc/pressure = no 34 | 35 | [plugin:proc:ipc] 36 | shared memory totals = no 37 | 38 | -------------------------------------------------------------------------------- /files/etc/smartdns/address.conf: -------------------------------------------------------------------------------- 1 | # Add domains which you want to force to an IP address here. 2 | # The example below sends any host in example.com to a local webserver. 3 | # address /domain/[ip|-|-4|-6|#|#4|#6] 4 | # address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client 5 | # address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all 6 | # address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all 7 | 8 | # assign a specific ipset to a domain 9 | # ipset /domain/[ipset|-] 10 | # ipset /www.example.com/block, add the resolved addresses to the ipset named block 11 | # ipset /www.example.com/-, ignore this domain 12 | 13 | # assign a specific nameserver group to a domain 14 | # nameserver /domain/[group|-] 15 | # nameserver /www.example.com/office, resolve this domain through the named server group. 16 | # nameserver /www.example.com/-, ignore this domain 17 | -------------------------------------------------------------------------------- /files/etc/smartdns/blacklist-ip.conf: -------------------------------------------------------------------------------- 1 | # Add the IP blacklist you want filtered out of some DNS servers' results here. 2 | # The example below filters IPs from the results of any DNS server configured with -blacklist-ip. 
3 | # blacklist-ip [ip/subnet] 4 | # blacklist-ip 254.0.0.1/16 5 | 6 | blacklist-ip 118.5.49.6 7 | blacklist-ip 128.121.126.139 8 | blacklist-ip 159.106.121.75 9 | blacklist-ip 159.24.3.173 10 | blacklist-ip 169.132.13.103 11 | blacklist-ip 182.43.124.6 12 | blacklist-ip 188.5.4.96 13 | blacklist-ip 189.163.17.5 14 | blacklist-ip 190.93.244.4 15 | blacklist-ip 190.93.245.4 16 | blacklist-ip 190.93.246.4 17 | blacklist-ip 190.93.247.4 18 | blacklist-ip 192.67.198.6 19 | blacklist-ip 197.4.4.12 20 | blacklist-ip 202.106.1.2 21 | blacklist-ip 202.181.7.85 22 | blacklist-ip 203.161.230.171 23 | blacklist-ip 203.98.7.65 24 | blacklist-ip 207.12.88.98 25 | blacklist-ip 208.56.31.43 26 | blacklist-ip 209.145.54.50 27 | blacklist-ip 209.220.30.174 28 | blacklist-ip 209.36.73.33 29 | blacklist-ip 209.85.229.138 30 | blacklist-ip 211.94.66.147 31 | blacklist-ip 213.169.251.35 32 | blacklist-ip 216.221.188.182 33 | blacklist-ip 216.234.179.13 34 | blacklist-ip 220.250.64.24 35 | blacklist-ip 23.89.5.60 36 | blacklist-ip 243.185.187.30 37 | blacklist-ip 243.185.187.39 38 | blacklist-ip 249.129.46.48 39 | blacklist-ip 253.157.14.165 40 | blacklist-ip 37.61.54.158 41 | blacklist-ip 39.102.194.95 42 | blacklist-ip 4.36.66.178 43 | blacklist-ip 46.82.174.68 44 | blacklist-ip 49.2.123.56 45 | blacklist-ip 54.76.135.1 46 | blacklist-ip 59.24.3.173 47 | blacklist-ip 64.33.88.161 48 | blacklist-ip 64.33.99.47 49 | blacklist-ip 64.66.163.251 50 | blacklist-ip 65.104.202.252 51 | blacklist-ip 65.160.219.113 52 | blacklist-ip 65.49.2.178 53 | blacklist-ip 66.45.252.237 54 | blacklist-ip 69.55.52.253 55 | blacklist-ip 72.14.205.104 56 | blacklist-ip 72.14.205.99 57 | blacklist-ip 74.125.127.102 58 | blacklist-ip 74.125.155.102 59 | blacklist-ip 74.125.39.102 60 | blacklist-ip 74.125.39.113 61 | blacklist-ip 77.4.7.92 62 | blacklist-ip 78.16.49.15 63 | blacklist-ip 8.7.198.45 64 | blacklist-ip 93.46.8.89 65 | -------------------------------------------------------------------------------- 
/files/etc/smartdns/custom.conf: -------------------------------------------------------------------------------- 1 | # Add custom settings here. 2 | 3 | # set log level 4 | # log-level [level], level=fatal, error, warn, notice, info, debug 5 | # log-level error 6 | 7 | # log-size k,m,g 8 | # log-size 128k 9 | 10 | # log-file /var/log/smartdns.log 11 | # log-num 2 12 | 13 | # List of hosts that supply bogus NX domain results 14 | # bogus-nxdomain [ip/subnet] 15 | 16 | # Other optimizations 17 | -------------------------------------------------------------------------------- /files/etc/sysctl.conf: -------------------------------------------------------------------------------- 1 | # Defaults are configured in /etc/sysctl.d/* and can be customized in this file 2 | 3 | # max open files 4 | fs.file-max = 1048576 5 | 6 | # increase the watches limit 7 | fs.inotify.max_user_watches = 1048576 8 | 9 | # increase inotify instance queue limit 10 | fs.inotify.max_queued_events = 32768 11 | 12 | # increase inotify instances limit 13 | fs.inotify.max_user_instances = 65536 14 | 15 | # max network device input queue (per CPU) 16 | net.core.netdev_max_backlog = 4096 17 | 18 | # max SYN backlog 19 | net.ipv4.tcp_max_syn_backlog = 4096 20 | 21 | # turn on path MTU discovery 22 | net.ipv4.tcp_mtu_probing = 1 23 | 24 | # default read buffer 25 | net.core.rmem_default = 262144 26 | 27 | # default write buffer 28 | net.core.wmem_default = 262144 29 | 30 | # max read buffer 31 | net.core.rmem_max = 67108864 32 | 33 | # max write buffer 34 | net.core.wmem_max = 67108864 35 | 36 | # TCP receive buffer 37 | net.ipv4.tcp_rmem = 4096 87380 67108864 38 | 39 | # TCP write buffer 40 | net.ipv4.tcp_wmem = 4096 16384 67108864 41 | 42 | # outbound port range 43 | net.ipv4.ip_local_port_range = 10000 65535 44 | 45 | # turn on TCP Fast Open on both client and server side 46 | net.ipv4.tcp_fastopen = 3 47 | 48 | # enhance socket performance (tcp_syncookies is also the kernel's SYN-flood mitigation) 49 | net.ipv4.tcp_syncookies = 1 50 | net.ipv4.tcp_tw_reuse = 1 51 | 52 | # 
enhance arp_cache performance 53 | net.ipv4.neigh.default.gc_thresh1 = 80000 54 | net.ipv4.neigh.default.gc_thresh2 = 90000 55 | net.ipv4.neigh.default.gc_thresh3 = 100000 56 | -------------------------------------------------------------------------------- /files/etc/sysupgrade.conf: -------------------------------------------------------------------------------- 1 | ## This file contains files and directories that should 2 | ## be preserved during an upgrade. 3 | 4 | # /etc/example.conf 5 | # /etc/openvpn/ 6 | 7 | /etc/AdGuardHome/AdGuardHome.yaml 8 | /etc/chinadns-ng/blacklist.txt 9 | /etc/chinadns-ng/whitelist.txt 10 | /etc/dnscrypt-proxy2/blocked-ips.txt 11 | /usr/share/v2ray/geoip.dat 12 | /usr/share/v2ray/geosite.dat 13 | /usr/share/passwall/rules/chnlist 14 | /usr/share/passwall/rules/chnroute 15 | /usr/share/passwall/rules/chnroute6 16 | /usr/share/passwall/rules/gfwlist 17 | -------------------------------------------------------------------------------- /files/usr/share/passwall/0_default_config: -------------------------------------------------------------------------------- 1 | 2 | config global 3 | option enabled '0' 4 | option socks_enabled '0' 5 | option tcp_node 'nil' 6 | option udp_node 'nil' 7 | option dns_mode 'dns2tcp' 8 | option remote_dns '127.0.0.1:7053' 9 | option filter_proxy_ipv6 '0' 10 | option tcp_proxy_mode 'chnroute' 11 | option udp_proxy_mode 'chnroute' 12 | option localhost_tcp_proxy_mode 'default' 13 | option localhost_udp_proxy_mode 'default' 14 | option close_log_tcp '0' 15 | option close_log_udp '0' 16 | option loglevel 'error' 17 | option trojan_loglevel '3' 18 | 19 | config global_haproxy 20 | option balancing_enable '0' 21 | 22 | config global_delay 23 | option auto_on '0' 24 | option start_daemon '1' 25 | option start_delay '1' 26 | 27 | config global_forwarding 28 | option tcp_no_redir_ports 'disable' 29 | option udp_no_redir_ports 'disable' 30 | option tcp_proxy_drop_ports 'disable' 31 | option udp_proxy_drop_ports 
'80,443' 32 | option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443' 33 | option udp_redir_ports '1:65535' 34 | option accept_icmp '1' 35 | option use_nft '0' 36 | option tcp_proxy_way 'redirect' 37 | option ipv6_tproxy '0' 38 | option sniffing '1' 39 | option route_only '0' 40 | 41 | config global_other 42 | option nodes_ping 'auto_ping tcping' 43 | 44 | config global_rules 45 | option auto_update '0' 46 | option chnlist_update '1' 47 | option chnroute_update '1' 48 | option chnroute6_update '1' 49 | option gfwlist_update '1' 50 | option geosite_update '1' 51 | option geoip_update '1' 52 | list gfwlist_url 'https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/greatfire.txt' 53 | list chnroute_url 'https://cdn.jsdelivr.net/gh/gaoyifan/china-operator-ip@ip-lists/china.txt' 54 | list chnroute6_url 'https://cdn.jsdelivr.net/gh/gaoyifan/china-operator-ip@ip-lists/china6.txt' 55 | list chnlist_url 'https://cdn.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/accelerated-domains.china.conf' 56 | option v2ray_location_asset '/usr/share/v2ray/' 57 | 58 | config global_app 59 | option v2ray_file '/usr/bin/v2ray' 60 | option xray_file '/usr/bin/xray' 61 | option trojan_go_file '/usr/bin/trojan-go' 62 | option brook_file '/usr/bin/brook' 63 | option hysteria_file '/usr/bin/hysteria' 64 | 65 | config global_subscribe 66 | option subscribe_proxy '0' 67 | option filter_keyword_mode '1' 68 | list filter_discard_list '过期时间' 69 | list filter_discard_list '剩余流量' 70 | list filter_discard_list 'QQ群' 71 | list filter_discard_list '官网' 72 | list filter_discard_list '续费' 73 | 74 | config auto_switch 75 | option enable '0' 76 | option testing_time '1' 77 | option connect_timeout '3' 78 | option retry_num '3' 79 | option shunt_logic '1' 80 | 81 | config nodes 'myshunt' 82 | option remarks '分流总节点' 83 | option type 'Xray' 84 | option protocol '_shunt' 85 | option ForceReject '_blackhole' 86 | option ForceDirect '_direct' 87 | option AD '_blackhole' 88 | option BT 
'_direct' 89 | option Telegram 'nil' 90 | option YouTube 'nil' 91 | option Netflix 'nil' 92 | option TVB 'nil' 93 | option China 'nil' 94 | option default_node 'nil' 95 | option domainStrategy 'IPOnDemand' 96 | option domainMatcher 'hybrid' 97 | 98 | config shunt_rules 'ForceReject' 99 | option remarks 'ForceReject' 100 | option domain_list 'regexp:(.*\.|)(acl4ssr-sub)\.(github.io) 101 | regexp:(.*\.|)(beijingspring|chinaaffairs|chengmingmag|dafahao|dongtaiwang|epochweekly|epochtimes)\.(cn|org|com) 102 | regexp:(.*\.|)(beyondbenefit)\.(com) 103 | regexp:(.*\.|)(cloudtest)\.(cc) 104 | regexp:(.*\.|)(dafahao|minghui|dongtaiwang|epochtimes|ntdtv|falundafa|wujieliulan)\.(org|com|net) 105 | regexp:(.*\.|)(falundafa|ifjc|minghui|ntdtv|open|bannedboot|secretchina|tuidang|wujieliulan|zhuichaguoji)\.(cn|org|com) 106 | regexp:(.*\.|)(metatrader4|metatrader5|mql5)\.(org|com|net) 107 | regexp:(\.|)360kan\.com 108 | regexp:(\.|)360safe\.com 109 | regexp:(\.|)360totalsecurity\.com 110 | regexp:(\.|)360\.(cn|com) 111 | regexp:(\.|)aboluowang\.com 112 | regexp:(\.|)gtv\.org 113 | regexp:(\.|)kingdomsalvation\.org 114 | regexp:(\.|)li-hongzhi-master\.org 115 | regexp:(\.|)qhimg\.com 116 | regexp:(\.|)qihoo\.com 117 | regexp:(\.|)so\.com 118 | regexp:(\.|)zhengwunet\.org 119 | regexp:(^.*\@)(guerrillamail|guerrillamailblock|sharklasers|grr|pokemail|spam4|bccto|chacuo|027168)\.(info|biz|com|de|net|org|me|la) 120 | ' 121 | 122 | config shunt_rules 'ForceDirect' 123 | option remarks 'ForceDirect' 124 | option domain_list 'regexp:(.?)(xunlei|sandai|Thunder|XLLiveUD)(.) 
125 | regexp:(Subject|HELO|SMTP) 126 | regexp:(torrent|\.torrent|peer_id=|announce|info_hash|get_peers|find_node|BitTorrent|announce_peer|protocol|announce\.php\?passkey=) 127 | regexp:(torrent|\.torrent|peer_id=|info_hash|get_peers|find_node|BitTorrent|announce_peer|announce\.php\?passkey=) 128 | ' 129 | 130 | config shunt_rules 'AD' 131 | option remarks 'AD' 132 | option domain_list 'geosite:category-ads-all 133 | ' 134 | 135 | config shunt_rules 'BT' 136 | option remarks 'BT' 137 | option protocol 'bittorrent' 138 | 139 | config shunt_rules 'Telegram' 140 | option remarks 'Telegram' 141 | option domain_list 'geosite:telegram 142 | ' 143 | option ip_list 'geoip:telegram 144 | ' 145 | 146 | config shunt_rules 'YouTube' 147 | option remarks 'YouTube' 148 | option domain_list 'geosite:youtube 149 | ' 150 | 151 | config shunt_rules 'Netflix' 152 | option remarks 'Netflix' 153 | option domain_list 'geosite:netflix 154 | ' 155 | option ip_list 'geoip:netflix 156 | ' 157 | 158 | config shunt_rules 'TVB' 159 | option remarks 'TVB' 160 | option domain_list 'geosite:cabletv 161 | geosite:hkbn 162 | geosite:hkedcity 163 | geosite:hketgroup 164 | geosite:hkgolden 165 | geosite:hkopentv 166 | geosite:hkt 167 | geosite:rthk 168 | geosite:tvb 169 | ' 170 | 171 | config shunt_rules 'China' 172 | option remarks 'China' 173 | option domain_list 'geosite:cn 174 | ' 175 | option ip_list 'geoip:cn 176 | ' 177 | -------------------------------------------------------------------------------- /files/usr/share/passwall/rules/block_ip: -------------------------------------------------------------------------------- 1 | 118.5.49.6 2 | 128.121.126.139 3 | 159.106.121.75 4 | 159.24.3.173 5 | 169.132.13.103 6 | 182.43.124.6 7 | 188.5.4.96 8 | 189.163.17.5 9 | 190.93.244.4 10 | 190.93.245.4 11 | 190.93.246.4 12 | 190.93.247.4 13 | 192.67.198.6 14 | 197.4.4.12 15 | 202.106.1.2 16 | 202.181.7.85 17 | 203.161.230.171 18 | 203.98.7.65 19 | 207.12.88.98 20 | 208.56.31.43 21 | 209.145.54.50 22 | 
209.220.30.174 23 | 209.36.73.33 24 | 209.85.229.138 25 | 211.94.66.147 26 | 213.169.251.35 27 | 216.221.188.182 28 | 216.234.179.13 29 | 220.250.64.24 30 | 23.89.5.60 31 | 243.185.187.30 32 | 243.185.187.39 33 | 249.129.46.48 34 | 253.157.14.165 35 | 37.61.54.158 36 | 39.102.194.95 37 | 4.36.66.178 38 | 46.82.174.68 39 | 49.2.123.56 40 | 54.76.135.1 41 | 59.24.3.173 42 | 64.33.88.161 43 | 64.33.99.47 44 | 64.66.163.251 45 | 65.104.202.252 46 | 65.160.219.113 47 | 65.49.2.178 48 | 66.45.252.237 49 | 69.55.52.253 50 | 72.14.205.104 51 | 72.14.205.99 52 | 74.125.127.102 53 | 74.125.155.102 54 | 74.125.39.102 55 | 74.125.39.113 56 | 77.4.7.92 57 | 78.16.49.15 58 | 8.7.198.45 59 | 93.46.8.89 60 | -------------------------------------------------------------------------------- /files/usr/share/passwall/rules/direct_host: -------------------------------------------------------------------------------- 1 | #softethervpn ddns 2 | ddns.softether-network.net 3 | nat-traversal.softether-network.net 4 | #synology ddns 5 | checkip.synology.com 6 | checkipv6.synology.com 7 | ddns.synology.com 8 | -------------------------------------------------------------------------------- /files/usr/share/passwall/rules/direct_ip: -------------------------------------------------------------------------------- 1 | 1.12.12.12 2 | 106.6.6.6 3 | 120.53.53.53 4 | 202.141.162.123 5 | 202.141.176.93 6 | 223.5.5.5 7 | 223.6.6.6 8 | -------------------------------------------------------------------------------- /files/usr/share/passwall/rules/proxy_host: -------------------------------------------------------------------------------- 1 | #dns 2 | adguard.com 3 | cloudflare-dns.com 4 | dns.google 5 | jp.tiar.app 6 | libredns.gr 7 | meganerd.nl 8 | moulticast.net 9 | nextdns.io 10 | opendns.com 11 | quad9.net 12 | -------------------------------------------------------------------------------- /files/usr/share/passwall/rules/proxy_ip: 
-------------------------------------------------------------------------------- 1 | 1.0.0.1 2 | 1.1.1.1 3 | 1.1.1.2 4 | 116.202.176.26 5 | 136.244.97.114 6 | 149.112.112.10 7 | 172.104.93.80 8 | 176.103.130.130 9 | 208.67.222.220 10 | 208.67.222.222 11 | 51.79.158.183 12 | 8.8.4.4 13 | 8.8.8.8 14 | 9.9.9.11 15 | 9.9.9.9 16 | -------------------------------------------------------------------------------- /files/usr/share/passwall2/0_default_config: -------------------------------------------------------------------------------- 1 | 2 | config global 3 | option enabled '0' 4 | option localhost_proxy '1' 5 | option socks_enabled '0' 6 | option node 'myshunt' 7 | option direct_dns_protocol 'auto' 8 | option remote_dns_protocol 'tcp' 9 | option remote_dns '1.1.1.1' 10 | option dns_query_strategy 'UseIPv4' 11 | option dns_hosts 'cloudflare-dns.com 1.1.1.1 12 | dns.google 8.8.8.8' 13 | option close_log '0' 14 | option loglevel 'error' 15 | 16 | config global_delay 17 | option auto_on '0' 18 | option start_daemon '1' 19 | option start_delay '1' 20 | 21 | config global_forwarding 22 | option tcp_no_redir_ports 'disable' 23 | option udp_no_redir_ports 'disable' 24 | option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443' 25 | option udp_redir_ports '1:65535' 26 | option accept_icmp '1' 27 | option tcp_proxy_way 'redirect' 28 | option ipv6_tproxy '0' 29 | option sniffing '1' 30 | option route_only '0' 31 | 32 | config global_other 33 | option nodes_ping 'auto_ping tcping' 34 | 35 | config global_rules 36 | option auto_update '0' 37 | option geosite_update '1' 38 | option geoip_update '1' 39 | option v2ray_location_asset '/usr/share/v2ray/' 40 | 41 | config global_app 42 | option v2ray_file '/usr/bin/v2ray' 43 | option xray_file '/usr/bin/xray' 44 | option brook_file '/usr/bin/brook' 45 | option hysteria_file '/usr/bin/hysteria' 46 | 47 | config global_subscribe 48 | option subscribe_proxy '0' 49 | option filter_keyword_mode '1' 50 | list filter_discard_list '过期时间' 
51 | list filter_discard_list '剩余流量' 52 | list filter_discard_list 'QQ群' 53 | list filter_discard_list '官网' 54 | list filter_discard_list '续费' 55 | 56 | config auto_switch 57 | option enable '0' 58 | option testing_time '1' 59 | option connect_timeout '3' 60 | option retry_num '3' 61 | option shunt_logic '1' 62 | 63 | config nodes 'myshunt' 64 | option remarks '分流总节点' 65 | option type 'Xray' 66 | option protocol '_shunt' 67 | option LAN '_direct' 68 | option Direct '_direct' 69 | option ForceReject '_blackhole' 70 | option ForceDirect '_direct' 71 | option AD '_blackhole' 72 | option BT '_direct' 73 | option Telegram 'nil' 74 | option YouTube 'nil' 75 | option Netflix 'nil' 76 | option TVB 'nil' 77 | option Proxy '_default' 78 | option China '_direct' 79 | option QUIC '_blackhole' 80 | option UDP 'nil' 81 | option default_node 'nil' 82 | option domainStrategy 'IPOnDemand' 83 | option domainMatcher 'hybrid' 84 | 85 | config shunt_rules 'LAN' 86 | option remarks 'LAN' 87 | option network 'tcp,udp' 88 | option domain_list 'geosite:private 89 | ' 90 | option ip_list 'geoip:private 91 | ' 92 | 93 | config shunt_rules 'Direct' 94 | option remarks 'Direct' 95 | option network 'tcp,udp' 96 | option domain_list 'full:checkip.synology.com 97 | full:checkipv6.synology.com 98 | full:ddns.synology.com 99 | domain:ddns.softether-network.net 100 | domain:nat-traversal.softether-network.net 101 | ' 102 | option ip_list '1.12.12.12 103 | 106.6.6.6 104 | 120.53.53.53 105 | 202.141.162.123 106 | 202.141.176.93 107 | 223.5.5.5 108 | 223.6.6.6 109 | ' 110 | 111 | config shunt_rules 'ForceReject' 112 | option remarks 'ForceReject' 113 | option network 'tcp,udp' 114 | option domain_list 'regexp:(.*\.|)(acl4ssr-sub)\.(github.io) 115 | regexp:(.*\.|)(beijingspring|chinaaffairs|chengmingmag|dafahao|dongtaiwang|epochweekly|epochtimes)\.(cn|org|com) 116 | regexp:(.*\.|)(beyondbenefit)\.(com) 117 | regexp:(.*\.|)(cloudtest)\.(cc) 118 | 
regexp:(.*\.|)(dafahao|minghui|dongtaiwang|epochtimes|ntdtv|falundafa|wujieliulan)\.(org|com|net) 119 | regexp:(.*\.|)(falundafa|ifjc|minghui|ntdtv|open|bannedboot|secretchina|tuidang|wujieliulan|zhuichaguoji)\.(cn|org|com) 120 | regexp:(.*\.|)(metatrader4|metatrader5|mql5)\.(org|com|net) 121 | regexp:(\.|)360kan\.com 122 | regexp:(\.|)360safe\.com 123 | regexp:(\.|)360totalsecurity\.com 124 | regexp:(\.|)360\.(cn|com) 125 | regexp:(\.|)aboluowang\.com 126 | regexp:(\.|)gtv\.org 127 | regexp:(\.|)kingdomsalvation\.org 128 | regexp:(\.|)li-hongzhi-master\.org 129 | regexp:(\.|)qhimg\.com 130 | regexp:(\.|)qihoo\.com 131 | regexp:(\.|)so\.com 132 | regexp:(\.|)zhengwunet\.org 133 | regexp:(^.*\@)(guerrillamail|guerrillamailblock|sharklasers|grr|pokemail|spam4|bccto|chacuo|027168)\.(info|biz|com|de|net|org|me|la) 134 | ' 135 | 136 | config shunt_rules 'ForceDirect' 137 | option remarks 'ForceDirect' 138 | option network 'tcp,udp' 139 | option domain_list 'regexp:(.?)(xunlei|sandai|Thunder|XLLiveUD)(.) 
140 | regexp:(Subject|HELO|SMTP) 141 | regexp:(torrent|\.torrent|peer_id=|announce|info_hash|get_peers|find_node|BitTorrent|announce_peer|protocol|announce\.php\?passkey=) 142 | regexp:(torrent|\.torrent|peer_id=|info_hash|get_peers|find_node|BitTorrent|announce_peer|announce\.php\?passkey=) 143 | ' 144 | 145 | config shunt_rules 'AD' 146 | option remarks 'AD' 147 | option network 'tcp,udp' 148 | option domain_list 'geosite:category-ads-all 149 | ' 150 | 151 | config shunt_rules 'BT' 152 | option remarks 'BT' 153 | option protocol 'bittorrent' 154 | option network 'tcp,udp' 155 | 156 | config shunt_rules 'Telegram' 157 | option remarks 'Telegram' 158 | option network 'tcp,udp' 159 | option domain_list 'geosite:telegram 160 | ' 161 | option ip_list 'geoip:telegram 162 | ' 163 | 164 | config shunt_rules 'YouTube' 165 | option remarks 'YouTube' 166 | option network 'tcp,udp' 167 | option domain_list 'geosite:youtube 168 | ' 169 | 170 | config shunt_rules 'Netflix' 171 | option remarks 'Netflix' 172 | option network 'tcp,udp' 173 | option domain_list 'geosite:netflix 174 | ' 175 | option ip_list 'geoip:netflix 176 | ' 177 | 178 | config shunt_rules 'TVB' 179 | option remarks 'TVB' 180 | option network 'tcp,udp' 181 | option domain_list 'geosite:cabletv 182 | geosite:hkbn 183 | geosite:hkedcity 184 | geosite:hketgroup 185 | geosite:hkgolden 186 | geosite:hkopentv 187 | geosite:hkt 188 | geosite:rthk 189 | geosite:tvb 190 | ' 191 | 192 | config shunt_rules 'Proxy' 193 | option remarks 'Proxy' 194 | option network 'tcp,udp' 195 | option domain_list 'full:jp.tiar.app 196 | domain:adguard.com 197 | domain:cloudflare-dns.com 198 | domain:dns.google 199 | domain:libredns.gr 200 | domain:meganerd.nl 201 | domain:moulticast.net 202 | domain:nextdns.io 203 | domain:opendns.com 204 | domain:quad9.net 205 | ' 206 | option ip_list '1.0.0.1 207 | 1.1.1.1 208 | 1.1.1.2 209 | 116.202.176.26 210 | 136.244.97.114 211 | 149.112.112.10 212 | 172.104.93.80 213 | 176.103.130.130 214 | 
208.67.222.220 215 | 208.67.222.222 216 | 51.79.158.183 217 | 8.8.4.4 218 | 8.8.8.8 219 | 9.9.9.11 220 | 9.9.9.9 221 | ' 222 | 223 | config shunt_rules 'China' 224 | option remarks 'China' 225 | option network 'tcp,udp' 226 | option domain_list 'geosite:cn 227 | ' 228 | option ip_list 'geoip:cn 229 | ' 230 | 231 | config shunt_rules 'QUIC' 232 | option remarks 'QUIC' 233 | option port '80,443' 234 | option network 'udp' 235 | 236 | config shunt_rules 'UDP' 237 | option remarks 'UDP' 238 | option network 'udp' 239 | --------------------------------------------------------------------------------