RKN ip block list routes to vpn by BGP

This assumes a VPN interface (for example WireGuard) is already up on the router and that routes can be added to it on the fly: bird will install every prefix it learns over BGP from the antifilter peers as a kernel route pointing into that tunnel, so only the blocked networks go through the VPN.

Setup

  1. Install bird2 (the BGP daemon):

opkg update
opkg install bird2 bird2c

  2. Clear the default bird config:

> /etc/bird.conf

  3. Write the new config to /etc/bird.conf:

log syslog all;
log stderr all;

# Any unique 32-bit value will do; the public WAN address is the usual choice.
router id $IP;

protocol device {
    scan time 300;
}

# Push the routes learned over BGP into the kernel routing table.
protocol kernel kernel_routes {
    scan time 60;
    ipv4 {
        import none;
        export all;
    };
}

protocol bgp antifilter_network {
    ipv4 {
        import filter {
            # keep exactly one of the next two lines (see below)
            ifname = "$INTERFACE";
            # gw = $IP_GW;
            accept;
        };
        export none;
    };
    local as $ASN;
    neighbor 51.75.66.20 as 65444;
    multihop;
    hold time 240;
}

protocol bgp antifilter_download {
    ipv4 {
        import filter {
            # keep exactly one of the next two lines (see below)
            ifname = "$INTERFACE";
            # gw = $IP_GW;
            accept;
        };
        export none;
    };
    local as $ASN;
    neighbor 45.154.73.71 as 65432;
    multihop;
    hold time 240;
}

where:

$IP - the public IP address of your WAN interface (used only as the BGP router id)

$INTERFACE - the name of your VPN interface (e.g. wg0)

$IP_GW - the IP address of the remote gateway inside the VPN network

$ASN - your local autonomous system number: any private ASN in the range 64512-65534 other than the two neighbor ASNs (65432 and 65444), otherwise bird would treat the session as iBGP

Each import filter must set exactly one of ifname = "$INTERFACE" (for point-to-point tunnels with no next-hop address, such as WireGuard) or gw = $IP_GW (for VPNs where the remote gateway has an address of its own); comment out the other line with # or remove it. Note that these filters accept every prefix the peers announce, so the routes you install are only as trustworthy as the peers themselves and the unauthenticated multihop TCP session to them.

  4. Restart bird:

service bird restart
# or
/etc/init.d/bird restart

  5. Check that bird is working:

birdc show protocols all
birdc show protocols all antifilter_download
birdc show protocols all antifilter_network
# each BGP protocol should report "BGP state: Established";
# or look only at the route count, which must be greater than 0:
birdc show protocols all antifilter_download | grep 'Routes:'
birdc show protocols all antifilter_network | grep 'Routes:'
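The import filters in step 3 accept whatever the peer announces, so the peer, or anyone able to inject into the unauthenticated multihop TCP session (including the ISP this setup is meant to bypass), could steer any prefix into the tunnel, a default route or your own LAN included. The following stricter filter is an added example and is not part of the original instructions or of antifilter's published config: it drops the default route and anything shorter than a /8, rejects private and other special-use ranges, and caps the number of routes the channel will import. $INTERFACE is the same placeholder as above; the limit of 500000 is an assumed ceiling to adjust to the actual feed size. Reference the same filter from antifilter_network in the same way.

```bird
# Hardened import filter for the antifilter peers (added example; $INTERFACE
# is the same placeholder as in the config in step 3).
filter antifilter_import {
    # Never accept a default route or anything shorter than a /8: either
    # would pull far more than the block list into the tunnel.
    if net.len < 8 then reject;

    # Reject private, loopback, link-local, CGNAT and multicast space; the
    # "+" suffix matches the prefix itself and every more-specific inside it.
    if net ~ [ 10.0.0.0/8+, 172.16.0.0/12+, 192.168.0.0/16+,
               100.64.0.0/10+, 127.0.0.0/8+, 169.254.0.0/16+,
               224.0.0.0/4+ ] then reject;

    # Route what is left via the VPN interface (or set gw = $IP_GW instead).
    ifname = "$INTERFACE";
    accept;
}

protocol bgp antifilter_download {
    ipv4 {
        import filter antifilter_import;
        # Assumed ceiling on the feed size: if the peer ever announces more
        # than this, stop accepting instead of flooding the kernel table.
        import limit 500000 action block;
        export none;
    };
    local as $ASN;
    neighbor 45.154.73.71 as 65432;
    multihop;
    hold time 240;
}
```

After reloading (birdc configure), `birdc show route protocol antifilter_download` should list only public prefixes; if the import limit trips, `show protocols all` reports the channel as blocked and the count stops growing, which is the signal to check what the peer is sending before raising the limit.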

Troubleshooting

If your ISP blocks BGP (TCP port 179) or blocks the addresses of the antifilter peers (45.154.73.71 and 51.75.66.20), add static /32 routes to those two addresses via the VPN interface so that the BGP sessions themselves are carried inside the tunnel. For WireGuard the peer's AllowedIPs must also cover these two addresses, otherwise the tunnel silently drops the packets.

Example for a WireGuard interface on OpenWrt:

  1. In the config file /etc/config/network:

config route 'for_antifilter_network'
	option target '51.75.66.20'
	option netmask '255.255.255.255'
	option interface '$INTERFACE'

config route 'for_antifilter_download'
	option target '45.154.73.71'
	option netmask '255.255.255.255'
	option interface '$INTERFACE'
  2. Or with the uci command-line utility:

uci set network.for_antifilter_network=route
uci set network.for_antifilter_network.target='51.75.66.20'
uci set network.for_antifilter_network.netmask='255.255.255.255'
uci set network.for_antifilter_network.interface='$INTERFACE'
uci set network.for_antifilter_download=route
uci set network.for_antifilter_download.target='45.154.73.71'
uci set network.for_antifilter_download.netmask='255.255.255.255'
uci set network.for_antifilter_download.interface='$INTERFACE'
uci commit

Then restart the network (or reboot) so the routes take effect, and check the BGP sessions again with birdc as in step 5:

# restart network
service network restart
# reboot
reboot

Instructions taken from here.
