Easy-to-use Docker image based upon original AntiZapret LXD image for self-hosting.
- Patches: Apple, IDN, RU
- Community-driven list with geoblocked and unlisted domains: YouTube, Microsoft, OpenAI and more
- openvpn-dco - a kernel extension for improving performance
- Option to forward queries to an external resolver (AdGuard support)
- Support regex in custom rules
- XOR Tunnelblick patch
- Multiple VPN transports: Wireguard, OpenVPN, IPsec/XAuth ("Cisco IPsec")
- Install Docker Engine:

```bash
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
```

- Clone the repository and start the container:

```bash
git clone https://github.com/xtrime-ru/antizapret-vpn-docker.git antizapret
cd antizapret
docker compose pull
docker compose up -d
```

- Download keys

After the container starts, the folders `./keys/client` and `./configs` will be created. Download the `.ovpn` configs from the `./keys/client` directory and use them to set up your clients. There will be UDP and TCP configurations. Use UDP for better performance and TCP in unstable network conditions.
- Generate a password for the WireGuard admin panel:

```bash
docker run --rm ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD' | sed "s/'//g" | sed -r 's/\$/\$\$/g' | tee ./wireguard/wireguard.env
```

- Start the container:

```bash
docker compose -f docker-compose.wireguard.yml pull
docker compose -f docker-compose.wireguard.yml up -d
```

- Open http://YOUR_SERVER_IP:51821 and create a new client.
Important notice: not all clients support split tunneling (sending only part of the traffic via the VPN). For example, Apple devices will not be able to connect to this server.
It is recommended to use OpenVPN or WireGuard instead.
- Create the settings file:

```bash
cp ipsec/ipsec.env.example ipsec/ipsec.env
```

- Fill in your credentials in `ipsec/ipsec.env`
- Start:

```bash
docker compose down
docker compose -f docker-compose.ipsec.yml up -d
```

- Set up your clients: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md
Antizapret-VPN can use external DNS resolvers. To start your own AdGuard Docker container and use it as the backend for AntiZapret:

```bash
docker compose down
docker compose -f docker-compose.adguard.yml up -d
```

Go to http://YOUR_SERVER_IP:3000 and set up AdGuard.
You can leave all values at their defaults except the AdGuard port: change it from 80 to 3000.
It is recommended not to change the docker-compose files, because that can break the ability to `git pull` updates.
The correct way is to create a `docker-compose.override.yml`.
For example, if you want all transports and AdGuard, and want to modify the environment variables of antizapret-vpn:

```yaml
services:
  antizapret-vpn:
    environment:
      - DNS=adguardhome
      - ADGUARD=1
      - OPENVPN_OPTIMIZATIONS=1
      - OPENVPN_TLS_CRYPT=1
    depends_on:
      - adguardhome
  adguardhome:
    extends:
      file: docker-compose.adguard.yml
      service: adguardhome
  ipsec:
    extends:
      file: docker-compose.ipsec.yml
      service: ipsec
  amnezia-wg-easy:
    extends:
      file: docker-compose.wireguard-amnezia.yml
      service: amnezia-wg-easy
```

`docker compose` will merge `docker-compose.yml` and your custom `docker-compose.override.yml`.
Start all containers from `docker-compose.override.yml`:

```bash
docker compose down && docker compose pull && docker compose up -d
```
```bash
git pull
docker compose pull
docker compose down && docker compose up -d
```
Any domains or IPs can be added to or excluded from routing with the config files in the `./config` directory.
These lists are added to / excluded from the automatically generated lists of domains and IPs.
Restart the container and wait a few minutes for the changes to apply.
It is recommended to use the `*-regex-custom.txt` files.
You can debug your regular expressions online: https://regex101.com
Here are a few regex examples:
- Exact match:

```
^2ip\.ru$
```

- Subdomains only. Will match any subdomain of microsoft.com. Both regular expressions work the same way.

```
\.microsoft\.com$
```

- List of first-level domains:

```
microsoft\.[^.]*$
microsoft\.(ru|com|com\.de)
```
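The following is an added example, not code from the antizapret-vpn-docker project: a small POSIX shell harness that applies rules like the ones above to a constructed list of domains with `grep -E`, so you can see exactly which entries a rule selects before putting it into a `*-regex-custom.txt` file. It assumes (an assumption about the project, not documented here) that rules are applied one per line as extended regular expressions. The sample list deliberately contains near misses (`my2ip.ru`, `notmicrosoft.com`, `microsoftonline.com`) and it goes a little beyond the page by contrasting the two first-level-domain patterns and showing why a start anchor matters: an unanchored rule silently routes more traffic through the VPN than intended.

```bash
#!/bin/sh
# Added example, not part of antizapret-vpn-docker. Assumption: custom rules are
# extended regular expressions applied per line to a domain list (grep -E semantics).

# Constructed sample domain list standing in for the generated domain list.
SAMPLE_DOMAINS='2ip.ru
my2ip.ru
2ip.ru.evil.example
www.microsoft.com
login.microsoft.com
microsoft.com
microsoft.ru
microsoft.com.de
microsoftonline.com
notmicrosoft.com'

# match_rule REGEX: print the sample domains that REGEX selects, one per line.
match_rule() {
    printf '%s\n' "$SAMPLE_DOMAINS" | grep -E -- "$1" || true
}

# count_matches REGEX: number of sample domains that REGEX selects.
count_matches() {
    match_rule "$1" | grep -c . || true
}

# select_by_rules RULES: domains selected by any of the newline-separated RULES,
# i.e. the combined effect of a whole *-regex-custom.txt file.
select_by_rules() {
    rules_file=$(mktemp)
    printf '%s\n' "$1" > "$rules_file"
    printf '%s\n' "$SAMPLE_DOMAINS" | grep -E -f "$rules_file" || true
    rm -f "$rules_file"
}

# Walk through the rules from the text plus two instructive variants:
# the unanchored '2ip\.ru' over-matches, and the start-anchored first-level
# rule no longer picks up 'notmicrosoft.com'.
for rule in \
    '^2ip\.ru$' \
    '2ip\.ru' \
    '\.microsoft\.com$' \
    'microsoft\.[^.]*$' \
    'microsoft\.(ru|com|com\.de)' \
    '(^|\.)microsoft\.(ru|com|com\.de)$'
do
    printf '%s -> %s match(es): %s\n' "$rule" "$(count_matches "$rule")" \
        "$(match_rule "$rule" | tr '\n' ' ')"
done
```

Run it as `sh check-rules.sh`; to test your own file, replace `SAMPLE_DOMAINS` with a few domains you expect to be routed and a few you do not, and pass the file's contents to `select_by_rules`. Note that `microsoft\.[^.]*$` and `microsoft\.(ru|com|com\.de)` do not select the same set: only the alternation accepts `microsoft.com.de`, and neither excludes `notmicrosoft.com` without a `(^|\.)` prefix.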
Client and server keys are stored in `./keys`.
They persist across container and host restarts.
To regenerate the keys, use the following commands:

```bash
docker compose down
rm -rf keys/{client,server}/keys/*.{crt,key}
docker compose up -d
```
You can define these variables in the docker-compose.yml file for your needs:

- `SKIP_UPDATE_FROM_ZAPRET=true` - do not download and use the list of all blocked domains from the internet. Reduces RAM consumption. Domains then need to be filled in manually in the `*-custom.txt` files.
- `UPDATE_TIMER=1d` - blocked domains update interval
- `OPENVPN_HOST=example.com` - used as the server address in .ovpn profiles upon key generation (default: your server's IP)
- `OPENVPN_PORT=1194` - used as the server port in .ovpn profiles upon key generation (default: 1194). The port also needs to be changed manually in docker-compose.yml: replace `%EXTERNAL_PORT%` with the port number and don't change the internal port, because this variable does not override the OpenVPN server configs:

```yaml
ports:
  - %EXTERNAL_PORT%:1194/tcp
  - %EXTERNAL_PORT%:1194/udp
```

- `OPENVPN_MTU=1420` - set the tun-mtu option to a fixed value (default: auto)
- `OPENVPN_OPTIMIZATIONS=1` - enable the tcp-nodelay and fast-io options and increase sndbuf and rcvbuf (default: 0)
- `OPENVPN_CBC_CIPHERS=1` - enable support for legacy clients. Will disable DCO.
- `OPENVPN_SCRAMBLE=1` - enable additional obfuscation (XOR Tunnelblick patch)
- `OPENVPN_TLS_CRYPT=1` - enable additional TLS encryption in OpenVPN. May help with connection obfuscation.
- `DNS=1.1.1.1` - DNS server used to resolve domains (default: host DNS server)
- `DNS_RU=77.88.8.8` - Russian DNS server; used to fix geo-zone mismatch issues for domains like apple.com (default: 77.88.8.8)
- `LOG_DNS=1` - log all DNS requests and responses (default: 0)
- `ADGUARD=1` - resolve .ru, .рф and .su via DNS. By default these zones are resolved through DNS_RU. (default: 0)
- `FORCE_FORWARD_DNS=true` - redirect UDP traffic on port 53 to the AntiZapret DNS (default: false)
- `FORCE_FORWARD_DNS_PORTS="53 5353"` - change the port 53 used by FORCE_FORWARD_DNS to one or more ports, separated by spaces (default: 53)
- For other environment variables, see the original manuals: Wireguard Amnesia or Wireguard.
- OpenWrt setup guide - how to set up an OpenWrt router with this solution to keep LAN clients happy.
- Keenetic setup guide - instructions for configuring the server and connecting Keenetic routers to it (in Russian)
OpenVPN Data Channel Offload (DCO) improves performance by moving data channel handling into kernel space, where it can be handled more efficiently and with multi-threading. tl;dr: it increases speed and reduces CPU usage on the server.
Kernel extensions can be installed only on the host machine, not in a container.

```bash
sudo apt update
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
sudo apt install -y efivar
sudo apt install -y openvpn-dco-dkms
```

Or install the `.deb` package manually from the Ubuntu archive:

```bash
sudo apt update
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
deb=openvpn-dco-dkms_0.0+git20231103-1_all.deb
sudo apt install -y efivar dkms linux-headers-$(uname -r)
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openvpn-dco-dkms/$deb
sudo dpkg -i $deb
```
If your clients do not support GCM ciphers, you can use legacy CBC ciphers. DCO is incompatible with legacy ciphers and will be disabled. This also increases CPU load.
- Set the ENV variable `CBC_CIPHERS=1` in docker-compose.yml.
- Restart the container.
- Download and apply the updated .ovpn files from the `keys/client/` folder.
An iperf3 server is included in the antizapret-vpn container.
- Connect to the VPN
- Use an iperf3 client on your phone or computer to check upload/download speed.
Example: 10 threads for 10 seconds, reporting the result every second (the second command, with `-R`, measures the reverse direction):

```bash
iperf3 -c 10.224.0.1 -i1 -t10 -P10
iperf3 -c 10.224.0.1 -i1 -t10 -P10 -R
```
- ProstoVPN — the original project
- AntiZapret VPN Container — source code of the LXD-based container
- AntiZapret PAC Generator — proxy auto-configuration generator to bypass censorship in the Russian Federation
- Amnezia WireGuard VPN — used for Amnezia Wireguard integration
- WireGuard VPN — used for Wireguard integration
- IPsec VPN — used for IPsec integration
- No Thought Is a Crime — a forum about the technical, political and economic aspects of internet censorship in different countries