OpenGFW: Build Your Own Great Firewall at Home for Network Analysis and Control

Build your own "Great Firewall" using OpenGFW on your home router. Analyze network traffic, block content, and understand censorship techniques.

The OpenGFW project allows users to implement firewall-like capabilities on their home routers. This enables analysis of network traffic, blocking of specific content, and a deeper understanding of internet censorship techniques. Aimed at tech enthusiasts and network administrators, OpenGFW offers a hands-on approach to learning about and controlling network activity.

Understanding OpenGFW’s Capabilities

OpenGFW replicates some of the functionalities of the Great Firewall (GFW) of China, including:

  • SNI Blocking: Blocking access to websites based on Server Name Indication.
  • DNS Poisoning: Redirecting domain name resolutions to incorrect IP addresses.
  • Proxy Blocking: Detecting and blocking encrypted proxy protocols like Shadowsocks, VMess, and Trojan.

Setting Up OpenGFW on an OpenWrt Router

This tutorial focuses on setting up OpenGFW on a router running OpenWrt. Here are the steps involved:

  1. Cross-Compilation: Compile the OpenGFW program for your router’s specific architecture. This typically involves downloading the OpenGFW source code from GitHub, installing the Go programming language environment, and executing compilation commands tailored to your router’s CPU architecture (e.g., ARM64).
  2. OpenWrt Configuration: Access your router’s administration interface and make necessary configuration changes:
    • Disable “Software flow offloading” in the firewall settings.
    • If using a “bypass router” configuration, enable IP Masquerading for the LAN zone.
  3. Installation and File Transfer: Use SSH to connect to your router and install the required dependencies using the `opkg` package manager. Transfer the compiled OpenGFW executable to the router’s `/root/` directory using `scp`.
  4. Configuration Files: Create two configuration files: `config.yaml` and `rule.yaml`. The `config.yaml` file defines general settings, while `rule.yaml` specifies the filtering rules.
  5. Running OpenGFW: Execute the OpenGFW program with the command `nohup ./OpenGFW -c config.yaml -r rule.yaml &`.

Practical Examples and Rule Configuration

The `rule.yaml` file defines the behavior of OpenGFW. Rules can be configured to log, block, or modify network traffic based on various criteria, such as domain names, IP addresses, and protocol types.

  • Logging “Thirsty” Requests: A rule can be created to log access attempts to domains containing keywords like “porn” or “hentai.” This demonstrates OpenGFW’s ability to monitor specific types of web traffic.
  • Blocking HTTP/HTTPS/QUIC Access to Baidu: Rules can be configured to block access to Baidu via HTTP, HTTPS, and QUIC protocols. This showcases OpenGFW’s ability to block access based on multiple protocols.
  • DNS Poisoning: OpenGFW can be configured to redirect DNS queries for specific domains (e.g., zhihu.com) to a specified IP address (e.g., 1.1.1.1). This demonstrates DNS poisoning capabilities.
  • Proxy Blocking: OpenGFW can detect and block connections using Shadowsocks and Trojan proxy protocols.

Limitations and Considerations

OpenGFW, while powerful, has limitations:

  • Hysteria Protocol: OpenGFW does not natively support blocking the Hysteria protocol. However, blocking QUIC traffic associated with Hysteria can mitigate its use.
  • Complexity: Configuring OpenGFW requires technical knowledge and command-line proficiency.
  • Evolving Project: OpenGFW is a relatively new project and is still under active development. Users should expect ongoing updates and changes.

Potential Use Cases

OpenGFW can be used for various purposes:

  • Network Analysis: Understanding the types of traffic traversing your network.
  • Parental Control: Blocking access to unwanted content for family members.
  • Proxy Detection: Identifying and blocking proxy traffic on a network.
  • Educational Purposes: Learning about censorship techniques and network security.
