Sunday, March 13, 2022

Fixing AT&T fiber's connectivity to China on OpenWrt

Note: AT&T fiber's IPv6 and IPv4 connectivity to China was restored as of Jan 2023. So the workaround below is unnecessary.

I switched to AT&T fiber last month and then found out that I could not open douban.com anymore. A web search led me to https://www.reddit.com/r/ATT/comments/mbutte/is_att_blocking_china_internet_backbones/

In short, AT&T fiber has a connectivity issue with IPv4 addresses in China, and AT&T is unwilling to admit it or fix it. That left me three options:

  1. Switch back to Comcast.
  2. Install VPN on my devices and turn on VPN when I want to visit Chinese websites.
  3. Connect my router to a VPN and change its routing table to use the VPN for IPv4 addresses in China.

Option 1 is not preferred because Comcast's cable network has abysmal upload speed. Option 2 is feasible but requires a VPN client on my laptop, phone, and tablet. So I chose option 3.

Although AT&T fiber does not allow customers to bring their own router, the AT&T router supports IPv6 prefix delegation and IPv4 port forwarding. So I installed an OpenWrt router behind the AT&T one.

I configured WireGuard on OpenWrt to connect to a VPS. Then I downloaded a list of IP net blocks in China from ip2location. I wrote a script to convert the list into a large OpenWrt static-route config and appended it to /etc/config/network. Then I ran service network reload, but the command hung. It seemed OpenWrt could not handle 7000+ static routes, so I gave up on this approach.

Eventually I worked out a solution using ipset, iptables, and shadowsocks.

1) Install shadowsocks on the VPS and configure it to run as a server.

2) Install shadowsocks-libev on OpenWrt and configure it to run ss-redir on port 2333.

3) Install ipset on OpenWrt.

4) On OpenWrt, create a file at /root/ipset.conf with the following contents:

create china hash:net family inet hashsize 2048 maxelem 65536
add china 223.223.192.0/20
add china 47.89.54.0/23

Repeat the "add china" line for every IP block in China.

5) On OpenWrt, append the following to /etc/firewall.user. This instructs iptables to redirect all TCP connections destined for China to the ss-redir port.

ipset restore < /root/ipset.conf
iptables -t nat -A prerouting_lan_rule -p tcp -m set --match-set china dst -j REDIRECT --to-port 2333

6) Run service firewall restart on OpenWrt (or simply reboot OpenWrt).

7) Visit https://www.123cha.com. It should display the IP of the VPS.
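The post does not show the script that turns the downloaded list into the ipset file from step 4, so here is an added example that is not the post's own script. It assumes the ip2location list has been saved as plain text with one IPv4 CIDR block per line (the path /root/china-cidrs.txt is an assumption), and it only uses the BusyBox grep/awk/sh found on OpenWrt. The second function prints the two /etc/firewall.user lines from step 5 for a chosen ss-redir port; it also covers steps 4 through 6 end to end in the usage comment at the bottom. Malformed lines are filtered out because a single bad line makes "ipset restore" abort partway, leaving the set half-populated and the redirect silently incomplete.

```shell
#!/bin/sh
# Added example (not the post's own script): build the "ipset restore" file
# from a plain list of IPv4 CIDR blocks, and emit the firewall.user lines.
# Written for BusyBox ash/awk/grep as found on OpenWrt.

# gen_ipset_conf SETNAME < cidr-list  -> ipset restore script on stdout
# Lines that are not a well-formed a.b.c.d/n are dropped: "ipset restore"
# stops at the first bad line, so filtering here keeps the set complete.
gen_ipset_conf() {
    set_name="${1:-china}"
    echo "create $set_name hash:net family inet hashsize 2048 maxelem 65536"
    # grep keeps only dotted-quad/prefix lines; awk checks octet and prefix ranges
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' \
    | awk -F '[./]' -v sname="$set_name" '
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32 {
            print "add " sname " " $1 "." $2 "." $3 "." $4 "/" $5
        }'
}

# firewall_rules PORT [SETNAME] -> the lines to append to /etc/firewall.user
# Only TCP arriving from the LAN is matched (-p tcp, prerouting_lan_rule);
# UDP traffic to the same addresses is not redirected by this rule.
firewall_rules() {
    port="$1"
    set_name="${2:-china}"
    echo "ipset restore < /root/ipset.conf"
    echo "iptables -t nat -A prerouting_lan_rule -p tcp -m set --match-set $set_name dst -j REDIRECT --to-port $port"
}

# Constructed sample input standing in for the downloaded list: the two valid
# blocks are the ones quoted in the post, the other lines exercise the filter.
SAMPLE_LIST='223.223.192.0/20
47.89.54.0/23
# comment line
999.1.1.0/24
10.0.0.0/33
not-a-cidr'

# Stand-alone usage on the router (input path assumed):
#   gen_ipset_conf china < /root/china-cidrs.txt > /root/ipset.conf
#   firewall_rules 2333 >> /etc/firewall.user
#   service firewall restart
```

Two practical notes: hash:net with maxelem 65536 leaves ample headroom for the 7000+ blocks mentioned above, and ipset matching is a single lookup regardless of set size, which is why this approach works where 7000+ static routes did not. Also, /etc/firewall.user is executed by the fw3 firewall of OpenWrt 21.02 and earlier; OpenWrt 22.03 and later ship fw4 on nftables, where that file is no longer run and the set and rule have to be expressed through fw4's own config instead.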
