update trojan & add openvpn

apernet · Apr 2, 2024 · e7ce9bb · e7ce9bb
1 parent 4b10942
commit e7ce9bb
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 2 deletions.
diff --git a/docs/docs/analyzers.md b/docs/docs/analyzers.md
@@ -282,7 +282,7 @@ Example for blocking QUIC connections to `quic.rocks`:
 ```json
 {
   "trojan": {
-    "seq": [680, 4514, 293],
+    "seq": [682, 4540, 1310, 1031],
     "yes": true
   }
 }
@@ -296,6 +296,10 @@ Example for blocking Trojan connections:
   expr: trojan != nil && trojan.yes
 ```
 
+!!! warning
+
+    Trojan detection currently relies on traffic heuristics that are not always accurate, with approximately 0.6% false positives and 10% false negatives. Blocking all suspected Trojan connections, as in this example, can break normal TLS connections. For now, we recommend logging them and manually checking the IP addresses involved.
+
 ## SOCKS
 
 SOCKS4:
@@ -446,3 +450,24 @@ Example for blocking WireGuard traffic:
   action: block
   expr: wireguard?.packet_data?.receiver_index_matched == true
 ```
+
+## OpenVPN
+
+OpenVPN analyzer can detect both UDP and TCP modes. Note that this won't work if you have `tls-crypt` in your OpenVPN configuration, as the traffic will be fully encrypted with a pre-shared key.
+
+```json
+{
+  "openvpn": {
+    "rx_pkt_cnt": 88,
+    "tx_pkt_cnt": 23
+  }
+}
+```
+
+Example for blocking OpenVPN traffic, if the total packet count is more than 50 (to avoid potential false positives):
+
+```yaml
+- name: Block OpenVPN
+  action: block
+  expr: openvpn != nil && openvpn.rx_pkt_cnt + openvpn.tx_pkt_cnt > 50
+```
diff --git a/docs/docs/analyzers.zh.md b/docs/docs/analyzers.zh.md
@@ -278,7 +278,7 @@ QUIC 解析器的格式与 TLS 一样，但是目前只支持请求 (req) 部分
 ```json
 {
   "trojan": {
-    "seq": [680, 4514, 293],
+    "seq": [682, 4540, 1310, 1031],
     "yes": true
   }
 }
@@ -292,6 +292,10 @@ QUIC 解析器的格式与 TLS 一样，但是目前只支持请求 (req) 部分
   expr: trojan != nil && trojan.yes
 ```
 
+!!! warning
+
+    Trojan 检测目前依赖基于流量特征的启发式算法，并不保证完全准确。有大概 0.6% 的假阳性率和 10% 的假阴性率。像上述规则这样直接屏蔽所有疑似 Trojan 的连接可能导致误伤正常 TLS 连接。目前建议使用日志模式记录下 IP 地址，进行额外的人工审查。
+
 ## SOCKS
 
 SOCKS4:
@@ -442,3 +446,24 @@ SOCKS5 带验证:
   action: block
   expr: wireguard?.packet_data?.receiver_index_matched == true
 ```
+
+## OpenVPN
+
+OpenVPN 分析器对于 TCP 和 UDP 模式都可以检测。注意如果你的 OpenVPN 配置包含了 `tls-crypt` 则不能正常工作，因为在这种情况下连接会被一个预共享密钥加密，成为全加密连接。
+
+```json
+{
+  "openvpn": {
+    "rx_pkt_cnt": 88,
+    "tx_pkt_cnt": 23
+  }
+}
+```
+
+屏蔽 OpenVPN（如果检测到超过 50 个 OpenVPN 包，防止误伤）：
+
+```yaml
+- name: Block OpenVPN
+  action: block
+  expr: openvpn != nil && openvpn.rx_pkt_cnt + openvpn.tx_pkt_cnt > 50
+```