Skip to content

Instantly share code, notes, and snippets.

@kurtbahartr

kurtbahartr/dpi-bypass-zapret-turkey.mkdn

Created August 9, 2025 16:17
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save kurtbahartr/6861965c73c429da9c66cf2fe18c7ce3 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save kurtbahartr/6861965c73c429da9c66cf2fe18c7ce3 to your computer and use it in GitHub Desktop.
Download ZIP
Setting up proper DPI bypass in Turkey with Zapret on CachyOS
Raw
dpi-bypass-zapret-turkey.mkdn

Prologue

So, you've arrived in Turkey and you want to access certain services such as Discord while roaming. But would you look at that - that service is blocked in Turkey!

It's easy to bypass on Android using an app called "Intra" (assuming you're running stock ROM or a custom ROM with proper support for such apps). However, that doesn't end here.

See, if you have a Windows system, just using GoodbyeDPI-Turkey should be enough. Use the proper dnsredir script and you're done.

However, you have a Linux system, and you need a proper stack to effectively bypass DPI.

This is where Zapret comes into play.

Combine it with dnscrypt-proxy and you're pretty much all set to go.

What is dnscrypt-proxy?

In short, dnscrypt-proxy is a DoH and DNSSEC handler that replaces your current DNS provider.

Setting up dnscrypt-proxy

Of course, first and foremost, we install dnscrypt-proxy. Since it's in official CachyOS repositories, we can use pacman to install it:

sudo pacman -Sy dnscrypt-proxy

Then, we need to configure it to work properly.

First off, you need to stop and disable systemd-resolved since it will clash with dnscrypt-proxy:

sudo systemctl disable systemd-resolved --now

Then, create /etc/NetworkManager/conf.d/90-dns-none.conf with the following content and restart NetworkManager (sudo systemctl restart NetworkManager):

[main]
dns=none

After that, replace /etc/resolv.conf with a new file with the following content:

nameserver ::1
nameserver 127.0.0.1
options edns0

Note

If you use an app like Tailscale, it's completely fine for this to be replaced after putting the above content. Tailscale users can disable MagicDNS acceptance with tailscale set --accept-dns=false and the resolv.conf will be automagically replaced with the original content it had.

Once this is done, enable dnscrypt-proxy with

sudo systemctl enable dnscrypt-proxy --now

Setting up Zapret

Now that we've switched to DoH, our connection is slightly more secure, but we're not done yet.

You see, using DoH will only circumvent DNS poisoning but not deep packet inspection (also known as DPI).

You can easily bypass DPI with Zapret, and I'm going to walk you through the steps of doing so.

First off, we install Zapret from AUR:

paru -S zapret-git

After that, cd into /opt/zapret and run ./blockcheck.sh aganist discord.gg. Remember to use quick check for the fastest results.

Pick the HTTPS 1.2 result (make sure it's NFQWS) and open config to set the following configuration values:

  • NFQWS_ENABLE=1
  • NFQWS_OPT="(the NFQWS parameters you picked from blockcheck earlier)"

For example, for Turk Telekom customers, NFQWS_OPT is going to be:

NFQWS_OPT="
--dpi-desync=fake --dpi-desync-ttl=5
"

After setting up Zapret, enable and start it:

sudo systemctl enable zapret --now

And voila! You're now all set up for accessing blocked websites without having to worry about VPNs!

Credits

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment