zapret2-mcp 0.3.3 → 0.3.5

package/CHANGELOG.md

@@ -1,11 +1,29 @@
 # Changelog
 
-## [Unreleased]
+## [0.3.5] - 2026-02-19
+
+### Added
+- **Новый промпт `strategy-knowledge`** — полный справочник по стратегиям обхода DPI для LLM: все семейства стратегий (TCP сегментация, фейки, HTTP, window, UDP/QUIC, circular оркестрация), fooling-опции (md5sig, badsum, ip_autottl, tcp_ts), маркеры позиций, типы DPI с рекомендованными подходами, протокол-специфичные заметки (TLS 1.2 vs 1.3, QUIC, HTTP)
+
+### Changed
+- **Промпт `find-bypass-strategy` обогащён knowledge base** — добавлены: как читать результаты blockcheck (AVAILABLE/UNAVAILABLE), критерии выбора стратегии (стабильность > скорость), как конструировать NFQWS2_OPT из результатов, рекомендации по fooling-методам, circular orchestration для отказоустойчивости
+- **Промпт `troubleshoot` обогащён диагностикой** — добавлена секция типичных причин неработающих стратегий: IP-блокировка vs DPI, неправильный fooling для фейков, проблемы с TTL (autottl vs фиксированный), устаревшие стратегии, отсутствие NFQUEUE-модуля
+
+## [0.3.4] - 2026-02-18
 
 ### Added
 - **`removeZapret2` tool** — полный откат установки zapret2: остановка сервиса (init script + systemd), удаление systemd unit, принудительное завершение nfqws2, очистка firewall-правил (nftables/iptables), удаление `/opt/zapret2`. DNS-настройки не откатываются.
 - **Unit-тест `removeZapret2`** — 5 тестов: успешное удаление, отсутствие установки, содержимое скрипта, таймаут 60 с, обработка ошибки.
 
+### Changed
+- **`verifyBypass` — улучшена точность проверки**:
+  - Добавлен параметр `interface` — явное указание WAN-интерфейса для curl; если не задан, читается `IFACE_WAN` из `/opt/zapret2/config`
+  - Добавлены поля в ответ: `wanInterface` (использованный интерфейс), `routeTo` (маршрут до IP домена)
+  - `bypassConfirmed` теперь определяется только по HTTP-коду (`!= 0` и `!= 000`), а не по состоянию zapret2 — корректно отражает реальную доступность сайта
+  - curl теперь всегда использует `--noproxy '*'` чтобы исключить влияние системных прокси
+  - Убран FIXME-комментарий
+- **Тесты `verifyBypass`** — добавлено 5 новых тестов: `interface` arg, `--noproxy`, `bypassConfirmed=true`, `bypassConfirmed=false`, чтение `IFACE_WAN` из конфига; обновлены ожидаемые поля в существующем тесте
+
 ## [0.3.3] - 2026-02-18
 
 ### Fixed

package/build/prompts.js

@@ -38,12 +38,41 @@ Follow these steps:
 
 1. Run getStatus to check current state. If zapret2 is running, run stopService (blockcheck requires zapret2 to be stopped).
 2. Run runBlockcheck with the target domain. This is a heavy operation (~5 min). The full log is saved as a resource.
-3. Read the blockcheck log resource to analyze AVAILABLE strategies. Look for lines with "AVAILABLE" status — these are working bypass methods.
-4. Choose the best strategy and run updateConfig with key="NFQWS2_OPT" and the selected nfqws2 parameters as value.
+3. Read the blockcheck log resource to analyze AVAILABLE strategies.
+4. Choose the best strategy using the knowledge below, and run updateConfig with key="NFQWS2_OPT" and the selected nfqws2 parameters as value.
 5. Run restartService to apply the new configuration.
 6. Run verifyBypass with the target domain to confirm the bypass works.
 
-Report the chosen strategy and verification results to the user.`,
+Report the chosen strategy and verification results to the user.
+
+## How to read blockcheck results
+
+Blockcheck tests multiple bypass strategies against the target domain. In the output:
+- **AVAILABLE** — strategy works, the site is reachable with these parameters.
+- **UNAVAILABLE** — strategy failed.
+- Each AVAILABLE line shows the exact nfqws2 parameters that worked.
+
+When multiple strategies are AVAILABLE, choose based on these criteria (in priority order):
+1. **Stability** — prefer strategies without fragile TTL tricks (avoid fixed ip_ttl, prefer ip_autottl or non-TTL fooling).
+2. **Simplicity** — fewer parameters = more robust. Prefer \`--dpi-desync=split2\` over complex multi-strategy chains.
+3. **Protocol coverage** — if the domain uses both HTTPS and HTTP, ensure the strategy covers both.
+4. **TLS version awareness** — TLS 1.3 is easier to bypass (less metadata exposed). TLS 1.2 may need additional work with server response.
+
+## Constructing NFQWS2_OPT from blockcheck results
+
+Take the parameters from the AVAILABLE line and use them as NFQWS2_OPT value. For example:
+- Blockcheck shows: \`nfqws2 --dpi-desync=fake,split2 --dpi-desync-split-pos=1 --dpi-desync-fooling=md5sig\`
+- Set NFQWS2_OPT to: \`--dpi-desync=fake,split2 --dpi-desync-split-pos=1 --dpi-desync-fooling=md5sig\`
+
+If multiple AVAILABLE strategies exist, prefer those using:
+- \`split2\` or \`disorder2\` (TCP segmentation without fakes — simplest)
+- \`fake,split2\` with \`md5sig\` or \`badsum\` fooling (reliable fake disposal)
+- \`multisplit\` or \`multidisorder\` for complex DPI that reassembles segments
+- Avoid strategies relying solely on \`ip_ttl\` — TTL varies across networks and may break on path changes.
+
+For resilience, consider using circular orchestration:
+\`--dpi-desync=fake,split2 --dpi-desync-fooling=md5sig --dpi-desync-circular-strategy=3\`
+This rotates through N strategies automatically if the current one stops working.`,
                     },
                 },
             ],
@@ -75,7 +104,32 @@ Analyze the results and report:
 - Is NFQWS2_OPT configured with bypass parameters?
 - Can the domain be resolved and reached?
 - Is DNS configured correctly? Consider using configureDns if DNS is unreliable.
-- What is the likely root cause and recommended fix?`,
+- What is the likely root cause and recommended fix?
+
+## Common failure causes
+
+**IP-level blocking (not DPI):**
+- If the domain's IP is blocked entirely, zapret2 cannot help — it only works against DPI inspection.
+- Symptom: DNS resolves, but connection times out regardless of strategy. Try accessing via VPN to confirm.
+
+**Wrong fooling for fakes:**
+- If using fake-based strategies (fake, fakedsplit, fakeddisorder), the fake packet must be discarded by the server but accepted by the DPI.
+- If fakes reach the server, it breaks the connection. Symptoms: connection reset, TLS handshake failure.
+- Fix: switch fooling method. Try md5sig → badsum → ip_autottl. Use ip_autottl instead of fixed ip_ttl.
+
+**TTL issues:**
+- Fixed ip_ttl too low → fakes don't reach DPI, bypass fails.
+- Fixed ip_ttl too high → fakes reach the server, connection breaks.
+- Fix: use \`--dpi-desync-fooling=ip_autottl\` which auto-detects the right TTL hop count.
+
+**Strategy stopped working:**
+- DPI systems get updated. A strategy that worked yesterday may fail today.
+- Fix: re-run blockcheck (find-bypass-strategy prompt) to discover new working strategies.
+- For resilience, use \`--dpi-desync-circular-strategy=N\` to auto-rotate between strategies.
+
+**NFQUEUE module not loaded:**
+- If detectSystem shows nfqueueAvailable=false, nfqws2 cannot intercept packets.
+- Fix: \`modprobe nfnetlink_queue\` or install the kernel module package.`,
                     },
                 },
             ],
@@ -104,6 +158,94 @@ If any step fails, report the error and suggest remediation before proceeding.`,
             },
         ],
     }));
+    server.prompt("strategy-knowledge", "Reference guide: all DPI bypass strategy families, nfqws2 parameters, fooling options, and protocol-specific recommendations", () => ({
+        messages: [
+            {
+                role: "user",
+                content: {
+                    type: "text",
+                    text: `Provide the full reference guide for zapret2 DPI bypass strategies.
+
+## Strategy Families
+
+### TCP Segmentation (splitting outgoing packets)
+- **split2** / **disorder2** — split TCP segment at a position. disorder2 sends segments out of order. Simplest strategies, no fakes involved.
+- **multisplit** / **multidisorder** — split at multiple positions. For DPI that reassembles single-split segments.
+- **fakedsplit** / **fakeddisorder** — split with a fake segment inserted between real parts. Fake confuses DPI reassembly.
+- **hostfakesplit** — split only at the Host header position in HTTP.
+
+Key parameters for segmentation:
+- \`--dpi-desync-split-pos=N\` — byte offset to split at. Special values: \`host\` (start of Host/SNI), \`endhost\` (end of Host/SNI), \`midsld\` (middle of SLD in SNI).
+- \`--dpi-desync-split-seqovl=N\` — TCP sequence number overlap. Confuses DPI that tracks sequences. Requires \`--dpi-desync-split-pos\` > N.
+- \`--dpi-desync-split-http-req=method+host\` — split HTTP request at method and host boundaries.
+
+### Fake Packets (injecting decoy packets that DPI processes but server ignores)
+- **fake** — send a fake packet before the real one. DPI processes the fake and misses the real data.
+- **rst** / **rstack** — send fake RST to make DPI think connection closed.
+- **syndata** — send data in SYN packet (unusual, confuses some DPI).
+
+Key parameters for fakes:
+- \`--dpi-desync-fake-tls=<file>\` — custom fake TLS ClientHello payload.
+- \`--dpi-desync-fake-http=<file>\` — custom fake HTTP request payload.
+
+### Fooling Options (making fakes invisible to the server)
+Fakes MUST be discarded by the server but processed by the DPI. Fooling options ensure this:
+- \`--dpi-desync-fooling=md5sig\` — add fake TCP MD5 signature option. Server drops packets with wrong MD5. Most reliable on Linux servers.
+- \`--dpi-desync-fooling=badsum\` — corrupt TCP checksum. Server's NIC drops bad checksum. Does NOT work if server has checksum offload disabled.
+- \`--dpi-desync-fooling=ip_autottl\` — auto-detect TTL so fake expires before reaching server but passes DPI. Best TTL-based option.
+- \`--dpi-desync-fooling=ip_ttl=N\` — fixed TTL for fakes. Fragile — depends on hop count to DPI vs server.
+- \`--dpi-desync-fooling=tcp_ts\` — shift TCP timestamp far in the past. Server drops stale timestamps.
+- Multiple fooling methods can be combined: \`--dpi-desync-fooling=md5sig,badsum\`
+
+### HTTP-Specific Strategies
+- \`--hostcase\` — change Host header case (e.g., "Host:" → "hOsT:"). Simple, effective against basic DPI.
+- \`--domcase\` — randomize domain case in Host header. DPI can't match domain name.
+- \`--methodeol\` — add extra line ending after HTTP method.
+
+### TCP Window Manipulation
+- \`--wsize=N\` — set TCP window size to force small segments from the server.
+- \`--wssize=N\` — set TCP window scale factor.
+
+### UDP/QUIC Strategies
+- \`--dpi-desync-udplen-increment=N\` — pad UDP packets. Changes packet signature.
+- \`--dpi-desync-fake-quic=<file>\` — custom fake QUIC Initial payload.
+- IP fragmentation (\`ipfrag2\`) — fragment IP packets so DPI can't reassemble.
+
+### Orchestration (circular)
+- \`--dpi-desync-circular-strategy=N\` — rotate through N different strategies automatically.
+- When current strategy fails, nfqws2 switches to the next one.
+- Provides resilience against DPI updates without manual intervention.
+
+## DPI Types and Recommended Approaches
+
+**Domain-based DPI (inspects SNI/Host):**
+→ TCP segmentation at SNI position: \`--dpi-desync=split2 --dpi-desync-split-pos=host\`
+→ Or with sequence overlap: \`--dpi-desync=split2 --dpi-desync-split-pos=host --dpi-desync-split-seqovl=1\`
+
+**Stateful DPI (tracks TCP state):**
+→ Fakes + fooling: \`--dpi-desync=fake,split2 --dpi-desync-fooling=md5sig\`
+→ RST injection: \`--dpi-desync=rst --dpi-desync-fooling=ip_autottl\`
+
+**Stateless DPI (inspects individual packets):**
+→ IP fragmentation: \`--dpi-desync=ipfrag2\`
+→ Padding/disorder: \`--dpi-desync=disorder2\`
+
+**HTTP-only DPI:**
+→ \`--hostcase --dpi-desync=split2 --dpi-desync-split-http-req=method+host\`
+
+## Protocol-Specific Notes
+
+**TLS 1.3:** Minimal metadata exposed. Usually \`split2\` at SNI position is enough.
+
+**TLS 1.2:** Server certificate is visible. May need strategies for both ClientHello and ServerHello directions. More complex to bypass.
+
+**QUIC/UDP:** IP fragmentation (\`ipfrag2\`) or \`udplen\` padding. Fake-based strategies with ipfrag. QUIC is harder to intercept because it's encrypted from the start.
+
+**HTTP:** Easiest to bypass. \`--hostcase\` alone often works. Combine with split for robust bypass.`,
+                },
+            },
+        ],
+    }));
     server.prompt("overview", "Quick reference: all available tools, resources, and typical workflows for zapret2-mcp", () => ({
         messages: [
             {

package/build/prompts.js.map

@@ -1 +1 @@
-{"version":3,"file":"prompts.js","sourceRoot":"","sources":["../src/prompts.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,UAAU,eAAe,CAAC,MAAiB;IAC/C,MAAM,CAAC,MAAM,CACX,cAAc,EACd,yIAAyI,EACzI,GAAG,EAAE,CAAC,CAAC;QACL,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;;;;;;;;;;;+EAW6D;iBACpE;aACF;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,sBAAsB,EACtB,gJAAgJ,EAChJ,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,0CAA0C,CAAC,EAAE,EACtF,CAAC,IAAI,EAAE,EAAE;QACP,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM;YAC5B,CAAC,CAAC,eAAe,IAAI,CAAC,MAAM,oCAAoC;YAChE,CAAC,CAAC,sEAAsE,CAAC;QAE3E,OAAO;YACL,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAe;oBACrB,OAAO,EAAE;wBACP,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,mDAAmD,UAAU;;;;;;;;;;;iEAWhB;qBACpD;iBACF;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,cAAc,EACd,sGAAsG,EACtG,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kDAAkD,CAAC,EAAE,EAC9F,CAAC,IAAI,EAAE,EAAE;QACP,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM;YAC5B,CAAC,CAAC,+BAA+B,IAAI,CAAC,MAAM,IAAI;YAChD,CAAC,CAAC,sFAAsF,CAAC;QAE3F,OAAO;YACL,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAe;oBACrB,OAAO,EAAE;wBACP,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,mDAAmD,UAAU;;;;;;;;;;;;;;;;qDAgB5B;qBACxC;iBACF;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,eAAe,EACf,iMAAiM,EACjM,GAAG,EAAE,CAAC,CAAC;QACL,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;;;;;;;;;;;;+EAY6D;iBACpE;aACF;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,UAAU,EACV,wFAAwF,EACxF,GAAG,EAAE,CAAC,CAAC;QACL,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wGAqCsF;iBAC7F;aACF;SACF;KACF,CAAC,CACH,CAAC;AACJ,CAAC"}
+{"version":3,"file":"prompts.js","sourceRoot":"","sources":["../src/prompts.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,UAAU,eAAe,CAAC,MAAiB;IAC/C,MAAM,CAAC,MAAM,CACX,cAAc,EACd,yIAAyI,EACzI,GAAG,EAAE,CAAC,CAAC;QACL,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;;;;;;;;;;;+EAW6D;iBACpE;aACF;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,sBAAsB,EACtB,gJAAgJ,EAChJ,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,0CAA0C,CAAC,EAAE,EACtF,CAAC,IAAI,EAAE,EAAE;QACP,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM;YAC5B,CAAC,CAAC,eAAe,IAAI,CAAC,MAAM,oCAAoC;YAChE,CAAC,CAAC,sEAAsE,CAAC;QAE3E,OAAO;YACL,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAe;oBACrB,OAAO,EAAE;wBACP,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,mDAAmD,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kFAwCC;qBACrE;iBACF;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,cAAc,EACd,sGAAsG,EACtG,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kDAAkD,CAAC,EAAE,EAC9F,CAAC,IAAI,EAAE,EAAE;QACP,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM;YAC5B,CAAC,CAAC,+BAA+B,IAAI,CAAC,MAAM,IAAI;YAChD,CAAC,CAAC,sFAAsF,CAAC;QAE3F,OAAO;YACL,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAe;oBACrB,OAAO,EAAE;wBACP,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,mDAAmD,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0EAyCP;qBAC7D;iBACF;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,eAAe,EACf,iMAAiM,EACjM,GAAG,EAAE,CAAC,CAAC;QACL,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;;;;;;;;;;;;+EAY6D;iBACpE;aACF;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,oBAAoB,EACpB,8HAA8H,EAC9H,GAAG,EAAE,CAAC,CAAC;QACL,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qGA6EmF;iBAC1F;aACF;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,MAAM,CACX,UAAU,EACV,wFAAwF,EACxF,GAAG,EAAE,CAAC,CAAC;QACL,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wGAqCsF;iBAC7F;aACF;SACF;KACF,CAAC,CACH,CAAC;AACJ,CAAC"}

package/build/tools/verifyBypass.d.ts

@@ -5,16 +5,20 @@ export declare const verifyBypassTool: {
     schema: z.ZodObject<{
         domain: z.ZodDefault<z.ZodString>;
         timeout: z.ZodDefault<z.ZodNumber>;
+        interface: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
         domain: string;
         timeout: number;
+        interface?: string | undefined;
     }, {
         domain?: string | undefined;
         timeout?: number | undefined;
+        interface?: string | undefined;
     }>;
     handler: (args: {
         domain?: string;
         timeout?: number;
+        interface?: string;
     }) => Promise<{
         content: {
             type: "text";

package/build/tools/verifyBypass.js

@@ -1,16 +1,17 @@
 import { z } from "zod";
 import { getExecutor } from "../executorInstance.js";
-// FIXME: отшлёпывает 200 на любой запрос. Выяснить, в чём дело
 export const verifyBypassTool = {
     name: "verifyBypass",
     description: "Verify network connectivity: DNS resolution, HTTP request, and nfqws2 running status for a given domain. Use after startService or restartService to confirm zapret2 is working.",
     schema: z.object({
         domain: z.string().default("example.com").describe("Domain to verify bypass for (default: example.com)"),
         timeout: z.number().default(10).describe("HTTP request timeout in seconds (default: 10)"),
+        interface: z.string().optional().describe("WAN interface to bind curl to (e.g. wlp0s20f3). If omitted, reads IFACE_WAN from config."),
     }),
     handler: async (args) => {
         const domain = args.domain || "example.com";
         const timeout = args.timeout || 10;
+        const ifaceArg = args.interface || "";
         const script = `
       DNS_RESOLVED="false"
       DNS_IP=""
@@ -23,10 +24,33 @@ export const verifyBypassTool = {
         DNS_IP="$IP"
       fi
 
+      # Determine WAN interface: from argument, then from config
+      WAN_IFACE="${ifaceArg}"
+      if [ -z "$WAN_IFACE" ] && [ -f /opt/zapret2/config ]; then
+        WAN_IFACE=$(grep '^IFACE_WAN=' /opt/zapret2/config 2>/dev/null | head -1 | cut -d'=' -f2 | tr -d '"' | tr -d "'")
+      fi
+
+      # Route info for the resolved IP
+      ROUTE_TO=""
+      if [ -n "$DNS_IP" ] && command -v ip >/dev/null 2>&1; then
+        ROUTE_TO=$(ip route get "$DNS_IP" 2>/dev/null | head -1 || true)
+      fi
+
       HTTP_CODE="0"
-      CURL_EXIT="0"
+      CURL_EXIT="1"
       if command -v curl >/dev/null 2>&1; then
-        HTTP_CODE=$(curl -sL -o /dev/null -w '%{http_code}' --max-time ${timeout} "https://${domain}/" 2>/dev/null || true)
+        if [ -n "$WAN_IFACE" ]; then
+          HTTP_CODE=$(curl -sL -o /dev/null -w '%{http_code}' \
+            --max-time ${timeout} \
+            --interface "$WAN_IFACE" \
+            --noproxy '*' \
+            "https://${domain}/" 2>/dev/null || true)
+        else
+          HTTP_CODE=$(curl -sL -o /dev/null -w '%{http_code}' \
+            --max-time ${timeout} \
+            --noproxy '*' \
+            "https://${domain}/" 2>/dev/null || true)
+        fi
         CURL_EXIT=$?
         if [ -z "$HTTP_CODE" ]; then HTTP_CODE="0"; fi
       fi
@@ -50,15 +74,19 @@ export const verifyBypassTool = {
       fi
 
       BYPASS_CONFIRMED="false"
-      if [ "$ZAPRET_RUNNING" = "true" ] && [ "$FW_RULES" -gt 0 ] && [ "$HTTP_CODE" != "0" ] && [ "$HTTP_CODE" != "" ]; then
+      if [ "$HTTP_CODE" != "0" ] && [ "$HTTP_CODE" != "000" ] && [ -n "$HTTP_CODE" ]; then
         BYPASS_CONFIRMED="true"
       fi
 
+      WAN_IFACE_JSON=\${WAN_IFACE:-""}
+
       cat <<EOJSON
 {
   "domain": "${domain}",
   "dnsResolved": $DNS_RESOLVED,
   "dnsIp": "$DNS_IP",
+  "wanInterface": "$WAN_IFACE_JSON",
+  "routeTo": "$ROUTE_TO",
   "httpCode": "$HTTP_CODE",
   "curlExit": "$CURL_EXIT",
   "zapretRunning": $ZAPRET_RUNNING,

package/build/tools/verifyBypass.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifyBypass.js","sourceRoot":"","sources":["../../src/tools/verifyBypass.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,+DAA+D;AAC/D,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,IAAI,EAAE,cAAc;IACpB,WAAW,EAAE,kLAAkL;IAC/L,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,oDAAoD,CAAC;QACxG,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,+CAA+C,CAAC;KAC1F,CAAC;IACF,OAAO,EAAE,KAAK,EAAE,IAA2C,EAAE,EAAE;QAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,aAAa,CAAC;QAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;QAEnC,MAAM,MAAM,GAAG;;;uBAGI,MAAM;;6BAEA,MAAM;;;;;;;;;;yEAUsC,OAAO,aAAa,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eA8BpF,MAAM;;;;;;;;;;KAUhB,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAC1E,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;QACvE,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,CAAC,GAAG,GAA0D,CAAC;YACrE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,EAAE,EAAE,CAAC;gBACvG,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC;CACF,CAAC"}
+{"version":3,"file":"verifyBypass.js","sourceRoot":"","sources":["../../src/tools/verifyBypass.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,IAAI,EAAE,cAAc;IACpB,WAAW,EAAE,kLAAkL;IAC/L,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,oDAAoD,CAAC;QACxG,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,+CAA+C,CAAC;QACzF,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,0FAA0F,CAAC;KACtI,CAAC;IACF,OAAO,EAAE,KAAK,EAAE,IAA+D,EAAE,EAAE;QACjF,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,aAAa,CAAC;QAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC;QAEtC,MAAM,MAAM,GAAG;;;uBAGI,MAAM;;6BAEA,MAAM;;;;;;;;mBAQhB,QAAQ;;;;;;;;;;;;;;;;yBAgBF,OAAO;;;uBAGT,MAAM;;;yBAGJ,OAAO;;uBAET,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eAiCd,MAAM;;;;;;;;;;;;KAYhB,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAC1E,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;QACvE,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,CAAC,GAAG,GAA0D,CAAC;YACrE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,EAAE,EAAE,CAAC;gBACvG,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC;CACF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zapret2-mcp",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "description": "MCP server for managing zapret2 network packet processing tool on OpenWrt routers and Linux desktops via Docker, SSH, or locally",
   "license": "MIT",
   "author": "Stanislav Zemlyakov",