Installing Zapret on Linux: A Practical Guide to Bypassing Censorship
🇬🇧 Step-by-step guide to install Zapret (nfqws/tpws) on Linux to bypass internet censorship and blocks.
📝 Legal Notice
This article is for educational purposes only. Misusing the information here may be illegal. Use this only for security training or defensive purposes. Bad use can have legal consequences.
🤔 What is Zapret and What Does It Do?
Internet blocks and regional censorship can be annoying. Tools like Zapret can help you bypass these limits. Zapret was made to work against some DPI (Deep Packet Inspection) systems used in Russia, but the same ideas can help with other similar blocks.
In short, Zapret helps change your network traffic so DPI systems cannot block it. It uses tools like nfqws and tpws to do this.
- How DPI blocks work: DPI systems inspect HTTP and TLS/SSL handshakes to detect keywords, domain names (SNI), or IPs and then block traffic.
- What Zapret does: Tools inside Zapret (mainly nfqws and tpws) use methods such as packet fragmentation and adding fake packets (fake desync) to confuse DPI. This can make the DPI reach its verdict before it sees the real data, or make it reach the wrong one.
In short, Zapret acts like an anti-censorship shield to restore access to blocked services (for example, Discord).
🛠️ Step 1: Download the Files
First, download the latest Zapret release from GitHub. Make sure you pick the normal (non-embedded) zip file.
- Go to the releases page: https://github.com/bol-van/zapret/releases/latest/
- Under “Assets” download the .zip file (for example zapret-vXX.Y.zip). Do not pick “Source code (zip)” or “Source code (tar.gz)”.
Important: Do not download files with “embedded” in the name (e.g. zapret-vXX.Y-openwrt-embedded.tar.gz). Use the main .zip or .tar.gz.
📂 Step 2: Move Files to a System Folder
Unzip the downloaded file and move the folder to /opt/. Name the folder simply zapret.
# Unzip the downloaded file
unzip zapret-vXX.Y.zip
# Move the folder to /opt and rename it to 'zapret'
sudo mv zapret-vXX.Y /opt/zapret
Now go to the zapret folder to continue:
cd /opt/zapret/
⚙️ Step 3: Install Binaries and Dependencies
Zapret provides scripts to install the right binaries for your system.
- Get root permissions for installation:
sudo su
# After entering your password, the prompt will show 'root@...'
- Install the binaries. The script detects your system (for example linux-x86_64) and links the needed executables into place.
./install_bin.sh
# Example output:
# installing binaries ...
# linking : ../binaries/linux-x86_64/ip2net => /opt/zapret/ip2net
# ...
⚡ Step 4: Run the Easy Install Script
Now run the main install script that sets up Zapret services.
- Start the install:
./install_easy.sh
- Firewall choice: The script will ask which firewall system to use. For modern Linux systems choose nftables.
  - When asked, select: nftables
- Enable NFQWS: This is the main component that provides DPI bypass. Do not skip this step.
  - When asked enable nfqws ? (default : N) (Y/N) ?, type: Y
- You can accept the default answers for other options.
✅ Step 5: Check Service Status
After install, check that the Zapret service is running:
systemctl status zapret
Expected output:
If all is well, the Active: line will show active (running).
● zapret.service
Loaded: loaded (/usr/lib/systemd/system/zapret.service; enabled; preset: disabled)
Active: active (running) since Fri 2025-10-17 15:09:14 +03; 17min ago
# ... other details
If the status is not active (running) (for example failed), start the service manually:
systemctl start zapret
Common systemctl commands for Zapret:
- sudo systemctl enable zapret: Start Zapret automatically on boot.
- sudo systemctl disable zapret: Turn off automatic start.
- sudo systemctl start zapret: Start the service now.
- sudo systemctl stop zapret: Stop the service now.
- sudo systemctl restart zapret: Restart the service (useful after config changes).
- sudo journalctl -u zapret -f: Watch Zapret logs in real time.
🌐 Step 6: Test and Troubleshoot
When the service is running, try to visit a site you know is blocked (for example discord.com).
- Access works: Congrats! Zapret is working.
- Access fails: First try rebooting your machine. Network settings sometimes need a reboot to apply.
If it still doesn’t work, run the Block Test.
Block Test
Zapret includes a block test tool that helps find which DPI bypass strategies work for your network.
- Go to the zapret folder:
cd /opt/zapret
- Run the block test:
./blockcheck.sh
If a working strategy is found, you will see output like:
!!!!! curl_test_http: working strategy found for ipv4 discord.com : tpws --split-pos=method+2,midsld --fix-seg --oob !!!!!
Update Configuration
If blockcheck.sh suggests a strategy (like the example above), add those parameters to Zapret’s main config file.
- Open the config:
nano /opt/zapret/config
- Find the NFQWS_OPT line. It looks like this by default:
NFQWS_OPT="
--filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-split-pos=method+2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
--filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld --dpi-desync-fooling=badseq,md5sig <HOSTLIST> --new
--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 <HOSTLIST_NOAUTO>
"
- Add or replace the line with the parameters blockcheck.sh suggested. Usually you add the new params to the appropriate line (like the HTTP or TLS line).
- Save changes and restart Zapret:
systemctl restart zapret
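Before editing NFQWS_OPT, it helps to separate the strategy lines by the tool they name: a line that names tpws (like the sample above) carries tpws options, which are not nfqws options. The script below is an added example, not part of Zapret; it assumes the line layout of the one sample line shown above, and its function names and sample log are made up for illustration.

```shell
#!/bin/sh
# Added example: extract "working strategy found" lines from saved blockcheck.sh
# output. The line layout is assumed from the one sample line in the article.

# Constructed sample log. The tpws line is the article's sample; the nfqws line
# and the two noise lines are constructed for this example.
sample_log() {
cat <<'EOF'
- checking tpws --split-pos=2
UNAVAILABLE
!!!!! curl_test_http: working strategy found for ipv4 discord.com : tpws --split-pos=method+2,midsld --fix-seg --oob !!!!!
!!!!! curl_test_https_tls12: working strategy found for ipv4 discord.com : nfqws --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld !!!!!
EOF
}

# stdin: blockcheck output. stdout: test, ipver, domain, tool, params (tab-separated).
extract_strategies() {
    awk '
    /^!!!!! .*: working strategy found for / {
        line = $0
        sub(/^!!!!! /, "", line); sub(/ !!!!!$/, "", line)
        split(line, head, ": working strategy found for ")
        rest = head[2]
        sep = index(rest, " : ")            # separates "<ipver> <domain>" from the command
        if (sep == 0) next                  # unexpected layout: skip rather than guess
        split(substr(rest, 1, sep - 1), target, " ")
        cmd = substr(rest, sep + 3)
        sp = index(cmd, " ")
        tool = sp ? substr(cmd, 1, sp - 1) : cmd
        params = sp ? substr(cmd, sp + 1) : ""
        printf "%s\t%s\t%s\t%s\t%s\n", head[1], target[1], target[2], tool, params
    }'
}

# Unique parameter strings reported for one tool ("nfqws" or "tpws").
params_for_tool() {
    extract_strategies | awk -F '\t' -v tool="$1" '$4 == tool && !seen[$5]++ { print $5 }'
}

# Only nfqws strategies are candidates for NFQWS_OPT.
sample_log | params_for_tool nfqws
```

To use it on a real run, save the blockcheck.sh output to a file and feed that file to params_for_tool on stdin instead of sample_log.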
🗑️ Step 7: Uninstall Zapret
If you no longer need Zapret, remove it cleanly.
- Go to the zapret folder:
cd /opt/zapret
- Get root:
sudo su
- Run the uninstall script. It removes the systemd service, clears firewall rules (nftables or iptables), and removes Zapret files:
./uninstall.sh
- Check the service no longer exists:
systemctl status zapret
Expected output: an error like Unit zapret.service could not be found.
- The uninstall.sh script may not remove /opt/zapret. Remove it manually if you want:
sudo rm -rf /opt/zapret
See you in another post. Stay safe.