feat: Add Mihomo and TProxy setup scripts for Alpine and legacy systems

- Introduced `iptables-mihomo-setup-mark2.sh` for advanced TProxy configuration.
- Created `iptables-mihomo-setup.sh` for legacy iptables management.
- Added `dnssec-test.sh` for DNSSEC interception testing.
- Implemented `config-warpgate-alpine.sh` for comprehensive Warpgate setup.
- Developed `iptables-mihomo-setup-alpine-mark2.sh` for refined TProxy rules on Alpine.
- Added `iptables-mihomo-setup-alpine.sh` for basic TProxy setup on Alpine.
- Created `update-core-and-dash.sh` for automated updates of Mihomo core and Zashboard UI.

scripts/warpgates/config-warpgate-alpine.sh

@@ -50,7 +50,7 @@ UI_DIR="/etc/mihomo/ui"
 # ==========================================
 echo ">>> [1/8] Updating system and installing dependencies..."
 # Включаем community репозитории (обычно там лежит gcompat и прочее)
-sed -i 's/^#//g' /etc/apk/repositories
+sed -i '/v[0-9]\.[0-9]*\/community/s/^#//' /etc/apk/repositories
 apk update
 apk add bash curl wget ca-certificates tar iptables ip6tables jq coreutils libcap bind-tools nano openrc openssh sudo shadow
 
@@ -67,6 +67,7 @@ net.ipv4.conf.default.rp_filter=0
 net.ipv4.conf.wt0.rp_filter=0
 EOF
 sysctl -p /etc/sysctl.d/99-warpgate.conf
+rc-update add sysctl boot
 
 # ==========================================
 # 3. NETBIRD INSTALLATION

scripts/warpgates/iptables-mihomo-setup-alpine-mark2.sh

@@ -0,0 +1,121 @@
+#!/bin/bash
+set -euo pipefail
+
+# ----------------------------
+# Config
+# ----------------------------
+MIHOMO_UID="mihomo"
+REDIR_PORT="7892"     # TCP Redirect
+TPROXY_PORT="7893"    # UDP/TCP TProxy
+FW_MARK="0x1"
+ROUTE_TABLE="100"
+
+EXCLUDE_IFACES=("tun0")  
+
+# ----------------------------
+# Helpers
+# ----------------------------
+ipt() { iptables "$@"; }
+
+del_loop() {
+  local table=$1
+  local chain=$2
+  shift 2
+  local rule_args="$@"
+
+  while iptables -t "$table" -C "$chain" $rule_args 2>/dev/null; do
+    echo "Deleting from $table/$chain: $rule_args"
+    iptables -t "$table" -D "$chain" $rule_args
+  done
+}
+
+ensure_ip_rule() {
+  while ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; do
+    ip rule del fwmark ${FW_MARK} lookup ${ROUTE_TABLE} || true
+  done
+  ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE}
+  ip route replace local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
+}
+
+# ----------------------------
+# CLEANUP PHASE
+# ----------------------------
+echo "--- Cleaning up old rules (Robust Mode) ---"
+
+del_loop nat OUTPUT -p tcp -m comment --comment "MIHOMO-JUMP" -j MIHOMO_REDIR
+del_loop nat PREROUTING -i wt0 -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}"
+del_loop mangle PREROUTING -i wt0 -m comment --comment "MIHOMO-JUMP" -j MIHOMO_TPROXY
+
+del_loop mangle OUTPUT -p tcp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+del_loop mangle OUTPUT -p udp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  del_loop mangle OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+  del_loop mangle PREROUTING -i "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+  del_loop nat OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+
+del_loop mangle OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+del_loop nat OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+
+ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
+ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
+
+ipt -t nat -F MIHOMO_REDIR 2>/dev/null || true
+ipt -t nat -X MIHOMO_REDIR 2>/dev/null || true
+
+echo "--- Cleanup finished. Applying new rules ---"
+
+# ----------------------------
+# NAT (REDIRECT) - TCP
+# ----------------------------
+ipt -t nat -N MIHOMO_REDIR
+
+# Exclusions for gateway's own traffic
+ipt -t nat -A MIHOMO_REDIR -d 192.168.0.0/16 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 10.0.0.0/8 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 172.16.0.0/12 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 127.0.0.0/8 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -p tcp -j REDIRECT --to-ports "${REDIR_PORT}"
+
+# Apply to OUTPUT (Local gateway traffic)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t nat -A OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t nat -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+ipt -t nat -A OUTPUT -p tcp -m comment --comment "MIHOMO-JUMP" -j MIHOMO_REDIR
+
+# Apply to PREROUTING (wt0 Ingress) - Force Redir for NetBird (skips exclusions by design)
+ipt -t nat -A PREROUTING -i wt0 -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}"
+
+# ----------------------------
+# MANGLE (TPROXY) - UDP
+# ----------------------------
+ensure_ip_rule
+ipt -t mangle -N MIHOMO_TPROXY
+
+# Local exclusions: apply ONLY if traffic is NOT coming from NetBird (wt0)
+ipt -t mangle -A MIHOMO_TPROXY ! -i wt0 -d 192.168.0.0/16 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY ! -i wt0 -d 10.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY ! -i wt0 -d 172.16.0.0/12 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY ! -i wt0 -d 127.0.0.0/8 -j RETURN
+
+# TProxy Targets (UDP only, TCP is handled by REDIRECT)
+ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}"
+
+# Apply to OUTPUT (Local gateway traffic)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t mangle -A OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t mangle -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+
+# Mark local UDP packets
+ipt -t mangle -A OUTPUT -p udp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+
+# Apply to PREROUTING (wt0 Ingress)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t mangle -A PREROUTING -i "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t mangle -A PREROUTING -i wt0 -m comment --comment "MIHOMO-JUMP" -j MIHOMO_TPROXY
+
+echo "Done. Suboptimal hypervisor constraints bypassed successfully."

scripts/warpgates/iptables-mihomo-setup-alpine.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+set -u
+
+# ----------------------------
+# Config
+# ----------------------------
+MIHOMO_UID="mihomo"
+TPROXY_PORT="7893"
+FW_MARK="0x1"
+ROUTE_TABLE="100"
+
+# Интерфейсы клиентов (откуда прилетают запросы)
+LAN_IFACES=("wt0" "eth1" "eth2")
+
+# Порты самого сервера, которые НЕ надо проксировать (Web UI, SSH)
+LOCAL_PORTS="9090,22"
+
+# ----------------------------
+# Helpers
+# ----------------------------
+ipt() { iptables "$@"; }
+
+cleanup_references() {
+    local chain=$1
+    iptables-save | grep "\-j $chain" | sed "s/^-A/-D/" | while read rule; do
+        iptables -t mangle $rule 2>/dev/null || true
+    done
+}
+
+ensure_ip_rule() {
+  # 1. Перехват трафика от клиентов в TProxy (то, что мы уже починили)
+  if ! ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; then
+    ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE} pref 90
+  fi
+  if ! ip route show table ${ROUTE_TABLE} | grep -q "local default"; then
+    ip route add local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
+  fi
+  
+  # 2. НОВОЕ: Выпуск трафика Mihomo в интернет в обход Netbird
+  if ! ip rule list | grep -q "fwmark 1337 lookup main"; then
+    ip rule add fwmark 1337 lookup main pref 80
+  fi
+}
+
+# ----------------------------
+# 1. CLEANUP
+# ----------------------------
+echo "--- Cleaning up rules ---"
+cleanup_references "MIHOMO_TPROXY"
+ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
+ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
+
+# ----------------------------
+# 2. SETUP
+# ----------------------------
+ensure_ip_rule
+
+# --- CHAIN: PREROUTING (Для клиентов) ---
+ipt -t mangle -N MIHOMO_TPROXY
+
+# === 1. Исключения по Портам (CRITICAL FIX) ===
+# Если стучатся в веб-морду или SSH - пропускаем мимо TProxy
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -m multiport --dports "${LOCAL_PORTS}" -j RETURN
+
+# === 2. Исключения по IP (Bypass) ===
+# RFC1918 Private Networks
+ipt -t mangle -A MIHOMO_TPROXY -d 0.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 169.254.0.0/16 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
+# Multicast
+ipt -t mangle -A MIHOMO_TPROXY -d 224.0.0.0/4 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 240.0.0.0/4 -j RETURN
+# !!! NETBIRD / CGNAT (Fix for VPN access) !!!
+ipt -t mangle -A MIHOMO_TPROXY -d 100.64.0.0/10 -j RETURN
+
+# === 3. Заворачиваем в TProxy ===
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+
+# ----------------------------
+# 3. APPLY
+# ----------------------------
+for IFACE in "${LAN_IFACES[@]}"; do
+    echo "Adding TProxy rules for interface: $IFACE"
+    ipt -t mangle -A PREROUTING -i "$IFACE" -j MIHOMO_TPROXY
+done

scripts/warpgates/update-core-and-dash.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+set -e
+
+# Configuration
+UI_URL="https://github.com/Zephyruso/zashboard/releases/latest/download/dist-cdn-fonts.zip"
+BIN_DIR="/usr/local/bin"
+UI_DIR="/etc/mihomo/ui/zashboard"
+
+echo "[*] Resolving latest Alpha URL from vernesong/mihomo..."
+CORE_URL=$(curl -sL "https://api.github.com/repos/vernesong/mihomo/releases/tags/Prerelease-Alpha" | grep -o 'https://[^"]*mihomo-linux-amd64-alpha-smart-[^"]*\.gz' | head -n 1)
+
+if [ -z "$CORE_URL" ]; then
+    echo "[-] ERROR: Failed to resolve download URL."
+    exit 1
+fi
+
+echo "[+] Target URL: $CORE_URL"
+
+# ==========================================
+# ФАЗА 1: СЕТЕВЫЕ ОПЕРАЦИИ (пока жив DNS)
+# ==========================================
+
+echo "[*] Downloading Mihomo Core..."
+curl -SLf -o /tmp/mihomo.gz "$CORE_URL"
+
+if [ ! -s /tmp/mihomo.gz ]; then
+    echo "[-] ERROR: Downloaded core file is empty or missing!"
+    exit 1
+fi
+
+echo "[*] Downloading Zashboard UI..."
+curl -SLf -o /tmp/zashboard.zip "$UI_URL"
+
+if [ ! -s /tmp/zashboard.zip ]; then
+    echo "[-] ERROR: Downloaded UI file is empty or missing!"
+    exit 1
+fi
+
+# ==========================================
+# ФАЗА 2: ЛОКАЛЬНЫЕ ОПЕРАЦИИ (остановка сервиса)
+# ==========================================
+
+echo "[*] Stopping mihomo service..."
+rc-service mihomo stop
+
+echo "[*] Unpacking and installing Mihomo Core..."
+gzip -d -f /tmp/mihomo.gz
+mv /tmp/mihomo "$BIN_DIR/mihomo"
+chmod 755 "$BIN_DIR/mihomo"
+chown root:root "$BIN_DIR/mihomo"
+setcap 'cap_net_admin,cap_net_bind_service=+ep' "$BIN_DIR/mihomo"
+
+echo "[*] Unpacking and installing Zashboard UI..."
+# Создаем изолированную директорию для распаковки
+mkdir -p /tmp/zash_temp
+unzip -q -o /tmp/zashboard.zip -d /tmp/zash_temp/
+
+# Динамически ищем, как GitHub назвал корневую папку внутри архива
+EXTRACTED_DIR=$(find /tmp/zash_temp -mindepth 1 -maxdepth 1 -type d | head -n 1)
+
+if [ -z "$EXTRACTED_DIR" ]; then
+    echo "[-] ERROR: Could not find extracted UI directory in the zip archive."
+    rc-service mihomo start
+    exit 1
+fi
+
+rm -rf "$UI_DIR"/*
+# Копируем содержимое найденной папки
+cp -r "$EXTRACTED_DIR"/* "$UI_DIR"/
+
+chown -R root:root "$UI_DIR"
+find "$UI_DIR" -type d -exec chmod 755 {} \;
+find "$UI_DIR" -type f -exec chmod 644 {} \;
+
+# Зачищаем следы
+rm -rf /tmp/zashboard.zip /tmp/zash_temp
+
+echo "[*] Starting mihomo service..."
+rc-service mihomo start
+
+echo "[+] Update completed successfully."