feat: Add Mihomo and TProxy setup scripts for Alpine and legacy systems

- Introduced `iptables-mihomo-setup-mark2.sh` for advanced TProxy configuration.
- Created `iptables-mihomo-setup.sh` for legacy iptables management.
- Added `dnssec-test.sh` for DNSSEC interception testing.
- Implemented `config-warpgate-alpine.sh` for comprehensive Warpgate setup.
- Developed `iptables-mihomo-setup-alpine-mark2.sh` for refined TProxy rules on Alpine.
- Added `iptables-mihomo-setup-alpine.sh` for basic TProxy setup on Alpine.
- Created `update-core-and-dash.sh` for automated updates of Mihomo core and Zashboard UI.

scripts/warpgates/config-warpgate-alpine.sh

@@ -0,0 +1,316 @@
+#!/bin/bash
+set -euo pipefail
+
+# ==========================================
+# 0. USER INTERACTION
+# ==========================================
+echo "-----------------------------------------------------"
+echo "🔐 USER SETUP"
+echo "-----------------------------------------------------"
+# В Alpine bash может не быть установлен изначально, но мы добавим его в зависимостях.
+# Если скрипт запускается через sh, read -sp работает, но проверим.
+echo "Enter password for new user 'supervisor':"
+stty -echo
+read SUPERVISOR_PASS
+stty echo
+echo
+
+if [ -z "$SUPERVISOR_PASS" ]; then
+    echo "❌ Password cannot be empty."
+    exit 1
+fi
+
+# ==========================================
+# 1. CONFIGURATION
+# ==========================================
+
+# Netbird 
+NETBIRD_SETUP_KEY="7369BE4D-C485-4339-A7CA-C245FD95E857"
+NETBIRD_MANAGEMENT_URL="https://webway.shamanlanding.org:443"
+
+# Mihomo Version (Alpha)
+MIHOMO_URL="https://github.com/vernesong/mihomo/releases/download/Prerelease-Alpha/mihomo-linux-amd64-alpha-smart-ec7f445.gz"
+
+# Remote Resources
+REPO_BASE="https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main"
+URL_CONFIG_MIHOMO="${REPO_BASE}/config-clash/cadian/cadian.current.yaml"
+URL_SCRIPT_IPTABLES="${REPO_BASE}/scripts/iptables-mihomo-setup.sh"
+URL_INIT_MIHOMO="${REPO_BASE}/init-scripts/openrc/mihomo"
+URL_INIT_IPTABLES="${REPO_BASE}/init-scripts/openrc/mihomo-iptables"
+
+# Paths
+BIN_DIR="/usr/local/bin"
+CONF_DIR="/etc/mihomo"
+LOG_DIR="/var/log/mihomo"
+INIT_DIR="/etc/init.d"
+UI_DIR="/etc/mihomo/ui"
+
+# ==========================================
+# 2. SYSTEM PREP & DEPENDENCIES
+# ==========================================
+echo ">>> [1/8] Updating system and installing dependencies..."
+# Включаем community репозитории (обычно там лежит gcompat и прочее)
+sed -i '/v[0-9]\.[0-9]*\/community/s/^#//' /etc/apk/repositories
+apk update
+apk add bash curl wget ca-certificates tar iptables ip6tables jq coreutils libcap bind-tools nano openrc openssh sudo shadow
+
+# Для совместимости AdGuard VPN (если потребуется glibc)
+apk add gcompat libgcc || true
+
+echo ">>> [2/8] Configuring Sysctl (Forwarding)..."
+# OpenRC читает /etc/sysctl.d/*.conf
+cat <<EOF > /etc/sysctl.d/99-warpgate.conf
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
+net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.default.rp_filter=0
+net.ipv4.conf.wt0.rp_filter=0
+EOF
+sysctl -p /etc/sysctl.d/99-warpgate.conf
+rc-update add sysctl boot
+
+# ==========================================
+# 3. NETBIRD INSTALLATION
+# ==========================================
+echo ">>> [3/8] Checking Netbird..."
+if ! command -v netbird &> /dev/null; then
+    echo "Installing Netbird..."
+    curl -fsSL https://pkgs.netbird.io/install.sh | sh
+fi
+
+echo ">>> Connecting Netbird..."
+# Проверяем статус. Если не подключен — подключаем.
+if ! netbird status | grep -q "Connected"; then
+    if [ -n "$NETBIRD_SETUP_KEY" ] && [ "$NETBIRD_SETUP_KEY" != "YOUR_NETBIRD_SETUP_KEY_HERE" ]; then
+        netbird up --management-url "$NETBIRD_MANAGEMENT_URL" https://webway.shamanlanding.org:443 --setup-key "$NETBIRD_SETUP_KEY" --disable-dns --allow-server-ssh --enable-ssh-root
+    else
+        echo "WARNING: Netbird Setup Key not set. Run manual setup later."
+    fi
+else
+    echo "Netbird is already connected."
+fi
+
+# Добавляем в автозагрузку OpenRC
+if [ -f /etc/init.d/netbird ]; then
+    rc-update add netbird default
+fi
+
+# ==========================================
+# 4. ADGUARD VPN CLI
+# ==========================================
+echo ">>> [4/8] Checking AdGuard VPN CLI..."
+if ! command -v adguardvpn-cli &> /dev/null; then
+    echo "Installing AdGuard VPN CLI..."
+    # Используем проверенный в диагностике метод
+    curl -fsSL https://raw.githubusercontent.com/AdguardTeam/AdGuardVPNCLI/master/scripts/release/install.sh | sh -s -- -v
+fi
+
+# Преднастройка
+adguardvpn-cli config set-mode socks
+adguardvpn-cli config set-socks-host 0.0.0.0
+adguardvpn-cli config set-tun-routing-mode none
+
+# ==========================================
+# 5. MIHOMO INSTALLATION
+# ==========================================
+echo ">>> [5/8] Installing Mihomo..."
+
+# Создаем группу, если нет
+if ! grep -q "^mihomo:" /etc/group; then
+    addgroup -S mihomo
+fi
+
+# Создаем пользователя и добавляем в группу (-G mihomo)
+if ! id "mihomo" &>/dev/null; then
+    adduser -S -D -H -s /sbin/nologin -G mihomo mihomo
+fi
+
+# Binary
+if [ ! -f "${BIN_DIR}/mihomo" ]; then
+    echo "Downloading Mihomo binary..."
+    # Используем временное имя, чтобы не конфликтовать
+    wget -qO /tmp/mihomo.gz "$MIHOMO_URL"
+    gzip -d /tmp/mihomo.gz
+    mv /tmp/mihomo "${BIN_DIR}/mihomo"
+    chmod +x "${BIN_DIR}/mihomo"
+else
+    echo "Mihomo binary already exists."
+fi
+
+# Capabilities (Вместо Systemd AmbientCapabilities)
+# Даем права на биндинг портов <1024 и управление сетью
+setcap 'cap_net_admin,cap_net_bind_service,cap_net_raw+ep' "${BIN_DIR}/mihomo"
+
+# Directories
+mkdir -p "$CONF_DIR"
+chown -R mihomo:mihomo "$CONF_DIR"
+
+mkdir -p "$LOG_DIR"
+chown -R mihomo:mihomo "$LOG_DIR"
+
+# ==========================================
+# 6. INSTALLING WEB UI
+# ==========================================
+echo ">>> [6/9] Installing Web UIs (Metacubexd, Yacd, Zashboard)..."
+mkdir -p "$UI_DIR"
+cd "$UI_DIR"
+
+# Metacubexd
+if [ ! -d "metacubexd" ]; then
+    echo "Downloading Metacubexd..."
+    wget -qO metacubexd.zip "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"
+    unzip -q -o metacubexd.zip
+    mv metacubexd-gh-pages metacubexd
+    rm metacubexd.zip
+fi
+
+# Yacd
+if [ ! -d "yacd" ]; then
+    echo "Downloading Yacd..."
+    wget -qO yacd.zip "https://github.com/haishanh/yacd/archive/refs/heads/gh-pages.zip"
+    unzip -q -o yacd.zip
+    mv yacd-gh-pages yacd
+    rm yacd.zip
+fi
+
+# Zashboard
+if [ ! -d "zashboard" ]; then
+    echo "Downloading Zashboard..."
+    wget -qO zashboard.zip "https://github.com/zephyruso/zashboard/archive/refs/heads/gh-pages.zip"
+    unzip -q -o zashboard.zip
+    mv zashboard-gh-pages zashboard
+    rm zashboard.zip
+fi
+
+# ==========================================
+# 6. CONFIGURATION & OPENRC SERVICES
+# ==========================================
+echo ">>> [6/8] Downloading Configs and Services..."
+
+# 6.1 Mihomo Config
+if [ ! -f "${CONF_DIR}/config.yaml" ]; then
+    echo "Fetching Config: $URL_CONFIG_MIHOMO"
+    wget -qO "${CONF_DIR}/config.yaml" "$URL_CONFIG_MIHOMO"
+    chown mihomo:mihomo "${CONF_DIR}/config.yaml"
+else
+    echo "Config exists, skipping download."
+fi
+
+# 6.2 Iptables Setup Script
+echo "Fetching Script: $URL_SCRIPT_IPTABLES"
+wget -qO "${BIN_DIR}/iptables-mihomo-setup.sh" "$URL_SCRIPT_IPTABLES"
+chmod +x "${BIN_DIR}/iptables-mihomo-setup.sh"
+
+# 6.3 Config Validation
+echo "Validating Mihomo Configuration..."
+if ! "${BIN_DIR}/mihomo" -t -d "$CONF_DIR"; then
+    echo "❌ ERROR: Mihomo configuration test failed!"
+    echo "Please inspect: ${CONF_DIR}/config.yaml"
+    exit 1
+else
+    echo "✅ Configuration test passed."
+fi
+
+# 6.4 Download OpenRC Services
+echo "Fetching OpenRC Init Scripts..."
+
+# Service: Mihomo
+if [ ! -f "${INIT_DIR}/mihomo" ]; then
+    echo "Downloading Service: $URL_INIT_MIHOMO"
+    wget -qO "${INIT_DIR}/mihomo" "$URL_INIT_MIHOMO"
+    chmod +x "${INIT_DIR}/mihomo"
+else
+    echo "Service 'mihomo' already exists."
+fi
+
+# Service: IPtables Helper
+if [ ! -f "${INIT_DIR}/mihomo-iptables" ]; then
+    echo "Downloading Service: $URL_INIT_IPTABLES"
+    wget -qO "${INIT_DIR}/mihomo-iptables" "$URL_INIT_IPTABLES"
+    chmod +x "${INIT_DIR}/mihomo-iptables"
+else
+    echo "Service 'mihomo-iptables' already exists."
+fi
+
+# 6.5 Enable Services (rc-update)
+# Добавляем в автозагрузку (default runlevel)
+echo "Enabling services..."
+rc-update add mihomo-iptables default
+rc-update add mihomo default
+
+# ==========================================
+# 7. USER & SSH SETUP
+# ==========================================
+echo ">>> [7/8] Configuring User and SSH..."
+
+# 7.1 Create Supervisor
+if ! id "supervisor" &>/dev/null; then
+    # Alpine: adduser создает группу с именем юзера
+    adduser -D -s /bin/bash supervisor
+    # Устанавливаем пароль
+    echo "supervisor:${SUPERVISOR_PASS}" | chpasswd
+    
+    # Настройка sudo (группа wheel)
+    # Убедимся, что wheel раскомментирована в sudoers
+    sed -i 's/^# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/' /etc/sudoers
+    
+    # Добавляем юзера в wheel
+    addgroup supervisor wheel
+    echo "✅ User 'supervisor' created and added to wheel group."
+else
+    echo "User 'supervisor' already exists."
+fi
+
+# 7.2 Configure SSHD
+# Проверяем, установлен ли sshd (openssh)
+if [ ! -f /etc/ssh/sshd_config ]; then
+    apk add openssh
+    rc-update add sshd default
+fi
+
+# Разрешаем вход по паролю, запрещаем рута
+sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/^PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+
+# Перезапуск SSH
+if rc-service sshd status | grep -q "started"; then
+    rc-service sshd restart
+else
+    rc-service sshd start
+fi
+echo "✅ SSH configured."
+
+# ==========================================
+# 8. DNS & FINALIZATION
+# ==========================================
+echo ">>> [8/8] Locking DNS & Enabling Services..."
+
+# В Alpine нет systemd-resolved. Просто пишем в resolv.conf
+# Убираем immutable атрибут, если он был (на всякий случай)
+chattr -i /etc/resolv.conf 2>/dev/null || true
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+mkdir -p /etc/udhcpc
+echo 'RESOLV_CONF="no"' > /etc/udhcpc/udhcpc.conf
+touch /etc/.pve-ignore.resolv.conf
+# Блокируем файл от перезаписи DHCP клиентом
+chattr +i /etc/resolv.conf 2>/dev/null || true 
+# (chattr в Alpine требует e2fsprogs-extra, если не установлен - пропустим)
+
+# Включаем сервисы
+rc-update add mihomo-iptables default
+rc-update add mihomo default
+
+chown -R mihomo:mihomo "$CONF_DIR"
+chown -R mihomo:mihomo "$LOG_DIR"
+
+echo "-----------------------------------------------------"
+echo "✅ INSTALLATION COMPLETE"
+echo "-----------------------------------------------------"
+echo "Next Steps:"
+echo "1. Login to AdGuard: 'adguardvpn-cli login'"
+echo "2. Start services:"
+echo "   rc-service mihomo-iptables start"
+echo "   rc-service mihomo start"
+echo "3. Check logs: 'cat /var/log/mihomo/...' or check process status"

scripts/warpgates/iptables-mihomo-setup-alpine-mark2.sh

@@ -0,0 +1,121 @@
+#!/bin/bash
+set -euo pipefail
+
+# ----------------------------
+# Config
+# ----------------------------
+MIHOMO_UID="mihomo"
+REDIR_PORT="7892"     # TCP Redirect
+TPROXY_PORT="7893"    # UDP/TCP TProxy
+FW_MARK="0x1"
+ROUTE_TABLE="100"
+
+EXCLUDE_IFACES=("tun0")  
+
+# ----------------------------
+# Helpers
+# ----------------------------
+ipt() { iptables "$@"; }
+
+del_loop() {
+  local table=$1
+  local chain=$2
+  shift 2
+  local rule_args="$@"
+
+  while iptables -t "$table" -C "$chain" $rule_args 2>/dev/null; do
+    echo "Deleting from $table/$chain: $rule_args"
+    iptables -t "$table" -D "$chain" $rule_args
+  done
+}
+
+ensure_ip_rule() {
+  while ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; do
+    ip rule del fwmark ${FW_MARK} lookup ${ROUTE_TABLE} || true
+  done
+  ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE}
+  ip route replace local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
+}
+
+# ----------------------------
+# CLEANUP PHASE
+# ----------------------------
+echo "--- Cleaning up old rules (Robust Mode) ---"
+
+del_loop nat OUTPUT -p tcp -m comment --comment "MIHOMO-JUMP" -j MIHOMO_REDIR
+del_loop nat PREROUTING -i wt0 -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}"
+del_loop mangle PREROUTING -i wt0 -m comment --comment "MIHOMO-JUMP" -j MIHOMO_TPROXY
+
+del_loop mangle OUTPUT -p tcp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+del_loop mangle OUTPUT -p udp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  del_loop mangle OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+  del_loop mangle PREROUTING -i "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+  del_loop nat OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+
+del_loop mangle OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+del_loop nat OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+
+ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
+ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
+
+ipt -t nat -F MIHOMO_REDIR 2>/dev/null || true
+ipt -t nat -X MIHOMO_REDIR 2>/dev/null || true
+
+echo "--- Cleanup finished. Applying new rules ---"
+
+# ----------------------------
+# NAT (REDIRECT) - TCP
+# ----------------------------
+ipt -t nat -N MIHOMO_REDIR
+
+# Exclusions for gateway's own traffic
+ipt -t nat -A MIHOMO_REDIR -d 192.168.0.0/16 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 10.0.0.0/8 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 172.16.0.0/12 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 127.0.0.0/8 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -p tcp -j REDIRECT --to-ports "${REDIR_PORT}"
+
+# Apply to OUTPUT (Local gateway traffic)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t nat -A OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t nat -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+ipt -t nat -A OUTPUT -p tcp -m comment --comment "MIHOMO-JUMP" -j MIHOMO_REDIR
+
+# Apply to PREROUTING (wt0 Ingress) - Force Redir for NetBird (skips exclusions by design)
+ipt -t nat -A PREROUTING -i wt0 -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}"
+
+# ----------------------------
+# MANGLE (TPROXY) - UDP
+# ----------------------------
+ensure_ip_rule
+ipt -t mangle -N MIHOMO_TPROXY
+
+# Local exclusions: apply ONLY if traffic is NOT coming from NetBird (wt0)
+ipt -t mangle -A MIHOMO_TPROXY ! -i wt0 -d 192.168.0.0/16 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY ! -i wt0 -d 10.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY ! -i wt0 -d 172.16.0.0/12 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY ! -i wt0 -d 127.0.0.0/8 -j RETURN
+
+# TProxy Targets (UDP only, TCP is handled by REDIRECT)
+ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}"
+
+# Apply to OUTPUT (Local gateway traffic)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t mangle -A OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t mangle -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+
+# Mark local UDP packets
+ipt -t mangle -A OUTPUT -p udp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+
+# Apply to PREROUTING (wt0 Ingress)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t mangle -A PREROUTING -i "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t mangle -A PREROUTING -i wt0 -m comment --comment "MIHOMO-JUMP" -j MIHOMO_TPROXY
+
+echo "Done. Suboptimal hypervisor constraints bypassed successfully."

scripts/warpgates/iptables-mihomo-setup-alpine.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+set -u
+
+# ----------------------------
+# Config
+# ----------------------------
+MIHOMO_UID="mihomo"
+TPROXY_PORT="7893"
+FW_MARK="0x1"
+ROUTE_TABLE="100"
+
+# Интерфейсы клиентов (откуда прилетают запросы)
+LAN_IFACES=("wt0" "eth1" "eth2")
+
+# Порты самого сервера, которые НЕ надо проксировать (Web UI, SSH)
+LOCAL_PORTS="9090,22"
+
+# ----------------------------
+# Helpers
+# ----------------------------
+ipt() { iptables "$@"; }
+
+cleanup_references() {
+    local chain=$1
+    iptables-save | grep "\-j $chain" | sed "s/^-A/-D/" | while read rule; do
+        iptables -t mangle $rule 2>/dev/null || true
+    done
+}
+
+ensure_ip_rule() {
+  # 1. Перехват трафика от клиентов в TProxy (то, что мы уже починили)
+  if ! ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; then
+    ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE} pref 90
+  fi
+  if ! ip route show table ${ROUTE_TABLE} | grep -q "local default"; then
+    ip route add local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
+  fi
+  
+  # 2. НОВОЕ: Выпуск трафика Mihomo в интернет в обход Netbird
+  if ! ip rule list | grep -q "fwmark 1337 lookup main"; then
+    ip rule add fwmark 1337 lookup main pref 80
+  fi
+}
+
+# ----------------------------
+# 1. CLEANUP
+# ----------------------------
+echo "--- Cleaning up rules ---"
+cleanup_references "MIHOMO_TPROXY"
+ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
+ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
+
+# ----------------------------
+# 2. SETUP
+# ----------------------------
+ensure_ip_rule
+
+# --- CHAIN: PREROUTING (Для клиентов) ---
+ipt -t mangle -N MIHOMO_TPROXY
+
+# === 1. Исключения по Портам (CRITICAL FIX) ===
+# Если стучатся в веб-морду или SSH - пропускаем мимо TProxy
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -m multiport --dports "${LOCAL_PORTS}" -j RETURN
+
+# === 2. Исключения по IP (Bypass) ===
+# RFC1918 Private Networks
+ipt -t mangle -A MIHOMO_TPROXY -d 0.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 169.254.0.0/16 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
+# Multicast
+ipt -t mangle -A MIHOMO_TPROXY -d 224.0.0.0/4 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 240.0.0.0/4 -j RETURN
+# !!! NETBIRD / CGNAT (Fix for VPN access) !!!
+ipt -t mangle -A MIHOMO_TPROXY -d 100.64.0.0/10 -j RETURN
+
+# === 3. Заворачиваем в TProxy ===
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+
+# ----------------------------
+# 3. APPLY
+# ----------------------------
+for IFACE in "${LAN_IFACES[@]}"; do
+    echo "Adding TProxy rules for interface: $IFACE"
+    ipt -t mangle -A PREROUTING -i "$IFACE" -j MIHOMO_TPROXY
+done

scripts/warpgates/update-core-and-dash.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+set -e
+
+# Configuration
+UI_URL="https://github.com/Zephyruso/zashboard/releases/latest/download/dist-cdn-fonts.zip"
+BIN_DIR="/usr/local/bin"
+UI_DIR="/etc/mihomo/ui/zashboard"
+
+echo "[*] Resolving latest Alpha URL from vernesong/mihomo..."
+CORE_URL=$(curl -sL "https://api.github.com/repos/vernesong/mihomo/releases/tags/Prerelease-Alpha" | grep -o 'https://[^"]*mihomo-linux-amd64-alpha-smart-[^"]*\.gz' | head -n 1)
+
+if [ -z "$CORE_URL" ]; then
+    echo "[-] ERROR: Failed to resolve download URL."
+    exit 1
+fi
+
+echo "[+] Target URL: $CORE_URL"
+
+# ==========================================
+# ФАЗА 1: СЕТЕВЫЕ ОПЕРАЦИИ (пока жив DNS)
+# ==========================================
+
+echo "[*] Downloading Mihomo Core..."
+curl -SLf -o /tmp/mihomo.gz "$CORE_URL"
+
+if [ ! -s /tmp/mihomo.gz ]; then
+    echo "[-] ERROR: Downloaded core file is empty or missing!"
+    exit 1
+fi
+
+echo "[*] Downloading Zashboard UI..."
+curl -SLf -o /tmp/zashboard.zip "$UI_URL"
+
+if [ ! -s /tmp/zashboard.zip ]; then
+    echo "[-] ERROR: Downloaded UI file is empty or missing!"
+    exit 1
+fi
+
+# ==========================================
+# ФАЗА 2: ЛОКАЛЬНЫЕ ОПЕРАЦИИ (остановка сервиса)
+# ==========================================
+
+echo "[*] Stopping mihomo service..."
+rc-service mihomo stop
+
+echo "[*] Unpacking and installing Mihomo Core..."
+gzip -d -f /tmp/mihomo.gz
+mv /tmp/mihomo "$BIN_DIR/mihomo"
+chmod 755 "$BIN_DIR/mihomo"
+chown root:root "$BIN_DIR/mihomo"
+setcap 'cap_net_admin,cap_net_bind_service=+ep' "$BIN_DIR/mihomo"
+
+echo "[*] Unpacking and installing Zashboard UI..."
+# Создаем изолированную директорию для распаковки
+mkdir -p /tmp/zash_temp
+unzip -q -o /tmp/zashboard.zip -d /tmp/zash_temp/
+
+# Динамически ищем, как GitHub назвал корневую папку внутри архива
+EXTRACTED_DIR=$(find /tmp/zash_temp -mindepth 1 -maxdepth 1 -type d | head -n 1)
+
+if [ -z "$EXTRACTED_DIR" ]; then
+    echo "[-] ERROR: Could not find extracted UI directory in the zip archive."
+    rc-service mihomo start
+    exit 1
+fi
+
+rm -rf "$UI_DIR"/*
+# Копируем содержимое найденной папки
+cp -r "$EXTRACTED_DIR"/* "$UI_DIR"/
+
+chown -R root:root "$UI_DIR"
+find "$UI_DIR" -type d -exec chmod 755 {} \;
+find "$UI_DIR" -type f -exec chmod 644 {} \;
+
+# Зачищаем следы
+rm -rf /tmp/zashboard.zip /tmp/zash_temp
+
+echo "[*] Starting mihomo service..."
+rc-service mihomo start
+
+echo "[+] Update completed successfully."