
Flashing native OpenWRT on a Raspberry Pi and installing V2ray as a side router (gateway or transparent proxy) so the whole house goes through the proxy with no per-device configuration

ITGeeker previously configured OpenWRT with SS + ChinaDNS + DNS-Forwarder as a proxy:

Although obfs obfuscation is no longer supported by ss, that setup still works fine. Recently, however, the server started supporting V2ray, so I configured a V2ray transparent proxy on OpenWRT again. You could call it a gateway; ITGeeker likes to call it a side router, and you can call it whatever you like. Since it is installed on a secondary router here, it is referred to as the side router below.

First, a simplified topology diagram. A full step-by-step walkthrough with screenshots would be quite long; anyone who can read the complete configuration file below should be able to set it up themselves. If you need an illustrated guide, leave a comment and it will be prioritized.

by itgeeker.net

V2ray effectively bundles many of the tools mentioned above, so it is easier to install and far more capable, but configuring it is not any simpler; fortunately the preset configuration shipped with the OpenWRT build is very useful.

Full configuration file

Taken from /var/etc/v2ray/v2ray.main.json. I have six outbound servers of my own configured here, four v2ray + two ss. Just replace them with your own server address, ID, alterId and security (or the SS password) and proxying should in principle work automatically.

In V2ray's global settings, pointing it at a config file should also work, but I have not tested that myself.
{
	"log": {
		"access": "/dev/null",
		"loglevel": "warning",
		"error": "/var/log/v2ray-error.log"
	},
	"dns": {
		"hosts": {
			"example.com": "127.0.0.1"
		},
		"servers": [
			"1.1.1.1",
			"8.8.8.8",
			{
				"address": "114.114.114.114",
				"port": 53,
				"domains": [
					"geosite:cn",
					"ntp.org"
				]
			},
			{
				"address": "223.5.5.5",
				"port": 53,
				"domains": [
					"geosite:cn"
				]
			},
			"202.96.209.5"
		]
	},
	"routing": {
		"domainStrategy": "IPOnDemand",
		"rules": [
			{
				"type": "field",
				"ip": [
					"geoip:private",
					"geoip:cn"
				],
				"outboundTag": "direct"
			},
			{
				"type": "field",
				"domain": [
					"geosite:cn"
				],
				"outboundTag": "direct"
			},
			{
				"type": "field",
				"protocol": [
					"bittorrent"
				],
				"outboundTag": "direct"
			},
			{
				"type": "field",
				"domain": [
					"geosite:category-ads-all"
				],
				"outboundTag": "block"
			},
			{
				"type": "field",
				"port": "53",
				"network": "udp",
				"inboundTag": [
					"transparent"
				],
				"outboundTag": "dns_out"
			},
			{
				"type": "field",
				"ip": [
					"114.114.114.114",
					"223.5.5.5"
				],
				"outboundTag": "direct"
			},
			{
				"type": "field",
				"ip": [
					"1.1.1.1",
					"8.8.8.8",
					"208.67.222.222"
				],
				"outboundTag": "proxy"
			},
			{
				"type": "field",
				"port": "123",
				"network": "udp",
				"outboundTag": "direct"
			}
		],
		"balancers": [
			{
				"tag": "balancer",
				"selector": [
					"server1",
					"server2",
					"server3",
					"server4",
					"proxy"
				]
			}
		]
	},
	"inbounds": [
		{
			"port": 10800,
			"protocol": "socks",
			"settings": {
				"auth": "noauth",
				"udp": true,
				"ip": "0.0.0.0"
			},
			"streamSettings": {
				"sockopt": {
					
				}
			},
			"tag": "in_proxy",
			"sniffing": {
				"enabled": true,
				"destOverride": [
					"http",
					"tls"
				]
			}
		},
		{
			"port": 10811,
			"protocol": "dokodemo-door",
			"settings": {
				"followRedirect": true,
				"network": "tcp,udp",
				"timeout": 30
			},
			"streamSettings": {
				"sockopt": {
					
				}
			},
			"tag": "transparent",
			"sniffing": {
				"enabled": true,
				"destOverride": [
					"http",
					"tls"
				]
			}
		}
	],
	"outbounds": [
		{
			"protocol": "vmess",
			"settings": {
				"vnext": [
					{
						"address": "server3.domain.com",
						"port": "YOUR SERVER PORT",
						"users": [
							{
								"id": "YOUR SERVER ID",
								"alterId": 0,
								"security": "auto"
							}
						]
					}
				]
			},
			"streamSettings": {
				"sockopt": {
					"mark": 255
				}
			},
			"tag": "proxy",
			"mux": {
				"enabled": true,
				"concurrency": 8
			}
		},
		{
			"protocol": "freedom",
			"settings": {
				
			},
			"streamSettings": {
				"sockopt": {
					"mark": 255
				}
			},
			"tag": "direct",
			"mux": {
				"enabled": true,
				"concurrency": 8
			}
		},
		{
			"protocol": "blackhole",
			"settings": {
				
			},
			"streamSettings": {
				"sockopt": {
					"mark": 255
				}
			},
			"tag": "block"
		},
		{
			"protocol": "dns",
			"settings": {
				
			},
			"streamSettings": {
				"sockopt": {
					"mark": 255
				}
			},
			"tag": "dns_out"
		},
		{
			"protocol": "vmess",
			"settings": {
				"vnext": [
					{
						"address": "server5.domain.com",
						"port": "YOUR SERVER PORT",
						"users": [
							{
								"id": "YOUR SERVER ID",
								"alterId": 0,
								"security": "auto"
							}
						]
					}
				]
			},
			"streamSettings": {
				"sockopt": {
					"mark": 255
				}
			},
			"tag": "server5",
			"mux": {
				"enabled": true,
				"concurrency": 8
			}
		},
		{
			"protocol": "vmess",
			"settings": {
				"vnext": [
					{
						"address": "server4.domain.com",
						"port": "YOUR SERVER PORT",
						"users": [
							{
								"id": "YOUR SERVER ID",
								"alterId": 0,
								"security": "auto"
							}
						]
					}
				]
			},
			"streamSettings": {
				"network": "tcp",
				"tcpSettings": {
					"header": {
						"type": "none"
					}
				},
				"sockopt": {
					"mark": 255
				}
			},
			"tag": "server4"
		},
		{
			"protocol": "vmess",
			"settings": {
				"vnext": [
					{
						"address": "server801.domain.com",
						"port": "YOUR SERVER PORT",
						"users": [
							{
								"id": "YOUR SERVER ID",
								"alterId": 0,
								"security": "auto"
							}
						]
					}
				]
			},
			"streamSettings": {
				"network": "tcp",
				"tcpSettings": {
					"header": {
						"type": "none"
					}
				},
				"sockopt": {
					"mark": 255
				}
			},
			"tag": "server801",
			"mux": {
				"enabled": true,
				"concurrency": 8
			}
		},
		{
			"protocol": "shadowsocks",
			"settings": {
				"servers": [
					{
						"address": "server1.domain.com",
						"port": "YOUR SERVER PORT",
						"method": "aes-256-gcm",
						"password": "YOUR SS PASSWORD",
						"ota": false
					}
				]
			},
			"streamSettings": {
				"sockopt": {
					"mark": 255,
					"tcpFastOpen": true
				}
			},
			"tag": "server1"
		},
		{
			"protocol": "shadowsocks",
			"settings": {
				"servers": [
					{
						"address": "server2.domain.com",
						"port": "YOUR SERVER PORT",
						"method": "aes-256-gcm",
						"password": "YOUR SS PASSWORD",
						"ota": false
					}
				]
			},
			"streamSettings": {
				"sockopt": {
					"mark": 255,
					"tcpFastOpen": true
				}
			},
			"tag": "server2"
		}
	]
}
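Before deploying a file like the one above, it is worth checking it mechanically: that no template placeholder was left in, that every outboundTag, inboundTag and balancer selector resolves to a tag that exists, that the no-auth SOCKS inbound is not left listening on every interface (V2Ray binds 0.0.0.0 when no listen address is given), and that the iptables REDIRECT port actually lands on a dokodemo-door inbound. The checker below is an added example, not part of the post or of the OpenWRT V2ray package; it assumes the placeholders are the quoted strings starting with "YOUR " shown above and takes the already parsed JSON (e.g. json.load() of v2ray.main.json).

```python
from typing import Optional

PLACEHOLDER = "YOUR "  # every template value in the post above starts with this

def check_v2ray_config(cfg: dict, redirect_port: Optional[int] = None) -> list:
    """Return a list of problems found in a parsed V2Ray config (empty list = OK)."""
    problems = []
    inbounds, outbounds = cfg.get("inbounds", []), cfg.get("outbounds", [])
    in_tags = {i.get("tag") for i in inbounds}
    out_tags = {o.get("tag") for o in outbounds}
    # 1. any template placeholder still left in the outbounds (address, port, id, password)
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for n, v in enumerate(node):
                walk(v, f"{path}[{n}]")
        elif isinstance(node, str) and node.startswith(PLACEHOLDER):
            problems.append(f"placeholder not replaced at {path}: {node!r}")
    walk(outbounds, "outbounds")

    # 2. routing rules and balancers must point at tags that exist
    #    (V2Ray balancer selectors are prefix matches on outbound tags)
    routing = cfg.get("routing", {})
    for n, rule in enumerate(routing.get("rules", [])):
        tag = rule.get("outboundTag")
        if tag is not None and tag not in out_tags:
            problems.append(f"rule {n}: unknown outboundTag {tag!r}")
        for t in rule.get("inboundTag", []):
            if t not in in_tags:
                problems.append(f"rule {n}: unknown inboundTag {t!r}")
    for b in routing.get("balancers", []):
        for sel in b.get("selector", []):
            if not any(str(t).startswith(sel) for t in out_tags):
                problems.append(f"balancer {b.get('tag')!r}: selector {sel!r} matches no outbound")

    # 3. a SOCKS inbound with auth=noauth and no 'listen' address binds 0.0.0.0, so
    #    every host that can reach the gateway gets an open proxy through it
    for i in inbounds:
        s = i.get("settings", {})
        if i.get("protocol") == "socks" and s.get("auth") == "noauth" and i.get("listen", "0.0.0.0") == "0.0.0.0":
            problems.append(f"inbound {i.get('tag')!r}: unauthenticated SOCKS reachable on all interfaces")

    # 4. the iptables REDIRECT --to-port must be the port of a dokodemo-door inbound
    if redirect_port is not None:
        doko = {i.get("port") for i in inbounds if i.get("protocol") == "dokodemo-door"}
        if redirect_port not in doko:
            problems.append(f"REDIRECT to port {redirect_port} reaches no dokodemo-door inbound {sorted(doko, key=str)}")
    return problems
```

Pass the port from your REDIRECT rule as redirect_port; an empty list means the file is consistent with itself and with the firewall rule.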

Firewall (iptables) configuration

Run these on the command line, or add them in the OpenWrt web interface under Network -> Firewall -> Custom Rules

ipset -N gfwlist iphash
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1081
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1081
ipset add gfwlist 8.8.8.8

Enabling UDP requires the iptables-mod-tproxy module; make sure it is installed.

opkg install iptables-mod-tproxy

OpenWRT dnsmasq-full configuration

Reference: OpenWRT dnsmasq-full configuration

cd /etc/dnsmasq.d && wget https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist_ipset.conf

# If the download fails, install:
opkg install libustream-mbedtls coreutils-base64 ca-certificates ca-bundle

Here we need to delete every line in dnsmasq_gfwlist_ipset.conf that looks like server=/hp.com/127.0.0.1#5353. On Windows 10 you can use an editor such as VS Code: do a regex search for

server=/(.*)

and replace it with nothing. Remember to

# restart dnsmasq
/etc/init.d/dnsmasq restart

Installing dnsmasq-china-list (optional)

This serves as a front-end optimization for telling domestic and foreign sites apart; follow the official installation instructions. Their official code is hosted on all the major code-hosting sites at home and abroad:

Troubleshooting the V2ray transparent proxy

If you still cannot get online after rebooting both the main router and the side router, check the following:

  • Is the side router configured correctly? See

Router flashed with OpenWRT + side router setup + seamless roaming (using a Raspberry Pi 3B/3B+/4B running OpenWRT as a side router)

  • Is IP forwarding enabled on the side router?
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/10-default.conf
sysctl -p
  • Test whether the side router itself can reach the internet through the proxy:
curl -x socks5://127.0.0.1:1080 google.com

The result should be:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
  • Check once more that the iptables commands were executed correctly.
  • Still not working? Find an expert to walk you through it.

The setup here sends traffic to the proxy with the redirect method, which does not support IPv6; the tproxy method is said to support IPv6.


OpenWRT dnsmasq-full configuration

The main purpose of this dnsmasq configuration is to collect the domains that need proxying into an ipset, which is then handed to iptables.

Installing dnsmasq-full

OpenWRT's default dnsmasq does not support ipset, so the dnsmasq-full version has to be installed. ipset provides domain-based forwarding to the proxy, whereas chinadns forwards based on IP address. So if you choose domain matching to decide what goes through the proxy, you need dnsmasq-full. This raises a problem: once dnsmasq is removed, domain names can no longer be resolved, so dnsmasq-full cannot be downloaded and installed. Removal and installation must therefore be done in a single step to avoid this. The command is:

opkg remove dnsmasq && opkg install dnsmasq-full

Configuring dnsmasq-full on OpenWRT

mkdir -p /etc/dnsmasq.d

uci add_list dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d
uci commit dhcp
uci get dhcp.@dnsmasq[0].confdir

Downloading the dnsmasq-full configuration file

cd /etc/dnsmasq.d && wget https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist_ipset.conf

# If the download fails, install:
opkg install libustream-mbedtls coreutils-base64 ca-certificates ca-bundle

Each entry in dnsmasq_gfwlist_ipset.conf looks like this:

server=/hp.com/127.0.0.1#5353
ipset=/hp.com/gfwlist

If you forward through DNS-Forwarder, fill in the corresponding port, e.g. #5353

The gfwlist after ipset must match the set name used in the firewall iptables commands below.

# restart dnsmasq
/etc/init.d/dnsmasq restart
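Both the V2ray post above (which says to delete every server= line from dnsmasq_gfwlist_ipset.conf) and this dnsmasq-full post (which says the set name after ipset= must match the iptables rule) can be checked with the same small parser. It is an added example, not code from the post or from the gfwlist2dnsmasq project; SAMPLE_CONF is a constructed file in the same line format, and drop_server_lines=False keeps the server= lines for the DNS-Forwarder setup.

```python
import re

IPSET_LINE = re.compile(r"^ipset=/(?P<domain>[^/\s]+)/(?P<set>\S+)$")

# constructed sample in the format of dnsmasq_gfwlist_ipset.conf (not the real file)
SAMPLE_CONF = """\
# constructed sample
server=/hp.com/127.0.0.1#5353
ipset=/hp.com/gfwlist
server=/example.org/127.0.0.1#5353
ipset=/example.org/gfwlist
ipset=/typo.example/gfw_list
"""

def clean_gfwlist_conf(text: str, expected_set: str = "gfwlist", drop_server_lines: bool = True):
    """Optionally strip every server= line (the V2ray setup answers DNS itself via its
    dns outbound), keep the ipset= lines, and flag any ipset whose set name differs
    from the one the iptables rules match on. Returns (cleaned_text, domains, mismatches)."""
    kept, domains, mismatches = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if drop_server_lines and line.startswith("server=/"):
            continue                      # upstream override line, removed as the post instructs
        m = IPSET_LINE.match(line)
        if m:
            domains.append(m["domain"])
            if m["set"] != expected_set:  # such domains would never be REDIRECTed by iptables
                mismatches.append((lineno, line))
        kept.append(raw)                  # comments, blank lines and ipset lines survive
    return "\n".join(kept) + "\n", domains, mismatches
```

Run it over the downloaded file and write cleaned_text back only if mismatches is empty; a non-empty list means some domains would be resolved but never routed to the proxy.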