ITGeeker之前有配置过OpenWRT使用SS+ChinaDNS+DNS-Forwarder来做代理:
虽然obfs混淆不被ss支持了,但使用起来还是没有问题的。不过最近服务器支持V2ray了,所以又用OpenWRT配置了V2ray的透明代理,或者说是网关,ITGeeker喜欢把它叫成旁路由,你喜欢怎么称呼都可以,技术奇客这里安装再旁路由器里,就称旁路由了。
先来个简化的拓扑图,具体配置图文的确比较繁杂,看的懂下面的完整配置文件的应该可以自己配置。有需要图文说明的请留言将优先更新。
by itgeeker.net
V2ray其实相当于打包了好多上面的应用,安装起来比较方便,功能强大了很多,但配置起来却不是更方便,幸亏openwrt版的预先内置配置很有用。
完整配置文档
来自/var/etc/v2ray/v2ray.main.json文件,我这里配置了6个自有的outbond服务器,4个v2ray+2个ss。只要替换上你自己的服务器地址、ID、alterId、security或者SS的密码,理论上就可自动实现代理了。
{
"log": {
"access": "/dev/null",
"loglevel": "warning",
"error": "/var/log/v2ray-error.log"
},
"dns": {
"hosts": {
"example.com": "127.0.0.1"
},
"servers": [
"1.1.1.1",
"8.8.8.8",
{
"address": "114.114.114.114",
"port": 53,
"domains": [
"geosite:cn",
"ntp.org"
]
},
{
"address": "223.5.5.5",
"port": 53,
"domains": [
"geosite:cn"
]
},
"202.96.209.5"
]
},
"routing": {
"domainStrategy": "IPOnDemand",
"rules": [
{
"type": "field",
"ip": [
"geoip:private",
"geoip:cn"
],
"outboundTag": "direct"
},
{
"type": "field",
"domain": [
"geosite:cn"
],
"outboundTag": "direct"
},
{
"type": "field",
"protocol": [
"bittorrent"
],
"outboundTag": "direct"
},
{
"type": "field",
"domain": [
"geosite:category-ads-all"
],
"outboundTag": "block"
},
{
"type": "field",
"port": "53",
"network": "udp",
"inboundTag": [
"transparent"
],
"outboundTag": "dns_out"
},
{
"type": "field",
"ip": [
"114.114.114.114",
"223.5.5.5"
],
"outboundTag": "direct"
},
{
"type": "field",
"ip": [
"1.1.1.1",
"8.8.8.8",
"208.67.222.222"
],
"outboundTag": "proxy"
},
{
"type": "field",
"port": "123",
"network": "udp",
"outboundTag": "direct"
}
],
"balancers": [
{
"tag": "balancer",
"selector": [
"server1",
"server2",
"server3",
"server4",
"proxy"
]
}
]
},
"inbounds": [
{
"port": 10800,
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": true,
"ip": "0.0.0.0"
},
"streamSettings": {
"sockopt": {
}
},
"tag": "in_proxy",
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
},
{
"port": 10811,
"protocol": "dokodemo-door",
"settings": {
"followRedirect": true,
"network": "tcp,udp",
"timeout": 30
},
"streamSettings": {
"sockopt": {
}
},
"tag": "transparent",
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "server3.domain.com",
"port": YOUR SERVER ID PORT,
"users": [
{
"id": "YOUR SERVER ID“
"alterId": 0,
"security": "auto"
}
]
}
]
},
"streamSettings": {
"sockopt": {
"mark": 255
}
},
"tag": "proxy",
"mux": {
"enabled": true,
"concurrency": 8
}
},
{
"protocol": "freedom",
"settings": {
},
"streamSettings": {
"sockopt": {
"mark": 255
}
},
"tag": "direct",
"mux": {
"enabled": true,
"concurrency": 8
}
},
{
"protocol": "blackhole",
"settings": {
},
"streamSettings": {
"sockopt": {
"mark": 255
}
},
"tag": "block"
},
{
"protocol": "dns",
"settings": {
},
"streamSettings": {
"sockopt": {
"mark": 255
}
},
"tag": "dns_out"
},
{
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "server5.domain.com",
"port": YOUR SERVER ID PORT,
"users": [
{
"id": "YOUR SERVER ID“
"alterId": 0,
"security": "auto"
}
]
}
]
},
"streamSettings": {
"sockopt": {
"mark": 255
}
},
"tag": "server5",
"mux": {
"enabled": true,
"concurrency": 8
}
},
{
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "server4.domain.com",
"port": YOUR SERVER ID PORT,
"users": [
{
"id": "YOUR SERVER ID“
"alterId": 0,
"security": "auto"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"tcpSettings": {
"header": {
"type": "none"
}
},
"sockopt": {
"mark": 255
}
},
"tag": "server4"
},
{
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "server801.domain.com",
"port": YOUR SERVER ID PORT,
"users": [
{
"id": "YOUR SERVER ID“
"alterId": 0,
"security": "auto"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"tcpSettings": {
"header": {
"type": "none"
}
},
"sockopt": {
"mark": 255
}
},
"tag": "server801",
"mux": {
"enabled": true,
"concurrency": 8
}
},
{
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"address": "server1.domain.com",
"port": YOUR SERVER ID PORT,
"method": "aes-256-gcm",
"password": "YOUR SS PASSWORD",
"ota": false
}
]
},
"streamSettings": {
"sockopt": {
"mark": 255,
"tcpFastOpen": true
}
},
"tag": "server1"
},
{
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"address": "server2.domain.com",
"port": YOUR SERVER ID PORT,
"method": "aes-256-gcm",
"password": "YOUR SS PASSWORD",
"ota": false
}
]
},
"streamSettings": {
"sockopt": {
"mark": 255,
"tcpFastOpen": true
}
},
"tag": "server2"
}
]
}
防火墙iptables配置
命令行输入执行或者添加到OpenWrt 管理界面面 Network -> Firewall -> Custom Rules
ipset -N gfwlist iphash
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1081
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1081
ipset add gfwlist 8.8.8.8开启UDP需要 iptables-mod-tproxy 模块,请确保已经安装好。
opkg install iptables-mod-tproxyOpenWRT dnsmasq-full配置
cd /etc/dnsmasq.d && wget https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist_ipset.conf
#若下载错误,请安装
opkg install libustream-mbedtls coreutils-base64 ca-certificates ca-bundle这里我们需要把dnsmasq_gfwlist_ipset.conf里类似server=/hp.com/127.0.0.1#5353的行全部删除,在win10可用vsc等编辑软件,正则搜索
server=/(.*)替换为空就行。记得
# 重启dnsmasq
/etc/init.d/dnsmasq restartdnsmasq-china-list安装(可选)
作为前置优化国内外网站用,请参考官方发安装方法,国内外各大代码网站都有他们的官方代码:
- https://gitee.com/felixonmars/dnsmasq-china-list.git
- https://pagure.io/dnsmasq-china-list.git
- https://github.com/felixonmars/dnsmasq-china-list.git
- https://bitbucket.org/felixonmars/dnsmasq-china-list.git
- https://gitlab.com/felixonmars/dnsmasq-china-list.git
- https://codehub.devcloud.huaweicloud.com/dnsmasq-china-list00001/dnsmasq-china-list.git
- https://code.aliyun.com/felixonmars/dnsmasq-china-list.git
- http://repo.or.cz/dnsmasq-china-list.git
V2ray透明代理的问题解决
如果重启主路由和旁路由了还不能上网,可以按以下方式检查:
- 旁路由配置是否正确?可以参考
刷了OpenWRT的路由器+旁路由配置方法+无缝漫游配置(树莓派3B/3B+/4B使用OpenWRT系统做旁路由)
- 旁路由是否开启 IP 转发?
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/10-default.conf
sysctl -p- 测试旁路由自身是否可以通过代理上网?
curl -x socks5://127.0.0.1:1080 google.com结果应为:
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>- 再检查一遍iptables命令是否被正确执行?
- 还不行,找个高手指导一下吧
这里用的是redirect的方式走代理,不支持ipv6,据说tproxy的方式可以支持ipv6
by itgeeker.net