WHAT
各个服务的依赖关系: dns-forwarder 通过 TCP 查询 8.8.8.8,作为 ChinaDNS 的上游,替代旧方案 ss-tunnel 使用 UDP 查询 8.8.8.8 —— 受 GFW 干扰,UDP 丢包较严重。
repo
OpenWrt-dist is a package depot for OpenWrt/LEDE devices.
http://openwrt-dist.sourceforge.net/packages/
OpenWrt-dist 提供 ChinaDNS、dns-forwarder、shadowsocks-libev、simple-obfs 软件包;https://dl.bintray.com/aa65535/opkg/shadowsocks-libev/ 则提供较新版本的 shadowsocks-libev。但 http://openwrt-dist.sourceforge.net/ 被墙了,需要在 VPS 上自建软件源:
- 安装 WEB 服务软件包 httpd
- 下载路由器 CPU 架构对应的软件包
so easy
VPS 安装并启动 httpd 服务:
yum install -y httpd && service httpd start
查询路由器 CPU 架构:
root@OpenWrt:~# opkg print-architecture
arch all 1
arch noarch 1
arch ar71xx 10
root@OpenWrt:~# opkg print-architecture|tail -n 1|awk '{print $2}'
ar71xx
下载 openwrt 对应 CPU 架构的源及公钥到 httpd 目录下:
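# Mirror the OpenWrt-dist feeds for this router's CPU architecture into the
# httpd document root, so the router fetches them from the VPS instead of the
# blocked sourceforge host.
# arch is what `opkg print-architecture` reports on the router (last line,
# second field).
arch=ar71xx
opkg_key="http://openwrt-dist.sourceforge.net/packages/openwrt-dist.pub"
luci_repo="http://openwrt-dist.sourceforge.net/packages/OpenWrt/luci/"
base_repo="http://openwrt-dist.sourceforge.net/packages/OpenWrt/base/${arch}/"
# -P replaces an unchecked `cd /var/www/html/`: if that directory did not
# exist, the mirror would silently be written into the current directory.
# -m -np -nH: recursive mirror, no parent directories, no host-name directory
# (so the tree lands in /var/www/html/packages/...); -R html and the
# reject-regex drop index pages and links carrying a ?x=y;z=w query string.
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." -P /var/www/html/ "$luci_repo"
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." -P /var/www/html/ "$base_repo"
# The feed signing key is taken from the upstream project, not from this
# mirror. Keep this copy as the reference: routers later fetch the key over
# plain HTTP from the VPS and should be compared against it before import.
wget -c -nv "$opkg_key" -O /var/www/html/packages/openwrt-dist.pub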
# du -sh /var/www/html/packages/
744K /var/www/html/packages/
# tree /var/www/html/packages/
/var/www/html/packages/
├── OpenWrt
│ ├── base
│ │ └── ar71xx
│ │ ├── ChinaDNS_1.3.2-5_ar71xx.ipk
│ │ ├── dns-forwarder_1.2.1-1_ar71xx.ipk
│ │ ├── libmbedtls_2.5.1-2_ar71xx.ipk
│ │ ├── libsodium_1.0.12-1_ar71xx.ipk
│ │ ├── libudns_0.4-1_ar71xx.ipk
│ │ ├── Packages
│ │ ├── Packages.gz
│ │ ├── Packages.sig
│ │ ├── shadowsocks-libev_3.0.8-1_ar71xx.ipk
│ │ ├── shadowsocks-libev-server_3.0.8-1_ar71xx.ipk
│ │ ├── ShadowVPN_0.2.0-1_ar71xx.ipk
│ │ ├── simple-obfs_0.0.3-1_ar71xx.ipk
│ │ └── simple-obfs-server_0.0.3-1_ar71xx.ipk
│ └── luci
│ ├── luci-app-chinadns_1.6.1-1_all.ipk
│ ├── luci-app-dns-forwarder_1.6.1-1_all.ipk
│ ├── luci-app-shadowsocks_1.8.1-1_all.ipk
│ ├── luci-app-shadowsocks-without-ipset_1.8.1-1_all.ipk
│ ├── luci-app-shadowvpn_1.6.1-1_all.ipk
│ ├── Packages
│ ├── Packages.gz
│ └── Packages.sig
└── openwrt-dist.pub
4 directories, 22 files
下载 LEDE 对应 CPU 架构的源及公钥到 httpd 目录下:
root@LEDE:~# arch=$(opkg print-architecture|tail -n 1|awk '{print $2}')
root@LEDE:~# echo $arch
mipsel_24kc
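# Mirror the LEDE feeds for this router's CPU architecture into the httpd
# document root (same procedure as for OpenWrt, different feed paths).
# arch is what `opkg print-architecture` reports on the router (last line,
# second field); see the transcript above.
arch=mipsel_24kc
opkg_key="http://openwrt-dist.sourceforge.net/packages/openwrt-dist.pub"
luci_repo="http://openwrt-dist.sourceforge.net/packages/LEDE/luci/"
base_repo="http://openwrt-dist.sourceforge.net/packages/LEDE/base/${arch}/"
# -P replaces an unchecked `cd /var/www/html`: if that directory did not
# exist, the mirror would silently be written into the current directory.
# -m -np -nH: recursive mirror, no parent directories, no host-name directory
# (so the tree lands in /var/www/html/packages/LEDE/...); -R html and the
# reject-regex drop index pages and links carrying a ?x=y;z=w query string.
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." -P /var/www/html "$luci_repo"
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." -P /var/www/html "$base_repo"
# Signing key from upstream; this is the reference copy routers should be
# checked against, since they fetch it over plain HTTP from the VPS.
wget -c -nv "$opkg_key" -O /var/www/html/packages/openwrt-dist.pub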
# tree /var/www/html/packages/LEDE/
/var/www/html/packages/LEDE/
├── base
│ └── mipsel_24kc
│ ├── ChinaDNS_1.3.2-5_mipsel_24kc.ipk
│ ├── dns-forwarder_1.2.1-1_mipsel_24kc.ipk
│ ├── libcares_1.13.0-1_mipsel_24kc.ipk
│ ├── libmbedtls_2.5.1-2_mipsel_24kc.ipk
│ ├── libsodium_1.0.12-1_mipsel_24kc.ipk
│ ├── libudns_0.4-1_mipsel_24kc.ipk
│ ├── Packages
│ ├── Packages.gz
│ ├── Packages.manifest
│ ├── Packages.sig
│ ├── shadowsocks-libev_3.1.0-1_mipsel_24kc.ipk
│ ├── shadowsocks-libev-server_3.1.0-1_mipsel_24kc.ipk
│ ├── ShadowVPN_0.2.0-1_mipsel_24kc.ipk
│ ├── simple-obfs_0.0.3-2_mipsel_24kc.ipk
│ └── simple-obfs-server_0.0.3-2_mipsel_24kc.ipk
└── luci
├── luci-app-chinadns_1.6.1-1_all.ipk
├── luci-app-dns-forwarder_1.6.1-1_all.ipk
├── luci-app-shadowsocks_1.8.1-1_all.ipk
├── luci-app-shadowsocks-without-ipset_1.8.1-1_all.ipk
├── luci-app-shadowvpn_1.6.1-1_all.ipk
├── Packages
├── Packages.gz
├── Packages.manifest
└── Packages.sig
3 directories, 24 files
TP Link WR703N
opkg 导入 openwrt-dist.pub 公钥:
# Import the feed signing key on the router.
# The key is fetched over plain HTTP from the same host that serves the
# packages, so a tampered download could deliver a substitute key together
# with packages signed by it. Compare the two lines printed by `cat` (the
# "untrusted comment" line and the key line) with the upstream copy kept on
# the VPS at /var/www/html/packages/openwrt-dist.pub before opkg-key add.
key_file=/tmp/openwrt-dist.pub
wget http://fuckgfw.com/packages/openwrt-dist.pub -O "$key_file"
cat "$key_file"
opkg-key add "$key_file"
root@OpenWrt:/# wget http://fuckgfw.com/packages/openwrt-dist.pub -O /tmp/openwrt-dist.pub
Connecting to fuckgfw.com (45.67.89.10:80)
openwrt-dist.pub 100% |****************************************| 104 0:00:00 ETA
root@OpenWrt:/# cat /tmp/openwrt-dist.pub
untrusted comment: public key 5c42250627d305bc
RWRcQiUGJ9MFvK9/3ma8yAZebnrCfGvZJN/qbjaVozu6Ey9+Ihgnggae
root@OpenWrt:/# opkg-key add /tmp/openwrt-dist.pub
更新软件源:
root@OpenWrt:/tmp# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
src/gz openwrt_dist http://fuckgfw.com/packages/OpenWrt/base/ar71xx
src/gz openwrt_dist_luci http://fuckgfw.com/packages/OpenWrt/luci
root@OpenWrt:~# opkg update
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/Packages.gz.
Updated list of available packages in /var/opkg-lists/openwrt_dist.
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/Packages.sig.
Signature check passed.
Downloading http://fuckgfw.com/packages/OpenWrt/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/openwrt_dist_luci.
Downloading http://fuckgfw.com/packages/OpenWrt/luci/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_base.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_luci.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_packages.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_routing.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_telephony.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_management.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management/Packages.sig.
Signature check passed.
安装软件包:
root@OpenWrt:~# opkg install curl bind-dig ChinaDNS luci-app-chinadns dns-forwarder luci-app-dns-forwarder shadowsocks-libev luci-app-shadowsocks
Installing curl (7.40.0-3) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/curl_7.40.0-3_ar71xx.ipk.
Installing libcurl (7.40.0-3) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libcurl_7.40.0-3_ar71xx.ipk.
Installing libpolarssl (1.3.14-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libpolarssl_1.3.14-1_ar71xx.ipk.
Installing bind-dig (9.9.8-P3-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/bind-dig_9.9.8-P3-1_ar71xx.ipk.
Installing bind-libs (9.9.8-P3-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/bind-libs_9.9.8-P3-1_ar71xx.ipk.
Installing libopenssl (1.0.2g-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libopenssl_1.0.2g-1_ar71xx.ipk.
Installing zlib (1.2.8-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/zlib_1.2.8-1_ar71xx.ipk.
Installing ChinaDNS (1.3.2-5) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/ChinaDNS_1.3.2-5_ar71xx.ipk.
Installing luci-app-chinadns (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-chinadns_1.6.1-1_all.ipk.
Installing dns-forwarder (1.2.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/dns-forwarder_1.2.1-1_ar71xx.ipk.
Installing luci-app-dns-forwarder (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-dns-forwarder_1.6.1-1_all.ipk.
Installing shadowsocks-libev (3.0.8-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/shadowsocks-libev_3.0.8-1_ar71xx.ipk.
Installing libev (4.19-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/libev_4.19-1_ar71xx.ipk.
Installing libudns (0.4-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libudns_0.4-1_ar71xx.ipk.
Installing libpcre (8.38-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/libpcre_8.38-1_ar71xx.ipk.
Installing libpthread (0.9.33.2-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libpthread_0.9.33.2-1_ar71xx.ipk.
Installing libsodium (1.0.12-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libsodium_1.0.12-1_ar71xx.ipk.
Installing libmbedtls (2.5.1-2) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libmbedtls_2.5.1-2_ar71xx.ipk.
Installing luci-app-shadowsocks (1.8.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-shadowsocks_1.8.1-1_all.ipk.
Installing ipset (6.24-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/ipset_6.24-1_ar71xx.ipk.
Installing kmod-ipt-ipset (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-ipt-ipset_3.18.23-1_ar71xx.ipk.
Installing kmod-nfnetlink (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-nfnetlink_3.18.23-1_ar71xx.ipk.
Installing libmnl (1.0.3-2) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libmnl_1.0.3-2_ar71xx.ipk.
Configuring zlib.
Configuring libev.
Configuring libudns.
Configuring libpcre.
Configuring libpthread.
Configuring libsodium.
Configuring libmbedtls.
Configuring shadowsocks-libev.
Configuring kmod-nfnetlink.
Configuring libpolarssl.
Configuring libcurl.
Configuring libmnl.
Configuring ChinaDNS.
Configuring luci-app-chinadns.
Configuring curl.
Configuring dns-forwarder.
Configuring kmod-ipt-ipset.
Configuring ipset.
Configuring libopenssl.
Configuring bind-libs.
Configuring luci-app-dns-forwarder.
Configuring bind-dig.
Configuring luci-app-shadowsocks.
软件包占用大概 3M 空间:
root@OpenWrt:~# df -hT
Filesystem Type Size Used Available Use% Mounted on
rootfs rootfs 12.5M 3.3M 9.2M 26% /
/dev/root squashfs 2.3M 2.3M 0 100% /rom
tmpfs tmpfs 29.8M 664.0K 29.2M 2% /tmp
tmpfs tmpfs 29.8M 44.0K 29.8M 0% /tmp/root
tmpfs tmpfs 512.0K 0 512.0K 0% /dev
/dev/mtdblock3 jffs2 12.5M 3.3M 9.2M 26% /overlay
overlayfs:/overlay overlay 12.5M 3.3M 9.2M 26% /
ss-redir 支持 UDP 代理依赖 ip 和 iptables-mod-tproxy 软件包:
root@OpenWrt:~# opkg find ip
ip - 4.0.0-1 - Routing control utility (Minimal)
root@OpenWrt:~# opkg find ip-full
ip-full - 4.0.0-1 - Routing control utility (Full)
root@OpenWrt:~# opkg find *tproxy*
iptables-mod-tproxy - 1.4.21-1 - Transparent proxy iptables extensions.
Matches:
- socket
Targets:
- TPROXY
kmod-ipt-tproxy - 3.18.23-1 - Kernel modules for Transparent Proxying
root@OpenWrt:~# opkg install ip iptables-mod-tproxy
Installing ip (4.0.0-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/ip_4.0.0-1_ar71xx.ipk.
Installing iptables-mod-tproxy (1.4.21-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/iptables-mod-tproxy_1.4.21-1_ar71xx.ipk.
Installing kmod-ipt-tproxy (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-ipt-tproxy_3.18.23-1_ar71xx.ipk.
Configuring ip.
Configuring kmod-ipt-tproxy.
failed to find a module named nf_tproxy_core
Configuring iptables-mod-tproxy.
config
默认配置:
root@OpenWrt:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
root@OpenWrt:/tmp# uci show dns-forwarder
dns-forwarder.@dns-forwarder[0]=dns-forwarder
dns-forwarder.@dns-forwarder[0].enable='0'
dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
dns-forwarder.@dns-forwarder[0].listen_port='5300'
dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
root@OpenWrt:/tmp# uci show chinadns
chinadns.@chinadns[0]=chinadns
chinadns.@chinadns[0].enable='0'
chinadns.@chinadns[0].bidirectional='0'
chinadns.@chinadns[0].chnroute='/etc/chinadns_chnroute.txt'
chinadns.@chinadns[0].port='5353'
chinadns.@chinadns[0].server='223.5.5.5,8.8.4.4'
root@OpenWrt:/tmp# uci show shadowsocks
shadowsocks.@general[0]=general
shadowsocks.@general[0].startup_delay='0'
shadowsocks.@transparent_proxy[0]=transparent_proxy
shadowsocks.@transparent_proxy[0].main_server='nil'
shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
shadowsocks.@transparent_proxy[0].local_port='1234'
shadowsocks.@socks5_proxy[0]=socks5_proxy
shadowsocks.@socks5_proxy[0].server='nil'
shadowsocks.@socks5_proxy[0].local_port='1080'
shadowsocks.@port_forward[0]=port_forward
shadowsocks.@port_forward[0].server='nil'
shadowsocks.@port_forward[0].local_port='5300'
shadowsocks.@port_forward[0].destination='8.8.4.4:53'
shadowsocks.@servers[0]=servers
shadowsocks.@servers[0].alias='sample'
shadowsocks.@servers[0].fast_open='0'
shadowsocks.@servers[0].server='127.0.0.1'
shadowsocks.@servers[0].server_port='8388'
shadowsocks.@servers[0].timeout='60'
shadowsocks.@servers[0].password='barfoo!'
shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
shadowsocks.@access_control[0]=access_control
shadowsocks.@access_control[0].self_proxy='1'
root@OpenWrt:~# cat /etc/config/dns-forwarder
config dns-forwarder
option enable '0'
option listen_addr '0.0.0.0'
option listen_port '5300'
option dns_servers '8.8.8.8'
root@OpenWrt:~# cat /etc/config/chinadns
config chinadns
option enable '0'
option bidirectional '0'
option chnroute '/etc/chinadns_chnroute.txt'
option port '5353'
option server '223.5.5.5,8.8.4.4'
root@OpenWrt:~# cat /etc/config/shadowsocks
config general
option startup_delay '0'
config transparent_proxy
list main_server 'nil'
option udp_relay_server 'nil'
option local_port '1234'
config socks5_proxy
list server 'nil'
option local_port '1080'
config port_forward
list server 'nil'
option local_port '5300'
option destination '8.8.4.4:53'
config servers
option alias 'sample'
option fast_open '0'
option server '127.0.0.1'
option server_port '8388'
option timeout '60'
option password 'barfoo!'
option encrypt_method 'chacha20-ietf-poly1305'
config access_control
option self_proxy '1'
配置 DNSmasq 服务:
# dnsmasq: stop reading /etc/hosts and the ISP resolvers in
# /tmp/resolv.conf.auto, and forward every query to ChinaDNS on
# 127.0.0.1:5353 (the regenerated /var/etc/dnsmasq.conf then carries
# no-hosts, no-resolv and server=127.0.0.1#5353).
# NOTE(review): `local` previously held '/lan/', which produced server=/lan/
# in the generated config; that entry disappears after this change, so .lan
# lookups are no longer kept local — confirm this is intended.
dnsmasq_sec='dhcp.@dnsmasq[0]'
uci set "${dnsmasq_sec}.nohosts=1"
uci set "${dnsmasq_sec}.noresolv=1"
uci set "${dnsmasq_sec}.local=127.0.0.1#5353"
# Review the pending changes before writing them to /etc/config/dhcp.
uci changes
uci commit
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].nohosts=1
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].noresolv=1
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].local=127.0.0.1#5353
root@OpenWrt:~# uci changes
dhcp.cfg02411c.nohosts='1'
dhcp.cfg02411c.noresolv='1'
dhcp.cfg02411c.local='127.0.0.1#5353'
root@OpenWrt:~# uci commit
TODO: 关闭「Use DNS servers advertised by peer」,避免 WAN 接口连接外网时被上层路由器指定 DNS 服务器:
uci set network.wan.peerdns=0
配置 shadowsocks 服务:
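# shadowsocks-libev: point the sample server entry at the VPS and enable the
# transparent proxy with the chnroute bypass list.
# SS_SRV_PASS is a placeholder for the real password. It is stored in
# cleartext in /etc/config/shadowsocks and printed by `uci changes` and
# `uci show shadowsocks`, so keep those transcripts out of shared notes.
uci set 'shadowsocks.@servers[0].server=45.67.89.10'
uci set 'shadowsocks.@servers[0].server_port=12345'
uci set 'shadowsocks.@servers[0].password=SS_SRV_PASS'
uci set 'shadowsocks.@servers[0].encrypt_method=chacha20-ietf-poly1305'
# main_server must hold the uci section id of the servers entry (cfg0a4a8f
# on this box). Derive it instead of hard-coding it: the id is generated by
# uci and need not be the same on another device. Same derivation as in the
# LEDE steps below.
ss_cfgid=$(uci show 'shadowsocks.@servers[0].alias' | awk -F '.' '{print $2}')
uci set "shadowsocks.@transparent_proxy[0].main_server=${ss_cfgid}"
# lan_target / wan_bp_list: presumably "LAN traffic goes through the WAN
# access-control chain" and "WAN bypass list" (chnroute destinations sent
# direct) — confirm against the luci-app-shadowsocks documentation.
uci set 'shadowsocks.@access_control[0].lan_target=SS_SPEC_WAN_AC'
uci set 'shadowsocks.@access_control[0].wan_bp_list=/etc/chinadns_chnroute.txt'
# Review the pending changes before writing them to /etc/config/shadowsocks.
uci changes
uci commit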
root@OpenWrt:~# uci set shadowsocks.@servers[0].server=45.67.89.10
root@OpenWrt:~# uci set shadowsocks.@servers[0].server_port=12345
root@OpenWrt:~# uci set shadowsocks.@servers[0].password=SS_SRV_PASS
root@OpenWrt:~# uci set shadowsocks.@servers[0].encrypt_method=chacha20-ietf-poly1305
root@OpenWrt:~#
root@OpenWrt:~# uci set shadowsocks.@transparent_proxy[0].main_server=cfg0a4a8f
root@OpenWrt:~#
root@OpenWrt:~# uci set shadowsocks.@access_control[0].lan_target=SS_SPEC_WAN_AC
root@OpenWrt:~# uci set shadowsocks.@access_control[0].wan_bp_list=/etc/chinadns_chnroute.txt
root@OpenWrt:~# uci changes
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='SS_SRV_PASS'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'
shadowsocks.cfg0c4417.lan_target='SS_SPEC_WAN_AC'
shadowsocks.cfg0c4417.wan_bp_list='/etc/chinadns_chnroute.txt'
root@OpenWrt:~# uci commit
配置 dns-forwarder 服务:
# dns-forwarder: enable it and restate the shipped defaults explicitly —
# listen on UDP port 5300 and resolve via 8.8.8.8 (the running process shows
# as `dns-forwarder -b 0.0.0.0 -p 5300 -s 8.8.8.8`).
# NOTE(review): listen_addr 0.0.0.0 binds on every interface (netstat later
# shows udp 0.0.0.0:5300). The only client configured on this page is
# ChinaDNS at 127.0.0.1:5300, so 127.0.0.1 would suffice unless the WAN
# firewall is known to drop inbound 5300 — confirm before exposing it.
fwd='dns-forwarder.@dns-forwarder[0]'
uci set "${fwd}.enable=1"
uci set "${fwd}.listen_addr=0.0.0.0"
uci set "${fwd}.listen_port=5300"
uci set "${fwd}.dns_servers=8.8.8.8"
# Review the pending changes before writing them to /etc/config/dns-forwarder.
uci changes
uci commit
root@OpenWrt:/tmp# uci set dns-forwarder.@dns-forwarder[0].enable=1
root@OpenWrt:/tmp# uci changes
dns-forwarder.cfg02e1e3.enable='1'
root@OpenWrt:/tmp# uci commit
配置 ChinaDNS 服务:
# ChinaDNS: enable it and set two upstreams — 223.5.5.5 (reached directly)
# and the local dns-forwarder on 127.0.0.1:5300. Port stays at the default
# 5353 and the chnroute list at /etc/chinadns_chnroute.txt (passed as -c,
# see the pgrep output below).
# NOTE(review): like dns-forwarder, the daemon ends up on udp 0.0.0.0:5353
# although dnsmasq only talks to it via 127.0.0.1; the config shown here has
# no listen-address option, so rely on the firewall for WAN exposure.
cdns='chinadns.@chinadns[0]'
uci set "${cdns}.enable=1"
uci set "${cdns}.server=223.5.5.5,127.0.0.1:5300"
# Review the pending changes before writing them to /etc/config/chinadns.
uci changes
uci commit
root@OpenWrt:/tmp# uci set chinadns.@chinadns[0].enable=1
root@OpenWrt:/tmp# uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
root@OpenWrt:/tmp# uci changes
chinadns.cfg0265ad.enable='1'
chinadns.cfg0265ad.server='223.5.5.5,127.0.0.1:5300'
root@OpenWrt:/tmp# uci commit
启动 shadowsocks 服务:
# Enable shadowsocks at boot, start it now, then confirm ss-redir is running
# and listening (tcp 0.0.0.0:1234 in the transcript below; no udp entry,
# because udp_relay_server is left at 'nil').
# `grep ss` is a loose filter: it matches any netstat line containing "ss".
ss_init=/etc/init.d/shadowsocks
"$ss_init" enable
"$ss_init" start
pgrep -lf ss
netstat -lntpu|grep ss
root@OpenWrt:~# /etc/init.d/shadowsocks enable
root@OpenWrt:~# /etc/init.d/shadowsocks start
2017-08-27 02:14:01 INFO: set MTU to 1492
root@OpenWrt:~# pgrep -lf ss
296 ss-redir -c /var/etc/shadowsocks.cfg0a4a8f.json -l 1234 --mtu 1492 -f /var/run/ss-redir-cfg0a4a8f.pid
root@OpenWrt:~# netstat -lntpu|grep ss
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 296/ss-redir
启动 dns-forwarder 服务:
# Enable dns-forwarder at boot, start it now, then confirm the process and
# its UDP 5300 listener (udp 0.0.0.0:5300 in the transcript below).
fwd_init=/etc/init.d/dns-forwarder
"$fwd_init" enable
"$fwd_init" start
pgrep -lf dns-forwarder
netstat -lntpu|grep dns-forwarder
root@OpenWrt:~# /etc/init.d/dns-forwarder enable
root@OpenWrt:~# /etc/init.d/dns-forwarder start
root@OpenWrt:~# pgrep -lf dns-forwarder
3180 /usr/bin/dns-forwarder -b 0.0.0.0 -p 5300 -s 8.8.8.8
root@OpenWrt:~# netstat -lntpu|grep dns-for
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:5300 0.0.0.0:* 3180/dns-forwarder
启动 ChinaDNS 服务:
# Enable ChinaDNS at boot, start it now, then confirm the process and its
# UDP 5353 listener (udp 0.0.0.0:5353 in the transcript below).
cdns_init=/etc/init.d/chinadns
"$cdns_init" enable
"$cdns_init" start
pgrep -lf chinadns
netstat -lntpu|grep chinadns
root@OpenWrt:~# /etc/init.d/chinadns enable
root@OpenWrt:~# /etc/init.d/chinadns start
root@OpenWrt:~# pgrep -lf chinadns
3241 /usr/bin/chinadns -m -p 5353 -s 223.5.5.5,127.0.0.1:5300 -c /etc/chinadns_chnroute.txt
root@OpenWrt:~# netstat -lntpu|grep chinadns
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:5353 0.0.0.0:* 3241/chinadns
测试 DNS 解析:
root@OpenWrt:~# dig +short dropbox.com @223.5.5.5
8.7.198.45
root@OpenWrt:~# dig +short dropbox.com @127.0.0.1 -p 5353
162.125.248.1
root@OpenWrt:~# dig +short dropbox.com @127.0.0.1 -p 5300
162.125.248.1
root@OpenWrt:~# dig +short dropbox.com
162.125.248.1
重启 dnsmasq 服务:
root@OpenWrt:~# cat /var/etc/dnsmasq.conf
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
dhcp-range=lan,192.168.12.100,192.168.12.249,255.255.255.0,12h
no-dhcp-interface=eth0
root@OpenWrt:~# /etc/init.d/dnsmasq restart
root@OpenWrt:~# cat /var/etc/dnsmasq.conf
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
no-hosts
no-resolv
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=127.0.0.1#5353
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
dhcp-range=lan,192.168.12.100,192.168.12.249,255.255.255.0,12h
no-dhcp-interface=eth0
xiaomi nano
repo
注意: 网线插在 LAN 口才能 SSH
$ ssh root@<ROUTER_LAN_IP>
BusyBox v1.25.1 () built-in shell (ash)
_________
/ /\ _ ___ ___ ___
/ LE / \ | | | __| \| __|
/ DE / \ | |__| _|| |) | _|
/________/ LE \ |____|___|___/|___| lede-project.org
\ \ DE /
\ LE \ / -----------------------------------------------------------
\ DE \ / Reboot (17.01.2, r3435-65eec8bd5f)
\________\/ -----------------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@LEDE:~# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 842/uhttpd
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1005/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1027/dropbear
tcp 0 0 :::80 :::* LISTEN 842/uhttpd
tcp 0 0 :::53 :::* LISTEN 1005/dnsmasq
tcp 0 0 :::22 :::* LISTEN 1027/dropbear
root@LEDE:~# df -hT
Filesystem Type Size Used Available Use% Mounted on
/dev/root squashfs 2.3M 2.3M 0 100% /rom
tmpfs tmpfs 29.8M 428.0K 29.4M 1% /tmp
tmpfs tmpfs 29.8M 52.0K 29.8M 0% /tmp/root
tmpfs tmpfs 512.0K 0 512.0K 0% /dev
/dev/mtdblock6 jffs2 4.3M 276.0K 4.0M 6% /overlay
overlayfs:/overlay overlay 4.3M 276.0K 4.0M 6% /
安装软件包:
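# Add the VPS mirror as two extra opkg feeds.
# /etc/opkg.conf already has `option check_signature 1`, so package lists
# from these plain-HTTP feeds are still verified against the openwrt-dist.pub
# key imported in the next step.
# arch is taken from the router itself instead of being hard-coded (last
# print-architecture line, second field; this device reports mipsel_24kc).
arch=$(opkg print-architecture|tail -n 1|awk '{print $2}')
# Append only once: an unguarded `echo >> /etc/opkg.conf` adds duplicate
# src/gz lines every time the snippet is re-run.
if ! grep -q '^src/gz openwrt_dist ' /etc/opkg.conf; then
  printf 'src/gz openwrt_dist http://fuckgfw.com/packages/LEDE/base/%s\nsrc/gz openwrt_dist_luci http://fuckgfw.com/packages/LEDE/luci\n' "$arch" >> /etc/opkg.conf
fi
cat /etc/opkg.conf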
root@LEDE:~# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
src/gz openwrt_dist http://fuckgfw.com/packages/LEDE/base/mipsel_24kc
src/gz openwrt_dist_luci http://fuckgfw.com/packages/LEDE/luci
root@LEDE:~# wget http://fuckgfw.com/packages/openwrt-dist.pub -O /tmp/openwrt-dist.pub
Downloading 'http://fuckgfw.com/packages/openwrt-dist.pub'
Connecting to 45.67.89.10:80
Writing to '/tmp/openwrt-dist.pub'
/tmp/openwrt-dist.pu 100% |*******************************| 104 0:00:00 ETA
Download completed (104 bytes)
root@LEDE:~# opkg-key add /tmp/openwrt-dist.pub
root@LEDE:~# opkg update
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/Packages.sig
Signature check passed.
Downloading http://fuckgfw.com/packages/LEDE/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist_luci
Downloading http://fuckgfw.com/packages/LEDE/luci/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_core
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_base
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_luci
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/luci/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_packages
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_routing
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/routing/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_telephony
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/telephony/Packages.sig
Signature check passed.
root@LEDE:~# opkg install bind-dig ChinaDNS luci-app-chinadns dns-forwarder luci-app-dns-forwarder shadowsocks-libev luci-app-shadowsocks simple-obfs ip-full iptables-mod-tproxy
Installing bind-dig (9.10.4-P5-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/bind-dig_9.10.4-P5-1_mipsel_24kc.ipk
Installing zlib (1.2.11-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/zlib_1.2.11-1_mipsel_24kc.ipk
Installing libopenssl (1.0.2k-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/libopenssl_1.0.2k-1_mipsel_24kc.ipk
Installing bind-libs (9.10.4-P5-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/bind-libs_9.10.4-P5-1_mipsel_24kc.ipk
Installing ChinaDNS (1.3.2-5) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/ChinaDNS_1.3.2-5_mipsel_24kc.ipk
Installing luci-app-chinadns (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/luci/luci-app-chinadns_1.6.1-1_all.ipk
Installing dns-forwarder (1.2.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/dns-forwarder_1.2.1-1_mipsel_24kc.ipk
Installing luci-app-dns-forwarder (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/luci/luci-app-dns-forwarder_1.6.1-1_all.ipk
Installing shadowsocks-libev (3.1.0-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/shadowsocks-libev_3.1.0-1_mipsel_24kc.ipk
Installing libev (4.22-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/libev_4.22-1_mipsel_24kc.ipk
Installing libcares (1.13.0-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/libcares_1.13.0-1_mipsel_24kc.ipk
Installing libpcre (8.41-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/libpcre_8.41-2_mipsel_24kc.ipk
Installing libsodium (1.0.12-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/libsodium_1.0.12-1_mipsel_24kc.ipk
Installing libmbedtls (2.5.1-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/libmbedtls_2.5.1-2_mipsel_24kc.ipk
Installing luci-app-shadowsocks (1.8.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/luci/luci-app-shadowsocks_1.8.1-1_all.ipk
Installing kmod-nfnetlink (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-nfnetlink_4.4.71-1_mipsel_24kc.ipk
Installing kmod-ipt-ipset (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-ipt-ipset_4.4.71-1_mipsel_24kc.ipk
Installing libmnl (1.0.4-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/libmnl_1.0.4-1_mipsel_24kc.ipk
Installing ipset (6.30-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/ipset_6.30-1_mipsel_24kc.ipk
Installing simple-obfs (0.0.3-2) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/simple-obfs_0.0.3-2_mipsel_24kc.ipk
Installing ip-full (4.4.0-9) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/ip-full_4.4.0-9_mipsel_24kc.ipk
Installing iptables-mod-tproxy (1.4.21-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/iptables-mod-tproxy_1.4.21-2_mipsel_24kc.ipk
Installing kmod-ipt-tproxy (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-ipt-tproxy_4.4.71-1_mipsel_24kc.ipk
Configuring zlib.
Configuring libev.
Configuring libcares.
Configuring libpcre.
Configuring libsodium.
Configuring libmbedtls.
Configuring shadowsocks-libev.
Configuring ip-full.
Configuring kmod-nfnetlink.
Configuring kmod-ipt-tproxy.
Configuring libmnl.
Configuring ChinaDNS.
Configuring luci-app-chinadns.
Configuring dns-forwarder.
Configuring kmod-ipt-ipset.
Configuring ipset.
Configuring iptables-mod-tproxy.
Configuring libopenssl.
Configuring bind-libs.
Configuring simple-obfs.
Configuring luci-app-dns-forwarder.
Configuring bind-dig.
Configuring luci-app-shadowsocks.
配置 shadowsocks-libev 服务:
root@LEDE:~# uci set shadowsocks.@servers[0]=servers
root@LEDE:~# uci set shadowsocks.@servers[0].server='45.67.89.10'
root@LEDE:~# uci set shadowsocks.@servers[0].server_port=12345
root@LEDE:~# uci set shadowsocks.@servers[0].password=YOUR_SS_PASSWORD
root@LEDE:~# uci set shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'
root@LEDE:~# SS_CFGID=$(uci show shadowsocks.@servers[0].alias|awk -F '.' '{print $2}')
root@LEDE:~# uci set shadowsocks.@transparent_proxy[0].main_server="$SS_CFGID"
root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'
root@LEDE:~# uci set shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
root@LEDE:~# uci set shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'
root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'
shadowsocks.cfg0c4417.lan_target='SS_SPEC_WAN_AC'
shadowsocks.cfg0c4417.wan_bp_list='/etc/chinadns_chnroute.txt'
root@LEDE:~# uci show shadowsocks
shadowsocks.@general[0]=general
shadowsocks.@general[0].startup_delay='0'
shadowsocks.@transparent_proxy[0]=transparent_proxy
shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
shadowsocks.@transparent_proxy[0].local_port='1234'
shadowsocks.@transparent_proxy[0].main_server='cfg0a4a8f'
shadowsocks.@socks5_proxy[0]=socks5_proxy
shadowsocks.@socks5_proxy[0].server='nil'
shadowsocks.@socks5_proxy[0].local_port='1080'
shadowsocks.@port_forward[0]=port_forward
shadowsocks.@port_forward[0].server='nil'
shadowsocks.@port_forward[0].local_port='5300'
shadowsocks.@port_forward[0].destination='8.8.4.4:53'
shadowsocks.@servers[0]=servers
shadowsocks.@servers[0].alias='sample'
shadowsocks.@servers[0].fast_open='0'
shadowsocks.@servers[0].timeout='60'
shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
shadowsocks.@servers[0].server='45.67.89.10'
shadowsocks.@servers[0].server_port='12345'
shadowsocks.@servers[0].password='YOUR_SS_PASSWORD'
shadowsocks.@access_control[0]=access_control
shadowsocks.@access_control[0].self_proxy='1'
shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'
root@LEDE:~# /etc/init.d/shadowsocks enable
root@LEDE:~# /etc/init.d/shadowsocks start
2017-09-23 14:28:43 INFO: set MTU to 1492
root@LEDE:~# pgrep -lf ss
379 ss-redir -c /var/etc/shadowsocks.cfg0a4a8f.json -l 1234 --mtu 1492 -f /var/run/ss-redir-cfg0a4a8f.pid
root@LEDE:~# netstat -lntpu|grep ss
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 379/ss-redir
配置 dns-forwarder
服务:
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0]=dns-forwarder
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].listen_port='5300'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].enable='1'
root@LEDE:~# uci changes
dns-forwarder.cfg02e1e3='dns-forwarder'
dns-forwarder.cfg02e1e3.enable='1'
root@LEDE:~# uci commit
root@LEDE:~# uci show dns-forwarder
dns-forwarder.@dns-forwarder[0]=dns-forwarder
dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
dns-forwarder.@dns-forwarder[0].listen_port='5300'
dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
dns-forwarder.@dns-forwarder[0].enable='1'
root@LEDE:~# /etc/init.d/dns-forwarder enable
root@LEDE:~# /etc/init.d/dns-forwarder start
root@LEDE:~# pgrep -lf dns-for
3763 /usr/bin/dns-forwarder -b 0.0.0.0 -p 5300 -s 8.8.8.8
root@LEDE:~# netstat -lntpu|grep dns-for
udp 0 0 0.0.0.0:5300 0.0.0.0:* 3763/dns-forwarder
配置 ChinaDNS
服务:
root@LEDE:~# uci set chinadns.@chinadns[0]=chinadns
root@LEDE:~# uci set chinadns.@chinadns[0].bidirectional='0'
root@LEDE:~# uci set chinadns.@chinadns[0].chnroute='/etc/chinadns_chnroute.txt'
root@LEDE:~# uci set chinadns.@chinadns[0].port='5353'
root@LEDE:~# uci set chinadns.@chinadns[0].enable='1'
root@LEDE:~# uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
root@LEDE:~# uci changes
chinadns.cfg0265ad='chinadns'
chinadns.cfg0265ad.enable='1'
chinadns.cfg0265ad.server='223.5.5.5,127.0.0.1:5300'
root@LEDE:~# uci commit
root@LEDE:~# /etc/init.d/chinadns enable
root@LEDE:~# /etc/init.d/chinadns start
root@LEDE:~# pgrep -lf chinadns
3895 /usr/bin/chinadns -m -p 5353 -s 223.5.5.5,127.0.0.1:5300 -c /etc/chinadns_chnroute.txt
root@LEDE:~# netstat -lntpu|grep chinadns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 3895/chinadns
配置 WIFI :
uci set wireless.@wifi-device[0].country='CN'
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-device[0].txpower='17'
uci set wireless.@wifi-iface[0].ssid='fuckgfw'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='YOUR_WIFI_PASSWORD'
root@LEDE:~# uci changes
wireless.radio0.disabled='0'
wireless.radio0.country='CN'
wireless.radio0.txpower='17'
wireless.default_radio0.ssid='fuckgfw'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='YOUR_WIFI_PASSWORD'
root@LEDE:~# uci commit
root@LEDE:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/10300000.wmac'
wireless.radio0.htmode='HT20'
wireless.radio0.disabled='0'
wireless.radio0.country='CN'
wireless.radio0.txpower='17'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='fuckgfw'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='YOUR_WIFI_PASSWORD'
使用 wifi
命令启动无线:
root@LEDE:~# wifi status
{
"radio0": {
"up": false,
"pending": false,
"autostart": true,
"disabled": true,
"retry_setup_failed": false,
"config": {
"channel": "11",
"hwmode": "11g",
"path": "platform\/10300000.wmac",
"htmode": "HT20",
"disabled": true
},
"interfaces": [
{
"section": "default_radio0",
"config": {
"mode": "ap",
"ssid": "LEDE",
"encryption": "none",
"network": [
"lan"
],
"mode": "ap"
}
}
]
}
}
root@LEDE:~# wifi
root@LEDE:~# wifi status
{
"radio0": {
"up": true,
"pending": false,
"autostart": true,
"disabled": false,
"retry_setup_failed": false,
"config": {
"channel": "11",
"hwmode": "11g",
"path": "platform\/10300000.wmac",
"htmode": "HT20",
"country": "CN",
"disabled": false
},
"interfaces": [
{
"section": "default_radio0",
"ifname": "wlan0",
"config": {
"mode": "ap",
"ssid": "fuckgfw",
"encryption": "psk2",
"key": "YOUR_WIFI_PASSWORD",
"network": [
"lan"
],
"mode": "ap"
}
}
]
}
}
配置 network :
root@LEDE:~# uci delete network.globals.ula_prefix
root@LEDE:~# uci delete network.wan6
root@LEDE:~# uci set network.wan.peerdns=0
root@LEDE:~# uci set network.lan.ipaddr='192.168.11.1'
root@LEDE:~# uci changes
-network.globals.ula_prefix
-network.wan6
network.wan.peerdns='0'
network.lan.ipaddr='192.168.11.1'
root@LEDE:~# uci commit
配置 DNSmasq 服务:
root@LEDE:~# pgrep -lf dnsmasq
1069 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg02411c -k -x /var/run/dnsmasq/dnsmasq.cfg02411c.pid
root@LEDE:~# cat /var/etc/dnsmasq.conf.cfg02411c|sed -e '/^#/d' -e '/^$/d'
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
no-dhcp-interface=eth0.2
uci set dhcp.@dnsmasq[0].nohosts='1'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
uci changes
uci commit
root@LEDE:~# uci set dhcp.@dnsmasq[0].nohosts='1'
root@LEDE:~# uci set dhcp.@dnsmasq[0].noresolv='1'
root@LEDE:~# uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
root@LEDE:~# uci changes
dhcp.cfg02411c.nohosts='1'
dhcp.cfg02411c.noresolv='1'
dhcp.cfg02411c.local='127.0.0.1#5353'
root@LEDE:~# uci commit
重启网络服务和 DNSmasq 服务 (备份 history
记录):
root@LEDE:~# /etc/init.d/network restart && /etc/init.d/dnsmasq restart
root@LEDE:~# cat /var/etc/dnsmasq.conf.cfg02411c|sed -e '/^#/d' -e '/^$/d'
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
no-hosts
no-resolv
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=127.0.0.1#5353
dhcp-leasefile=/tmp/dhcp.leases
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-range=lan,192.168.11.100,192.168.11.249,255.255.255.0,12h
root@LEDE:~# dig +short dropbox.com
162.125.248.1
DNSmasq 配置 no-resolv
没有生效:
root@LEDE:~# cat /etc/resolv.conf
# Interface wan
nameserver 192.168.8.1
search lan
# Interface wan6
nameserver fe80::e695:6eff:fe40:6576%eth0.2
search lan
root@LEDE:~# dig +short dropbox.com @127.0.0.1
162.125.248.1
root@LEDE:~# dig +short dropbox.com
243.185.187.39
需要:
- 禁用 IPv6
- 禁用 上游 DHCP 分配的
nameserver
禁用 IPv6
[OpenWrt-Users] how to switch off IPV6 completely [on a BB 14.07 (r42625) - final release]
I set the dhcp server ipv6 settings all to disabled on both wan and lan (i.e. Router Advertisement-Service -> disabled , DHCPv6-Service -> disabled, NDP-Proxy -> disabled)
Network > Interfaces blank out the IPv6 ULA-Prefix box
清空 IPv6 ULA-Prefix :
root@LEDE:~# uci show network.globals
network.globals=globals
network.globals.ula_prefix='fdd3:b9a9:2288::/48'
uci delete network.globals.ula_prefix
删除 wan6
网卡设备:
uci delete network.wan6
禁用 上游 DHCP 分配的 nameserver
uci set network.wan.peerdns=0
排障过程:
root@LEDE:~# uci set network.wan.peerdns=0
root@LEDE:~# uci changes
network.wan.peerdns='0'
root@LEDE:~# cat /etc/resolv.conf
# Interface wan
# Interface wan6
nameserver fe80::e695:6eff:fe40:6576%eth0.2 ## ---+
search lan |
|
root@LEDE:~# dig dropbox.com |
|
; <<>> DiG 9.10.4-P5 <<>> dropbox.com |
;; global options: +cmd |
;; Got answer: |
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51090 |
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 |
|
;; OPT PSEUDOSECTION: |
; EDNS: version: 0, flags:; udp: 1280 |
;; QUESTION SECTION: |
;dropbox.com. IN A |
|
;; ANSWER SECTION: |
dropbox.com. 227 IN A 243.185.187.39 |
|
;; Query time: 13 msec |
;; SERVER: fe80::e695:6eff:fe40:6576%6#53(fe80::e695:6eff:fe40:6576%6) ## ---+ 上游 IPv6 DNS
;; WHEN: Wed Aug 30 00:38:57 UTC 2017
;; MSG SIZE rcvd: 56
root@LEDE:~# dig +short dropbox.com @127.0.0.1
162.125.248.1
root@LEDE:~# dig +short dropbox.com
243.185.187.39
root@LEDE:~# uci show network.globals
network.globals=globals
network.globals.ula_prefix='fdd3:b9a9:2288::/48'
root@LEDE:~# uci delete network.globals.ula_prefix
root@LEDE:~# uci delete network.wan6
root@LEDE:~# uci changes
-dhcp.lan.ra
-dhcp.lan.dhcpv6
-network.globals.ula_prefix
-network.wan6
root@LEDE:~# cat /etc/resolv.conf
# Interface wan
root@LEDE:~# dig +short dropbox.com
162.125.248.1
ChinaDNS
release | date |
---|---|
v1.3.2-5 |
2017-08-24 |
v1.3.2-4 |
2016-08-30 |
源码:https://github.com/aa65535/openwrt-chinadns/releases
下载:http://openwrt-dist.sourceforge.net/archives/ChinaDNS/1.3.2-5/
原理:
ChinaDNS 需要设置两组上游 DNS 服务器:国内 DNS 和 「国外 DNS 或者 可信 DNS」 是否是国内 DNS 是根据 chnroute 判断的。国内 DNS 通过当前 ISP 提供的流量解析(不经过代理),如果返回的结果也是 国内 IP,则采用此结果,否则采用 「国外 DNS 或者 可信 DNS」的解析结果。
国外 DNS 通过所使用的代理流量解析,而访问解析的目标站点也是提供代理流量。另外「国外 DNS 或者 可信 DNS」的结果 优先级 是高于国内 DNS 的,所以一旦先返回的结果是「国外 DNS 或者 可信 DNS」的,就直接采用了,导致国内 DNS 的解析结果被忽略,导致访问 国内站点 速度变慢(因为是「国外 DNS 或者 可信 DNS」的解析结果),所以 ChinaDNS 上游服务器是不能在本地做缓存的。
- ChinaDNS 默认是国内 DNS 比「国外 DNS 或者 可信 DNS」响应速度要快
- ChinaDNS 每次都会向 所有上游 DNS 同时 发送解析请求
使用 pdnsd 作为「国外 DNS 或者 可信 DNS」时,第一次请求的确是这样,这时 ChinaDNS 可以正确处理,但是当第二次请求时,因为 pdnsd 缓存的作用,pdnsd 比国内 DNS 先响应,这样的结果就是解析 国内站点 时也采用的是 pdnsd 的结果,可能会 导致国内站点解析到国外 影响访问速度。
一个域名解析请求会同时向国内 DNS 和国外 DNS(ChinaDNS 设置的上游 DNS)发送,请求的结果如果是国外 DNS 先返回,那么采用国外 DNS 的结果(你上面说国外 DNS 结果有优先);请求的结果如果是国内 DNS 先返回,又分两种情况:1、如果国内 DNS 返回的结果是国内的 IP 地址,那么采用;2、如果返回的是国外的地址,那么不采用国内 DNS 的结果而采用国外 DNS 的结果。
pdnsd 不适合做上游是因为有缓存,有缓存会出现上游设置的 国外 DNS (pdnsd) 的返回结果速度永远比国内 DNS 返回快
不要在可信 DNS 上面使用缓存,应该在 ChinaDNS 下游使用缓存。
如果国内 DNS 返回的结果是国内的 IP,且比国外 DNS 返回的要快,是会采用国内 DNS 的结果,建议 不要使用运营商提供的 DNS 服务器,改用 114 或者其他公共 DNS
使用 -v
调试:
root@OpenWrt:~# ps | awk '$5 == "\/usr\/bin\/chinadns"{for(i=5;i<=NF;i++)printf $i" ";print "-v"}'
/usr/bin/chinadns -p 5354 -s 223.5.5.5,127.0.0.1:5353 -c /etc/shadowsocks/ignore.list -m -v
https://github.com/aa65535/openwrt-chinadns/releases/tag/v1.3.2-2
使用 #
分开 IP 和 port 的 DNS 服务器即被认为是 可信 DNS,如:
-s 223.5.5.5,127.0.0.1#5353
此处的 127.0.0.1
即 可信 DNS 服务器,当指定了可信 DNS 后其他国外 IP 的 DNS 将被忽略,且压缩指针功能也不再生效(但是 -m
参数依然需要加)
- 可信 DNS 服务器不论 IP 是否国外,一律被当做国外 DNS 处理
- 国外 DNS 和可信 DNS 至少指定一个
配置:
root@OpenWrt:~# opkg files ChinaDNS
Package ChinaDNS (1.3.2-1) is installed on root and has the following files:
/etc/init.d/chinadns
/usr/bin/chinadns
/etc/config/chinadns
/etc/chinadns_chnroute.txt
root@OpenWrt:~# uci show chinadns
chinadns.@chinadns[0]=chinadns
chinadns.@chinadns[0].enable=1
chinadns.@chinadns[0].compression=1
chinadns.@chinadns[0].bidirectional=0
chinadns.@chinadns[0].port=5354
chinadns.@chinadns[0].chnroute=/etc/shadowsocks/ignore.list
chinadns.@chinadns[0].server=223.5.5.5,127.0.0.1:5353
不需要使用 ChinaDNS 查询的域名可以在 dnsmasq 中设置
server=/.microsoft.com/223.5.5.5
没错,这小运营商的网络极不稳定,连 baidu.com 的延迟变化幅度极大。也就是说查询 CDN 节点时,国内 DNS 返回时间可能比国外要长,然后 chinadns 直接使用了先返回的国外节点。
https://github.com/felixonmars/dnsmasq-china-list
此应为 ChinaDNS 误判,是 FAKE IP。在现在污染 IP 完全随机的情况下会有各种 bug
注意:使用 ChinaDNS 做防污染并不是它主要的作用,并且在当前的环境下,尽量不要单纯使用 ChinaDNS 作为防污染手段,一来有 bug,二来 DNS 服务器是根据你的实际 IP 返回的解析结果而不是根据代理服务器的 IP 这样造成解析出的 IP 可能离你的实际位置近但是离代理较远,反而速度慢。比如说服务器在美国,但是单纯使用 chinadns 就可能造成解析 google.com 到香港的情况。ChinaDNS 的主要作用是优选解析结果,国外 DNS 一定要通过代理走;这样既杜绝了污染也可以获取最佳的解析结果。
向上游 DNS 查询时使用的是 TCP。 0.0.0.0:5300 是内网的监听端口当然是 UDP了,不然怎么接受 DNS 查询。
DNS-Forwarder 的作用就是将下游的 UDP 协议的 DNS 查询转换成 TCP 协议的 DNS 查询后发送到上游服务器。
抛弃 UDP, 用 TCP 查询 DNS 我的 DNS 查询的流程就是: dnsmasq -> ChinaDNS -> DNS-Forwarder -> SS (TCP) -> 国外DNS服务器(e.g: 8.8.8.8)
shadowsocks-libev
release | date |
---|---|
v3.0.8 |
2017-07-27 |
源码:https://github.com/shadowsocks/openwrt-shadowsocks/releases
下载:http://openwrt-dist.sourceforge.net/archives/shadowsocks-libev/3.0.8/
crontab
更新 IP 列表:
root@OpenWrt:~# crontab -l
0 5 * * 1 sh -x /root/update.apnic.ip.sh > /tmp/update.apinic.ip.log 2>&1
更新脚本:
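#!/bin/sh
# Refresh the China IPv4 route list from APNIC's delegated statistics file.
# The candidate list is written to ignore.list.new; the swap-in and the
# service restarts happen further down in this script.
apnic_url='http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
#wget -c -O- "$apnic_url"|awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/shadowsocks/ignore.list.new

# Convert APNIC "registry|cc|type|start|count|..." records on stdin into
# one "start/prefix" CIDR line per CN ipv4 record on stdout.
apnic_to_cidr() {
  awk -F'|' '/CN\|ipv4/ {
    # Smallest prefix whose block holds $5 addresses, computed with integer
    # doubling: 32 - log(n)/log(2) can come out as 23.999... in floating
    # point and %d would then truncate it to 23.
    p = 32; c = 1
    while (c < $5) { c *= 2; p-- }
    printf("%s/%d\n", $4, p)
  }'
}

# -f: an HTTP error status is a failure (no error page reaches awk);
# -sS: no progress meter, but errors still go to stderr for the cron log;
# --max-time: bound the cron job so a stalled transfer cannot hang it.
# NOTE(review): the list is fetched over plain HTTP and nothing here
# authenticates it, yet it decides which destinations bypass the proxy
# (a tampered list silently re-routes traffic). Prefer an https:// source
# if the host offers one, or check the file out of band.
curl -fsS --max-time 60 "$apnic_url" \
  | apnic_to_cidr \
  > /etc/shadowsocks/ignore.list.new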
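#######################################
# Stop a service and wait until no process matches it any more.
# Arguments: $1 - pgrep pattern; 'ss' is mapped to the shadowsocks init
#                 script, because that script is what runs ss-redir
# Outputs:   progress lines (and pgrep's matches) on stdout
# Returns:   0 once nothing matches, 1 if it is still running after the
#            retries (callers in this script do not check the status)
#######################################
service_stop () {
  local pattern="$1"
  local init_script="$1"
  local count=0
  echo "__STOP: $pattern ---------------------------"
  # Keep the pgrep pattern and the init script name apart: the original
  # code rewrote the one variable it used for both, so from the second
  # iteration on it was matching a different string than it started with.
  [ x"$init_script" = x'ss' ] && init_script='shadowsocks'
  while [ "$count" -le 5 ]; do
    pgrep -lf "$pattern" || return 0
    echo "/etc/init.d/$init_script stop"
    "/etc/init.d/$init_script" stop
    sleep 1s
    count=$((count + 1))
  done
  echo "__WARN: $pattern still running after $count stop attempts" >&2
  return 1
}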
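#######################################
# Start a service and wait until a matching process exists.
# Arguments: $1 - pgrep pattern; 'ss' is mapped to the shadowsocks init
#                 script, because that script is what runs ss-redir
# Outputs:   progress lines (and pgrep's matches) on stdout
# Returns:   0 once a process matches, 1 if none does after the retries
#            (callers in this script do not check the status)
#######################################
service_start () {
  local pattern="$1"
  local init_script="$1"
  local count=0
  echo "__START: $pattern ---------------------------"
  # pgrep pattern and init script name are kept separate on purpose; the
  # original rewrote the single variable it used for both.
  [ x"$init_script" = x'ss' ] && init_script='shadowsocks'
  while [ "$count" -le 5 ]; do
    # Already running (or came up after the previous attempt): done.
    pgrep -lf "$pattern" && return 0
    echo "/etc/init.d/$init_script start"
    "/etc/init.d/$init_script" start
    sleep 1s
    count=$((count + 1))
  done
  echo "__WARN: $pattern not running after $count start attempts" >&2
  return 1
}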
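# Snapshot of the DNS/proxy daemons before anything is touched (for the log).
pgrep -lf 'dns|ss'

list_dir=/etc/shadowsocks
if [ -s "$list_dir/ignore.list.new" ]; then
  ls -l "$list_dir"/ignore.list*
  wc -l "$list_dir"/ignore.list*
  # Keep one generation back so a bad list can be restored by hand.
  mv -f "$list_dir/ignore.list" "$list_dir/ignore.list.bak"
  mv -f "$list_dir/ignore.list.new" "$list_dir/ignore.list"
  # chinadns reads the list as its chnroute file at start-up (and ss-redir
  # presumably as its bypass set), so both are cycled; dnsmasq is stopped
  # first and started last so it only serves once its upstream is back.
  service_stop dnsmasq
  service_stop chinadns
  service_stop ss
  sleep 2s
  service_start ss
  service_start chinadns
  service_start dnsmasq
else
  # Empty or missing download: leave the current list in place and fail
  # the cron job visibly instead of exiting 0.
  echo "__ERROR: download apnic IP list FAILED" >&2
  exit 1
fi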
TODO:
- curl 下载优化
- 备份日期
ss 黑名单 (Bypassed IP) :
root@LEDE:~# uci add_list shadowsocks.@access_control[0].wan_bp_ips='45.67.89.10'
root@LEDE:~# uci changes
shadowsocks.cfg0c4417.wan_bp_ips+='45.67.89.10'
root@LEDE:~# uci commit
root@LEDE:~# tail -n 7 /etc/config/shadowsocks
config access_control
option self_proxy '1'
option lan_target 'SS_SPEC_WAN_AC'
option wan_bp_list '/etc/chinadns_chnroute.txt'
list wan_bp_ips '45.67.89.10'
root@LEDE:~# /etc/init.d/shadowsocks restart
2018-01-31 15:50:49 INFO: set MTU to 1492
2018-01-31 15:50:49 INFO: using tcp fast open
root@LEDE:~# ipset list ss_spec_dst_bp|grep 45.67.89.10
45.67.89.10
用 OpenWRT + Shadowsocks 实现全自动爬梯子指南 2015-11-08
分析 iptables
+ ipset
匹配规则
Name: ss_spec_lan_no # 局域网禁止访问的 IP 段集合
Name: ss_spec_lan_bp # 局域网可以直连的 IP 段集合
Name: ss_spec_lan_fw # 局域网需要转发的 IP 段集合
Name: ss_spec_wan_sp # 局域网或者是 shadowsocks 服务器等 IP 段集合
Name: ss_spec_wan_bp # 外网需要直连的 IP 段集合 这个集合非常大
Name: ss_spec_wan_fw # 外网需要转发的 IP 段集合
http://code.taobao.org/svn/luci-app-adbyby/
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ar71xx.ipk 为ar71xx版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_arm.ipk 为arm版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_armv7.ipk 为armv7版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ralink.ipk 为7620A(N)和7621潘多拉专用版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ramips_24kec.ipk 为7620A(N)和7621OPENWRT官版专用版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_x64.ipk 为X64版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_x86.ipk 为X86版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_mipsel_24kec_dsp.ipk为最新潘多拉专用版(2016.10之后)
http://code.taobao.org/svn/luci-app-adbyby/adbyby_mini_2.7-7.0_ralink.ipk 为7620A(N)和7621潘多拉小闪存专用版(每次开机时下载主程序到内存中运行)
http://code.taobao.org/svn/luci-app-adbyby/adbyby_mini_2.7-7.0_mipsel_24kec_dsp.ipk 为最新潘多拉小闪存专用版(2016.10之后)
opkg install http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ralink.ipk
reference
openwrt-dist 项目介绍的防 DNS 劫持:https://sourceforge.net/p/openwrt-dist/wiki/DNS/
防 DNS 劫持 - 方案五 (已过时,但原理一致):https://sourceforge.net/p/openwrt-dist/wiki/Plan5/
抛弃 UDP 用 TCP 查询 DNS 2017-05-17
DNS 查询流程: DNSmasq -> ChinaDNS -> dns-forwarder -> SS (TCP) -> 国外 DNS 服务器 (8.8.8.8)
通过 抓包 介绍 DNS 污染:科学上网的一些原理 2015-02-08
x86_64
服务器翻墙翻案:ss-redir 透明代理 2017-04-29
openwrt 下 shadowsocks + chinadns 自动分流的补遗 2015-01-10
目前污染源采用了随机污染的手段,将目标导引到随机的外国网站去(这是一种恐怖主义行为!大炮)
当查询结果不是中国地址时,选择国际服务器的那个结果,但要求这个查询结果必须至少 0.3
秒后才有效 (防止污染)
对于 SS 中转 DNS 请求,这个想法很好,但是性能也堪忧。就算是亚太地区的 SS 服务器 100ms
延迟总是有的,
一个查询 0.1
秒来再 0.1
秒去,再加上 SS 服务器到 DNS 的时间 (双向),速度也几乎等同于直接连接 8.8.8.8
参数 | 含义 |
---|---|
-d |
双向过滤:默认 开启 |
-m |
启用 压缩指针: 默认 开启 |
双向过滤:当国外 DNS 服务器返回的查询结果是国内 IP,或者当国内 DNS 服务器返回的查询结果是国外 IP 则过滤掉这个结果(较为严格的模式);去掉勾选的话只是过滤国内 DNS 的国外 IP 结果
利用 GFW 遇到压缩指针时的一个 bug 来精确识别来自 GFW 的抢答污染,从而极大提高识别的准确性和识别的效率,推荐启用,启用后 IPList 和等待时间将禁用(因为用不到了)
图文教程:
OpenWRT 编译 Shadowsocks 实现透明代理 2017-08-18
从头到尾,通过 OpenWrt 固件实现路由器智能代理及建立访客网络流量控制 2017-05-20
ipset + iptables
root@LEDE:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@LEDE:~# ipset -L|grep Name
Name: ss_spec_src_ac
Name: ss_spec_src_bp
Name: ss_spec_src_fw
Name: ss_spec_dst_sp
Name: ss_spec_dst_bp
Name: ss_spec_dst_fw
root@LEDE:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 17347 packets, 2136K bytes)
pkts bytes target prot opt in out source destination
8042 561K SS_SPEC_LAN_DG tcp -- * * 0.0.0.0/0 0.0.0.0/0
17347 2136K prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for prerouting */
14244 1080K zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
3103 1057K zone_wan_prerouting all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain INPUT (policy ACCEPT 7919 packets, 577K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17338 packets, 1106K bytes)
pkts bytes target prot opt in out source destination
16216 973K SS_SPEC_WAN_DG tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 13834 packets, 885K bytes)
pkts bytes target prot opt in out source destination
30520 2059K postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for postrouting */
48 11264 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
16686 1174K zone_wan_postrouting all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain SS_SPEC_LAN_AC (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_src_bp src
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_src_fw src
0 0 SS_SPEC_WAN_AC all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_src_ac src
7901 552K SS_SPEC_WAN_AC all -- * * 0.0.0.0/0 0.0.0.0/0
Chain SS_SPEC_LAN_DG (1 references)
pkts bytes target prot opt in out source destination
141 8554 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_dst_sp dst
7901 552K SS_SPEC_LAN_AC tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain SS_SPEC_WAN_AC (3 references)
pkts bytes target prot opt in out source destination
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_dst_fw dst
4693 302K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_dst_bp dst
9925 653K SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0
Chain SS_SPEC_WAN_DG (1 references)
pkts bytes target prot opt in out source destination
9499 570K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_dst_sp dst
6717 403K SS_SPEC_WAN_AC tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain SS_SPEC_WAN_FW (3 references)
pkts bytes target prot opt in out source destination
9925 653K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 redir ports 1234
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
48 11264 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for postrouting */
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
14244 1080K prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for prerouting */
Chain zone_wan_postrouting (1 references)
pkts bytes target prot opt in out source destination
16686 1174K postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for postrouting */
16686 1174K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
3103 1057K prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for prerouting */
用 OpenWRT + Shadowsocks 实现全自动爬梯子指南 2015-11-08
iptables + tproxy 实现 ss-redir 的 UDP 转发的方法 2016-11-17
逻辑其实很简单,就是把需要转发的 UDP 包打上一个任意的标志,然后交给 TProxy 配合 iptables 进行转发
OpenWrt 做 UDP 转发需要的依赖是:iptables-mod-tproxy
, kmod-ipt-tproxy
和 ip-full
*/10 * * * * /root/tester >> /var/log/shadowsocks_watchdog.log 2>&1
0 1 * * 7 echo "" > /var/log/shadowsocks_watchdog.log
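#!/bin/sh
# shadowsocks watchdog, run from cron: if a site that needs the proxy is
# unreachable but a domestic site still answers, restart shadowsocks; if
# both fail the uplink itself is down and a restart would not help.
# Output: one timestamped line per run on stdout (cron appends it to
# the watchdog log).
LOGTIME=$(date "+%Y-%m-%d %H:%M:%S")

# Returns 0 when a wget --spider request to $1 succeeds within 3 seconds
# (one attempt only, so a cron run never stalls for long).
probe() {
  wget --spider --quiet --tries=1 --timeout=3 "$1"
}

# Test the command directly instead of "$?" == "0": no bashism under
# #!/bin/sh, and LOGTIME is passed as a single argument (the unquoted
# form split it on the space between date and time).
if probe www.google.co.jp; then
  printf '[%s] No Problem.\n' "$LOGTIME"
  exit 0
fi

if probe www.baidu.com; then
  printf '[%s] Problem detected, restarting shadowsocks.\n' "$LOGTIME"
  /etc/init.d/shadowsocks restart
else
  printf '[%s] Network Problem. Do nothing.\n' "$LOGTIME"
fi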
UDP
ssr-redir 是否支持 -u 启动 udp 的代理 #33 2016-07-07
opkg update
opkg install iptables-mod-tproxy kmod-ipt-tproxy ip iptables-mod-geoip
由于游戏需要加速主要原因是直接访问速度慢,而不是目标地址在墙后,所以再使用 gfwlist 就不太合适了,参考:https://0066.in/archives/568 的教程,使用 iptables-mod-geoip
的模块,来判断目标 IP 是否是大陆 IP,如果不是则翻墙,类似于大陆白名单模式,由于这个只涉及到 UDP 的特定端口转发,所以不会影响到平时的 gfwlist 的 tcp 翻墙。
VLAN
从头到尾,通过 OpenWrt 固件实现路由器智能代理及建立访客网络流量控制
图解设置 guest 网段
DNSmasq
https://leamtrop.com/2017/05/14/shadowsocks-proxy-on-lede/
http://www.keepwn.com/howto/route-traffic-selectively-by-domain-on-openwrt/
https://github.com/robbie-cao/kb-openwrt
pdnsd
使用 ipset 让 openwrt 上的 shadowsocks 更智能的重定向流量 2014-07-08
继续折腾 WNDR3800 之 shadowsocks 2014-11-24
openwrt 默认安装的 dnsmasq 不支持 ipset
需要先卸载,换成 dnsmasq-full
root@LEDE:~# dnsmasq -v
Dnsmasq version 2.78 Copyright (c) 2000-2017 Simon Kelley
Compile time options:
IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua
TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
在 OpenWRT 上配置 Shadowsocks 并通过 Dnsmasq + ipset 按域名翻墙 2015-06-05
# Post-install configuration notes: shadowsocks server (with simple-obfs),
# the ChinaDNS -> dns-forwarder upstream chain, dnsmasq and dropbear.
# Fill in the three SS_* placeholders first; the uci changes are staged
# and only written by the final `uci commit`.
SS_IPADDR=
SS_PORT=
SS_PASSWD=
uci set shadowsocks.@servers[0].server="$SS_IPADDR"
uci set shadowsocks.@servers[0].server_port="$SS_PORT"
uci set shadowsocks.@servers[0].password="$SS_PASSWD"
uci set shadowsocks.@servers[0].fast_open='1'
uci set shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
# simple-obfs client plugin; plugin_opts is passed through to obfs-local.
uci set shadowsocks.@servers[0].plugin='obfs-local'
uci set shadowsocks.@servers[0].plugin_opts='obfs=tls;obfs-host=itunes.apple.com;fast-open'
# `uci show` prints the section as shadowsocks.cfgXXXXXX.alias=...; field 2
# is the section id the transparent proxy has to reference as main_server.
SS_CFGID=$(uci show shadowsocks.@servers[0].alias|awk -F '.' '{print $2}')
uci set shadowsocks.@transparent_proxy[0].main_server="$SS_CFGID"
uci set shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
uci set shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'
ls -lh /etc/rc.d|grep -i shadowsocks
/etc/init.d/shadowsocks enable
# NOTE(review): `sysctl -p` with no file argument reads /etc/sysctl.conf,
# not /etc/sysctl.d/local.conf; the later provisioning script applies the
# value with `sysctl -w net.ipv4.tcp_fastopen=3` instead — verify it took.
echo net.ipv4.tcp_fastopen=3 >> /etc/sysctl.d/local.conf
sysctl -p
# ChinaDNS upstreams: 223.5.5.5 directly, 127.0.0.1:5300 = dns-forwarder.
uci set chinadns.@chinadns[0].enable=1
uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
uci set dns-forwarder.@dns-forwarder[0].enable=1
uci set dhcp.lan.ra_management='1'
# dnsmasq: ignore /etc/hosts and /etc/resolv.conf, forward everything to
# ChinaDNS on 127.0.0.1 port 5353 (`#` is dnsmasq's host#port separator).
uci set dhcp.@dnsmasq[0].nohosts=1
uci set dhcp.@dnsmasq[0].noresolv=1
uci set dhcp.@dnsmasq[0].cachesize='1600'
uci set dhcp.@dnsmasq[0].local=127.0.0.1#5353
# Internal domains go to an internal resolver instead of ChinaDNS; the
# rebind_domain entries are needed because dnsmasq's stop-dns-rebind
# (enabled in the generated config) would otherwise discard their
# private-range answers.
uci add_list dhcp.@dnsmasq[0].server='/example.com/10.60.8.11'
uci add_list dhcp.@dnsmasq[0].server='/example-inc.com/10.60.8.11'
uci add_list dhcp.@dnsmasq[0].rebind_domain='example.com'
uci add_list dhcp.@dnsmasq[0].rebind_domain='example-inc.com'
echo -e '\nmin-cache-ttl=600' >> /etc/dnsmasq.conf
tail /etc/dnsmasq.conf
uci set dropbear.@dropbear[0].GatewayPorts='on'
uci set dropbear.@dropbear[0].Port='56789'
uci changes
uci commit
Dnsmasq + ipset + iptables 基于域名的流量管理 2016-11-04
ipset create vpn hash:ip
ipset list vpn
script
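# One-shot provisioning of a freshly flashed LEDE router, run over ssh as
# root. Fill in every placeholder below first: the guards that follow
# abort the script while any of them is still empty, so an unfilled
# ROOT_PASS can never turn into a blank root password and an unfilled
# SITE never produces broken feed URLs.
SITE=
ROOT_PASS=
WIFI_PASS=
WIFI_SSID=
SSHD_PORT=
SS_IPADDR=
SS_PORT=
SS_PASSWD=
: "${SITE:?fill in SITE (host serving /pub and /packages)}"
: "${ROOT_PASS:?fill in ROOT_PASS}"
: "${WIFI_PASS:?fill in WIFI_PASS}"
: "${WIFI_SSID:?fill in WIFI_SSID}"
: "${SSHD_PORT:?fill in SSHD_PORT}"
: "${SS_IPADDR:?fill in SS_IPADDR}"
: "${SS_PORT:?fill in SS_PORT}"
: "${SS_PASSWD:?fill in SS_PASSWD}"
# Last line of `opkg print-architecture` is the board-specific arch
# (the generic "all"/"noarch" lines come first).
arch=$(opkg print-architecture|tail -n 1|awk '{print $2}')

## root password: fed on stdin (never argv) so it does not show up in `ps`;
## do not run this script with `sh -x`, the trace would print it.
## ${USER:+"$USER"} passes the user only when USER is set, as before.
printf '%s\n' "$ROOT_PASS" "$ROOT_PASS" | passwd ${USER:+"$USER"}

## system
uci set system.@system[0].hostname='LEDE'
uci set system.@system[0].zonename='Asia/Shanghai'
uci set system.@system[0].timezone='CST-8'

## dropbear: custom port, key-based login
uci set dropbear.@dropbear[0].GatewayPorts='on'
uci set dropbear.@dropbear[0].Port="$SSHD_PORT"
# `wget -O` truncates the target even when the download fails, which would
# leave an empty authorized_keys behind; fetch to a temp file first.
tmp_pub=$(mktemp) || exit 1
if wget "http://${SITE}/pub" -O "$tmp_pub"; then
  mv -f "$tmp_pub" /etc/dropbear/authorized_keys
  chmod 600 /etc/dropbear/authorized_keys
else
  rm -f "$tmp_pub"
  echo "__ERROR: fetching http://${SITE}/pub failed" >&2
  exit 1
fi
# The key arrives over plain HTTP: compare the installed file with the copy
# on the VPS before closing this session, since a substituted key would
# hand root ssh on the router to whoever planted it.
ls -lh /etc/dropbear/

## WIFI: 2.4G
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-device[0].country='CN'
uci set wireless.@wifi-device[0].txpower='17'
uci set wireless.@wifi-iface[0].ssid="$WIFI_SSID"
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key="$WIFI_PASS"
## WIFI: 5G (radio is left disabled; the ssid/key are staged for later)
FIVE_PASS=
FIVE_SSID=
uci set wireless.@wifi-device[0].hidden='1'
uci set wireless.@wifi-device[1].disabled='1'
uci set wireless.@wifi-iface[1].ssid="$FIVE_SSID"
uci set wireless.@wifi-iface[1].encryption='psk2'
uci set wireless.@wifi-iface[1].key="$FIVE_PASS"
uci changes
uci commit
wifi

## network: no IPv6 ULA / wan6 (see the resolv.conf troubleshooting above)
uci delete network.globals.ula_prefix
uci delete network.wan6
uci set network.lan.ipaddr='192.168.11.1'

## private opkg feed on $SITE
cat /etc/opkg.conf
# Append the feed only once, so re-running the script does not duplicate
# the src/gz lines.
if ! grep -q '^src/gz openwrt_dist ' /etc/opkg.conf; then
  echo "src/gz openwrt_dist http://${SITE}/packages/LEDE/base/${arch}
src/gz openwrt_dist_luci http://${SITE}/packages/LEDE/luci" >> /etc/opkg.conf
fi
cat /etc/opkg.conf
# The feed signing key is fetched from the same host as the packages, so it
# only ties the packages to that host, not to the upstream project; compare
# it with the upstream openwrt-dist.pub before trusting the feed.
wget "http://${SITE}/packages/openwrt-dist.pub" -O /tmp/openwrt-dist.pub || exit 1
opkg-key add /tmp/openwrt-dist.pub && opkg update
opkg install bind-dig ChinaDNS luci-app-chinadns dns-forwarder luci-app-dns-forwarder shadowsocks-libev luci-app-shadowsocks simple-obfs ip-full iptables-mod-tproxy

## shadowsocks
uci set shadowsocks.@general[0].startup_delay=2
uci set shadowsocks.@servers[0].server="$SS_IPADDR"
uci set shadowsocks.@servers[0].server_port="$SS_PORT"
uci set shadowsocks.@servers[0].password="$SS_PASSWD"
uci set shadowsocks.@servers[0].fast_open='1'
uci set shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
# `uci show` prints shadowsocks.cfgXXXXXX.alias=...; field 2 is the section
# id the transparent proxy references as main_server.
SS_CFGID=$(uci show shadowsocks.@servers[0].alias|awk -F '.' '{print $2}')
uci set shadowsocks.@transparent_proxy[0].main_server="$SS_CFGID"
uci set shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
uci set shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'
ls -lh /etc/rc.d|grep -i shadowsocks
/etc/init.d/shadowsocks enable
# TCP fast open: persist for the next boot and apply now.
echo net.ipv4.tcp_fastopen=3 >> /etc/sysctl.d/local.conf
sysctl -w net.ipv4.tcp_fastopen=3
sysctl net.ipv4.tcp_fastopen

## DNS chain: dnsmasq -> ChinaDNS (5353) -> dns-forwarder (5300) -> 8.8.8.8
uci set chinadns.@chinadns[0].enable=1
uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
uci set dns-forwarder.@dns-forwarder[0].enable=1
uci set dhcp.lan.ra_management='1'
uci set dhcp.@dnsmasq[0].nohosts=1
uci set dhcp.@dnsmasq[0].noresolv=1
uci set dhcp.@dnsmasq[0].cachesize='1600'
uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
# printf instead of `echo -e`: same bytes, but portable across /bin/sh.
printf '\nmin-cache-ttl=600\n' >> /etc/dnsmasq.conf
tail /etc/dnsmasq.conf
uci changes
uci commit && reboot
# After the router is back: resolution should now go through the chain.
dig +short dropbox.com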
Netgear WNDR4300
https://wiki.openwrt.org/toh/netgear/wndr4300
keep holding RESET until the power LED begins to flash orange and then green. once the power LED is flashing green, release RESET.
TFTP 修复模式:按住 reset 直到电源灯由 橙色闪烁 状态变到 绿色闪烁 状态
Linux 及 MacOS 下刷机命令:
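# TFTP recovery flash for the WNDR4300 (router in recovery mode answers on
# 192.168.1.1). The command stream is built with printf rather than
# `echo -e`, which is not portable: macOS /bin/sh prints the "-e" literally,
# which would corrupt the first line sent to tftp.
factory_img=/tmp/lede-17.01.4-ar71xx-nand-wndr4300-ubi-factory.img
printf 'binary\nrexmt 1\ntimeout 60\ntrace\nput %s\n' "$factory_img" | tftp 192.168.1.1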