WHAT

各个服务的依赖关系:

img_openwrt_shadowsocks

dns-forwarder 通过 TCP 向 8.8.8.8 查询，作为 ChinaDNS 的上游，用来替代旧方案（ss-tunnel 通过 UDP 向 8.8.8.8 查询）。

GFW 干扰 UDP 丢包较严重

repo

OpenWrt-dist is a package repository (opkg feed) for OpenWrt/LEDE devices.

http://openwrt-dist.sourceforge.net/packages/

OpenWrt-dist 提供 ChinaDNS、dns-forwarder、shadowsocks-libev、simple-obfs 等软件包

或者从 https://dl.bintray.com/aa65535/opkg/shadowsocks-libev/ 获取较新版本的 shadowsocks-libev

http://openwrt-dist.sourceforge.net/ 被墙了，需要在 VPS 上自建软件源（镜像）。注意：镜像只负责中转，软件包完整性仍由 openwrt-dist 的签名文件 Packages.sig 与路由器上的 `option check_signature 1` 保证，因此 openwrt-dist.pub 公钥必须经可信途径核对后再导入，否则签名校验形同虚设。

  1. 安装 WEB 服务 httpd 软件包
  2. 下载路由器 CPU 架构对应的软件包及 openwrt-dist.pub 公钥
  3. 在路由器上核对并导入公钥，再 opkg update

so easy

VPS 安装并启动 httpd 服务:

# Install Apache on the VPS and start it. Everything placed under
# /var/www/html/ is then served world-readable over plain HTTP, so keep only
# the package mirror there; integrity of what routers install rests on the
# opkg signature check, not on this transport.
yum install -y httpd \
  && service httpd start

查询路由器 CPU 架构:

root@OpenWrt:~# opkg print-architecture
arch all 1
arch noarch 1
arch ar71xx 10

root@OpenWrt:~# opkg print-architecture|tail -n 1|awk '{print $2}'
ar71xx

下载 openwrt 对应 CPU 架构的源及公钥到 httpd 目录下:

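# Mirror the openwrt-dist OpenWrt feed for one CPU architecture into the httpd
# document root. Run on the VPS (GNU wget). `arch` is what
# `opkg print-architecture | tail -n 1 | awk '{print $2}'` prints on the router.
arch=ar71xx
docroot=/var/www/html
# Fetch over HTTPS where the host offers it: the signing key downloaded here is
# the only trust anchor for Packages.sig on every router using this mirror.
# If TLS is unavailable, fall back to http:// but treat the key as untrusted
# until it has been compared with another copy.
opkg_key="https://openwrt-dist.sourceforge.net/packages/openwrt-dist.pub"
luci_repo="https://openwrt-dist.sourceforge.net/packages/OpenWrt/luci/"
base_repo="https://openwrt-dist.sourceforge.net/packages/OpenWrt/base/${arch}/"

# Abort instead of mirroring into whatever the current directory happens to be.
cd "$docroot" || exit 1
# -m mirror, -np never ascend, -nH drop the host directory, -R html skip index
# pages, --reject-regex skip the "?C=N;O=D" sort links in directory listings.
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." "$luci_repo"
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." "$base_repo"
wget -c -nv "$opkg_key" -O "$docroot/packages/openwrt-dist.pub"

# Record the key's digest so a router can verify the copy it later fetches from
# this mirror over plain HTTP.
sha256sum "$docroot/packages/openwrt-dist.pub"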

# du -sh /var/www/html/packages/
744K    /var/www/html/packages/

# tree /var/www/html/packages/
/var/www/html/packages/
├── OpenWrt
│   ├── base
│   │   └── ar71xx
│   │       ├── ChinaDNS_1.3.2-5_ar71xx.ipk
│   │       ├── dns-forwarder_1.2.1-1_ar71xx.ipk
│   │       ├── libmbedtls_2.5.1-2_ar71xx.ipk
│   │       ├── libsodium_1.0.12-1_ar71xx.ipk
│   │       ├── libudns_0.4-1_ar71xx.ipk
│   │       ├── Packages
│   │       ├── Packages.gz
│   │       ├── Packages.sig
│   │       ├── shadowsocks-libev_3.0.8-1_ar71xx.ipk
│   │       ├── shadowsocks-libev-server_3.0.8-1_ar71xx.ipk
│   │       ├── ShadowVPN_0.2.0-1_ar71xx.ipk
│   │       ├── simple-obfs_0.0.3-1_ar71xx.ipk
│   │       └── simple-obfs-server_0.0.3-1_ar71xx.ipk
│   └── luci
│       ├── luci-app-chinadns_1.6.1-1_all.ipk
│       ├── luci-app-dns-forwarder_1.6.1-1_all.ipk
│       ├── luci-app-shadowsocks_1.8.1-1_all.ipk
│       ├── luci-app-shadowsocks-without-ipset_1.8.1-1_all.ipk
│       ├── luci-app-shadowvpn_1.6.1-1_all.ipk
│       ├── Packages
│       ├── Packages.gz
│       └── Packages.sig
└── openwrt-dist.pub

4 directories, 22 files

下载 LEDE 对应 CPU 架构的源及公钥到 httpd 目录下:

root@LEDE:~# arch=$(opkg print-architecture|tail -n 1|awk '{print $2}')
root@LEDE:~# echo $arch
mipsel_24kc

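# Mirror the openwrt-dist LEDE feed for one CPU architecture into the httpd
# document root. Run on the VPS (GNU wget). `arch` is what
# `opkg print-architecture | tail -n 1 | awk '{print $2}'` prints on the router.
arch=mipsel_24kc
docroot=/var/www/html
# Fetch over HTTPS where the host offers it: the signing key downloaded here is
# the only trust anchor for Packages.sig on every router using this mirror.
# If TLS is unavailable, fall back to http:// but treat the key as untrusted
# until it has been compared with another copy.
opkg_key="https://openwrt-dist.sourceforge.net/packages/openwrt-dist.pub"
luci_repo="https://openwrt-dist.sourceforge.net/packages/LEDE/luci/"
base_repo="https://openwrt-dist.sourceforge.net/packages/LEDE/base/${arch}/"

# Abort instead of mirroring into whatever the current directory happens to be.
cd "$docroot" || exit 1
# -m mirror, -np never ascend, -nH drop the host directory, -R html skip index
# pages, --reject-regex skip the "?C=N;O=D" sort links in directory listings.
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." "$luci_repo"
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." "$base_repo"
wget -c -nv "$opkg_key" -O "$docroot/packages/openwrt-dist.pub"

# Record the key's digest so a router can verify the copy it later fetches from
# this mirror over plain HTTP.
sha256sum "$docroot/packages/openwrt-dist.pub"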

# tree /var/www/html/packages/LEDE/
/var/www/html/packages/LEDE/
├── base
│   └── mipsel_24kc
│       ├── ChinaDNS_1.3.2-5_mipsel_24kc.ipk
│       ├── dns-forwarder_1.2.1-1_mipsel_24kc.ipk
│       ├── libcares_1.13.0-1_mipsel_24kc.ipk
│       ├── libmbedtls_2.5.1-2_mipsel_24kc.ipk
│       ├── libsodium_1.0.12-1_mipsel_24kc.ipk
│       ├── libudns_0.4-1_mipsel_24kc.ipk
│       ├── Packages
│       ├── Packages.gz
│       ├── Packages.manifest
│       ├── Packages.sig
│       ├── shadowsocks-libev_3.1.0-1_mipsel_24kc.ipk
│       ├── shadowsocks-libev-server_3.1.0-1_mipsel_24kc.ipk
│       ├── ShadowVPN_0.2.0-1_mipsel_24kc.ipk
│       ├── simple-obfs_0.0.3-2_mipsel_24kc.ipk
│       └── simple-obfs-server_0.0.3-2_mipsel_24kc.ipk
└── luci
    ├── luci-app-chinadns_1.6.1-1_all.ipk
    ├── luci-app-dns-forwarder_1.6.1-1_all.ipk
    ├── luci-app-shadowsocks_1.8.1-1_all.ipk
    ├── luci-app-shadowsocks-without-ipset_1.8.1-1_all.ipk
    ├── luci-app-shadowvpn_1.6.1-1_all.ipk
    ├── Packages
    ├── Packages.gz
    ├── Packages.manifest
    └── Packages.sig

3 directories, 24 files

TP Link WR703N

opkg

导入 openwrt-dist.pub 公钥（路由器上的 busybox wget 走明文 HTTP，下载内容未经认证；导入前先把公钥内容/摘要与 VPS 上从上游取得的副本核对一致）:

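# On the router: fetch the feed signing key from the mirror and import it.
# busybox wget here speaks plain HTTP, so the download is unauthenticated —
# anyone who can tamper with it can also serve a Packages.sig that verifies.
# Verify the key against the digest recorded on the VPS before trusting it.
key=/tmp/openwrt-dist.pub
# SHA-256 of openwrt-dist.pub as printed by `sha256sum` on the VPS. Leave
# empty to skip the check and only print the key for manual comparison.
expected_sha256=""

wget http://fuckgfw.com/packages/openwrt-dist.pub -O "$key" || exit 1
cat "$key"
if [ -n "$expected_sha256" ]; then
  actual=$(sha256sum "$key" | awk '{print $1}')
  if [ "$actual" != "$expected_sha256" ]; then
    echo "openwrt-dist.pub digest mismatch, not importing" >&2
    exit 1
  fi
fi
# Only after the key matches a trusted copy does it make sense to add it.
opkg-key add "$key"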

root@OpenWrt:/# wget http://fuckgfw.com/packages/openwrt-dist.pub -O /tmp/openwrt-dist.pub
Connecting to fuckgfw.com (45.67.89.10:80)
openwrt-dist.pub     100% |****************************************|   104   0:00:00 ETA

root@OpenWrt:/# cat /tmp/openwrt-dist.pub
untrusted comment: public key 5c42250627d305bc
RWRcQiUGJ9MFvK9/3ma8yAZebnrCfGvZJN/qbjaVozu6Ey9+Ihgnggae

root@OpenWrt:/# opkg-key add /tmp/openwrt-dist.pub

更新软件源:

root@OpenWrt:/tmp# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
src/gz openwrt_dist http://fuckgfw.com/packages/OpenWrt/base/ar71xx
src/gz openwrt_dist_luci http://fuckgfw.com/packages/OpenWrt/luci

root@OpenWrt:~# opkg update
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/Packages.gz.
Updated list of available packages in /var/opkg-lists/openwrt_dist.
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/Packages.sig.
Signature check passed.
Downloading http://fuckgfw.com/packages/OpenWrt/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/openwrt_dist_luci.
Downloading http://fuckgfw.com/packages/OpenWrt/luci/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_base.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_luci.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_packages.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_routing.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_telephony.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_management.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management/Packages.sig.
Signature check passed.

安装软件包:

root@OpenWrt:~# opkg install curl bind-dig ChinaDNS luci-app-chinadns dns-forwarder luci-app-dns-forwarder shadowsocks-libev luci-app-shadowsocks
Installing curl (7.40.0-3) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/curl_7.40.0-3_ar71xx.ipk.
Installing libcurl (7.40.0-3) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libcurl_7.40.0-3_ar71xx.ipk.
Installing libpolarssl (1.3.14-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libpolarssl_1.3.14-1_ar71xx.ipk.
Installing bind-dig (9.9.8-P3-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/bind-dig_9.9.8-P3-1_ar71xx.ipk.
Installing bind-libs (9.9.8-P3-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/bind-libs_9.9.8-P3-1_ar71xx.ipk.
Installing libopenssl (1.0.2g-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libopenssl_1.0.2g-1_ar71xx.ipk.
Installing zlib (1.2.8-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/zlib_1.2.8-1_ar71xx.ipk.
Installing ChinaDNS (1.3.2-5) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/ChinaDNS_1.3.2-5_ar71xx.ipk.
Installing luci-app-chinadns (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-chinadns_1.6.1-1_all.ipk.
Installing dns-forwarder (1.2.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/dns-forwarder_1.2.1-1_ar71xx.ipk.
Installing luci-app-dns-forwarder (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-dns-forwarder_1.6.1-1_all.ipk.
Installing shadowsocks-libev (3.0.8-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/shadowsocks-libev_3.0.8-1_ar71xx.ipk.
Installing libev (4.19-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/libev_4.19-1_ar71xx.ipk.
Installing libudns (0.4-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libudns_0.4-1_ar71xx.ipk.
Installing libpcre (8.38-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/libpcre_8.38-1_ar71xx.ipk.
Installing libpthread (0.9.33.2-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libpthread_0.9.33.2-1_ar71xx.ipk.
Installing libsodium (1.0.12-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libsodium_1.0.12-1_ar71xx.ipk.
Installing libmbedtls (2.5.1-2) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libmbedtls_2.5.1-2_ar71xx.ipk.
Installing luci-app-shadowsocks (1.8.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-shadowsocks_1.8.1-1_all.ipk.
Installing ipset (6.24-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/ipset_6.24-1_ar71xx.ipk.
Installing kmod-ipt-ipset (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-ipt-ipset_3.18.23-1_ar71xx.ipk.
Installing kmod-nfnetlink (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-nfnetlink_3.18.23-1_ar71xx.ipk.
Installing libmnl (1.0.3-2) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libmnl_1.0.3-2_ar71xx.ipk.
Configuring zlib.
Configuring libev.
Configuring libudns.
Configuring libpcre.
Configuring libpthread.
Configuring libsodium.
Configuring libmbedtls.
Configuring shadowsocks-libev.
Configuring kmod-nfnetlink.
Configuring libpolarssl.
Configuring libcurl.
Configuring libmnl.
Configuring ChinaDNS.
Configuring luci-app-chinadns.
Configuring curl.
Configuring dns-forwarder.
Configuring kmod-ipt-ipset.
Configuring ipset.
Configuring libopenssl.
Configuring bind-libs.
Configuring luci-app-dns-forwarder.
Configuring bind-dig.
Configuring luci-app-shadowsocks.

软件包占用大概 3M 空间:

root@OpenWrt:~# df -hT
Filesystem           Type            Size      Used Available Use% Mounted on
rootfs               rootfs         12.5M      3.3M      9.2M  26% /
/dev/root            squashfs        2.3M      2.3M         0 100% /rom
tmpfs                tmpfs          29.8M    664.0K     29.2M   2% /tmp
tmpfs                tmpfs          29.8M     44.0K     29.8M   0% /tmp/root
tmpfs                tmpfs         512.0K         0    512.0K   0% /dev
/dev/mtdblock3       jffs2          12.5M      3.3M      9.2M  26% /overlay
overlayfs:/overlay   overlay        12.5M      3.3M      9.2M  26% /

ss-redir 支持 UDP 代理依赖 ip、iptables-mod-tproxy 软件包（kmod-ipt-tproxy 会作为依赖一并安装）:

root@OpenWrt:~# opkg find ip
ip - 4.0.0-1 - Routing control utility (Minimal)

root@OpenWrt:~# opkg find ip-full
ip-full - 4.0.0-1 - Routing control utility (Full)

root@OpenWrt:~# opkg find *tproxy*
iptables-mod-tproxy - 1.4.21-1 - Transparent proxy iptables extensions.

 Matches:
 - socket

 Targets:
 - TPROXY

kmod-ipt-tproxy - 3.18.23-1 - Kernel modules for Transparent Proxying

root@OpenWrt:~# opkg install ip iptables-mod-tproxy
Installing ip (4.0.0-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/ip_4.0.0-1_ar71xx.ipk.
Installing iptables-mod-tproxy (1.4.21-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/iptables-mod-tproxy_1.4.21-1_ar71xx.ipk.
Installing kmod-ipt-tproxy (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-ipt-tproxy_3.18.23-1_ar71xx.ipk.
Configuring ip.
Configuring kmod-ipt-tproxy.
failed to find a module named nf_tproxy_core
Configuring iptables-mod-tproxy.

config

默认配置:

root@OpenWrt:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

root@OpenWrt:/tmp# uci show dns-forwarder
dns-forwarder.@dns-forwarder[0]=dns-forwarder
dns-forwarder.@dns-forwarder[0].enable='0'
dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
dns-forwarder.@dns-forwarder[0].listen_port='5300'
dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'

root@OpenWrt:/tmp# uci show chinadns
chinadns.@chinadns[0]=chinadns
chinadns.@chinadns[0].enable='0'
chinadns.@chinadns[0].bidirectional='0'
chinadns.@chinadns[0].chnroute='/etc/chinadns_chnroute.txt'
chinadns.@chinadns[0].port='5353'
chinadns.@chinadns[0].server='223.5.5.5,8.8.4.4'

root@OpenWrt:/tmp# uci show shadowsocks
shadowsocks.@general[0]=general
shadowsocks.@general[0].startup_delay='0'
shadowsocks.@transparent_proxy[0]=transparent_proxy
shadowsocks.@transparent_proxy[0].main_server='nil'
shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
shadowsocks.@transparent_proxy[0].local_port='1234'
shadowsocks.@socks5_proxy[0]=socks5_proxy
shadowsocks.@socks5_proxy[0].server='nil'
shadowsocks.@socks5_proxy[0].local_port='1080'
shadowsocks.@port_forward[0]=port_forward
shadowsocks.@port_forward[0].server='nil'
shadowsocks.@port_forward[0].local_port='5300'
shadowsocks.@port_forward[0].destination='8.8.4.4:53'
shadowsocks.@servers[0]=servers
shadowsocks.@servers[0].alias='sample'
shadowsocks.@servers[0].fast_open='0'
shadowsocks.@servers[0].server='127.0.0.1'
shadowsocks.@servers[0].server_port='8388'
shadowsocks.@servers[0].timeout='60'
shadowsocks.@servers[0].password='barfoo!'
shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
shadowsocks.@access_control[0]=access_control
shadowsocks.@access_control[0].self_proxy='1'

root@OpenWrt:~# cat /etc/config/dns-forwarder

config dns-forwarder
        option enable '0'
        option listen_addr '0.0.0.0'
        option listen_port '5300'
        option dns_servers '8.8.8.8'

root@OpenWrt:~# cat /etc/config/chinadns

config chinadns
        option enable '0'
        option bidirectional '0'
        option chnroute '/etc/chinadns_chnroute.txt'
        option port '5353'
        option server '223.5.5.5,8.8.4.4'

root@OpenWrt:~# cat /etc/config/shadowsocks

config general
        option startup_delay '0'

config transparent_proxy
        list main_server 'nil'
        option udp_relay_server 'nil'
        option local_port '1234'

config socks5_proxy
        list server 'nil'
        option local_port '1080'

config port_forward
        list server 'nil'
        option local_port '5300'
        option destination '8.8.4.4:53'

config servers
        option alias 'sample'
        option fast_open '0'
        option server '127.0.0.1'
        option server_port '8388'
        option timeout '60'
        option password 'barfoo!'
        option encrypt_method 'chacha20-ietf-poly1305'

config access_control
        option self_proxy '1'

配置 dnsmasq 服务（上游改为本机 ChinaDNS 的 127.0.0.1#5353，并不再读取上级路由下发的 resolv.conf.auto）:

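# Point dnsmasq at ChinaDNS on 127.0.0.1:5353 instead of the resolvers handed
# down on the WAN side.
#   nohosts=1  - do not answer from /etc/hosts
#   noresolv=1 - ignore /tmp/resolv.conf.auto (the WAN/DHCP-provided servers)
uci set dhcp.@dnsmasq[0].nohosts=1
uci set dhcp.@dnsmasq[0].noresolv=1
# Add the upstream via the `server` list rather than overwriting `local`:
# `local` carries the local-domain entry (/lan/, rendered as server=/lan/) and
# that entry is lost when the option is reused for an IP address.
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5353'
uci changes dhcp
# Commit only this package so unrelated staged changes are not swept in.
uci commit dhcp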

root@OpenWrt:~# uci set dhcp.@dnsmasq[0].nohosts=1
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].noresolv=1
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].local=127.0.0.1#5353
root@OpenWrt:~# uci changes
dhcp.cfg02411c.nohosts='1'
dhcp.cfg02411c.noresolv='1'
dhcp.cfg02411c.local='127.0.0.1#5353'
root@OpenWrt:~# uci commit

TODO：关闭「Use DNS servers advertised by peer」(peerdns)，避免 WAN 接口上线时上层路由器下发的 DNS 服务器被写入 resolv.conf.auto（dnsmasq 已设置 noresolv=1 不读该文件，此项是进一步保险）:

参考:OpenWrt Router 2017-02-17

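# Do not accept DNS servers advertised by the WAN peer (upstream router / ISP),
# so they are never written to /tmp/resolv.conf.auto. dnsmasq already ignores
# that file once noresolv=1 is set; this keeps the rest of the system
# consistent as well. Commit it, otherwise the change is only staged.
uci set network.wan.peerdns=0
uci commit network
# Presumably takes effect when the interface is brought up again (e.g. `ifup wan`).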

配置 shadowsocks 服务:

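# Configure the remote shadowsocks server and select it for transparent proxying.
# Values typed on the command line land in the shell history and are visible
# in `ps` while uci runs; take the password from the environment instead.
# Note that uci stores it in clear text in /etc/config/shadowsocks (and the
# generated /var/etc/shadowsocks.*.json) regardless.
ss_server=45.67.89.10
ss_port=12345
ss_method=chacha20-ietf-poly1305
ss_pass=${SS_SRV_PASS:?set SS_SRV_PASS in the environment first}

# Give the server section a stable name instead of relying on the generated
# id (cfg0a4a8f) that the transparent_proxy section has to reference.
uci rename shadowsocks.@servers[0]=vps
uci set shadowsocks.vps.server="$ss_server"
uci set shadowsocks.vps.server_port="$ss_port"
uci set shadowsocks.vps.password="$ss_pass"
uci set shadowsocks.vps.encrypt_method="$ss_method"

uci set shadowsocks.@transparent_proxy[0].main_server=vps

# lan_target picks the chain LAN traffic is sent to; wan_bp_list is the
# destination list that bypasses the proxy — here the chnroute list, so
# domestic addresses go direct and everything else is proxied (presumably;
# confirm against the luci-app-shadowsocks version in use).
uci set shadowsocks.@access_control[0].lan_target=SS_SPEC_WAN_AC
uci set shadowsocks.@access_control[0].wan_bp_list=/etc/chinadns_chnroute.txt
uci changes shadowsocks
uci commit shadowsocks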

root@OpenWrt:~# uci set shadowsocks.@servers[0].server=45.67.89.10
root@OpenWrt:~# uci set shadowsocks.@servers[0].server_port=12345
root@OpenWrt:~# uci set shadowsocks.@servers[0].password=SS_SRV_PASS
root@OpenWrt:~# uci set shadowsocks.@servers[0].encrypt_method=chacha20-ietf-poly1305
root@OpenWrt:~#
root@OpenWrt:~# uci set shadowsocks.@transparent_proxy[0].main_server=cfg0a4a8f
root@OpenWrt:~#
root@OpenWrt:~# uci set shadowsocks.@access_control[0].lan_target=SS_SPEC_WAN_AC
root@OpenWrt:~# uci set shadowsocks.@access_control[0].wan_bp_list=/etc/chinadns_chnroute.txt
root@OpenWrt:~# uci changes
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='SS_SRV_PASS'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'
shadowsocks.cfg0c4417.lan_target='SS_SPEC_WAN_AC'
shadowsocks.cfg0c4417.wan_bp_list='/etc/chinadns_chnroute.txt'
root@OpenWrt:~# uci commit

配置 dns-forwarder 服务:

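# dns-forwarder: TCP upstream to 8.8.8.8. Its only client on this box is
# ChinaDNS, which is pointed at 127.0.0.1:5300, so bind it to loopback: the
# default 0.0.0.0 puts a DNS forwarder on every interface, including WAN, the
# moment the firewall is relaxed or misconfigured.
uci set dns-forwarder.@dns-forwarder[0].enable=1
uci set dns-forwarder.@dns-forwarder[0].listen_addr='127.0.0.1'
uci set dns-forwarder.@dns-forwarder[0].listen_port='5300'
uci set dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
uci changes dns-forwarder
uci commit dns-forwarder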

root@OpenWrt:/tmp# uci set dns-forwarder.@dns-forwarder[0].enable=1
root@OpenWrt:/tmp# uci changes
dns-forwarder.cfg02e1e3.enable='1'
root@OpenWrt:/tmp# uci commit

配置 ChinaDNS 服务:

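# ChinaDNS: query a domestic resolver (223.5.5.5) and the TCP-forwarded
# 8.8.8.8 path via the local dns-forwarder (127.0.0.1:5300), filtering answers
# with the chnroute list (/etc/chinadns_chnroute.txt).
# NOTE(review): the resulting daemon listens on 0.0.0.0:5353 and this UCI
# config exposes no bind-address option, so only the firewall keeps it off the
# WAN; if the installed luci-app version offers one, bind to 127.0.0.1.
uci set chinadns.@chinadns[0].enable=1
uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
uci changes chinadns
# Commit only this package so unrelated staged changes are not swept in.
uci commit chinadns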

root@OpenWrt:/tmp# uci set chinadns.@chinadns[0].enable=1
root@OpenWrt:/tmp# uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
root@OpenWrt:/tmp# uci changes
chinadns.cfg0265ad.enable='1'
chinadns.cfg0265ad.server='223.5.5.5,127.0.0.1:5300'
root@OpenWrt:/tmp# uci commit

启动 shadowsocks 服务:

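# Enable shadowsocks at boot, start it now, and confirm ss-redir is running
# and listening on the transparent-proxy port (1234 = transparent_proxy.local_port).
# Match on "ss-redir": the bare pattern "ss" also hits any unrelated process
# or socket line that merely contains those two letters.
/etc/init.d/shadowsocks enable
/etc/init.d/shadowsocks start
pgrep -lf ss-redir
netstat -lntpu | grep ss-redir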

root@OpenWrt:~# /etc/init.d/shadowsocks enable
root@OpenWrt:~# /etc/init.d/shadowsocks start
 2017-08-27 02:14:01 INFO: set MTU to 1492

root@OpenWrt:~# pgrep -lf ss
296 ss-redir -c /var/etc/shadowsocks.cfg0a4a8f.json -l 1234 --mtu 1492 -f /var/run/ss-redir-cfg0a4a8f.pid

root@OpenWrt:~# netstat -lntpu|grep ss
Proto Recv-Q Send-Q Local Address    Foreign Address    State     PID/Program name
tcp        0      0 0.0.0.0:1234     0.0.0.0:*          LISTEN    296/ss-redir

启动 dns-forwarder 服务:

# Enable dns-forwarder at boot, start it, then check the process and its
# listening socket (UDP 5300 per the config above).
svc=dns-forwarder
/etc/init.d/$svc enable
/etc/init.d/$svc start
pgrep -lf "$svc"
netstat -lntpu | grep "$svc"

root@OpenWrt:~# /etc/init.d/dns-forwarder enable
root@OpenWrt:~# /etc/init.d/dns-forwarder start

root@OpenWrt:~# pgrep -lf dns-forwarder
3180 /usr/bin/dns-forwarder -b 0.0.0.0 -p 5300 -s 8.8.8.8

root@OpenWrt:~# netstat -lntpu|grep dns-for
Proto Recv-Q Send-Q Local Address    Foreign Address    State     PID/Program name
udp        0      0 0.0.0.0:5300     0.0.0.0:*                    3180/dns-forwarder

启动 ChinaDNS 服务:

# Enable ChinaDNS at boot, start it, then check the process and its
# listening socket (UDP 5353 per the config above).
svc=chinadns
/etc/init.d/$svc enable
/etc/init.d/$svc start
pgrep -lf "$svc"
netstat -lntpu | grep "$svc"

root@OpenWrt:~# /etc/init.d/chinadns enable
root@OpenWrt:~# /etc/init.d/chinadns start

root@OpenWrt:~# pgrep -lf chinadns
3241 /usr/bin/chinadns -m -p 5353 -s 223.5.5.5,127.0.0.1:5300 -c /etc/chinadns_chnroute.txt

root@OpenWrt:~# netstat -lntpu|grep chinadns
Proto Recv-Q Send-Q Local Address    Foreign Address    State     PID/Program name
udp        0      0 0.0.0.0:5353     0.0.0.0:*                    3241/chinadns

测试 DNS 解析:

root@OpenWrt:~# dig +short dropbox.com @223.5.5.5
8.7.198.45

root@OpenWrt:~# dig +short dropbox.com @127.0.0.1 -p 5353
162.125.248.1

root@OpenWrt:~# dig +short dropbox.com @127.0.0.1 -p 5300
162.125.248.1

root@OpenWrt:~# dig +short dropbox.com
162.125.248.1

重启 dnsmasq 服务:

root@OpenWrt:~# cat /var/etc/dnsmasq.conf
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast

dhcp-range=lan,192.168.12.100,192.168.12.249,255.255.255.0,12h
no-dhcp-interface=eth0

root@OpenWrt:~# /etc/init.d/dnsmasq restart
root@OpenWrt:~# cat /var/etc/dnsmasq.conf
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
no-hosts
no-resolv
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=127.0.0.1#5353
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast

dhcp-range=lan,192.168.12.100,192.168.12.249,255.255.255.0,12h
no-dhcp-interface=eth0

xiaomi nano

repo

注意: 网线插在 LAN 口才能 SSH；首次登录后先用 passwd 设置 root 密码（见下方登录警告：默认没有 root 密码，dropbear 监听在 0.0.0.0:22），再继续安装。

$ ssh [email protected]

BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.2, r3435-65eec8bd5f)
    \________\/    -----------------------------------------------------------

=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------

root@LEDE:~# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      842/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1005/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1027/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      842/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      1005/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      1027/dropbear

root@LEDE:~# df -hT
Filesystem           Type            Size      Used Available Use% Mounted on
/dev/root            squashfs        2.3M      2.3M         0 100% /rom
tmpfs                tmpfs          29.8M    428.0K     29.4M   1% /tmp
tmpfs                tmpfs          29.8M     52.0K     29.8M   0% /tmp/root
tmpfs                tmpfs         512.0K         0    512.0K   0% /dev
/dev/mtdblock6       jffs2           4.3M    276.0K      4.0M   6% /overlay
overlayfs:/overlay   overlay         4.3M    276.0K      4.0M   6% /

安装软件包:

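# Register the mirror feeds on the LEDE box. Derive the architecture from opkg
# (mipsel_24kc on this device) and append the src lines only once, so
# re-running the snippet does not duplicate them. opkg keeps enforcing
# `option check_signature 1` (already in opkg.conf), so the feed key must be
# imported before `opkg update` will accept these feeds.
arch=$(opkg print-architecture | tail -n 1 | awk '{print $2}')
conf=/etc/opkg.conf
if ! grep -q '^src/gz openwrt_dist ' "$conf"; then
  printf 'src/gz openwrt_dist http://fuckgfw.com/packages/LEDE/base/%s\n' "$arch" >> "$conf"
  printf 'src/gz openwrt_dist_luci http://fuckgfw.com/packages/LEDE/luci\n' >> "$conf"
fi
cat "$conf"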

root@LEDE:~# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
src/gz openwrt_dist http://fuckgfw.com/packages/LEDE/base/mipsel_24kc
src/gz openwrt_dist_luci http://fuckgfw.com/packages/LEDE/luci

root@LEDE:~# wget http://fuckgfw.com/packages/openwrt-dist.pub -O /tmp/openwrt-dist.pub
Downloading 'http://fuckgfw.com/packages/openwrt-dist.pub'
Connecting to 45.67.89.10:80
Writing to '/tmp/openwrt-dist.pub'
/tmp/openwrt-dist.pu 100% |*******************************|   104   0:00:00 ETA
Download completed (104 bytes)

root@LEDE:~# opkg-key add /tmp/openwrt-dist.pub

root@LEDE:~# opkg update
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/Packages.sig
Signature check passed.
Downloading http://fuckgfw.com/packages/LEDE/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist_luci
Downloading http://fuckgfw.com/packages/LEDE/luci/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_core
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_base
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_luci
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/luci/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_packages
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_routing
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/routing/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_telephony
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/telephony/Packages.sig
Signature check passed.

root@LEDE:~# opkg install bind-dig ChinaDNS luci-app-chinadns dns-forwarder luci-app-dns-forwarder shadowsocks-libev luci-app-shadowsocks simple-obfs ip-full iptables-mod-tproxy
Installing bind-dig (9.10.4-P5-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/bind-dig_9.10.4-P5-1_mipsel_24kc.ipk
Installing zlib (1.2.11-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/zlib_1.2.11-1_mipsel_24kc.ipk
Installing libopenssl (1.0.2k-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/libopenssl_1.0.2k-1_mipsel_24kc.ipk
Installing bind-libs (9.10.4-P5-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/bind-libs_9.10.4-P5-1_mipsel_24kc.ipk
Installing ChinaDNS (1.3.2-5) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/ChinaDNS_1.3.2-5_mipsel_24kc.ipk
Installing luci-app-chinadns (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/luci/luci-app-chinadns_1.6.1-1_all.ipk
Installing dns-forwarder (1.2.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/dns-forwarder_1.2.1-1_mipsel_24kc.ipk
Installing luci-app-dns-forwarder (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/luci/luci-app-dns-forwarder_1.6.1-1_all.ipk
Installing shadowsocks-libev (3.1.0-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/shadowsocks-libev_3.1.0-1_mipsel_24kc.ipk
Installing libev (4.22-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/libev_4.22-1_mipsel_24kc.ipk
Installing libcares (1.13.0-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/libcares_1.13.0-1_mipsel_24kc.ipk
Installing libpcre (8.41-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/libpcre_8.41-2_mipsel_24kc.ipk
Installing libsodium (1.0.12-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/libsodium_1.0.12-1_mipsel_24kc.ipk
Installing libmbedtls (2.5.1-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/libmbedtls_2.5.1-2_mipsel_24kc.ipk
Installing luci-app-shadowsocks (1.8.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/luci/luci-app-shadowsocks_1.8.1-1_all.ipk
Installing kmod-nfnetlink (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-nfnetlink_4.4.71-1_mipsel_24kc.ipk
Installing kmod-ipt-ipset (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-ipt-ipset_4.4.71-1_mipsel_24kc.ipk
Installing libmnl (1.0.4-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/libmnl_1.0.4-1_mipsel_24kc.ipk
Installing ipset (6.30-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/ipset_6.30-1_mipsel_24kc.ipk
Installing simple-obfs (0.0.3-2) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/simple-obfs_0.0.3-2_mipsel_24kc.ipk
Installing ip-full (4.4.0-9) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/ip-full_4.4.0-9_mipsel_24kc.ipk
Installing iptables-mod-tproxy (1.4.21-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/iptables-mod-tproxy_1.4.21-2_mipsel_24kc.ipk
Installing kmod-ipt-tproxy (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-ipt-tproxy_4.4.71-1_mipsel_24kc.ipk
Configuring zlib.
Configuring libev.
Configuring libcares.
Configuring libpcre.
Configuring libsodium.
Configuring libmbedtls.
Configuring shadowsocks-libev.
Configuring ip-full.
Configuring kmod-nfnetlink.
Configuring kmod-ipt-tproxy.
Configuring libmnl.
Configuring ChinaDNS.
Configuring luci-app-chinadns.
Configuring dns-forwarder.
Configuring kmod-ipt-ipset.
Configuring ipset.
Configuring iptables-mod-tproxy.
Configuring libopenssl.
Configuring bind-libs.
Configuring simple-obfs.
Configuring luci-app-dns-forwarder.
Configuring bind-dig.
Configuring luci-app-shadowsocks.

配置 shadowsocks-libev 服务:

root@LEDE:~# uci set shadowsocks.@servers[0]=servers
root@LEDE:~# uci set shadowsocks.@servers[0].server='45.67.89.10'
root@LEDE:~# uci set shadowsocks.@servers[0].server_port=12345
root@LEDE:~# uci set shadowsocks.@servers[0].password=YOUR_SS_PASSWORD
root@LEDE:~# uci set shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'

root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'

root@LEDE:~# SS_CFGID=$(uci show shadowsocks.@servers[0].alias|awk -F '.' '{print $2}')
root@LEDE:~# uci set shadowsocks.@transparent_proxy[0].main_server="$SS_CFGID"

root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'

root@LEDE:~# uci set shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
root@LEDE:~# uci set shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'

root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'
shadowsocks.cfg0c4417.lan_target='SS_SPEC_WAN_AC'
shadowsocks.cfg0c4417.wan_bp_list='/etc/chinadns_chnroute.txt'

root@LEDE:~# uci show shadowsocks
shadowsocks.@general[0]=general
shadowsocks.@general[0].startup_delay='0'
shadowsocks.@transparent_proxy[0]=transparent_proxy
shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
shadowsocks.@transparent_proxy[0].local_port='1234'
shadowsocks.@transparent_proxy[0].main_server='cfg0a4a8f'
shadowsocks.@socks5_proxy[0]=socks5_proxy
shadowsocks.@socks5_proxy[0].server='nil'
shadowsocks.@socks5_proxy[0].local_port='1080'
shadowsocks.@port_forward[0]=port_forward
shadowsocks.@port_forward[0].server='nil'
shadowsocks.@port_forward[0].local_port='5300'
shadowsocks.@port_forward[0].destination='8.8.4.4:53'
shadowsocks.@servers[0]=servers
shadowsocks.@servers[0].alias='sample'
shadowsocks.@servers[0].fast_open='0'
shadowsocks.@servers[0].timeout='60'
shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
shadowsocks.@servers[0].server='45.67.89.10'
shadowsocks.@servers[0].server_port='12345'
shadowsocks.@servers[0].password='YOUR_SS_PASSWORD'
shadowsocks.@access_control[0]=access_control
shadowsocks.@access_control[0].self_proxy='1'
shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'

root@LEDE:~# /etc/init.d/shadowsocks enable

root@LEDE:~# /etc/init.d/shadowsocks start
 2017-09-23 14:28:43 INFO: set MTU to 1492

root@LEDE:~# pgrep -lf ss
379 ss-redir -c /var/etc/shadowsocks.cfg0a4a8f.json -l 1234 --mtu 1492 -f /var/run/ss-redir-cfg0a4a8f.pid

root@LEDE:~# netstat -lntpu|grep ss
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      379/ss-redir

配置 dns-forwarder 服务:

root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0]=dns-forwarder
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].listen_port='5300'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].enable='1'

root@LEDE:~# uci changes
dns-forwarder.cfg02e1e3='dns-forwarder'
dns-forwarder.cfg02e1e3.enable='1'

root@LEDE:~# uci commit

root@LEDE:~# uci show dns-forwarder
dns-forwarder.@dns-forwarder[0]=dns-forwarder
dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
dns-forwarder.@dns-forwarder[0].listen_port='5300'
dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
dns-forwarder.@dns-forwarder[0].enable='1'

root@LEDE:~# /etc/init.d/dns-forwarder enable

root@LEDE:~# /etc/init.d/dns-forwarder start

root@LEDE:~# pgrep -lf dns-for
3763 /usr/bin/dns-forwarder -b 0.0.0.0 -p 5300 -s 8.8.8.8

root@LEDE:~# netstat -lntpu|grep dns-for
udp        0      0 0.0.0.0:5300            0.0.0.0:*                           3763/dns-forwarder

配置 ChinaDNS 服务:

root@LEDE:~# uci set chinadns.@chinadns[0]=chinadns
root@LEDE:~# uci set chinadns.@chinadns[0].bidirectional='0'
root@LEDE:~# uci set chinadns.@chinadns[0].chnroute='/etc/chinadns_chnroute.txt'
root@LEDE:~# uci set chinadns.@chinadns[0].port='5353'
root@LEDE:~# uci set chinadns.@chinadns[0].enable='1'
root@LEDE:~# uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'

root@LEDE:~# uci changes
chinadns.cfg0265ad='chinadns'
chinadns.cfg0265ad.enable='1'
chinadns.cfg0265ad.server='223.5.5.5,127.0.0.1:5300'

root@LEDE:~# uci commit

root@LEDE:~# /etc/init.d/chinadns enable

root@LEDE:~# /etc/init.d/chinadns start

root@LEDE:~# pgrep -lf chinadns
3895 /usr/bin/chinadns -m -p 5353 -s 223.5.5.5,127.0.0.1:5300 -c /etc/chinadns_chnroute.txt

root@LEDE:~# netstat -lntpu|grep chinadns
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3895/chinadns

配置 WIFI :

uci set wireless.@wifi-device[0].country='CN'
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-device[0].txpower='17'
uci set wireless.@wifi-iface[0].ssid='fuckgfw'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='YOUR_WIFI_PASSWORD'

root@LEDE:~# uci changes
wireless.radio0.disabled='0'
wireless.radio0.country='CN'
wireless.radio0.txpower='17'
wireless.default_radio0.ssid='fuckgfw'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='YOUR_WIFI_PASSWORD'

root@LEDE:~# uci commit

root@LEDE:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/10300000.wmac'
wireless.radio0.htmode='HT20'
wireless.radio0.disabled='0'
wireless.radio0.country='CN'
wireless.radio0.txpower='17'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='fuckgfw'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='YOUR_WIFI_PASSWORD'

使用 wifi 命令启动无线:

root@LEDE:~# wifi status
{
  "radio0": {
    "up": false,
    "pending": false,
    "autostart": true,
    "disabled": true,
    "retry_setup_failed": false,
    "config": {
      "channel": "11",
      "hwmode": "11g",
      "path": "platform\/10300000.wmac",
      "htmode": "HT20",
      "disabled": true
    },
    "interfaces": [
      {
        "section": "default_radio0",
        "config": {
          "mode": "ap",
          "ssid": "LEDE",
          "encryption": "none",
          "network": [
            "lan"
          ],
          "mode": "ap"
        }
      }
    ]
  }
}

root@LEDE:~# wifi

root@LEDE:~# wifi status
{
  "radio0": {
    "up": true,
    "pending": false,
    "autostart": true,
    "disabled": false,
    "retry_setup_failed": false,
    "config": {
      "channel": "11",
      "hwmode": "11g",
      "path": "platform\/10300000.wmac",
      "htmode": "HT20",
      "country": "CN",
      "disabled": false
    },
    "interfaces": [
      {
        "section": "default_radio0",
        "ifname": "wlan0",
        "config": {
          "mode": "ap",
          "ssid": "fuckgfw",
          "encryption": "psk2",
          "key": "YOUR_WIFI_PASSWORD",
          "network": [
            "lan"
          ],
          "mode": "ap"
        }
      }
    ]
  }
}

配置 network :

root@LEDE:~# uci delete network.globals.ula_prefix
root@LEDE:~# uci delete network.wan6
root@LEDE:~# uci set network.wan.peerdns=0
root@LEDE:~# uci set network.lan.ipaddr='192.168.11.1'

root@LEDE:~# uci changes
-network.globals.ula_prefix
-network.wan6
network.wan.peerdns='0'
network.lan.ipaddr='192.168.11.1'

root@LEDE:~# uci commit

配置 DNSmasq 服务:

root@LEDE:~# pgrep -lf dnsmasq
1069 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg02411c -k -x /var/run/dnsmasq/dnsmasq.cfg02411c.pid

root@LEDE:~# cat /var/etc/dnsmasq.conf.cfg02411c|sed -e '/^#/d' -e '/^$/d'
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
no-dhcp-interface=eth0.2

uci set dhcp.@dnsmasq[0].nohosts='1'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
uci changes
uci commit

root@LEDE:~# uci set dhcp.@dnsmasq[0].nohosts='1'
root@LEDE:~# uci set dhcp.@dnsmasq[0].noresolv='1'
root@LEDE:~# uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'

root@LEDE:~# uci changes
dhcp.cfg02411c.nohosts='1'
dhcp.cfg02411c.noresolv='1'
dhcp.cfg02411c.local='127.0.0.1#5353'

root@LEDE:~# uci commit

重启网络服务和 DNSmasq 服务 (备份 history 记录):

root@LEDE:~# /etc/init.d/network restart && /etc/init.d/dnsmasq restart

root@LEDE:~# cat /var/etc/dnsmasq.conf.cfg02411c|sed -e '/^#/d' -e '/^$/d'
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
no-hosts
no-resolv
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=127.0.0.1#5353
dhcp-leasefile=/tmp/dhcp.leases
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-range=lan,192.168.11.100,192.168.11.249,255.255.255.0,12h

root@LEDE:~# dig +short dropbox.com
162.125.248.1

DNSmasq 配置 no-resolv 没有生效:

root@LEDE:~# cat /etc/resolv.conf
# Interface wan
nameserver 192.168.8.1
search lan
# Interface wan6
nameserver fe80::e695:6eff:fe40:6576%eth0.2
search lan

root@LEDE:~# dig +short dropbox.com @127.0.0.1
162.125.248.1

root@LEDE:~# dig +short dropbox.com
243.185.187.39

需要:

  • 禁用 IPv6
  • 禁用 上游 DHCP 分配的 nameserver

禁用 IPv6

[OpenWrt-Users] how to switch off IPV6 completely [on a BB 14.07 (r42625) - final release]

I set the dhcp server ipv6 settings all to disabled on both wan and lan (i.e. Router Advertisement-Service -> disabled , DHCPv6-Service -> disabled, NDP-Proxy -> disabled)

Disable IPv6 with OpenWRT

Network > Interfaces blank out the IPv6 ULA-Prefix box

清空 IPv6 ULA-Prefix

root@LEDE:~# uci show network.globals
network.globals=globals
network.globals.ula_prefix='fdd3:b9a9:2288::/48'

uci delete network.globals.ula_prefix

删除 wan6 网卡设备:

uci delete network.wan6

禁用 上游 DHCP 分配的 nameserver

uci set network.wan.peerdns=0

排障过程:

root@LEDE:~# uci set network.wan.peerdns=0
root@LEDE:~# uci changes
network.wan.peerdns='0'

root@LEDE:~# cat /etc/resolv.conf
# Interface wan
# Interface wan6
nameserver fe80::e695:6eff:fe40:6576%eth0.2                             ## ---+
search lan                                                                    |
                                                                              |
root@LEDE:~# dig dropbox.com                                                  |
                                                                              |
; <<>> DiG 9.10.4-P5 <<>> dropbox.com                                         |
;; global options: +cmd                                                       |
;; Got answer:                                                                |
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51090                     |
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1          |
                                                                              |
;; OPT PSEUDOSECTION:                                                         |
; EDNS: version: 0, flags:; udp: 1280                                         |
;; QUESTION SECTION:                                                          |
;dropbox.com.                   IN      A                                     |
                                                                              |
;; ANSWER SECTION:                                                            |
dropbox.com.            227     IN      A       243.185.187.39                |
                                                                              |
;; Query time: 13 msec                                                        |
;; SERVER: fe80::e695:6eff:fe40:6576%6#53(fe80::e695:6eff:fe40:6576%6)  ## ---+ 上游 IPv6 DNS
;; WHEN: Wed Aug 30 00:38:57 UTC 2017
;; MSG SIZE  rcvd: 56

root@LEDE:~# dig +short dropbox.com @127.0.0.1
162.125.248.1

root@LEDE:~# dig +short dropbox.com
243.185.187.39

root@LEDE:~# uci show network.globals
network.globals=globals
network.globals.ula_prefix='fdd3:b9a9:2288::/48'

root@LEDE:~# uci delete network.globals.ula_prefix
root@LEDE:~# uci delete network.wan6
root@LEDE:~# uci changes
-dhcp.lan.ra
-dhcp.lan.dhcpv6
-network.globals.ula_prefix
-network.wan6

root@LEDE:~# cat /etc/resolv.conf
# Interface wan

root@LEDE:~# dig +short dropbox.com
162.125.248.1

ChinaDNS

release date
v1.3.2-5 2017-08-24
v1.3.2-4 2016-08-30

源码:https://github.com/aa65535/openwrt-chinadns/releases

下载:http://openwrt-dist.sourceforge.net/archives/ChinaDNS/1.3.2-5/

原理:

关于线路优化的问题 #59

ChinaDNS 需要设置两组上游 DNS 服务器:国内 DNS 和 「国外 DNS 或者 可信 DNS」 是否是国内 DNS 是根据 chnroute 判断的。国内 DNS 通过当前 ISP 提供的流量解析(不经过代理),如果返回的结果也是 国内 IP,则采用此结果,否则采用 「国外 DNS 或者 可信 DNS」的解析结果。

国外 DNS 通过所使用的代理流量解析,而访问解析的目标站点也是提供代理流量。另外「国外 DNS 或者 可信 DNS」的结果 优先级 是高于国内 DNS 的,所以一旦先返回的结果是「国外 DNS 或者 可信 DNS」的,就直接采用了,导致国内 DNS 的解析结果被忽略,导致访问 国内站点 速度变慢(因为是「国外 DNS 或者 可信 DNS」的解析结果),所以 ChinaDNS 上游服务器是不能在本地做缓存的。

  • ChinaDNS 默认是国内 DNS 比「国外 DNS 或者 可信 DNS」响应速度要快
  • ChinaDNS 每次都会向 所有上游 DNS 同时 发送解析请求

使用 pdnsd 作为「国外 DNS 或者 可信 DNS」时,第一次请求的确是这样,这时 ChinaDNS 可以正确处理,但是当第二次请求时,因为 pdnsd 缓存的作用,pdnsd 比国内 DNS 先响应,这样的结果就是解析 国内站点 时也采用的是 pdnsd 的结果,可能会 导致国内站点解析到国外 影响访问速度。

一个域名解析请求会同时向国内 DNS 和国外 DNS(ChinaDNS 设置的上游 DNS)发送,请求的结果如果是国外 DNS 先返回,那么采用国外 DNS 的结果(你上面说国外 DNS 结果有优先);请求的结果如果是国内 DNS 先返回,又分两种情况:1、如果国内 DNS 返回的结果是国内的 IP 地址,那么采用;2、如果返回的是国外的地址,那么不采用国内 DNS 的结果而采用国外 DNS 的结果。

pdnsd 不适合做上游是因为有缓存,有缓存会出现上游设置的 国外 DNS (pdnsd) 的返回结果速度永远比国内 DNS 返回快

可信 DNS 比国内 DNS 先返回结果 #48

不要在可信 DNS 上面使用缓存,应该在 ChinaDNS 下游使用缓存

ChinaDNS 不能使用国外 IP #55

如果国内 DNS 返回的结果是国内的 IP,且比国外 DNS 返回的要快,是会采用国内 DNS 的结果,建议 不要使用运营商提供的 DNS 服务器,改用 114 或者其他公共 DNS

使用 -v 调试:

root@OpenWrt:~# ps | awk '$5 == "\/usr\/bin\/chinadns"{for(i=5;i<=NF;i++)printf $i" ";print "-v"}'
/usr/bin/chinadns -p 5354 -s 223.5.5.5,127.0.0.1:5353 -c /etc/shadowsocks/ignore.list -m -v

https://github.com/aa65535/openwrt-chinadns/releases/tag/v1.3.2-2

使用 # 分开 IP 和 port 的 DNS 服务器即被认为是 可信 DNS,如:

-s 223.5.5.5,127.0.0.1#5353

此处的 127.0.0.1 为可信 DNS 服务器,当指定了可信 DNS 后其他国外 IP 的 DNS 将被忽略,且压缩指针功能也不再生效(但是 -m 参数依然需要加)

  • 可信 DNS 服务器不论 IP 是否国外,一律被当做国外 DNS 处理
  • 国外 DNS 和可信 DNS 至少指定一个

配置:

root@OpenWrt:~# opkg files ChinaDNS
Package ChinaDNS (1.3.2-1) is installed on root and has the following files:
/etc/init.d/chinadns
/usr/bin/chinadns
/etc/config/chinadns
/etc/chinadns_chnroute.txt

root@OpenWrt:~# uci show chinadns
chinadns.@chinadns[0]=chinadns
chinadns.@chinadns[0].enable=1
chinadns.@chinadns[0].compression=1
chinadns.@chinadns[0].bidirectional=0
chinadns.@chinadns[0].port=5354
chinadns.@chinadns[0].chnroute=/etc/shadowsocks/ignore.list
chinadns.@chinadns[0].server=223.5.5.5,127.0.0.1:5353

使用一段时间后只有国内 DNS 在工作 #14

不需要使用 ChinaDNS 查询的域名可以在 dnsmasq 中设置

server=/.microsoft.com/223.5.5.5

国内小运营商网络访问cdn节点 #42

没错,这小运营商的网络极不稳定,连 baidu.com 的延迟变化幅度极大。也就是说查询 CDN 节点时,国内 DNS 返回时间可能比国外要长,然后 chinadns 直接使用了先返回的国外节点。

OpenWRT 自动翻墙路由器 DNS 解析的改善 (旧)

https://github.com/felixonmars/dnsmasq-china-list

解析 Google 域名的问题 #68

此应为 ChinaDNS 误判,是 FAKE IP。在现在污染 IP 完全随机的情况下会有各种 bug

注意:使用 ChinaDNS 做防污染并不是他主要的作用,并且在当前的环境下,尽量不要单纯使用 ChinaDNS 作为防污染手段,一来有 bug,二来 DNS 服务器是根据你的实际 IP 返回的解析结果而不是根据代理服务器的 IP 这样造成解析出的 IP 可能离你的实际位置近但是离代理较远,反而速度慢。比如说服务器在美国,但是单纯使用 chinadns 就可能造成解析 google.com 到香港的情况。ChinaDNS 的主要作用是优选解析结果,国外 DNS 一定要通过代理走;这样既杜绝了污染也可以获取最佳的解析结果。

dns-forwarder 是走 TCP 的吗? #4

向上游 DNS 查询时使用的是 TCP。 0.0.0.0:5300 是内网的监听端口当然是 UDP 了,不然怎么接受 DNS 查询。

DNS-Forwarder 的作用就是将下游的 UDP 协议的 DNS 查询转换成 TCP 协议的 DNS 查询后发送到上游服务器。

抛弃 UDP, 用 TCP 查询 DNS 我的 DNS 查询的流程就是: dnsmasq -> ChinaDNS -> DNS-Forwarder -> SS (TCP) -> 国外DNS服务器(e.g: 8.8.8.8)

shadowsocks-libev

release date
v3.0.8 2017-07-27

源码:https://github.com/shadowsocks/openwrt-shadowsocks/releases

下载:http://openwrt-dist.sourceforge.net/archives/shadowsocks-libev/3.0.8/

crontab

更新 IP 列表:

root@OpenWrt:~# crontab -l
0 5 * * 1 sh -x /root/update.apnic.ip.sh > /tmp/update.apinic.ip.log 2>&1

更新脚本:

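#!/bin/sh
# Weekly cron job (see the crontab entry above): refresh the CN IPv4 route list
# at /etc/shadowsocks/ignore.list (the ChinaDNS chnroute file) and restart the
# services that depend on it.

apnic_url='http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
list_new='/etc/shadowsocks/ignore.list.new'

# Download to a temp file first: `-f` fails on HTTP errors instead of piping an
# error page into awk, `--max-time` keeps a stalled fetch from hanging the cron
# job, and $list_new is only written after a successful fetch, so a truncated
# download cannot be installed as the new list.  The list travels over plain
# HTTP, so a non-empty result is necessary but not proof of integrity.
tmp=$(mktemp /tmp/apnic.XXXXXX) || exit 1
trap 'rm -f -- "$tmp"' EXIT

# wget equivalent for boxes without curl:
#wget -c -O- "$apnic_url"|awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/shadowsocks/ignore.list.new
if curl -sSf --max-time 300 "$apnic_url" -o "$tmp"
then
    # delegated-apnic-latest fields: registry|cc|type|start|value|...; for ipv4
    # "value" is the address count, so 32 - log2(value) is the prefix length.
    awk -F\| '/CN\|ipv4/{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' "$tmp" > "$list_new"
else
    echo "__ERROR: curl $apnic_url failed" >&2
    : > "$list_new"   # leave an empty file so the -s check below rejects it
fi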

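#######################################
# Stop a service and wait until none of its processes remain.
# Arguments: $1 - pgrep pattern; 'ss' is an alias for the shadowsocks init script
# Outputs:   progress lines and matching `pgrep -lf` output on stdout,
#            a warning on stderr if processes survive every attempt
# Returns:   0 when nothing matches $1 any more, 1 if it gave up
#######################################
service_stop () {
    echo "__STOP: $1 ---------------------------"
    local service="$1"
    local count=0
    # pgrep -f matches the pattern anywhere in a full command line, so a short
    # pattern such as 'ss' can also match unrelated processes; keep it specific.
    while pgrep -lf "$service"
    do
        if [ "$count" -gt 5 ]
        then
            echo "__WARN: $service still running after $count stop attempts" >&2
            return 1
        fi
        # The 'ss' alias maps to the shadowsocks init script; ss-redir's command
        # line carries /var/etc/shadowsocks.*.json, so the re-check still matches.
        [ "$service" = 'ss' ] && service='shadowsocks'
        echo "/etc/init.d/$service stop"
        "/etc/init.d/$service" stop
        sleep 1
        count=$((count + 1))
    done
    return 0
}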

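#######################################
# Start a service and wait until one of its processes is visible.
# Arguments: $1 - pgrep pattern; 'ss' is an alias for the shadowsocks init script
# Outputs:   progress lines and matching `pgrep -lf` output on stdout,
#            a warning on stderr if nothing is running after every attempt
# Returns:   0 once a process matches $1, 1 if it gave up
#######################################
service_start () {
    echo "__START: $1 ---------------------------"
    local service="$1"
    local count=0
    until pgrep -lf "$service"
    do
        if [ "$count" -gt 5 ]
        then
            echo "__WARN: $service not running after $count start attempts" >&2
            return 1
        fi
        # The 'ss' alias maps to the shadowsocks init script; ss-redir's command
        # line carries /var/etc/shadowsocks.*.json, so the re-check matches it.
        [ "$service" = 'ss' ] && service='shadowsocks'
        echo "/etc/init.d/$service start"
        "/etc/init.d/$service" start
        sleep 1
        count=$((count + 1))
    done
    return 0
}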

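# Snapshot of the DNS / proxy processes before the swap, for the cron log.
pgrep -lf 'dns|ss'

list='/etc/shadowsocks/ignore.list'

# Install the new list only if it is non-empty and every line is an IPv4 CIDR;
# a malformed line would otherwise end up in the chnroute data ChinaDNS reads.
if [ -s "$list.new" ] && ! grep -Evq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$' "$list.new"
then
    ls -l "$list"*
    wc -l "$list"*
    # Keep one previous generation so a bad update can be rolled back by hand.
    mv -f "$list" "$list.bak"
    mv -f "$list.new" "$list"

    # Stop downstream-first and start upstream-first (dnsmasq -> ChinaDNS -> ss).
    service_stop dnsmasq
    service_stop chinadns
    service_stop ss

    sleep 2

    service_start ss
    service_start chinadns
    service_start dnsmasq
else
    # Non-zero exit so the cron log records a failure instead of a silent no-op.
    echo "__ERROR: download apnic IP list FAILED" >&2
    exit 1
fi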

TODO:

  • curl 下载优化
  • 备份日期

ss 黑名单 (Bypassed IP) :

root@LEDE:~# uci add_list shadowsocks.@access_control[0].wan_bp_ips='45.67.89.10'

root@LEDE:~# uci changes
shadowsocks.cfg0c4417.wan_bp_ips+='45.67.89.10'

root@LEDE:~# uci commit

root@LEDE:~# tail -n 7 /etc/config/shadowsocks

config access_control
       option self_proxy '1'
       option lan_target 'SS_SPEC_WAN_AC'
       option wan_bp_list '/etc/chinadns_chnroute.txt'
       list wan_bp_ips '45.67.89.10'

root@LEDE:~# /etc/init.d/shadowsocks restart
 2018-01-31 15:50:49 INFO: set MTU to 1492
 2018-01-31 15:50:49 INFO: using tcp fast open

root@LEDE:~# ipset list ss_spec_dst_bp|grep 45.67.89.10
45.67.89.10

用 OpenWRT + Shadowsocks 实现全自动爬梯子指南 2015-11-08

分析 iptables + ipset 匹配规则

如何让路由器科学上网 2016-11-25

Name: ss_spec_lan_no # 局域网禁止访问的 IP 段集合
Name: ss_spec_lan_bp # 局域网可以直连的 IP 段集合
Name: ss_spec_lan_fw # 局域网需要转发的 IP 段集合
Name: ss_spec_wan_sp # 局域网或者是 shadowsocks 服务器等 IP 段集合
Name: ss_spec_wan_bp # 外网需要直连的 IP 段集合 这个集合非常大
Name: ss_spec_wan_fw # 外网需要转发的 IP 段集合

http://code.taobao.org/svn/luci-app-adbyby/

http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ar71xx.ipk 为ar71xx版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_arm.ipk 为arm版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_armv7.ipk 为armv7版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ralink.ipk 为7620A(N)和7621潘多拉专用版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ramips_24kec.ipk 为7620A(N)和7621OPENWRT官版专用版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_x64.ipk 为X64版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_x86.ipk 为X86版
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_mipsel_24kec_dsp.ipk为最新潘多拉专用版(2016.10之后)

http://code.taobao.org/svn/luci-app-adbyby/adbyby_mini_2.7-7.0_ralink.ipk 为7620A(N)和7621潘多拉小闪存专用版(每次开机时下载主程序到内存中运行)
http://code.taobao.org/svn/luci-app-adbyby/adbyby_mini_2.7-7.0_mipsel_24kec_dsp.ipk 为最新潘多拉小闪存专用版(2016.10之后)

opkg install http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ralink.ipk

reference

openwrt-dist 项目介绍的防 DNS 劫持:https://sourceforge.net/p/openwrt-dist/wiki/DNS/

防 DNS 劫持 - 方案五 (已过时,但原理一致):https://sourceforge.net/p/openwrt-dist/wiki/Plan5/

抛弃 UDP 用 TCP 查询 DNS 2017-05-17

DNS 查询流程: DNSmasq -> ChinaDNS -> dns-forwarder -> SS (TCP) -> 国外 DNS 服务器 (8.8.8.8)

通过 抓包 介绍 DNS 污染:科学上网的一些原理 2015-02-08

x86_64 服务器翻墙翻案:ss-redir 透明代理 2017-04-29

openwrt 下 shadowsocks + chinadns 自动分流的补遗 2015-01-10

目前污染源采用了随机污染的手段,将目标导引到随机的外国网站去(这是一种恐怖主义行为!大炮)

当查询结果不是中国地址时,选择国际服务器的那个结果,但要求这个查询结果必须至少 0.3 秒后才有效 (防止污染)

对于 SS 中转 DNS 请求,这个想法很好,但是性能也堪忧。就算是亚太地区的 SS 服务器 100ms 延迟总是有的, 一个查询 0.1 秒来再 0.1 秒去,再加上 SS 服务器到 DNS 的时间 (双向),速度也几乎等同于直接连接 8.8.8.8

使用 EdgeMax 路由器自动翻墙 2016-10-20

img_ss

参数 含义
-d 双向过滤:默认 开启
-m 启用 压缩指针: 默认 开启

双向过滤:当国外 DNS 服务器返回的查询结果是国内 IP,或者当国内 DNS 服务器返回的查询结果是国外 IP 则过滤掉这个结果(较为严格的模式);去掉勾选的话只是过滤国内 DNS 的国外 IP 结果

利用 GFW 遇到压缩指针时的一个 bug 来精确识别来自 GFW 的抢答污染,从而极大提高识别的准确性和识别的效率,推荐启用,启用后 IPList 和等待时间将禁用(因为用不到了)

图文教程:

OpenWRT 编译 Shadowsocks 实现透明代理 2017-08-18

从头到尾,通过 OpenWrt 固件实现路由器智能代理及建立访客网络流量控制 2017-05-20

使用 OpenWrt 打造透明路由 2016-11-15

ipset + iptables

root@LEDE:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@LEDE:~# ipset -L|grep Name
Name: ss_spec_src_ac
Name: ss_spec_src_bp
Name: ss_spec_src_fw
Name: ss_spec_dst_sp
Name: ss_spec_dst_bp
Name: ss_spec_dst_fw

root@LEDE:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 17347 packets, 2136K bytes)
 pkts bytes target     prot opt in     out     source               destination
 8042  561K SS_SPEC_LAN_DG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
17347 2136K prerouting_rule      all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */
14244 1080K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 3103 1057K zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 7919 packets, 577K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17338 packets, 1106K bytes)
 pkts bytes target     prot opt in     out     source               destination
16216  973K SS_SPEC_WAN_DG  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 13834 packets, 885K bytes)
 pkts bytes target     prot opt in     out     source               destination
30520 2059K postrouting_rule      all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
   48 11264 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
16686 1174K zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain SS_SPEC_LAN_AC (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN          all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_bp src
    0     0 SS_SPEC_WAN_FW  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_fw src
    0     0 SS_SPEC_WAN_AC  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_ac src
 7901  552K SS_SPEC_WAN_AC  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_LAN_DG (1 references)
 pkts bytes target     prot opt in     out     source               destination
  141  8554 RETURN          all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_sp dst
 7901  552K SS_SPEC_LAN_AC  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_WAN_AC (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SS_SPEC_WAN_FW  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_fw dst
 4693  302K RETURN          all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_bp dst
 9925  653K SS_SPEC_WAN_FW  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_WAN_DG (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9499  570K RETURN          all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_sp dst
 6717  403K SS_SPEC_WAN_AC  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_WAN_FW (3 references)
 pkts bytes target     prot opt in     out     source               destination
 9925  653K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 1234

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   48 11264 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
14244 1080K prerouting_lan_rule   all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
16686 1174K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
16686 1174K MASQUERADE            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3103 1057K prerouting_wan_rule   all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */

用 OpenWRT + Shadowsocks 实现全自动爬梯子指南 2015-11-08

iptables + tproxy 实现 ss-redir 的 UDP 转发的方法 2016-11-17

逻辑其实很简单,就是把需要转发的 UDP 包打上一个任意的标志,然后交给 TProxy 配合 iptables 进行转发

OpenWrt 做 UDP 转发需要的依赖是:iptables-mod-tproxy, kmod-ipt-tproxy, ip-full

OpenWRT router 2016-03-29

*/10 * * * * /root/tester >> /var/log/shadowsocks_watchdog.log 2>&1
0 1 * * 7 echo "" > /var/log/shadowsocks_watchdog.log

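#!/bin/sh
# Shadowsocks watchdog, run from cron every 10 minutes (see the crontab lines
# above); cron appends its output to /var/log/shadowsocks_watchdog.log.
# Logic: if a site that normally goes through the proxy is unreachable but a
# domestic site is reachable, the proxy rather than the uplink is broken, so
# restart shadowsocks.  If both fail, the uplink is down and nothing is done.

LOGTIME=$(date "+%Y-%m-%d %H:%M:%S")

#######################################
# Reachability probe without downloading the page.
# Arguments: $1 - hostname
# Returns:   wget's exit status (0 = reachable)
#######################################
probe () {
    wget --spider --quiet --tries=1 --timeout=3 "$1"
}

if probe www.google.co.jp
then
    printf '[%s] No Problem.\n' "$LOGTIME"
    exit 0
fi

if probe www.baidu.com
then
    printf '[%s] Problem detected, restarting shadowsocks.\n' "$LOGTIME"
    /etc/init.d/shadowsocks restart
else
    printf '[%s] Network Problem. Do nothing.\n' "$LOGTIME"
fi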

UDP

ssr-redir 是否支持 -u 启动 udp 的代理 #33 2016-07-07

opkg update
opkg install iptables-mod-tproxy kmod-ipt-tproxy ip iptables-mod-geoip

由于游戏需要加速主要原因是直接访问速度慢,而不是目标地址在墙后,所以再使用 gfwlist 就不太合适了,参考:https://0066.in/archives/568 的教程,使用 iptables-mod-geoip 的模块,来判断目标 IP 是否是大陆 IP,如果不是则翻墙,类似于大陆白名单模式,由于这个只涉及到 UDP 的特定端口转发,所以不会影响到平时的 gfwlist 的 tcp 翻墙。

VLAN

从头到尾,通过 OpenWrt 固件实现路由器智能代理及建立访客网络流量控制

图解设置 guest 网段

DNSmasq

https://leamtrop.com/2017/05/14/shadowsocks-proxy-on-lede/

http://www.keepwn.com/howto/route-traffic-selectively-by-domain-on-openwrt/

https://github.com/robbie-cao/kb-openwrt

pdnsd

使用 ipset 让 openwrt 上的 shadowsocks 更智能的重定向流量 2014-07-08

继续折腾 WNDR3800 之 shadowsocks 2014-11-24

openwrt 默认安装的 dnsmasq 不支持 ipset 需要先卸载,换成 dnsmasq-full

root@LEDE:~# dnsmasq -v
Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options:
IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua
TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

在 OpenWRT 上配置 Shadowsocks 并通过 Dnsmasq + ipset 按域名翻墙 2015-06-05

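# Post-install configuration of shadowsocks-libev, ChinaDNS, dns-forwarder,
# dnsmasq and dropbear through uci.  Fill in the SS_* values first; every
# `uci set` / `uci add_list` below is only staged and is written to /etc/config/*
# by the final `uci commit`.
SS_IPADDR=
SS_PORT=
SS_PASSWD=

# Refuse to continue with blank placeholders: an empty server, port or password
# would otherwise be committed into /etc/config/shadowsocks.
: "${SS_IPADDR:?set SS_IPADDR to the shadowsocks server address}"
: "${SS_PORT:?set SS_PORT to the shadowsocks server port}"
: "${SS_PASSWD:?set SS_PASSWD to the shadowsocks password}"

#######################################
# Append a value to a uci list only if it is not already present
# (`uci add_list` does not de-duplicate, so re-running this script would
# otherwise stack entries).
# Arguments: $1 - uci list path, $2 - value
#######################################
uci_add_list_once () {
    case " $(uci -q get "$1") " in
        *" $2 "*) ;;
        *) uci add_list "$1=$2" ;;
    esac
}

uci set shadowsocks.@servers[0].server="$SS_IPADDR"
uci set shadowsocks.@servers[0].server_port="$SS_PORT"
uci set shadowsocks.@servers[0].password="$SS_PASSWD"
uci set shadowsocks.@servers[0].fast_open='1'
uci set shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
uci set shadowsocks.@servers[0].plugin='obfs-local'
uci set shadowsocks.@servers[0].plugin_opts='obfs=tls;obfs-host=itunes.apple.com;fast-open'

# The transparent proxy refers to the server section by its generated cfgXXXX
# id, which is the second dot-separated field of `uci show <path>`.
SS_CFGID=$(uci show shadowsocks.@servers[0].alias|awk -F '.' '{print $2}')

uci set shadowsocks.@transparent_proxy[0].main_server="$SS_CFGID"
uci set shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
uci set shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'

ls -lh /etc/rc.d|grep -i shadowsocks
/etc/init.d/shadowsocks enable

# Kernel-side TCP Fast Open (client + server) to go with fast_open='1' above.
# Append once so repeated runs do not stack duplicate lines.
grep -qs '^net.ipv4.tcp_fastopen=' /etc/sysctl.d/local.conf ||
    echo 'net.ipv4.tcp_fastopen=3' >> /etc/sysctl.d/local.conf
sysctl -p

uci set chinadns.@chinadns[0].enable='1'
uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
uci set dns-forwarder.@dns-forwarder[0].enable='1'

uci set dhcp.lan.ra_management='1'

# dnsmasq: ignore /etc/hosts and the upstream resolv.conf and send everything
# to ChinaDNS on 127.0.0.1#5353 (query path: dnsmasq -> ChinaDNS ->
# dns-forwarder -> ss).  Internal zones go straight to the internal resolver
# and are exempted from rebind protection.
uci set dhcp.@dnsmasq[0].nohosts='1'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].cachesize='1600'
uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
uci_add_list_once dhcp.@dnsmasq[0].server '/example.com/10.60.8.11'
uci_add_list_once dhcp.@dnsmasq[0].server '/example-inc.com/10.60.8.11'
uci_add_list_once dhcp.@dnsmasq[0].rebind_domain 'example.com'
uci_add_list_once dhcp.@dnsmasq[0].rebind_domain 'example-inc.com'

# Same append-once guard for the hand-edited dnsmasq.conf.
grep -qs '^min-cache-ttl=' /etc/dnsmasq.conf ||
    printf '\nmin-cache-ttl=600\n' >> /etc/dnsmasq.conf
tail /etc/dnsmasq.conf

# NOTE(review): GatewayPorts lets remote hosts reach ports forwarded with
# `ssh -R`; confirm that exposure is intended before committing.
uci set dropbear.@dropbear[0].GatewayPorts='on'
uci set dropbear.@dropbear[0].Port='56789'

uci changes
uci commit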

Dnsmasq + ipset + iptables 基于域名的流量管理 2016-11-04

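# Set of destination addresses that should be proxied; presumably referenced
# from dnsmasq `ipset=` lines and iptables rules not shown here.  `-exist`
# makes the command idempotent: re-running it on an existing set is no error.
ipset create vpn hash:ip -exist
ipset list vpn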

script

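#!/bin/sh
# Provision a freshly flashed LEDE/OpenWrt router from scratch: root
# password, dropbear (SSH), WiFi, LAN address, the self-hosted opkg feed
# and the ChinaDNS + dns-forwarder + shadowsocks-libev transparent proxy.
#
# Usage: fill in the variables below, copy the file to the router and run
# `sh provision.sh`.  It ends with `uci commit && reboot`; because of
# `set -e` any failing step aborts *before* the commit, so a broken
# download or a failed `opkg install` does not leave a half-applied
# configuration behind.  Written for BusyBox ash (no bashisms).
#
# Required: SITE ROOT_PASS WIFI_SSID WIFI_PASS SSHD_PORT SS_IPADDR SS_PORT SS_PASSWD
# Optional: FIVE_SSID FIVE_PASS PUBKEY_SHA256 OPKG_KEY_SHA256
set -e

SITE=
ROOT_PASS=
WIFI_PASS=
WIFI_SSID=
SSHD_PORT=
SS_IPADDR=
SS_PORT=
SS_PASSWD=
# sha256 of http://$SITE/pub and of openwrt-dist.pub, as printed by
# `sha256sum FILE` on the VPS.  Both files arrive over plain HTTP; the first
# one grants root SSH access and the second one is the key opkg trusts for
# the package feed, so either being swapped in transit is a full compromise.
# Leave empty to skip the check (a warning is printed instead).
PUBKEY_SHA256=
OPKG_KEY_SHA256=

: "${SITE:?SITE must be set (host serving /pub and /packages)}"
: "${ROOT_PASS:?ROOT_PASS must be set}"

#######################################
# Download a file and, when a checksum is given, refuse to keep it unless
# it matches.
# Arguments: $1 URL, $2 destination path, $3 expected sha256 (may be empty)
# Returns:   0 on success; exits the script on download or checksum failure
#######################################
fetch_verified() {
  local url=$1 dest=$2 expected=$3 actual
  wget "$url" -O "$dest"
  if [ ! -s "$dest" ]; then
    printf 'empty download: %s\n' "$url" >&2
    rm -f "$dest"
    exit 1
  fi
  if [ -z "$expected" ]; then
    printf 'WARNING: %s fetched over plain HTTP without verification\n' "$url" >&2
    return 0
  fi
  actual=$(sha256sum "$dest" | awk '{print $1}')
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s: got %s\n' "$url" "$actual" >&2
    rm -f "$dest"
    exit 1
  fi
}

# Last line of `opkg print-architecture` is the most specific arch (e.g. ar71xx).
arch=$(opkg print-architecture | tail -n 1 | awk '{print $2}')

# printf rather than `echo -e`: echo -e would expand backslash sequences
# inside the password itself.  USER is not exported in every shell on
# OpenWrt; fall back to root, which is the account being provisioned.
printf '%s\n%s\n' "$ROOT_PASS" "$ROOT_PASS" | passwd "${USER:-root}"

uci set system.@system[0].hostname='LEDE'
uci set system.@system[0].zonename='Asia/Shanghai'
uci set system.@system[0].timezone='CST-8'

# GatewayPorts=on makes remote (-R) port forwards listen on every
# interface, WAN included.  Keep it only if that exposure is intended.
uci set dropbear.@dropbear[0].GatewayPorts='on'
uci set dropbear.@dropbear[0].Port="$SSHD_PORT"

fetch_verified "http://${SITE}/pub" /etc/dropbear/authorized_keys "$PUBKEY_SHA256"
chmod 600 /etc/dropbear/authorized_keys
ls -lh /etc/dropbear/

uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-device[0].country='CN'
uci set wireless.@wifi-device[0].txpower='17'
uci set wireless.@wifi-iface[0].ssid="$WIFI_SSID"
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key="$WIFI_PASS"

## WIFI: 5G

FIVE_PASS=
FIVE_SSID=

# NOTE(review): `hidden` is documented as a wifi-iface option; on the radio
# (wifi-device) section it is probably ignored — confirm.  The second radio
# is disabled here, so the wifi-iface[1] settings only take effect once it
# is enabled again.
uci set wireless.@wifi-device[0].hidden='1'
uci set wireless.@wifi-device[1].disabled='1'
uci set wireless.@wifi-iface[1].ssid="$FIVE_SSID"
uci set wireless.@wifi-iface[1].encryption='psk2'
uci set wireless.@wifi-iface[1].key="$FIVE_PASS"

uci changes
uci commit

wifi

# The router moves to 192.168.11.1 after the final reboot; reconnect there.
# -q + || true: a missing wan6 section must not abort the run.
uci -q delete network.globals.ula_prefix || true
uci -q delete network.wan6 || true
uci set network.lan.ipaddr='192.168.11.1'

cat /etc/opkg.conf

# Append the feed only once so re-runs do not duplicate it.
if ! grep -q '^src/gz openwrt_dist ' /etc/opkg.conf; then
  printf 'src/gz openwrt_dist http://%s/packages/LEDE/base/%s\nsrc/gz openwrt_dist_luci http://%s/packages/LEDE/luci\n' \
    "$SITE" "$arch" "$SITE" >> /etc/opkg.conf
fi

cat /etc/opkg.conf

# The feed itself is plain HTTP; that is acceptable only because opkg checks
# the feed's Packages.sig against the keys added here (check_signature in
# /etc/opkg.conf) — which is why the key itself gets a checksum.
fetch_verified "http://${SITE}/packages/openwrt-dist.pub" /tmp/openwrt-dist.pub "$OPKG_KEY_SHA256"
opkg-key add /tmp/openwrt-dist.pub
opkg update
opkg install bind-dig ChinaDNS luci-app-chinadns dns-forwarder luci-app-dns-forwarder shadowsocks-libev luci-app-shadowsocks simple-obfs ip-full iptables-mod-tproxy

uci set shadowsocks.@general[0].startup_delay=2

uci set shadowsocks.@servers[0].server="$SS_IPADDR"
uci set shadowsocks.@servers[0].server_port="$SS_PORT"
uci set shadowsocks.@servers[0].password="$SS_PASSWD"
uci set shadowsocks.@servers[0].fast_open='1'
uci set shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'

# The transparent proxy refers to the server by its section name; `uci show`
# prints "shadowsocks.<section>.alias=...", and the second field is that name.
SS_CFGID=$(uci show shadowsocks.@servers[0].alias | awk -F '.' '{print $2}')

uci set shadowsocks.@transparent_proxy[0].main_server="$SS_CFGID"
uci set shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
uci set shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'

/etc/init.d/shadowsocks enable
ls -lh /etc/rc.d | grep -i shadowsocks   # confirm the rc.d symlinks were created

# Append only once; apply immediately with -w as well.
grep -q '^net.ipv4.tcp_fastopen=' /etc/sysctl.d/local.conf 2>/dev/null \
  || printf 'net.ipv4.tcp_fastopen=3\n' >> /etc/sysctl.d/local.conf
sysctl -w net.ipv4.tcp_fastopen=3
sysctl net.ipv4.tcp_fastopen

# ChinaDNS: upstream 223.5.5.5 plus dns-forwarder on 127.0.0.1:5300.
uci set chinadns.@chinadns[0].enable=1
uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'

uci set dns-forwarder.@dns-forwarder[0].enable=1

uci set dhcp.lan.ra_management='1'
uci set dhcp.@dnsmasq[0].nohosts=1
uci set dhcp.@dnsmasq[0].noresolv=1
uci set dhcp.@dnsmasq[0].cachesize='1600'
uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
grep -q '^min-cache-ttl=' /etc/dnsmasq.conf 2>/dev/null \
  || printf '\nmin-cache-ttl=600\n' >> /etc/dnsmasq.conf
tail /etc/dnsmasq.conf

uci changes
uci commit && reboot

# After the reboot, check that resolution works through the chain:
#   dig +short dropbox.com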

Netgear WNDR4300

https://wiki.openwrt.org/toh/netgear/wndr4300

Keep holding RESET until the power LED begins to flash orange and then green. Once the power LED is flashing green, release RESET.

TFTP 修复模式:按住 reset 直到电源灯由 橙色闪烁 状态变到 绿色闪烁 状态

Linux 及 macOS 下刷机命令:

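# Flash the factory image over TFTP while the router is in recovery mode
# (192.168.1.1, power LED flashing green, see above).  Verify the image
# against the release's sha256sums before flashing; the existence check
# avoids sending an empty `put` when the path is wrong.  printf instead of
# `echo -e`: macOS /bin/sh prints "-e" literally.
factory_img=/tmp/lede-17.01.4-ar71xx-nand-wndr4300-ubi-factory.img

if [ -f "$factory_img" ]; then
  # tftp reads its commands from stdin: binary mode, 1 s retransmit,
  # 60 s timeout, trace output, then the upload.
  printf 'binary\nrexmt 1\ntimeout 60\ntrace\nput %s\n' "$factory_img" | tftp 192.168.1.1
else
  printf 'image not found: %s\n' "$factory_img" >&2
fi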

网件 Netgear WNDR4300 路由器怎样刷 OpenWrt 自动翻墙固件