Across the …, we can reach every corner in the world
注意:以下內容在Netgear R7000 xwrt-merlin上經過測試。openwrt類似,還有更易用的LuCI圖形化配置
思路:chinadns作為dnsmasq的上游,通過ss-tunnel查詢國外dns服務器分辨投毒。利用iptables分流請求,ipset中儲存國內IP地址與本地和保留地址,符合條件的直連,其餘通過ss-redir轉發至VPS
1. 配置entware環境
準備一個U盤,格式化為ext3(R7k merlin不支持ext4)。打開路由器的jffs。打開路由器的SSH,登錄後:
entware-setup.sh
更新:
opkg update
opkg upgrade
安裝sftp服務器便於文件傳輸:
opkg install openssh-sftp-server
安裝lsof用於查看佔用端口:
opkg install lsof
安裝所需軟件:
opkg install shadowsocks-libev-ss-redir
opkg install shadowsocks-libev-ss-tunnel
opkg install simple-obfs
opkg install chinadns
opkg install rng-tools // *obfs插件若提示收集不到足夠的隨機數,可安裝rng-tools包
2. 配置SS與chinadns
測試redir是否能夠正常工作:
ss-redir -s [VPS的IP地址] -p [服務器端口號,e.g. 8086] -b 0.0.0.0 -l [本地端口號,e.g. 1080] -k [密碼,e.g. pass.123] -m chacha20-ietf-poly1305 -t 60 -u --plugin obfs-local --plugin-opts "obfs=tls;obfs-host=cloudfront.net"
redir啟動腳本:
安裝後默認生成配置文件 S22shadowsocks 於 /opt/etc/init.d 目錄下,編輯其中內容
PROCS=ss-local 改為 PROCS=ss-redir
redir配置json:
{
"server": "[VPS的IP地址]",
"server_port": "[服務器端口號,e.g. 8086]",
"local_address": "0.0.0.0",
"local_port": "[本地端口號,e.g. 1080]", // 此處監聽端口是轉發流量的,記作portA
"password": "[密碼,e.g. pass.123]",
"method": "chacha20-ietf-poly1305",
"timeout": 60,
"mode": "tcp_and_udp",
"plugin": "obfs-local",
"plugin_opts": "obfs=tls;obfs-host=cloudfront.net"
}
tunnel啟動腳本:
直接複製一份 S22shadowsocks 的腳本,編輯其中內容
PROCS=ss-redir 改為 PROCS=ss-tunnel
tunnel配置json:
{
"server": "[VPS的IP地址]",
"server_port": "[服務器端口號,e.g. 8086]",
"local_address": "0.0.0.0",
"local_port": "[本地端口號,e.g. 1088]", // 此處監聽端口是為chinadns服務的,記作portB
"password": "[密碼,e.g. pass.123]",
"method": "chacha20-ietf-poly1305",
"tunnel_address": "8.8.8.8:53",
"mode": "tcp_and_udp",
"plugin": "obfs-local",
"plugin_opts": "obfs=tls;obfs-host=cloudfront.net"
}
chinadns啟動腳本:
安裝後默認生成配置文件 S56chinadns 於 /opt/etc/init.d 目錄下,編輯其中內容
在 ARGS= 的後面追加 -s 114.114.114.114,127.0.0.1:[portB] ,114可更換任意國內可用的dns
並記下這裡 -p 後的端口號,記作portC
更新chnroute:
curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | grep ipv4 | grep CN | awk -F\| '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /opt/etc/chinadns_chnroute.txt
3. 配置iptables分流,儲存ipset列表
*可以用bestroutetb生成一個優化過chnroute,這個步驟需要在本地主機或者VPS上進行:
apt-get install npm
npm install -g bestroutetb
bestroutetb -p custom --rule-format=$'%prefix/%length\n' --group-header=$'---%name-start\n' --group-footer=$'---%name-end\n' --group-gateway -f -o /tmp/chnroutes.txt
sed -e '/---vpn-start/,/---vpn-end/d' -e '/^---/d' /tmp/chnroutes.txt > /tmp/tb.txt
生成的tb.txt備用
在ipset中生成兩個直連的列表:
ipset create loprivate hash:net
ipset add loprivate 0.0.0.0/8
ipset add loprivate 10.0.0.0/8
ipset add loprivate 127.0.0.0/8
ipset add loprivate 169.254.0.0/16
ipset add loprivate 172.16.0.0/12
ipset add loprivate 192.168.0.0/16
ipset add loprivate 224.0.0.0/4
ipset add loprivate 240.0.0.0/4
以及:
ipset create chnip hash:net
while read rule; do (ipset add chnip $rule); done < /opt/etc/chinadns_chnroute.txt // *或者tb.txt
並保存:
ipset save > /opt/etc/saved.ipset
配置iptables:
iptables -t nat -N SHADOWSOCKS
iptables -t nat -A SHADOWSOCKS -d [VPS的IP地址] -j RETURN
iptables -t nat -A SHADOWSOCKS -m set --match-set loprivate dst -j RETURN
iptables -t nat -A SHADOWSOCKS -m set --match-set chnip dst -j RETURN
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports [portA]
4. 啟動服務
使用腳本:
/opt/etc/init.d/[ss-redir腳本] start
/opt/etc/init.d/[ss-tunnel腳本] start
/opt/etc/init.d/[chinadns腳本] start
然後分別檢查一下是否報錯:
/opt/etc/init.d/[腳本] check
如果顯示dead,一般是PROCS中名稱有誤,或者是端口被佔用需要更換,也可能是配置文件語法錯(漏了逗號?)
檢查端口:
lsof -i |grep [端口號]
配置dnsmasq:
編輯 /etc/dnsmasq.conf
最後添加兩行:
no-resolv
server=127.0.0.1#[portC]
並重啟dnsmasq
使更改生效:
iptables -t nat -A PREROUTING -p tcp --dport 21:5000 -j SHADOWSOCKS
至此已實現分流與轉發
5. 配置路由器的重啟自動恢復
在 /jffs/scripts/ 下的 service-start 腳本最後添加內容:
ipset restore < /opt/etc/saved.ipset
iptables -t nat -N SHADOWSOCKS
iptables -t nat -A SHADOWSOCKS -d [VPS的IP地址] -j RETURN
iptables -t nat -A SHADOWSOCKS -m set --match-set loprivate dst -j RETURN
iptables -t nat -A SHADOWSOCKS -m set --match-set chnip dst -j RETURN
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports [portA]
iptables -t nat -A PREROUTING -p tcp --dport 21:5000 -j SHADOWSOCKS
新建 dnsmasq.postconf ,內容:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "no-resolv" $CONFIG
pc_append "server=127.0.0.1#[portC]" $CONFIG
並賦予權限:
chmod a+rx /jffs/scripts/*
Reference:
https://icymind.com/learn-from-gfw/
https://gist.github.com/wen-long/8644243
https://blog.microdog.me/2016/06/28/Speed-Up-Network-Accessing-To-Overseas-Services-On-Your-Server/
http://www.q2zy.com/articles/2015/11/04/router-configuration-3/
https://xufooo.ml/2016/06/zybo%e5%bc%80%e5%8f%91%e6%9d%bflinux%e4%b8%8b%e9%80%8f%e6%98%8e%e4%bb%a3%e7%90%86fq%e4%bb%a5%e5%8f%8a%e5%8e%bb%e5%9b%bd%e5%86%85%e5%b9%bf%e5%91%8a/
https://zzz.buzz/zh/gfw/2016/02/16/deploy-shadowsocks-on-routers/
https://cokebar.info/archives/664
https://github.com/goodbest/Merlin-SS-config
https://github.com/YtnbFirewings/asus-merlin-cross-the-gfw
https://www.bjwf125.com/?p=9
https://fooy.github.io/blog/2016/06/18/setup-transparent-proxy-on-r7000/
https://www.zfl9.com/ss-redir.html
沒有留言:
張貼留言