ITGeeker previously configured OpenWRT with SS + ChinaDNS + DNS-Forwarder as a proxy:
Although obfs obfuscation is no longer supported by SS, that setup still works. Recently, however, the server started supporting V2Ray, so I configured a V2Ray transparent proxy on OpenWRT again, or rather a gateway; ITGeeker likes to call it a bypass router (旁路由). Call it whatever you like; since it is installed on a bypass router here, this page calls it a bypass router.
Here is a simplified topology diagram first. A full illustrated walkthrough would be lengthy; anyone who can read the complete configuration file below should be able to set this up. If you need an illustrated guide, leave a comment and it will be updated with priority.
by itgeeker.net
V2Ray effectively bundles many of the applications listed above: it is easier to install and far more capable, but not easier to configure. Fortunately the preset configuration shipped with the OpenWRT package is very useful.
Complete configuration file
Taken from /var/etc/v2ray/v2ray.main.json, the file the OpenWRT V2Ray package generates. Six outbound servers of my own are configured here: 4 VMess (V2Ray) + 2 Shadowsocks. Replace the placeholders with your own values: server address, port (shown below as YOUR_SERVER_PORT, a number), the VMess user id (a UUID), alterId, security, or the Shadowsocks method and password, and in theory the proxy then works by itself. The hosts entry for example.com is only a sample. Two things are worth knowing before adapting the routing section: every outbound sets sockopt.mark to 255, which is what a firewall rule can use to keep V2Ray's own upstream connections from being redirected back into it (the plain rules below do not use it yet); and the balancer is declared but no rule references it via balancerTag (its selector also lists server3, which matches no outbound tag, since that outbound is tagged proxy, and omits server5 and server801). Traffic that matches none of the rules therefore goes to the first outbound in the list, which is proxy.
{
  "log": {
    "access": "/dev/null",
    "loglevel": "warning",
    "error": "/var/log/v2ray-error.log"
  },
  "dns": {
    "hosts": {
      "example.com": "127.0.0.1"
    },
    "servers": [
      "1.1.1.1",
      "8.8.8.8",
      {
        "address": "114.114.114.114",
        "port": 53,
        "domains": [
          "geosite:cn",
          "ntp.org"
        ]
      },
      {
        "address": "223.5.5.5",
        "port": 53,
        "domains": [
          "geosite:cn"
        ]
      },
      "202.96.209.5"
    ]
  },
  "routing": {
    "domainStrategy": "IPOnDemand",
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:private",
          "geoip:cn"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain": [
          "geosite:cn"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "protocol": [
          "bittorrent"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain": [
          "geosite:category-ads-all"
        ],
        "outboundTag": "block"
      },
      {
        "type": "field",
        "port": "53",
        "network": "udp",
        "inboundTag": [
          "transparent"
        ],
        "outboundTag": "dns_out"
      },
      {
        "type": "field",
        "ip": [
          "114.114.114.114",
          "223.5.5.5"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": [
          "1.1.1.1",
          "8.8.8.8",
          "208.67.222.222"
        ],
        "outboundTag": "proxy"
      },
      {
        "type": "field",
        "port": "123",
        "network": "udp",
        "outboundTag": "direct"
      }
    ],
    "balancers": [
      {
        "tag": "balancer",
        "selector": [
          "server1",
          "server2",
          "server3",
          "server4",
          "proxy"
        ]
      }
    ]
  },
  "inbounds": [
    {
      "port": 10800,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "0.0.0.0"
      },
      "streamSettings": {
        "sockopt": {
        }
      },
      "tag": "in_proxy",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    },
    {
      "port": 10811,
      "protocol": "dokodemo-door",
      "settings": {
        "followRedirect": true,
        "network": "tcp,udp",
        "timeout": 30
      },
      "streamSettings": {
        "sockopt": {
        }
      },
      "tag": "transparent",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "server3.domain.com",
            "port": YOUR_SERVER_PORT,
            "users": [
              {
                "id": "YOUR SERVER ID",
                "alterId": 0,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      },
      "tag": "proxy",
      "mux": {
        "enabled": true,
        "concurrency": 8
      }
    },
    {
      "protocol": "freedom",
      "settings": {
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      },
      "tag": "direct",
      "mux": {
        "enabled": true,
        "concurrency": 8
      }
    },
    {
      "protocol": "blackhole",
      "settings": {
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      },
      "tag": "block"
    },
    {
      "protocol": "dns",
      "settings": {
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      },
      "tag": "dns_out"
    },
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "server5.domain.com",
            "port": YOUR_SERVER_PORT,
            "users": [
              {
                "id": "YOUR SERVER ID",
                "alterId": 0,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      },
      "tag": "server5",
      "mux": {
        "enabled": true,
        "concurrency": 8
      }
    },
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "server4.domain.com",
            "port": YOUR_SERVER_PORT,
            "users": [
              {
                "id": "YOUR SERVER ID",
                "alterId": 0,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "tcpSettings": {
          "header": {
            "type": "none"
          }
        },
        "sockopt": {
          "mark": 255
        }
      },
      "tag": "server4"
    },
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "server801.domain.com",
            "port": YOUR_SERVER_PORT,
            "users": [
              {
                "id": "YOUR SERVER ID",
                "alterId": 0,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "tcpSettings": {
          "header": {
            "type": "none"
          }
        },
        "sockopt": {
          "mark": 255
        }
      },
      "tag": "server801",
      "mux": {
        "enabled": true,
        "concurrency": 8
      }
    },
    {
      "protocol": "shadowsocks",
      "settings": {
        "servers": [
          {
            "address": "server1.domain.com",
            "port": YOUR_SERVER_PORT,
            "method": "aes-256-gcm",
            "password": "YOUR SS PASSWORD",
            "ota": false
          }
        ]
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255,
          "tcpFastOpen": true
        }
      },
      "tag": "server1"
    },
    {
      "protocol": "shadowsocks",
      "settings": {
        "servers": [
          {
            "address": "server2.domain.com",
            "port": YOUR_SERVER_PORT,
            "method": "aes-256-gcm",
            "password": "YOUR SS PASSWORD",
            "ota": false
          }
        ]
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255,
          "tcpFastOpen": true
        }
      },
      "tag": "server2"
    }
  ]
}
Firewall iptables configuration
Run these on the command line or add them in the OpenWrt web UI under Network -> Firewall -> Custom Rules. They redirect only TCP traffic whose destination is in the gfwlist ipset (populated by dnsmasq from the conf file in the next section, plus 8.8.8.8 added by hand). The REDIRECT target must be the port the dokodemo-door inbound actually listens on: the rules use 1081, while the generated config above listens on 10811, so check which port your running instance has open and use that one.
ipset -N gfwlist iphash
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1081
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1081
ipset add gfwlist 8.8.8.8
The rules above cover TCP only. Proxying UDP requires TPROXY in the mangle table, and therefore the iptables-mod-tproxy module; make sure it is installed.
opkg install iptables-mod-tproxy
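As an added example (not from the original post), here is the same REDIRECT setup written so that it can be re-run safely and pasted into Custom Rules: the rules live in a private chain (the name V2RAY_GFW is chosen here), private and loopback destinations are exempted, and an exemption for packets carrying SO_MARK 255, the mark every outbound in the config above sets through sockopt.mark, is placed before the REDIRECT so that V2Ray's own upstream connections in the OUTPUT chain are never redirected back into V2Ray. The port defaults to 1081 to match the rules above; pass the port your dokodemo-door inbound really listens on. The script also refuses to apply a rule set in which the RETURN does not precede the REDIRECT.

```shell
#!/bin/sh
# Added example, not part of the original post. Usage on the bypass router:
#   sh v2ray-nat.sh [PORT]          print the rules (paste into Custom Rules)
#   sh v2ray-nat.sh [PORT] apply    apply them (needs root, ipset and iptables)
# PORT, the ipset name and the chain name are assumptions; adjust to your setup.

V2RAY_PORT="${1:-1081}"      # REDIRECT target: the dokodemo-door inbound port
IPSET_NAME="gfwlist"         # filled by dnsmasq's ipset=/domain/gfwlist lines
CHAIN="V2RAY_GFW"            # private nat chain (name chosen for this example)

# Print the rule set for a port/ipset/chain. Order inside the chain matters:
#  1. packets marked 255 are V2Ray's own upstream traffic: return, never loop
#  2. loopback and RFC1918 destinations are never redirected
#  3. only then are destinations in the gfwlist ipset redirected
# -exist and -C make the whole thing idempotent, so re-running does not
# stack duplicate rules.
v2ray_nat_rules() {
    port="$1"; set_name="$2"; chain="$3"
    cat <<EOF
ipset create $set_name hash:ip -exist
iptables -t nat -N $chain 2>/dev/null || iptables -t nat -F $chain
iptables -t nat -A $chain -m mark --mark 255 -j RETURN
iptables -t nat -A $chain -d 127.0.0.0/8 -j RETURN
iptables -t nat -A $chain -d 10.0.0.0/8 -j RETURN
iptables -t nat -A $chain -d 172.16.0.0/12 -j RETURN
iptables -t nat -A $chain -d 192.168.0.0/16 -j RETURN
iptables -t nat -A $chain -p tcp -m set --match-set $set_name dst -j REDIRECT --to-ports $port
iptables -t nat -C PREROUTING -p tcp -j $chain 2>/dev/null || iptables -t nat -A PREROUTING -p tcp -j $chain
iptables -t nat -C OUTPUT -p tcp -j $chain 2>/dev/null || iptables -t nat -A OUTPUT -p tcp -j $chain
ipset add $set_name 8.8.8.8 -exist
EOF
}

# Safety check on a rule list (generated text or "iptables-save -t nat" output,
# which prints the mark as 0xff): the mark RETURN must appear before the first
# REDIRECT, otherwise V2Ray's connections to a gfwlist address would be
# redirected into V2Ray again. Returns 0 when the order is safe.
rules_in_safe_order() {
    rules="$1"
    ret_line=$(printf '%s\n' "$rules" | grep -nE -- '--mark (255|0xff)( |$)' | head -1 | cut -d: -f1)
    red_line=$(printf '%s\n' "$rules" | grep -n -- '-j REDIRECT' | head -1 | cut -d: -f1)
    [ -n "$ret_line" ] && [ -n "$red_line" ] && [ "$ret_line" -lt "$red_line" ]
}

if [ "$2" = "apply" ]; then
    rules=$(v2ray_nat_rules "$V2RAY_PORT" "$IPSET_NAME" "$CHAIN")
    rules_in_safe_order "$rules" || { echo "refusing to apply: unsafe rule order" >&2; exit 1; }
    printf '%s\n' "$rules" | sh -e
else
    v2ray_nat_rules "$V2RAY_PORT" "$IPSET_NAME" "$CHAIN"
fi
```

The same check can be run against a live router with rules_in_safe_order "$(iptables-save -t nat)" after the rules have been loaded by the firewall.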
OpenWRT dnsmasq-full configuration
The ipset= directive used below only works with dnsmasq-full, which replaces the default dnsmasq package (built without ipset support).
cd /etc/dnsmasq.d && wget https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist_ipset.conf
# If the download fails, install:
opkg install libustream-mbedtls coreutils-base64 ca-certificates ca-bundle
Every line of the form server=/hp.com/127.0.0.1#5353 in dnsmasq_gfwlist_ipset.conf has to be deleted: those lines would forward gfwlist domains to a resolver on 127.0.0.1 port 5353, which does not exist in this setup. Only the ipset=/domain/gfwlist lines are needed, since they are what fills the gfwlist ipset matched by the iptables rules above. On Windows 10 you can use VS Code or a similar editor: regex search for
server=/(.*)
and replace with nothing. Then remember to
# restart dnsmasq
/etc/init.d/dnsmasq restart
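The same cleanup can be done on the router with a pipeline instead of an editor. This is an added example, not from the original post; it assumes the URL and file name used above, and that wget and dnsmasq (for dnsmasq --test) are available on the router. The filtering functions read stdin, so they can be tried on a few constructed lines before touching /etc.

```shell
#!/bin/sh
# Added example, not part of the original post. Usage on the router:
#   sh gfwlist-conf.sh install
# The downloaded file contains two kinds of lines per domain:
#   server=/example.org/127.0.0.1#5353   forward to a local resolver on 5353
#                                        (not running in this setup: drop it)
#   ipset=/example.org/gfwlist           add resolved IPs to the gfwlist ipset
#                                        (this is what the nat rules rely on)

CONF_URL="https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist_ipset.conf"
CONF="/etc/dnsmasq.d/dnsmasq_gfwlist_ipset.conf"

# Drop every server= line; keep ipset= lines and comments. stdin -> stdout.
strip_server_lines() {
    grep -v '^server=/'
}

# Number of ipset= lines on stdin. Used as a plausibility check that the
# download is the real conf and not, say, an HTML error page saved by wget.
count_ipset_lines() {
    grep -c '^ipset=/'
}

# Full procedure: download to a temp file, sanity-check, filter into place,
# syntax-check dnsmasq's configuration and restart it. Router only.
install_gfwlist_conf() {
    tmp=$(mktemp) || return 1
    wget -O "$tmp" "$CONF_URL" || { rm -f "$tmp"; return 1; }
    n=$(count_ipset_lines < "$tmp") || n=0
    if [ "$n" -eq 0 ]; then
        echo "no ipset= lines in download, aborting" >&2
        rm -f "$tmp"
        return 1
    fi
    strip_server_lines < "$tmp" > "$CONF"
    rm -f "$tmp"
    echo "kept $n ipset= lines in $CONF"
    dnsmasq --test && /etc/init.d/dnsmasq restart
}

if [ "$1" = "install" ]; then
    install_gfwlist_conf
fi
```

dnsmasq --test only checks syntax; whether the ipset is actually being filled is visible afterwards with ipset list gfwlist after resolving a listed domain through the router.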
Installing dnsmasq-china-list (optional)
This serves as a front-end optimization for splitting domestic and foreign sites; follow the official installation instructions. Their official repository is mirrored on all the major code hosting sites, domestic and foreign:
- https://gitee.com/felixonmars/dnsmasq-china-list.git
- https://pagure.io/dnsmasq-china-list.git
- https://github.com/felixonmars/dnsmasq-china-list.git
- https://bitbucket.org/felixonmars/dnsmasq-china-list.git
- https://gitlab.com/felixonmars/dnsmasq-china-list.git
- https://codehub.devcloud.huaweicloud.com/dnsmasq-china-list00001/dnsmasq-china-list.git
- https://code.aliyun.com/felixonmars/dnsmasq-china-list.git
- http://repo.or.cz/dnsmasq-china-list.git
Troubleshooting the V2Ray transparent proxy
If you still cannot get online after restarting the main router and the bypass router, check the following:
- Is the bypass router configured correctly? See:
Router flashed with OpenWRT + bypass router setup + seamless roaming configuration (Raspberry Pi 3B/3B+/4B running OpenWRT as a bypass router)
- Is IP forwarding enabled on the bypass router? Persist the setting in /etc/sysctl.d and load that file explicitly (a bare sysctl -p reads only /etc/sysctl.conf, not the sysctl.d directory; the echo appends a duplicate line each time it is run, so run it once):
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/10-default.conf
sysctl -p /etc/sysctl.d/10-default.conf
- Can the bypass router itself reach the outside through the proxy? Test via the SOCKS inbound (1080 here; the generated config above puts it on 10800, so use whichever port your instance listens on):
curl -x socks5://127.0.0.1:1080 google.com
The result should be:
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
- Check again whether the iptables commands were actually applied (list the nat PREROUTING and OUTPUT chains and look for the REDIRECT rule pointing at the transparent inbound port).
- If it still does not work, ask someone more experienced.
As configured here, REDIRECT in the nat table proxies IPv4 TCP only and does not cover IPv6; TPROXY (mangle table) handles UDP as well and, together with ip6tables, IPv6.
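The checks in the list above, as an added example that is not part of the original post, turned into functions that take their input as arguments so each one can be run against saved output as well as live data on the router. The port numbers are assumptions matching the commands above (1080 for the SOCKS inbound, 1081 for the REDIRECT target); override them with SOCKS_PORT and REDIRECT_PORT if your instance listens elsewhere.

```shell
#!/bin/sh
# Added example, not part of the original post. Usage on the bypass router:
#   REDIRECT_PORT=10811 SOCKS_PORT=10800 sh v2ray-check.sh run
# Needs netstat, iptables-save and curl with SOCKS support.

SOCKS_PORT="${SOCKS_PORT:-1080}"        # socks inbound (assumption)
REDIRECT_PORT="${REDIRECT_PORT:-1081}"  # nat REDIRECT target (assumption)

# 1. IP forwarding. Argument: the sysctl value file (default: the live one).
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# 2. Is something listening on a TCP port? $1 is "netstat -lnp" output,
#    $2 the port. Matches 0.0.0.0:PORT and :::PORT, whole port number only,
#    so 1081 does not match a listener on 10811.
listening_on() {
    printf '%s\n' "$1" | grep -E "^tcp.*[:.]$2[[:space:]]+.*LISTEN" >/dev/null
}

# 3. Did the REDIRECT rule land in the nat table? $1 is "iptables-save -t nat"
#    output, $2 the target port the rule must point at.
redirect_rule_present() {
    printf '%s\n' "$1" | grep -E -- "-j REDIRECT --to-ports $2( |$)" >/dev/null
}

# 4. Can the router itself get out through the socks inbound? socks5h makes
#    curl hand the hostname to the proxy, so this also exercises V2Ray's DNS.
#    google.com answers with a 301 to www.google.com; any 2xx/3xx counts as ok.
proxy_works() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -x "socks5h://127.0.0.1:$1" http://google.com/)
    case "$code" in
        2*|3*) return 0 ;;
        *)     return 1 ;;
    esac
}

run_all() {
    ip_forward_enabled && echo "ip_forward: ok" \
        || echo "ip_forward: OFF (sysctl -w net.ipv4.ip_forward=1)"
    ns=$(netstat -lnp 2>/dev/null)
    listening_on "$ns" "$REDIRECT_PORT" && echo "inbound $REDIRECT_PORT: listening" \
        || echo "inbound $REDIRECT_PORT: nothing listening (check the dokodemo-door port)"
    nat=$(iptables-save -t nat 2>/dev/null)
    redirect_rule_present "$nat" "$REDIRECT_PORT" && echo "nat REDIRECT -> $REDIRECT_PORT: present" \
        || echo "nat REDIRECT -> $REDIRECT_PORT: missing (re-run the firewall rules)"
    proxy_works "$SOCKS_PORT" && echo "socks proxy on $SOCKS_PORT: ok" \
        || echo "socks proxy on $SOCKS_PORT: FAILED (check outbound servers and /var/log/v2ray-error.log)"
}

if [ "$1" = "run" ]; then
    run_all
fi
```

A mismatch between the inbound port and the REDIRECT port (10811 listening, rule pointing at 1081) shows up here as "listening" on one line and "missing" on the next, which is exactly the case the port caveats above warn about.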