電訊茶室's Archiver

角色 posted on 2019-2-20 13:40

Configuration of transparent V2Ray proxy server using Raspberry Pi —— Watch YouTube and CCTV5 Simultaneously

[i=s] This post was last edited by 角色 on 2019-2-21 00:20 [/i]

I have written three posts about the configuration of a transparent (web) server used in mainland China [1,2,3]. In the previous configurations, remote free websites such as Facebook, YouTube, etc. could be accessed. However, there were problems in accessing the local mainland websites. The main cause of the problems is the poor design of the routing rules used, which will be described later. The network configuration of this post is:

[attach]4290[/attach]

The right-hand side is HK or another free-world ISP site. An ordinary V2Ray node (server) is installed there, which will serve the remote V2Ray node (client) installed in mainland China. The left-hand side is the network used in mainland China. In general we get internet access via the local mainland China ISP. An ordinary WiFi router is installed at home/in the office.

The configuration of the V2Ray node (server) is a general one which can be easily realised by general methods.

The configuration of the V2Ray node (client) is more complex and will be shown later. The IP address of the V2Ray node (client) is 192.168.4.22. The gateway and nameserver are the same, i.e., 192.168.4.1.

Router 2 used in mainland China has to be configured as follows:

1. Router (WAN) IP is obtained via the DHCP client method (gets the ISP gateway and ISP DNS server IPs)
2. Router (LAN) IP is 192.168.4.1
3. Router (LAN DHCP server):
    - IP address distribution range: 192.168.4.100-192.168.4.200
    - Gateway: 192.168.4.22
    - DNS server: 192.168.4.22

PCs and mobile devices obtain their IP, gateway and DNS server from router 2 via DHCP.

References:
[1] [url]http://www.telecom-cafe.com/forum/viewthread.php?tid=7300&extra=page%3D1[/url]
[2] [url]http://www.telecom-cafe.com/forum/viewthread.php?tid=7301&extra=page%3D2[/url]
[3] [url]http://www.telecom-cafe.com/forum/viewthread.php?tid=7304&extra=page%3D2[/url]

角色 posted on 2019-2-20 14:01

[i=s] This post was last edited by 角色 on 2019-2-21 00:23 [/i]

The config.json configuration file used in the client V2Ray node is as follows (V2Ray's own config reader accepts comments; a plain JSON parser does not, so strip them before feeding the file to other tools):[code]
{
  "dns": {
    "servers": [
      "8.8.8.8",
      {
        "domains": ["geosite:cn"],
        "port": 53,
        "address": "114.114.114.114"
      },
      "localhost"
    ]
  },
  "inbounds": [
    {
      "port": 1081,
      "listen": "192.168.4.22",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http","tls"]
      },
      "settings": {
        "udp": true   // enable UDP relay on the SOCKS inbound
      }
    },
    {
      "protocol": "dokodemo-door",
      "port": 12345,
      "sniffing": {   // sniffing replaces the deprecated "domainOverride" field
        "enabled": true,
        "destOverride": ["tls","http"]
      },
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      }
    },
    {
      "protocol": "dokodemo-door",
      "port": 53,
      "tag": "dns-in",
      "listen": "192.168.4.22",
      "settings": {
        "address": "8.8.8.8",
        "port": 53,
        "network": "udp,tcp"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "123.123.123.123",   // hostname or IP address of the remote V2Ray server
            "port": 10086,                  // remote side port number of the V2Ray server
            "users": [
              {"id": "UUID"}                // put your UUID here
            ]
          }
        ]
      }
    },
    {
      "protocol": "freedom",
      "tag": "direct",
      "settings": {}
    },
    {
      "protocol": "dns",
      "tag": "dns-out"
    }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": "dns-in",
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "outboundTag": "direct",
        "domain": [ "geosite:cn" ]
      },
      {
        "type": "field",
        "ip": ["geoip:private", "geoip:cn"],   // one "ip" key: a duplicated key would silently keep only the last value
        "outboundTag": "direct"
      }
    ]
  }
}
[/code]

角色 posted on 2019-2-20 14:04

[i=s] This post was last edited by 角色 on 2019-2-20 14:19 [/i]

Apart from config.json, we need to configure the firewall of the Linux box running the client V2Ray node as follows:[code]
#!/bin/bash

# TCP
# Create new chain
iptables -t nat -N V2RAY

# Ignore LANs and any other addresses you'd like to bypass the proxy
# See Wikipedia and RFC5735 for full list of reserved networks.
iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 10.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 169.254.0.0/16 -j RETURN
iptables -t nat -A V2RAY -d 172.16.0.0/12 -j RETURN
iptables -t nat -A V2RAY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A V2RAY -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to Dokodemo-door's local port
iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 12345

# Apply the rules
iptables -t nat -A PREROUTING -p tcp -j V2RAY
#iptables -t nat -A OUTPUT -p tcp -j V2RAY

# UDP
# Policy routing: packets carrying fwmark 1 (set by TPROXY below) are delivered locally
ip route add local 0.0.0.0/0 dev lo table 100
ip rule add fwmark 1 table 100
iptables -t mangle -N V2RAY_MARK

# Ignore LANs and any other addresses you'd like to bypass the proxy
# See Wikipedia and RFC5735 for full list of reserved networks.
iptables -t mangle -A V2RAY_MARK -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to Dokodemo-door's local port
iptables -t mangle -A V2RAY_MARK -p udp -j TPROXY --on-port 12345 --tproxy-mark 1

# Add any UDP rules
iptables -t mangle -A PREROUTING -p udp -j V2RAY_MARK
#iptables -t mangle -A OUTPUT -j V2RAY_MARK
[/code]

The OUTPUT chain rules on lines 23 and 47 are used for local access from within the V2Ray machine itself. Since we do not plan to access websites locally, they are commented out.

角色 posted on 2019-2-20 14:22

The reason we were not able to access local sites such as CCTV5 is the routing section. We need to separate the "domain" and "ip" conditions into different rules.

Previous routing configuration:[code]
  "routing": {
    "domainStrategy": "IPOnDemand",
    "rules": [{
      "type": "field",
      "domain": ["geosite:cn"],
      "ip": ["geoip:private", "geoip:cn"],
      "outboundTag": "direct"
    }]
  }
[/code]

Present routing configuration:[code]
      {
        "type": "field",
        "outboundTag": "direct",
        "domain": [ "geosite:cn" ]
      },
      {
        "type": "field",
        "ip": ["geoip:private", "geoip:cn"],
        "outboundTag": "direct"
      }
[/code]
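Two things in this thread are worth checking mechanically rather than by eye: a JSON object with the same key twice (the "ip" key in the routing rule) is silently reduced to its last value by ordinary JSON parsers, and a V2Ray "field" rule only fires when every condition in it matches (first matching rule wins). The script below is an added example, not code from the original posts: it loads config text with "//" comments, reports duplicate keys, and simulates the single combined rule against the separated domain and ip rules. The geosite/geoip contents, the sample destinations and the "proxy" default outbound are constructed stand-ins for the real data files.

```python
"""Added example: lint a V2Ray-style routing section and simulate its rule semantics."""
import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for geosite:cn, geoip:cn and geoip:private (not the real data files).
GEOSITE = {"cn": ("cctv.com", "cntv.cn", "baidu.com")}
GEOIP = {
    "cn": [ipaddress.ip_network("114.114.0.0/16"), ipaddress.ip_network("223.5.5.0/24")],
    "private": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}

# Routing section as it was before the fix, with the duplicated "ip" key and a // comment.
OLD_ROUTING = """{
  "domainStrategy": "IPOnDemand",
  "rules": [{
    "type": "field",
    "domain": ["geosite:cn"],
    "ip": ["geoip:private"],   // overwritten by the next line when parsed
    "ip": ["geoip:cn"],
    "outboundTag": "direct"
  }]
}"""

# Routing section after the fix: domain and ip conditions in separate rules.
NEW_ROUTING = """{
  "domainStrategy": "IPIfNonMatch",
  "rules": [
    {"type": "field", "outboundTag": "direct", "domain": ["geosite:cn"]},
    {"type": "field", "outboundTag": "direct", "ip": ["geoip:private", "geoip:cn"]}
  ]
}"""


def load_v2ray_json(text: str) -> Tuple[dict, List[str]]:
    """Parse config text that may carry // line comments and return (config, duplicate keys).
    json.loads keeps only the last value of a repeated key, so the hook records the repeats.
    The comment stripper is deliberately simple and would also cut a "//" inside a string."""
    dupes: List[str] = []

    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                dupes.append(key)
            obj[key] = value
        return obj

    return json.loads(re.sub(r"//[^\n]*", "", text), object_pairs_hook=hook), dupes


def _domain_matches(pattern: str, domain: Optional[str]) -> bool:
    if domain is None:
        return False
    if pattern.startswith("geosite:"):
        return any(domain == s or domain.endswith("." + s) for s in GEOSITE[pattern[8:]])
    return pattern in domain  # a plain string matches any part of the domain


def _ip_matches(pattern: str, ip: Optional[str]) -> bool:
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    if pattern.startswith("geoip:"):
        return any(addr in net for net in GEOIP[pattern[6:]])
    return addr in ipaddress.ip_network(pattern, strict=False)


def route(rules: List[dict], domain: Optional[str], ip: Optional[str], default: str = "proxy") -> str:
    """First rule whose conditions ALL match decides the outbound; otherwise the default outbound."""
    for rule in rules:
        conds = []
        if "domain" in rule:
            conds.append(any(_domain_matches(p, domain) for p in rule["domain"]))
        if "ip" in rule:
            conds.append(any(_ip_matches(p, ip) for p in rule["ip"]))
        if conds and all(conds):
            return rule["outboundTag"]
    return default


# Constructed destinations: (domain seen by sniffing or None, resolved/raw destination IP).
CASES = [
    ("cctv.com", "203.0.113.7"),     # CN domain whose resolved address is not in geoip:cn
    (None, "192.168.4.1"),           # LAN device reached by raw IP, no domain
    (None, "114.114.114.114"),       # CN address reached by raw IP, no domain
    ("youtube.com", "203.0.113.9"),  # should stay on the proxy in both layouts
]


def compare(old_text: str = OLD_ROUTING, new_text: str = NEW_ROUTING) -> Dict[tuple, Tuple[str, str]]:
    """Map each case to (outbound under the old single rule, outbound under the separated rules)."""
    old_rules = load_v2ray_json(old_text)[0]["rules"]
    new_rules = load_v2ray_json(new_text)[0]["rules"]
    return {case: (route(old_rules, *case), route(new_rules, *case)) for case in CASES}


if __name__ == "__main__":
    cfg, dupes = load_v2ray_json(OLD_ROUTING)
    print("duplicate keys in old routing:", dupes, "-> effective ip list:", cfg["rules"][0]["ip"])
    for case, (old, new) in compare().items():
        print(f"{str(case):40} old={old:6} new={new}")
```

The combined rule sends every sample except the YouTube one to the proxy, because a rule with both "domain" and "ip" needs both to match and a raw-IP connection has no domain at all; the separated rules route each by whichever condition it can satisfy. The duplicate-key report is the part to run on any hand-edited config before deploying it.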

角色 posted on 2019-2-20 17:35

[i=s] This post was last edited by 角色 on 2019-2-21 12:13 [/i]

Test results:

Able to see YouTube and CCTV5 at the same time on PC, mobile phone and iPad without any VPN/proxy client installed on the devices. The performance is very satisfactory.

Please note that the DNS provided by V2Ray is very intelligent: for a local IP, it goes locally to 114.114.114.114; otherwise it goes to the remote site 8.8.8.8 via the vmess tunnel.


Powered by Discuz! Archiver 7.2  © 2001-2009 Comsenz Inc.