Openwrt V2ray 透明代理 tls + ws (實踐編)(頁 1) - VPN 研究室 - 電訊茶室

tomleehk 發表於 2019-12-20 20:37

Openwrt V2ray 透明代理 tls + ws (實踐編)

[i=s] 本帖最後由 tomleehk 於 2019-12-21 08:39 編輯 [/i]

Openwrt V2ray 透明代理 tls + ws (實踐編)

參考網上文章, 呢d網友嘅文章比較完整
[color=DarkGreen][i]
V2RAY透明代理
[url]https://ibcl.us/HC5962-V2Ray_20190518/[/url]
[url]https://xdays.me/V2RAY%E9%80%8F%E6%98%8E%E4%BB%A3%E7%90%86/[/url]

[/i][/color]

左砌右砌加加減減, 初步睇結果喺成功做到tcp+dns轉發, 速度唔算好高, 足夠一般使用

tomleehk 發表於 2019-12-21 07:36

[i=s] 本帖最後由 tomleehk 於 2019-12-21 11:28 編輯 [/i]

將v2ray作為OpenWrt 透明代理, 需要安裝一些package
opkg update <<ENTER>>
opkg install bash kmod-ipt-tproxy iptables-mod-tproxy bind-dig <<ENTER>>

tomleehk 發表於 2019-12-21 07:41

[i=s] 本帖最後由 tomleehk 於 2019-12-27 12:20 編輯 [/i]

v2ray.json[code]

{
  "inbounds": [
{
   "port": 1080,
   "listen": "0.0.0.0",
   "protocol": "socks",
   "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
   },
   "settings": {
      "auth": "noauth",
      "udp": true
   }
},
{
   "port": 8080,
   "listen": "0.0.0.0",
   "protocol": "http",
   "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
   },
   "settings": {
      "timeout": 300
   }
},
{
   "port": 12345,
   "protocol": "dokodemo-door",
   "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
   },
   "settings": {
      "network": "tcp,udp",
      "timeout": 0,
      "followRedirect": true
   }
}
  ],
  "outbounds": [
{
   "protocol": "vmess",
   "settings": {
      "vnext": [
      {
         "address": "server ip",
         "port": 443,
         "users": [
            {
            "id": "779e81cb-79b6-3377-b2b5-ce402c21b8f5",
            "security": "aes-128-gcm",
            "alterId": 64
            }
         ]
      }
      ]
   },
   "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {"allowInsecure": true,"serverName": "server url"},
      "wsSettings": {
      "path": "/vpath"
      }
   }
}
  ]
}

[/code]v2ray 啟動 script[code]#!/bin/sh /etc/rc.common
# "new" style init script
# Look at /lib/functions/service.sh on a running system for explanations of what other SERVICE_
# options you can use, and when you might want them.

START=80
STOP=20
APP=v2ray
SERVICE_WRITE_PID=1
SERVICE_DAEMONIZE=1
PREFIX=/usr/bin

start() {
service_start $PREFIX/v2ray -config $PREFIX/v2ray.json
$PREFIX/client_proxy.sh start
}

stop() {
$PREFIX/client_proxy.sh stop
service_stop $PREFIX/v2ray
}[/code]成功啟動後可以用
ps | grep "v2ray"
curl -Is -x 127.0.0.1:8080 [url]https://www.google.com[/url]
curl  -x  socks5://127.0.0.1:1080  [url]www.google.com[/url]
睇吓有無正確嘅response

留意port 1080及port 8080呢2段嘅config只喺方便用curl測試connection,
本身運作上並非必要

tomleehk 發表於 2019-12-21 07:43

[i=s] 本帖最後由 tomleehk 於 2019-12-21 08:37 編輯 [/i]

Iptable scripts[code]#!/bin/bash
# -*- coding: utf-8 -*-

start() {

# Chain TCP
  iptables -t nat -N V2RAY
# Reserved IP TCP
  iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN
  iptables -t nat -A V2RAY -d 10.0.0.0/8 -j RETURN
  iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN
  iptables -t nat -A V2RAY -d 169.254.0.0/16 -j RETURN
  iptables -t nat -A V2RAY -d 172.16.0.0/12 -j RETURN
  iptables -t nat -A V2RAY -d 192.168.0.0/16 -j RETURN
  iptables -t nat -A V2RAY -d 224.0.0.0/4 -j RETURN
  iptables -t nat -A V2RAY -d 240.0.0.0/4 -j RETURN
# VPS IP
  iptables -t nat -A V2RAY -d <v2ray server ip> -j RETURN
# Apply Forwarding Rules TCP
  iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 12345
  iptables -t nat -A PREROUTING -p tcp -j V2RAY
  iptables -t nat -A OUTPUT -p tcp -j V2RAY

# UDP Redirect
  iptables -t mangle -N V2RAY
  iptables -t mangle -A V2RAY -p udp -j RETURN -m mark --mark 0xff
  iptables -t mangle -A V2RAY -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01
  iptables -t mangle -N V2RAY_MARK
  iptables -t mangle -A V2RAY_MARK -p udp -j RETURN -m mark --mark 0xff
  iptables -t mangle -A V2RAY_MARK -p udp --dport 53 -j MARK --set-mark 1

# add route for udp traffic
  ip route add local default dev lo table 100
  ip rule add fwmark 1 lookup 100

# Apply the rules
# apply udp tproxy for traffic forworded by this proxy
  iptables -t mangle -A PREROUTING -j V2RAY
# apply udp tproxy for proxy itself
  iptables -t mangle -A OUTPUT -j V2RAY_MARK
}

stop() {
iptables -t nat -D PREROUTING  -p tcp -j V2RAY
iptables -t nat -D OUTPUT -p tcp -j V2RAY
iptables -t nat -F V2RAY
iptables -t nat -X V2RAY
iptables -t mangle -D PREROUTING -j V2RAY
iptables -t mangle -F V2RAY
iptables -t mangle -X V2RAY
iptables -t mangle -D OUTPUT -j V2RAY
iptables -t mangle -F V2RAY_MARK
iptables -t mangle -X V2RAY_MARK
ip rule del fwmark 1 lookup 100
ip route del local default dev lo table 100
}

case $1 in
start)
start
;;
stop)
stop
;;
*)
echo "$0 start|stop"
;;
esac[/code]規則中 v2ray listening port (12345）要按實際情況修改。

tomleehk 發表於 2019-12-21 12:56

[i=s] 本帖最後由 tomleehk 於 2019-12-21 13:02 編輯 [/i]

dns , routing tab 可按實際情況config
暫時一切tcp轉發,dns轉發功能都work

yiucsw 發表於 2019-12-21 21:04

看起来，透明代理複雜多。Performance 如何？

tomleehk 發表於 2019-12-22 11:45

[i=s] 本帖最後由 tomleehk 於 2019-12-22 11:50 編輯 [/i]

穩定性足夠..ofca 跑速約15mb..
用iptables 效能已經喺最好..
初步試只可直連v2ray server, 經 cdn 好似cloudflare喺唔通, 留番俾其人有需要嘅人研究吓

yiucsw 發表於 2020-1-15 08:35

[i=s] 本帖最後由 yiucsw 於 2020-1-15 08:48 編輯 [/i]

昨天重装Newif3 v2ray client. 看到Luci-app-v2ray 有更新，試了一下，只要加你的vmess outbound parameter. V2ray 便能用。再跟你的TPROXY v2ray.config，click troxy tab。好像便不用set sock5, whatismyipaddress 顯示Server IP 地址。不知道是不是TRPROXY。
感謝你的幫忙。

*luci-app-v2ray 是在中國Client用的。不用set iptables, 不用set startup script.

yiucsw 發表於 2020-1-15 09:00

[i=s] 本帖最後由 yiucsw 於 2020-1-15 09:04 編輯 [/i]

luci-app-v2ray generated script.
[size=1][code]
{
"log": {
"access": "\/var\/log\/v2ray-access.log",
"loglevel": "warning",
"error": "\/var\/log\/v2ray-error.log"
},
"routing": {
"domainStrategy": "IPOnDemand",
"rules": [
{
"type": "field",
"ip": [
"geoip:private",
"geoip:cn"
],
"outboundTag": "direct"
},
{
"type": "field",
"domain": [
"geosite:cn"
],
"outboundTag": "direct"
},
{
"type": "field",
"protocol": [
"bittorrent"
],
"outboundTag": "direct"
},
{
"type": "field",
"port": "53",
"network": "udp",
"inboundTag": [
"transparent"
],
"outboundTag": "dns_out"
},
{
"type": "field",
"ip": [
"1.1.1.1",
"8.8.8.8",
"208.67.222.222"
],
"outboundTag": "proxy"
}
]
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 1080,
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": false
},
"streamSettings": {
"sockopt": {

}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
},
{
"port": 1081,
"protocol": "dokodemo-door",
"settings": {
"followRedirect": true,
"network": "tcp"
},
"streamSettings": {
"sockopt": {
"tproxy": "redirect"
}
},
"tag": "transparent",
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"sendThrough": "0.0.0.0",
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "yourservr.dynu.net",
"port": 443,
"users": [
{
"id": "8b737d60-a000-4a0f-8de3-218fa0c0a3d8",
"alterId": 64,
"security": "chacha20-poly1305"
}
]
}
]
},
"streamSettings": {
"network": "ws",
"security": "tls",
"tlsSettings": {
"serverName": "yourserver.dynu.net",
"allowInsecure": true,
"allowInsecureCiphers": false,
"disableSystemRoot": false,
"certificates": [

]
},
"wsSettings": {
"path": "\/vpath"
},
"sockopt": {
"mark": 255
}
},
"tag": "proxy",
"mux": {
"enabled": true,
"concurrency": 8
}
},
{
"protocol": "freedom",
"settings": {

},
"streamSettings": {
"sockopt": {
"mark": 255
}
},
"tag": "direct"
},
{
"protocol": "dns",
"settings": {

},
"streamSettings": {
"sockopt": {
"mark": 255
}
},
"tag": "dns_out"
}
]
}

[/code][/size]

Hope it works。

321 發表於 2020-2-18 12:45

mips router跑v2ray似乎很吃力,要用上softfloat去執行,效能底下.
建議用trojan,因為不依賴CPU floating 計算功能,所以效率高很多

頁: [1]

電訊茶室's Archiver

Openwrt V2ray 透明代理 tls + ws (實踐編)