返回列表 發帖

Configuration of transparent V2Ray proxy server using Raspberry Pi —— Watch YouTube and CCTV5 Simultaneously

本帖最後由 角色 於 2019-2-21 00:20 編輯

I have written three posts about the configuration methods of transparent (web) server used in mainland China[1,2,3]. In the previous configurations, the remote free websites could be accessed such as Facebook, YouTube, etc. However there were problems in accessing the local mainland websites. The main cause of the problems are due to the poor design of routing rules used, which will be described later. The network configuration of this post is:



The right-hand-side is HK or other free-world ISP sites. An ordinary V2Ray node (server) is installed which will be used for letting the remote V2ray node (client) installed in mainland China. The left-hand-side is the network used in mainland China. In general we got the internet access via the local mainland China ISP. An ordinary WiFi router is installed at home/in office.

The configuration of V2ray node (server) is a general one which can be easily realised by general methods.

The configuration of V2ray node (client) is more complex and will be shown later. The IP address of the V2ray node (client) is 192.168.4.22. The gateway and nameserver are the same, i.e., 192.168.4.1.

The router 2 used in mainland China has to be configured as follows:

1. Router (WAN) IP is obtained via DHCP client method (got ISP gateway and ISP DNS server IPs)
2. Router (LAN) IP is 192.168.4.1
2. Router (LAN DHCP server):
    - IP address distribution range: 192.168.4.100-192.168.4.200
    - Gateway: 192.168.4.22
    - DNS server: 192.168.4.22

PC and mobile device obtained IPs, gateway, dns server from the router 2 via DHCP method.

References:
[1] http://www.telecom-cafe.com/foru ... &extra=page%3D1
[2] http://www.telecom-cafe.com/foru ... &extra=page%3D2
[3] http://www.telecom-cafe.com/foru ... &extra=page%3D2
附件: 您需要登錄才可以下載或查看附件。沒有帳號?註冊

本帖最後由 角色 於 2019-2-21 00:23 編輯

The config.json configuration file used in client v2ray node is as follows:
  1. {
  2.   "dns": {
  3.     "servers": [
  4.       "8.8.8.8",
  5.       {
  6.         "domains": ["geosite:cn"],
  7.         "port": 53,
  8.         "address": "114.114.114.114"
  9.       },
  10.       "localhost"
  11.     ]
  12.   },
  13.   "inbounds": [
  14.     {
  15.       "port": 1081,  
  16.       "listen": "192.168.4.22",
  17.       "protocol": "socks",
  18.       "sniffing": {
  19.         "enabled": true,
  20.         "destOverride": ["http","tls"]
  21.       },
  22.       "settings": {
  23.         "udp,tcp": true
  24.       }
  25.     },
  26.     {
  27.       "protocol": "dokodemo-door",
  28.       "port": 12345,
  29.       "domainOverride": ["tls","http"],
  30.       "settings": {
  31.         "network": "tcp,udp",
  32.         "followRedirect": true
  33.       }
  34.     },
  35.     {
  36.       "protocol": "dokodemo-door",
  37.       "port": 53,
  38.       "tag": "dns-in",
  39.       "listen": "192.168.4.22",
  40.       "settings": {
  41.         "address": "8.8.8.8",
  42.         "port": 53,
  43.         "network": "udp,tcp"
  44.       }
  45.     }
  46.   ],
  47.   "outbounds": [
  48.     {
  49.       "protocol": "vmess",
  50.       "settings": {
  51.         "vnext": [
  52.           {
  53.             "address": "123.123.123.123",   #hostname or IP address of the remote V2Ray server
  54.             "port": 10086, #remote side port number of the v2ray server
  55.             "users": [
  56.               {"id": "UUID"} # put your UUID here
  57.             ]
  58.           }
  59.         ]
  60.       }
  61.     },
  62.     {
  63.       "protocol": "freedom",
  64.       "tag": "direct",
  65.       "settings": {}
  66.     },
  67.     {
  68.       "protocol": "dns",
  69.       "tag": "dns-out"
  70.     }
  71.   ],
  72.   "routing": {
  73.     "domainStrategy": "IPIfNonMatch",
  74.     "rules": [
  75.       {
  76.         "type": "field",
  77.         "inboundTag": "dns-in",
  78.         "outboundTag": "dns-out"
  79.       },
  80.       {
  81.         "type": "field",
  82.         "outboundTag": "direct",
  83.         "domain": [ "geosite:cn" ]
  84.       },
  85.       {
  86.         "type": "field",
  87.         "ip": ["geoip:private"],
  88.         "ip": ["geoip:cn"],
  89.         "outboundTag": "direct"
  90.       }
  91.     ]
  92.   }
  93. }
複製代碼

TOP

本帖最後由 角色 於 2019-2-20 14:19 編輯

Apart from the config.json, we need configure the firewall of the Linux box with the client V2ray node as follows:
  1. #!/bin/bash

  2. # TCP
  3. # Create new chain
  4. iptables -t nat -N V2RAY

  5. # Ignore LANs and any other addresses you'd like to bypass the proxy
  6. # See Wikipedia and RFC5735 for full list of reserved networks.
  7. iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN
  8. iptables -t nat -A V2RAY -d 10.0.0.0/8 -j RETURN
  9. iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN
  10. iptables -t nat -A V2RAY -d 169.254.0.0/16 -j RETURN
  11. iptables -t nat -A V2RAY -d 172.16.0.0/12 -j RETURN
  12. iptables -t nat -A V2RAY -d 192.168.0.0/16 -j RETURN
  13. iptables -t nat -A V2RAY -d 224.0.0.0/4 -j RETURN
  14. iptables -t nat -A V2RAY -d 240.0.0.0/4 -j RETURN

  15. # Anything else should be redirected to Dokodemo-door's local port
  16. iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 12345

  17. # Apply the rules
  18. iptables -t nat -A PREROUTING -p tcp -j V2RAY
  19. #iptables -t nat -A OUTPUT -p tcp -j V2RAY

  20. #UDP
  21. # Create new chain
  22. ip route add local 0.0.0.0/0 dev lo table 100
  23. ip rule add fwmark 1 table 100
  24. iptables -t mangle -N V2RAY_MARK

  25. # Ignore LANs and any other addresses you'd like to bypass the proxy
  26. # See Wikipedia and RFC5735 for full list of reserved networks.
  27. iptables -t mangle -A V2RAY_MARK -d 0.0.0.0/8 -j RETURN
  28. iptables -t mangle -A V2RAY_MARK -d 10.0.0.0/8 -j RETURN
  29. iptables -t mangle -A V2RAY_MARK -d 127.0.0.0/8 -j RETURN
  30. iptables -t mangle -A V2RAY_MARK -d 169.254.0.0/16 -j RETURN
  31. iptables -t mangle -A V2RAY_MARK -d 172.16.0.0/12 -j RETURN
  32. iptables -t mangle -A V2RAY_MARK -d 192.168.0.0/16 -j RETURN
  33. iptables -t mangle -A V2RAY_MARK -d 224.0.0.0/4 -j RETURN
  34. iptables -t mangle -A V2RAY_MARK -d 240.0.0.0/4 -j RETURN

  35. # Anything else should be redirected to Dokodemo-door's local port
  36. iptables -t mangle -A V2RAY_MARK -p udp -j TPROXY --on-port 12345 --tproxy-mark 1

  37. # Add any UDP rules
  38. iptables -t mangle -A PREROUTING -p udp -j V2RAY_MARK
  39. #iptables -t mangle -A OUTPUT -j V2RAY_MARK
複製代碼
.

The output chain rules used line 23 and 47 are used for local access within the v2Ray machine. Since we do not plan to access the website locally, then they are commented out.

TOP

The reason of not able to access the local sites such as CCTV5 is due to the routing section.  We need to separate the "domain" and "ip".

Previous routing configuration
  1.   "routing": {
  2.     "domainStrategy": "IPOnDemand",
  3.     "rules": [{
  4.       "type": "field",
  5.       "domain": ["geosite:cn"],
  6.       "ip": ["geoip:private"],
  7.       "ip": ["geoip:cn"],
  8.       "outboundTag": "direct"
  9.     }]
  10.   }
複製代碼
Present routing configuration
  1.       {
  2.         "type": "field",
  3.         "outboundTag": "direct",
  4.         "domain": [ "geosite:cn" ]
  5.       },
  6.       {
  7.         "type": "field",
  8.         "ip": ["geoip:private"],
  9.         "ip": ["geoip:cn"],
  10.         "outboundTag": "direct"
  11.       }
複製代碼

TOP

本帖最後由 角色 於 2019-2-21 12:13 編輯

Test results:

Able to see YouTube and CCTV5 at the same time on pc, mobile phone and iPad without any vpn/proxy client installed in devices. The performance is very satisfactory.

Please note that the DNS provided by the V2ray is very intelligent, it means for local IP, it will goes locally 114.114.114.114. Otherwise it will go to the remote site 8.8.8.8 via the vmess tunnel.

TOP

返回列表