
Openwrt v2ray server + tls1.3 + websocket + webserver + acme (introductory part)

This post was last edited by tomleehk on 2020-4-6 13:32

Preparation
1. A router supported by openwrt with at least 32M ROM (e.g. Newifi 3 D2)
2. Openwrt stable release (e.g. 18.06.4, https://downloads.openwrt.org/releases/ )
3. WinSCP (download at https://winscp.net/eng/download.php )
4. OpenSSH (e.g. https://github.com/PowerShell/Win32-OpenSSH/releases )
5. V2ray package (e.g. https://github.com/kuoruan/openwrt-v2ray/releases )
6. DDNS registration (e.g. www.dynu.com )
7. Valid certificate (e.g. Let's Encrypt, https://www.sslforfree.com/ )
8. Openwrt webserver package supporting websocket proxy (e.g. lighttpd)
9. Simple webpage source code (e.g. https://www.template.net/web-tem ... gin-form-templates/ )
10. V2ray client (e.g. Kitsunebi)
11. Knowledge of V2ray (e.g. https://www.v2ray.com/ )
12. Knowledge of UNIX/openwrt
13. Knowledge of webserver setup

Target

The router acts as an HTTPS webserver with a functioning webpage and a valid certificate to deal with the GFW.
The v2ray server sits behind the webserver and uses the webserver's proxy function as cover.

This post was last edited by tomleehk on 2019-7-26 16:31

Openwrt DDNS installation and configuration

In this example, www.dynu.com is used as the DDNS provider.
1) At https://www.dynu.com/en-US/ControlPanel/CreateAccount, register an account ( e.g. dynu_id/dynu_pwd as id/password)
2) At https://www.dynu.com/en-US/ControlPanel, select <DDNS Services>
3) At https://www.dynu.com/en-US/ControlPanel/DDNS, select <+Add>
4) At <Option 1: Use Our Domain Name>, register a host url for your router. e.g. testhost.ddnsfree.com and save your registration
5) Revisit https://www.dynu.com/en-US/ControlPanel/DDNS and ensure your registration was successful.

Assume your router has been flashed with openwrt.
Use a Windows browser to access 192.168.1.1. Openwrt luci will show up and prompt you to set up a password for root. Follow the prompts and keep your root password.

Log out and log in to openwrt luci as root again.
System>>System
Timezone - Asia/Hong Kong   
Click <<Save/Apply>>

At the Windows command prompt, run the ssh client,
e.g. ssh root@192.168.1.1, to access the openwrt command shell and install the ddns package

opkg update   <<ENTER>>
opkg install luci-app-ddns   <<ENTER>>

After installation is complete, type
reboot -f  <<ENTER>>
to reboot the router

After the router reboots, use the Windows browser to access openwrt luci at 192.168.1.1 and log in again.
Services >> Dynamic DNS
To add DDNS entry,
type dynu_ipv4, click <<Add>>, then
Basic Settings
DDNS Service provider [IPv4] - dynu.com
Lookup Hostname - testhost.ddnsfree.com
Domain - testhost.ddnsfree.com
Username - dynu_id
Password - dynu_pwd
Enabled - check
Click <<Save/Apply>>

Reboot the router and verify that
1) the DDNS entry for testhost.ddnsfree.com is updated with your router's WAN IP
2) the router time is updated to local time


This post was last edited by tomleehk on 2020-8-4 22:13

V2ray server installation and configuration

Download the V2ray package (e.g. v2ray-core_4.20.0-1_mipsel_24kc.ipk) for your router from https://github.com/kuoruan/openwrt-v2ray/releases to your PC.
Rename v2ray-core_4.20.0-1_mipsel_24kc.ipk to v2ray.ipk

Update on 4-Aug-2020:
You can also try the mini versions (e.g. v2ray-core-mini_4.26.0-2_mipsel_24kc.ipk) and benefit from the substantial reduction in package size. The mini version was also found to work on the Newifi 3 D2.

Run WinSCP to log in to the router with
New Site
1) File protocol - SCP
2) Host Name - 192.168.1.1
3) Port Number - 22
4) User Name/Password - root / <root password>
You can use the Save button to create a site profile for future re-use

After logging in, use WinSCP to upload v2ray.ipk to /tmp/tmp on the router. Ensure "Transfer mode" is set to binary under <Transfer Settings>.

Run the SSH client, e.g. ssh root@192.168.1.1, to access the openwrt command shell.
cd /tmp/tmp  <<ENTER>>
opkg update   <<ENTER>>
opkg install v2ray.ipk  <<ENTER>>

The v2ray package is rather large, so be patient and wait for the Linux command prompt to come back. Normally the installation takes 5 to 10 minutes.

After installation is complete, type
reboot -f  <<ENTER>>
to reboot the router

Assume the v2ray server uses the following parameters
1) port = 8443
2) protocol = vmess
3) uuid = c50bf28e-98cd-a351-b8d5-d60d56c376c7
4) network = ws
5) path = /vpath
6) host = testhost.ddnsfree.com


Your v2ray.json file should contain:
{
  "inbounds": [
    {
      "port": 8443,
      "protocol": "vmess",
      "allocate": {
        "strategy": "always"
      },
      "settings": {
        "clients": [
          {
            "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
            "alterId": 64,
            "security": "auto",
            "level": 0
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "connectionReuse": true,
          "path": "/vpath",
          "headers": {
            "Host": "testhost.ddnsfree.com"
          }
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}
Use WinSCP to access the router and create v2ray.json at /etc/config

Sample v2ray startup file
#!/bin/sh /etc/rc.common
# OpenWrt procd init script for v2ray. The first line above is what makes
# "/etc/init.d/v2ray enable|start" work; without it the script does nothing.
START=99

USE_PROCD=1
LimitNOFILE=1048576
LimitNPROC=512

start_service() {
        mkdir -p /var/log/v2ray > /dev/null 2>&1
        ulimit -n 99999
        procd_open_instance
        procd_set_param respawn
        procd_set_param command /usr/bin/v2ray -config /etc/config/v2ray.json
        # watch the config file so the service restarts when it changes
        procd_set_param file /etc/config/v2ray.json
        # raise the open-file limit of the spawned process itself
        procd_set_param limits nofile="$LimitNOFILE $LimitNOFILE"
        procd_set_param stdout 1
        procd_set_param stderr 1
        procd_set_param pidfile /var/run/v2ray.pid
        procd_close_instance
}
Use WinSCP to create the startup file v2ray (set its permissions to 755) at /etc/init.d/


At openwrt command shell, type
/etc/init.d/v2ray enable  <<ENTER>>
/etc/init.d/v2ray start     <<ENTER>>


This post was last edited by tomleehk on 2021-10-2 00:12

Lighttpd/webpage installation and configuration

At openwrt command shell, type
    opkg update <<ENTER>>
    opkg install lighttpd-mod-openssl <<ENTER>>
    opkg install lighttpd-mod-proxy <<ENTER>>
    opkg install lighttpd-mod-redirect <<ENTER>>

After installation is complete, edit the lighttpd configuration file (/etc/lighttpd/lighttpd.conf) with WinSCP

Note
1) The default installation of lighttpd uses port 80, which conflicts with luci (also on port 80), so lighttpd may not launch properly. To resolve this, the lighttpd server port MUST be changed to a port other than 80 (e.g. 8080).

2) Suppose you use the attached simple webpage (index.html, css/style.css). Use WinSCP to create the folders /www/webproj and /www/webproj/css. Copy index.html to /www/webproj and style.css to /www/webproj/css.
Alternative download site for log-in.zip: https://gofile.io/?c=8ejjcJ

3) Assume the v2ray server configuration uses path = "/vpath"

4) Assume the files ca_bundle.crt, server.crt and server.key are placed in /www/ssl/.
    In the same folder, run
    cat server.key server.crt  > lighttpd.pem   <<ENTER>>
    to generate the .pem file for lighttpd

Sample configuration file should have
server.modules = ("mod_openssl","mod_proxy","mod_redirect")

server.document-root        = "/www/webproj/"
server.upload-dirs          = ( "/tmp" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "http"
server.groupname            = "www-data"
server.max-fds              = 8192
server.max-connections      = 4096

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                                "index.lighttpd.html" )

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

### Options that are useful but not always necessary:
#server.chroot               = "/"
# plain-HTTP port moved off 80 so it does not clash with luci (Note 1 above)
server.port                 = 8080
#server.bind                 = "localhost"
#server.tag                  = "lighttpd"
#server.errorlog-use-syslog  = "enable"
#server.network-backend      = "write"

### Use IPv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl"

#dir-listing.encoding        = "utf-8"
#server.dir-listing          = "enable"

include       "/etc/lighttpd/mime.conf"
include_shell "cat /etc/lighttpd/conf.d/*.conf"

# HTTPS front: TLS 1.3 only with a single AEAD ciphersuite;
# lighttpd.pem is server.key followed by server.crt (Note 4 above)
$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/www/ssl/lighttpd.pem"
  ssl.ca-file = "/www/ssl/ca_bundle.crt"
  ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
}

# only /vpath requests carrying the expected Host header are upgraded and
# proxied to v2ray on loopback; everything else is sent back to the webpage
$HTTP["url"] =~ "^/vpath" {
  $HTTP["host"] == "testhost.ddnsfree.com" {
     proxy.header = ( "upgrade" => "enable")
     proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
  }
  else {
        url.redirect = ( "" => "/" )
       }
}
Note
1) Open port 443 in openwrt luci: Network >> Firewall >> Traffic Rules, and create a rule that opens port 443

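As an added check (not part of the original posts), the following POSIX shell script verifies the listener layout that the two posts above set up: lighttpd on 443, v2ray on 8443, and whether 8443 is reachable only through loopback. The tutorial's v2ray.json has no "listen" key, so v2ray binds 0.0.0.0:8443 and a LAN client can speak VMess to it directly, skipping the TLS front; the check flags that, and adding "listen": "127.0.0.1" to the inbound resolves it. The ports, config paths and the netstat column layout are assumptions taken from the posts and from BusyBox netstat; `v2ray -test -config` and `lighttpd -tt -f` are the daemons' own syntax-check switches.

```shell
#!/bin/sh
# Added example, not from the original posts: sanity checks for the v2ray +
# lighttpd layout above. Ports (443/8080 lighttpd, 8443 v2ray) and config
# paths follow the tutorial and are assumptions; adjust them to your setup.

V2RAY_CFG="${V2RAY_CFG:-/etc/config/v2ray.json}"
LIGHTTPD_CFG="${LIGHTTPD_CFG:-/etc/lighttpd/lighttpd.conf}"

# listen_addrs PORT < netstat-output
# Prints the local address of every TCP listener on PORT, one per line
# (e.g. "0.0.0.0", "127.0.0.1", "::"). Input is `netstat -ltn` output in
# BusyBox or net-tools layout: Proto Recv-Q Send-Q Local Foreign State.
listen_addrs() {
    awk -v p="$1" '
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" {
            n = split($4, a, ":")                 # last element is the port
            if (a[n] == p)
                print substr($4, 1, length($4) - length(p) - 1)
        }'
}

# port_listening PORT < netstat-output -> 0 if anything listens on PORT
port_listening() {
    [ -n "$(listen_addrs "$1")" ]
}

# bound_loopback_only PORT < netstat-output
# 0 only if PORT is listening and every listener is on a loopback address.
# The tutorial's v2ray.json has no "listen" key, so v2ray binds 0.0.0.0:8443
# and LAN hosts can reach the VMess inbound directly, bypassing the TLS front.
# Adding "listen": "127.0.0.1" to the inbound makes this check pass.
bound_loopback_only() {
    addrs=$(listen_addrs "$1")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1|::ffff:127.0.0.1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# run_checks: meant to be run on the router itself
run_checks() {
    rc=0
    snap="/tmp/listen.$$"
    netstat -ltn > "$snap" 2>/dev/null || { echo "netstat unavailable" >&2; return 1; }
    port_listening 443  < "$snap" || { echo "FAIL: nothing listening on 443 (lighttpd)"; rc=1; }
    port_listening 8443 < "$snap" || { echo "FAIL: nothing listening on 8443 (v2ray)"; rc=1; }
    bound_loopback_only 8443 < "$snap" ||
        echo "WARN: 8443 reachable beyond loopback; add \"listen\": \"127.0.0.1\" to the v2ray inbound"
    rm -f "$snap"
    # the daemons' own syntax checks for the two config files
    command -v v2ray >/dev/null 2>&1 && { v2ray -test -config "$V2RAY_CFG" || rc=1; }
    command -v lighttpd >/dev/null 2>&1 && { lighttpd -tt -f "$LIGHTTPD_CFG" || rc=1; }
    return $rc
}

if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Copy it to the router and run `sh check.sh run` after both services are up; with no argument it only defines the functions, so they can be sourced and reused from other scripts.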

This post was last edited by tomleehk on 2019-9-28 22:46

V2ray client installation and configuration

Using Kitsunebi as the illustration, the client configuration should have
Address - testhost.ddnsfree.com
Port - 443
UUID - c50bf28e-98cd-a351-b8d5-d60d56c376c7
Alterid - 64
Security - auto
Network - ws
Path - /vpath
Host - testhost.ddnsfree.com
TLS - check


This post was last edited by tomleehk on 2020-5-14 08:34

luci-app-acme installation and configuration

Be careful: the latest acme version 2.8.3.1 (Nov 2019) was found to have some problems getting the certificate. A workaround is needed to make it work.

At openwrt command shell, type
    opkg update   <<ENTER>>
    opkg install luci-app-acme   <<ENTER>>
    opkg install acme-dnsapi      <<ENTER>>

The latest acme version 2.8.3.1 (Nov 2019) was found to install the package wget-nossl, which makes the API script stop working. After installing luci-app-acme and acme-dnsapi, the following extra steps are needed as a workaround.
    opkg update
    opkg remove --force-depends wget-nossl
    opkg upgrade wget
Note - The sample below uses the DNS API approach.

Collect the API credentials from the DDNS provider, e.g.
At https://www.dynu.com/en-US/ControlPanel/APICredentials
copy the credentials, e.g.
Client ID
39a7a033-c129-55b0-a013-b511150ace22
Secret
7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg

At openwrt luci, Services>>ACME certs
State directory - /etc/acme
Account email - any email other than the default email, e.g. your email
Enabled - check
Use staging server - uncheck
Key length - 2048
Domain names - testhost.ddnsfree.com
DNS API - dns_dynu
DNS API credentials - Dynu_ClientId="39a7a033-c129-55b0-a013-b511150ace22"
                      Dynu_Secret="7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg"

Click <<Save/Apply>>

Note
1) Check other supported DDNS providers at https://github.com/Neilpang/acme.sh/tree/master/dnsapi and corresponding credential parameters needed at https://github.com/Neilpang/acme.sh/wiki/dnsapi
2) The default account email MUST be changed, otherwise the acme script cannot work.
3) The key/certificate files will be saved in the folder /etc/acme/testhost.ddnsfree.com/


This post was last edited by tomleehk on 2019-10-19 14:19

Enable Openwrt Hardware Flow offloading

If you are using an MT7621 router, e.g. Newifi 3 D2,
you can enable hardware flow offloading at Firewall >> General Settings to improve throughput/performance.



This post was last edited by tomleehk on 2019-10-19 14:19

Automation

1) If you are familiar with Openwrt, you can use cron jobs and scripts to automate renewal of certificates for the webserver.
https://openwrt.org/docs/guide-user/base-system/cron

2) You can also use the package watchcat
     https://openwrt.org/packages/pkgdata/watchcat
     https://openwrt.org/packages/pkgdata/luci-app-watchcat
     to reboot your router and get a new WAN IP whenever your IP is blocked by the GFW

3) You need to change the WAN port MAC address before your router can get a new WAN IP. The corresponding scripting and automation can be found via Google.

4) You can also install an email client package, e.g. msmtp or ssmtp, to send your renewed WAN IP by email to your webmail. Even when DDNS is not working, you can still learn your router's IP from the email. The corresponding scripting and automation can also be found via Google.

... and possibly some other automations.
All up to your imagination...

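Tying together the pem step in the lighttpd post (cat server.key server.crt > lighttpd.pem), the /etc/acme/testhost.ddnsfree.com/ output location from the ACME post, and the cron-based renewal in item 1 of the Automation post, here is an added example script (not from the original posts) that rebuilds lighttpd.pem from acme.sh's output and reloads lighttpd only when the bundle actually changed. Because lighttpd.pem contains the private key, it is written under a restrictive umask with mode 0600 and swapped in atomically. The file names testhost.ddnsfree.com.key, fullchain.cer and ca.cer under /etc/acme/<domain>/ are assumptions based on acme.sh's usual naming; confirm them against your own /etc/acme listing before relying on the script.

```shell
#!/bin/sh
# Added example, not from the original posts: rebuild /www/ssl/lighttpd.pem
# from the files acme.sh leaves in /etc/acme/<domain>/ and reload lighttpd
# only when the bundle changed. File names under ACME_DIR follow acme.sh's
# usual naming (<domain>.key, fullchain.cer, ca.cer) and are assumptions.

DOMAIN="${DOMAIN:-testhost.ddnsfree.com}"
ACME_DIR="${ACME_DIR:-/etc/acme/$DOMAIN}"
SSL_DIR="${SSL_DIR:-/www/ssl}"
LIGHTTPD_INIT="${LIGHTTPD_INIT:-/etc/init.d/lighttpd}"

# build_pem KEY CERT DEST
# lighttpd.pem is the private key followed by the certificate chain. Because
# the key is inside, the file is created under umask 077 (mode 0600) and
# moved into place atomically so lighttpd never sees a half-written file.
build_pem() {
    key="$1"; cert="$2"; dest="$3"
    if [ ! -s "$key" ] || [ ! -s "$cert" ]; then
        echo "build_pem: missing or empty $key / $cert" >&2
        return 1
    fi
    tmp="$dest.tmp.$$"
    ( umask 077 && cat "$key" "$cert" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# files_differ A B -> 0 (true) when A is absent or its content differs from B
files_differ() {
    [ -f "$1" ] || return 0
    [ "$(cksum < "$1")" != "$(cksum < "$2")" ]
}

# install_cert: stage the new bundle, compare, swap in and reload on change
install_cert() {
    mkdir -p "$SSL_DIR"
    new="$SSL_DIR/lighttpd.pem.new"
    build_pem "$ACME_DIR/$DOMAIN.key" "$ACME_DIR/fullchain.cer" "$new" || return 1
    if files_differ "$SSL_DIR/lighttpd.pem" "$new"; then
        mv -f "$new" "$SSL_DIR/lighttpd.pem"
        if [ -f "$ACME_DIR/ca.cer" ]; then
            # matches ssl.ca-file in the lighttpd.conf above; no key inside, so 0644
            cp "$ACME_DIR/ca.cer" "$SSL_DIR/ca_bundle.crt" && chmod 644 "$SSL_DIR/ca_bundle.crt"
        fi
        [ -x "$LIGHTTPD_INIT" ] && "$LIGHTTPD_INIT" reload
        echo "certificate for $DOMAIN installed"
    else
        rm -f "$new"
        echo "certificate unchanged, nothing to do"
    fi
}

# With no argument the script only defines its functions.
# From cron (crontab -e), some time after acme.sh's own renewal run:
#   30 3 * * * /root/install-cert.sh install
if [ "${1:-}" = "install" ]; then
    install_cert
fi
```

Run it once by hand with `install` after the first ACME issuance, then leave the cron entry to pick up renewals; because the reload only fires when the bundle changed, running it daily is harmless.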

This post was last edited by tomleehk on 2019-10-19 14:06

Further work

To share the same port (e.g. 443) among V2ray, SSH, SS, Openconnect etc. with the help of proxy servers.

Reference :
HAProxy to Nginx (Web + V2Ray WebSocket) + OpenConnect + SSH + ShadowsocksR (TLS OBFS)
https://gist.github.com/techotak ... 2eb5da244b2be8590d9

Proved to work stably with my devices. The trivial trade-off, however, is speed/response.


Rescuing a blocked IP: CDN + v2ray, a safe way to get over the wall
https://blog.sprov.xyz/2019/03/11/cdn-v2ray-safe-proxy/

Openwrt v2ray server + tls + websocket + webserver + cert + cdn (protection part)
http://www.telecom-cafe.com/foru ... tid=7761&page=1


This post was last edited by tomleehk on 2019-10-19 14:07

[OpenWrt] V2Ray custom build

https://blog.iknet.top/post/v2ray-reduce-build.html
Everyone is surely familiar with V2Ray, a powerful tool for "patriotic" internet access; the trouble is that it is written in Golang and the compiled binary is startlingly large. For embedded devices, at 18M it can hardly fit into a small ROM. Even after UPX compression it is still 6M.

At this point, we can slim it down by building a customized V2Ray.

Custom build
https://github.com/kuoruan/openwrt-v2ray


This post was last edited by gameplayer on 2019-10-2 11:06
Lighttpd/webpage installation and configuration

At openwrt command shell, type
    opkg update
    ...
tomleehk posted on 2019-7-17 13:24



    Ching, may I ask about
2)  Use WinSCP to create folders /www/webproj and /www/webproj/css. Copy index.html to /www/webproj and style.css to /www/webproj/css

In which directory should these two folders be created?


This post was last edited by tomleehk on 2019-10-2 15:25
Ching, may I ask about
2)  Use WinSCP to create folders /www/webproj and /www/webproj/css. Copy index.ht ...

In which directory should these two folders be created?

gameplayer posted on 2019-10-2 11:04


At the very top level you will see the folder /www.
Just create the folder webproj under /www,
then create the folder css under /www/webproj.


This post was last edited by gameplayer on 2019-10-2 17:39
V2ray server installation and configuration

Download V2ray package(e.g. v2ray-core_4.20.0-1_mipsel_ ...
tomleehk posted on 2019-7-17 13:13


root@OpenWrt:/etc/init.d# v2ray start
V2Ray 4.20.0 (V2Fly, a community-driven edition of V2Ray.) OpenWrt - Release 3
A unified platform for anti-censorship.
main: failed to load config:  > v2ray.com/core/main/confloader/external: config file not readable > open : no such file or directory

Ching, after typing v2ray start, "main: failed to load config" appears. Where is the misconfiguration? Is there a problem with v2ray.json?
At this step, should the v2ray server already be up and connectable? I would like to know whether everything before this step is correct before configuring the next step.


At the very top level you will see the folder /www.
Just create the folder webproj under /www,
then under /www/webproj cre ...
tomleehk posted on 2019-10-2 12:22



    Understood!


Lighttpd/webpage installation and configuration

At openwrt command shell, type
    opkg update
    ...
tomleehk posted on 2019-7-17 13:24



    May I ask where these three files ca_bundle.crt, server.crt and server.key are to be found?

