
Openwrt v2ray server + tls1.3 + websocket + webserver + acme (beginner's guide)

This post was last edited by tomleehk on 2020-4-6 13:32

Preparation
1. A router supported by openwrt with at least 32M ROM ( e.g. Newifi 3 D2 )
2. Openwrt stable release ( e.g. 18.06.4, https://downloads.openwrt.org/releases/ )
3. WinSCP ( download at https://winscp.net/eng/download.php )
4. OpenSSH ( e.g. https://github.com/PowerShell/Win32-OpenSSH/releases )
5. V2ray package ( e.g. https://github.com/kuoruan/openwrt-v2ray/releases )
6. DDNS registration ( e.g. www.dynu.com )
7. Valid certificate ( e.g. Let's encrypt, https://www.sslforfree.com/ )
8. Openwrt webserver package supporting websocket proxy ( e.g. lighttpd )
9. Simple webpage source code ( e.g. https://www.template.net/web-tem ... gin-form-templates/ )
10. V2ray client ( e.g. Kitsunebi )
11. Knowledge of V2ray ( e.g. https://www.v2ray.com/ )
12. Knowledge of UNIX/openwrt
13. Knowledge of webserver setup

Target

The router acts as an https webserver with a functioning webpage and a valid certificate to deal with the GFW.
The v2ray server stays behind the webserver and uses the webserver's proxy function as cover.

This post was last edited by tomleehk on 2019-7-26 16:31

Openwrt DDNS installation and configuration

In this example, www.dynu.com is used as the DDNS provider.
1) At https://www.dynu.com/en-US/ControlPanel/CreateAccount, register an account ( e.g. dynu_id/dynu_pwd as id/password )
2) At https://www.dynu.com/en-US/ControlPanel, select <DDNS Services>
3) At https://www.dynu.com/en-US/ControlPanel/DDNS, select <+Add>
4) At <Option 1: Use Our Domain Name>, register a host url for your router, e.g. testhost.ddnsfree.com, and save your registration
5) Revisit https://www.dynu.com/en-US/ControlPanel/DDNS and ensure your registration is successful.

Assume your router has already been flashed with openwrt.
Use a Windows browser to access 192.168.1.1. Openwrt luci will then show up and prompt you to set up a password for root. Follow the prompts and keep your root password.

Log out and log in to openwrt luci with root again.
System >> System
Timezone - Asia/Hong Kong
Click <<Save/Apply>>

At the Windows command prompt, run the ssh client,
e.g. ssh root@192.168.1.1, to access the openwrt command shell and install the ddns package

opkg update   <<ENTER>>
opkg install luci-app-ddns   <<ENTER>>

After installation is complete, type
reboot -f  <<ENTER>>
to reboot router

After the router reboots, use a Windows browser to access 192.168.1.1 (openwrt luci) and log in again.
Services >> Dynamic DNS
To add a DDNS entry,
type dynu_ipv4, click <<Add>>, then
Basic Settings
DDNS Service provider [IPv4] - dynu.com
Lookup Hostname - testhost.ddnsfree.com
Domain - testhost.ddnsfree.com
Username - dynu_id
Password - dynu_pwd
Enabled - check
Click <<Save/Apply>>

Reboot router and verify
1) DDNS of testhost.ddnsfree.com can be updated with your router's WAN ip properly
2) Router time can be updated with local time


This post was last edited by tomleehk on 2020-8-4 22:13

V2ray server installation and configuration

Download V2ray package(e.g. v2ray-core_4.20.0-1_mipsel_24kc.ipk) for your router at https://github.com/kuoruan/openwrt-v2ray/releases to PC.
Rename v2ray-core_4.20.0-1_mipsel_24kc.ipk to v2ray.ipk

Update on 4-Aug-2020:
You can also try the mini versions ( e.g. v2ray-core-mini_4.26.0-2_mipsel_24kc.ipk ) and enjoy a substantial reduction in package size. This mini version was also found to work on the Newifi 3 D2.

Run WinSCP and log in to the router with a New Site:
1) File protocol - SCP
2) Host Name - 192.168.1.1
3) Port Number - 22
4) User Name/Password - root / <root password>
You can use the Save button to create a site profile for future re-use.

After login, use WinSCP to upload v2ray.ipk to /tmp/tmp on the router. Ensure "Transfer mode" is binary at <Transfer Settings>.

Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell.
cd /tmp/tmp  <<ENTER>>
opkg update   <<ENTER>>
opkg install v2ray.ipk  <<ENTER>>

The v2ray package is rather large, so be patient and wait for the linux command prompt to return. Normally it takes 5 to 10 minutes to complete the installation.

After installation is complete, type
reboot -f  <<ENTER>>
to reboot router

Assume v2ray server uses the following parameters
1) port = 8443
2) protocol = vmess
3) uuid = c50bf28e-98cd-a351-b8d5-d60d56c376c7
4) network = ws
5) path = /vpath
6) host = testhost.ddnsfree.com

Your v2ray.json file should have:

    {
      "inbounds": [
        {
          "port": 8443,
          "protocol": "vmess",
          "allocate": {
            "strategy": "always"
          },
          "settings": {
            "clients": [
              {
                "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
                "alterId": 64,
                "security": "auto",
                "level": 0
              }
            ]
          },
          "streamSettings": {
            "network": "ws",
            "wsSettings": {
              "connectionReuse": true,
              "path": "/vpath",
              "headers": {
                "Host": "testhost.ddnsfree.com"
              }
            }
          }
        }
      ],
      "outbounds": [
        {
          "protocol": "freedom",
          "settings": {}
        }
      ]
    }

Use WINSCP to access the router and create the v2ray.json at /etc/config

Sample v2ray startup file (an OpenWrt procd init script; the first line must be the rc.common shebang, otherwise "enable" and "start" will not work):

    #!/bin/sh /etc/rc.common
    START=99

    USE_PROCD=1
    LimitNOFILE=1048576
    LimitNPROC=512

    start_service() {
            # log directory for v2ray; ignore the error if it already exists
            mkdir /var/log/v2ray > /dev/null 2>&1
            ulimit -n 99999
            procd_open_instance
            procd_set_param respawn
            procd_set_param command /usr/bin/v2ray -config /etc/config/v2ray.json
            # restart the service when the config file changes
            procd_set_param file /etc/config/v2ray.json
            procd_set_param stdout 1
            procd_set_param stderr 1
            procd_set_param pidfile /var/run/v2ray.pid
            procd_close_instance
    }

Use WinSCP to create the startup file v2ray at /etc/init.d/ and set its attribute (permission) to 755.


At openwrt command shell, type
/etc/init.d/v2ray enable  <<ENTER>>
/etc/init.d/v2ray start     <<ENTER>>


This post was last edited by tomleehk on 2021-10-2 00:12

Lighttpd/webpage installation and configuration

At openwrt command shell, type
    opkg update <<ENTER>>
    opkg install lighttpd-mod-openssl <<ENTER>>
    opkg install lighttpd-mod-proxy <<ENTER>>
    opkg install lighttpd-mod-redirect <<ENTER>>

After installation is complete, edit the lighttpd configuration file (/etc/lighttpd/lighttpd.conf) with WinSCP.

Note
1) The default lighttpd installation listens on port 80, which conflicts with luci (also using port 80), so lighttpd may not launch properly. To resolve this, the lighttpd server port MUST be changed to a port other than 80 (e.g. 8080).

2) Suppose you use the attached simple webpage (index.html, css/style.css). Use WinSCP to create the folders /www/webproj and /www/webproj/css. Copy index.html to /www/webproj and style.css to /www/webproj/css.
Alternative download site for log-in.zip: https://gofile.io/?c=8ejjcJ

3) Assume the v2ray server configuration uses path = "/vpath".

4) Assume the files ca_bundle.crt, server.crt and server.key are placed at /www/ssl/.
    In the same folder, run
    cat server.key server.crt  > lighttpd.pem   <<ENTER>>
    to generate the .pem file for lighttpd.

Sample configuration file should have:

    server.modules = ("mod_openssl","mod_proxy","mod_redirect")

    server.document-root        = "/www/webproj/"
    server.upload-dirs          = ( "/tmp" )
    server.errorlog             = "/var/log/lighttpd/error.log"
    server.pid-file             = "/var/run/lighttpd.pid"
    server.username             = "http"
    server.groupname            = "www-data"
    server.max-fds              = 8192
    server.max-connections      = 4096

    index-file.names            = ( "index.php", "index.html",
                                    "index.htm", "default.htm",
                                    "index.lighttpd.html" )

    static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

    ### Options that are useful but not always necessary:
    #server.chroot               = "/"
    server.port                 = 8080
    #server.bind                 = "localhost"
    #server.tag                  = "lighttpd"
    #server.errorlog-use-syslog  = "enable"
    #server.network-backend      = "write"

    ### Use IPv6 if available
    #include_shell "/usr/share/lighttpd/use-ipv6.pl"

    #dir-listing.encoding        = "utf-8"
    #server.dir-listing          = "enable"

    include       "/etc/lighttpd/mime.conf"
    include_shell "cat /etc/lighttpd/conf.d/*.conf"

    $SERVER["socket"] == ":443" {
      ssl.engine = "enable"
      ssl.pemfile = "/www/ssl/lighttpd.pem"
      ssl.ca-file = "/www/ssl/ca_bundle.crt"
      ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")
      ssl.use-sslv2 = "disable"
      ssl.use-sslv3 = "disable"
    }

    $HTTP["url"] =~ "^/vpath" {
      $HTTP["host"] == "testhost.ddnsfree.com" {
        proxy.header = ( "upgrade" => "enable")
        proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
      }
      else {
        url.redirect = ( "" => "/" )
      }
    }

Note
1) Open port 443 at openwrt luci, Network >> Firewall >> Traffic Rules and create the rule to open port 443
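The websocket path, Host header and backend port in lighttpd.conf must agree with the v2ray.json inbound above, and a practitioner would also want the vmess port bound to loopback so it is only reachable through lighttpd. The script below is an added cross-check (not part of the original post) that runs on a PC against copies of both files; the embedded sample inputs are constructed from the post's values, and the "listen" key it recommends is a standard v2ray inbound option not used in the post.

```python
import json
import re

# Constructed sample inputs that mirror the post's values (not taken from a real router).
V2RAY_JSON = """{"inbounds": [{"port": 8443, "protocol": "vmess",
  "streamSettings": {"network": "ws",
    "wsSettings": {"path": "/vpath", "headers": {"Host": "testhost.ddnsfree.com"}}}}]}"""

LIGHTTPD_CONF = r'''
$HTTP["url"] =~ "^/vpath" {
  $HTTP["host"] == "testhost.ddnsfree.com" {
     proxy.header = ( "upgrade" => "enable")
     proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
  }
}
'''

# Captures the url rule, required Host header, backend host and backend port of the proxy block.
PROXY_RE = re.compile(
    r'\$HTTP\["url"\]\s*=~\s*"([^"]+)"\s*\{.*?\$HTTP\["host"\]\s*==\s*"([^"]+)"'
    r'.*?"host"\s*=>\s*"([^"]+)"\s*,\s*"port"\s*=>\s*(\d+)', re.S)

def v2ray_ws_inbound(cfg_text):
    """Return (listen, port, path, host) of the first websocket inbound in v2ray.json."""
    for ib in json.loads(cfg_text).get("inbounds", []):
        ss = ib.get("streamSettings", {})
        if ss.get("network") == "ws":
            ws = ss.get("wsSettings", {})
            return (ib.get("listen", "0.0.0.0"), ib["port"], ws.get("path", "/"),  # v2ray default: all interfaces
                    ws.get("headers", {}).get("Host"))
    raise ValueError("no websocket inbound found")

def lighttpd_ws_proxy(conf_text):
    """Return (url_regex, vhost, backend_host, backend_port) from lighttpd.conf."""
    m = PROXY_RE.search(conf_text)
    if not m: raise ValueError("no websocket proxy block found")
    return m.group(1), m.group(2), m.group(3), int(m.group(4))

def check_consistency(v2ray_text, lighttpd_text):
    """Return a list of findings; an empty list means lighttpd and v2ray agree."""
    listen, port, path, host = v2ray_ws_inbound(v2ray_text)
    url_re, vhost, backend, b_port = lighttpd_ws_proxy(lighttpd_text)
    findings = []
    if b_port != port:
        findings.append(f"lighttpd proxies to port {b_port} but v2ray listens on port {port}")
    if not re.match(url_re, path):
        findings.append(f"lighttpd url rule {url_re!r} does not match v2ray path {path!r}")
    if host and host != vhost:
        findings.append(f"v2ray Host {host!r} differs from lighttpd host rule {vhost!r}")
    if listen not in ("127.0.0.1", "::1"):  # otherwise port 8443 is reachable without lighttpd
        findings.append('v2ray inbound is not bound to loopback; add "listen": "127.0.0.1"')
    return findings
```

Run check_consistency() on the text of your own v2ray.json and lighttpd.conf; with the post's configs as given, the only finding is the missing loopback binding.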


This post was last edited by tomleehk on 2019-9-28 22:46

V2ray client installation and configuration

Using Kitsunebi as an illustration, the client configuration should have:
Address - testhost.ddnsfree.com
Port - 443
UUID - c50bf28e-98cd-a351-b8d5-d60d56c376c7
Alterid - 64
Security - auto
Network - ws
Path - /vpath
Host - testhost.ddnsfree.com
TLS - check


This post was last edited by tomleehk on 2020-5-14 08:34

luci-app-acme installation and configuration

Be careful: the latest acme version 2.8.3.1 (Nov 2019) was found to have problems obtaining the certificate. A workaround is needed to make it work.

At openwrt command shell, type
    opkg update   <<ENTER>>
    opkg install luci-app-acme   <<ENTER>>
    opkg install acme-dnsapi      <<ENTER>>

The latest acme version 2.8.3.1 (Nov 2019) was found to install the package wget-nossl, which makes the DNS API script stop working. After installing luci-app-acme and acme-dnsapi, the following extra steps are needed as a workaround:

    opkg update
    opkg remove --force-depends wget-nossl
    opkg upgrade wget

Note - The sample below uses the DNS API approach.

Collect the API credentials from your DDNS provider, e.g.
at https://www.dynu.com/en-US/ControlPanel/APICredentials
copy the credentials, e.g.
Client ID
39a7a033-c129-55b0-a013-b511150ace22
Secret
7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg

At openwrt luci, Services>>ACME certs
State directory - /etc/acme
Account email - any email other than the default email, e.g. your email
Enabled - check
Use staging server - uncheck
Key length - 2048
Domain names - testhost.ddnsfree.com
DNS API - dns_dynu
DNS API credentials - Dynu_ClientId="39a7a033-c129-55b0-a013-b511150ace22"
                      Dynu_Secret="7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg"

Click <<Save/Apply>>

Note
1) Check other supported DDNS providers at https://github.com/Neilpang/acme.sh/tree/master/dnsapi and the corresponding credential parameters needed at https://github.com/Neilpang/acme.sh/wiki/dnsapi
2) The default account email MUST be changed, otherwise the acme script cannot work.
3) The key/certificate files will be saved in the folder /etc/acme/testhost.ddnsfree.com/


This post was last edited by tomleehk on 2019-10-19 14:19

Enable Openwrt Hardware Flow offloading

If you are using an MT7621 router, e.g. Newifi 3 D2,
you can enable hardware flow offloading at Firewall >> General Settings to improve throughput/performance.



This post was last edited by tomleehk on 2019-10-19 14:19

Automation

1) If you are familiar with Openwrt, you can use cron jobs and scripts to automate renewal of the certificates for the webserver.
https://openwrt.org/docs/guide-user/base-system/cron

2) You can also use the package watchcat
     https://openwrt.org/packages/pkgdata/watchcat
     https://openwrt.org/packages/pkgdata/luci-app-watchcat
     to reboot your router and obtain a new WAN IP whenever your IP is blocked by the GFW.

3) You need to change the WAN port MAC address before your router can get a new WAN IP. The corresponding scripting and automation can be found via Google.

4) You can also install an email client package, e.g. msmtp or ssmtp, to send your renewed WAN IP by email to your webmail. Even when DDNS is not working, you can still learn your router's IP from the email. The corresponding scripting and automation can also be found via Google.

... and possibly some other automations.
All up to your imagination...


This post was last edited by tomleehk on 2019-10-19 14:06

Further work

To share the same port (e.g. 443) among V2ray, SSH, SS, Openconnect etc. with the help of proxy servers.

Reference :
HAProxy to Nginx (Web + V2Ray WebSocket) + OpenConnect + SSH + ShadowsocksR (TLS OBFS)
https://gist.github.com/techotak ... 2eb5da244b2be8590d9

Proved to work stably with my devices. The trade-off, albeit a trivial one, is speed/response.


Rescuing a blocked IP: CDN + v2ray, a safe way of getting over the wall
https://blog.sprov.xyz/2019/03/11/cdn-v2ray-safe-proxy/

Openwrt v2ray server + tls + websocket + webserver + cert + cdn (protection guide)
http://www.telecom-cafe.com/foru ... tid=7761&page=1


This post was last edited by tomleehk on 2019-10-19 14:07

[OpenWrt] V2Ray custom build

https://blog.iknet.top/post/v2ray-reduce-build.html
Everyone is surely familiar with V2Ray, that powerful tool for "patriotic" internet access; the trouble is that it is written in Golang and the compiled binary is startlingly large. For an embedded device, its 18M can hardly fit into a small ROM. Even after UPX compression it is still 6M in size.

In that case, we can build our own custom V2Ray to slim it down qwq

Custom build
https://github.com/kuoruan/openwrt-v2ray


This post was last edited by tomleehk on 2019-10-2 15:25
Ching, may I ask about
2)  Use WinSCP to create folders /www/webproj and /www/webproj/css. Copy index.ht ...

In which directory should these two folders be created?

gameplayer posted on 2019-10-2 11:04


At the very top level you will see the folder /www.
Just create the folder webproj under /www,
then create the folder css under /www/webproj.


This post was last edited by tomleehk on 2019-10-2 22:20
root@OpenWrt:/etc/init.d# v2ray start
V2Ray 4.20.0 (V2Fly, a community-driven edition of V2Ray.) O ...
gameplayer posted on 2019-10-2 17:17


The v2ray server has definitely not been started yet.

At openwrt command shell, type
/etc/init.d/v2ray enable  <<ENTER>>
/etc/init.d/v2ray start     <<ENTER>>

Type the whole line, starting from /etc.


This post was last edited by tomleehk on 2019-10-2 23:02
May I ask where to find these three files: ca_bundle.crt, server.crt and server.key?
gameplayer posted on 2019-10-2 17:19


Post #1

Preparation
....
7. Valid certificate ( e.g. Let's encrypt, https://www.sslforfree.com/ )
....

These cert/key files are ones you apply for and prepare in advance for your webserver's domain.

Apply through Let's Encrypt, https://www.sslforfree.com/: free, valid for 3 months, and renewable for free.
But you need webserver and networking knowledge first.

You can also apply through other paid channels for cert/key files with a longer validity period.

Reference
https://www.freecodecamp.org/news/free-https-c051ca570324/

I suggest you first learn more about unix/openwrt and webservers (e.g. certificates, ssl/tls, proxying, etc.),
otherwise the later steps may be rather hard going.

You can also get the v2ray part working first,
then use another openwrt router to study the webserver+cert techniques.
If the cert/key is wrong and the webserver cannot start, you will not be able to reach the v2ray server behind it.
Once you have mastered the webserver techniques and successfully brought up a site with a cert, merge v2ray onto the same router.


This post was last edited by tomleehk on 2019-10-3 08:06
root@OpenWrt:~# /etc/init.d/v2ray enable
-ash: /etc/init.d/v2ray: not found
root@OpenWrt:~# /et ...
gameplayer posted on 2019-10-3 00:13


The startup file /etc/init.d/v2ray does not exist,
or its attribute/permission has not been set to 755.

Look back at post #3: you have to create it manually with WinSCP and set the attribute/permission to 755.


This post was last edited by tomleehk on 2019-12-13 10:36

Another main reason is the need to use openconnect;
openconnect only has installation packages for openwrt and linux.
