
Openwrt xray server + gRPC + Reality + Vision + Nginx (TLS1.3) + acme + Cloudflare

This post was last edited by tomleehk on 2023-5-20 13:42

Preparation

1. A router supported by openwrt with at least 32M ROM ( e.g. Newifi 3 D2 )
2. Openwrt stable release with minimum version 22.03 ( https://downloads.openwrt.org/releases/ ). Note that to support Reality, xray-core must be version 1.8 or above, which is only available for openwrt images of version 22.03 or above.
3. WinSCP (download at https://winscp.net/eng/download.php )
4. DDNS registration ( e.g. www.dynu.com )
5. Valid certificate ( e.g. Let's encrypt, https://www.sslforfree.com/ or openwrt acme package )
6. Openwrt webserver package supporting gRPC (e.g. Nginx )
7. Simple webpage source code
8. V2ray client ( e.g. V2rayNG, version 1.8 or above) supporting Reality
9. Knowledge of xray gRPC and Reality ( e.g. https://xtls.github.io/config/transports/grpc.html#grpcobject )
10. Knowledge of UNIX/openwrt
11. Knowledge of webserver setup

Target :
1. The router acts as an HTTPS webserver (port 443) with a webpage and a valid certificate to deal with the GFW.
2. The xray-core (gRPC) stays behind the webserver, and the webserver uses the grpc_pass function to pass through connections from the client.
3. The xray-core (Reality) runs on port 8446 to receive connections from the client directly.

Both Nginx and Reality have to use 443; if one of them didn't, would it be less likely to run into problems?
milanolarry posted on 2023-12-30 18:50


If you know how to use haproxy, you can also make everything share port 443.


Both Nginx and Reality have to use 443; if one of them didn't, would it be less likely to run into problems?


Last time I couldn't get v2ray working; this time let me try whether this one can be made to work.


This post was last edited by tomleehk on 2023-7-16 14:52
I've set up Xray running Reality; it connects and works, but when I go in with a browser it doesn't reach the camouflage site (M$), it just says In ...
milanolarry posted on 2023-5-25 18:27



Be careful when choosing the cover site for xray Reality, to avoid the microsoft.com problem:
https://blog.misaka.rest/2023/07/15/pick-reality-dest-domain/


So it is supposed to show the cover site?
milanolarry posted on 2023-5-26 22:27


It has always shown up without any problem.


So it is supposed to show the cover site?


I've set up Xray running Reality; it connects and works, but when I go in with a browser it doesn't reach the camouflage site (M$), it just says In ...
milanolarry posted on 2023-5-25 18:27


The situation you describe has never occurred for me.


I've set up Xray running Reality; it connects and works, but when I go in with a browser it doesn't reach the camouflage site (M$), it just says Invalid URL. Is that normal?


This post was last edited by tomleehk on 2023-5-20 18:39
I'd like to ask: in the Xray settings you sometimes see a Camouflage site, such as   or  , etc. I want to ask whether, when Xray receives any request without a uui ...
milanolarry posted on 2023-5-20 18:30


Yes... according to information online, it is there to mislead onlookers.


This post was last edited by milanolarry on 2023-5-20 20:21

I'd like to ask: in the Xray settings you sometimes see a Camouflage site, such as www.YYYYYYYYY.com or www.XXXXXXX.com. I want to ask whether, when Xray receives any request without the uuid and public cert, it forwards the request to these sites? I tried my own Xray without uuid / cert, but the browser blocked it, saying the site does not have a valid cert for www.YYYYYYYYY.com / www.XXXXXXX.com, and so on.


Support.........


This post was last edited by tomleehk on 2023-5-20 18:10

Use CloudFlare to pass through gRPC traffic

1. Follow the steps below to set up the basic CloudFlare proxy
http://www.telecom-cafe.com/forum/viewthread.php?tid=7761

2. At your Cloudflare setup, go to Traffic
gRPC = Turn On

3. If everything is fine, nogfw.cf will be proxied to testhost.ddnsfree.com after a few minutes.

In the browser, if you access https://nogfw.cf, you should see the simple webpage you installed on Nginx.

Verification :
Use browser to access https://nogfw.cf, verify the valid certificate issued by cloudflare for nogfw.cf.
Use browser to access https://testhost.ddnsfree.com, verify the valid certificate issued by Let's encrypt for testhost.ddnsfree.com.

4. No need to carry out any change on Nginx, xray etc. on your router.

5. V2RayNG client configuration
remarks : nogfw.cf.grpc
address : nogfw.cf
port : 443
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
Network : grpc
gRPC mode : gun
gRPC serviceName : whitelist
tls : tls
SNI : nogfw.cf
allowInsecure : true

Remark : Using CloudFlare is optional and therefore whether to make use of CloudFlare is up to your decision.


This post was last edited by tomleehk on 2023-6-24 21:12

V2rayNG client configuration

To support xray (Reality), V2RayNG must be version 1.8 or above.
At the time of writing this walk-through, the version available on the Google Play Store is 1.7.x.
You can get the 1.8.x pre-release version at
https://github.com/2dust/v2rayNG/releases
and manually install the .apk file.

The configurations are

1) gRPC
remarks : testhost.ddnsfree.com.grpc
address : testhost.ddnsfree.com
port : 443
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
Network : grpc
gRPC mode : gun
gRPC serviceName : whitelist
tls : tls
SNI : testhost.ddnsfree.com
allowInsecure : true

2) Reality
remarks : testhost.ddnsfree.com.reality
address : testhost.ddnsfree.com
port : 8446
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
flow : xtls-rprx-vision
Network : tcp
TCP : reality
SNI : www.amazon.com
Fingerprint : random
PublicKey : Xh_hBw4E5SBFjreeAQQjnUMlvLvFPeELy2Xdvur6XwU
ShortId : 6ba85179e30d4fc2


This post was last edited by tomleehk on 2023-5-21 13:11

Nginx/webpage installation and configuration

Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell.
opkg update   <<ENTER>>
opkg install nginx  <<ENTER>>

Use WINSCP to change the folder to /etc/nginx and rename the linked file uci.conf to uci.conf.bak
Use WINSCP to open the content of uci.conf.bak. Copy the content of uci.conf.bak to a NEW text file uci.conf.
Modify the NEW text file uci.conf accordingly
        root /www/webproj;

  ....
                listen 443 ssl http2;
                listen [::]:443 ssl http2;
                server_name  testhost.ddnsfree.com;
                ssl_certificate      /etc/acme/testhost.ddnsfree.com/fullchain.cer;
                ssl_certificate_key  /etc/acme/testhost.ddnsfree.com/testhost.ddnsfree.com.key;
                ssl_protocols TLSv1.3;
                ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ....

                location / {
                        root   /www/webproj;
                        index  index.html index.htm;
                }

                location /whitelist {
                        grpc_pass grpc://127.0.0.1:8447;
                }
  ....

                listen         80;
                listen    [::]:80;
                server_name  testhost.ddnsfree.com;
                return         301 https://$server_name$request_uri;
or even replace the whole file uci.conf with the below content
# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx

worker_processes auto;

# Stock OpenWrt setting: nginx worker processes run as root.
user root;

events {}

http {
        access_log off;
        log_format openwrt
                '$request_method $scheme://$host$request_uri => $status'
                ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

        include mime.types;
        default_type application/octet-stream;
        sendfile on;

        client_max_body_size 128M;
        large_client_header_buffers 2 1k;

        gzip on;
        gzip_vary on;
        gzip_proxied any;

        root /www/webproj;

        server {
                listen 443 ssl http2;
                listen [::]:443 ssl http2;
                server_name  testhost.ddnsfree.com;
                ssl_certificate      /etc/acme/testhost.ddnsfree.com/fullchain.cer;
                ssl_certificate_key  /etc/acme/testhost.ddnsfree.com/testhost.ddnsfree.com.key;
                ssl_protocols TLSv1.3;
                # ssl_ciphers only governs TLS 1.2 and older; with TLSv1.3 alone,
                # OpenSSL's built-in TLS 1.3 suites are used regardless of this list.
                ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
                ssl_session_cache shared:SSL:32k;
                ssl_session_timeout 64m;
                access_log off; # logd openwrt;

                location / {
                        root   /www/webproj;
                        index  index.html index.htm;
                }

                # Plaintext gRPC to the local xray listener; TLS terminates in nginx.
                location /whitelist {
                        grpc_pass grpc://127.0.0.1:8447;
                }
        }

        server {
                listen         80;
                listen    [::]:80;
                server_name  testhost.ddnsfree.com;
                return         301 https://$server_name$request_uri;
        }
}
Save the modified uci.conf to the folder /etc/nginx

Download site for the simple webpage log-in.zip : https://gofile.io/d/kpXBcJ
Assuming you use the simple webpage above (index.html, css/style.css): use WinSCP to create the folders /www/webproj and /www/webproj/css. Copy index.html to /www/webproj and style.css to /www/webproj/css.

IMPORTANT :
1. The openwrt luci is still using ports 80 and 443. You need to use WINSCP to modify the file /etc/config/uhttpd to release ports 80 and 443.

From
config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
To
config uhttpd 'main'
        list listen_http '0.0.0.0:8080'
        list listen_http '[::]:8080'
#        list listen_https '0.0.0.0:443'
#        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
2. Create a firewall rule to open port 443 at openwrt luci, Network >> Firewall >> Traffic Rules
    Name : Open443
    Protocol : TCP and  UDP
    Source zone : wan and wan6
    Destination zone : This Device
    Destination port : 443


Reboot the router and access openwrt luci at http://192.168.1.1:8080
Status >> Processes
and search for nginx to verify that nginx is launched automatically.

Use a browser to open https://testhost.ddnsfree.com; it should show your simple webpage with a valid certificate.

Use the below online TLS tester
https://www.cdn77.com/tls-test
to test your webserver  https://testhost.ddnsfree.com
It should give a result like
Great! The tested resource is running on the latest TLS 1.3.
TLS 1.3        enabled
TLS 1.2        disabled
TLS 1.1 (deprecated)        disabled
TLS 1.0 (deprecated)        disabled
Enabled SSL protocol versions
SSLv3 (deprecated)        disabled
SSLv2 (deprecated)        disabled
Use the below online http2 tester
https://tools.keycdn.com/http2-test
to test your webserver  https://testhost.ddnsfree.com
It should give a result like
HTTP/2 protocol is supported.
ALPN extension is supported.
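As an added example (editor's code, not from the post or the OpenWrt project): a small POSIX shell script that checks, offline, the two edits this post makes, that uhttpd no longer binds 80/443 and that nginx is TLS 1.3-only with the /whitelist gRPC route. The function names, the constructed sample files and the nginx-runs-as-root warning are assumptions of this example, not part of the post.

```shell
#!/bin/sh
# Added example, not from the post: offline checks for the two edits above
# (uhttpd releasing 80/443, nginx TLS/gRPC settings). POSIX sh, so it runs on
# OpenWrt's busybox ash. Files written below are constructed samples.

# 0 if no uncommented listen_http/listen_https line in uhttpd config $1
# still binds port $2 (default 443); 1 if one does.
uhttpd_port_free() {
    cfg=${1:-/etc/config/uhttpd}; port=${2:-443}
    grep -v '^[[:space:]]*#' "$cfg" | grep -q "list listen_http[s]* '.*:$port'" && return 1
    return 0
}

# 0 if nginx config $1 allows only TLSv1.3 and routes /whitelist to the local
# gRPC listener; 1 if either is missing; 2 if both are there but nginx runs as
# root (stock OpenWrt uci.conf does; it widens the impact of any nginx bug).
nginx_checks() {
    cfg=${1:-/etc/nginx/uci.conf}
    grep -q '^[[:space:]]*ssl_protocols[[:space:]]*TLSv1\.3;' "$cfg" || return 1
    grep -q 'grpc_pass[[:space:]]*grpc://127\.0\.0\.1:8447;' "$cfg" || return 1
    grep -q '^[[:space:]]*user[[:space:]]*root;' "$cfg" && return 2
    return 0
}

# Constructed samples: the "From"/"To" uhttpd snippets and the relevant lines
# of the nginx config from the post.
TMP=${TMPDIR:-/tmp}/openwrt-check.$$
mkdir -p "$TMP"
cat > "$TMP/uhttpd.before" <<'EOF'
config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_https '0.0.0.0:443'
EOF
cat > "$TMP/uhttpd.after" <<'EOF'
config uhttpd 'main'
        list listen_http '0.0.0.0:8080'
#        list listen_https '0.0.0.0:443'
EOF
cat > "$TMP/nginx.conf" <<'EOF'
user root;
http { server { listen 443 ssl http2;
        ssl_protocols TLSv1.3;
        location /whitelist { grpc_pass grpc://127.0.0.1:8447; } } }
EOF
for f in "$TMP/uhttpd.before" "$TMP/uhttpd.after"; do
    if uhttpd_port_free "$f" 443; then echo "$f: 443 free"; else echo "$f: 443 still bound"; fi
done
rc=0; nginx_checks "$TMP/nginx.conf" || rc=$?
echo "nginx check rc=$rc (0 ok, 1 missing setting, 2 nginx runs as root)"
```

On the router itself, run `uhttpd_port_free /etc/config/uhttpd 443` and `nginx_checks /etc/nginx/uci.conf` against the live files instead of the samples.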

