OpenWRT and ShadowSocks


Don't you want to break through the sky

and see what it looks like outside?

Requirements

  • An OpenWRT router
  • ShadowSocks
  • luci-app-shadowsocks-spec
  • pdnsd
  • dnsmasq-full
  • ipset, iptables

What

  • OpenWRT: an embedded Linux distribution, not a traditional static system
  • ShadowSocks: the proxy tunnel
  • luci-app-shadowsocks-spec: a LuCI web configuration UI for ShadowSocks on OpenWRT
  • pdnsd: a caching DNS proxy server
  • DNSmasq: caches the domain-to-address mappings
  • ipset, iptables: tag and redirect traffic by domain

How

  • Flashing OpenWRT is outside the scope of this article
  • ShadowSocks: use aa65535's compiled build; download the one for your CPU
  • luci-app-shadowsocks-spec, pdnsd, DNSmasq, ipset and iptables are all obtained through opkg

Go!

opkg

opkg is the package manager built into OpenWRT

Manipulation

update Update list of available packages
upgrade <pkgs> Upgrade packages
install <pkgs> Install package(s)
configure <pkgs> Configure unpacked package(s)
remove <pkgs> Remove package(s)
flag <flag> <pkgs> Flag package(s)

Informational Commands

list List available packages
list-installed List installed packages
list-upgradable List installed and upgradable packages
list-changed-conffiles List user modified configuration files
files <pkg> List files belonging to <pkg>
search <file> List package providing <file>
find <regexp> List packages whose name or description matches

pdnsd

SSH into your router

opkg update    # always refresh the package list before installing

opkg install pdnsd

cd /etc

vi pdnsd.conf

Enter the following configuration

global {
    perm_cache=1024;
    cache_dir="/var/pdnsd";
    run_as="nobody";
    server_port = 1053;
    server_ip = 127.0.0.1;
    status_ctl = on;
    query_method=tcp_only;
    min_ttl=15m;
    max_ttl=1w;
    timeout=10;
}

server {
    label= "googledns";
    ip = 8.8.8.8;
    root_server = on;
    uptest = none;
}

server_port = 1053; listens on port 1053.

query_method=tcp_only; forwards queries over TCP only.

ip = 8.8.8.8; the upstream IP queries are forwarded to.

Enable it at boot

/etc/init.d/pdnsd enable
/etc/init.d/pdnsd restart

At this point, pdnsd is configured.

DNSmasq & ipset

SSH into your router

opkg update
opkg list-installed
dnsmasq -v

Dnsmasq version 2.71 Copyright (c) 2000-2014 Simon Kelley

Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC

"ipset" in that line means ipset is supported. If it is missing, remove the current dnsmasq and install the full build:

opkg remove dnsmasq
opkg install dnsmasq-full
opkg install ipset iptables-mod-nat-extra

After installation:

cd /etc
vi dnsmasq.conf

On the last line, add

conf-dir=/etc/dnsmasq.d

To keep the configuration tidy, create a dnsmasq.d directory under /etc and a new conf file inside it; here it is named fuckgfw.conf for now.

vi /etc/dnsmasq.d/fuckgfw.conf

Insert the following

server=/.live.com/127.0.0.1#1053
ipset=/.live.com/fuckgfw

server=/.live.com/127.0.0.1#1053 forwards queries for live.com to port 1053, i.e. the pdnsd configured earlier.

ipset=/.live.com/fuckgfw tags that domain with fuckgfw: the IPs it resolves to are added to that set.

The fuckgfw set is what the iptables rule matches on.

At this point, DNSmasq and ipset are configured.
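The two dnsmasq.d lines above are written by hand for one domain. The following script, an added example that is not part of the original post, generates both lines for a whole list of domains and checks the "Compile time options" output of dnsmasq -v for ipset support; PDNSD_PORT and SET_NAME mirror the values used in this post, and the DOMAINS list is constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original post: emit the dnsmasq.d lines used
# above for a whole list of domains, and check that the dnsmasq build has
# ipset support. SET_NAME/PDNSD_PORT mirror the post; DOMAINS is constructed.

PDNSD_PORT=1053      # pdnsd's server_port from pdnsd.conf
SET_NAME=fuckgfw     # the ipset the iptables REDIRECT rule matches on

# Exit 0 if the "Compile time options" line of `dnsmasq -v` (on stdin)
# lists "ipset" as a standalone option ("no-ipset" does not count).
has_ipset_support() {
    grep -qE '^Compile time options:.*[[:space:]]ipset([[:space:]]|$)'
}

# Read one domain per line from stdin and print a server= plus an ipset=
# line for each. Blank lines and # comments are skipped, a leading dot is
# tolerated, and anything that is not a plain hostname is rejected so that
# a typo never ends up in a file dnsmasq parses at startup.
gen_rules() {
    while read -r d; do
        d=${d#.}
        case "$d" in
            ''|'#'*) continue ;;
            *[!A-Za-z0-9.-]*|*..*|.*|*.)
                echo "gen_rules: skipping invalid domain '$d'" >&2
                continue ;;
        esac
        printf 'server=/.%s/127.0.0.1#%s\n' "$d" "$PDNSD_PORT"
        printf 'ipset=/.%s/%s\n' "$d" "$SET_NAME"
    done
}

# Constructed sample list (the post itself only uses live.com)
DOMAINS='live.com
.outlook.com
# comment lines are ignored
bad domain'

if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq -v | has_ipset_support \
        || echo "warning: this dnsmasq was built without ipset support" >&2
fi
printf '%s\n' "$DOMAINS" | gen_rules
```

On the router, redirect the script's output to /etc/dnsmasq.d/fuckgfw.conf and restart dnsmasq; the set named in SET_NAME must already exist for dnsmasq to populate it.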

ShadowSocks and Luci-ShadowSocks

Upload aa65535's compiled ipk files to /tmp on the router

opkg update
opkg install shadowsocks
opkg install luci-app-shadowsocks-spec

Configure the matching ShadowSocks parameters in the router's web interface.

{
"server":"服务器地址",
"server_port":8888,
"local_port":1080,
"password":"1111",
"timeout":300,
"method":"rc4-md5"
}

server is your server address, server_port the server's port, and local_port the local SOCKS5 proxy port.

Enable it at boot

/etc/init.d/shadowsocks enable

ipset & iptables

First create a set with ipset, here named fuckgfw, then redirect all traffic destined for IPs in that set to port 1080, where ShadowSocks listens.

ipset -N fuckgfw iphash
iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -j REDIRECT --to-port 1080

It is recommended to put the commands above in /etc/rc.local so they run automatically at every boot.

Restart DNSmasq

/etc/init.d/dnsmasq restart

Debug

Use the command below to list the IPs in the set; this confirms that resolution is working and that a given site was correctly added to the ipset.

ipset list fuckgfw

The command below clears all IPs from the set

ipset flush fuckgfw