ac68u ss + chinadns + redsocks 全局ss代理
- 开启了SSH后。用SSH登录路由器。
nvram set jffs2_on=1
nvram set jffs2_enable=1
nvram set jffs2_format=1
nvram set jffs2_scripts=1
nvram commit
- 重启
reboot
- 验证JFFS2是否开启成功
nvram show | grep "jffs"
下面是开启的结果:
jffs2_on=1
jffs2_exec=
jffs2_enable=1
jffs2_size=65798144
jffs2_format=0
jffs2_scripts=1
log_path=/jffs
size: 55375 bytes (10161 left)
启用了 JFFS 后,才可安装entware。 安装方法如下:
- 插入U盘,U盘格式化为 EXT2 、 EXT3 或 EXT4 都可以。格式化的方法,可以用电脑格式化。或在SSH下面。
mount #查看分区格式是否ext2或ext3 格式,如果不是,需要将将sda1格式化为ext2或ext3.
umount /mnt/sda1 #先卸载才能格式化 umount /tmp/mnt/awrt
mkfs.ext3 /dev/sda1 #格式化成ext3.
mount /dev/sda1 /mnt/sda1 #重新挂载好
- 在线安装,梅林系统内置命令
entware-setup.sh
- 离线安装
rm /tmp/opt
ln -s /mnt/sda1/entware /tmp/opt
TODO 下载lib直接复制到文件夹
opkg install shadowsocks redsocks chinadns
所有访问墙外的流量最后都会转到shadowsocks,ac68u路由器
通过iptables将所有流量转到redsocks,redsocks再转发到shadowsocks完成翻墙,gfw会对禁止访问的域名进行dns污染可能找不到真实ip,使用chinadns是防止dns污染。访问链路如下:
tcp ==> redsocks ==> ss-local ==> 墙外
dns query ==> dnsmasq:53 ==> chinadns:1053 ==> ss-tunnel:5353 ==> 8.8.8.8
- shadowsocks
修改配置 /opt/etc/shadowsocks.json
{
"server":"47.x.x.x",
"server_port":5334,
"local_address": "127.0.0.1",
"local_port":1080,
"password":"xxxx",
"timeout":300,
"method":"aes-256-cfb",
"workers": 1
}
opkg安装ss后会自动加入开机启动中/opt/etc/init.d/S22shadowsocks无需改动,新建/opt/etc/init.d/S22sstunnel开机自启动ss-tunnel,ss-tunnel用于转发dns查询,开启代理后所有国外站dns全部都走5353端口:
#!/bin/sh
ENABLED=yes
PROCS=ss-tunnel
ARGS="-s ss_server_ip -p 8334 -b 127.0.0.1 -l 5353 -k password -m aes-256-cfb -L 8.8.8.8:53 -u"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -z "$(which $PROCS)" ] && exit 0
. /opt/etc/init.d/rc.func
- chinadns
修改/opt/etc/init.d/S56chinadns,指定dns查询的上级dns,国内会查询114.114.114.114,国外会查询127.0.0.1:5353==8.8.8.8:53,防止dns污染:
#!/bin/sh
ENABLED=yes
PROCS=chinadns
ARGS="-s 114.114.114.114,127.0.0.1:5353 -l /opt/etc/chinadns_iplist.txt -c /opt/etc/chinadns_chnroute.txt -p 1053"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.fun
下载更新国内IP段:
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /opt/etc/chinadns_chnroute.txt
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /opt/etc/chinadns_iplist.txt
- redsocks
修改 /opt/etc/redsocks.conf,tcp流量全部走31338
base{
log_debug = off;
log_info = on;
log = "file:/mnt/sda1/log/redsocks.log";
daemon = on;
redirector = iptables;
user = nobody;
group = nobody;
}
redsocks {
local_ip = 0.0.0.0;
local_port = 31338;
ip = 127.0.0.1;
port = 1080;
type = socks5;
}
- dnsmasq
修改 /opt/etc/dnsmasq.conf,1053端口是chaindns的dns查询端口,dnsmasq:53 ==> chaindns:1053 ==> ss-tunnle:5353 ==> 8.8.8.8:53
conf-dir=/opt/etc/dnsmasq.d
no-resolv
server=127.0.0.1#1053
- ipset
使用ipset主要是为了访问国内ip时不走代理,提升访问国内网站的速度。
cd /opt/tmp/
curl -sL http://f.ip.cn/rt/chnroutes.txt | egrep -v '^$|^#' > cidr_cn
ipset -N cidr_cn hash:net
for i in `cat cidr_cn`; do echo ipset -A cidr_cn $i >> ipset.sh; done
rm -f ipset.sh cidr_cn
ipset save > /opt/etc/ipset.conf
开机启动/opt/etc/init.d/S20ipset,第一次设置完ipset保存规则ipset save > /opt/etc/iptables.conf
,设置开机自动加载:
#!/bin/sh
ipset restore -f /opt/etc/ipset.conf
- iptables
iptablest 开机自动加载iptables的ss代理规则,第一次设置完iptables规则后保存到iptables-save > /opt/etc/iptables.conf
,开机自动加载规则/opt/etc/init.d/S21iptables
#!/bin/sh
iptables-restore /opt/etc/iptables.conf
- 快捷脚本
ssup 开启ss全局
SOCKS_SERVER=x.x.x.x # SOCKS 服务器的 IP 地址
# Setup the ipset
ipset restore -f /opt/etc/ipset.conf
# 在nat表中新增一个链,名叫:SHADOWSOCKS
iptables -t nat -N SHADOWSOCKS
# Allow connection to the server
iptables -t nat -A SHADOWSOCKS -d $SOCKS_SERVER -j RETURN
# Allow connection to reserved networks
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
# Allow connection to chinese IPs
iptables -t nat -A SHADOWSOCKS -p tcp -m set --match-set cidr_cn dst -j RETURN
# 如果你想对 icmp 协议也实现智能分流,可以加上下面这一条
iptables -t nat -A SHADOWSOCKS -p icmp -m set --match-set cidr_cn dst -j RETURN
# Redirect to Shadowsocks
# 把1081改成你的shadowsocks本地端口
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-port 31338
# 如果你想对 icmp 协议也实现智能分流,可以加上下面这一条
iptables -t nat -A SHADOWSOCKS -p icmp -j REDIRECT --to-port 31338
# 将SHADOWSOCKS链中所有的规则追加到OUTPUT链中
iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
# 如果你想对 icmp 协议也实现智能分流,可以加上下面这一条
iptables -t nat -A OUTPUT -p icmp -j SHADOWSOCKS
# 内网流量流经 shadowsocks 规则链
iptables -t nat -A PREROUTING -s 192.168/16 -j SHADOWSOCKS
# 内网流量源NAT
iptables -t nat -A POSTROUTING -s 192.168/16 -j MASQUERADE
ssdown 关闭ss全局
iptables -t nat -D OUTPUT -p icmp -j SHADOWSOCKS
iptables -t nat -D OUTPUT -p tcp -j SHADOWSOCKS
iptables -t nat -F SHADOWSOCKS
iptables -t nat -X SHADOWSOCKS
ipset destroy cidr_cn
gfw相关IP段 https://github.com/felixonmars/dnsmasq-china-list
dnsmasq防污染配置文件:https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist.conf
https://w2x.me/2018/12/26/%E8%B7%AF%E7%94%B1%E5%99%A8%E9%80%8F%E6%98%8E%E4%BB%A3%E7%90%86/
https://github.com/RMerl/asuswrt-merlin/wiki/Compile-Firmware-from-source-using-Ubuntu