標題: Configuration of transparent V2Ray proxy server using Raspberry Pi —— Watch YouTube and CCTV5 Simultaneously [打印本頁]

---

作者: 角色    時間: 2019-2-20 13:40     標題: Configuration of transparent V2Ray proxy server using Raspberry Pi —— Watch YouTube and CCTV5 Simultaneously

本帖最後由 角色 於 2019-2-21 00:20 編輯

I have written three posts about the configuration methods of transparent (web) server used in mainland China[1,2,3]. In the previous configurations, the remote free websites could be accessed such as Facebook, YouTube, etc. However there were problems in accessing the local mainland websites. The main cause of the problems are due to the poor design of routing rules used, which will be described later. The network configuration of this post is:

[attach]4290[/attach]

The right-hand-side is HK or other free-world ISP sites. An ordinary V2Ray node (server) is installed which will be used for letting the remote V2ray node (client) installed in mainland China. The left-hand-side is the network used in mainland China. In general we got the internet access via the local mainland China ISP. An ordinary WiFi router is installed at home/in office.

The configuration of V2ray node (server) is a general one which can be easily realised by general methods.

The configuration of V2ray node (client) is more complex and will be shown later. The IP address of the V2ray node (client) is 192.168.4.22. The gateway and nameserver are the same, i.e., 192.168.4.1.

The router 2 used in mainland China has to be configured as follows:

1. Router (WAN) IP is obtained via DHCP client method (got ISP gateway and ISP DNS server IPs)
2. Router (LAN) IP is 192.168.4.1
2. Router (LAN DHCP server):
    - IP address distribution range: 192.168.4.100-192.168.4.200
    - Gateway: 192.168.4.22
    - DNS server: 192.168.4.22

PC and mobile device obtained IPs, gateway, dns server from the router 2 via DHCP method.

References:
[1] http://www.telecom-cafe.com/foru ... &extra=page%3D1
[2] http://www.telecom-cafe.com/foru ... &extra=page%3D2
[3] http://www.telecom-cafe.com/foru ... &extra=page%3D2

---

作者: 角色    時間: 2019-2-20 14:01

本帖最後由 角色 於 2019-2-21 00:23 編輯

The config.json configuration file used in client v2ray node is as follows:

1. {
   
2.   "dns": {
   
3.     "servers": [
   
4.       "8.8.8.8",
   
5.       {
   
6.         "domains": ["geosite:cn"],
   
7.         "port": 53,
   
8.         "address": "114.114.114.114"
   
9.       },
   
10.       "localhost"
    
11.     ]
    
12.   },
    
13.   "inbounds": [
    
14.     {
    
15.       "port": 1081,  
    
16.       "listen": "192.168.4.22",
    
17.       "protocol": "socks",
    
18.       "sniffing": {
    
19.         "enabled": true,
    
20.         "destOverride": ["http","tls"]
    
21.       },
    
22.       "settings": {
    
23.         "udp,tcp": true
    
24.       }
    
25.     },
    
26.     {
    
27.       "protocol": "dokodemo-door",
    
28.       "port": 12345,
    
29.       "domainOverride": ["tls","http"],
    
30.       "settings": {
    
31.         "network": "tcp,udp",
    
32.         "followRedirect": true
    
33.       }
    
34.     },
    
35.     {
    
36.       "protocol": "dokodemo-door",
    
37.       "port": 53,
    
38.       "tag": "dns-in",
    
39.       "listen": "192.168.4.22",
    
40.       "settings": {
    
41.         "address": "8.8.8.8",
    
42.         "port": 53,
    
43.         "network": "udp,tcp"
    
44.       }
    
45.     }
    
46.   ],
    
47.   "outbounds": [
    
48.     {
    
49.       "protocol": "vmess",
    
50.       "settings": {
    
51.         "vnext": [
    
52.           {
    
53.             "address": "123.123.123.123",   #hostname or IP address of the remote V2Ray server
    
54.             "port": 10086, #remote side port number of the v2ray server
    
55.             "users": [
    
56.               {"id": "UUID"} # put your UUID here
    
57.             ]
    
58.           }
    
59.         ]
    
60.       }
    
61.     },
    
62.     {
    
63.       "protocol": "freedom",
    
64.       "tag": "direct",
    
65.       "settings": {}
    
66.     },
    
67.     {
    
68.       "protocol": "dns",
    
69.       "tag": "dns-out"
    
70.     }
    
71.   ],
    
72.   "routing": {
    
73.     "domainStrategy": "IPIfNonMatch",
    
74.     "rules": [
    
75.       {
    
76.         "type": "field",
    
77.         "inboundTag": "dns-in",
    
78.         "outboundTag": "dns-out"
    
79.       },
    
80.       {
    
81.         "type": "field",
    
82.         "outboundTag": "direct",
    
83.         "domain": [ "geosite:cn" ]
    
84.       },
    
85.       {
    
86.         "type": "field",
    
87.         "ip": ["geoip:private"],
    
88.         "ip": ["geoip:cn"],
    
89.         "outboundTag": "direct"
    
90.       }
    
91.     ]
    
92.   }
    
93. }

複製代碼

---

作者: 角色    時間: 2019-2-20 14:04

本帖最後由 角色 於 2019-2-20 14:19 編輯

Apart from the config.json, we need configure the firewall of the Linux box with the client V2ray node as follows:

1. #!/bin/bash
   
2. 
   
3. # TCP
   
4. # Create new chain
   
5. iptables -t nat -N V2RAY
   
6. 
   
7. # Ignore LANs and any other addresses you'd like to bypass the proxy
   
8. # See Wikipedia and RFC5735 for full list of reserved networks.
   
9. iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN
   
10. iptables -t nat -A V2RAY -d 10.0.0.0/8 -j RETURN
    
11. iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN
    
12. iptables -t nat -A V2RAY -d 169.254.0.0/16 -j RETURN
    
13. iptables -t nat -A V2RAY -d 172.16.0.0/12 -j RETURN
    
14. iptables -t nat -A V2RAY -d 192.168.0.0/16 -j RETURN
    
15. iptables -t nat -A V2RAY -d 224.0.0.0/4 -j RETURN
    
16. iptables -t nat -A V2RAY -d 240.0.0.0/4 -j RETURN
    
17. 
    
18. # Anything else should be redirected to Dokodemo-door's local port
    
19. iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 12345
    
20. 
    
21. # Apply the rules
    
22. iptables -t nat -A PREROUTING -p tcp -j V2RAY
    
23. #iptables -t nat -A OUTPUT -p tcp -j V2RAY
    
24. 
    
25. #UDP
    
26. # Create new chain
    
27. ip route add local 0.0.0.0/0 dev lo table 100
    
28. ip rule add fwmark 1 table 100
    
29. iptables -t mangle -N V2RAY_MARK
    
30. 
    
31. # Ignore LANs and any other addresses you'd like to bypass the proxy
    
32. # See Wikipedia and RFC5735 for full list of reserved networks.
    
33. iptables -t mangle -A V2RAY_MARK -d 0.0.0.0/8 -j RETURN
    
34. iptables -t mangle -A V2RAY_MARK -d 10.0.0.0/8 -j RETURN
    
35. iptables -t mangle -A V2RAY_MARK -d 127.0.0.0/8 -j RETURN
    
36. iptables -t mangle -A V2RAY_MARK -d 169.254.0.0/16 -j RETURN
    
37. iptables -t mangle -A V2RAY_MARK -d 172.16.0.0/12 -j RETURN
    
38. iptables -t mangle -A V2RAY_MARK -d 192.168.0.0/16 -j RETURN
    
39. iptables -t mangle -A V2RAY_MARK -d 224.0.0.0/4 -j RETURN
    
40. iptables -t mangle -A V2RAY_MARK -d 240.0.0.0/4 -j RETURN
    
41. 
    
42. # Anything else should be redirected to Dokodemo-door's local port
    
43. iptables -t mangle -A V2RAY_MARK -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
    
44. 
    
45. # Add any UDP rules
    
46. iptables -t mangle -A PREROUTING -p udp -j V2RAY_MARK
    
47. #iptables -t mangle -A OUTPUT -j V2RAY_MARK

複製代碼

.

The output chain rules used line 23 and 47 are used for local access within the v2Ray machine. Since we do not plan to access the website locally, then they are commented out.

---

作者: 角色    時間: 2019-2-20 14:22

The reason of not able to access the local sites such as CCTV5 is due to the routing section.  We need to separate the "domain" and "ip".

Previous routing configuration

1.   "routing": {
   
2.     "domainStrategy": "IPOnDemand",
   
3.     "rules": [{
   
4.       "type": "field",
   
5.       "domain": ["geosite:cn"],
   
6.       "ip": ["geoip:private"],
   
7.       "ip": ["geoip:cn"],
   
8.       "outboundTag": "direct"
   
9.     }]
   
10.   }

複製代碼

Present routing configuration

1.       {
   
2.         "type": "field",
   
3.         "outboundTag": "direct",
   
4.         "domain": [ "geosite:cn" ]
   
5.       },
   
6.       {
   
7.         "type": "field",
   
8.         "ip": ["geoip:private"],
   
9.         "ip": ["geoip:cn"],
   
10.         "outboundTag": "direct"
    
11.       }

複製代碼

---

作者: 角色    時間: 2019-2-20 17:35

本帖最後由 角色 於 2019-2-21 12:13 編輯

Test results:

Able to see YouTube and CCTV5 at the same time on pc, mobile phone and iPad without any vpn/proxy client installed in devices. The performance is very satisfactory.

Please note that the DNS provided by the V2ray is very intelligent, it means for local IP, it will goes locally 114.114.114.114. Otherwise it will go to the remote site 8.8.8.8 via the vmess tunnel.

---

歡迎光臨 電訊茶室 (http://telecom-cafe.com/forum/)

Powered by Discuz! 7.2