電訊茶室 - Powered by Discuz! Board

標題: V2RAY 透明代理 [打印本頁]

作者: harold 時間: 2019-11-4 16:33 標題: V2RAY 透明代理

各位大大好
小弟买了NewWifi3 D2,刷了openwrt。想建做一个V2RAY 透明代理。伺服器的运作正常，手機也可以跟伺服器連上的。但在Openwrt上，config 設定好了，用curl -x socks5h://127.0.0.1:1080 google.com 能成功！但行完個iptables script 就出唔到街！！希望有高人指點一下！！

hostip2=`dig -t A +short myservername`

iptables -t nat -N V2RAY
iptables -t nat -A V2RAY -d 192.168.1.0/24 -j RETURN
iptables -t nat -A V2RAY -p tcp -j RETURN -m mark --mark 0xff
iptables -t nat -A V2RAY -d $hostip2 -j RETURN
iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A PREROUTING -p tcp -j V2RAY
iptables -t nat -A OUTPUT -p tcp -j V2RAY

ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N V2RAY_MASK
iptables -t mangle -A V2RAY_MASK -d 192.168.1.0/24 -j RETURN
iptables -t mangle -A V2RAY_MASK -d $hostip2 -j RETURN
iptables -t mangle -A V2RAY_MASK -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -p udp -j V2RAY_MASK

作者: kingwilliam 時間: 2019-11-4 17:26

尝试删除这 command

# iptables -t nat -A OUTPUT -p tcp -j V2RAY

作者: harold 時間: 2019-11-4 17:50

本帖最後由 harold 於 2019-11-4 17:52 編輯

回復 2# kingwilliam

謝謝回覆，刪了這句，用curl -x socks5h://127.0.0.1:1080 google.com試，是成功的
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

但見到個traceroute 唔係經v2ray 出街
都係唔得！！

root@NewWifi2:/etc/config/v2ray# nslookup yahoo.com
;; connection timed out; no servers could be reached

openwet v2raylog
access log

2019/11/04 09:38:50 tcp:127.0.0.1:51382 accepted tcp:google.com:80

Error Log
2019/11/04 09:41:47 [Info] [1233314671] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [3426222809] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:58180: use of closed network connection
2019/11/04 09:41:47 [Info] [1861001045] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:38624: use of closed network connection
2019/11/04 09:41:47 [Info] [1270780447] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [94799612] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:50145: use of closed network connection
2019/11/04 09:41:47 [Info] [4049665343] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [599269511] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [94799612] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [1914257993] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:58998: use of closed network connection
2019/11/04 09:41:47 [Info] [1914257993] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [2073637797] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:50168: use of closed network connection
2019/11/04 09:41:47 [Info] [1757298620] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:58208: use of closed network connection
2019/11/04 09:41:47 [Info] [2073637797] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [433643460] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:43714: use of closed network connection
2019/11/04 09:41:47 [Info] [1936823959] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:56221: use of closed network connection
2019/11/04 09:41:47 [Info] [433643460] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [1936823959] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [859169318] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:39749: use of closed network connection
2019/11/04 09:41:47 [Info] [859169318] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [2910144706] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:47 [Info] [3391070210] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/dns: connection ends > read udp [::]:52234: use of closed network connection
2019/11/04 09:41:47 [Info] [3391070210] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > v2ray.com/core/proxy/dokodemo: failed to transport response > io: read/write on closed pipe
2019/11/04 09:41:48 [Info] [3417725582] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: connection ends > context canceled

作者: kingwilliam 時間: 2019-11-5 07:20

v2ray 只處理 tcp和udp. 所以ping, traceroute 和pptp 這類是不會處理的。

作者: harold 時間: 2019-11-5 09:16

本帖最後由 harold 於 2019-11-14 09:40 編輯

回復 4# kingwilliam

即是當全局VPN 是無可能!!我本想放隻盒子上去睇!! 咁應該無行!
我依家socket5/HTTP 都無問題, 一落iptables , 連router的全死, 連DNS 都resolve 唔到!! 頭都痕!! 請問用ss-tproxy 啲啲會唔會簡單一啲

作者: kingwilliam 時間: 2019-11-5 09:48

本帖最後由 kingwilliam 於 2019-11-6 11:37 編輯

先分開全局VPN 問題.

mytvsuper box 我都有用, 完全沒問題. 只要設定好透明代理就完成(但一定要有tcp和udp, 因mytv box 是用tcp https取data, udp取ntp, 如不能連接udp 123, 隻box就會停在黑畫面不停轉圈)

如你是tvb隻 mytv box帶上國內收看的話有幾點要留意
760 大約高峰6.5Mbit/s 平均700kbit/s
1080 大約高峰8.5Mbit/s 平均900kbit/s
平均每 10秒取1次buffer
所以QoS只要保持到3Mbit/s 基本上一定流暢

作者: kingwilliam 時間: 2019-11-5 09:56

本帖最後由 kingwilliam 於 2019-11-6 11:41 編輯

回復 5# harold

再解答為甚麼你"原先"的iptable一落就會死, 而抽起 "# iptables -t nat -A OUTPUT -p tcp -j V2RAY" 就正常.(利申, linux我也是半途出家, 有錯請包容)

iptables PREROUTING 是指有 packet 入來如何處理
iptables output 是指系統本身, 如張自已也送上 v2ray, 就會形成 dead loop(在這例子)

所以 v2ray 留意幾點
1. v2ray 最基本是用來上網(tcp and udp)
2. 如想處理所有 protocol (即不只tcp udp, 還包括pptp ping traceroute 這類), 就要 vpn over v2ray
3. VPN over v2ray 要選tcp 或 udp 的vpn(所以不能用pptp, 因pptp要用GRE)

作者: tomleehk 時間: 2019-11-5 10:10

本帖最後由 tomleehk 於 2019-11-5 10:23 編輯

回復 kingwilliam

請問用ss-tproxy 啲啲會唔會簡單一啲

harold 發表於 2019-11-5 09:16

純經驗分享

openwrt + ss-client + iptables 做透明代理我試過喺work 嘅
當中亦喺ss-client設定加上 iptables scripts

測試方法我用bt download去確定 udp 能轉發至 server

但因為無長期實際需要, 純研究性質, 無再深入研究及實踐

作者: harold 時間: 2019-11-5 13:52

回復 6# kingwilliam

我好想用你個方法!!! 但我依家腦出血都唔明乜事!!

作者: harold 時間: 2019-11-5 13:54

回復 8# tomleehk

謝謝你的分享, 但我發現openwet 上SS 無obfs, 加上我要長期用!! 怕被封!!

作者: harold 時間: 2019-11-5 13:58

本帖最後由 harold 於 2019-11-14 09:37 編輯

我依家懷疑緊係唔係我個dokodem-door 有錯, 能否指導一下!! 謝謝你們的付出!!

我己經建咗DNS-over-HTTPS, port 係5353, 但我又唔懂係v2ray轉!!

{
  "log": {
"access": "/var/log/v2rayaccess.log",
"error": "/var/log/v2rayerror.log",
//"loglevel": "warning"
"loglevel": "debug"
},

"inbounds":
[
{
   "tag":"transparent",
   "port": 12345,
   "protocol": "dokodemo-door",
   "settings": {"network": "tcp,udp","followRedirect": true},
   "sniffing": {"enabled": true,"destOverride": ["http","tls"]},
   "sockopt": {"mark": 255},
   "streamSettings": {"sockopt": { "tproxy": "tproxy" }}
},
{
   "port": 1081,
   "protocol": "http",
   "settings": {"network": "tcp,udp"},
   "sockopt": {"mark": 255},
   "sniffing": {"enabled": true,"destOverride": ["http", "tls"]}
}
//發現http,socks唔可以一齊行{
// "port": 1080,
// "protocol": "socks",
// "sniffing": {"enabled": true,"destOverride": ["http", "tls"]}
// }
],

"outbounds":[
{
"tag": "proxy",
"protocol": "vmess",
"settings": {
   "vnext": [
   {
      "address": "server_address",
      "port": 8080,
      "users": [{"id": "uuid","level": 1,"alterId": 64,"security": "aes-128-gcm"}]
      }
            ]
            },

"streamSettings": {
"sockopt": {"mark": 255},
   "network": "ws",
      //"security": "true",
      "security": "tls",
      //"allowInsecure": true,
      "tlsSettings": {"allowInsecure": true,"serverName": "server_address"},
      "wsSettings": { "path": "/v2/" }
      //"mux": {"enabled": true,"concurrency": 8}
                  },
"mux": {"enabled": true}
},
{
   "tag": "direct",
   "protocol": "freedom",
   "settings": {"domainStrategy": "UseIP"},
   "streamSettings": {"sockopt": {"mark": 255}}
},
{
   "tag": "block",
   "protocol": "blackhole",
   "settings": {"response": {"type": "http"}}
},
{
   "tag": "dns-out",
   "protocol": "dns",
   "streamSettings": {"sockopt": {"mark": 255}}
}
  ],

"dns": {
"servers": [
   "8.8.8.8","1.1.1.1","114.114.114.114",
   {
      "address": "223.5.5.5",
      "port": 53,
      "domains": ["geosite:cn"]
   }
]
      },

// "outboundDetour": [
//       {
//          "protocol": "freedom",
//          "settings": {},
//          "tag": "direct"
//       }
// ],

"routing": {
"domainStrategy": "IPOnDemand",
"rules": [
   {"type": "field","inboundTag": ["transparent"],"port": 53,"network": "udp","outboundTag": "dns-out"},
   {"type": "field","inboundTag": ["transparent"],"port": 123,"network": "udp","outboundTag": "direct"},
   {"type": "field","ip": ["223.5.5.5","114.114.114.114"],"outboundTag": "direct"},
   {"type": "field","ip": ["8.8.8.8","1.1.1.1"],"outboundTag": "proxy"},
   {"type": "field","protocol":["bittorrent"],"outboundTag": "direct"},
   {"type": "field","ip": ["geoip:private","geoip:cn"],"outboundTag": "direct" },
   {"type": "field","domain": ["geosite:cn"],"outboundTag": "direct"},
   {"type": "field","ip": ["192.168.1.0/24"],"outboundTag": "direct"}
   ]
         }
}

作者: harold 時間: 2019-11-5 14:02

本帖最後由 harold 於 2019-11-5 14:07 編輯

回復 7# kingwilliam
nslookup yahoo.com
;; connection timed out; no servers could be reached
Server log
2019/11/05 14:05:43 tcp:x.x.x.x:10408 accepted udp:8.8.8.8:53
Server side 見到DNS request, 都返唔到!
當我抽起啲句iptables -t mangle -A PREROUTING -p udp -j V2RAY_MASK

我就可以resolve 到個DNS!!

求命吖!!
nslookup yahoo.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: yahoo.com
Address 1: 98.137.246.7

作者: kingwilliam 時間: 2019-11-5 16:23

本帖最後由 kingwilliam 於 2019-11-5 16:47 編輯

回復 11# harold

今晚才有空細看你的config, 看完再回覆你。

你的NewWifi3 D2,刷了openwrt。
1。還保留 port 53 dns嗎？
1a。如有可否port53轉到5301?

作者: harold 時間: 2019-11-5 16:47

回復 13# kingwilliam

有

作者: tomleehk 時間: 2019-11-5 16:54

本帖最後由 tomleehk 於 2019-11-5 18:25 編輯

我當年Openwrt + ss-client udp轉發所用嘅script, 不知有無幫助

ip route add local default dev lo table 100
ip rule add fwmark 1 lookup 100
iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 1080 --tproxy-mark 0x01/0x01
iptables -t mangle -A SHADOWSOCKS_MARK -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -I -d 127.0.0.0/24 -j RETURN
iptables -t mangle -I PREROUTING -d 192.168.0.0/16 -j RETURN
iptables -t mangle -I PREROUTING -d 10.42.0.0/16 -j RETURN
iptables -t mangle -I PREROUTING -d 0.0.0.0/8 -j RETURN
iptables -t mangle -I PREROUTING -d 10.0.0.0/8 -j RETURN
iptables -t mangle -I PREROUTING -d 172.16.0.0/12 -j RETURN
iptables -t mangle -I PREROUTING -d 224.0.0.0/4 -j RETURN
iptables -t mangle -I PREROUTING -d 240.0.0.0/4 -j RETURN
iptables -t mangle -I PREROUTING -d 169.254.0.0/16 -j RETURN
iptables -t mangle -I PREROUTING -d 255.255.0.0/8 -j RETURN
iptables -t mangle -A PREROUTING -j SHADOWSOCKS
iptables -t mangle -A PREROUTING -j SHADOWSOCKS
iptables -t mangle -A OUTPUT -j SHADOWSOCKS_MARK

複製代碼

其中 --on-port 1080, 1080 喺 ss-client 嘅 listening port

太耐無研究..而家唔記得d細節

作者: harold 時間: 2019-11-5 19:21

回復 15# tomleehk

謝謝你的分享，我用了這個script,dns 可過V2Ray ，但網頁都是直出。好頭痕。。。。

作者: tomleehk 時間: 2019-11-5 19:49

本帖最後由 tomleehk 於 2019-11-5 19:53 編輯

回復 16# harold

我當年Openwrt + ss-client tcp轉發所用嘅script, 不知有無幫助

#!/bin/sh
#create a new chain named SHADOWSOCKS
iptables -t nat -N SHADOWSOCKS
# Ignore your shadowsocks server's addresses
# It's very IMPORTANT, just be careful.
iptables -t nat -A SHADOWSOCKS -p tcp --dport 993 -j RETURN
# Ignore LANs IP address
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
# Anything else should be redirected to shadowsocks's local port
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 1080
# Apply the rules
iptables -t nat -I PREROUTING -p tcp -j SHADOWSOCKS

複製代碼

其中
iptables -t nat -A SHADOWSOCKS -p tcp --dport 993 -j RETURN
--dport 993, 993 喺 server side 嘅listening port

iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 1080
--to-ports 1080 , 1080 喺 client side 嘅listening port

Good Luck !!

作者: harold 時間: 2019-11-5 20:40

V2ray 用唔到！！

作者: kingwilliam 時間: 2019-11-5 21:38

本帖最後由 kingwilliam 於 2019-11-6 06:34 編輯

回復 11# harold
＊
＊
＊
以下config.json是跟你之前的config作了一些改動
！！！一定要修改openwrt內dns port到5301！！！
＊
＊
＊
加入部份
<-- add by kingwilliam (有1項)
刪除部份
<-- disabled by kingwilliam (有7項)

{
"log": {
"access": "/var/log/v2rayaccess.log",
"error": "/var/log/v2rayerror.log",
//"loglevel": "warning"
"loglevel": "debug"
},
"inbounds": [
{
"tag":"transparent",
"port": 12345,
"protocol": "dokodemo-door",
"settings": {"network": "tcp,udp","followRedirect": true},
"sniffing": {"enabled": true,"destOverride": ["http","tls"]}
// "sockopt": {"mark": 255} <-- disabled by kingwilliam
// "streamSettings": {"sockopt": { "tproxy": "tproxy" }} <-- disabled by kingwilliam
},
// dokodemo-door:53 <--- add by kingwilliam
{
"tag": "dns-in",
"port": 53,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 5301,
"network": "udp,tcp"
}
},
{
"port": 1081,
"protocol": "http",
"sniffing": {"enabled": true,"destOverride": ["http", "tls"]}
// "settings": {"network": "tcp,udp"}, <-- disabled by kingwilliam
// "sockopt": {"mark": 255}, <-- disabled by kingwilliam
},
{
"port": 1080,
"protocol": "socks",
"sniffing": {"enabled": true,"destOverride": ["http", "tls"]}
}
],
"outbounds":[
{
"tag": "proxy",
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "server_address",
"port": 8080,
"users": [{"id": "uuid","level": 1,"alterId": 64,"security": "aes-128-gcm"}]
}
]
},
"streamSettings": {
"sockopt": {"mark": 255},
"network": "ws",
//"security": "true",
"security": "tls",
//"allowInsecure": true,
"tlsSettings": {"allowInsecure": true,"serverName": "server_address"},
"wsSettings": { "path": "/v2/" }
//"mux": {"enabled": true,"concurrency": 8}
},
"mux": {"enabled": true}
},
{
"tag": "direct",
"protocol": "freedom",
// "settings": {"domainStrategy": "UseIP"}, <-- disabled by kingwilliam
"streamSettings": {"sockopt": {"mark": 255}}
},
{
"tag": "block",
"protocol": "blackhole",
"settings": {"response": {"type": "http"}}
},
{
"tag": "dns-out",
"protocol": "dns",
"streamSettings": {"sockopt": {"mark": 255}}
}
],
"dns": {
"servers": [
"8.8.8.8","1.1.1.1",
//,"114.114.114.114", <-- disabled by kingwilliam
{
"address": "223.5.5.5",
"port": 53,
"domains": ["geosite:cn","ntp.org","changip.com","amy.dns04.com"]
}
]
},
"routing": {
// "domainStrategy": "IPOnDemand", <-- disabled by kingwilliam
"rules": [
// {"type": "field","inboundTag": ["transparent"],"port": 53,"network": "udp","outboundTag": "dns-out"}, <-- disabled by kingwilliam
// dns route <- add by kingwilliam
{
"type": "field",
"inboundTag": "dns-in",
"outboundTag": "dns-out"
},
{"type": "field","inboundTag": ["transparent"],"port": 123,"network": "udp","outboundTag": "direct"},
{"type": "field","ip": ["223.5.5.5","114.114.114.114"],"outboundTag": "direct"},
{"type": "field","ip": ["8.8.8.8","1.1.1.1"],"outboundTag": "proxy"},
{"type": "field","protocol":["bittorrent"],"outboundTag": "direct"},
{"type": "field","ip": ["geoip:private","geoip:cn"],"outboundTag": "direct" },
{"type": "field","domain": ["geosite:cn"],"outboundTag": "direct"},
{"type": "field","ip": ["192.168.1.0/24"],"outboundTag": "direct"}
]
}
}

複製代碼

＊
＊
＊
iptables
加入部份
iptables -t mangle -A V2RAY_MARK -p udp --dport 53 -j RETURN
刪除部份
<-- disabled by kingwilliam (有1項)

hostip2=`dig -t A +short myservername`
iptables -t nat -N V2RAY
iptables -t nat -A V2RAY -d $hostip2 -j RETURN
iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 192.168.1.0/24 -j RETURN
iptables -t nat -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A V2RAY -d 240.0.0.0/4 -j RETURN
iptables -t nat -A V2RAY -p tcp -j RETURN -m mark --mark 0xff
iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A PREROUTING -p tcp -j V2RAY
# iptables -t nat -A OUTPUT -p tcp -j V2RAY <-- disabled by kingwilliam
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N V2RAY_MASK
iptables -t mangle -A V2RAY_MASK -d $hostip2 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.1.0/24 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MARK -p udp --dport 53 -j RETURN
iptables -t mangle -A V2RAY_MASK -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -p udp -j V2RAY_MASK

複製代碼

＊
＊
＊
［［［　　　解說　　　］］］
１。iptables 內的 mark0xff 等同 config.json 內的"sockopt": {"mark": 255}, 目的是識別那個數據包是入, 那個數據包是出.
所以入的數據不用打mark (就是這原因 config.json 內所有inbound "sockopt": {"mark": 255} 都給刪除.
同一原因, outbound全都要保留

iptables -t nat -A V2RAY -p tcp -j RETURN -m mark --mark 0xff
意思是 tcp 有mark 255 就直連

２。你在routing內攔截udp 53, 好多人都在官網發問接近問題,所以我加入dokodemo-door:53, 同時在iptables 加入udp 53直連.　前題是openwrt dns port 一定要改走.

３。direct freedom 不用刻意用 "useip". 沒甚麼作為所以給刪除

４。dns servers 內114. 不應同 1.1. 8.8. 放在同一層所以給刪除

５。 routing 不需用 "ipondemand", 在你的設定看不到有需要所以給刪除

６。inbounds socks同http 是可以共全的, 同時在 http "settings": {"network": "tcp,udp"} 也給我刪除.

以上改動希望可以幫到你, 如有問題請告知, 看看可否再調配

作者: harold 時間: 2019-11-5 22:47

本帖最後由 harold 於 2019-11-5 22:54 編輯

回復 19# kingwilliam

多謝你的無私詳細付出！！小弟萬分感激！
Openwrt 內的DNS 我在/etc/config/dhcp 內改了5301，也用nslookup yahoo.com 127.0.0.1#5301 試用是可行的
nslookup yahoo.com 127.0.0.1#53
Server:       127.0.0.1
Address:       127.0.0.1#53
Name:    yahoo.com
Address 1: 98.137.246.8

nslookup yahoo.com 127.0.0.1#5301
Server:       127.0.0.1
Address:       127.0.0.1#5301
Name:    yahoo.com
Address 1: 72.30.35.9

但行完個 script 都係resolve 唔到DNS，

！！真的唔明在那裏出問題！！
nslookup yahoo.com 127.0.0.1#53
;; connection timed out; no servers could be reached

nslookup yahoo.com 127.0.0.1#5301
;; connection timed out; no servers could be reached

作者: kingwilliam 時間: 2019-11-5 22:58

回復 20# harold

V2ray config 都已update? 因加入了dokodemo 53

作者: harold 時間: 2019-11-5 23:02

回復 6# kingwilliam

咁係唔係要udp 123 route去v2ray出。把direct改成proxy

作者: harold 時間: 2019-11-5 23:04

回復 21# kingwilliam

但行完iptable就resolve唔到DNS。

作者: harold 時間: 2019-11-5 23:05

回復 21# kingwilliam

全部都跟了你的設定。R爆頭。。。

作者: kingwilliam 時間: 2019-11-5 23:27

回復 24# harold

抱歉, 原來小了 routing dns
已在之前coding後補加入

// dns route <- add by kingwilliam
{
"type": "field",
"inboundTag": "dns-in",
"outboundTag": "dns-out"
}

複製代碼

可再試試

作者: kingwilliam 時間: 2019-11-5 23:30

回復 22# harold

其實 udp 123 只是 ntp (network time protocol) 影響不太大, routing 內的 udp 123, 可以刪除.

作者: harold 時間: 2019-11-5 23:47

本帖最後由 harold 於 2019-11-14 09:35 編輯

回復 26# kingwilliam

成功了！！我加了一句！！我好多謝你的耐心教導
iptables -t mangle -A V2RAY_MASK -d 127.0.0.1 -j RETURN

但我啲問題，啲部Openwrt會放在國內用，主要來看電視合子！上下FB，IG，TG，WP！
這樣的設定，能否避免了DNS pollution嗎？dns over https 等於無用嗎？
我用 changeip 做 dynamic dns, 國內能可以用到嗎？

小弟多謝你的教導！！真的開心都訓唔著！！
多謝大大！！多謝各位的幫助！！

作者: harold 時間: 2019-11-6 00:05

本帖最後由 harold 於 2019-11-6 00:08 編輯

回復 25# kingwilliam

謝謝你的努力！！加咗啲句時得時唔得！！

作者: kingwilliam 時間: 2019-11-6 06:39

本帖最後由 kingwilliam 於 2019-11-6 07:16 編輯

回復 28# harold

在上面的iptables tcp同udp已追加四組subnet

iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A V2RAY -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MARK -d 240.0.0.0/4 -j RETURN

複製代碼

可再試試

作者: kingwilliam 時間: 2019-11-6 06:48

回復 27# harold

Q1: 主要來看MYTV 電視合子.
A1: 在 http://www.telecom-cafe.com/foru ... =7774&pid=47642 有一些數據如你要看mytv superbox, 寬頻下限要有3Mbit/s 有10Mbit/s最好(是翻牆後的速度)

Q2:要睇FB，IG，TG，WP
A2: 一定沒問題

Q3: dns over https 等於無用嗎？
A3: dns over v2ray 即等同 dns over https. 如你在openwrt已設定dns over https應已用不到

Q4: 這樣的設定，能否避免了DNS pollution嗎？
A4: 能

Q5: 我用 changeip 做 dynamic dns, 國內能可以用到嗎？
A5: 要試

作者: harold 時間: 2019-11-6 07:59

回復 30# kingwilliam

好多謝你的回覆。我會努力試。謝謝你。萬分感激

作者: kingwilliam 時間: 2019-11-6 11:27

回復 31# harold

為科學上網一同研究

作者: harold 時間: 2019-11-6 15:45

發現當未能連上v2ray時，dns resolve唔到，即係係v2ray Server address一定要入ip address.

作者: kingwilliam 時間: 2019-11-6 16:03

回復 33# harold

先問 server 是fixed Ip 還是 dynamic IP

作者: harold 時間: 2019-11-6 16:35

dynamic IP

作者: kingwilliam 時間: 2019-11-6 18:35

回復 35# harold

因不知你的network diagram, 暫估你的v2ray 系統是直接取真IP. 同時這系統又不是長開。如果真的如這推算。只能建議這系統長開，或在這系統前放一隻沒甚要求的router. 另國內那邊可正常運作。

作者: tomleehk 時間: 2019-11-6 21:01

本帖最後由 tomleehk 於 2019-11-6 21:27 編輯

發現當未能連上v2ray時，dns resolve唔到，即係係v2ray Server address一定要入ip address. ...
harold 發表於 2019-11-6 15:45

喺唔喺講緊呢句 ?

iptables -t nat -A V2RAY -d $hostip2 -j RETURN

複製代碼

如果喺, 參考我嘅ss-client tcp 轉發 script, 試吓改用 v2ray server 嘅 port

作者: harold 時間: 2019-11-7 07:53

我之前試係IPTABLE FX 全部table加reload firewall的。但一重啟後只行完script就唔work.要等到再fx table,再行一次個script.就可以。

另一個問題是個設備用1.0.0.1dns的話就resolve唔到IP.但當人手改回openwrt粒ip就可以了。
在openwrt介面改用dns又唔得

作者: harold 時間: 2019-11-8 06:46

問題解決了很多，之前設定的DNS OVER HTTP令DNS resolve唔穩定。初步知道，全部設定是正確的。謝謝各位大大的無私教導。萬分感激

作者: harold 時間: 2019-11-11 17:22

本帖最後由 harold 於 2019-11-11 17:53 編輯

回復 harold

因不知你的network diagram, 暫估你的v2ray 系統是直接取真IP. 同時這系統又不是長開。如果 ...
kingwilliam 發表於 2019-11-6 18:35

對不起, 又是我!! 我想再深入明白!!

            {
                     "tag": "dns-in",
                     "port": 53,
                     "protocol": "dokodemo-door",
                     "settings": {
                              "address": "127.0.0.1",
                              "port": 5301,
                              "network": "udp,tcp"
                     }
            },
上面啲句是否即係把所有DNS 由port 53 轉到自己的5301

"dns": {
            "servers": [
                     "8.8.8.8","1.1.1.1",
                     {
                              "address": "223.5.5.5",
                              "port": 53,
                              "domains": ["geosite:cn"]
                     }
            ]
      },

{"type": "field","inboundTag": ["transparent"],"port": 123,"network": "udp","outboundTag": "direct"},

如果加咗啲句即是當連上v2ray, 所以DNS 都由"8.8.8.8","1.1.1.1" OR "223.5.5.5"走, port 5301 就唔會再forward, 我的想法正確嗎? 請指考!!

如果正確, 當我長期用v2ray,  "tag": "dns-in", 是否可以不用指去5301? 直指8.8.8.8 會有乜結果?
如果v2raydns唔用53port, 係唔係要用iptable轉 53 去v2ray DNS port?

對不起，問題比較多。謝謝你。

作者: kingwilliam 時間: 2019-11-11 21:10

本帖最後由 kingwilliam 於 2019-11-12 11:10 編輯

回復 40# harold

前置:
1. 你的router已安裝有dns服務, 而port是用5301
2. 你的router dns服務會forward到你ISP提供給你的 DNS服務器(可能是114.114.114.114)
3. 假設你的router IP 是 192.168.0.254
4. 假設你network client
ip : 192.168.0.101
nm : 255.255.255.0
gw : 192.168.0.254
dns : 192.168.0.254

這樣設定的話, 你的router會有2個dns服務
192.168.0.254:53 (v2ray提供)
192.168.0.254:5301 -> 114.114.114.114 (系統設定)

"dns": {
"servers": [
{
"address": "223.5.5.5",
"port": 53,
"domains": ["geosite:cn"]
},
"8.8.8.8","1.1.1.1"
]
},
"rounting: [
"rules: [
{
"type": "field",
"inboundTag": "dns-in",
"outboundTag": "dns-out"
}
]
],
"inbounds": [
{
"tag": "dns-in",
"port": 53,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 5301,
"network": "udp,tcp"
}
}
],
"outbounds": [
{
"tag": "dns-out",
"protocol": "dns"
}
]

複製代碼

5. 上面的設定基本上是配合透明代理而設定, 在(4)的client設定都看到 dns都是指著v2ray. 但v2ray dns只能處理 A和AAAA 記錄, 但dns是一個非常大的系統還有ns(name server), mx(mail exchange) 很多很多. 所以v2ray 內的dns 要先分流 A,AAAA 和其他的記錄處理.

6. 例A: client要看www.google.com,

v2ray 流程是 [inbounds] -> [routing] -> [outbounds]
client 會發出 dns 要求問 192.168.0.254:53 www.google.com的IP
v2ray inbounds dns-in 53 會收到要求
routing "inboundTag": "dns-in" -> "outboundTag": "dns-out"
outbounds "dns-out" 分流如要求A,AAAA紀錄就用 v2ray dns
v2ray dns 會看要求的 FQDN是否在 "domains": ["geosite:cn"] 如果是就用 223.5.5.5 不是就用 "8.8.8.8","1.1.1.1"
所以www.google.com ip就是由 "8.8.8.8","1.1.1.1" 回答的
當然, 如果要求是 www.taobao.com 就會由 223.5.5.5 回答

7. 例B: client要發電郵到 jd.com

v2ray 流程是 [inbounds] -> [routing] -> [outbounds]
client 會發出 dns 要求問 192.168.0.254:53 jd.com 的mx紀錄
v2ray inbounds tag dns-in 53 會收到要求
routing "inboundTag": "dns-in" -> "outboundTag": "dns-out"
outbounds "dns-out" 分流如要求A,AAAA紀錄就用 v2ray dns, 如果要求是其他dns紀錄就會用原生帶來的dns服務器.
因在 inbounds dns-in 是帶來 127.0.0.1:5301, 所以v2ray 就會問127.0.0.1:5301取jd.com的mx紀綠

Q1:如果加咗啲句即是當連上v2ray, 所以DNS 都由"8.8.8.8","1.1.1.1" OR "223.5.5.5"走, port 5301 就唔會再forward, 我的想法正確嗎? 請指考!!
A1:就算只用來上網也不能, 上面已輕輕帶過 dns是一個很大的系統, 就算只上網除了A,AAAA紀錄外, 還有 cname, ns限多限多, 所以在7.例B會看到dns dokodem-door帶來的127.0.0.1:5301如何參與運作.

Q2:如果正確, 當我長期用v2ray, "tag": "dns-in", 是否可以不用指去5301? 直指8.8.8.8 會有乜結果?
A2:互聯網是一個全球系統.如果www.taobao.com只得1個伺服器在國內, 如在美國的客戶想采購, 就要越洋過來, 速度非常慢外, 也會另系統超負荷，所以就發展出geodns, 即你身在國內www.taobao.com會可能取到 4.5.6.7的國內ip, 如在美國去www.taobao.com 會取到美國16.17.18.19美國 ip. 簡單點講就是淘寶可在全球放上數個到數十個伺服器, 根據你在不用地方,就給你最近的伺服器. 如果你的vps在美國, 如沒了dns server geosite:cn分流, 全都用vps那邊的dns. 你就會發現, 就算你身在國內去淘寶都會非常慢, 看到的物品可能全是國外的物品, 愛奇藝會說你地區限制不能播放. 所以v2ray才有dns分流. 所以8.8.8.8,1.1.1.1,223.5.5.5和 127.0.0.1:5301最好全都保留.

最後 8.8.8.8 1.1.1.1只要留一個就可以.

作者: harold 時間: 2019-11-12 14:14

回復 41# kingwilliam

多謝你的超詳細解釋!! 萬分感激!!

作者: harold 時間: 2019-11-12 21:21

本帖最後由 harold 於 2019-11-14 09:34 編輯

回復 41# kingwilliam

對不起，又是我有問題！！代理我已經設定好，電腦手機都肯定是走代理的！但我用個盒子見都個流量是直出的，為什麼呢？
IPV4 TCP mySUPER-Box.lan:35464 202.126.54.105:80 160.80 MB (197715 封包數.)
IPV4 TCP mySUPER-Box.lan:34416 202.126.54.117:80 5.06 MB (6319 封包數.)
IPV4 TCP mySUPER-Box.lan:35495 202.126.54.105:80 204.85 KB (305 封包數.)
IPV4 TCP mySUPER-Box.lan:33313 95.211.254.163:443 147.00 KB (740 封包數.)
IPV4 TCP mySUPER-Box.lan:53859 147.75.111.32:443 8.40 KB (27 封包數.)
IPV4 TCP mySUPER-Box.lan:40133 119.28.37.97:80 3.03 KB (7 封包數.)
IPV4 TCP mySUPER-Box.lan:33329 119.28.37.97:80 3.03 KB (7 封包數.)
IPV4 TCP mySUPER-Box.lan:46414 119.28.37.97:80 3.03 KB (7 封包數.)
IPV4 TCP mySUPER-Box.lan:44945 119.28.37.97:80 3.03 KB (7 封包數.)
IPV4 TCP mySUPER-Box.lan:38395 119.28.37.97:80 3.03 KB (7 封包數.)
IPV4 TCP mySUPER-Box.lan:53468 119.28.37.97:80 3.03 KB (7 封包數.)
IPV4 TCP mySUPER-Box.lan:52483 157.255.77.99:5287 922 B (7 封包數.)
IPV4 UDP mySUPER-Box.lan:33062 NewWifi2.lan:53 144 B (2 封包數.)

作者: kingwilliam 時間: 2019-11-13 09:28

本帖最後由 kingwilliam 於 2019-11-13 09:33 編輯

回復 43# harold

有沒有多點資料如何得知其他是走代理？全都是走透明代理嗎？可否提供 client config.json, iptables 和v2ray debug access error log

如檔案不小可用付件型式放上來

作者: harold 時間: 2019-11-13 14:19

回復 44# kingwilliam

謝謝你的回覆我用openwrt 的即時連線看到的，但我用電腦手機看 https://whatismyipaddress.com/ 和 fast.com 都是得出是走透明代理的，我只怕是否因為個盒子有特別嘢要再設定！

作者: kingwilliam 時間: 2019-11-13 16:44

回復 45# harold

mytvsuper box沒特別設定, 最簡單方法是看server那邊log便知.

作者: harold 時間: 2019-11-13 20:21

回復 29# kingwilliam [/bd
之前 114.114.114.114 的DNS 唔能夠係本地過，必要走代理！！
當改了
iptables -t mangle -A V2RAY_MARK -p udp ！ --dport 53 -j RETURN
114.114.114.114 DNS 就可以走本地過，不用走代理！“！”係相反的意思，但唔明UDP 相反才可以走本地呢？
作者: harold 時間: 2019-11-13 21:34

回復 46# kingwilliam

係server side ，我見到有好多連線！有啲應該個盒子的！只係唔知是否全部都係走代理吧！
作者: tomleehk 時間: 2019-12-15 16:57

本帖最後由 tomleehk 於 2019-12-21 08:39 編輯

Openwrt V2ray 透明代理 tls + ws (實踐編)
http://www.telecom-cafe.com/forum/viewthread.php?tid=7789
參考網上文章, 左砌右砌加加減減, 初步睇結果喺成功做到tcp+dns轉發, 速度唔算好高, 足夠一般使用

歡迎光臨電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2