
Title: Openwrt xray server + gRPC + Reality + Vision + Nginx (TLS1.3) + acme + Cloudflare

Author: tomleehk    Time: 2023-5-18 18:50     Title: Openwrt xray server + gRPC + Reality + Vision + Nginx (TLS1.3) + acme + Cloudflare

This post was last edited by tomleehk on 2023-5-20 13:42

Preparation

1. A router supported by openwrt with at least 32M ROM ( e.g. Newifi 3 D2 )
2. Openwrt stable release, minimum version 22.03 ( https://downloads.openwrt.org/releases/ ). Note that to support Reality the xray-core must be version 1.8 or above, which is only available for openwrt images of version 22.03 or above.
3. WinSCP (download at https://winscp.net/eng/download.php )
4. DDNS registration ( e.g. www.dynu.com )
5. Valid certificate ( e.g. Let's encrypt, https://www.sslforfree.com/ or openwrt acme package )
6. Openwrt webserver package supporting gRPC (e.g. Nginx )
7. Simple webpage source code
8. V2ray client ( e.g. V2rayNG, version 1.8 or above) supporting Reality
9. Knowledge of xray gRPC and Reality ( e.g. https://xtls.github.io/config/transports/grpc.html#grpcobject )
10. Knowledge of UNIX/openwrt
11. Knowledge of webserver setup

Target :
1. The router acts as an https webserver (port 443) with a webpage and a valid certificate, to deal with the GFW.
2. The xray-core (gRPC) stays behind the webserver, and the webserver uses the grpc_pass directive to pass the client connection through.
3. The xray-core (Reality) runs on port 8446 and receives connections from the client directly.
Author: tomleehk    Time: 2023-5-18 18:51

This post was last edited by tomleehk on 2023-5-19 08:57

Openwrt DDNS installation and configuration

In this example, www.dynu.com will be used as example
1) At https://www.dynu.com/en-US/ControlPanel/CreateAccount, register an account ( e.g. dynu_id/dynu_pwd as id/password)
2) At https://www.dynu.com/en-US/ControlPanel, select <DDNS Services>
3) At https://www.dynu.com/en-US/ControlPanel/DDNS, select <+Add>
4) At <Option 1: Use Our Domain Name>, register a host url for your router. e.g. testhost.ddnsfree.com and save your registration
5) Revisit  https://www.dynu.com/en-US/ControlPanel/DDNS and ensure your registration is successful.

Assume your router has been flashed with openwrt.
Use a Windows browser to access 192.168.1.1. Openwrt luci will then show up and prompt you to set up a password for root. Follow accordingly and save your root password.

Log out and log in to openwrt luci as root again.
System>>System
Timezone - Asia/Hong Kong   
Click<<Save/Apply>>

At a Windows command prompt, run the ssh client,
e.g. ssh root@192.168.1.1, to access the openwrt command shell and install the ddns package

opkg update   <<ENTER>>
opkg install luci-app-ddns   <<ENTER>>

After installation is complete, type
reboot -f  <<ENTER>>
to reboot router

After the router reboots, use a Windows browser to access 192.168.1.1 openwrt luci and log in again.
Services >> Dynamic DNS
To add DDNS entry,
type dynu_ipv4, click <<Add>>, then
Basic Settings
DDNS Service provider [IPv4] - dynu.com
Lookup Hostname - testhost.ddnsfree.com
Domain - testhost.ddnsfree.com
Username - dynu_id
Password - dynu_pwd
Enabled - check
Click <<Save/Apply>>

Reboot the router and verify that
1) the DDNS entry for testhost.ddnsfree.com is updated with your router's WAN IP properly
2) the router time is updated with local time
Author: tomleehk    Time: 2023-5-18 18:52

This post was last edited by tomleehk on 2023-5-19 13:28

Acme installation and configuration

Note - The sample below uses the DNS API approach.

At openwrt command shell, type
    opkg update   <<ENTER>>
    opkg install luci-app-acme   <<ENTER>>
    opkg install acme-dnsapi      <<ENTER>>

Collect the API credentials from DDNS provider, e.g.
At https://www.dynu.com/en-US/ControlPanel/APICredentials
copy the credentials, e.g.
Client ID
39a7a033-c129-55b0-a013-b511150ace22
Secret
7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg

At openwrt luci, Services>>ACME certs
State directory - /etc/acme
Account email - your email account that you registered at DYNU.com

1. Delete all sample templates
2. Add a new ACME entry with the name ACME

<General Setting>
Enabled - uncheck
Use staging server - uncheck
Key size - RSA2048
Domain names - testhost.ddnsfree.com
Click <<Save>>

<Challenge Validation>
Validation method - DNS
DNS API - dns_dynu
DNS API credentials - Dynu_ClientId="39a7a033-c129-55b0-a013-b511150ace22"
                      Dynu_Secret="7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg"
Click <<Save>>

3. Click <<Save / Apply>> and reboot router

4. At openwrt luci, Services>>ACME certs verify the content of ACME again.

5. <General Setting>
Enabled - check
Click <<Save>>
Click <<Save / Apply>>

6. The key/certificate files will be created in the folder /etc/acme/testhost.ddnsfree.com/ after 2 to 3 minutes.
     Two files, fullchain.cer and testhost.ddnsfree.com.key, will be needed for the Nginx setup.
   
Note
1) Check other supported DDNS providers at https://github.com/Neilpang/acme.sh/tree/master/dnsapi and corresponding credential parameters needed at https://github.com/Neilpang/acme.sh/wiki/dnsapi
2) The default account email MUST be changed, otherwise the acme script will not work.
Author: tomleehk    Time: 2023-5-18 18:53

This post was last edited by tomleehk on 2023-11-18 01:09

Xray-core installation and configuration

Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell.
opkg update   <<ENTER>>
opkg install xray-core  <<ENTER>>

After installation of the packages is complete, type
opkg list-installed  <<ENTER>>
to verify that the xray-core version is v1.8 or above.

In order to run the xray server with Reality,
1) a public/private key pair created with the x25519 algorithm is needed.
Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell, then
type
xray x25519 <<ENTER>>

A pair of keys will be generated
e.g.
Private key: YIHyZpW1NJLck_XTCG8IYMMqq1JG7w2Vm95HMAbB51g
Public key: Xh_hBw4E5SBFjreeAQQjnUMlvLvFPeELy2Xdvur6XwU

2) a ShortID string made up of the characters 0 to f only; its length must be a multiple of 2, and the maximum length is 16.
e.g. 6ba85179e30d4fc2
   
Assume xray server uses the following parameters
1) port = 8447
2) protocol = vless
3) uuid = c50bf28e-98cd-a351-b8d5-d60d56c376c7
4) network = gRPC
5) gRPC serviceName = whitelist

and

1) port 8446
2) protocol = vless
3) uuid = c50bf28e-98cd-a351-b8d5-d60d56c376c7
4) flow = xtls-rprx-vision
5) network = tcp
6) security = reality
7) realitySettings
     dest : www.amazon.com:443
     serverNames : www.amazon.com
     privateKey : YIHyZpW1NJLck_XTCG8IYMMqq1JG7w2Vm95HMAbB51g
     shortIds : 6ba85179e30d4fc2

Prepare a text file config.json with the following content (the gRPC inbound listens on 127.0.0.1 only, since Nginx on the router forwards to it):
{
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 8447,
            "protocol": "vless",
            "allocate": {
                "strategy": "always"
            },
            "settings": {
                "clients": [
                    {
                        "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
                        "level": 0
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "grpc",
                "grpcSettings": {
                    "serviceName": "whitelist"
                }
            }
        },
        {
            "port": 8446,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
                        "flow": "xtls-rprx-vision",
                        "level": 0
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "dest": "www.amazon.com:443",
                    "serverNames": [
                        "www.amazon.com"
                    ],
                    "privateKey": "YIHyZpW1NJLck_XTCG8IYMMqq1JG7w2Vm95HMAbB51g",
                    "shortIds": [
                        "6ba85179e30d4fc2"
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {}
        }
    ]
}
Run WINSCP to login router with
New Site
1) File protocol - SCP
2) Host Name - 192.168.1.1
3) Port Number - 22
4) User Name/Password - root / <root password>
You can use Save button to create a site profile for future re-use

Copy the above config.json to the folder /etc/xray/

Use WINSCP to edit the file /etc/config/xray
Change the content from
config xray 'enabled'
        option enabled '0'
To
config xray 'enabled'
        option enabled '1'
IMPORTANT:
1. Create a firewall rule to open port 8446 at openwrt luci, Network >> Firewall >> Traffic Rules
    Name : Open8446
    Protocol : TCP and  UDP
    Source zone : wan and wan6
    Destination zone : This Device
    Destination port : 8446

2. The destination site must fulfil the following requirements :
    an overseas website supporting TLSv1.3 and H2
    Reference :
    https://www.duangvps.com/archives/1976

3. Technically the destination site can point to the local webserver instead of an external webserver
                    "realitySettings": {
                        "dest": "127.0.0.1:443",
                        "serverNames": [
                            "testhost.ddnsfree.com"
                        ],
Pros and cons need further investigation.

Reboot the router and access the openwrt luci page
Status >> Processes
and search for xray to verify that xray is launched automatically.
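The Reality parameters above (x25519 key pair, shortIds, client UUID) are easy to get subtly wrong, and a Reality server gives the client no hint why a handshake was rejected and forwarded to the dest site. The script below is an added example for this thread, not code from the original post or from xray-core. It re-derives the public key from the server's privateKey with a pure-Python X25519 (the RFC 7748 ladder, not constant-time, so for offline checking only) so that the value pasted into the client profile can be compared, and it validates the shortIds and client id against the rules quoted above. The embedded inbound is a constructed copy of the post's 8446 inbound.

```python
import base64
import json
import re
import uuid

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, the Curve25519 Montgomery ladder constant


def b64url_encode(raw: bytes) -> str:
    """xray prints x25519 keys as unpadded base64url; mirror that format."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 per RFC 7748 (clamp the scalar, then the Montgomery ladder).
    Plain Python ints, so NOT constant-time: fine for checking a config
    offline, never for live key agreement."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k_int = int.from_bytes(k, "little")
    uu = bytearray(u)
    uu[31] &= 127  # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(uu, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_from_private(private_b64url: str) -> str:
    """The public key `xray x25519` prints for this private key: X25519(priv, 9)."""
    return b64url_encode(x25519(b64url_decode(private_b64url), (9).to_bytes(32, "little")))


def short_id_ok(short_id: str) -> bool:
    """shortIds rule from the post: hex digits 0-f only, even length, at most 16.
    xray also accepts "" (client may send no shortId), so the empty string passes."""
    return len(short_id) <= 16 and len(short_id) % 2 == 0 and re.fullmatch(r"[0-9a-f]*", short_id) is not None


def check_reality_inbound(inbound: dict) -> list:
    """Return the problems found in one VLESS + Reality inbound; [] means it looks consistent."""
    problems = []
    if inbound.get("protocol") != "vless":
        problems.append("protocol must be vless")
    for client in inbound.get("settings", {}).get("clients", []):
        try:
            uuid.UUID(client["id"])
        except (KeyError, ValueError):
            problems.append("client id %r is not a UUID" % client.get("id"))
        if client.get("flow") != "xtls-rprx-vision":
            problems.append("client flow should be xtls-rprx-vision for the Reality + Vision setup in the post")
    stream = inbound.get("streamSettings", {})
    if stream.get("security") != "reality":
        problems.append("streamSettings.security must be reality")
    reality = stream.get("realitySettings", {})
    if not reality.get("serverNames"):
        problems.append("realitySettings.serverNames is empty")
    for sid in reality.get("shortIds", []):
        if not short_id_ok(sid):
            problems.append("bad shortId %r" % sid)
    try:
        key_ok = len(b64url_decode(reality.get("privateKey", ""))) == 32
    except (ValueError, TypeError):
        key_ok = False
    if not key_ok:
        problems.append("privateKey does not decode to 32 bytes of base64url")
    return problems


# Constructed copy of the post's 8446 inbound, reduced to the fields this checker reads.
POST_INBOUND = json.loads("""{
  "port": 8446, "protocol": "vless",
  "settings": {"clients": [{"id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
                            "flow": "xtls-rprx-vision"}], "decryption": "none"},
  "streamSettings": {"network": "tcp", "security": "reality",
    "realitySettings": {"dest": "www.amazon.com:443", "serverNames": ["www.amazon.com"],
                        "privateKey": "YIHyZpW1NJLck_XTCG8IYMMqq1JG7w2Vm95HMAbB51g",
                        "shortIds": ["6ba85179e30d4fc2"]}}}""")

if __name__ == "__main__":
    priv = POST_INBOUND["streamSettings"]["realitySettings"]["privateKey"]
    print("public key derived from privateKey   :", public_from_private(priv))
    print("PublicKey in the post's client profile:", "Xh_hBw4E5SBFjreeAQQjnUMlvLvFPeELy2Xdvur6XwU")
    print("inbound problems:", check_reality_inbound(POST_INBOUND) or "none")
```

Run it on your own config.json after `xray x25519`: the derived key must equal the PublicKey you type into V2rayNG, otherwise every client hello fails the Reality check and is silently forwarded to www.amazon.com, which looks exactly like a wrong shortId or UUID.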
Author: tomleehk    Time: 2023-5-18 18:54

This post was last edited by tomleehk on 2023-5-21 13:11

Nginx/webpage installation and configuration

Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell.
opkg update   <<ENTER>>
opkg install nginx  <<ENTER>>

Use WINSCP to change to the folder /etc/nginx and rename the linked file uci.conf to uci.conf.bak.
Use WINSCP to open uci.conf.bak and copy its content to a NEW text file uci.conf.
Modify the NEW text file uci.conf accordingly
               root /www/webproj ;
....
               listen 443 ssl http2 ;
               listen [::]:443 ssl http2 ;
               server_name  testhost.ddnsfree.com ;
               ssl_certificate      /etc/acme/testhost.ddnsfree.com/fullchain.cer;
               ssl_certificate_key  /etc/acme/testhost.ddnsfree.com/testhost.ddnsfree.com.key;
               ssl_protocols TLSv1.3;
               ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
....
               location / {
                   root   /www/webproj;
                   index  index.html index.htm;
               }

               location /whitelist {
                   grpc_pass grpc://127.0.0.1:8447;
               }
....
               listen         80;
               listen    [::]:80;
               server_name  testhost.ddnsfree.com ;
               return         301 https://$server_name$request_uri;
or even replace the whole file uci.conf with the below content
# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx

worker_processes auto;

user root;

events {}

http {
        access_log off;
        log_format openwrt
                '$request_method $scheme://$host$request_uri => $status'
                ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

        include mime.types;
        default_type application/octet-stream;
        sendfile on;

        client_max_body_size 128M;
        large_client_header_buffers 2 1k;

        gzip on;
        gzip_vary on;
        gzip_proxied any;

        root /www/webproj ;

        server {
               listen 443 ssl http2 ;
               listen [::]:443 ssl http2 ;
               server_name  testhost.ddnsfree.com ;
               ssl_certificate      /etc/acme/testhost.ddnsfree.com/fullchain.cer;
               ssl_certificate_key  /etc/acme/testhost.ddnsfree.com/testhost.ddnsfree.com.key;
               ssl_protocols TLSv1.3;
               ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
               ssl_session_cache shared:SSL:32k;
               ssl_session_timeout 64m;
               access_log off; # logd openwrt;

               location / {
                   root   /www/webproj;
                   index  index.html index.htm;
               }

               location /whitelist {
                   grpc_pass grpc://127.0.0.1:8447;
               }
        }

        server {
                listen         80;
                listen    [::]:80;
                server_name  testhost.ddnsfree.com ;
                return         301 https://$server_name$request_uri;
        }
}
Save the modified uci.conf to the folder /etc/nginx

Download site for the simple webpage log-in.zip : https://gofile.io/d/kpXBcJ
Suppose we use the above simple webpage (index.html, css/style.css). Use WinSCP to create the folders /www/webproj and /www/webproj/css. Copy index.html to /www/webproj and style.css to /www/webproj/css

IMPORTANT :
1. The openwrt luci is still using ports 80 and 443. You need to use WINSCP to modify the file /etc/config/uhttpd to release ports 80 and 443.

From
config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
To
config uhttpd 'main'
        list listen_http '0.0.0.0:8080'
        list listen_http '[::]:8080'
#        list listen_https '0.0.0.0:443'
#        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
2. Create a firewall rule to open port 443 at openwrt luci, Network >> Firewall >> Traffic Rules
    Name : Open443
    Protocol : TCP and  UDP
    Source zone : wan and wan6
    Destination zone : This Device
    Destination port : 443


Reboot the router and access openwrt luci at http://192.168.1.1:8080
Status >> Processes
and search for nginx to verify that nginx is launched automatically.

Use a browser to open https://testhost.ddnsfree.com; it should show your simple webpage with a valid certificate.

Use the online TLS tester below
https://www.cdn77.com/tls-test
to test your webserver  https://testhost.ddnsfree.com
It should deliver a result like
Great! The tested resource is running on the latest TLS 1.3.
TLS 1.3        enabled
TLS 1.2        disabled
TLS 1.1 (deprecated)        disabled
TLS 1.0 (deprecated)        disabled
Enabled SSL protocol versions
SSLv3 (deprecated)        disabled
SSLv2 (deprecated)        disabled
Use the online http2 tester below
https://tools.keycdn.com/http2-test
to test your webserver  https://testhost.ddnsfree.com
It should deliver a result like
HTTP/2 protocol is supported.
ALPN extension is supported.

Author: tomleehk    Time: 2023-5-18 18:54

This post was last edited by tomleehk on 2023-6-24 21:12

V2rayNG client configuration

To support xray (Reality), V2RayNG must be version 1.8 or above.
At the time of releasing this walk-through, the version available on the Google Play Store is 1.7.x.
You can get the 1.8.x pre-release version at
https://github.com/2dust/v2rayNG/releases
and manually install the .apk file.

The configurations are

1) gRPC
remarks : testhost.ddnsfree.com.grpc
address : testhost.ddnsfree.com
port : 443
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
Network : grpc
gRPC mode : gun
gRPC serviceName : whitelist
tls : tls
SNI : testhost.ddnsfree.com
allowInsecure : true

2) Reality
remarks : testhost.ddnsfree.com.reality
address : testhost.ddnsfree.com
port : 8446
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
flow : xtls-rprx-vision
Network : tcp
TCP : reality
SNI : www.amazon.com
Fingerprint : random
PublicKey : Xh_hBw4E5SBFjreeAQQjnUMlvLvFPeELy2Xdvur6XwU
ShortId : 6ba85179e30d4fc2
Author: tomleehk    Time: 2023-5-18 18:54

This post was last edited by tomleehk on 2023-5-20 18:10

Use CloudFlare to passthrough gRPC traffic

1. Follow the below steps to setup the basic CloudFlare proxy
http://www.telecom-cafe.com/forum/viewthread.php?tid=7761

2. At your Cloudflare setup, go to Traffic
gRPC = Turn On

3. If everything is fine, nogfw.cf will be proxied to testhost.ddnsfree.com after a few minutes.

In the browser, if you access https://nogfw.cf, you should see the simple webpage that you installed on Nginx

Verification :
Use browser to access https://nogfw.cf, verify the valid certificate issued by cloudflare for nogfw.cf.
Use browser to access https://testhost.ddnsfree.com, verify the valid certificate issued by Let's encrypt for testhost.ddnsfree.com.

4. There is no need to make any change to Nginx, xray etc. on your router.

5. V2RayNG client configuration
remarks : nogfw.cf.grpc
address : nogfw.cf
port : 443
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
Network : grpc
gRPC mode : gun
gRPC serviceName : whitelist
tls : tls
SNI : nogfw.cf
allowInsecure : true

Remark : Using CloudFlare is optional, so whether to make use of CloudFlare is up to you.
Author: milanolarry    Time: 2023-5-18 19:04

Support.........
Author: milanolarry    Time: 2023-5-20 18:30

This post was last edited by milanolarry on 2023-5-20 20:21

A question: in Xray settings I sometimes see a camouflage site, such as www.YYYYYYYYY.com or www.XXXXXXX.com. Does that mean that when Xray receives any request without the uuid and public cert, it forwards the request to these sites? I tried accessing my own Xray without the uuid / cert, but the browser blocked it, saying the site does not have a valid cert for www.YYYYYYYYY.com / www.XXXXXXX.com.
Author: tomleehk    Time: 2023-5-20 18:37

This post was last edited by tomleehk on 2023-5-20 18:39
Quote: A question: in Xray settings I sometimes see a camouflage site, such as ... or ... etc. Does that mean that when Xray receives any request without the uui ...
milanolarry posted on 2023-5-20 18:30


Yes... according to what I have read online, it is to deceive observers.
Author: milanolarry    Time: 2023-5-25 18:27

I have set up Xray running Reality; it connects and works, but when I go in with a browser I cannot reach the camouflage site (M$); it just says Invalid URL. Is that normal?
Author: tomleehk    Time: 2023-5-26 18:57

Quote: I have set up Xray running Reality; it connects and works, but when I go in with a browser I cannot reach the camouflage site (M$); it just says In ...
milanolarry posted on 2023-5-25 18:27


The situation you describe has never occurred for me.
Author: milanolarry    Time: 2023-5-26 22:27

So the cover site does show up for you?
Author: tomleehk    Time: 2023-5-27 09:02

Quote: So the cover site does show up for you?
milanolarry posted on 2023-5-26 22:27


It has always shown up without any problem.
Author: tomleehk    Time: 2023-7-16 14:49

This post was last edited by tomleehk on 2023-7-16 14:52
Quote: I have set up Xray running Reality; it connects and works, but when I go in with a browser I cannot reach the camouflage site (M$); it just says In ...
milanolarry posted on 2023-5-25 18:27



Be careful when choosing the cover site for xray reality, to avoid the microsoft.com problem
https://blog.misaka.rest/2023/07/15/pick-reality-dest-domain/
Author: 99BB    Time: 2023-12-9 16:23

Last time I could not get v2ray working; this time I will try whether I can get this one working.
Author: milanolarry    Time: 2023-12-30 18:50

Both Nginx and Reality want to use 443. Would leaving one of them out be more likely to cause problems?
Author: tomleehk    Time: 2023-12-30 23:22

Quote: Both Nginx and Reality want to use 443. Would leaving one of them out be more likely to cause problems?
milanolarry posted on 2023-12-30 18:50


If you know how to use haproxy, you can also make everything share port 443.




Welcome to 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2