Openwrt xray server + gRPC + Reality + Vision + Nginx (TLS1.3) + acme + Cloudflare

tomleehk

Preparation

1. A router supported by openwrt with at least 32M ROM ( e.g. Newifi 3 D2 )
2. Openwrt stable release with minimum version 22.03 ( https://downloads.openwrt.org/releases/ ). Note that to support Reality the xray-core must be of version 1.8 or above which can only be available for openwrt image with version 22.03 or above.   
3. WinSCP (download at https://winscp.net/eng/download.php )
4. DDNS registration ( e.g. www.dynu.com )
5. Valid certificate ( e.g. Let's encrypt, https://www.sslforfree.com/ or openwrt acme package )
6. Openwrt webserver package supporting gRPC (e.g. Nginx )
7. Simple webpage source code
8. V2ray client ( e.g. V2rayNG, version 1.8 or above) supporting Reality
9. Knowledge of xray gRPC and Reality ( e.g. https://xtls.github.io/config/transports/grpc.html#grpcobject )
10. Knowledge of UNIX/openwrt
11. Knowledge of webserver setup

Target :
1. Router acts as https webserver (Port 443) with webpage and valid certificate to deal with the GFW.
2. The xray-core(gRPC) stays behind the webserver and the webserver uses gRPC_pass function to passthrough connection from client.
3. The xray-core(Reality) runs on port 8446 to receive connection from client directly.

tomleehk

Openwrt DDNS installation and configuration

In this example, www.dynu.com will be used as example
1) At https://www.dynu.com/en-US/ControlPanel/CreateAccount, register an account ( e.g. dynu_id/dynu_pwd as id/password)
2) At https://www.dynu.com/en-US/ControlPanel, select <DDNS Services>
3) At https://www.dynu.com/en-US/ControlPanel/DDNS, select <+Add>
4) At <Option 1: Use Our Domain Name>, register a host url for your router. e.g. testhost.ddnsfree.com and save your registration
5) Revisit  https://www.dynu.com/en-US/ControlPanel/DDNS and ensure your registration is successful.

Assume your router has been flashed with openwrt.
Use Windows browser to access 192.168.1.1. Openwrt luci will then show up and prompt you to setup a password for root. Follow accordingly and save your password for root.

Logout and login openwrt luci with root again.
System>>System
Timezone - Asia/Hong Kong   
Click<<Save/Apply>>

At Windows DOS prompt, run ssh client  
e.g. ssh root@192.168.1.1 to access openwrt command shell to install ddns package

opkg update   <<ENTER>>
opkg install luci-app-ddns   <<ENTER>>

After installation is complete, type
reboot -f  <<ENTER>>
to reboot router

After router reboots , use Windows browser to access 192.168.1.1 openwrt luci and login again.
Services >> Dynamic DNS
To add DDNS entry,
type dynu_ipv4, click <<Add>>, then
Basic Settings
DDNS Service provider [IPv4] - dynu.com
Lookup Hostname - testhost.ddnsfree.com
Domain - testhost.ddnsfree.com
Username - dynu_id
Password - dynu_pwd
Enabled - check
Click <<Save/Apply>>

Reboot router and verify
1) DDNS of testhost.ddnsfree.com can be updated with your router's WAN ip properly
2) Router time can be updated with local time

tomleehk

Acme installation and configuration

Note - The below sample uses API approach.

At openwrt command shell, type
    opkg update   <<ENTER>>
    opkg install luci-app-acme   <<ENTER>>
    opkg install acme-dnsapi      <<ENTER>>

Collect the API credentials from DDNS provider, e.g.
At https://www.dynu.com/en-US/ControlPanel/APICredentials
copy the credentials, e.g.
Client ID
39a7a033-c129-55b0-a013-b511150ace22
Secret
7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg

At openwrt luci, Services>>ACME certs
State directory - /etc/acme
Account email - your email account that you registered at DYNU.com

1. Delete all sample templates
2. Add a new ACME entry with the name ACME

<General Setting>
Enabled - uncheck
Use staging server - uncheck
Key size - RSA2048
Domain names - testhost.ddnsfree.com
Click <<Save>>

<Challenge Validation>
Validation method - DNS
DNS API - dns_dynu
DNS API credentials - Dynu_ClientId="39a7a033-c129-55b0-a013-b511150ace22"
                                 Dynu_Secret="7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg"
Click <<Save>>

3. Click <<Save / Apply>> and reboot router

4. At openwrt luci, Services>>ACME certs verify the content of ACME again.

5. <General Setting>
Enabled - check
Click <<Save>>
Click <<Save / Apply>>

6> The key/certificate files will be created at the folder /etc/acme/testhost.ddnsfree.com/ after 2 to 3 minutes.
     2 files : fullchain.cer and testhost.ddnsfree.com.key will be needed for Nginx setup.
   
Note
1) Check other supported DDNS providers at https://github.com/Neilpang/acme.sh/tree/master/dnsapi and corresponding credential parameters needed at https://github.com/Neilpang/acme.sh/wiki/dnsapi
2) The default account email MUST be changed, otherwise the acme script cannot work.

tomleehk

Xray-core installation and configuration

Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell.
opkg update   <<ENTER>>
opkg install xray-core  <<ENTER>>

After installation of packages is complete, type
opkg list-installed  <<ENTER>>
to verify xray-core version must be of v1.8 above.

In order to run xray server with reality,
1) a set of public key/private key created with x25519 algorithm is needed.
Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell, then
type
xray x25519 <<ENTER>>

A pair of keys will be generated
e.g.
Private key: YIHyZpW1NJLck_XTCG8IYMMqq1JG7w2Vm95HMAbB51g
Public key: Xh_hBw4E5SBFjreeAQQjnUMlvLvFPeELy2Xdvur6XwU

2) a string of ShortID which comprises letters 0 to f only, the string length must be a multiple of 2 and maximum string length is 16.
e.g. 6ba85179e30d4fc2
   
Assume xray server uses the following parameters
1) port = 8447
2) protocol = vless
3) uuid = c50bf28e-98cd-a351-b8d5-d60d56c376c7
4) network = gRPC
5) gRPC serviceName = whitelist

and

1) port 8446
2) protocol = vless
3) uuid = c50bf28e-98cd-a351-b8d5-d60d56c376c7
4) flow = xtls-rprx-vision
5) network = tcp
6) security = reality
7) realitySettings
     dest : www.amazon.com:443
     serverNames : www.amazon.com
     privateKey : YIHyZpW1NJLck_XTCG8IYMMqq1JG7w2Vm95HMAbB51g
     shortIds : 6ba85179e30d4fc2

Prepare a text file config.json with content

1. {
   
2.     "inbounds": [
   
3.    {
   
4.       "port": 8447,
   
5.       "protocol": "vless",
   
6.       "allocate": {
   
7.             "strategy": "always"
   
8.        },
   
9.       "settings": {
   
10.         "clients": [
    
11.           {
    
12.             "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
    
13.             "level": 0
    
14.           }
    
15.         ],
    
16.         "decryption": "none"
    
17.       },
    
18.         "streamSettings": {
    
19.         "network":"gRPC",
    
20.         "gRPCSettings": {"serviceName": "whitelist"}
    
21.         }
    
22.      },
    
23. 
    
24.      {   
    
25.             "port": 8446,
    
26.             "protocol": "vless",
    
27.             "settings": {
    
28.                 "clients": [
    
29.                     {
    
30.                         "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
    
31.                         "flow": "xtls-rprx-vision",
    
32.                         "level": 0
    
33.                     }
    
34.                 ],
    
35.                 "decryption": "none"
    
36.             },
    
37.             "streamSettings": {
    
38.                 "network": "tcp",
    
39.                 "security": "reality",
    
40.                 "realitySettings": {
    
41.                     "dest": "www.amazon.com:443",
    
42.                     "serverNames": [
    
43.                         "www.amazon.com"
    
44.                     ],
    
45.                     "privateKey": "YIHyZpW1NJLck_XTCG8IYMMqq1JG7w2Vm95HMAbB51g",
    
46.                     "shortIds": [
    
47.                         "6ba85179e30d4fc2"
    
48.                     ]
    
49.                 }
    
50.             }
    
51.         }
    
52.     ],
    
53.     "outbounds": [
    
54.     {
    
55.       "protocol": "freedom",
    
56.       "settings": {}
    
57.     }
    
58.     ]   
    
59. }

複製代碼

Run WINSCP to login router with
New Site
1) File protocol - SCP
2) Host Name - 192.168.1.1
3) Port Number - 22
4) User Name/Password - root / <root password>
You can use Save button to create a site profile for future re-use

Copy the above config.json to the folder /etc/xray/

Use WINSCP to edit the file /etc/config/xray
Change the content from

1.   config xray 'enabled'
   
2.         option enabled '0'

複製代碼

To

1. config xray 'enabled'
   
2.         option enabled '1'

複製代碼

IMPORTANT:
1. Create a firewall rule to open port 8446 at openwrt luci, Network >> Firewall >> Traffic Rules
    Name : Open8446
    Protocol : TCP and  UDP
    Source zone : wan and wan6
    Destination zone : This Device
    Destination port : 8446

2. Destination site must fulfil the following requirements :
    Overseas websites supporting TLSv1.3, H2
    Reference :
    https://www.duangvps.com/archives/1976

3. Technically the destination site can point to local webserver instead of external webserver

1. "realitySettings": {
   
2.                     "dest": "127.0.0.1:443",
   
3.                     "serverNames": [
   
4.                         " testhost.ddnsfree.com"
   
5.                          ],

複製代碼

Pros and Cons need further investigation.

Reboot router and access openwrt luci page
Status >> Processes
and search for xray to verify xray can be launched automatically.

tomleehk

Nginx/webpage installation and configuration

Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell.
opkg update   <<ENTER>>
opkg install nginx  <<ENTER>>

Use WINSCP to change the folder to /etc/nginx and rename the linked file uci.conf to uci.conf.bak
Use WINSCP to open the content of uci.conf.bak. Copy the content of uci.conf.bak to a NEW text file uci.conf.
Modify the NEW text file uci.conf accordingly

1.                root /www/webproj ;
   
2. 
   
3. ....
   
4.                listen 443 ssl http2 ;
   
5.                listen [::]:443 ssl http2 ;
   
6.                server_name  testhost.ddnsfree.com ;
   
7.                ssl_certificate      /etc/acme/testhost.ddnsfree.com/fullchain.cer;
   
8.                ssl_certificate_key  /etc/acme/testhost.ddnsfree.com/testhost.ddnsfree.com.key;
   
9.                ssl_protocols TLSv1.3;
   
10.                ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    
11. ....
    
12. 
    
13.               location / {
    
14.                    root   /www/webproj;
    
15.                   index  index.html index.htm;
    
16.                }
    
17. 
    
18.               location /whitelist {
    
19.                grpc_pass grpc://127.0.0.1:8447;
    
20.               }
    
21. ....
    
22. 
    
23.               listen         80;
    
24.               listen    [::]:80;
    
25.               server_name  testhost.ddnsfree.com ;
    
26.               return         301 https://$server_name$request_uri;

複製代碼

or even replace the whole file uci.conf with the below content

1. # This file is re-created when Nginx starts.
   
2. # Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
   
3. # Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
   
4. # For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx
   
5. 
   
6. worker_processes auto;
   
7. 
   
8. user root;
   
9. 
   
10. events {}
    
11. 
    
12. http {
    
13.         access_log off;
    
14.         log_format openwrt
    
15.                 '$request_method $scheme://$host$request_uri => $status'
    
16.                 ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
    
17. 
    
18.         include mime.types;
    
19.         default_type application/octet-stream;
    
20.         sendfile on;
    
21. 
    
22.         client_max_body_size 128M;
    
23.         large_client_header_buffers 2 1k;
    
24. 
    
25.         gzip on;
    
26.         gzip_vary on;
    
27.         gzip_proxied any;
    
28. 
    
29.         root /www/webproj ;
    
30. 
    
31.         server {
    
32.                listen 443 ssl http2 ;
    
33.                listen [::]:443 ssl http2 ;
    
34.                server_name  testhost.ddnsfree.com ;
    
35.                ssl_certificate      /etc/acme/testhost.ddnsfree.com/fullchain.cer;
    
36.                ssl_certificate_key  /etc/acme/testhost.ddnsfree.com/testhost.ddnsfree.com.key;
    
37.                ssl_protocols TLSv1.3;
    
38.                ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    
39.                ssl_session_cache shared:SSL:32k;
    
40.                ssl_session_timeout 64m;
    
41.                access_log off; # logd openwrt;
    
42. 
    
43.        location / {
    
44.                root   /www/webproj;
    
45.                index  index.html index.htm;
    
46.                   }
    
47. 
    
48.        location /whitelist {
    
49.                grpc_pass grpc://127.0.0.1:8447;
    
50.                   }
    
51.       }
    
52. 
    
53.       server {
    
54.                 listen         80;
    
55.                 listen    [::]:80;
    
56.                 server_name  testhost.ddnsfree.com ;
    
57.                 return         301 https://$server_name$request_uri;
    
58.       }
    
59. 
    
60. 
    
61. }

複製代碼

Save the modified uci.conf to the folder /etc/nginx

download site for simple webage log-in.zip : https://gofile.io/d/kpXBcJ
Suppose using the above simple webpage   (index.html,css/style.css). Use WinSCP to create folders /www/webproj and /www/webproj/css. Copy index.html to /www/webproj and style.css to /www/webproj/css

IMPORTANT :
1. The openwrt luci is still using port 80 and 443. You need to use WINSCP to modify the file /etc/config/uhttpd to release the port 80 and 443.

From

1. config uhttpd 'main'
   
2.         list listen_http '0.0.0.0:80'
   
3.         list listen_http '[::]:80'
   
4.         list listen_https '0.0.0.0:443'
   
5.         list listen_https '[::]:443'
   
6.         option redirect_https '0'
   
7.         option home '/www'

複製代碼

To

1. config uhttpd 'main'
   
2.         list listen_http '0.0.0.0:8080'
   
3.         list listen_http '[::]:8080'
   
4. #        list listen_https '0.0.0.0:443'
   
5. #        list listen_https '[::]:443'
   
6.         option redirect_https '0'
   
7.         option home '/www'

複製代碼

2. Create a firewall rule to open port 443 at openwrt luci, Network >> Firewall >> Traffic Rules
    Name : Open443
    Protocol : TCP and  UDP
    Source zone : wan and wan6
    Destination zone : This Device
    Destination port : 443


Reboot the router and access openwrt luci at http://192.168.1.1:8080
Status >> Processes
and search for nginx to verify nginx can be launch automatically.

Use browser to launch https://testhost.ddnsfree.com and it should show your simple webpage with valid certificate.

Use the below online TLS tester
https://www.cdn77.com/tls-test
to test your webserver  https://testhost.ddnsfree.com
It should deliver result like

1. Great! The tested resource is running on the latest TLS 1.3.
   
2. TLS 1.3        enabled
   
3. TLS 1.2        disabled
   
4. TLS 1.1 (deprecated)        disabled
   
5. TLS 1.0 (deprecated)        disabled
   
6. Enabled SSL protocol versions
   
7. SSLv3 (deprecated)        disabled
   
8. SSLv2 (deprecated)        disabled

複製代碼

Use the below online http2 tester
https://tools.keycdn.com/http2-test
to test your webserver  https://testhost.ddnsfree.com
It should deliver result like

1. HTTP/2 protocol is supported.
   
2. ALPN extension is supported.

複製代碼

tomleehk

V2rayNG client configuration

To support xray(Reality) the V2RayNG must be of version 1.8 above.
By the time of releasing this walk-through, the version available at Google Play Store is 1.7.x.
You can get the 1.8.x pre-release version at
https://github.com/2dust/v2rayNG/releases
and manually install the .apk file.

The configurations are

1) gRPC
remarks : testhost.ddnsfree.com.grpc
address : testhost.ddnsfree.com
port : 443
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
Network : grpc
gRPC mode : gun
gRPC serviceName : whitelist
tls : tls
SNI : testhost.ddnsfree.com
allowInsecure : true

2) Reality
remarks : testhost.ddnsfree.com.reality
address : testhost.ddnsfree.com
port : 8446
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
flow : xtls-rprx-vision
Network : tcp
TCP : reality
SNI : www.amazon.com
Fingerprint : random
PublicKey : Xh_hBw4E5SBFjreeAQQjnUMlvLvFPeELy2Xdvur6XwU
ShortId : 6ba85179e30d4fc2

tomleehk

Use CloudFlare to passthrough gRPC traffic

1. Follow the below steps to setup the basic CloudFlare proxy
http://www.telecom-cafe.com/forum/viewthread.php?tid=7761

2. At your Cloudflare setup, go to Traffic
gRPC = Turn On

3. If everythings are fine, nogfw.cf will be proxied to testhost.ddnsfree.com after a few minutes.

At the browser, if you access https://nogfw.cf, you should see your simple webpage that you installed at Nginx

Verification :
Use browser to access https://nogfw.cf, verify the valid certificate issued by cloudflare for nogfw.cf.
Use browser to access https://testhost.ddnsfree.com, verify the valid certificate issued by Let's encrypt for testhost.ddnsfree.com.

4. No need to carry out any change on Nginx, xray etc. on your router.

5. V2RayNG client configuration
remarks : nogfw.cf.grpc
address : nogfw.cf
port : 443
id : c50bf28e-98cd-a351-b8d5-d60d56c376c7
Network : grpc
gRPC mode : gun
gRPC serviceName : whitelist
tls : tls
SNI : nogfw.cf
allowInsecure : true

Remark : Using CloudFlare is optional and therefore whether to make use of CloudFlare is up to your decision.

milanolarry

十扑.........

milanolarry

想請教，Xray setting 有時會見到有一個 Camouflage site, 如  www.YYYYYYYYY.com 或 www.XXXXXXX.com 等，想問是否當 Xray 收到任何沒有 uuid 及 public cert 的要求時便會把要求轉發到這些網站？試過在自己的 Xray 不用 uuid / cert，但被溜覽器封鎖，說該網站沒有 www.YYYYYYYYY.com 或 www.XXXXXXX.com 的 valid cert 云云。

tomleehk

想請教，Xray setting 有時會見到有一個 Camouflage site, 如   或  等，想問是否當 Xray 收到任何沒有 uui ...
milanolarry 發表於 2023-5-20 18:30

對...據網上資料, 掩人耳目

milanolarry

起左 Xray，行 Reality，接得通，行得郁，但用 browser 入去時候就去吾到 camouflage site (M$), 淨係話 Invalid URL，正吾正常？

tomleehk

起左 Xray，行 Reality，接得通，行得郁，但用 browser 入去時候就去吾到 camouflage site (M$), 淨係話 In ...
milanolarry 發表於 2023-5-25 18:27

所描述嘅情况從無出現過

milanolarry

即係會出 cover 個 site？

tomleehk

即係會出 cover 個 site？
milanolarry 發表於 2023-5-26 22:27

一直出到無問題

tomleehk

起左 Xray，行 Reality，接得通，行得郁，但用 browser 入去時候就去吾到 camouflage site (M$), 淨係話 In ...
milanolarry 發表於 2023-5-25 18:27

xray reality 選擇cover site 要小心, 避免出現microsoft.com 的問題
https://blog.misaka.rest/2023/07/15/pick-reality-dest-domain/