-
Notifications
You must be signed in to change notification settings - Fork 80
Home
Billy.Zheng edited this page Oct 27, 2018
·
42 revisions
Last updated on 2018/10/27
使用 白名单 方式,通过维护一份国内 IP/Domain 列表,实现自动翻墙的透明代理,为合理的科学上网提供便利。
这个教程的唯一目的是为个人学习、及满足工作查资料的需要, 请不要在国内的公共社区或公共场合传播,由此
引发的不可预知的责任,本资源一概不承担,请见谅。
本文基于网络上大量资料整理,此不一一列举,没有大量网友的无私分享,就不会有这个文章。
本部署脚本最早基于华硕(ASUS) RT-AC66U,但在基于 ARM 架构的 RT-AC87U、RT-5300 上也可以运行。 应该适合于任何支持 Entware 包管理的 Merlin(梅林) 路由器。
采用 OpenWRT 的路由器(支持 Entware 包管理),经过简单的 hack, 应该也可以完美工作,因为思路是一样的。
- ss+dnsmasq+udprelay 需要 tproxy 支持,要求梅林固件版本不低于: 380.68+,其他部署方式不需要。
- opkg 路由器包管理系统, Entware-ng
- 可以登陆路由器的 ssh 客户端。
- 一定的 CLI 操作能力。
以 Linux 下为例: 你的 U 盘驱动器在 Linux 的设备为 /dev/sdd1
注意!! 以下操作需谨慎,确保指定正确的设备,因为这是格式化操作,因不了解危险性,造成的任何数据丢失,本教程不承担责任!
# mkfs.ext3 /dev/sdd1将 U 盘插入到路由器 U 口上,然后登陆路由器,按照以下提示操作:
- 系统管理 => 系统设置
- ``Format JFFS partition at next boot
选择是`。 -
Enable JFFS custom scripts and configs选择是。 -
Enable SSH选择LAN+WAN, 或者LAN如果你只想通过网线联网时, 才登录 ssh. - 如果希望无密码登陆,
SSH Authentication key, 将你的ssh公钥粘帖到这里, 不懂啥是公钥, 请自行百度. - 最后, 点击
应用本页面设置,等待提示完成后, 务必重新启动路由器, 确保再次进来时,Format JFFS partition at next boot选项已经恢复成否. - 测试 ssh 登录是否成功, 假设 192.168.50.1 是你的路由器 IP:
$ ssh admin@192.168.50.1- 如果出现了如下提示符, 进入下一步.
ASUSWRT-Merlin RT-AC87U 380.65-0 Fri Feb 3 05:19:42 UTC 2017 admin@RT-AC87U-4A68:/tmp/home/root#
- 键入命令
entware-setup.sh, 来初始化包管理系统 opkg.
admin@RT-AC66U-20F0:/tmp/home/root# entware-setup.sh如果你的 U 盘分区格式没问题,这个脚本会出现类似如下提示让你选择:
admin@RT-AC66U-20F0:/tmp/mnt/sda/asusware/etc# entware-setup.sh
Info: This script will guide you through the Entware installation.
Info: Script modifies "entware" folder only on the chosen drive,
Info: no other data will be changed. Existing installation will be
Info: replaced with this one. Also some start scripts will be installed,
Info: the old ones will be saved on Entware partition with name
Info: like /tmp/mnt/sda1/jffs_scripts_backup.tgz
Info: Looking for available partitions...
[1] --> /tmp/mnt/sda
=> Please enter partition number or 0 to exit
[0-1]: 此时选择 1 即可, 等待安装完成.
如果运行 opkg --version, 返回对应的版本信息, 表示安装成功, exit 退出路由器.
下载 链接. 如果你使用 mac 或 linux, 使用下面的 curl 命令就足够了.
$: curl -L https://github.com/zw963/asuswrt-merlin-transparent-proxy/archive/master.zip > transparent-proxy.zip
$: unzip transparent-proxy.zip
Archive: transparent-proxy.zip
ee43fd6ad2aa2e890b7f792c309fa5e270442676
creating: asuswrt-merlin-transparent-proxy-master/
inflating: asuswrt-merlin-transparent-proxy-master/.gitignore
inflating: asuswrt-merlin-transparent-proxy-master/LICENSE
inflating: asuswrt-merlin-transparent-proxy-master/README.md
creating: asuswrt-merlin-transparent-proxy-master/functions/
inflating: asuswrt-merlin-transparent-proxy-master/functions/deploy_start.sh
inflating: asuswrt-merlin-transparent-proxy-master/generate_dns
creating: asuswrt-merlin-transparent-proxy-master/route/
creating: asuswrt-merlin-transparent-proxy-master/router/opt/
creating: asuswrt-merlin-transparent-proxy-master/router/opt/etc/
creating: asuswrt-merlin-transparent-proxy-master/router/opt/etc/dnsmasq.d/
extracting: asuswrt-merlin-transparent-proxy-master/router/opt/etc/dnsmasq.d/foreign_domains.conf
creating: asuswrt-merlin-transparent-proxy-master/router/opt/etc/init.d/
inflating: asuswrt-merlin-transparent-proxy-master/router/opt/etc/init.d/S22ss-tunnel
inflating: asuswrt-merlin-transparent-proxy-master/router/opt/etc/iptables.sh
inflating: asuswrt-merlin-transparent-proxy-master/router/opt/etc/patch_router
inflating: asuswrt-merlin-transparent-proxy-master/router/opt/etc/restart_dnsmasq
inflating: asuswrt-merlin-transparent-proxy-master/ss+dnsmasq
inflating: asuswrt-merlin-transparent-proxy-master/ss+dnsmasq+chinadns
首先进入项目目录
$ cd ~/asuswrt-merlin-transparent-proxy-master创建 shadowsocks 配置文件 router/opt/etc/shadowsocks.json 脚本.
$ touch router/opt/etc/shadowsocks.json使用编辑器打开 shadowsocks.json, 内容示例如下.
// 这只是一个例子, 如果你要复制修改, 麻烦先手动删除所有 // 开头的注释!
{
"server":"123.123.123.123", // 这是你国外服务器地址(服务器上应该运行一个 shadowsocks server)
"server_port": 12345, // ss-server 监听的端口
"local_address":"192.168.1.1", // 确保这个地址设为你的路由器 ip 地址
"local_port": 1080, // 无需更改
"password": "yours_password", // ss-server 上设定的密码.
"timeout":600, // 不用改
"method":"aes-256-cfb" // ss-server 上设定的加密方式
}此时有以下几个选择:
- ss+dnsmasq+udprelay (RC-AC68U 以上支持),只需要 ss-redir 一个命令自己全部搞定,但据网友反馈,可能存在 DNS 污染,不够稳定。
- ss+dnsmasq+dnscrypt DNS 请求全部加密传输,可有效防止 DNS 投毒,老的 MIPS 架构路由器(AC66U)也工作的很好, 首选方案. 前提是你必须在远程 VPS 上架设 dnscrypt server, 详见 dnscrypt-wrapper 你也可以使用一些免费的 dnscrypt server, 详情, 查看 dnscrypt-proxy 的介绍.
- ss+chinadns 和 ss+chinadns+dnscrypt 方案基本不再维护, 此方案比较省流量,但据网友反应,也存在 DNS 污染,
- 及访问国外某些未被墙的网站速度比较慢的问题。
作者主要用 ss+dnsmasq+dnscrypt,其他方案不保证一直可用.
请注意: 下面的步骤是在你的宿主机(工作电脑上)的命令行下操作, 执行之前确保使用 ssh 可以正确登录路由器.
$ ./ss+dnsmasq+dnscrypt admin@192.168.50.1或
$ ./ss+dnsmasq+dnscrypt admin@router.asus.com下面是 ss+dnsmasq+dnscrypt 安装成功输出示例, 供部署参考.
╰─ $ ./ss+dnsmasq+dnscrypt admin@192.168.50.1
rsync is not installed in remote host, fallback to use scp command.
dnscrypt-proxy.sh 100% 186 73.8KB/s 00:00
foreign_domains.conf 100% 34 12.1KB/s 00:00
iptables.sh 100% 4793 1.5MB/s 00:00
iptables_disable.sh 100% 466 204.2KB/s 00:00
patch_router 100% 1504 477.6KB/s 00:00
restart_dnsmasq 100% 84 35.3KB/s 00:00
shadowsocks.json 100% 194 85.8KB/s 00:00
localips 100% 265 109.0KB/s 00:00
update_ip_whitelist 100% 488 199.2KB/s 00:00
update_dns_whitelist 100% 463 191.2KB/s 00:00
chinadns_chnroute.txt 100% 121KB 3.6MB/s 00:00
user_ip_whitelist.txt 100% 35 14.3KB/s 00:00
user_domain_name_whitelist.txt 100% 42 18.3KB/s 00:00
remote host missing bash, try to install it...
Installing bash (4.3.42-1a) to root...
Downloading http://pkg.entware.net/binaries/armv7/bash_4.3.42-1a_armv7soft.ipk
Installing libncurses (6.0-1c) to root...
Downloading http://pkg.entware.net/binaries/armv7/libncurses_6.0-1c_armv7soft.ipk
Installing libncursesw (6.0-1c) to root...
Downloading http://pkg.entware.net/binaries/armv7/libncursesw_6.0-1c_armv7soft.ipk
Configuring libncursesw.
Configuring libncurses.
Configuring bash.
***********************************************************
Remote deploy scripts is started !!
***********************************************************
opkg version 0.1.8
Package libc (2.23-6) installed in root is up to date.
Package libssp (6.3.0-6) installed in root is up to date.
Installing libev (4.22-1) to root...
Downloading http://pkg.entware.net/binaries/armv7/libev_4.22-1_armv7soft.ipk
Installing libmbedtls (2.4.2-1) to root...
Downloading http://pkg.entware.net/binaries/armv7/libmbedtls_2.4.2-1_armv7soft.ipk
Installing libpcre (8.40-2) to root...
Downloading http://pkg.entware.net/binaries/armv7/libpcre_8.40-2_armv7soft.ipk
Package libpthread (2.23-6) installed in root is up to date.
Installing libsodium (1.0.12-1) to root...
Downloading http://pkg.entware.net/binaries/armv7/libsodium_1.0.12-1_armv7soft.ipk
Installing haveged (1.9.1-5) to root...
Downloading http://pkg.entware.net/binaries/armv7/haveged_1.9.1-5_armv7soft.ipk
Installing libhavege (1.9.1-5) to root...
Downloading http://pkg.entware.net/binaries/armv7/libhavege_1.9.1-5_armv7soft.ipk
Installing zlib (1.2.11-1) to root...
Downloading http://pkg.entware.net/binaries/armv7/zlib_1.2.11-1_armv7soft.ipk
Installing libopenssl (1.0.2k-1) to root...
Downloading http://pkg.entware.net/binaries/armv7/libopenssl_1.0.2k-1_armv7soft.ipk
Configuring libev.
Configuring libpcre.
Configuring libmbedtls.
Configuring libsodium.
Configuring libhavege.
Configuring haveged.
Configuring zlib.
Configuring libopenssl.
Installing shadowsocks-libev (3.0.6-1) to root...
Downloading http://pkg.entware.net/binaries/armv7/shadowsocks-libev_3.0.6-1_armv7soft.ipk
Installing libudns (0.4-1) to root...
Downloading http://pkg.entware.net/binaries/armv7/libudns_0.4-1_armv7soft.ipk
Collected errors:
* resolve_conffiles: Existing conffile /opt/etc/shadowsocks.json is different from the conffile in the new package. The new conffile will be placed at /opt/etc/shadowsocks.json-opkg.
Configuring libudns.
Configuring shadowsocks-libev.
Installing dnscrypt-proxy (1.9.5-2) to root...
Downloading http://pkg.entware.net/binaries/armv7/dnscrypt-proxy_1.9.5-2_armv7soft.ipk
By default, dnscrypt-proxy will use the OpenDNS dnscrypt server.
You may choose another one if you wish:
Configuring dnscrypt-proxy.
skip install iptables
`"local_address":"192.168.50.1",' is replaced with `"local_address":"192.168.50.1",' for /opt/etc/shadowsocks.json
`UPSTREAM_PORT' is replaced with `65053' for /opt/etc/dnsmasq.d/foreign_domains.conf
`ss-local' is replaced with `ss-redir' for /opt/etc/init.d/S22shadowsocks
cat: can't open '/opt/share/dnscrypt-proxy/dnscrypt-resolvers.csv': No such file or directory
cat: can't open '/opt/share/dnscrypt-proxy/dnscrypt-resolvers.csv': No such file or directory
--2017-09-11 14:36:12-- https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf
Resolving raw.githubusercontent.com... 151.101.72.133
Connecting to raw.githubusercontent.com|151.101.72.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1392384 (1.3M) [text/plain]
Saving to: '/opt/etc/dnsmasq.d/accelerated-domains.china.conf.bak'
0K .......... .......... .......... .......... .......... 3% 152K 9s
50K .......... .......... .......... .......... .......... 7% 145K 8s
100K .......... .......... .......... .......... .......... 11% 107K 9s
150K .......... .......... .......... .......... .......... 14% 66.9K 11s
200K .......... .......... .......... .......... .......... 18% 83.9K 11s
250K .......... .......... .......... .......... .......... 22% 62.4K 12s
300K .......... .......... .......... .......... .......... 25% 74.7K 11s
350K .......... .......... .......... .......... .......... 29% 46.4K 12s
400K .......... .......... .......... .......... .......... 33% 34.8K 13s
450K .......... .......... .......... .......... .......... 36% 50.1K 13s
500K .......... .......... .......... .......... .......... 40% 83.3K 12s
550K .......... .......... .......... .......... .......... 44% 45.4K 12s
600K .......... .......... .......... .......... .......... 47% 39.2K 11s
650K .......... .......... .......... .......... .......... 51% 51.8K 11s
700K .......... .......... .......... .......... .......... 55% 27.6K 11s
750K .......... .......... .......... .......... .......... 58% 23.0K 11s
800K .......... .......... .......... .......... .......... 62% 26.7K 10s
850K .......... .......... .......... .......... .......... 66% 34.2K 10s
900K .......... .......... .......... .......... .......... 69% 74.2K 8s
950K .......... .......... .......... .......... .......... 73% 68.8K 7s
1000K .......... .......... .......... .......... .......... 77% 76.5K 6s
1050K .......... .......... .......... .......... .......... 80% 67.5K 5s
1100K .......... .......... .......... .......... .......... 84% 61.5K 4s
1150K .......... .......... .......... .......... .......... 88% 33.1K 3s
1200K .......... .......... .......... .......... .......... 91% 30.5K 2s
1250K .......... .......... .......... .......... .......... 95% 58.9K 1s
1300K .......... .......... .......... .......... .......... 99% 47.3K 0s
1350K ......... 100% 287K=27s
2017-09-11 14:36:40 (49.6 KB/s) - '/opt/etc/dnsmasq.d/accelerated-domains.china.conf.bak' saved [1392384/1392384]
dnsmasq: syntax check OK.
server=/#/127.0.0.1#65053
Shutting down dnscrypt-proxy... done.
Starting dnscrypt-proxy... done.
dnsmasq: syntax check OK.
Checking ss-redir... alive.
Shutting down ss-redir... done.
Checking dnscrypt-proxy... alive.
Shutting down dnscrypt-proxy... done.
Checking haveged... alive.
Shutting down haveged... done.
Starting haveged... done.
Starting dnscrypt-proxy... done.
Starting ss-redir... done.
dnsmasq: syntax check OK.
server=/#/127.0.0.1#65053
Shutting down dnscrypt-proxy... done.
Starting dnscrypt-proxy... done.
Applying iptables rule, it may take several minute to finish ...
ss-redir not enable udp redir, skip UDP rule.
github 下载最新代码, 以上方式再次运行以上命令即可.
$: ssh admin@router.asus.com /opt/etc/toggle_proxy.sh disable如果你不想配置 SSH 自动登录, 又对这个脚本做了什么不太放心, 你可以选择手动部署.
- 打开 脚本,尝试搞明白那些命令在干什么。
- ssh 登录路由器。
- 手动一行一行的粘帖(或手敲)命令执行.
如果部署出现问题,可以选择以下步骤进行恢复:
- 请拔掉 U 盘后, 重启路由器, 如果可以进入管理界面, 格式化 jffs 分区重来.
- 点按路由器的重置按钮(按住不放几秒钟), 重置整个路由器.
用户自定义的白名单文件可以在路由器内 /opt/etc 下创建, 也可以在部署前, 项目 router/opt/etc/ 下手动创建.
以下任意改动如需生效,宿主机运行: $: ssh admin@router.asus.com /opt/etc/patch_router 即可。
╰─ $ cat router/opt/etc/user_ip_whitelist.txt
81.4.123.217 # 这个 ip 我希望直连
# 151.101.72.133 # 这一行被注释掉了.
╰─ $ cat router/opt/etc/user_domain_name_whitelist.txt
pkg.entware.net
# raw.githubusercontent.com
╰─ $ cat router/opt/etc/user_domain_name_blocklist.txt
www.baidu.com # 我不想让别人通过我的路由器访问百度
╰─ $ cat router/opt/etc/dnscrypt-proxy.sh
resolver_address_with_port='服务器地址:端口'
provider_name='2.dnscrypt-cert.domain.com' # domain.com 可以随便改,2.dnscrypt-cert 部分不要改
provider_key='3750:AED7:CEAB:DA91:137A:AFCD:3330:AEAA:2FEB:22AB:07FB:KVCE:3E72:31A3:5F1E:FE78' # 替换为你自己的.
# tcp_only=true # DNS 使用 TCP 代替 UDP, 开启这个后,dnsmasq 的域名缓存将失效, 但是可以有效的防止 DNS 投毒, 建议开启。(移除开始的那个 #)
直接编辑路由器 /opt/etc/shadowsocks.json
最后路由器中运行 /opt/etc/patch_router 让更改生效.
感谢以下项目的不断努力,才让我们探索自由,科学上网的愿望变为现实。
新增服务器端 Shadowsocks部署脚本, 方便不会在服务器上配置 Shadowsocks 的网友.
本脚本应该在 Centos 7 与 Ubuntu 16.04 下完美工作. 这个版本的 shadowsocks-libev 依赖 mbedtls, Ubuntu 14.04 没有提供这个包, 因此不在考虑之列.
操作步骤如下:
- 购买一台可以连接外网的 VPS。 (推荐:linode, vultr 的日本主机或新加坡主机)
- 配置 VPS 主机 ssh 自动登录.(root 权限)
- 部署之前, 修改 你的密码 为你要设定的服务器密码。
- 假设你的 VPS IP 地址是: 123.123.123.123, 运行:
./deploy_ss_to_vps root@123.123.123.123,等待完成。
补充:
基于你选择的服务商, 如果是 Centos 7 可能需要手动添加 epel 的 source 进来, 否则找不到 mbedtls-devel 这个包.
$: rpm -ivh http://download.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm然后重新运行部署脚本.
有问题, 提 issue, 会不定期解决.