Page 1: Table of Contents (source PDF: home.ustc.edu.cn/~huangzs/ZX-USTC-VPN/outman.pdf). Cover image source: Hu Wugong, 《告别老西安》 (Farewell to Old Xi'an). For ordinary users: how to get past the firewall on the common platforms (Windows, Mac OS X, Android, iOS):

Table of Contents

1.1    WHY
1.2    HOW: shadowsocks server
1.2.1  speedtest
1.3    HOW: shadowsocks client
1.3.1  Windows
1.3.2  Linux
1.3.3  MACOS
1.3.4  Android
1.3.5  iOS
1.4    WHAT: PAC mode
1.5    HOW: browser proxy extensions
1.5.1  Firefox
1.5.2  Chrome
1.6    HOW: kcptun
1.6.1  Dante SOCKS server
1.7    HOW: ssh
1.8    HOW: ocserv
1.9    HOW: openwrt
1.9.1  UCI
1.9.2  ChinaDNS + Shadowsocks
1.10   HOW: collected links (收集)
1.11   HOW: sponsor (赞助)


A Roaming Guide to Getting Past the Wall (科学上网漫游指南)

NOTE: if the images in this guide do not display, download the PDF:

https://www.gitbook.com/download/pdf/book/lvii/outman

WHY

War is peace.
Freedom is slavery.
Ignorance is strength. (George Orwell, 1984)


[Image] Source: Katsuhiro Otomo, 《大炮之街》 (Cannon Fodder), 1995

WHAT

[Image] Source: 深入理解GFW:内部结构 (Understanding the GFW in depth: internal structure), 2010-02-18

HOW


[Image] Source: Hu Wugong, 《告别老西安》 (Farewell to Old Xi'an)

Ordinary users

How to get past the wall on the common platforms (Windows, Mac OS X, Android, iOS):

shadowsocks client configuration

Curious users

Configure a browser proxy extension for custom circumvention

Tinkerers

Setting up the shadowsocks and ocserv SSL VPN services

openwrt + shadowsocks: a router that gets past the wall selectively


HOW: Shadowsocks server

Deploy the Shadowsocks server with the shadowsocks-libev package:

https://github.com/shadowsocks/shadowsocks-libev

The README.md on GitHub describes installation on the different distributions in detail; other distributions can follow the README.md instructions.

install

CentOS 7: how to install shadowsocks-libev on Red Hat family systems (CentOS 7 / Fedora 25):

Either build the rpm package by hand, or directly install the rpm binary package built on the copr packaging platform.

rpmbuild

Build the package from source yourself; no help needed, it is only a few commands.

The SPECS file adds the --disable-documentation configure flag, so the build no longer depends on the asciidoc and xmlto packages:

+./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu \
    --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr \
    --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
    --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec \
    --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man \
    --infodir=/usr/share/info --enable-shared --disable-documentation

Create the packaging directories:


mkdir -pv ~/rpmbuild/{SPECS,SOURCES}

Install the build and packaging dependencies:

yum install -y gcc make openssl-devel rpm-build rpmdevtools

Download the SPEC file:

spec_url='https://raw.githubusercontent.com/lvii/outman/master/shadowsocks/shadowsocks-libev.spec'

wget -c -nv -t 5 -T 5 "$spec_url" -O ~/rpmbuild/SPECS/shadowsocks-libev.spec

Update the version number to X.X.X:

sed -i 's/^\(Version:\s\+\).*$/\1X.X.X/g' ~/rpmbuild/SPECS/shadowsocks-libev.spec

Download the source:

# spectool -l -A -R ~/rpmbuild/SPECS/shadowsocks-libev.spec
Source0: https://github.com/shadowsocks/shadowsocks-libev/archive/v2.5.6.tar.gz

# spectool -g -A -R ~/rpmbuild/SPECS/shadowsocks-libev.spec
Getting https://github.com/shadowsocks/shadowsocks-libev/archive/v2.5.6.tar.gz to /root/rpmbuild/SOURCES/v2.5.6.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   137  100   137    0     0    117      0 --:--:--  0:00:01 --:--:--   117
100 1516k  100 1516k    0     0   377k      0  0:00:04  0:00:04 --:--:--  852k

Build the package:


# rpmbuild -bb --clean ~/rpmbuild/SPECS/shadowsocks-libev.spec
......
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/shadowsocks-libev-2.5.6-1.el7.centos.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/shadowsocks-libev-2.5.6-1.el7.centos.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.7m3LGU
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd shadowsocks-libev-2.5.6
+ /usr/bin/rm -rf /root/rpmbuild/BUILDROOT/shadowsocks-libev-2.5.6-1.el7.centos.x86_64
+ exit 0
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.TEQR8H
+ umask 022
+ cd /root/rpmbuild/BUILD
+ rm -rf shadowsocks-libev-2.5.6
+ exit 0

After packaging completes:

# tree -F ~/rpmbuild
/root/rpmbuild/
├── BUILD/
├── BUILDROOT/
├── RPMS/
│   └── x86_64/
│       └── shadowsocks-libev-2.5.6-1.el7.centos.x86_64.rpm
├── SOURCES/
│   └── v2.5.6.tar.gz
├── SPECS/
│   └── shadowsocks-libev.spec
└── SRPMS/

7 directories, 3 files

Inspect the contents of the rpm:


# rpm -qlp ~/rpmbuild/RPMS/x86_64/shadowsocks-libev-2.5.6-1.el7.centos.x86_64.rpm
/etc/default/shadowsocks-libev
/etc/shadowsocks-libev/config.json
/usr/bin/ss-local
/usr/bin/ss-manager
/usr/bin/ss-nat
/usr/bin/ss-redir
/usr/bin/ss-server
/usr/bin/ss-tunnel
/usr/include/shadowsocks.h
/usr/lib/systemd/system/shadowsocks-libev-local@.service
/usr/lib/systemd/system/shadowsocks-libev-redir@.service
/usr/lib/systemd/system/shadowsocks-libev-server@.service
/usr/lib/systemd/system/shadowsocks-libev-tunnel@.service
/usr/lib/systemd/system/shadowsocks-libev.service
/usr/lib64/libshadowsocks-libev.la
/usr/lib64/libshadowsocks-libev.so
/usr/lib64/libshadowsocks-libev.so.2
/usr/lib64/libshadowsocks-libev.so.2.0.0
/usr/lib64/pkgconfig
/usr/lib64/pkgconfig/shadowsocks-libev.pc

Install the rpm package:

rpm -Uvh ~/rpmbuild/RPMS/x86_64/shadowsocks-libev-2.5.6-1.el7.centos.x86_64.rpm

binary

A yum repository for Red Hat family distributions (Fedora/CentOS) has been created on the Fedora Project's copr automatic build platform:

https://copr.fedorainfracloud.org/coprs/outman/shadowsocks-libev/

The built rpm packages are at: https://copr-be.cloud.fedoraproject.org/results/outman/shadowsocks-libev/epel-7-x86_64/

The built rpm can be installed directly with the rpm command; its only dependency, openssl, ships with the system (base package group):


## CentOS 7
rpm -Uvh https://copr-be.cloud.fedoraproject.org/results/outman/shadowsocks-libev/epel-7-x86_64/00493747-shadowsocks-libev/shadowsocks-libev-2.5.6-1.el7.centos.x86_64.rpm

## Fedora 25
rpm -Uvh https://copr-be.cloud.fedoraproject.org/results/outman/shadowsocks-libev/fedora-25-x86_64/00493747-shadowsocks-libev/shadowsocks-libev-2.5.6-1.fc25.x86_64.rpm

Or install from the yum repository:

## CentOS 7
repo_url='https://copr.fedorainfracloud.org/coprs/outman/shadowsocks-libev/repo/epel-7/outman-shadowsocks-libev-epel-7.repo'
wget -c -nv -t 5 -T 5 "$repo_url" -O /etc/yum.repos.d/outman-shadowsocks-libev.repo
yum install -y shadowsocks-libev

copr rpmbuild

Creating the src.rpm source package works like the manual build above; only the -bs option is used instead:

# rpmbuild -bs --clean ~/rpmbuild/SPECS/shadowsocks-libev.spec
Wrote: /root/rpmbuild/SRPMS/shadowsocks-libev-2.5.6-1.el7.centos.src.rpm
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.RovGRv
+ umask 022
+ cd /root/rpmbuild/BUILD
+ rm -rf shadowsocks-libev-2.5.6
+ exit 0

The resulting src.rpm contains only the SPEC file and the source tarball:

# rpm -qlp ~/rpmbuild/SRPMS/shadowsocks-libev-2.5.6-1.el7.centos.src.rpm
shadowsocks-libev.spec
v2.5.6.tar.gz

Upload the src.rpm to the copr platform to have it built there.


config: list the configuration files and commands included in shadowsocks-libev:

# rpm -ql shadowsocks-libev | egrep 'etc|bin|service'
/etc/default/shadowsocks-libev
/etc/shadowsocks-libev/config.json
/usr/bin/ss-local
/usr/bin/ss-manager
/usr/bin/ss-nat
/usr/bin/ss-redir
/usr/bin/ss-server
/usr/bin/ss-tunnel
/usr/lib/systemd/system/shadowsocks-libev.service

Edit the default configuration file:

{
    "server": "10.20.30.40",
    "server_port": 8388,
    "local_port": 1080,
    "password": "your_password",
    "timeout": 60,
    "method": "rc4-md5"
}

Enable the shadowsocks-libev service to start at boot:

# systemctl enable shadowsocks-libev
Created symlink from /etc/systemd/system/multi-user.target.wants/shadowsocks-libev.service to /usr/lib/systemd/system/shadowsocks-libev.service.

Start the shadowsocks-libev service:


# systemctl start shadowsocks-libev
# systemctl status shadowsocks-libev
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
   Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-09-20 14:03:19 CST; 7min ago
     Docs: man:shadowsocks-libev(8)
 Main PID: 39565 (ss-server)
   CGroup: /system.slice/shadowsocks-libev.service
           └─39565 /usr/bin/ss-server -a root -c /etc/shadowsocks-libev/config.json -u

Sep 20 14:03:19 centos systemd[1]: Started Shadowsocks-libev Default Server Service.
Sep 20 14:03:19 centos systemd[1]: Starting Shadowsocks-libev Default Server Service...
Sep 20 14:03:19 centos ss-server[39565]: 2016-09-20 14:03:19 INFO: UDP relay enabled
Sep 20 14:03:19 centos ss-server[39565]: 2016-09-20 14:03:19 INFO: initializing ciphers... rc4-md5
Sep 20 14:03:19 centos ss-server[39565]: 2016-09-20 14:03:19 INFO: tcp port reuse enabled
Sep 20 14:03:19 centos ss-server[39565]: 2016-09-20 14:03:19 INFO: udp port reuse enabled
Sep 20 14:03:19 centos ss-server[39565]: 2016-09-20 14:03:19 INFO: listening at 192.168.10.199:8388

Confirm the service process and its listening ports:

# pgrep -af ss-server
39565 /usr/bin/ss-server -a root -c /etc/shadowsocks-libev/config.json -u

# netstat -lntup | grep ss-server
tcp        0      0 10.20.30.40:8388        0.0.0.0:*               LISTEN      39565/ss-server
udp        0      0 10.20.30.40:8388        0.0.0.0:*                           39565/ss-server
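Before starting the service, it is worth checking config.json for the problems a reviewer would flag in the sample above and confirming that the "listening at" line in the log agrees with it. The following is an added example (my code, not the guide's and not part of shadowsocks-libev); the config text and log line it uses are constructed from the guide's sample values, and the list of weak methods is my own.

```python
"""Sanity-check a shadowsocks-libev config.json and the server's start-up log.

Added example, not part of the guide or of shadowsocks-libev. It reads the
same keys the guide's config.json uses (server, server_port, local_port,
password, timeout, method), reports the things a reviewer would flag, and
cross-checks ss-server's "INFO: listening at host:port" log line against the
configured address. The sample config and log line are constructed.
"""
import ipaddress
import json
import re

# Stream ciphers used in the guide's examples; AEAD ciphers are the safer choice.
WEAK_METHODS = {"rc4", "rc4-md5", "table", "bf-cfb", "des-cfb"}
PLACEHOLDER_PASSWORDS = {"your_password", "password", "", "..."}
LISTEN_RE = re.compile(r"INFO: listening at (\S+):(\d+)$")


def lint_config(config_text):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    findings = []
    try:
        cfg = json.loads(config_text)
    except ValueError as exc:
        return ["config.json is not valid JSON: %s" % exc]

    for key in ("server", "server_port", "password", "method"):
        if key not in cfg:
            findings.append("missing required key %r" % key)
    if findings:
        return findings

    server = str(cfg["server"])
    try:
        if ipaddress.ip_address(server).is_unspecified:
            findings.append("server is a wildcard address; ss-server will listen on every interface")
    except ValueError:
        findings.append("server %r is not an IP address (a hostname is resolved only at start-up)" % server)

    port = cfg["server_port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("server_port %r is not a valid TCP/UDP port" % (port,))
    if cfg.get("local_port", 1080) == port:
        findings.append("local_port equals server_port; on one host the two cannot both bind")

    if cfg["method"] in WEAK_METHODS:
        findings.append("method %r is a stream cipher with no integrity protection; prefer an AEAD method" % cfg["method"])
    password = str(cfg["password"])
    if password in PLACEHOLDER_PASSWORDS or len(password) < 12:
        findings.append("password is a placeholder or shorter than 12 characters")
    if cfg.get("timeout", 0) > 600:
        findings.append("timeout above 600 s keeps idle connections open for a long time")
    return findings


def listener_matches_config(log_line, config_text):
    """True if ss-server's 'listening at' log line agrees with config.json."""
    cfg = json.loads(config_text)
    m = LISTEN_RE.search(log_line)
    if not m:
        return False
    return m.group(1) == str(cfg["server"]) and int(m.group(2)) == cfg["server_port"]


# Constructed sample: the guide's default config with its example values.
SAMPLE_CONFIG = """{
    "server": "10.20.30.40",
    "server_port": 8388,
    "local_port": 1080,
    "password": "your_password",
    "timeout": 60,
    "method": "rc4-md5"
}"""
# Constructed log line in the format ss-server prints at start-up.
SAMPLE_LOG = "2016-09-20 14:03:19 INFO: listening at 192.168.10.199:8388"

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("-", finding)
    print("listener matches config:", listener_matches_config(SAMPLE_LOG, SAMPLE_CONFIG))
```

With the guide's sample values the linter reports the rc4-md5 method and the placeholder password, and the listener check fails because the log shows a different address than the config.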


security

OTA: enable the one-time authentication (OTA) feature on both the server and the client:

https://shadowsocks.org/en/spec/one-time-auth.html

One-time authentication (shortened as OTA) is a new experimental feature designed to improve the security against CCA. You should understand the protocol before reading this document.

By default, the server that supports OTA should run in the compatible mode. OTA is only applied if the client's request header has a flag set. However, if the server switches on OTA explicitly, all clients must switch on OTA, otherwise connections will be denied.

The authentication method is HMAC-SHA1, which has wide support among all major platforms and fairly good speed.

The security of the various Shadowsocks forks, 2016-09-21: https://breakwa11.blogspot.com/2016/09/shadowsocks.html

Enabling OTA in Shadowsocks: http://itony.me/907.html

On the security of ShadowsocksR and Shadowsocks:

https://www.librehat.com/about-shadowsocks-r-and-the-security-of-shadowsocks/

Shadowsocks improved its resistance to CCA by adding one-time authentication, and the major ports have gradually completed support for it. It bears repeating that the goal of Shadowsocks is not to be 100% bug-free or 100% bullet-proof, but to keep connections lightweight and fast while making the cost of mainstream attack techniques so high that they generally cannot be carried out.

https://chriszheng.science/2016/03/11/Shadowsocks-libev-one-time-auth/
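To make the OTA description above concrete, here is an added example (my code, not the guide's and not code from shadowsocks) that computes and verifies the truncated HMAC-SHA1 tag. The header layout, the OTA flag bit, the IV||key keying and the 10-byte truncation are my reading of the linked spec and should be treated as assumptions to check against it; the IV, key and hostname are constructed. OTA was experimental and has since been superseded in shadowsocks by AEAD ciphers.

```python
"""Compute and verify an OTA-style header tag with HMAC-SHA1.

Added example, not code from the guide or from shadowsocks. As read from the
OTA spec linked above (treat the framing as an assumption): the header tag is
HMAC-SHA1 keyed with IV || key over the request header (type byte, address,
port), truncated to 10 bytes; each payload chunk's tag is keyed with
IV || chunk-id (4 bytes, big endian) over the chunk data.
"""
import hashlib
import hmac
import struct

TAG_LEN = 10          # OTA keeps the first 10 bytes of the 20-byte HMAC-SHA1
ATYP_DOMAIN = 0x03    # address type: domain name (as in SOCKS5)
OTA_FLAG = 0x10       # assumption from the spec: bit 4 of the type byte marks OTA


def header_bytes(host, port):
    """Request header: type byte with the OTA flag, name length, name, port."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return bytes([ATYP_DOMAIN | OTA_FLAG, len(name)]) + name + struct.pack("!H", port)


def header_tag(iv, key, header):
    """Tag binding the header to this connection's IV and the shared key."""
    return hmac.new(iv + key, header, hashlib.sha1).digest()[:TAG_LEN]


def chunk_tag(iv, chunk_id, data):
    """Tag over one payload chunk; the counter in the key stops reordering and replay."""
    return hmac.new(iv + struct.pack("!I", chunk_id), data, hashlib.sha1).digest()[:TAG_LEN]


def seal_header(iv, key, header):
    """Header followed by its tag, as the client would send it."""
    return header + header_tag(iv, key, header)


def verify_header(iv, key, sealed):
    """Constant-time check of header||tag; returns the bare header, or None on failure."""
    if len(sealed) <= TAG_LEN:
        return None
    header, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    return header if hmac.compare_digest(tag, header_tag(iv, key, header)) else None


IV = bytes(range(16))                       # constructed per-connection IV
KEY = b"constructed-shared-key-32-bytes!"  # constructed shared secret

if __name__ == "__main__":
    hdr = header_bytes("example.com", 443)
    sealed = seal_header(IV, KEY, hdr)
    print("genuine header accepted:", verify_header(IV, KEY, sealed) == hdr)
    # Change the destination port and keep the old tag: the kind of modification
    # a chosen-ciphertext attack relies on; the tag check rejects it.
    forged = sealed[:-TAG_LEN - 2] + struct.pack("!H", 22) + sealed[-TAG_LEN:]
    print("forged header accepted:", verify_header(IV, KEY, forged) is not None)
```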

random port: shadowsocks on a random range of ports

https://gist.github.com/suikatomoki/89b1221dab19f64ba2b3

On the remote ss server:


# ss-server side (assuming your server's ss port is already listening on port 23):
# ----------- begin --------------
iptables -t nat -A PREROUTING -p tcp -m multiport --dport 81:1023 -j REDIRECT --to-ports 23
iptables -t nat -A PREROUTING -p udp -m multiport --dport 81:1023 -j REDIRECT --to-ports 23
# the following two commands are optional
service iptables save
service iptables restart
# ----------- end --------------

On the local openwrt router:

# ss-redir local side (change 104.224.156.199 to your own server's IP):
# ----------- begin --------------
iptables -t nat -I OUTPUT 1 -d 104.224.156.199 -p tcp --dport 23 -j DNAT --to-destination 104.224.156.199:81-1023 --random
iptables -t nat -I OUTPUT 1 -d 104.224.156.199 -p udp --dport 23 -j DNAT --to-destination 104.224.156.199:81-1023 --random
# the following two commands are optional
service iptables save
service iptables restart
# openwrt
# /etc/init.d/firewall restart
# ----------- end --------------

Use the command iptables -t nat -L -n --line-numbers to check that the nat rules are in effect.

network optimize

TCP Fast Open: https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks


net-speeder: on an overseas VPS with high latency, net-speeder can be installed to speed the link up:

https://github.com/snooda/net-speeder

The net-speeder author's own explanation of how it works:

net-speeder, a network speed optimizer/accelerator (for high-latency, unstable links)


Because of the limit set by the speed of light, latency is fairly high (even if light travelled in a straight line, a round trip across the Pacific would take more than a hundred milliseconds). And because the distance is long, the route passes through many hops, and the network is congested, packet loss happens often.

For TCP, the most widely used protocol, after the sender sends a packet the receiver replies with an ACK to say it has received it; this mechanism is what guarantees reliability. But on a high-latency link, if the sender waited for an acknowledgement after every single packet, most of the time would be spent waiting for packets to arrive while the link sat idle. So a sliding window is generally used: until the window is full, the sender keeps sending packets, and when an acknowledgement arrives the acknowledged packets are removed from the window. This improves link utilization.

Another TCP feature is congestion control. When the sender detects packet loss on the link, it shrinks the window to slow down sending and avoid congestion. But on a link with many hops, as soon as one router is unstable and drops packets, the sender judges it to be congestion, and network speed suffers.

The simplest, crudest way to deal with packet loss is to send everything twice, that is, to send two copies of the same packet. Provided the server has enough bandwidth, the loss rate then drops quadratically.

The direct advantage of this approach is a lower loss rate; the direct disadvantage is double the traffic. A knock-on effect is that fast recovery is triggered more easily, which avoids the window shrinking too quickly on loss, and this can raise network speed to some degree.

I have been fairly busy lately, so in my spare time I wrote the simplest possible program; trials went very well. Testing on one VPS, single-thread downloads and ssh pipes ran at a dozen or so KB/s without it, and with it enabled they averaged 300 KB/s or more, a very noticeable effect. But for the kind of link that saturates the bandwidth without acceleration (multi-threaded downloads), enabling it halves the speed because of the extra useless traffic. So for multi-threaded or high-speed links this approach is not suitable.

The current version has the simplest possible logic; future versions will refine it (actively triggering fast recovery, fast retransmit, and so on) to reduce wasted traffic and improve the acceleration.

The program is currently named net-speeder. Compared with modifying the protocol stack, which requires rebuilding and upgrading the kernel, deploying a user-space program is more convenient, more stable, and more compatible. The downsides are somewhat higher performance overhead and less freedom. On balance, for personal use a user-space program is the better fit, especially inside virtual machines (OpenVZ, LXC and similar VMs cannot customize their kernel).

install: see the README.md on GitHub for the installation method; once compiled, run it in the background:


# /root/net-speeder-master/net_speeder venet0 "ip" 2>&1 >/dev/null &
# pgrep -af 'net_speeder venet0'
31263 /root/net-speeder-master/net_speeder venet0 ip

crontab: net_speeder crashes after running for a while, so a crontab entry was written to check for it and restart it automatically:

$ cat /root/net-speeder-master/net_speeder.cron.sh
#!/bin/bash
/bin/pgrep -af 'net_speeder venet0' || /root/net-speeder-master/net_speeder venet0 "ip" 2>&1 >/dev/null &

The crontab job runs every 15 minutes:

# crontab -l
MAILTO=''
*/15 * * * * bash /root/net-speeder-master/net_speeder.cron.sh

troubleshooting

ERROR: Failed to open DNS resolver socket: if IPv6 is disabled on the system but /etc/resolv.conf still lists IPv6 DNS addresses, the service fails to start:


# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 2001:4860:4860::8844
nameserver 2001:4860:4860::8888

# ss-server -c config.json
2016-12-28 01:47:39 INFO: using tcp fast open
2016-12-28 01:47:39 INFO: initializing ciphers... rc4-md5
2016-12-28 01:47:39 ERROR: Failed to open DNS resolver socket

IPv6 is already disabled on the system:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether x4:x1:x4:xa:6a:x0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever

Edit /etc/resolv.conf, restart the service, and test that it works again:

# cat /etc/resolv.conf
nameserver 8.8.8.8
# chattr +i /etc/resolv.conf

# ss-server -c config.json
2016-12-28 01:51:28 INFO: using tcp fast open
2016-12-28 01:51:28 INFO: initializing ciphers... rc4-md5
2016-12-28 01:51:28 INFO: tcp port reuse enabled
2016-12-28 01:51:28 INFO: listening at 192.168.1.100:10000
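The check that the troubleshooting session above performed by eye can be automated: parse resolv.conf, look at whether any interface actually has a usable IPv6 address, and flag the nameserver entries ss-server cannot open. This is an added example (my code, not the guide's); the resolv.conf and `ip a` texts are constructed to mirror the session above.

```python
"""Find the resolv.conf condition behind "Failed to open DNS resolver socket".

Added example, not part of the guide. ss-server resolves through the
nameservers listed in /etc/resolv.conf; when the host has no IPv6, an IPv6
nameserver entry cannot be opened. This parses resolv.conf, checks `ip a`
output for a global IPv6 address, reports the entries that cannot be used,
and produces the cleaned file text. Inputs are constructed.
"""
import ipaddress
import re

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")
INET6_RE = re.compile(r"^\s*inet6\s+(\S+)")


def nameservers(resolv_text):
    """Return the nameserver addresses in resolv.conf order (comments skipped)."""
    found = []
    for line in resolv_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def host_has_global_ipv6(ip_addr_text):
    """True if `ip a` output shows an inet6 address other than link-local or loopback."""
    for line in ip_addr_text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_interface(m.group(1)).ip
        except ValueError:
            continue
        if not (addr.is_link_local or addr.is_loopback):
            return True
    return False


def unusable_nameservers(resolv_text, ip_addr_text):
    """Entries ss-server cannot open: IPv6 servers on a host without IPv6, and non-addresses."""
    has_v6 = host_has_global_ipv6(ip_addr_text)
    bad = []
    for ns in nameservers(resolv_text):
        try:
            version = ipaddress.ip_address(ns.split("%")[0]).version  # strip a zone id
        except ValueError:
            bad.append(ns)          # resolv.conf only accepts IP addresses
            continue
        if version == 6 and not has_v6:
            bad.append(ns)
    return bad


def cleaned_resolv_conf(resolv_text, ip_addr_text):
    """resolv.conf text with the unusable nameserver lines dropped."""
    drop = set(unusable_nameservers(resolv_text, ip_addr_text))
    kept = []
    for line in resolv_text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m and m.group(1) in drop:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed inputs modelled on the guide's troubleshooting session.
RESOLV_CONF = ("nameserver 8.8.8.8\n"
               "nameserver 2001:4860:4860::8844\n"
               "nameserver 2001:4860:4860::8888\n")
IP_ADDR_NO_V6 = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
"""

if __name__ == "__main__":
    print("unusable:", unusable_nameservers(RESOLV_CONF, IP_ADDR_NO_V6))
    print(cleaned_resolv_conf(RESOLV_CONF, IP_ADDR_NO_V6), end="")
```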


HOW: speedtest

traceroute: install the BestTrace app on your phone to test the number of router hops to the circumvention node and draw them on a map:

1. hop count

2. map: whether the route takes a detour

Download

Official site: https://www.ipip.net/download.html

Windows / Mac OS X client

Android / iOS client

Google Play: https://play.google.com/store/apps/details?id=net.ipip.traceroute

Apple App Store: https://itunes.apple.com/cn/app/best-trace/id1026747589

The map below shows the route to a Singapore node:


Bandwidth

Is there anything more convincing than YouTube at 1080p? Simple, crude, and most effective:

https://youtu.be/UwsZmkrqXxE

Right-click the video and choose [Stats for nerds] (详细统计信息) to see the download rate.

iftop: on Linux, use the iftop command to monitor the bandwidth of the connection: sudo iftop -i wlan0 -B -F 45.67.89.0/24

-B shows bytes as the unit (the default is bits); -F filters on the given subnet.

Press capital P to pause the display, which makes the traffic figures easier to read:


Display paused             4KB           488KB          732KB          977KB         1.19MB
└─────────────┴──────────────┴──────────────┴──────────────┴──────────────
45.67.89.10           => fedora.lan              596KB   366KB   295KB
                      <=                        11.4KB  6.12KB  5.02KB
──────────────────────────────────────────────────────────────────────────
TX:             cum:   78.8MB   peak:   5       rates:   596KB   366KB   295KB
RX:                    1.63MB          11.4KB           11.4KB  6.12KB  5.02KB
TOTAL:                 80.4MB           607KB            607KB   373KB   300KB


HOW: shadowsocks client

The following sections cover the use of the shadowsocks client on each operating system:

Windows, Linux, Mac OS X, Android


shadowsocks on Windows

Note: do not use domestic Chinese browsers such as 360, Sogou, QQ and the like; they collect the URLs users visit and report them to the state (GFW).

Use an open-source browser such as Chrome or Firefox instead.

Download

shadowsocks GitHub release downloads:

https://github.com/shadowsocks/shadowsocks-windows/releases

Project master branch: https://github.com/shadowsocks/shadowsocks-windows/tree/master

Unzip Shadowsocks-X.X.X.zip to get the Shadowsocks.exe executable; it is portable, needs no installation, and runs directly.

.NET Framework dependency

shadowsocks versions after 3.3.3 depend on .NET Framework 4.6.2 or later.

If running it produces an error, download the .NET Framework 4.6.2 offline installer from Microsoft:

Microsoft .NET Framework 4.6.2 (Offline Installer) for Windows 7 SP1 ...

https://www.microsoft.com/en-us/download/details.aspx?id=53344

Version: 4.6.2

File Name: NDP462-KB3151800-x86-x64-AllOS-ENU.exe

File Size: 59.1 MB

Date Published: 2016-07-20

Installing .NET Framework 4.5.X / 4.6.X

https://msdn.microsoft.com/zh-cn/library/5a4x27ek(v=vs.110).aspx


hash check

Remember the lesson of XcodeGhost.

Every release on GitHub carries a checksum; the following is an older example based on 2.5.8.

GitHub provides hash values from 2.5.8 onward; below is the MD5 check of the 2.5.6 version that was downloaded earlier on Linux:

$ md5sum Shadowsocks-win-2.5.6.zip
78aa11456e6616b4f419f2f95ebd8efb  Shadowsocks-win-2.5.6.zip

$ md5sum Shadowsocks.exe
e8fed3539e5e0e1866a59c444265db57  Shadowsocks.exe

On Windows press Ctrl+R, run powershell, and verify with the CertUtil command:

PS C:\Users\SM> cd D:\soft

PS D:\soft> CertUtil -hashfile .\Shadowsocks-win-2.5.6.zip MD5
MD5 哈希(文件 .\Shadowsocks-win-2.5.6.zip):
78aa11456e6616b4f419f2f95ebd8efb
CertUtil: -hashfile 命令成功完成。

PS D:\soft> CertUtil -hashfile .\Shadowsocks.exe MD5
MD5 哈希(文件 .\Shadowsocks.exe):
e8fed3539e5e0e1866a59c444265db57
CertUtil: -hashfile 命令成功完成。

Hash algorithms supported by the CertUtil command: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

CertUtil -hashfile pathToFileToCheck [HashAlgorithm]

CertUtil -hashfile C:\TEMP\MyDataFile.img MD5
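The md5sum, md5 and CertUtil checks above compare a digest by eye. As an added example (my code, not the guide's and not part of shadowsocks), the following does the same check programmatically, with a constant-time comparison, support for the stronger algorithms CertUtil also offers (SHA-256 and up), and a parser for the `<hex>  <filename>` lines a release page or md5sum prints. The sample file contents and digests are constructed (the digests of the bytes "abc" are the well-known test vectors).

```python
"""Verify a downloaded release file against its published checksum.

Added example, not code from the guide or from the shadowsocks project.
Digests are computed in streaming fashion so large installers do not need
to be read into memory, compared in constant time, and accepted in either
case (CertUtil prints lower case, some release pages upper case).
"""
import hashlib
import hmac
import os
import tempfile

# Algorithm names a release page may publish; CertUtil supports the same set.
SUPPORTED = ("md5", "sha1", "sha256", "sha384", "sha512")


def _check_algorithm(algorithm):
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported hash algorithm: %s" % algorithm)


def digest_bytes(data, algorithm="sha256"):
    """Lowercase hex digest of an in-memory byte string."""
    _check_algorithm(algorithm)
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Lowercase hex digest of the file at `path`, read in chunks."""
    _check_algorithm(algorithm)
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(actual_hex, expected_hex):
    """Constant-time comparison after normalising case and stray spaces."""
    expected = expected_hex.strip().lower().replace(" ", "")
    return hmac.compare_digest(actual_hex.lower(), expected)


def verify_file(path, expected_hex, algorithm="sha256"):
    """True only if the file's digest equals the published one."""
    return matches(file_digest(path, algorithm), expected_hex)


def parse_checksum_line(line):
    """Parse one md5sum/sha256sum-style line '<hex>  <filename>' into (hex, filename).

    A leading '*' on the filename (binary mode marker) is dropped.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or not all(c in "0123456789abcdefABCDEF" for c in parts[0]):
        raise ValueError("not a checksum line: %r" % line)
    return parts[0].lower(), parts[1].lstrip("*")


def verify_sample_file(content, expected_hex, algorithm="sha256"):
    """Write constructed bytes to a temporary file, verify it, and clean up."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        return verify_file(path, expected_hex, algorithm)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded zip: the bytes "abc".
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print("sha256 ok:", verify_sample_file(b"abc", published))
    print("md5 ok:", verify_sample_file(b"abc", "900150983cd24fb0d6963f7d28e17f72", "md5"))
    print("tampered:", verify_sample_file(b"abd", published))
    print(parse_checksum_line("78aa11456e6616b4f419f2f95ebd8efb  Shadowsocks-win-2.5.6.zip"))
```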


HOWTO

1. Run shadowsocks
2. Configure the proxy server
3. Connect to the proxy server
4. Enable the system proxy
5. Browse beyond the wall
6. Update the local PAC file from GFWList

[Run] shadowsocks

Unzip the downloaded file:

The first run of Shadowsocks.exe automatically opens the "Edit Servers" window:


A paper-plane icon appears in the notification area:

Right-clicking the paper-plane icon opens the main menu:

[Configure] the proxy server

The shadowsocks server configuration file format:


{
    "server": "45.67.89.10",        ## server IP address
    "server_port": 37210,           ## server port
    "password": "V_VL_Fuck_GFW",    ## server password
    "method": "rc4-md5",            ## encryption method
    "timeout": 600,
    "fast_open": true,
    "local_port": 7070              ## local proxy port (the default 1080 is fine)
}

Fill in the corresponding client settings from the shadowsocks server configuration above:

shadowsocks server configuration     Windows client field
"server": "45.67.89.10"              Server IP address
"server_port": 37210                 Server port
"password": "V_VL_Fuck_GFW"          Password
"method": "rc4-md5"                  Encryption method
"local_port": 7070                   Local proxy port (leave unchanged; the default 1080 is fine)

[Connect] to the proxy server

After the settings are saved, the newly created server entry appears in the "Servers" menu:

Select that server entry in the menu; once a check mark [√] appears, the connection to the server has been established.


[Enable] the system proxy

Start the "system proxy": click [Enable System Proxy] in the main menu to connect through the remote server:

If the "system proxy" is not started, then after the previous step connected to the server, shadowsocks has only created a "SOCKS5 proxy".

The difference between the system proxy and the SOCKS5 proxy:

System proxy

All of the browser's requests are handled by the system proxy that shadowsocks creates.

By default the browser needs no settings and no proxy extension (Firefox excepted).

If a proxy extension is installed in the browser, disable it or set it to use the system proxy.

SOCKS5 proxy


If [Enable System Proxy] is not selected, then after shadowsocks connects to the server only a "SOCKS5 proxy" has been created.

The browser then needs a proxy extension, or its own proxy settings, to get past the wall.

[Test] getting past the wall

If the proxy works, open the Google home page and hit "I'm Feeling Lucky":

[Update] the PAC file

To update the PAC file, click "PAC" in the main menu and choose "Update Local PAC from GFWList":


Status and troubleshooting

Hovering the mouse over the notification-area icon shows the current proxy status:

If the proxy fails, choose "Edit Servers" in the "Servers" menu and re-check the configuration.


If a network timeout or interruption causes the proxy to fail, check the log for details and restart the proxy as appropriate:

security

hash check tools

Microsoft's own checksum tool, Microsoft File Checksum Integrity Verifier (fciv), was last updated 2012-08-22: https://www.microsoft.com/en-us/download/details.aspx?id=11533


[Image] Source: https://github.com/shadowsocks/shadowsocks-windows/issues/318

HashTab: view a file's hashes from the right-click Properties dialog:

http://implbits.com/products/hashtab/

version

Event: on 2015-08-22 the shadowsocks author deleted the project under pressure from the police:

http://www.solidot.org/story?sid=45231

The last version released by the original maintainer was 2.5.6; a discussion about whether to trust newer versions then appeared in a GitHub issue:

Can 2.5.7 and later versions be trusted?

https://github.com/shadowsocks/shadowsocks-windows/issues/318

For the obsessive: if you still have security concerns, upload the file to VirusTotal for a malware scan:

https://www.virustotal.com/


shadowsocks has now been updated to version 3.3.5; download and upgrade at your own discretion (2016-11-07).


HOW: Linux

shadowsocks on GNU/Linux: GNU/Linux users need a browser proxy extension to roam beyond the wall:

1. Install the shadowsocks-libev or python-shadowsocks package
2. Run ss-local -c ss.json to create a "SOCKS5 proxy"
3. Configure the browser proxy extension, then have fun...

Package              SS client command
shadowsocks-libev    ss-local -c ss.json
python-shadowsocks   sslocal -c ss.json

Browser proxy extensions

Firefox proxy extension: FoxyProxy Standard

https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/

Chrome proxy extension: Proxy SwitchyOmega

https://github.com/FelisCatus/SwitchyOmega/releases


shadowsocks on Mac OS X

Download

GitHub release downloads:

New Mac client: https://github.com/shadowsocks/ShadowsocksX-NG/releases/

Old Mac client: https://github.com/shadowsocks/shadowsocks-iOS/releases/

Old version 2.6.3 download: ShadowsocksX-2.6.3.dmg

The old version cannot update the PAC list (GFWList); for the manual workaround see issue 212:

https://github.com/shadowsocks/shadowsocks-iOS/issues/212

MD5 hash

Remember the lesson of XcodeGhost.

Open the Terminal app and use the md5 command to check the MD5 hash of the downloaded file:

$ md5 Downloads/ShadowsocksX-2.6.3.dmg
MD5 (Downloads/ShadowsocksX-2.6.3.dmg) = c3406e8d4a5009efaa74d3a37b53fed8

HOWTO

1. Run ShadowsocksX
2. Configure the proxy server
3. Connect to the proxy server
4. Enable the system proxy
5. Test getting past the wall
6. Update the PAC file from GFWList


[Run] ShadowsocksX

After ShadowsocksX starts, a "paper plane" icon appears in the menu bar.

The icon is grey by default, meaning the "system proxy" is not started.

[Edit] the proxy server

Click the "paper plane", choose the "Servers" menu, then click [Open Server Preferences]:

The "Server Preferences" window appears:


Fill in the corresponding client settings from the server configuration:

shadowsocks server configuration     Mac client field
"server": "45.67.89.10"              Server IP address
"server_port": 37210                 Server port
"password": "V_VL_Fuck_GFW"          Password
"method": "rc4-md5"                  Encryption method

[Connect] to the proxy server

Select the server entry created under the "Servers" menu; a check mark "√" means the connection to the proxy server has been established.

Once the connection is established, a "SOCKS5 proxy" is created; the command lsof -Pn -i4 | grep LISTEN shows its port.


[Enable] the system proxy

Click [Turn Shadowsocks On] on the second line of the "main menu" to start the "system proxy":

1. First line: system proxy status, showing "Off"

2. Second line: system proxy switch; by default the system proxy is not started (icon grey)

How the first line (proxy status) and second line (switch) of the "main menu" change before and after the "system proxy" is started:

Menu                          Before starting the proxy   After starting the proxy
menu bar icon colour          grey                        black
line 1: system proxy status   Shadowsocks: Off            Shadowsocks: On
line 2: proxy switch          Turn Shadowsocks On         Turn Shadowsocks Off

Before the "system proxy" is started:


After the "system proxy" is started:

Once the system proxy is running, the "paper plane" icon in the menu bar also turns black:

System proxy vs SOCKS5 proxy

The difference between the "system proxy" and the "SOCKS5 proxy":


System proxy

The "system proxy" created by shadowsocks automatically takes over all of the browser's requests.

By default the browser needs no settings and no proxy extension (Firefox excepted).

If a proxy extension is installed in the browser, disable it or set it to use the system proxy.

SOCKS5 proxy

If the system proxy is not [enabled], then after shadowsocks connects to the server only a "SOCKS5 proxy" has been created.

The browser then needs a proxy extension configured with the SOCKS5 port that shadowsocks created in order to get past the wall.

[Test] getting past the wall

If the system proxy is running, Google is reachable. If not, check that the "server configuration" is correct:


[Update] the PAC file

Finally, click "Update PAC from GFWList" in the main menu to refresh the circumvention list:

SOCKS5 proxy

Ports opened by the shadowsocks client on a Mac:

$ lsof -iTCP -sTCP:LISTEN -n -P
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
privoxy   526    i   3u  IPv4 0xa3a011e7      0t0  TCP 127.0.0.1:1087 (LISTEN)   ## system proxy
ss-local  537    i   5u  IPv4 0xa322b3d7      0t0  TCP 127.0.0.1:1086 (LISTEN)
Shadowsoc 759    i   4u  IPv4 0xa3f1dadf      0t0  TCP *:8090 (LISTEN)
Shadowsoc 759    i   9u  IPv4 0xa3a5aff7      0t0  TCP 127.0.0.1:1080 (LISTEN)   ## socks5 port

Use the command curl --socks5 127.0.0.1:1080 http://cip.cc to confirm that the SOCKS5 proxy is working:


$ curl --socks5 127.0.0.1:1080 http://cip.cc    ## through the socks5 proxy
IP      : 45.67.89.10
地址    : 美国 加利福尼亚
数据二  : 美国 | 洛杉矶
URL     : http://www.cip.cc/45.67.89.10

$ curl http://cip.cc
IP      : 111.20.83.57
地址    : 中国 北京
数据二  : 北京市 | 联通
URL     : http://www.cip.cc/111.20.83.57

Launch Chrome from the terminal with SOCKS5 proxy arguments:

open -a "Google Chrome" --args \
    --proxy-server="socks5://127.0.0.1:1080" \
    --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost"

You can then install the Proxy SwitchyOmega extension from the Web Store.

Local port

The "SOCKS5 proxy" port created by the old ShadowsocksX defaults to 1080:

$ grep 127 ~/.ShadowsocksX/gfwlist.js
var proxy = "SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT;";

The new ShadowsocksX-NG changed the default "SOCKS5 proxy" port to 1086; after upgrading, do not forget to change the port in the proxy extension to match:


$ cat "/Users/yourname/Library/Application Support/ShadowsocksX-NG/ss-local-config.json"
{
    "method": "rc4-md5",
    "server": "IP",
    "password": "...",
    "local_address": "127.0.0.1",
    "server_port": ...,
    "auth": false,
    "timeout": 60,
    "local_port": 1086
}

You can also edit the ~/.ShadowsocksX/gfwlist.js configuration file to customize the "SOCKS5 proxy" port.


Using the shadowsocks-android client

Download

shadowsocks-android is an open-source app; the APK can be downloaded from GitHub:

https://github.com/shadowsocks/shadowsocks-android/releases

Google Play:

https://play.google.com/store/apps/details?id=com.github.shadowsocks

Settings

Tap [Profiles], create a new profile, and change the four fields in the table below according to the server configuration:

shadowsocks server configuration     Android client field
"server": "45.67.89.10"              [Server]
"server_port": 37210                 [Remote port]
"password": "V_VL_Fuck_GFW"          [Password]
"method": "rc4-md5"                  [Encrypt method]

The [Local port] field can stay at its default.


After the settings are done, tap the [plane] icon in the top right corner; once connected to the server:

1. the icon turns [green]

2. a [key] icon appears in the phone's notification bar


Recommended iOS proxy app: Wingy, which is free, simple to configure and full-featured.

Wingy developer's Twitter account: https://twitter.com/HelloWingy

Wingy is a network tool built on NEKit: https://zhuhaow.github.io/NEKit/

Download

There are currently 2 versions, aimed at different iOS versions; download the right one according to the app's compatibility description:

iOS version   Developer       App download link
iOS 9.3+      wangxiaojun     https://itunes.apple.com/cn/app/id1148026741
iOS 10.0+     SMART LIMITED   https://itunes.apple.com/cn/app/id1178584911

The first app (blue icon) targets iOS 9.3 and its developer is wangxiaojun; the second (purple icon) targets iOS 10.0 and its developer is SMART LIMITED.


Add a proxy

After installing, open the app and tap the plus sign [+] in the top right corner to add a proxy configuration; choose [Shadowsocks(R)] as the proxy type:


Configure shadowsocks: fill in the configuration from your shadowsocks account details; note that the proxy mode should be [Global proxy mode]:


Create the VPN configuration

After saving the proxy configuration, tap Wingy's on/off switch.

On the first start a dialog asks whether to allow the app to add a VPN configuration under [Settings]: tap "Allow" (on the left).


It then switches automatically to [Settings] > [VPN] and prompts for your unlock passcode as a second confirmation.

On success, the VPN configuration created by Wingy appears under [Settings] > [VPN]:


After the connection to the server succeeds, Wingy's switch shows connected and a VPN icon appears in the status bar:


Now you can roam beyond the wall:


Add a widget: Wingy can add a widget that acts as a quick "switch" to turn the proxy on or off:


PotatsoAPPStore:https://itunes.apple.com/app/apple-store/id1070901416

https://potatso.com/

https://manual.potatso.com/

https://github.com/shadowsocks/Potatso

MumeVPN基于Potatso开发的Shadowsocks协议VPN客户端

APPStore:https://itunes.apple.com/cn/app/mume-vpn/id1144787928

https://github.com/liruqi/Mume-iOS

http://vpn.liruqi.info/ios/

http://api.liruqi.info/

http://mume.site/

iOS

66

PAC proxy mode

The circumvention mechanism is simple: blocked sites are reached through the SOCKS5 proxy that shadowsocks creates.

Proxy modes

Once shadowsocks has connected to the proxy server it creates a local SOCKS5 proxy at 127.0.0.1:1080.

The "system proxy" is a feature the shadowsocks client implements on top of that SOCKS5 proxy: it points the operating system's proxy settings at it.

The system proxy supports two modes:

1. Automatic proxy mode (PAC mode, the default)
2. Global proxy mode

PAC proxy mode

PAC on Wikipedia: http://zh.wikipedia.org/zh/PAC

By default, enabling the system proxy puts shadowsocks in PAC mode.

In PAC mode, each URL the browser requests is matched against the rule list in the PAC file pac.txt. If a rule matches, the request goes through the SOCKS5 proxy; otherwise the browser connects directly. This saves proxy traffic and keeps domestic sites fast, since otherwise every request would detour through the foreign proxy and back. Note that the decision is made per request by the browser, so only applications that honour the system proxy settings are covered; anything that ignores them connects directly.

Global proxy mode

In global mode every request goes through the SOCKS5 proxy, so domestic sites are routed out to the foreign server and back again, a pointless detour. When a site is not covered by the PAC rule list, switch global mode on temporarily to reach it.

Menu options

On Windows, click "System Proxy Mode" in the main menu to see the current mode:

On Mac OS X, click the paper-plane icon; "Auto Proxy Mode" in the main menu is PAC mode:

Editing PAC rules

After the PAC rules are synced from GFWList, a local PAC file is generated:

System      PAC file path
Windows     pac.txt (in the same directory as Shadowsocks.exe)
Mac OS X    ~/.ShadowsocksX/gfwlist.js

Choose "Edit User Rules for GFWList" in the menu to add custom matching rules:

HOW: browser proxy extensions

The shadowsocks client offers two proxy options:

Proxy type      Proxy mode
SOCKS5 proxy    SOCKS5 (keeps running even after the system proxy is switched off)
System proxy    PAC (automatic proxy mode) or global (global proxy mode)

With the system proxy enabled, IE and Chrome need no extension: by default they follow the system proxy settings, so they already go through the system proxy that shadowsocks configures. When you rely on the system proxy, disable any browser proxy extension or set it to use the system proxy, otherwise the two fight over the browser's proxy settings.

If you prefer a browser proxy extension, switch off the shadowsocks system proxy and configure the extension to use the SOCKS5 proxy that shadowsocks creates.

Firefox: the FoxyProxy extension with a GFWList subscription for automatic proxying

With Firefox + FoxyProxy you can switch off the shadowsocks system proxy and use only its SOCKS5 proxy:

Set Firefox's network connection to "No proxy", so that FoxyProxy alone manages proxies:

Advanced > Network > Connection > Settings

Install the FoxyProxy extension:

Open the FoxyProxy options and click the "Add New Proxy" button on the right:

On the "General" tab of the new proxy, set:

Option                                  Step
Proxy Name                              Any name; "shadowsocks" is used here
Icon colour when this proxy is in use   Change it, so you can tell at a glance which proxy is active

On the "Proxy Details" tab, set:

Option              Step
Host or IP Address  127.0.0.1
Port                1080
SOCKS proxy         SOCKS v5

With the proxy defined, open FoxyProxy's "Pattern Subscriptions" tab, click the "Go" button at the bottom right and create a new subscription:

Option             Step
Subscription Name  GFWlist
Subscription URL   https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt
Proxy Servers      Click "Add Proxy Server" and select the shadowsocks proxy created above
Refresh Rate       960 minutes (16 hours)
Format             AutoProxy
Obfuscation        Base64


Finally change the working mode ("Select Mode") to "Use proxies based on their pre-defined patterns and priorities"; Firefox then proxies automatically whenever a GFWlist rule matches:


Illustrated tutorials for reference:

Firefox + SS circumvention setup (Firefox + FoxyProxy + Shadowsocks)

Using the Firefox extension FoxyProxy

Configuring Firefox to use a shadowsocks service: FoxyProxy on Firefox

Chrome

Chrome proxy extension: Proxy SwitchyOmega

https://github.com/FelisCatus/SwitchyOmega/releases

HOWTO

1. Install the extension from the Chrome Web Store (this already needs a working tunnel)
2. Configure the SOCKS5 proxy server
3. Configure the GFWlist rule download, so that the extension proxies automatically by rule

Step one is fetching Proxy SwitchyOmega from the Chrome Web Store:

https://chrome.google.com/webstore/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif

Alternatively, start Chrome from the command line so that all of its traffic goes through the SOCKS5 proxy ("Forcing Chrome to Use Socks5 Proxy"):

    google-chrome --proxy-server="socks5://127.0.0.1:1080" \
        --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost"

The --host-resolver-rules part is not decoration: it maps every name to 0.0.0.0 so that Chrome does not resolve hostnames through the local DNS resolver but hands them to the SOCKS5 proxy to resolve remotely, which is what keeps DNS lookups from leaking outside the tunnel.

Once Proxy SwitchyOmega is installed, click its icon and choose "Options":

Edit the "proxy" profile under "Profiles":

Proxy server option   Setting
Protocol              SOCKS5
Server                127.0.0.1
Port                  1080

Click "Apply changes" to save.

Next edit the "auto switch" profile:

Option                Step
Switch rules          Requests matching the rule list use the "proxy" profile; the default profile is "Direct"
Rule list format      Select AutoProxy
Rule list URL         https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt
Download profile now  Click the button to fetch gfwlist

Click "Apply changes" again to save.

Click the extension icon and pick "auto switch"; the browser now proxies automatically whenever a GFWlist rule matches:

Profile       Proxy mode
proxy         Global: every request goes through the SOCKS5 proxy
auto switch   Automatic: requests are proxied according to the GFWlist rules

Illustrated tutorials for reference:

Circumvention: fixing sites that stop loading after using a proxy (Shadowsocks)

Shadowsocks circumvention

Shadowsocks with SwitchyOmega
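The PAC file that shadowsocks generates, the FoxyProxy subscription and SwitchyOmega's "auto switch" profile all apply the same AutoProxy rule syntax that gfwlist.txt uses: base64-encoded text containing `||domain` rules (domain and subdomains, any scheme), `|http://...` prefix rules, `/regex/` rules, bare keywords that match only http:// URLs, and `@@` exceptions that force a direct connection. The following is an added example, not code from this guide, from shadowsocks or from either extension, that decodes a constructed list in that format and returns the same per-URL decision PAC mode makes: the SOCKS5 proxy at 127.0.0.1:1080 or DIRECT. The sample rules are made up for the demonstration and are not the real gfwlist.

```python
import base64
import re
from urllib.parse import urlsplit

PROXY = "SOCKS5 127.0.0.1:1080"   # what the shadowsocks PAC returns for a match
DIRECT = "DIRECT"

# Constructed sample in gfwlist's AutoProxy format (not the real list).
SAMPLE_LIST = r"""[AutoProxy 0.2.9]
! constructed rules for the example
||google.com
||example.net
@@||static.example.net
|http://example.org/blocked
/^https?:\/\/[^\/]+\.blogspot\./
keyword-in-url
"""
# gfwlist.txt is published base64-encoded, so the example starts from that form.
SAMPLE_B64 = base64.b64encode(SAMPLE_LIST.encode()).decode()


class AutoProxyRules:
    """Parse AutoProxy rules and decide proxy vs. direct per URL."""

    def __init__(self, text):
        self.proxy_rules = []
        self.direct_rules = []
        for line in text.splitlines():
            line = line.strip()
            if not line or line[0] in "![":      # comment or header line
                continue
            bucket = self.proxy_rules
            if line.startswith("@@"):            # exception: never proxy
                bucket = self.direct_rules
                line = line[2:]
            bucket.append(self._compile(line))

    @classmethod
    def from_base64(cls, b64text):
        return cls(base64.b64decode(b64text).decode("utf-8"))

    @staticmethod
    def _compile(rule):
        if rule.startswith("||"):                # domain and all subdomains, any scheme
            return ("domain", rule[2:].rstrip("/").lower())
        if rule.startswith("|"):                 # anchored at the start of the URL
            return ("prefix", rule[1:])
        if len(rule) > 2 and rule[0] == rule[-1] == "/":
            return ("regex", re.compile(rule[1:-1]))
        return ("keyword", rule)                 # substring match, http:// URLs only

    @staticmethod
    def _matches(compiled, url, host):
        kind, value = compiled
        if kind == "domain":
            return host == value or host.endswith("." + value)
        if kind == "prefix":
            return url.startswith(value)
        if kind == "regex":
            return value.search(url) is not None
        return url.startswith("http://") and value in url

    def decide(self, url):
        host = (urlsplit(url).hostname or "").lower()
        if any(self._matches(r, url, host) for r in self.direct_rules):
            return DIRECT                        # exceptions win over proxy rules
        if any(self._matches(r, url, host) for r in self.proxy_rules):
            return PROXY
        return DIRECT                            # unmatched: direct, as in PAC mode


if __name__ == "__main__":
    rules = AutoProxyRules.from_base64(SAMPLE_B64)
    for u in ("https://www.google.com/", "https://static.example.net/app.js",
              "http://example.org/blocked/page", "https://www.baidu.com/"):
        print(u, "->", rules.decide(u))
```

The keyword case is the one that surprises people: a bare keyword rule never matches an https:// URL, so a site that is only listed that way still goes DIRECT over HTTPS and fails to load; the "Edit User Rules" menu above, with a `||domain` rule, is the fix.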

KCPTUN

https://github.com/xtaci/kcptun

option

kcptun's parameters all come from the original KCP protocol: https://github.com/skywind3000/kcp

Working mode:

    int ikcp_nodelay(ikcpcb *kcp, int nodelay, int interval, int resend, int nc);

Parameter   Effect
nodelay     whether nodelay mode is on: 0 off, 1 on
interval    the protocol's internal clock interval in milliseconds, e.g. 10 ms or 20 ms
resend      fast retransmit mode, default 0 (off); 2 means a segment is retransmitted as soon as 2 later ACKs have skipped over it
nc          whether to disable flow control: 0 keep it (default), 1 disable it

normal mode: ikcp_nodelay(kcp, 0, 40, 0, 0)
fast mode:   ikcp_nodelay(kcp, 1, 10, 2, 1)

Maximum window:

    int ikcp_wndsize(ikcpcb *kcp, int sndwnd, int rcvwnd);

This call sets the protocol's maximum send and receive windows (default 32). Think of TCP's SND_BUF and RCV_BUF, except for the unit: SND/RCV_BUF are in bytes, these windows are in packets.

Parameters that must match on server and client   Meaning
--crypt        encryption algorithm
--key          key
--nocomp       disable data compression
--datashard    forward error correction (data shards)
--parityshard  forward error correction (parity shards)

All other parameters can be set independently on each side.

https://github.com/xtaci/kcptun/issues/342

--nodelay=0 waits a little longer; how much longer? 1/8 of an RTT.

nodelay controls whether to wait a bit more before a timeout retransmission. interval is the timeout-retransmission interval and has nothing to do with the fast retransmission controlled by resend below. resend only controls fast retransmission: a segment that has been skipped resend times is retransmitted at once, without waiting for the interval to expire. With the parameters 030001, RepeatSegs dropped noticeably. If interval and repeat were related, fastresend would be the prime suspect, since it is the only one not governed by time.

I have always kept nodelay off; it feels too aggressive and keeps breaking through the window threshold. interval is presumably tied to the design intent (flow rate, volume); another poster in a different thread raised the same point: too large an interval makes the throughput curve unstable, which is clearly visible in RouterOS, e.g. with a 20M cap it may jump between 5M, 10M and 20M, whereas a small interval stays pressed against the cap. It feels like a single transfer versus many transfers.

FEC (forward error correction)

Set -datashard n and -parityshard m on both ends. Combinations used in practice:

1. fast + FEC(5,5)
2. fast2 + FEC(10,3)
3. fast2 + FEC(0,0)

Note: for FEC to work well, set parityshard/(parityshard+datashard) > packet loss, e.g. 5/(5+5) > 30%.

Window tuning

A simple self-tuning method:

Step 1: gradually raise the CLIENT's rcvwnd and the SERVER's sndwnd together.

Step 2: try a download and watch bandwidth utilisation (on both server and client); stop when it approaches the physical bandwidth, otherwise go back to step 1.

Calculating bandwidth

Without packet loss, at most --rcvwnd packets are in flight towards you at any time. With an average packet size avgsize:

    network_cap = rcvwnd * avgsize

Dividing that by the ping time rtt gives the maximum bandwidth:

    max_bandwidth = network_cap / rtt = rcvwnd * avgsize / rtt

For example, with rcvwnd = 1024, avgsize = 1 KB and rtt = 400 ms:

    max_bandwidth = 1024 * 1 KB / 400 ms = 2.5 MB/s ~= 25 Mbps

Note: the calculation above does not include the forward-error-correction data.

FEC adds a fixed proportion on top of the maximum bandwidth:

    max_bandwidth_fec = max_bandwidth * (datashard + parityshard) / datashard

For example, with datashard = 10 and parityshard = 3:

    max_bandwidth_fec = max_bandwidth * (10 + 3) / 10 = 1.3 * max_bandwidth = 1.3 * 25 Mbps = 32.5 Mbps

Traffic consumption more than 5x

https://github.com/xtaci/kcptun/issues/91

1. The ISP drops UDP heavily, e.g. 50%
2. The server's or client's own bandwidth is low; lower sndwnd/rcvwnd accordingly
3. Try the -dscp 46 parameter to reduce loss

The default FEC parameters alone add about 30% (adjustable); the KCP header adds about 5% on average (not adjustable); add packet loss, and 2x is still normal.

Most likely sndwnd/rcvwnd are too high. Lower the client to 128 first, then raise it step by step while watching.

Server: -mtu 1350 -crypt none -nocomp -dscp 46 -sndwnd 1024 -rcvwnd 1024 -mode fast2

Client: -crypt none -mtu 1350 -sndwnd 32 -rcvwnd 128 -mode fast2 -dscp 46 -nocomp

100M is certainly oversold; you will never actually get it, otherwise there would not be this much retransmission.

Why lower the client's rcvwnd? I think the server's sndwnd is what should be lowered to regulate speed; the client's rcvwnd should stay large and accept whatever the server sends.

If the bandwidth is not there, do not use large windows; live within your means.

https://github.com/xtaci/kcp-go/blob/master/kcp.go#L657 takes the smaller of the two

My configuration

    server --crypt none --mtu 1400 --sndwnd 2048 --rcvwnd 2048 -dscp 46 -mode fast2
    client --crypt none --mtu 1400 --sndwnd 128 --rcvwnd 512 -dscp 46 -mode fast2

Actual traffic consumption is under 2x.

With -datashard 0 -parityshard 0 on both ends it goes lower still, but responses get slower; it depends on what you can accept.

Manual parameter tuning, discussed in

https://github.com/xtaci/kcptun/issues/137

Strategy 1: timeout retransmission + fast retransmission, responsiveness first (minimise response time):

    -mode manual -nodelay 1 -resend 2 -nc 1 -interval 20

Strategy 2: timeout retransmission only, bandwidth efficiency first (payload ratio first):

    -mode manual -nodelay 1 -resend 0 -nc 1 -interval 40

or

    -mode manual -nodelay 0 -resend 0 -nc 1 -interval 20

Strategy 3: rely on FEC erasure correction as far as possible, maximise throughput (recommended):

    -mode fast -datashard 5 -parityshard 5

Responsiveness, throughput and payload ratio are a seesaw. Take responsiveness: after a packet is sent, how do you decide whether the other side got it? Do you retransmit as soon as one RTT passes with no ACK, or wait a bit longer? The true state is never known. -nodelay 1 means "don't wait any longer"; if the ACK then turns up slightly late, you have sent an extra packet. -nodelay 0 means "you have already waited an RTT, wait a bit more"; if it still does not arrive, that time was wasted, the response is slower and overall speed drags. Optimist or pessimist?

According to Shannon's theorem:

1. Channel capacity is determined by bandwidth and signal-to-noise ratio; raising either raises capacity.
2. For a given required capacity, a higher SNR lowers the bandwidth needed, and more bandwidth lowers the SNR needed.
3. Shannon's formula gives the upper limit of channel capacity: a real single channel cannot exceed it, only approach it. With convolutional coding, real capacity is still 3 dB short of the Shannon limit; with Turbo coding it comes close.

Translated to our situation:

1. High packet loss == high noise.
2. At a fixed loss rate, more sending bandwidth == higher delivery success (e.g. through FEC); at a fixed bandwidth, lower loss == higher delivery success (e.g. through DSCP).

Strategy 1 says: I pessimistically assume that a packet past one RTT is most likely lost, and resend it as fast as possible by every means. Strategy 3 says: I assume my parity packets can rebuild whatever was lost; with 2 parity packets per 5 data packets, any uniform loss rate below 2/7 (< 28%) is guaranteed to be recovered without any retransmission.

Strategy 1 suits bursty, query-like traffic such as web browsing; strategy 2 is middle of the road; strategy 3 suits video streams.

200 Mbps China Unicom line, Vultr Japan, ping 136 ms, about 30% UDP loss:

    server -mode manual -nodelay 0 -resend 0 -nc 1 -interval 40 -dscp 46 -nocomp -mtu 1400 -crypt aes-128 -datashard 70 -parityshard 30
    client -mode manual -nodelay 0 -resend 0 -nc 1 -interval 40 -nocomp -dscp 46 -mtu 1400 -crypt aes-128 -datashard 70 -parityshard 30

Another question: what is the difference between --datashard 70 --parityshard 30 and --datashard 7 --parityshard 3?

Answer:

1. If loss is completely random (uniform in time), there is no difference; they are equivalent.
2. If loss is bursty, they differ: the 70/30 configuration is more likely to recover the data, whereas a 7/3 group can easily lose everything and become unrecoverable.

Would you rather lose 30% overall across the big 70+30 span, or across the small 7+3 span? Only trying will tell...

FEC is ideal for large file transfers, e.g. sending an 8K film by satellite to cinemas; it corresponds to a fast.com speed test.

For bursty, interactive, exploratory requests, fast retransmission fits better; that corresponds to web pages.

For YouTube-style traffic, once past the initial 70+30 it gradually speeds up.

If you want both speed and burst-friendliness, the only way is to pay with bandwidth.

On x86 the default aes (AES-256) is recommended; if performance is lacking, consider aes-192 or aes-128. Other platforms can consider blowfish, cast5 or twofish; if performance is still lacking, tea or salsa20.

Also, if the payload is already encrypted, salsa20 is sufficient.

https://github.com/xtaci/kcptun/issues/353

The default KCP protocol backs off once per loss; the more losses, the longer the wait, and that back-off is necessary. Given a 30 s timeout,

    rtt * (1 + 2 + 4 + 8 ...) > 30 s

is the disconnection time.

https://github.com/xtaci/kcptun/issues/342

It can't be explained in a sentence or two:

fastretrans: fast retransmission, triggered by out-of-order packets with a loss in the middle; fastack, fastresend.

earlyretrans: no further packets to send, so the fast-retransmission threshold cannot be triggered; the retransmission used instead, cf. Tail Loss Probe.

lostseg: none of the above applies and the packet still has not arrived after the timeout; the resulting retransmission.

    retranssegs := fast + early + lost

On low-loss networks consider switching FEC off

https://github.com/xtaci/kcptun/issues/358

Analysis of stalls and how to fix them

https://github.com/xtaci/kcptun/issues/353

If you are not sensitive to traffic volume and the client is fast enough, always configure FEC; for networks that misbehave from time to time, FEC is good medicine. I normally use FEC(30,15) now and switch to FEC(5,5) when things get really bad; that is basically stable. FEC(0,0) is indeed faster and lighter when the network is good, but needs readjusting almost every evening peak, which is too much hassle.

https://github.com/skywind3000/kcp/wiki

https://github.com/xtaci/kcptun/issues/288

    start-stop-daemon -S -q -b -m -p /tmp/var/kcp.pid -x /koolshare/bin/client_linux_arm5 -- \
        -l 127.0.0.1:1091 -r $ss_basic_server:$ss_basic_kcp_port $ss_basic_kcp_parameter

Feedback: a simple tuning method, for anyone who needs it

https://github.com/xtaci/kcptun/issues/214

Download: the client's rcvwnd (receive) is what matters; here it is set to 256.

Upload: the client's send window sndwnd is simpler; it is usually a fixed ratio, e.g. upload is 1/3 of download.

In fact the window size is equivalent to TCP's sndbuf/rcvbuf: it decides the maximum amount of data that can be in flight at once:

    max usable bandwidth = min(send window, remote receive window) / rtt

Solved the QoS type "drop large packets" issue: the default is to drop at 50, small packets at 10. Anyone with the same trouble can try it. I had always gone with dropping small packets or none at all; today I put in 100 on a whim and it solved the problem.

On the rcvwnd and sndwnd parameters

https://github.com/xtaci/kcptun/issues/409

RTT latency usually reflects congestion; keeping wnd unchanged is the more altruistic choice, especially on shared broadband.
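The window and FEC arithmetic scattered over the preceding pages (max_bandwidth = rcvwnd * avgsize / rtt, the FEC overhead factor (datashard + parityshard) / datashard, the rule of thumb parityshard/(parityshard+datashard) > loss, min(sndwnd, remote rcvwnd) / rtt, and the rtt*(1+2+4+...) > 30 s back-off) is collected below as an added example in Python; it is not code from kcptun or from this guide. Computed exactly, the 1024-packet, 1 KB, 400 ms case gives 2.5 MiB/s, which is about 21 Mbps rather than the 25 Mbps quoted above, so the 32.5 Mbps FEC figure is equally rough; the functions below convert with 8 bits per byte. The numbers passed in are the examples from the text.

```python
def max_bandwidth_bps(rcvwnd, avgsize_bytes, rtt_s):
    """Loss-free ceiling: rcvwnd packets of avgsize bytes per round trip."""
    return rcvwnd * avgsize_bytes * 8 / rtt_s


def window_bound_bps(sndwnd, remote_rcvwnd, avgsize_bytes, rtt_s):
    """The effective window is the smaller of the local send window and the
    remote receive window (kcp-go takes the minimum), so the usable bandwidth
    is min(sndwnd, remote rcvwnd) / rtt."""
    return min(sndwnd, remote_rcvwnd) * avgsize_bytes * 8 / rtt_s


def fec_overhead_factor(datashard, parityshard):
    """Wire bytes per payload byte added by FEC: (data + parity) / data."""
    if datashard == 0:
        return 1.0                      # FEC(0,0): no parity shards, no overhead
    return (datashard + parityshard) / datashard


def fec_tolerates_loss(datashard, parityshard, loss_rate):
    """Rule of thumb from the text: parity/(data+parity) must exceed the loss rate."""
    total = datashard + parityshard
    return total > 0 and parityshard / total > loss_rate


def losses_before_timeout(rtt_s, timeout_s=30.0):
    """KCP doubles its wait after each consecutive loss; the session is dead
    once rtt*(1+2+4+...) exceeds the timeout. Returns that number of losses."""
    waited, step, losses = 0.0, rtt_s, 0
    while waited <= timeout_s:
        waited += step
        step *= 2
        losses += 1
    return losses


def plan(rcvwnd, avgsize_bytes, rtt_s, datashard, parityshard, loss_rate):
    """Summarise one parameter set the way you would when tuning by hand."""
    ceiling = max_bandwidth_bps(rcvwnd, avgsize_bytes, rtt_s)
    return {
        "payload_mbps": ceiling / 1e6,
        "wire_mbps_with_fec": ceiling * fec_overhead_factor(datashard, parityshard) / 1e6,
        "fec_covers_loss": fec_tolerates_loss(datashard, parityshard, loss_rate),
        "losses_to_disconnect": losses_before_timeout(rtt_s),
    }


if __name__ == "__main__":
    # the text's example: rcvwnd 1024, 1 KB packets, 400 ms, FEC(10,3), 30% loss
    for k, v in plan(1024, 1024, 0.4, 10, 3, 0.30).items():
        print(f"{k}: {v}")
    # the Vultr Japan line quoted above: 136 ms RTT, FEC(70,30), 30% loss
    print(plan(512, 1024, 0.136, 70, 30, 0.30))
```

Note what the FEC(10,3) case returns: the 30% loss that the Vultr line reports is more than the 3/13 (23%) that FEC(10,3) can absorb, which is exactly why the quoted configurations for that line move to FEC(70,30) or FEC(5,5).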

troubleshoot

session scavenged (client), session scavenged (server), broken pipe: https://github.com/xtaci/kcptun/issues/277

Server not responding: https://github.com/xtaci/kcptun/issues/210

Open UDP in the firewall (kcptun runs over UDP, so a TCP-only rule for the port is not enough):

    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    iptables -I INPUT -p udp -m udp --dport 443 -j ACCEPT

Gradually reduce these three parameters on both client and server:

    --rcvwnd 1024 --sndwnd 1024 --mtu 500

KCP occasionally disconnects after running for a while {pseudo-solution}: https://github.com/xtaci/kcptun/issues/228

Large UDP flows get the ISP to automatically cut the IP's UDP connections

Try lowering MTU=512 on both server and client.

UDP cannot be batch-tested with nmap, since UDP has no three-way handshake and so there is no Server --> Client return packet; only an echo server can be used to test a single port by hand.

Port randomisation scheme: https://gist.github.com/suikatomoki/89b1221dab19f64ba2b3

Note that this does not randomise the port per packet, but per connection.

client:

    iptables -t nat -I OUTPUT -d <vps_ip> -p udp --dport <kcp_server_port> -j DNAT --to-destination <vps_ip>:4000-5000 --random

server:

    iptables -t nat -A PREROUTING -p udp -m multiport --dport 4000:5000 -j REDIRECT --to-ports <kcp_server_port>

It kept dropping, so I used the random-port scheme above, but found that what gets blocked is not the server's UDP but UDP in and out of the broadband line itself; redialling for a new IP restores the connection.

UDP upstream is intermittently blocked while downstream passes.

The blocking strategy has changed to blocking UDP downstream; upstream is not blocked.

Could it be the router itself, e.g. this parameter being too small?

    net.core.rmem_max=26214400

Did a "set socket buffer" error appear at startup?

kcptun-raw uses raw sockets and libev to talk to the remote end with fake TCP segments. It reimplements kcptun's most basic function (no encryption or error correction yet, still in testing); only one program is needed, there is no separate UDP-over-TCP tunnel to set up, and it does not "stick" as easily.

https://github.com/Chion82/kcptun-raw

To mitigate UDP throttling by some ISPs, a simplified kcptun was implemented by forging TCP segments. The client and server processes communicate directly with IP packets carrying fake TCP headers, built with raw sockets; iptables is needed to bypass the kernel protocol stack.

https://github.com/xtaci/kcptun/issues/391

That is the ISP blocking UDP. Carriers in some regions like to block UDP (cutting it off as soon as the volume grows); many issues have already reported this.

Stalls in the last two days (small MTU?): https://github.com/xtaci/kcptun/issues/218

dante

http://www.inet.no/dante/

Dante is a simple SOCKS proxy server; it can also act as a transparent proxy and is easy to configure.

2017-02-06: Dante 1.4.2 is now available. This is a maintenance release with various bugfixes and no new server features.

http://www.inet.no/dante/announce-1.4.2

On Linux, the dante-1.4.2 release from 2017 only fixed the build error caused by CFLAGS:

    configure check 'prototypes' FAILED with CFLAGS '-grecord-gcc-switches'

The other patches from before are still needed :-(

rpmbuild

Install the rpmbuild environment and dante's build dependencies:

    yum install -y autoconf automake binutils gcc make rpm-build rpmdevtools
    yum install -y bison flex glibc-devel libtool pam-devel

patch

Building from source needs three changes:

1. the socksify environment-variable patch
2. the HAVE_SENDBUF_IOCTL patch
3. the AM_CONFIG_HEADER macro upgrade

patch1 fixes the socksify environment variable; without it, installing the rpm fails with a missing libsocks.so.0 dependency:

    # rpm -ivh dante-1.4.2-1.el7.centos.x86_64.rpm
    error: Failed dependencies:
            libsocks.so.0()(64bit) is needed by dante-1.4.2-1.el7.centos.x86_64

The patch file follows the Gentoo ebuild patch:

https://gitweb.gentoo.org/repo/gentoo.git/tree/net-proxy/dante/files/dante-1.4.0-socksify.patch

patch2 modifies HAVE_SENDBUF_IOCTL, following the Gentoo and SUSE patches:

https://gitweb.gentoo.org/repo/gentoo.git/tree/net-proxy/dante/files/dante-1.4.0-HAVE_SENDBUF_IOCTL.patch

https://build.opensuse.org/package/view_file/server:proxy/dante/dante-1.4.0-sendbuf_macro.patch

patch3: autoconf has deprecated the AM_CONFIG_HEADER macro; replace it with AC_CONFIG_HEADERS:

    error: 'AM_CONFIG_HEADER': this macro is obsolete.
    You should use the 'AC_CONFIG_HEADERS' macro instead.

The openSUSE spec does it like this:

https://build.opensuse.org/package/view_file/server:proxy/dante/dante.spec

    touch acinclude.m4
    sed -i -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:' configure.ac
    autoreconf --force --install --verbose

and the Gentoo ebuild like this:

https://gitweb.gentoo.org/repo/gentoo.git/tree/net-proxy/dante/dante-1.4.1-r1.ebuild

    sed -i -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:' configure.ac

configure

Based on the trimmed-down parameters from the official site and the Gentoo and SUSE packaging, the final configure line is:

    %configure --disable-static --enable-shared --with-pic --with-libc=$DANTE_LIBC \
        --enable-preload --enable-clientdl --enable-serverdl --enable-drt-fallback \
        --without-gssapi --without-libwrap --without-upnp --without-glibc-secure \
        --sysconfdir=/etc/dante --with-socks-conf=/etc/dante/socks.conf \
        --with-sockd-conf=/etc/dante/sockd.conf

The official "Prod" binaries are built mainly for use as a SOCKS proxy, with the extensions left out:

https://www.inet.no/dante/sslfiles/binaries.html

    --without-gssapi
    --without-upnp     (UPnP support disabled)
    --without-libwrap  (libwrap support disabled)

The dante.spec shipped in the source tarball (dante-1.4.2/SPECS/dante.spec) configures with:

    %configure --without-glibc-secure %{_extraflags}

Build dependencies and configure parameters from the Gentoo ebuild:

https://gitweb.gentoo.org/repo/gentoo.git/tree/net-proxy/dante/dante-1.4.1-r1.ebuild

    IUSE="debug kerberos pam selinux static-libs tcpd upnp"

    CDEPEND="
        kerberos? ( virtual/krb5 )
        pam? ( virtual/pam )
        tcpd? ( sys-apps/tcp-wrappers )
        upnp? ( net-libs/miniupnpc:= )
        userland_GNU? ( virtual/shadow )
    "
    DEPEND="${CDEPEND}
        sys-devel/bison
        sys-devel/flex
    "

    econf \
        --with-socks-conf="${EPREFIX}"/etc/socks/socks.conf \
        --with-sockd-conf="${EPREFIX}"/etc/socks/sockd.conf \
        --enable-preload \
        --enable-clientdl \
        --enable-serverdl \
        --enable-drt-fallback \
        --with-libc=libc.so.6 \
        $(use_enable debug) \
        $(use_with kerberos gssapi) \
        $(use_with pam) \
        $(use_with upnp) \
        $(use_enable static-libs static) \
        $(use_with tcpd libwrap)

openSUSE's spec file: https://build.opensuse.org/package/view_file/server:proxy/dante/dante.spec

    %build
    DANTELIBC=`find /%{_lib}/ -maxdepth 1 -iname "libc.so.*"`
    %configure \
        --disable-static \
        --with-pic \
        --enable-preload \
        --enable-clientdl \
        --enable-serverdl \
        --enable-drt-fallback \
        --enable-shared \
        --with-libc=$DANTELIBC

The finished spec file:

https://github.com/lvii/outman/blob/master/dante/SPECS/dante-1.4.2.spec

1. Download the spec file into ~/rpmbuild/SPECS/
2. Download the patches and config files into ~/rpmbuild/SOURCES/
3. Fetch the source tarball with spectool
4. Build the package with rpmbuild

The sources the build needs:

    # mkdir -pv ~/rpmbuild/{SOURCES,SPECS}
    ## download the spec, patches and other files into place
    # spectool -l -A -R ~/rpmbuild/SPECS/dante-1.4.2.spec
    Source0: http://www.inet.no/dante//files/dante-1.4.2.tar.gz
    Source1: sockd.service
    Source2: sockd.init
    Patch0: dante-1.4.2-sendbuf_macro.patch
    Patch1: dante-1.4.2-socksify.patch
    # spectool -g -A -R ~/rpmbuild/SPECS/dante-1.4.2.spec
    Getting http://www.inet.no/dante//files/dante-1.4.2.tar.gz to /root/rpmbuild/SOURCES/dante-1.4.2.tar.gz
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1254k  100 1254k    0     0  1064k      0  0:00:01  0:00:01 --:--:-- 1068k
    # rpmbuild -bb --clean ~/rpmbuild/SPECS/dante-1.4.2.spec

install

When the build finishes, the rpm is in ~/rpmbuild/RPMS/x86_64/:

    yum install ~/rpmbuild/RPMS/x86_64/dante-1.4.2-1.el7.centos.x86_64.rpm

Alternatively, install the rpm built for CentOS 7 on the Fedora Copr platform directly with yum:

    yum install https://copr-be.cloud.fedoraproject.org/results/outman/dante/epel-7-x86_64/00515912-dante/dante-1.4.2-1.el7.centos.x86_64.rpm

At run time dante depends on the libdl.so library that glibc-devel provides: ldd shows libdl.so.2 from glibc, while the unversioned /lib64/libdl.so link belongs to glibc-devel, as rpm -qf shows. After installation, ldd lists the libraries:

    # ldd /usr/sbin/sockd
            linux-vdso.so.1 =>  (0x00007ffd67f44000)
            libm.so.6 => /lib64/libm.so.6 (0x00007fa2a8208000)
            libpam.so.0 => /lib64/libpam.so.0 (0x00007fa2a7ff9000)
            libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fa2a7dc1000)
            libdl.so.2 => /lib64/libdl.so.2 (0x00007fa2a7bbd000)
            libc.so.6 => /lib64/libc.so.6 (0x00007fa2a77fc000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fa2a8510000)
            libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fa2a75d3000)
            libfreebl3.so => /lib64/libfreebl3.so (0x00007fa2a73d0000)
            libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007fa2a71ca000)
    # rpm -qf /lib64/libdl.so
    glibc-devel-2.17-157.el7_3.1.x86_64

config

Edit the sockd configuration file /etc/dante/sockd.conf and start the SOCKS5 proxy:

    logoutput: stderr
    internal: 127.0.0.1 port = 1080
    external: 45.67.89.10        ## <-- public IP
    clientmethod: none
    socksmethod: none
    user.privileged: root
    user.unprivileged: nobody

    # dante uses the first rule that matches, so the loopback block rules
    # have to come before the catch-all pass rules
    client block {
        from: 0.0.0.0/0 to: 127.0.0.0/8
        log: error
    }
    client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error
    }
    socks block {
        from: 0.0.0.0/0 to: 127.0.0.0/8
        command: bind connect udpassociate
        log: connect error
    }
    socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
    }
    socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bindreply udpreply
        log: error
    }

Two points about this configuration. First, dante evaluates rules in order and stops at the first match, so a block rule placed after a pass rule for 0.0.0.0/0 is never reached; the block rules that keep clients from using the proxy to reach loopback services are therefore listed first above. Second, clientmethod and socksmethod are both none, i.e. the proxy accepts anyone who can reach it. That is acceptable only because internal binds 127.0.0.1, so the only way in is through the kcptun server on the same host (next section); if internal is ever changed to a public address, switch to an authenticated socksmethod such as username.

Start the service:

    systemctl enable sockd
    systemctl start sockd

Confirm the listening port:

    # netstat -lntpu
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN      9070/sockd

KCPTUN

Use the kcptun server to front the SOCKS proxy provided by sockd and expose it to clients.

Generate a random password:

    # cat /dev/urandom | tr -cd '[:alnum:]' | head -c 16 | paste
    NLe6avQOKIhpwxuM

Put the kcptun start script sockd.sh next to server_linux_amd64:

    #!/bin/bash
    real_path=$(readlink -e "$0")
    exec_path=$(dirname "$real_path")
    exec_file="${exec_path}/server_linux_amd64"
    log=/tmp/kcptun.socks.log
    key='NLe6avQOKIhpwxuM'

    # stop a previously started instance, found by its --key argument
    pid=$(pgrep -f -- "--key $key")
    if [ -n "$pid" ]
    then
        kill $pid
        rm -f "$log"
    fi

    # -t: the sockd listener to forward to; -l: the UDP port clients connect to
    "$exec_file" --nocomp --crypt salsa20 --key "$key" -t "127.0.0.1:1080" -l ":10101" \
        --mode manual --nodelay 0 --interval 20 --resend 2 --nc 1 --mtu 1350 --dscp 46 \
        --datashard 64 --parityshard 16 --log "$log" &

    pgrep -af -- "--key $key"

Because the key is passed on the command line, every local user can read it from ps output (which is exactly what the pgrep lines above rely on); on a shared host, put the parameters in a JSON file readable only by root and start kcptun with -c <file> instead.

Once the kcptun server is running, its port is visible:

    # netstat -lnup
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    udp        0      0 0.0.0.0:10101           0.0.0.0:*                           9037/./server_linux

On a Linux client, the kcptun client creates the local SOCKS5 proxy:

    #!/bin/bash
    real_path=$(readlink -e "$0")
    exec_path=$(dirname "$real_path")
    exec_file="${exec_path}/client_linux_amd64"
    pass_word="NLe6avQOKIhpwxuM"
    IP=45.67.89.10
    log=/tmp/kcptun.socks.log

    # stop a previously started instance, found by its --key argument
    pid=$(pgrep -f -- "--key $pass_word")
    if [ -n "$pid" ]
    then
        kill $pid
        rm -f "$log"
    fi

    # -r: the kcptun server; -l: the local SOCKS5 listener
    # ':9090' binds every interface; use '127.0.0.1:9090' to keep the proxy local
    "$exec_file" --nocomp --crypt salsa20 --key "$pass_word" -r "${IP}:10101" -l ":9090" \
        --mode manual --nodelay 0 --interval 20 --resend 2 --nc 1 --mtu 512 --dscp 46 \
        --sndwnd 256 --rcvwnd 512 --datashard 64 --parityshard 16 --log "$log" &

After the kcptun client starts, a SOCKS5 proxy appears on port 9090; point a browser proxy extension at it and you can browse. Note that -l ":9090" binds all interfaces, as the 0.0.0.0:9090 below shows, so any host on the same LAN can use the tunnel; -l "127.0.0.1:9090" keeps it local:

    # netstat -lntp
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN      1898/client_linux_a

SOCKS5 proxy with ssh: dynamic port forwarding

    ssh -NTfnq -D 7070 $user@$hostname

Parameter   Effect
-D 7070     dynamic port forwarding: ssh acts as a SOCKS proxy listening on local port 7070
-f          go to the background after authentication; no further output
-n          redirect stdin from /dev/null; used together with -f
-N          do not execute a remote command, i.e. tell sshd not to run the login shell; usually combined with -f
-T          do not allocate a TTY; the connection is used only as a proxy
-q          quiet mode, suppress warnings and diagnostics

Without an explicit bind address, -D listens on the loopback address only, so the proxy is not reachable from other hosts; -D 0.0.0.0:7070 (or GatewayPorts) would expose it to the network.
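netstat only shows that something is listening on a port; it does not show that the listener speaks SOCKS5, offers the no-authentication method that sockd, the kcptun client and ssh -D are all set up for, or applies the rules you expect. The following added example (not code from any of those programs or from this guide) performs the RFC 1928 greeting and CONNECT request against a proxy and returns the server's reply code. So that it runs offline it also starts a constructed in-process stand-in for sockd on 127.0.0.1 that mirrors the sockd.conf above: no authentication, CONNECT to a loopback destination refused with reply 0x02 ("connection not allowed by ruleset"), anything else granted. Point socks5_connect_probe at 127.0.0.1:1080, :9090 or :7070 to check a real listener; the stand-in, its ephemeral port and the destination names are assumptions made for the demonstration.

```python
import ipaddress
import socket
import struct
import threading

SOCKS_VER = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_GRANTED, REP_RULESET = 0x00, 0x02


def _recv_exact(sock, n):
    """Read exactly n bytes or fail; a short read here means a broken peer."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 exchange")
        buf += chunk
    return buf


def _read_addr(sock, atyp):
    """Consume the ATYP-dependent address plus the 2-byte port; return (host, port)."""
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(_recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        (ln,) = _recv_exact(sock, 1)
        host = _recv_exact(sock, ln).decode("idna")
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, _recv_exact(sock, 16))
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    (port,) = struct.unpack("!H", _recv_exact(sock, 2))
    return host, port


def socks5_connect_probe(proxy_host, proxy_port, dst_host, dst_port, timeout=3.0):
    """Greeting + CONNECT (RFC 1928) against a proxy. Returns the REP code: 0 = granted."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(bytes([SOCKS_VER, 1, NO_AUTH]))            # VER, NMETHODS, METHODS
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VER or method != NO_AUTH:
            raise RuntimeError("proxy did not accept no-auth (method %#x)" % method)
        name = dst_host.encode("idna")
        s.sendall(bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
                  + name + struct.pack("!H", dst_port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        _read_addr(s, atyp)                                  # drain BND.ADDR / BND.PORT
        return rep


def _handle(conn):
    """Constructed stand-in for sockd: no auth; refuse loopback destinations."""
    with conn:
        _ver, nmethods = _recv_exact(conn, 2)
        _recv_exact(conn, nmethods)
        conn.sendall(bytes([SOCKS_VER, NO_AUTH]))
        _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
        host, _port = _read_addr(conn, atyp)
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:                                   # a hostname, not an IP
            loopback = host == "localhost"
        rep = REP_RULESET if loopback else REP_GRANTED
        conn.sendall(bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + b"\0\0\0\0" + struct.pack("!H", 0))


def start_fake_sockd():
    """Listen on an ephemeral loopback port in a daemon thread; returns the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_sockd()
    print("example.com:443 ->", socks5_connect_probe("127.0.0.1", port, "example.com", 443))
    print("127.0.0.1:1080  ->", socks5_connect_probe("127.0.0.1", port, "127.0.0.1", 1080))
```

Against a real sockd with the block rules in the wrong order, the second probe comes back 0 instead of 2, which is the quickest way to see whether the rule ordering caveat above actually bit.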

ocserv (OpenConnect VPN Server)

Website: http://www.infradead.org/ocserv/index.html

OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel, and uses the standard IETF security protocols to secure it. The server is implemented primarily for the GNU/Linux platform but its code is designed to be portable to other UNIX variants as well.

Dependency: the VPS must be able to create a TUN device for the VPN.

http://www.infradead.org/ocserv/platforms.html

"any other platform supporting TUN/TAP devices and on which GnuTLS runs."

HOWTO

Install the ocserv package and edit the ocserv configuration file

Generate a CA for signing client certificates

Obtain a Let's Encrypt SSL server certificate

Install the AnyConnect app on the phone, download the client certificate and configure it

Let's Encrypt

Use certbot to obtain and renew the Let's Encrypt SSL certificate:

https://github.com/certbot/certbot

install

https://certbot.eff.org/#centosrhel7-nginx

Install the certbot package from the EPEL repository:

    # yum install epel-release
    # yum install certbot
    Dependencies Resolved

    ================================================================================
     Package                    Arch      Version                Repository   Size
    ================================================================================
    Installing:
     certbot                    noarch    0.8.1-2.el7            epel         16 k
    Installing for dependencies:
     dialog                     x86_64    1.2-4.20130523.el7     base        208 k
     pyOpenSSL                  x86_64    0.13.1-3.el7           base        133 k
     python-cffi                x86_64    0.8.6-2.el7            base        131 k
     python-cryptography        x86_64    0.8.2-1.el7            base        435 k
     python-enum34              noarch    1.0.4-1.el7            base         52 k
     python-ndg_httpsclient     noarch    0.3.2-1.el7            epel         43 k
     python-parsedatetime       noarch    1.5-3.el7              epel         61 k
     python-ply                 noarch    3.4-10.el7             base        123 k
     python-psutil              x86_64    2.2.1-1.el7            epel        114 k
     python-pycparser           noarch    2.14-1.el7             base        104 k
     python-requests            noarch    2.6.0-1.el7_1          base         94 k
     python-urllib3             noarch    1.10.2-2.el7_1         base        100 k
     python-zope-component      noarch    1:4.1.0-1.el7          epel        110 k
     python-zope-event          noarch    4.0.3-2.el7            epel         79 k
     python-zope-interface      x86_64    4.0.5-4.el7            base        138 k
     python2-acme               noarch    0.8.1-1.el7            epel        162 k
     python2-certbot            noarch    0.8.1-2.el7            epel        346 k
     python2-configargparse     noarch    0.10.0-1.el7           epel         28 k
     python2-dialog             noarch    3.3.0-6.el7            epel         94 k
     python2-mock               noarch    1.0.1-9.el7            epel         92 k
     python2-pyrfc3339          noarch    1.0-2.el7              epel         13 k
     pytz                       noarch    2012d-5.el7            base         38 k

    Transaction Summary
    ================================================================================
    Install  1 Package (+22 Dependent packages)

    Total download size: 2.7 M
    Installed size: 13 M

The commands contained in the certbot package:

    # rpm -ql certbot | grep bin
    /usr/bin/certbot
    /usr/bin/letsencrypt

howto

Help:

    # certbot --help all
    usage:
      certbot [SUBCOMMAND] [options] [-d domain] [-d domain] ...

    Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
    it will attempt to use a webserver both for obtaining and installing the
    cert. Major SUBCOMMANDS are:

      (default) run        Obtain & install a cert in your current webserver
      certonly             Obtain cert, but do not install it (aka "auth")
      install              Install a previously obtained cert in a server
      renew                Renew previously obtained certs that are near expiry
      revoke               Revoke a previously obtained certificate
      register             Perform tasks related to registering with the CA
      rollback             Rollback server configuration changes made during install
      config_changes       Show changes made to server config during installation
      plugins              Display information about installed plugins

By default only two plugins are available, webroot and standalone:

    # certbot plugins
    * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator

    * standalone
    Description: Automatically use a temporary webserver
    Interfaces: IAuthenticator, IPlugin
    Entry point: standalone = certbot.plugins.standalone:Authenticator

The webroot plugin needs a web server such as nginx or apache; here standalone is enough to obtain the certificate.

Note: before running the command, stop nginx, ocserv or anything else occupying ports 80 and 443, otherwise standalone mode fails:

    # netstat -lntpu | egrep '80|443'
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12245/nginx: master
    # service nginx stop
    Redirecting to /bin/systemctl stop nginx.service
    # netstat -lntpu | egrep '80|443'

Run standalone mode (--agree-tos is required for a first registration in --noninteractive mode):

    certbot certonly --standalone \
        --email <your-email> \
        -d example.com -d www.example.com \
        --agree-tos --user-agent "" --noninteractive \
        --text --verbose --debug

If all goes well, the certificate files are generated under /etc/letsencrypt/live/example.com:

Page 114: Table of Contentshome.ustc.edu.cn/~huangzs/ZX-USTC-VPN/outman.pdf图片出处:胡武功《告别老西安》 普通用户 介绍常见平台 ( Windows, Mac OS X, android, iOS ) 科学上网方法:

# certbot certonly --standalone --email bob@outwall.com -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug
certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
certbot.auth_handler:Performing the following challenges:
certbot.auth_handler:tls-sni-01 challenge for outwall.com
certbot.auth_handler:Waiting for verification...
certbot.auth_handler:Cleaning up challenges
certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will expire on 2017-01-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will
   expire on 2017-01-09. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The corresponding directory tree:


# tree /etc/letsencrypt/
/etc/letsencrypt/
├── accounts
│   └── acme-v01.api.letsencrypt.org
│       └── directory
│           └── 3b24e8b936a74588021d76401ee376cd
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   └── outwall.com
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── csr
│   └── 0001_csr-certbot.pem
├── keys
│   └── 0001_key-certbot.pem
├── live
│   └── outwall.com
│       ├── cert.pem -> ../../archive/outwall.com/cert1.pem
│       ├── chain.pem -> ../../archive/outwall.com/chain1.pem
│       ├── fullchain.pem -> ../../archive/outwall.com/fullchain1.pem
│       ├── privkey.pem -> ../../archive/outwall.com/privkey1.pem
│       ├── root.pem
│       └── trusted.pem
└── renewal
    └── outwall.com.conf

Edit the ocserv configuration file /etc/ocserv/ocserv.conf and change the server-cert and server-key parameters:

server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
server-key = /etc/letsencrypt/live/example.com/privkey.pem

Restart the service:


service ocserv restart

staging

Note: --staging is a test mode that requests certificates from the staging environment:

  --test-cert, --staging
                        Use the staging server to obtain test (invalid) certs;
                        equivalent to --server https://acme-staging.api.letsencrypt.org/directory
                        (default: False)

certbot renew --dry-run


# certbot certonly --standalone --email bob@outwall.com -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --test-cert --debug
2016-10-07 17:42:31,990:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-07 17:42:33,107:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-10-07 17:42:33,371:INFO:certbot.auth_handler:Performing the following challenges:
2016-10-07 17:42:33,371:INFO:certbot.auth_handler:tls-sni-01 challenge for outwall.com
2016-10-07 17:42:33,425:INFO:certbot.auth_handler:Waiting for verification...
2016-10-07 17:42:36,570:INFO:certbot.auth_handler:Cleaning up challenges
2016-10-07 17:42:36,767:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2016-10-07 17:42:36,773:INFO:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
2016-10-07 17:42:37,130:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will expire on 2017-01-05. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/outwall.com/fullchain.pem. Your cert will
   expire on 2017-01-05. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

The /etc/letsencrypt/renewal/outwall.com.conf configuration file:


# renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/outwall.com/cert.pem
privkey = /etc/letsencrypt/live/outwall.com/privkey.pem
chain = /etc/letsencrypt/live/outwall.com/chain.pem
fullchain = /etc/letsencrypt/live/outwall.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = ...
user_agent = ""
server = https://acme-staging.api.letsencrypt.org/directory

TODO: certbot renew --renew-hook restart_ocserv.sh, to restart the ocserv service after the certificate has been renewed:

  --renew-hook RENEW_HOOK
                        Command to be run in a shell once for each
                        successfully renewed certificate. For this command,
                        the shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory containing the new certs and
                        keys; the shell variable $RENEWED_DOMAINS will contain
                        a space-delimited list of renewed cert domains
                        (default: None)
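As an added example (not from the guide or from certbot's own code), here is what such a restart_ocserv.sh hook could look like. It assumes an ocserv.conf that sets server-cert to a path under the certbot live/ directory, as configured above, and the RENEWED_LINEAGE / RENEWED_DOMAINS variables certbot exports to the hook; the function names are this example's own. It restarts ocserv only when the lineage that was renewed is the one ocserv actually serves, so a host with several certificates does not bounce the VPN for an unrelated renewal:

```shell
#!/bin/sh
# Added example: certbot --renew-hook that restarts ocserv only when the
# lineage certbot just renewed is the one ocserv loads its server-cert from.
# Assumptions: ocserv.conf contains "server-cert = /etc/letsencrypt/live/<name>/fullchain.pem",
# certbot exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS.

# Print the value of a "key = value" line from an ocserv.conf-style file.
ocserv_option() {
    # $1 = config file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the renewed lineage directory is the one ocserv serves its
# certificate from, 1 otherwise. A trailing slash on the lineage is ignored.
lineage_feeds_ocserv() {
    # $1 = ocserv.conf, $2 = $RENEWED_LINEAGE
    cert_path=$(ocserv_option "$1" server-cert)
    [ -n "$cert_path" ] || return 1
    cert_dir=$(dirname "$cert_path")
    renewed=${2%/}
    [ "$cert_dir" = "$renewed" ]
}

# Hook entry point: restart ocserv only for the relevant lineage, and log
# either outcome so a renewal that did not trigger a restart stays visible.
renew_hook_main() {
    # $1 = ocserv.conf (default /etc/ocserv/ocserv.conf); env: RENEWED_LINEAGE, RENEWED_DOMAINS
    conf=${1:-/etc/ocserv/ocserv.conf}
    if lineage_feeds_ocserv "$conf" "$RENEWED_LINEAGE"; then
        logger -t renew_ocserv "certificate renewed for $RENEWED_DOMAINS, restarting ocserv"
        service ocserv restart
    else
        logger -t renew_ocserv "renewed lineage $RENEWED_LINEAGE is not used by ocserv, nothing to do"
    fi
}

# Run the hook only when executed under its script name (not when sourced).
case "$0" in
    */restart_ocserv.sh|restart_ocserv.sh) renew_hook_main "$@" ;;
esac
```

Install it as /usr/local/sbin/restart_ocserv.sh and pass it with certbot renew --renew-hook /usr/local/sbin/restart_ocserv.sh; the logger lines make it easy to confirm from syslog that the restart really happened after a renewal.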

World of Warcraft TCP and UDP ports:

TCP 1119 3724
UDP 3724 (normally not needed, voice chat)
Game server TCP 3724
Login server TCP 8085

Mozilla SSL Configuration Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/


nginx.conf             file            comment
                       cert.pem        server cert only
                       chain.pem       intermediates
ssl_certificate        fullchain.pem   server cert + intermediates
ssl_certificate_key    privkey.pem     private key

Qualys SSL Labs provides a comprehensive SSL security test: enter your site's domain name and get your HTTPS configuration graded.
https://www.ssllabs.com/ssltest/index.html

https://community.letsencrypt.org/t/nginx-wordpress-sec-error-unknown-issuer/4071/4

server {
    listen 80;
    server_name www.marzycielskapoczta.pl;
    return 301 https://marzycielskapoczta.pl$request_uri;
}

server {
    listen 443 ssl;
    server_name www.marzycielskapoczta.pl;
    root /disk2/wordpress;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.marzycielskapoczta.pl/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
}

http://nginx.org/en/docs/http/configuring_https_servers.html#chains

openssl s_client -connect www.godaddy.com:443

curl -s https://acme-staging.api.letsencrypt.org/acme/issuer-cert | openssl x509 -inform der -text

curl http://cert.stg-root-x1.letsencrypt.org/ | openssl x509 -inform der -outform pem -text

The test certificate created with the --test-cert parameter (the staging run shown above):


Its issuer CN is Fake LE Intermediate X1, which is not trusted by anyone; --test-cert is only for testing the certificate chain:

# openssl x509 -in cert.pem -issuer -noout
issuer= /CN=Fake LE Intermediate X1


https://community.letsencrypt.org/t/browser-not-trusted-certificate-authority/7981/4

you are creating your certificate using Let's Encrypt staging (test server) so the cert created for your domain has been issued by happy hacker fake CA. This Let's Encrypt staging server should be used just to test that your client is working fine and can generate the challenges, certificates... and so on but if you want to create a valid cert you should use the right server in letsencrypt-auto command.

For staging is:

--server https://acme-staging.api.letsencrypt.org/directory

For production is:

--server https://acme-v01.api.letsencrypt.org/directory

In last version of Let's Encrypt client (0.1.1) if you don't specify a server it defaults to production and if you want to use staging you can specify the server for staging or just use one of these switches (--test-cert or --staging).

This is the help info for these switches:

  --test-cert, --staging
                        Use the staging server to obtain test (invalid) certs;
                        equivalent to --server https://acme-staging.api.letsencrypt.org/directory (default: False)

https://community.letsencrypt.org/t/cn-fake-le-intermediate-x1/13437

That means you issued those certificates against the staging server (possibly with --test-cert or --dry-run).

https://gist.github.com/kyhau/1a02ba63958b3da874bc

Create certificate

$ sudo ./[email protected] --agree-tos -d hi.helloworld.com

If you have an existing apache config with wildcard server alias:

$ sudo ./[email protected] hi.helloworld.com --server https://acme-v01.api.letsencrypt.org/directory

For --server:

acme-v01.api.letsencrypt.org (Production)
acme-staging.api.letsencrypt.org (Staging)

Need to use --server https://acme-v01.api.letsencrypt.org/directory. Not using --server, or using --server https://acme-staging.api.letsencrypt.org/directory, the Certificate Issue will be CN=happy hacker fake CA.

Rename the staging-related directories and files, then issue the certificate again for production use:

/etc/letsencrypt/accounts
/etc/letsencrypt/renewal
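As an added example that is not part of the guide, the following shell functions read the renewal confs and report the lineages still bound to the staging directory, which is the state that yields the Fake LE Intermediate X1 issuer shown above and that certbot later refuses with a "Renewal conf file ... is broken" warning. They assume the /etc/letsencrypt/renewal/<lineage>.conf layout and the server = line shown in the renewal conf above; STAGING_HOST and the function names are this example's own:

```shell
#!/bin/sh
# Added example: find certbot lineages whose renewal configuration still
# points at the Let's Encrypt staging directory, so that "certbot renew"
# would keep producing untrusted Fake LE Intermediate X1 certificates.
# Assumes /etc/letsencrypt/renewal/<name>.conf files containing a
# "server = <url>" line in their [renewalparams] section.

STAGING_HOST="acme-staging.api.letsencrypt.org"

# Print the ACME server URL recorded in one renewal conf (empty if none).
renewal_server() {
    # $1 = path to a renewal conf
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if the renewal conf targets the staging directory.
renewal_is_staging() {
    case "$(renewal_server "$1")" in
        *"$STAGING_HOST"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, the lineage names (conf basename without .conf)
# under a renewal directory that are still bound to staging.
staging_lineages() {
    # $1 = renewal directory, e.g. /etc/letsencrypt/renewal
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        if renewal_is_staging "$conf"; then
            name=$(basename "$conf" .conf)
            printf '%s\n' "$name"
        fi
    done
}

# Live check of an issued certificate file: a staging cert's issuer reads
# "Fake LE Intermediate X1" as on the page. Needs openssl on the host.
cert_issuer_is_fake() {
    # $1 = path to cert.pem
    openssl x509 -in "$1" -issuer -noout 2>/dev/null | grep -q 'Fake LE'
}

# Usage on a real host:
#   staging_lineages /etc/letsencrypt/renewal
#   cert_issuer_is_fake /etc/letsencrypt/live/outwall.com/cert.pem && echo "staging cert"
```

Run staging_lineages before renaming anything: every name it prints is a conf (and matching live/ and archive/ entry) that must be moved aside, exactly as the guide does with outwall.com.conf.bak and outwall.com.bak, before the production certonly run is repeated.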

# certbot certonly --standalone --email bob@outwall.com -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug
2016-10-11 22:22:38,177:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-11 22:22:39,173:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-11 22:22:39,288:WARNING:certbot.main:Renewal conf file /etc/letsencrypt/renewal/outwall.com.conf is broken. Skipping.
2016-10-11 22:22:39,463:INFO:certbot.auth_handler:Performing the following challenges:
2016-10-11 22:22:39,463:INFO:certbot.auth_handler:tls-sni-01 challenge for outwall.com
2016-10-11 22:22:39,526:INFO:certbot.auth_handler:Waiting for verification...
2016-10-11 22:22:42,667:INFO:certbot.auth_handler:Cleaning up challenges
2016-10-11 22:22:43,247:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
2016-10-11 22:22:43,252:INFO:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
2016-10-11 22:22:43,605:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/outwall.com-0001/fullchain.pem. Your cert will expire on 2017-01-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
2016-10-11 22:22:43,605:INFO:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/outwall.com-0001/fullchain.pem. Your cert will
   expire on 2017-01-09. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[email protected] /etc/letsencrypt/live/outwall.com

# certbot certonly --standalone --email bob@outwall.com -d outwall.com --user-agent "" --agree-tos --noninteractive --text --verbose --debug
2016-10-11 22:24:13,758:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-11 22:24:14,621:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-11 22:24:14,736:INFO:certbot.renewal:Cert not yet due for renewal

-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------

# tree .
.
├── accounts
│   ├── acme-staging.api.letsencrypt.org
│   │   └── directory
│   │       └── d219a4834295b92c10b2c1525ca086b3
│   │           ├── meta.json
│   │           ├── private_key.json
│   │           └── regr.json
│   └── acme-v01.api.letsencrypt.org
│       └── directory
│           └── 3b24e8b936a74588021d76401ee376cd
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   ├── outwall.com-0001
│   │   ├── cert1.pem
│   │   ├── chain1.pem
│   │   ├── fullchain1.pem
│   │   └── privkey1.pem
│   └── outwall.com.bak
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── csr
│   ├── 0000_csr-certbot.pem
│   ├── 0001_csr-certbot.pem
│   ├── 0002_csr-certbot.pem
│   └── 0003_csr-certbot.pem
├── keys
│   ├── 0000_key-certbot.pem
│   ├── 0001_key-certbot.pem
│   ├── 0002_key-certbot.pem
│   └── 0003_key-certbot.pem
├── live
│   ├── outwall.com
│   │   └── root
│   └── outwall.com-0001
│       ├── cert.pem -> ../../archive/outwall.com-0001/cert1.pem
│       ├── chain.pem -> ../../archive/outwall.com-0001/chain1.pem
│       ├── fullchain.pem -> ../../archive/outwall.com-0001/fullchain1.pem
│       └── privkey.pem -> ../../archive/outwall.com-0001/privkey1.pem
└── renewal
    ├── outwall.com-0001.conf
    └── outwall.com.conf.bak

16 directories, 29 files

crontab: https://calomel.org/lets_encrypt_client.html

#!/bin/sh
#
# Check if an SSL certificate will expire in less than 30 days.
# https://calomel.org/lets_encrypt_client.html
#

# remote ssl domain to monitor
HostName="example.org"

# certificate expiration, remote check
# -servername sends SNI so a name-based virtual host returns the right certificate
CertificateExpireDate=$(echo | openssl s_client -connect "$HostName:443" -servername "$HostName" 2>/dev/null | openssl x509 -noout -enddate | sed 's/notAfter=//')

# stop here if the certificate could not be fetched, instead of computing a bogus difference
if [ -z "$CertificateExpireDate" ]; then
    echo "ERROR: could not read the certificate from $HostName:443" >&2
    exit 1
fi

# certificate expiration, convert to unix time
UnixCertExpireDate=$(date -d "$CertificateExpireDate" +"%s")

# current date in unix time
UnixCurrentDate=$(date +%s)

# difference of the expiration date and the current date
UnixTimeDiff=$((UnixCertExpireDate - UnixCurrentDate))

# If the certificate expires in less than 30 days (2592000 seconds) send a notification
if [ "$UnixTimeDiff" -lt 2592000 ]; then
    echo "NOTICE: $HostName ssl certificate will expire in less than 30 days." | mail -s "$HostName ssl certificate will expire in less than 30 days" [email protected]
fi

Use certtool to inspect a cert (-i parameter) and a private key (-k parameter):

man certtool

  -i, --certificate-info    Print information on the given certificate.
  -k, --key-info            Print information on a private key.

Certificate information:


# certtool --infile=ca.crt -i
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 01
	Issuer: CN=outwall,O=outwallclub
	Validity:
		Not Before: Sat Oct 08 12:54:14 UTC 2016
		Not After: Tue Oct 06 12:54:14 UTC 2026
	Subject: CN=outwall,O=outwallclub
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)

Private key information:

# certtool --infile=ca-key.pem -k
Public Key Info:
	Public Key Algorithm: RSA
	Key Security Level: Medium (2048 bits)


# diff -y ocserv.conf ocserv.conf.0.11.5 | egrep -iw '[|<]'
#auth = "pam"                                                   | auth = "pam"
auth = "certificate"                                            | #auth = "certificate"
try-mtu-discovery = true                                        | try-mtu-discovery = false
server-cert = /etc/letsencrypt/live/beta.outman.im/fullchain.   | server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/letsencrypt/live/beta.outman.im/privkey.pem   | server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/ocserv/certs/ca.crt                              | ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-group-oid = 2.5.4.11                                       | #cert-group-oid = 2.5.4.11
default-domain = beta.outman.im                                 | default-domain = example.com
ipv4-network = 192.168.123.0                                    | #ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0                                    | #ipv4-netmask = 255.255.255.0
dns = 8.8.8.8                                                   | #dns = 192.168.1.2
dns = 8.8.4.4                                                   <


openwrt

opkg

root@LEDE:~# opkg install ip
Installing ip-full (4.4.0-9) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/ip-full_4.4.0-9_mipsel_24kc.ipk
Configuring ip-full.
root@LEDE:~# opkg list -A ip-*
ip-bridge - 4.4.0-9 - Bridge configuration utility from iproute2
ip-full - 4.4.0-9 - Routing control utility (Full)
ip-tiny - 4.4.0-9 - Routing control utility (Minimal)
root@LEDE:~# opkg list ip-*
ip-bridge - 4.4.0-9 - Bridge configuration utility from iproute2
ip-full - 4.4.0-9 - Routing control utility (Full)
ip-tiny - 4.4.0-9 - Routing control utility (Minimal)
root@LEDE:~# opkg find ip-*
ip-bridge - 4.4.0-9 - Bridge configuration utility from iproute2
ip-full - 4.4.0-9 - Routing control utility (Full)
ip-tiny - 4.4.0-9 - Routing control utility (Minimal)
root@LEDE:~# opkg info ip-full
Package: ip-full
Version: 4.4.0-9
Depends: libc, libnl-tiny
Provides: ip
Status: install user installed
Section: net
Architecture: mipsel_24kc
Size: 112843
Filename: ip-full_4.4.0-9_mipsel_24kc.ipk
Description: Routing control utility (Full)
Installed-Time: 1506002529


root@LEDE:~# opkg files ip
Package ip-full (4.4.0-9) is installed on root and has the following files:
/usr/sbin/ip
root@LEDE:~# opkg files ip-full
Package ip-full (4.4.0-9) is installed on root and has the following files:
/usr/sbin/ip
root@LEDE:~# opkg files shadowsocks-libev
Package shadowsocks-libev (3.1.0-1) is installed on root and has the following files:
/usr/bin/ss-local
/usr/bin/ss-redir
/usr/bin/ss-tunnel
root@LEDE:~# opkg search /usr/bin/ss-redir
shadowsocks-libev - 3.1.0-1

TP-Link WR703N

Once openwrt is flashed onto the TP-Link WR703N, the following needs configuring:

Wireless WIFI is not enabled by default.
The default is AP mode; it needs to be changed to router mode.

failsafe: after powering on, wait for the indicator LED to start blinking (about 10 s after power is applied), then immediately hold the reset button for 3 s; the LED changes to fast blinking.

default: set the root password:


$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------

BusyBox v1.23.2 (2016-01-02 18:01:44 CET) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (15.05.1, r48532)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:/# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root

Default ROM usage:


root@OpenWrt:/# df -hT
Filesystem           Type            Size      Used Available Use% Mounted on
rootfs               rootfs         12.5M    472.0K     12.0M   4% /
/dev/root            squashfs        2.3M      2.3M         0 100% /rom
tmpfs                tmpfs          29.8M    300.0K     29.5M   1% /tmp
tmpfs                tmpfs          29.8M     44.0K     29.8M   0% /tmp/root
tmpfs                tmpfs         512.0K         0    512.0K   0% /dev
/dev/mtdblock3       jffs2          12.5M    472.0K     12.0M   4% /overlay
overlayfs:/overlay   overlay        12.5M    472.0K     12.0M   4% /

init

Configure wireless WIFI
Remove the bridge and add WAN

wireless

Default WIFI configuration:

root@OpenWrt:/# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/ar933x_wmac'
wireless.radio0.htmode='HT20'
wireless.radio0.disabled='1'
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device='radio0'
wireless.@wifi-iface[0].network='lan'
wireless.@wifi-iface[0].mode='ap'
wireless.@wifi-iface[0].ssid='OpenWrt'
wireless.@wifi-iface[0].encryption='none'
root@OpenWrt:/# cat /etc/config/wireless
config wifi-device  radio0
	option type     mac80211
	option channel  11
	option hwmode   11g
	option path     'platform/ar933x_wmac'
	option htmode   HT20
	# REMOVE THIS LINE TO ENABLE WIFI:
	option disabled 1

config wifi-iface
	option device   radio0
	option network  lan
	option mode     ap
	option ssid     OpenWrt
	option encryption none

root@OpenWrt:/# wifi
'radio0' is disabled
'radio0' is disabled
root@OpenWrt:/# wifi status
{
	"radio0": {
		"up": false,
		"pending": false,
		"autostart": true,
		"disabled": true,
		"config": {
			"channel": "11",
			"hwmode": "11g",
			"path": "platform\/ar933x_wmac",
			"htmode": "HT20",
			"disabled": true
		},
		"interfaces": [
			{
				"section": "@wifi-iface[0]",
				"config": {
					"mode": "ap",
					"ssid": "OpenWrt",
					"encryption": "none",
					"network": [
						"lan"
					],
					"mode": "ap"
				}
			}
		]
	}
}

UCI commands to configure WIFI:

## wireless
uci set wireless.@wifi-iface[0].ssid=FUCK_GFW
uci set wireless.@wifi-iface[0].encryption=psk2
uci set wireless.@wifi-iface[0].key=v_v.fuckgfw
uci set wireless.radio0.disabled=0
uci changes
uci commit

Example:


root@OpenWrt:/# uci set wireless.@wifi-iface[0].ssid=FUCK_GFW
root@OpenWrt:/# uci set wireless.@wifi-iface[0].encryption=psk2
root@OpenWrt:/# uci set wireless.@wifi-iface[0].key=v_v.fuckgfw
root@OpenWrt:/# uci set wireless.radio0.disabled=0
root@OpenWrt:/# uci changes
wireless.cfg033579.ssid='FUCK_GFW'
wireless.cfg033579.encryption='psk2'
wireless.cfg033579.key='v_v.fuckgfw'
wireless.radio0.disabled='0'
root@OpenWrt:/# uci commit
root@OpenWrt:/# uci changes
root@OpenWrt:/# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ar933x_wmac'
	option htmode 'HT20'
	option disabled '0'

config wifi-iface
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'FUCK_GFW'
	option encryption 'psk2'
	option key 'v_v.fuckgfw'
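The default wireless config ships with encryption none and the radio disabled, and the UCI commands above flip both at once. As an added example (not OpenWrt's or the guide's code), the shell functions below parse the /etc/config/wireless file format directly and gate the enable step on there being no open wifi-iface, so a mistyped encryption line cannot bring up an open access point. They assume the plain UCI file syntax (config / option lines, values optionally single-quoted) and OpenWrt's uci and wifi commands; all function names are this example's own:

```shell
#!/bin/sh
# Added example: audit an OpenWrt /etc/config/wireless file before enabling
# the radio. Assumes the UCI file syntax shown on the page and the uci / wifi
# commands of OpenWrt; nothing here is OpenWrt's own code.

# Print "section<TAB>option<TAB>value" for every option in a UCI file, with
# single quotes stripped. Named sections become "type.name", anonymous ones
# "@type[n]", mirroring how "uci show" addresses them.
uci_flatten() {
    # $1 = UCI config file
    awk -v q="'" '
        function unquote(s) { gsub("^" q "|" q "$", "", s); return s }
        $1 == "config" {
            if (NF >= 3) { sec = $2 "." unquote($3) }
            else { i = idx[$2]++; sec = "@" $2 "[" i "]" }
            next
        }
        $1 == "option" {
            v = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", v)   # keep everything after the option name
            sub(/[ \t]+$/, "", v)
            printf "%s\t%s\t%s\n", sec, unquote($2), unquote(v)
        }
    ' "$1"
}

# Print the encryption mode of each wifi-iface in file order, reporting
# "none" when the option is absent (which OpenWrt treats as an open network).
wifi_iface_encryption() {
    uci_flatten "$1" | awk -F '\t' '
        index($1, "wifi-iface") == 0 { next }
        !($1 in seen) { seen[$1] = 1; order[++n] = $1 }
        $2 == "encryption" { enc[$1] = $3 }
        END { for (i = 1; i <= n; i++) print ((order[i] in enc) ? enc[order[i]] : "none") }
    '
}

# Return 0 if at least one wifi-iface would come up without encryption.
wireless_has_open_iface() {
    wifi_iface_encryption "$1" | grep -qx 'none'
}

# Return 0 if radio0 is flagged disabled in the file.
radio_is_disabled() {
    uci_flatten "$1" | awk -F '\t' '
        $1 == "wifi-device.radio0" && $2 == "disabled" && $3 == "1" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Gate for the "uci set wireless.radio0.disabled=0; uci commit; wifi" step:
# enable the radio only when no open AP would be exposed.
enable_wifi_if_safe() {
    # $1 = config file (default /etc/config/wireless)
    f=${1:-/etc/config/wireless}
    if wireless_has_open_iface "$f"; then
        echo "refusing to enable radio: an open (encryption none) wifi-iface is configured" >&2
        return 1
    fi
    uci set wireless.radio0.disabled=0 && uci commit wireless && wifi
}
```

On the router, run enable_wifi_if_safe instead of the bare uci set wireless.radio0.disabled=0; with the default file it refuses, and after the encryption=psk2 and key changes above it proceeds.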

Enable WIFI with the wifi command:


root@OpenWrt:/# wifi
root@OpenWrt:/# wifi status
{
	"radio0": {
		"up": true,
		"pending": false,
		"autostart": true,
		"disabled": false,
		"config": {
			"channel": "11",
			"hwmode": "11g",
			"path": "platform\/ar933x_wmac",
			"htmode": "HT20",
			"disabled": false
		},
		"interfaces": [
			{
				"section": "@wifi-iface[0]",
				"ifname": "wlan0",
				"config": {
					"mode": "ap",
					"ssid": "FUCK_GFW",
					"encryption": "psk2",
					"key": "v_v.fuckgfw",
					"network": [
						"lan"
					],
					"mode": "ap"
				}
			}
		]
	}
}

https://wiki.openwrt.org/zh-cn/doc/uci/wireless

On OpenWrt the wifi command starts, restarts and stops the wireless interfaces:

To start WIFI, run wifi with no arguments.
After changing the wireless configuration, restart WIFI to apply it: again, run wifi with no arguments.
To stop WIFI, add the down argument: wifi down

network

Default bridge configuration:

root@OpenWrt:~# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.c8e7d8d4b54e	no		eth0
							wlan0
root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr C8:E7:D8:D4:B5:4E
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::cae7:d8ff:fed4:b54e/64 Scope:Link
          inet6 addr: fdd9:add4:d5f5::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:345 errors:0 dropped:0 overruns:0 frame:0
          TX packets:327 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37843 (36.9 KiB)  TX bytes:31467 (30.7 KiB)

eth0      Link encap:Ethernet  HWaddr C8:E7:D8:D4:B5:4E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3678 (3.5 KiB)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3264 (3.1 KiB)  TX bytes:3264 (3.1 KiB)

wlan0     Link encap:Ethernet  HWaddr C8:E7:D8:D4:B5:4E
          inet6 addr: fe80::cae7:d8ff:fed4:b54e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:344 errors:0 dropped:0 overruns:0 frame:0
          TX packets:343 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:42653 (41.6 KiB)  TX bytes:40587 (39.6 KiB)

root@OpenWrt:/# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5:87ce:25a3::/48'

config interface 'lan'
	option ifname 'eth0'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

Switch from AP mode to router mode: remove the bridge and add a WAN device


## unbridge LAN
uci delete network.lan.type
uci delete network.lan.ifname
uci set network.lan._orig_bridge=false
uci set network.lan._orig_ifname=eth0
uci set network.lan.ipaddr=192.168.12.1
uci set dhcp.lan.ra_management=1

## create WAN
uci set network.wan=interface
uci set network.wan.ifname=eth0
uci set network.wan.proto=dhcp
uci set network.wan.peerdns=0    ## do NOT use the upstream DNS as /etc/resolv.conf

Example:

root@OpenWrt:/# uci delete network.lan.type
root@OpenWrt:/# uci delete network.lan.ifname
root@OpenWrt:/# uci set network.lan._orig_bridge=false
root@OpenWrt:/# uci set network.lan._orig_ifname=eth0
root@OpenWrt:/# uci set network.lan.ipaddr=192.168.12.1
root@OpenWrt:/#
root@OpenWrt:/# uci set dhcp.lan.ra_management=1
root@OpenWrt:/# uci set network.wan=interface
root@OpenWrt:/# uci set network.wan.ifname=eth0
root@OpenWrt:/# uci set network.wan.proto=dhcp
root@OpenWrt:/# uci set network.wan.peerdns=0
root@OpenWrt:/# uci changes
dhcp.lan.ra_management='1'
-network.lan.type
-network.lan.ifname
network.lan._orig_bridge='false'
network.lan._orig_ifname='eth0'
network.lan.ipaddr='192.168.12.1'
network.wan='interface'
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan.peerdns='0'

https://wiki.openwrt.org/doc/techref/odhcpd

ra_management    RA management mode

value   meaning
0       no M-Flag but A-Flag
1       both M and A
2       M but not A

Restart the network service:

root@OpenWrt:/# /etc/init.d/network restart

Connect to the WIFI and log in using the new IP: [email protected]


root@OpenWrt:~# brctl show
bridge name	bridge id		STP enabled	interfaces
root@OpenWrt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr C8:E7:D8:D4:B5:4E
          inet addr:192.168.8.178  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::cae7:d8ff:fed4:b54e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:257 errors:0 dropped:0 overruns:0 frame:0
          TX packets:220 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:43320 (42.3 KiB)  TX bytes:32401 (31.6 KiB)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3511 (3.4 KiB)  TX bytes:3511 (3.4 KiB)

wlan0     Link encap:Ethernet  HWaddr C8:E7:D8:D4:B5:4E
          inet addr:192.168.12.1  Bcast:192.168.12.255  Mask:255.255.255.0
          inet6 addr: fe80::cae7:d8ff:fed4:b54e/64 Scope:Link
          inet6 addr: fdd9:add4:d5f5::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:261 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:38999 (38.0 KiB)  TX bytes:51107 (49.9 KiB)

DHCP

Default DHCP configuration (the DHCP configuration is modified later, when ChinaDNS is set up):

root@OpenWrt:/# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq


dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
root@OpenWrt:/# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'

HOW:openwrt

143

Page 144: Table of Contentshome.ustc.edu.cn/~huangzs/ZX-USTC-VPN/outman.pdf图片出处:胡武功《告别老西安》 普通用户 介绍常见平台 ( Windows, Mac OS X, android, iOS ) 科学上网方法:

optionnonegcache'0'

optionauthoritative'1'

optionreadethers'1'

optionleasefile'/tmp/dhcp.leases'

optionresolvfile'/tmp/resolv.conf.auto'

optionlocalservice'1'

configdhcp'lan'

optioninterface'lan'

optionstart'100'

optionlimit'150'

optionleasetime'12h'

optiondhcpv6'server'

optionra'server'

configdhcp'wan'

optioninterface'wan'

optionignore'1'

configodhcpd'odhcpd'

optionmaindhcp'0'

optionleasefile'/tmp/hosts/odhcpd'

optionleasetrigger'/usr/sbin/odhcpd-update'

root@OpenWrt:/#cat/var/etc/dnsmasq.conf

#auto-generatedconfigfilefrom/etc/config/dhcp

conf-file=/etc/dnsmasq.conf

dhcp-authoritative

domain-needed

localise-queries

read-ethers

bogus-priv

expand-hosts

local-service

domain=lan

server=/lan/

dhcp-leasefile=/tmp/dhcp.leases

resolv-file=/tmp/resolv.conf.auto

addn-hosts=/tmp/hosts

conf-dir=/tmp/dnsmasq.d

stop-dns-rebind

rebind-localhost-ok

HOW:openwrt

144

Page 145: Table of Contentshome.ustc.edu.cn/~huangzs/ZX-USTC-VPN/outman.pdf图片出处:胡武功《告别老西安》 普通用户 介绍常见平台 ( Windows, Mac OS X, android, iOS ) 科学上网方法:

dhcp-broadcast=tag:needs-broadcast

dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h

Image Generator

Image Builder: Create custom images without compiling in the build system

https://wiki.openwrt.org/doc/howto/obtain.firmware.generate

https://wiki.openwrt.org/zh-cn/doc/howto/obtain.firmware.generate

If you do not want to download a pre-built image file, or do not want to go through the whole compilation process, the alternative is the Image Generator (formerly called ImageBuilder). It is a pre-compiled OpenWrt build environment suited to creating custom images without compiling anything.

OpenWrt build system – Usage: https://wiki.openwrt.org/doc/howto/build

Do everything as non-root user

References:

Building an OpenWrt firmware with automatic circumvention using ImageBuilder

https://softwaredownload.gitbooks.io/openwrt-fanqiang/content/ebook/04.3.html

https://github.com/softwaredownload/openwrt-fanqiang

https://github.com/softwaredownload/openwrt-fanqiang/blob/master/openwrt/default/etc/uci-defaults/defaults

download

Download the ImageBuilder archive for the TP-Link WR703N:

https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/

```
mkdir -pv ~/openwrt
cd ~/openwrt
$ time wget -nv https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64.tar.bz2
2017-08-27 20:23:34 URL:https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64.tar.bz2 [143921369/143921369] -> "OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64.tar.bz2" [1]

real    0m7.381s
user    0m0.379s
sys     0m2.345s
$ time tar xf OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64.tar.bz2

real    0m24.645s
user    0m22.718s
sys     0m1.357s
$ ll
total 138M
-rw-r--r-- 1 i i 138M | 2016-03-16 01:48 | OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64.tar.bz2
drwxr-xr-x 8 i i 4.0K | 2016-02-01 01:45 | OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/
```

config

Configure the package sources: edit the repositories.conf file and add the openwrt-dist (shadowsocks) source.

```
$ cat repositories.conf
## Place your custom repositories here, they must match the architecture and version.
# src/gz chaos_calmer http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages
# src custom file:///usr/src/openwrt/bin/ar71xx/packages

## Remote package repositories
src/gz chaos_calmer_base http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci
src/gz chaos_calmer_packages http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony
src/gz chaos_calmer_management http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management

## openwrt-dist for shadowsocks
src/gz openwrt_dist http://openwrt-dist.sourceforge.net/packages/OpenWrt/base/ar71xx
src/gz openwrt_dist_luci http://openwrt-dist.sourceforge.net/packages/OpenWrt/luci

## This is the local package repository, do not remove!
src imagebuilder file:packages
```

Packages to remove:

- upnpd
- ipv6
- ppp*
- luci*
- uhttpd

files

The scripts in the /etc/uci-defaults/ directory are used to initialise an OpenWrt firmware.

openwrt network initialisation 2014-11-12

/bin/config_generate

In OpenWrt 14.07 the /etc/init.d/boot script runs the scripts under /etc/uci-defaults/ one by one at boot and deletes each one after it has run. This guarantees that the scripts in that directory run only once and are not run again on later reboots, unless the device is reset to factory defaults.

The corresponding code:

```
# grep -A7 uci-defaults /etc/init.d/boot
    cd /etc/uci-defaults || return 0
    files="$(ls)"
    [ -z "$files" ] && return 0
    mkdir -p /tmp/.uci
    for file in $files; do
        ( . "./$(basename $file)" ) && rm -f "$file"
    done
    uci commit
```

Example: https://github.com/softwaredownload/openwrt-fanqiang/blob/master/openwrt/wndr4300/etc/uci-defaults/defaults

```
uci set network.wan.proto='pppoe'
uci set network.wan.username='wan-username'
uci set network.wan.password='wan-password'
uci set network.wan.peerdns=0
uci commit network

uci set wireless.@wifi-device[0].channel=11
uci set wireless.@wifi-device[0].txpower=17
uci set wireless.@wifi-device[0].disabled=0
uci set wireless.@wifi-device[0].country='CN'
uci set wireless.@wifi-iface[0].mode='ap'
uci set wireless.@wifi-iface[0].ssid='eastking-fanqiang'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='icanfly9876'
uci commit wireless
wifi

uci set dropbear.@dropbear[0].GatewayPorts='on'
uci commit dropbear
/etc/init.d/dropbear restart

uci set system.@system[0].hostname='eastking'   # set the hostname
uci set system.@system[0].zonename='Asia/Shanghai'
uci set system.@system[0].timezone='CST-8'
uci commit system
/etc/init.d/system restart

# change root password
echo -e "fanqiang\nfanqiang" | (passwd $USER)

/etc/init.d/shadowsocks enable
/etc/init.d/network restart
```

TP-Link WR703N /etc/uci-defaults/defaults initialisation script:

```
## WIFI
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-device[0].country='CN'
uci set wireless.@wifi-device[0].channel='auto'
uci set wireless.@wifi-device[0].txpower='17'
uci set wireless.@wifi-iface[0]='wifi-iface'
uci set wireless.@wifi-iface[0].device='radio0'
uci set wireless.@wifi-iface[0].network='lan'
uci set wireless.@wifi-iface[0].mode='ap'
uci set wireless.@wifi-iface[0].ssid='703'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='v_v.fuckgfw'
uci set wireless.@wifi-iface[0].hidden='0'
uci commit wireless
## start WIFI
wifi

## unbridge LAN
uci delete network.lan.type
uci delete network.lan.ifname
uci set network.lan._orig_bridge='false'
uci set network.lan._orig_ifname='eth0'
uci set network.lan.ipaddr='192.168.3.1'
## create WAN
uci set network.wan='interface'
uci set network.wan.ifname='eth0'
uci set network.wan.proto='dhcp'
uci commit network

uci set dhcp.lan.ra_management='1'
uci set dhcp.@dnsmasq[0].nohosts='1'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
uci commit dhcp
## restart 'network' and 'DNSmasq' service
/etc/init.d/network restart
/etc/init.d/dnsmasq restart

uci set system.@system[0].hostname='wr703n'
uci set system.@system[0].zonename='Asia/Shanghai'
uci set system.@system[0].timezone='CST-8'
uci commit system
/etc/init.d/system restart

uci set dropbear.@dropbear[0].GatewayPorts='on'
uci set dropbear.@dropbear[0].Port='2222'
uci commit dropbear
/etc/init.d/dropbear restart

## change root passwd
echo -e "V_VL.Fuck.GFW\nV_VL.Fuck.GFW" | (passwd $USER)

## SS
uci set shadowsocks.@general[0]=general
uci set shadowsocks.@general[0].startup_delay='0'
uci set shadowsocks.@servers[0]=servers
uci set shadowsocks.@servers[0].alias='sample'
uci set shadowsocks.@servers[0].fast_open='0'
uci set shadowsocks.@servers[0].timeout='60'
uci set shadowsocks.@servers[0].encrypt_method='rc4-md5'
uci set shadowsocks.@servers[0].server='45.67.89.10'
uci set shadowsocks.@servers[0].server_port='12345'
uci set shadowsocks.@servers[0].password='SS_SRV_PASS'
uci set shadowsocks.@transparent_proxy[0]=transparent_proxy
uci set shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
uci set shadowsocks.@transparent_proxy[0].local_port='1234'
SS_CFGID=$(uci show shadowsocks.@servers[0].alias | awk -F'.' '{print $2}')
uci set shadowsocks.@transparent_proxy[0].main_server="$SS_CFGID"
uci set shadowsocks.@socks5_proxy[0]=socks5_proxy
uci set shadowsocks.@socks5_proxy[0].server='nil'
uci set shadowsocks.@socks5_proxy[0].local_port='1080'
uci set shadowsocks.@port_forward[0]=port_forward
uci set shadowsocks.@port_forward[0].server='nil'
uci set shadowsocks.@port_forward[0].local_port='5300'
uci set shadowsocks.@port_forward[0].destination='8.8.4.4:53'
uci set shadowsocks.@access_control[0]=access_control
uci set shadowsocks.@access_control[0].self_proxy='1'
uci set shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
uci set shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'
uci commit shadowsocks
/etc/init.d/shadowsocks enable
/etc/init.d/shadowsocks start

uci set dns-forwarder.@dns-forwarder[0]=dns-forwarder
uci set dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
uci set dns-forwarder.@dns-forwarder[0].listen_port='5300'
uci set dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
uci set dns-forwarder.@dns-forwarder[0].enable='1'
uci commit dns-forwarder
/etc/init.d/dns-forwarder enable
/etc/init.d/dns-forwarder start

uci set chinadns.@chinadns[0]=chinadns
uci set chinadns.@chinadns[0].bidirectional='0'
uci set chinadns.@chinadns[0].chnroute='/etc/chinadns_chnroute.txt'
uci set chinadns.@chinadns[0].port='5353'
uci set chinadns.@chinadns[0].enable='1'
uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
uci commit chinadns
/etc/init.d/chinadns enable
/etc/init.d/chinadns start
```

https://wiki.openwrt.org/doc/uci

Sections naming

Sections deserve some extra explanation in regards to naming. A section can be named or unnamed. Unnamed sections will get an autogenerated ID/CFGID (like cfg073777) and be presented with an anonymous-name (like @switch[0]).

```
# uci show wireless.@wifi-device[0]
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/ar933x_wmac'
wireless.radio0.htmode='HT20'
wireless.radio0.disabled='0'
wireless.radio0.txpower='18'
wireless.radio0.country='CN'
```

The shadowsocks-libev package in the openwrt-dist source only contains `/bin

```
$ git clone https://github.com/shadowsocks/luci-app-shadowsocks.git
Cloning into 'luci-app-shadowsocks'...
remote: Counting objects: 1086, done.
remote: Total 1086 (delta 0), reused 0 (delta 0), pack-reused 1086
Receiving objects: 100% (1086/1086), 262.73 KiB | 0 bytes/s, done.
Resolving deltas: 100% (402/402), done.
$ tree luci-app-shadowsocks/files/root/
luci-app-shadowsocks/files/root/
├── etc
│   ├── config
│   │   └── shadowsocks
│   ├── init.d
│   │   └── shadowsocks
│   └── uci-defaults
│       └── luci-shadowsocks
└── usr
    └── bin
        ├── ss-rules
        └── ss-rules-without-ipset

6 directories, 5 files
$ rsync -avP luci-app-shadowsocks/files/root/
sending incremental file list
drwxrwxr-x           4096 2017/08/29 00:03:54 .
drwxrwxr-x           4096 2017/08/29 00:03:54 etc
drwxrwxr-x           4096 2017/08/29 00:03:54 etc/config
-rw-rw-r--            556 2017/08/29 00:03:54 etc/config/shadowsocks
drwxrwxr-x           4096 2017/08/29 00:03:54 etc/init.d
-rw-rw-r--           5062 2017/08/29 00:03:54 etc/init.d/shadowsocks
drwxrwxr-x           4096 2017/08/29 00:03:54 etc/uci-defaults
-rw-rw-r--            962 2017/08/29 00:03:54 etc/uci-defaults/luci-shadowsocks
drwxrwxr-x           4096 2017/08/29 00:03:54 usr
drwxrwxr-x           4096 2017/08/29 00:03:54 usr/bin
-rw-rw-r--           6699 2017/08/29 00:03:54 usr/bin/ss-rules
-rw-rw-r--           6101 2017/08/29 00:03:54 usr/bin/ss-rules-without-ipset

sent 268 bytes  received 18 bytes  572.00 bytes/sec
total size is 19380  speedup is 67.76
$ cat luci-app-shadowsocks/files/root/etc/uci-defaults/luci-shadowsocks
#!/bin/sh

uci get shadowsocks.@general[-1] >/dev/null 2>&1 || \
    uci add shadowsocks general >/dev/null 2>&1
uci get shadowsocks.@transparent_proxy[-1] >/dev/null 2>&1 || \
    uci add shadowsocks transparent_proxy >/dev/null 2>&1
uci get shadowsocks.@socks5_proxy[-1] >/dev/null 2>&1 || \
    uci add shadowsocks socks5_proxy >/dev/null 2>&1
uci get shadowsocks.@port_forward[-1] >/dev/null 2>&1 || \
    uci add shadowsocks port_forward >/dev/null 2>&1
uci get shadowsocks.@access_control[-1] >/dev/null 2>&1 || \
    uci add shadowsocks access_control >/dev/null 2>&1
uci commit shadowsocks

uci -q batch <<-EOF >/dev/null
	delete ucitrack.@shadowsocks[-1]
	add ucitrack shadowsocks
	set ucitrack.@shadowsocks[-1].init=shadowsocks
	commit ucitrack

	delete firewall.shadowsocks
	set firewall.shadowsocks=include
	set firewall.shadowsocks.type=script
	set firewall.shadowsocks.path=/var/etc/shadowsocks.include
	set firewall.shadowsocks.reload=1
	commit firewall
EOF

exit 0
```

```
$ rsync -avP --exclude=uci-defaults luci-app-shadowsocks/files/root/
sending incremental file list
drwxrwxr-x           4096 2017/08/29 00:03:54 .
drwxrwxr-x           4096 2017/08/29 00:03:54 etc
drwxrwxr-x           4096 2017/08/29 00:03:54 etc/config
-rw-rw-r--            556 2017/08/29 00:03:54 etc/config/shadowsocks
drwxrwxr-x           4096 2017/08/29 00:03:54 etc/init.d
-rw-rw-r--           5062 2017/08/29 00:03:54 etc/init.d/shadowsocks
drwxrwxr-x           4096 2017/08/29 00:03:54 usr
drwxrwxr-x           4096 2017/08/29 00:03:54 usr/bin
-rw-rw-r--           6699 2017/08/29 00:03:54 usr/bin/ss-rules
-rw-rw-r--           6101 2017/08/29 00:03:54 usr/bin/ss-rules-without-ipset

sent 211 bytes  received 17 bytes  456.00 bytes/sec
total size is 18418  speedup is 80.78
$ rsync -avP --exclude=uci-defaults luci-app-shadowsocks/files/root/ ~/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/files/
sending incremental file list
./
etc/
etc/config/
etc/config/shadowsocks
            556 100%    0.00kB/s    0:00:00 (xfer#1, to-check=4/10)
etc/init.d/
etc/init.d/shadowsocks
           5062 100%    4.83MB/s    0:00:00 (xfer#2, to-check=3/10)
usr/
usr/bin/
usr/bin/ss-rules
           6699 100%    6.39MB/s    0:00:00 (xfer#3, to-check=1/10)
usr/bin/ss-rules-without-ipset
           6101 100%    5.82MB/s    0:00:00 (xfer#4, to-check=0/10)

sent 18819 bytes  received 111 bytes  37860.00 bytes/sec
total size is 18418  speedup is 0.97
$ tree ~/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/files/
/home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/files/
├── etc
│   ├── config
│   │   └── shadowsocks
│   ├── init.d
│   │   └── shadowsocks
│   ├── opkg.conf
│   └── uci-defaults
│       └── defaults
└── usr
    └── bin
        ├── ss-rules
        └── ss-rules-without-ipset

6 directories, 6 files
$ chmod 755 files/usr/bin/* files/etc/init.d/*
$ ll files/usr/bin/* files/etc/init.d/*
-rwxr-xr-x 1 i i 6.6K | 2017-08-29 00:03 | files/usr/bin/ss-rules*
-rwxr-xr-x 1 i i 6.0K | 2017-08-29 00:03 | files/usr/bin/ss-rules-without-ipset*
-rwxr-xr-x 1 i i 5.0K | 2017-08-29 00:03 | files/etc/init.d/shadowsocks*
```

PROFILE

PROFILE configuration:

```
$ make info | grep -C1 WR703N
TLWR703:
    TP-LINK TL-WR703N
    Packages: kmod-usb-core kmod-usb2
```

PACKAGES

PACKAGES (the package set):

```
time make image PROFILE=TLWR703 FILES=files/ PACKAGES="ChinaDNS dns-forwarder shadowsocks-libev ip ipset iptables-mod-tproxy -kmod-ipv6 -libip6tc -odhcp6c -ip6tables -kmod-ip6tables -kmod-nf-ipt6 -kmod-nf-conntrack6 -ppp -ppp-mod-pppoe -kmod-ppp -kmod-pppoe -kmod-pppox -luci*"

real    1m28.885s
user    0m15.822s
sys     0m16.358s
```

bind-dig is not included; otherwise the ROM exceeds 4M and the packaging step fails:

```
[ -f /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/tl-wr703n-v1-kernel.bin -a -f /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/root.squashfs ]
dd if=/home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/root.squashfs >> /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/tmp/openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
7526+1 records in
7526+1 records out
3853562 bytes (3.9 MB) copied, 0.0327387 s, 118 MB/s
/home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/staging_dir/host/bin/mktplinkfw -H 0x07030101 -W 0x1 -F 4Mlzma -N OpenWrt -V r48532 -k /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/tl-wr703n-v1-kernel.bin -r /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/tmp/openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin -o /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/tmp/openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin.new -j -X 0x40000 -a 0x4 -s && mv /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/tmp/openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin.new /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/tmp/openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin || rm -f /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/tmp/openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
[mktplinkfw] kernel length aligned to 1176540
[mktplinkfw] *** error: images are too big   ## <--
```

After a successful build:

```
$ ll /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/bin/ar71xx/
total 26M
-rw-rw-r-- 1 i i  960 | 2017-08-28 01:16 | md5sums
-rw-rw-r-- 1 i i 1.5K | 2017-08-28 01:16 | sha256sums
-rw-rw-r-- 1 i i 3.8M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
-rw-rw-r-- 1 i i 3.4M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
-rw-rw-r-- 1 i i 1.6M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-uImage-gzip.bin
-rw-rw-r-- 1 i i 1.2M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-uImage-lzma.bin
-rwxr-xr-x 1 i i 3.4M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-vmlinux.bin*
-rwxr-xr-x 1 i i 3.4M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-vmlinux.elf*
-rwxr-xr-x 1 i i 1.2M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-vmlinux-lzma.elf*
-rw-rw-r-- 1 i i 1.6M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-vmlinux.gz
-rw-rw-r-- 1 i i 1.2M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-vmlinux.lzma
-rw-rw-r-- 1 i i 2.4M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-root.squashfs
-rw-r--r-- 1 i i 2.3M | 2017-08-28 01:16 | openwrt-15.05.1-ar71xx-generic-root.squashfs-64k
```

Packages installed on the OpenWrt image by default:

```
root@OpenWrt:/etc# opkg list-installed | awk '{print $1}'
ChinaDNS
base-files
bind-dig
bind-libs
busybox
curl
dns-forwarder
dnsmasq
dropbear
firewall
fstools
hostapd-common
ip
ip6tables
ipset
iptables
iptables-mod-tproxy
iw
jshn
jsonfilter
kernel
kmod-ath
kmod-ath9k
kmod-ath9k-common
kmod-cfg80211
kmod-crypto-aes
kmod-crypto-arc4
kmod-crypto-core
kmod-gpio-button-hotplug
kmod-ip6tables
kmod-ipt-conntrack
kmod-ipt-core
kmod-ipt-ipset
kmod-ipt-nat
kmod-ipt-tproxy
kmod-ipv6
kmod-lib-crc-ccitt
kmod-mac80211
kmod-nf-conntrack
kmod-nf-conntrack6
kmod-nf-ipt
kmod-nf-ipt6
kmod-nf-nat
kmod-nf-nathelper
kmod-nfnetlink
kmod-nls-base
kmod-ppp
kmod-pppoe
kmod-pppox
kmod-slhc
kmod-usb-core
kmod-usb2
libblobmsg-json
libc
libcurl
libev
libgcc
libip4tc
libip6tc
libiwinfo
libiwinfo-lua
libjson-c
libjson-script
liblua
libmbedtls
libmnl
libnl-tiny
libopenssl
libpcre
libpolarssl
libpthread
libsodium
libubox
libubus
libubus-lua
libuci
libuci-lua
libudns
libxtables
lua
luci
luci-app-chinadns
luci-app-dns-forwarder
luci-app-firewall
luci-app-shadowsocks
luci-base
luci-lib-ip
luci-lib-nixio
luci-mod-admin-full
luci-proto-ipv6
luci-proto-ppp
luci-theme-bootstrap
mtd
netifd
odhcp6c
odhcpd
opkg
ppp
ppp-mod-pppoe
procd
rpcd
shadowsocks-libev
swconfig
uboot-envtools
ubox
ubus
ubusd
uci
uhttpd
uhttpd-mod-ubus
usign
wpad-mini
zlib
```

Remove the IPv6, PPP and LuCI related packages:

```
# opkg list-installed | awk '{print $1}' | grep 6
ip6tables
kmod-ip6tables
kmod-ipv6
kmod-nf-conntrack6
kmod-nf-ipt6
libip6tc
luci-proto-ipv6
odhcp6c
root@OpenWrt:/etc# opkg list-installed | awk '{print $1}' | grep ppp
kmod-ppp
kmod-pppoe
kmod-pppox
luci-proto-ppp
ppp
ppp-mod-pppoe
root@OpenWrt:/etc# opkg list-installed | awk '{print $1}' | grep luci
luci
luci-app-chinadns
luci-app-dns-forwarder
luci-app-firewall
luci-app-shadowsocks
luci-base
luci-lib-ip
luci-lib-nixio
luci-mod-admin-full
luci-proto-ipv6
luci-proto-ppp
luci-theme-bootstrap
root@OpenWrt:/etc# opkg find kmod-pppox
kmod-pppox - 3.18.23-1 - Kernel helper module for PPPoE and PPTP support
root@OpenWrt:/etc# opkg find kmod-nf-ipt6
kmod-nf-ipt6 - 3.18.23-1 - Ip6tables core
root@OpenWrt:/etc# opkg find odhcp6c
odhcp6c - 2015-07-13-024525798c5f6aba3af9b2ef7b3af2f3c14f1db8 - Embedded DHCPv6-client for OpenWrt
```

Packages to exclude (a leading `-` in PACKAGES removes the package from the image):

```
-kmod-ipv6 -libip6tc -odhcp6c -luci-proto-ipv6 -ip6tables -kmod-ip6tables -kmod-nf-ipt6 -ppp -ppp-mod-pppoe -kmod-ppp -kmod-pppoe -kmod-pppox -luci-proto-ppp
```

ADD 'ipset' package

```
$ time make image PROFILE=TLWR703 FILES=files/ PACKAGES="ChinaDNS dns-forwarder shadowsocks-libev ipset ip iptables-mod-tproxy -kmod-ipv6 -libip6tc -odhcp6c -ip6tables -kmod-ip6tables -kmod-nf-ipt6 -kmod-nf-conntrack6 -ppp -ppp-mod-pppoe -kmod-ppp -kmod-pppoe -kmod-pppox -luci*"
$ ll /home/i/openwrt/OpenWrt-ImageBuilder-15.05.1-ar71xx-generic.Linux-x86_64/bin/ar71xx/
total 26M
-rw-rw-r-- 1 i i  960 | 2017-08-29 00:45 | md5sums
-rw-rw-r-- 1 i i 1.5K | 2017-08-29 00:45 | sha256sums
-rw-rw-r-- 1 i i 3.8M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
-rw-rw-r-- 1 i i 3.6M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
-rw-rw-r-- 1 i i 1.6M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-uImage-gzip.bin
-rw-rw-r-- 1 i i 1.2M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-uImage-lzma.bin
-rwxr-xr-x 1 i i 3.4M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-vmlinux.bin*
-rwxr-xr-x 1 i i 3.4M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-vmlinux.elf*
-rwxr-xr-x 1 i i 1.2M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-vmlinux-lzma.elf*
-rw-rw-r-- 1 i i 1.6M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-vmlinux.gz
-rw-rw-r-- 1 i i 1.2M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-vmlinux.lzma
-rw-rw-r-- 1 i i 2.7M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-root.squashfs
-rw-r--r-- 1 i i 2.4M | 2017-08-29 00:45 | openwrt-15.05.1-ar71xx-generic-root.squashfs-64k
$ scp openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin r[email protected]:/tmp
root@wr703n:/tmp# sysupgrade -v openwrt-15.05.1-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
```

reference

Building an OpenWrt firmware with automatic circumvention using ImageBuilder

Packages installed in the OpenWrt firmware:

```
conf_url=http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/config
echo $(wget -qO- "$conf_url" | sed -ne 's/^CONFIG_PACKAGE_\([a-z0-9-]*\)=y/\1/ip')
```

Customising a firmware for the WR703N router with the OpenWrt Image Generator, 2015-11-05

There are two commands for upgrading the firmware:

```
sysupgrade -n -v /tmp/firmware.bin
mtd -r write /tmp/firmware.bin firmware
```

- -n: do not keep the configuration
- -v: verbose output

source build

Building from source:

1. OpenWrt's build system – About
2. OpenWrt build system – Installation
3. OpenWrt build system – Usage
4. OpenWrt build system – Patches

Building an OpenWrt firmware with shadowsocks integrated

To build a firmware for 8M flash, the Makefile and mktplinkfw.c must be modified.

```
Network --->
    <M> ipset
    <M> ipset-dns
```

UCI

https://wiki.openwrt.org/doc/uci

https://wiki.openwrt.org/zh-cn/doc/uci

about

[UCI] OpenWrt uci command system: http://developer.t-firefly.com/forum.php?mod=viewthread&tid=1035

1. UCI commands

For a well-known reason, the various packages under Linux each have their own configuration files, and every configuration file has its own syntax and way of operating. Although this design lets each package play to its own strengths, it also steepens the learning curve. On this point OpenWrt's UCI is clearly a cut above. UCI is short for Unified Configuration Interface and is the configuration parameter management system introduced by OpenWrt. UCI manages the most important system configuration parameters of OpenWrt and provides a simple, easy and standardised interface for working with them. UCI already covers the main parameters a basic router needs: network configuration, wireless configuration, system information and so on. UCI also helps developers quickly build a control interface for smart router products based on OpenWrt.

1. UCI files and flow

All UCI configuration files are stored in the /etc/config directory:

```
root@OpenWrt:~# ls /etc/config/
dhcp      dropbear  firewall  network   system    wireless
```

Many packages already support UCI-style management, though not all of them. A package that supports it starts up like this (taking samba as the example):

1. The init script /etc/init.d/samba runs.
2. The init script obtains its startup parameters from /etc/config/samba through the UCI parsing library.
3. The init script completes a normal start.

Because UCI data files are simple and read well directly, the configuration files can be modified either with uci commands or directly with the vi editor. If both methods are used, note that changes made with uci commands are cached; commit each change promptly to avoid conflicts.

Purpose of the most common UCI configuration files

| File | Purpose |
|---|---|
| /etc/config/dhcp | DHCP service configuration; provides IP addresses on the LAN port |
| /etc/config/dropbear | SSH service configuration |
| /etc/config/firewall | Routing, port forwarding, firewall rules |
| /etc/config/network | The router's own network interface configuration |
| /etc/config/system | Time server and time zone configuration |
| /etc/config/wireless | Wireless network configuration |

syntax

1. UCI file syntax

keyword

Example of UCI file syntax:

```
config 'section-type' 'section'
    option 'key' 'value'
    list 'list_key' 'list_value'
```

| Keyword | Meaning |
|---|---|
| config | section |
| section-type | section type |
| section | section name |

```
config 'example' 'test'
    option 'string' 'some value'
    option 'boolean' '1'
    list 'collection' 'first item'
    list 'collection' 'second item'
```

Source: OpenWrt development and LuCI introduction

Note: UCI file names and identifiers (in `option example test`, `example` is the identifier and `test` is the option's value) may be any string made up of a-z, 0-9 and the underscore _; the hyphen - is not allowed. An option's value may contain any characters.

| Keyword | Meaning |
|---|---|
| option | option (an element within a section) |
| key | key |
| value | value |
| list | list option: a group of parameters in list form |
| list_key | list key |
| list_value | list value |

config section syntax:

```
config 'section-type' 'section'
```

Rules for config sections (called sections below):

- UCI allows anonymous sections that have only a section type
- Enclose the section type and name in single quotes to avoid ambiguity
- A section may contain several option entries or list entries
- A section ends at the end of the file or at the next section

option syntax:

```
option 'key' 'value'
```

Rules for option entries (called options below):

- Enclose the option key and value in single quotes
- Avoid the same option key appearing twice in one section; otherwise only one of them takes effect

list syntax:

```
list 'list_key' 'list_value'
```

Rules for list entries (called lists below):

- Enclose the list key and value in single quotes
- When several list entries share the same key, their values are passed to the program as an array

Syntax that UCI tolerates:

```
option example value
option 'example' value
option example "value"
option "example" 'value'
option 'example' "value"
```

Syntax that UCI does not tolerate:

```
option 'example" "value'
option example some value with space
```

Use ordinary characters when working with UCI; special characters may break the integrity of the data structure.

1. Reading and writing configuration with uci commands

Syntax

```
uci [<options>] <command> [<arguments>]
```

Read/write rules

- A UCI read always consults the in-memory cache first and only then the file
- After add, modify or delete operations the commit command must be run, otherwise the changes exist only in the cache

read

```
# get a section's type
uci get <config>.<section>
# get a value
uci get <config>.<section>.<option>
# show the whole UCI configuration
uci show
# show the configuration of one file
uci show <config>
# show one named section
uci show <config>.<section>
# show one option
uci show <config>.<section>.<option>
# show changes that have not been committed yet
uci changes <config>
# anonymous sections: if the output contains anonymous sections, -X shows their IDs
uci show -X <config>.<section>.<option>
```

write

```
# add an anonymous section to the file
uci add <config> <section-type>
# add a named section to the file
uci set <config>.<section>=<section-type>
# add an option and its value to a section
uci set <config>.<section>.<option>=<value>
# add a value to a list
uci add_list <config>.<section>.<option>=<value>
# change a section's type
uci set <config>.<section>=<section-type>
# change an option's value
uci set <config>.<section>.<option>=<value>
# delete a named section
uci delete <config>.<section>
# delete an option
uci delete <config>.<section>.<option>
```

```
# delete a list
uci delete <config>.<section>.<list>
# delete one value from a list
uci del_list <config>.<section>.<option>=<string>
# commit: every write-type command must eventually be followed by a commit,
# otherwise the changes live only in the cache
uci commit <config>
```
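The file syntax and the anonymous-section naming described above, worked through in code. This is an added example, not code from the guide or from OpenWrt's libuci: it parses the `config`/`option`/`list` format (accepting the tolerated quoting forms and refusing the rejected ones and hyphenated identifiers), renders the result the way `uci show` prints it with the `@type[index]` names the wiki excerpt explains, and runs one check over the dnsmasq section for the `rebind_protection` and `localservice` settings seen in the `/etc/config/dhcp` dump. The sample config and the check's fallback defaults are constructed assumptions.

```python
import re
import shlex
from typing import Dict, List, Optional

IDENT = re.compile(r"^[a-z0-9_]+$")  # identifiers: a-z, 0-9 and '_' only, never '-'


class Section:
    """One `config <type> [<name>]` block; name is None for an anonymous section."""
    def __init__(self, stype: str, name: Optional[str]):
        self.type, self.name = stype, name
        self.options: Dict[str, str] = {}      # duplicate option keys: last one wins
        self.lists: Dict[str, List[str]] = {}  # repeated list keys collect into an array


def parse_uci(text: str) -> List[Section]:
    """Parse UCI file syntax; raises ValueError on the forms the page says UCI rejects."""
    sections: List[Section] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex accepts the tolerated quoting forms ('..', "..", bare); an unclosed quote
        # raises ValueError, the other rejected forms yield the wrong word count below.
        try:
            words = shlex.split(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad quoting ({exc})") from None
        kw = words[0]
        if kw == "config":
            if len(words) not in (2, 3):
                raise ValueError(f"line {lineno}: config needs a type and optional name")
            for ident in words[1:]:
                if not IDENT.match(ident):
                    raise ValueError(f"line {lineno}: invalid identifier {ident!r}")
            sections.append(Section(words[1], words[2] if len(words) == 3 else None))
        elif kw in ("option", "list"):
            if not sections:
                raise ValueError(f"line {lineno}: {kw} outside of any section")
            if len(words) != 3:  # e.g. `option example some value with space`
                raise ValueError(f"line {lineno}: {kw} needs exactly one key and one value")
            key, value = words[1], words[2]
            if not IDENT.match(key):
                raise ValueError(f"line {lineno}: invalid identifier {key!r}")
            if kw == "option":
                sections[-1].options[key] = value
            else:
                sections[-1].lists.setdefault(key, []).append(value)
        else:
            raise ValueError(f"line {lineno}: unknown keyword {kw!r}")
    return sections


def is_valid_uci(text: str) -> bool:
    try:
        parse_uci(text)
        return True
    except ValueError:
        return False


def uci_show(config: str, sections: List[Section]) -> List[str]:
    """Render like `uci show <config>`: anonymous sections print as @type[index],
    the index counting every section of that type in file order."""
    out: List[str] = []
    seen: Dict[str, int] = {}
    for sec in sections:
        idx = seen.get(sec.type, 0)
        seen[sec.type] = idx + 1
        ref = sec.name if sec.name is not None else f"@{sec.type}[{idx}]"
        out.append(f"{config}.{ref}={sec.type}")
        for key, value in sec.options.items():
            out.append(f"{config}.{ref}.{key}='{value}'")
        for key, values in sec.lists.items():
            out.append(f"{config}.{ref}.{key}=" + " ".join(f"'{v}'" for v in values))
    return out


def audit_dnsmasq(sections: List[Section]) -> List[str]:
    """Flag dnsmasq options that weaken the LAN resolver; a missing option is
    treated as the value the page's default dump shows ('1') - an assumption."""
    findings: List[str] = []
    for sec in sections:
        if sec.type != "dnsmasq":
            continue
        if sec.options.get("rebind_protection", "1") != "1":
            findings.append("rebind_protection is off: DNS rebinding answers are not filtered")
        if sec.options.get("localservice", "1") != "1":
            findings.append("localservice is off: the resolver answers queries from any subnet")
    return findings


# Constructed sample in the style of the /etc/config/dhcp dump on the page.
SAMPLE = """\
config dnsmasq
    option rebind_protection "1"
    option localservice 1

config dhcp 'lan'
    option interface 'lan'
    list dhcp_option '6,192.168.1.1'
    list dhcp_option '3,192.168.1.1'

config dhcp 'wan'
    option ignore '1'
"""

if __name__ == "__main__":
    print("\n".join(uci_show("dhcp", parse_uci(SAMPLE))))
```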

example

[UCI primer] FireWRT beginner tutorial: uci network setup commands: http://developer.t-firefly.com/forum.php?mod=viewthread&tid=1014

After flashing OpenWrt onto the FireWRT, if the OpenWrt image has no web management interface installed, the router's network has to be configured first over SSH or telnet; once that is done, the LuCI web interface can be installed with OpenWrt's package manager opkg.

Set the LAN IP (the address used to reach the router):

```
uci set network.lan.ipaddr=[LAN_IP]
```

PPPoE setup:

```
uci set network.wan.proto=pppoe          # set the WAN protocol to pppoe
uci set network.wan.username=[USER]
uci set network.wan.password=[PASSWORD]  # these two lines set the pppoe username and password
```

If the router sits behind an upstream router, the following settings are needed instead:

uci set network.wan.proto=none      # disable the WAN
uci set network.lan.gateway=[IP]    # point the gateway at the upstream router
uci set network.lan.dns=[IP]        # point DNS at the upstream router
uci set dhcp.lan.ignore=1           # disable DHCP on the LAN

Finally, configure the wireless network:

uci set wireless.@wifi-device[0].disabled=0      # enable the radio
uci set wireless.@wifi-device[0].txpower=17      # transmit power 17 dBm; setting it too high will burn out the wireless module
uci set wireless.@wifi-device[0].channel=6       # wireless channel 6
uci set wireless.@wifi-iface[0].mode=ap          # wireless mode AP
uci set wireless.@wifi-iface[0].ssid=[SSID]      # wireless SSID
uci set wireless.@wifi-iface[0].network=lan      # attach the wireless interface to the LAN
uci set wireless.@wifi-iface[0].encryption=psk2  # WPA2-PSK encryption
uci set wireless.@wifi-iface[0].key=[password]   # wireless password

Commit and apply the configuration:

uci commit                     # apply
/etc/init.d/network restart    # restart the network service

Install the LuCI management interface:

opkg update                    # refresh the package lists
opkg list-installed            # list installed packages
opkg install luci              # install LuCI
opkg install luci-i18n-chinese # Chinese language support

That completes the LuCI installation.

Run the following commands to start the uhttpd web server and enable it at boot:

/etc/init.d/uhttpd enable
/etc/init.d/uhttpd start


keep practice

shadowsocks UCI manual: https://sourceforge.net/p/openwrt-dist/wiki/UCI/

Show the current UCI configuration file:

uci export shadowsocks

Change or add an option:

uci set shadowsocks.@shadowsocks[-1].option='value'

Delete an option:

uci delete shadowsocks.@shadowsocks[-1].option

Commit the changes to the UCI configuration file; they take effect only after the commit:

uci commit shadowsocks


WHAT

Dependencies among the services:

dns-forwarder queries 8.8.8.8 over TCP and serves as the upstream for ChinaDNS, replacing the old scheme in which ss-tunnel queried 8.8.8.8 over UDP; the GFW interferes with UDP and the packet loss is severe.

repo

OpenWrt-dist is a package depot for OpenWrt/LEDE devices.

http://openwrt-dist.sourceforge.net/packages/

OpenWrt-dist provides the ChinaDNS, dns-forwarder, shadowsocks-libev and simple-obfs packages.

But http://openwrt-dist.sourceforge.net/ is blocked, so we have to host our own package repository:


1. Install the httpd web server package

2. Download the packages for the matching CPU architecture

so easy

Install and start the httpd service on the VPS:

yum install -y httpd && service httpd start

Check the router's CPU architecture:

root@OpenWrt:~# opkg print-architecture
arch all 1
arch noarch 1
arch ar71xx 10
root@OpenWrt:~# opkg print-architecture | tail -n 1 | awk '{print $2}'
ar71xx
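The tail -n 1 trick above only works because the device-specific architecture happens to be printed last. As an added example (not part of the guide), the following POSIX shell picks the architecture with the highest priority value instead, and builds the two src/gz feed lines for /etc/opkg.conf from it. The sample outputs are constructed, and the mirror URL http://mirror.example is a placeholder for your own httpd host:

```shell
#!/bin/sh
# Added example, not from the guide: choose the opkg architecture by priority
# rather than by line order, then derive the feed lines from it.

# Constructed sample, matching the OpenWrt output shown in the guide
SAMPLE_ARCHES="arch all 1
arch noarch 1
arch ar71xx 10"

# Constructed sample in a different order: here `tail -n 1` would pick 'noarch'
SAMPLE_REORDERED="arch mipsel_24kc 10
arch all 1
arch noarch 1"

best_arch() {
    # best_arch <print-architecture output>: print the arch with the highest priority.
    # 'all'/'noarch' carry priority 1; the device architecture carries a higher one.
    printf '%s\n' "$1" | awk '
        $1 == "arch" && $3 + 0 > max { max = $3 + 0; best = $2 }
        END { print best }'
}

opkg_feed_lines() {
    # opkg_feed_lines <arch> <mirror-base-url> <OpenWrt|LEDE>: the two src/gz lines
    # the guide appends to /etc/opkg.conf, built from the detected architecture
    printf 'src/gz openwrt_dist %s/packages/%s/base/%s\n' "$2" "$3" "$1"
    printf 'src/gz openwrt_dist_luci %s/packages/%s/luci\n' "$2" "$3"
}

# On the router itself (assumption: run as root where opkg is available):
#   arch=$(best_arch "$(opkg print-architecture)")
#   opkg_feed_lines "$arch" http://mirror.example OpenWrt >> /etc/opkg.conf
echo "sample:    $(best_arch "$SAMPLE_ARCHES")"
echo "reordered: $(best_arch "$SAMPLE_REORDERED")"
opkg_feed_lines "$(best_arch "$SAMPLE_ARCHES")" http://mirror.example OpenWrt
```

Feeding the reordered sample to the guide's pipeline returns noarch, which would make opkg look for a directory that does not exist on the mirror; selecting by priority returns mipsel_24kc either way.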

Download the OpenWrt repository for that CPU architecture, plus the public key, into the httpd directory:

arch=ar71xx
opkg_key="http://openwrt-dist.sourceforge.net/packages/openwrt-dist.pub"
luci_repo="http://openwrt-dist.sourceforge.net/packages/OpenWrt/luci/"
base_repo="http://openwrt-dist.sourceforge.net/packages/OpenWrt/base/${arch}/"
cd /var/www/html/
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." "$luci_repo"
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." "$base_repo"
wget -c -nv "$opkg_key" -O /var/www/html/packages/openwrt-dist.pub

# du -sh /var/www/html/packages/
744K    /var/www/html/packages/
# tree /var/www/html/packages/
/var/www/html/packages/
├── OpenWrt
│   ├── base
│   │   └── ar71xx
│   │       ├── ChinaDNS_1.3.2-5_ar71xx.ipk
│   │       ├── dns-forwarder_1.2.1-1_ar71xx.ipk
│   │       ├── libmbedtls_2.5.1-2_ar71xx.ipk
│   │       ├── libsodium_1.0.12-1_ar71xx.ipk
│   │       ├── libudns_0.4-1_ar71xx.ipk
│   │       ├── Packages
│   │       ├── Packages.gz
│   │       ├── Packages.sig
│   │       ├── shadowsocks-libev_3.0.8-1_ar71xx.ipk
│   │       ├── shadowsocks-libev-server_3.0.8-1_ar71xx.ipk
│   │       ├── ShadowVPN_0.2.0-1_ar71xx.ipk
│   │       ├── simple-obfs_0.0.3-1_ar71xx.ipk
│   │       └── simple-obfs-server_0.0.3-1_ar71xx.ipk
│   └── luci
│       ├── luci-app-chinadns_1.6.1-1_all.ipk
│       ├── luci-app-dns-forwarder_1.6.1-1_all.ipk
│       ├── luci-app-shadowsocks_1.8.1-1_all.ipk
│       ├── luci-app-shadowsocks-without-ipset_1.8.1-1_all.ipk
│       ├── luci-app-shadowvpn_1.6.1-1_all.ipk
│       ├── Packages
│       ├── Packages.gz
│       └── Packages.sig
└── openwrt-dist.pub

4 directories, 22 files

Download the LEDE repository for the CPU architecture, plus the public key, into the httpd directory:

root@LEDE:~# arch=$(opkg print-architecture | tail -n 1 | awk '{print $2}')
root@LEDE:~# echo $arch
mipsel_24kc

arch=mipsel_24kc
opkg_key="http://openwrt-dist.sourceforge.net/packages/openwrt-dist.pub"
luci_repo="http://openwrt-dist.sourceforge.net/packages/LEDE/luci/"
base_repo="http://openwrt-dist.sourceforge.net/packages/LEDE/base/${arch}/"
cd /var/www/html
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." "$luci_repo"
wget -c -m -np -nv -nH -e robots=off -R html --reject-regex "\?.=.;.=." "$base_repo"
wget -c -nv "$opkg_key" -O /var/www/html/packages/openwrt-dist.pub

# tree /var/www/html/packages/LEDE/
/var/www/html/packages/LEDE/
├── base
│   └── mipsel_24kc
│       ├── ChinaDNS_1.3.2-5_mipsel_24kc.ipk
│       ├── dns-forwarder_1.2.1-1_mipsel_24kc.ipk
│       ├── libcares_1.13.0-1_mipsel_24kc.ipk
│       ├── libmbedtls_2.5.1-2_mipsel_24kc.ipk
│       ├── libsodium_1.0.12-1_mipsel_24kc.ipk
│       ├── libudns_0.4-1_mipsel_24kc.ipk
│       ├── Packages
│       ├── Packages.gz
│       ├── Packages.manifest
│       ├── Packages.sig
│       ├── shadowsocks-libev_3.1.0-1_mipsel_24kc.ipk
│       ├── shadowsocks-libev-server_3.1.0-1_mipsel_24kc.ipk
│       ├── ShadowVPN_0.2.0-1_mipsel_24kc.ipk
│       ├── simple-obfs_0.0.3-2_mipsel_24kc.ipk
│       └── simple-obfs-server_0.0.3-2_mipsel_24kc.ipk
└── luci
    ├── luci-app-chinadns_1.6.1-1_all.ipk
    ├── luci-app-dns-forwarder_1.6.1-1_all.ipk
    ├── luci-app-shadowsocks_1.8.1-1_all.ipk
    ├── luci-app-shadowsocks-without-ipset_1.8.1-1_all.ipk
    ├── luci-app-shadowvpn_1.6.1-1_all.ipk
    ├── Packages
    ├── Packages.gz
    ├── Packages.manifest
    └── Packages.sig

3 directories, 24 files

TP-Link WR703N


Import the openwrt-dist.pub public key into opkg:

wget http://fuckgfw.com/packages/openwrt-dist.pub -O /tmp/openwrt-dist.pub
cat /tmp/openwrt-dist.pub
opkg-key add /tmp/openwrt-dist.pub

root@OpenWrt:/# wget http://fuckgfw.com/packages/openwrt-dist.pub -O /tmp/openwrt-dist.pub
Connecting to fuckgfw.com (45.67.89.10:80)
openwrt-dist.pub     100% |****************************************|   104   0:00:00 ETA
root@OpenWrt:/# cat /tmp/openwrt-dist.pub
untrusted comment: public key 5c42250627d305bc
RWRcQiUGJ9MFvK9/3ma8yAZebnrCfGvZJN/qbjaVozu6Ey9+Ihgnggae
root@OpenWrt:/# opkg-key add /tmp/openwrt-dist.pub
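The key is fetched over plain HTTP from the self-hosted mirror, so whoever can tamper with that download can substitute their own key, and check_signature 1 would then happily accept their packages. The defence is to pin the key ID obtained out of band (from the upstream project page) and refuse the import when the downloaded file does not carry it. As an added example (not part of the guide), the POSIX shell below extracts the key ID both from the "untrusted comment" line and from the key material itself (a usign key decodes to the 2-byte algorithm tag "Ed", an 8-byte key ID and the 32-byte Ed25519 key), because the comment line is free text and proves nothing on its own. The sample key is a copy of the one printed above; the tampered key is constructed:

```shell
#!/bin/sh
# Added example, not from the guide: pin the openwrt-dist signing key before
# running `opkg-key add`. Requires base64(1) and od(1).

# Copy of the key file as printed in the guide
SAMPLE_KEY="untrusted comment: public key 5c42250627d305bc
RWRcQiUGJ9MFvK9/3ma8yAZebnrCfGvZJN/qbjaVozu6Ey9+Ihgnggae"

# Constructed tampered key: same comment line, unrelated (all-zero) key material.
# A check that only reads the comment would pass it.
TAMPERED_KEY="untrusted comment: public key 5c42250627d305bc
RWQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

key_id_from_comment() {
    # key_id_from_comment <key file contents>: the hex ID claimed on line 1
    printf '%s\n' "$1" | sed -n '1s/.*public key \([0-9a-f]*\)$/\1/p'
}

key_id_from_material() {
    # key_id_from_material <key file contents>: the hex ID embedded in line 2.
    # Decoded layout: bytes 1-2 "Ed", bytes 3-10 key ID, bytes 11-42 public key,
    # so the key ID is hex characters 5..20 of the decoded data.
    printf '%s\n' "$1" | sed -n '2p' | base64 -d | od -An -tx1 -v \
        | tr -d ' \n' | cut -c5-20
}

verify_pinned_key() {
    # verify_pinned_key <key file contents> <expected key id>: succeeds only when
    # the comment and the embedded key ID both equal the pinned value
    [ "$(key_id_from_comment "$1")" = "$2" ] && [ "$(key_id_from_material "$1")" = "$2" ]
}

# On the router, after the wget above (assumption: the pinned ID was obtained
# from the upstream project, not from the mirror being verified):
#   verify_pinned_key "$(cat /tmp/openwrt-dist.pub)" 5c42250627d305bc \
#       && opkg-key add /tmp/openwrt-dist.pub
verify_pinned_key "$SAMPLE_KEY" 5c42250627d305bc \
    && echo "sample key: pinned ID matches, safe to import"
verify_pinned_key "$TAMPERED_KEY" 5c42250627d305bc \
    || echo "tampered key: comment matches but key material does not, refusing import"
```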

Update the package lists:

root@OpenWrt:/tmp# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
src/gz openwrt_dist http://fuckgfw.com/packages/OpenWrt/base/ar71xx
src/gz openwrt_dist_luci http://fuckgfw.com/packages/OpenWrt/luci

root@OpenWrt:~# opkg update
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/Packages.gz.
Updated list of available packages in /var/opkg-lists/openwrt_dist.
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/Packages.sig.
Signature check passed.
Downloading http://fuckgfw.com/packages/OpenWrt/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/openwrt_dist_luci.
Downloading http://fuckgfw.com/packages/OpenWrt/luci/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_base.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_luci.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_packages.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_routing.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_telephony.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_management.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management/Packages.sig.
Signature check passed.

Install the packages:

root@OpenWrt:~# opkg install curl bind-dig ChinaDNS luci-app-chinadns dns-forwarder luci-app-dns-forwarder shadowsocks-libev luci-app-shadowsocks
Installing curl (7.40.0-3) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/curl_7.40.0-3_ar71xx.ipk.
Installing libcurl (7.40.0-3) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libcurl_7.40.0-3_ar71xx.ipk.
Installing libpolarssl (1.3.14-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libpolarssl_1.3.14-1_ar71xx.ipk.
Installing bind-dig (9.9.8-P3-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/bind-dig_9.9.8-P3-1_ar71xx.ipk.
Installing bind-libs (9.9.8-P3-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/bind-libs_9.9.8-P3-1_ar71xx.ipk.
Installing libopenssl (1.0.2g-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libopenssl_1.0.2g-1_ar71xx.ipk.
Installing zlib (1.2.8-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/zlib_1.2.8-1_ar71xx.ipk.
Installing ChinaDNS (1.3.2-5) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/ChinaDNS_1.3.2-5_ar71xx.ipk.
Installing luci-app-chinadns (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-chinadns_1.6.1-1_all.ipk.
Installing dns-forwarder (1.2.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/dns-forwarder_1.2.1-1_ar71xx.ipk.
Installing luci-app-dns-forwarder (1.6.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-dns-forwarder_1.6.1-1_all.ipk.
Installing shadowsocks-libev (3.0.8-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/shadowsocks-libev_3.0.8-1_ar71xx.ipk.
Installing libev (4.19-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/libev_4.19-1_ar71xx.ipk.
Installing libudns (0.4-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libudns_0.4-1_ar71xx.ipk.
Installing libpcre (8.38-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/libpcre_8.38-1_ar71xx.ipk.
Installing libpthread (0.9.33.2-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libpthread_0.9.33.2-1_ar71xx.ipk.
Installing libsodium (1.0.12-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libsodium_1.0.12-1_ar71xx.ipk.
Installing libmbedtls (2.5.1-2) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/base/ar71xx/libmbedtls_2.5.1-2_ar71xx.ipk.
Installing luci-app-shadowsocks (1.8.1-1) to root...
Downloading http://fuckgfw.com/packages/OpenWrt/luci/luci-app-shadowsocks_1.8.1-1_all.ipk.
Installing ipset (6.24-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/ipset_6.24-1_ar71xx.ipk.
Installing kmod-ipt-ipset (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-ipt-ipset_3.18.23-1_ar71xx.ipk.
Installing kmod-nfnetlink (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-nfnetlink_3.18.23-1_ar71xx.ipk.
Installing libmnl (1.0.3-2) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libmnl_1.0.3-2_ar71xx.ipk.
Configuring zlib.
Configuring libev.
Configuring libudns.
Configuring libpcre.
Configuring libpthread.
Configuring libsodium.
Configuring libmbedtls.
Configuring shadowsocks-libev.
Configuring kmod-nfnetlink.
Configuring libpolarssl.
Configuring libcurl.
Configuring libmnl.
Configuring ChinaDNS.
Configuring luci-app-chinadns.
Configuring curl.
Configuring dns-forwarder.
Configuring kmod-ipt-ipset.
Configuring ipset.
Configuring libopenssl.
Configuring bind-libs.
Configuring luci-app-dns-forwarder.
Configuring bind-dig.
Configuring luci-app-shadowsocks.

The packages take up roughly 3M of space:

root@OpenWrt:~# df -hT
Filesystem           Type       Size      Used Available Use% Mounted on
rootfs               rootfs    12.5M      3.3M      9.2M  26% /
/dev/root            squashfs   2.3M      2.3M         0 100% /rom
tmpfs                tmpfs     29.8M    664.0K     29.2M   2% /tmp
tmpfs                tmpfs     29.8M     44.0K     29.8M   0% /tmp/root
tmpfs                tmpfs    512.0K         0    512.0K   0% /dev
/dev/mtdblock3       jffs2     12.5M      3.3M      9.2M  26% /overlay
overlayfs:/overlay   overlay   12.5M      3.3M      9.2M  26% /

UDP proxying in ss-redir depends on the ip and iptables-mod-tproxy packages:

root@OpenWrt:~# opkg find ip
ip - 4.0.0-1 - Routing control utility (Minimal)
root@OpenWrt:~# opkg find ip-full
ip-full - 4.0.0-1 - Routing control utility (Full)
root@OpenWrt:~# opkg find *tproxy*
iptables-mod-tproxy - 1.4.21-1 - Transparent proxy iptables extensions.
 Matches:
 - socket
 Targets:
 - TPROXY
kmod-ipt-tproxy - 3.18.23-1 - Kernel modules for Transparent Proxying
root@OpenWrt:~# opkg install ip iptables-mod-tproxy
Installing ip (4.0.0-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/ip_4.0.0-1_ar71xx.ipk.
Installing iptables-mod-tproxy (1.4.21-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/iptables-mod-tproxy_1.4.21-1_ar71xx.ipk.
Installing kmod-ipt-tproxy (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-ipt-tproxy_3.18.23-1_ar71xx.ipk.
Configuring ip.
Configuring kmod-ipt-tproxy.
failed to find a module named nf_tproxy_core
Configuring iptables-mod-tproxy.

config

Default configuration:

root@OpenWrt:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'

root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

root@OpenWrt:/tmp# uci show dns-forwarder
dns-forwarder.@dns-forwarder[0]=dns-forwarder
dns-forwarder.@dns-forwarder[0].enable='0'
dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
dns-forwarder.@dns-forwarder[0].listen_port='5300'
dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
root@OpenWrt:/tmp# uci show chinadns
chinadns.@chinadns[0]=chinadns
chinadns.@chinadns[0].enable='0'
chinadns.@chinadns[0].bidirectional='0'
chinadns.@chinadns[0].chnroute='/etc/chinadns_chnroute.txt'
chinadns.@chinadns[0].port='5353'
chinadns.@chinadns[0].server='223.5.5.5,8.8.4.4'

root@OpenWrt:/tmp# uci show shadowsocks
shadowsocks.@general[0]=general
shadowsocks.@general[0].startup_delay='0'
shadowsocks.@transparent_proxy[0]=transparent_proxy
shadowsocks.@transparent_proxy[0].main_server='nil'
shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
shadowsocks.@transparent_proxy[0].local_port='1234'
shadowsocks.@socks5_proxy[0]=socks5_proxy
shadowsocks.@socks5_proxy[0].server='nil'
shadowsocks.@socks5_proxy[0].local_port='1080'
shadowsocks.@port_forward[0]=port_forward
shadowsocks.@port_forward[0].server='nil'
shadowsocks.@port_forward[0].local_port='5300'
shadowsocks.@port_forward[0].destination='8.8.4.4:53'
shadowsocks.@servers[0]=servers
shadowsocks.@servers[0].alias='sample'
shadowsocks.@servers[0].fast_open='0'
shadowsocks.@servers[0].server='127.0.0.1'
shadowsocks.@servers[0].server_port='8388'
shadowsocks.@servers[0].timeout='60'
shadowsocks.@servers[0].password='barfoo!'
shadowsocks.@servers[0].encrypt_method='rc4-md5'
shadowsocks.@access_control[0]=access_control
shadowsocks.@access_control[0].self_proxy='1'

root@OpenWrt:~# cat /etc/config/dns-forwarder
config dns-forwarder
	option enable '0'
	option listen_addr '0.0.0.0'
	option listen_port '5300'
	option dns_servers '8.8.8.8'

root@OpenWrt:~# cat /etc/config/chinadns
config chinadns
	option enable '0'
	option bidirectional '0'
	option chnroute '/etc/chinadns_chnroute.txt'
	option port '5353'
	option server '223.5.5.5,8.8.4.4'

root@OpenWrt:~# cat /etc/config/shadowsocks
config general
	option startup_delay '0'

config transparent_proxy
	list main_server 'nil'
	option udp_relay_server 'nil'
	option local_port '1234'

config socks5_proxy
	list server 'nil'
	option local_port '1080'

config port_forward
	list server 'nil'
	option local_port '5300'
	option destination '8.8.4.4:53'

config servers
	option alias 'sample'
	option fast_open '0'
	option server '127.0.0.1'
	option server_port '8388'
	option timeout '60'
	option password 'barfoo!'
	option encrypt_method 'rc4-md5'

config access_control
	option self_proxy '1'

Configure the dnsmasq service:

uci set dhcp.@dnsmasq[0].nohosts=1
uci set dhcp.@dnsmasq[0].noresolv=1
uci set dhcp.@dnsmasq[0].local=127.0.0.1#5353
uci changes
uci commit

root@OpenWrt:~# uci set dhcp.@dnsmasq[0].nohosts=1
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].noresolv=1
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].local=127.0.0.1#5353
root@OpenWrt:~# uci changes
dhcp.cfg02411c.nohosts='1'
dhcp.cfg02411c.noresolv='1'
dhcp.cfg02411c.local='127.0.0.1#5353'
root@OpenWrt:~# uci commit

TODO: turn off "Use DNS servers advertised by peer" so that the upstream router cannot assign DNS servers when the WAN interface connects:

Reference: OpenWrt Router, 2017-02-17

uci set network.wan.peerdns=0

Configure the shadowsocks service:

uci set shadowsocks.@servers[0].server=45.67.89.10
uci set shadowsocks.@servers[0].server_port=12345
uci set shadowsocks.@servers[0].password=SS_SRV_PASS
uci set shadowsocks.@servers[0].encrypt_method=rc4-md5
uci set shadowsocks.@transparent_proxy[0].main_server=cfg0a4a8f
uci set shadowsocks.@access_control[0].lan_target=SS_SPEC_WAN_AC
uci set shadowsocks.@access_control[0].wan_bp_list=/etc/chinadns_chnroute.txt
uci changes
uci commit

root@OpenWrt:~# uci set shadowsocks.@servers[0].server=45.67.89.10
root@OpenWrt:~# uci set shadowsocks.@servers[0].server_port=12345
root@OpenWrt:~# uci set shadowsocks.@servers[0].password=SS_SRV_PASS
root@OpenWrt:~# uci set shadowsocks.@servers[0].encrypt_method=rc4-md5
root@OpenWrt:~#
root@OpenWrt:~# uci set shadowsocks.@transparent_proxy[0].main_server=cfg0a4a8f
root@OpenWrt:~#
root@OpenWrt:~# uci set shadowsocks.@access_control[0].lan_target=SS_SPEC_WAN_AC
root@OpenWrt:~# uci set shadowsocks.@access_control[0].wan_bp_list=/etc/chinadns_chnroute.txt
root@OpenWrt:~# uci changes
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='V_VL_Fuck_GFW'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'
shadowsocks.cfg0c4417.lan_target='SS_SPEC_WAN_AC'
shadowsocks.cfg0c4417.wan_bp_list='/etc/chinadns_chnroute.txt'
root@OpenWrt:~# uci commit

Configure the dns-forwarder service:

uci set dns-forwarder.@dns-forwarder[0].enable=1
uci set dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
uci set dns-forwarder.@dns-forwarder[0].listen_port='5300'
uci set dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
uci changes
uci commit

root@OpenWrt:/tmp# uci set dns-forwarder.@dns-forwarder[0].enable=1
root@OpenWrt:/tmp# uci changes
dns-forwarder.cfg02e1e3.enable='1'
root@OpenWrt:/tmp# uci commit

Configure the ChinaDNS service:

uci set chinadns.@chinadns[0].enable=1
uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
uci changes
uci commit

root@OpenWrt:/tmp# uci set chinadns.@chinadns[0].enable=1
root@OpenWrt:/tmp# uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
root@OpenWrt:/tmp# uci changes
chinadns.cfg0265ad.enable='1'
chinadns.cfg0265ad.server='223.5.5.5,127.0.0.1:5300'
root@OpenWrt:/tmp# uci commit
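The three services above only protect resolution when they are chained consistently: dnsmasq must stop reading resolv.conf and forward to ChinaDNS on 5353, and ChinaDNS must list dns-forwarder on 5300 as its foreign upstream. If any link is wrong, queries silently go to resolvers the GFW can tamper with, and nothing in the uci commit output tells you so. As an added example (not part of the guide), the POSIX shell below parses uci show dumps for the three configs and reports every broken link; the dumps are constructed from the values the guide uses, and on a router you would pass it "$(uci show dhcp)", "$(uci show chinadns)" and "$(uci show dns-forwarder)" instead:

```shell
#!/bin/sh
# Added example, not from the guide: consistency check for the
# dnsmasq -> ChinaDNS -> dns-forwarder chain, run over `uci show` output.

uci_get() {
    # uci_get <uci show dump> <key>: the unquoted value of <key>, empty if absent
    printf '%s\n' "$1" | awk -v k="$2" -v q="'" '
        index($0, k "=") == 1 {
            v = substr($0, length(k) + 2)   # text after "key="
            gsub(q, "", v)                  # strip the quotes uci show adds
            print v
            exit
        }'
}

check_dns_chain() {
    # check_dns_chain <dhcp dump> <chinadns dump> <dns-forwarder dump>
    # Prints one line per problem; returns 0 only when the chain is consistent.
    rc=0
    noresolv=$(uci_get "$1" 'dhcp.@dnsmasq[0].noresolv')
    upstream=$(uci_get "$1" 'dhcp.@dnsmasq[0].local')    # becomes dnsmasq's server= line
    cdns_en=$(uci_get "$2" 'chinadns.@chinadns[0].enable')
    cdns_port=$(uci_get "$2" 'chinadns.@chinadns[0].port')
    cdns_srv=$(uci_get "$2" 'chinadns.@chinadns[0].server')
    fwd_en=$(uci_get "$3" 'dns-forwarder.@dns-forwarder[0].enable')
    fwd_port=$(uci_get "$3" 'dns-forwarder.@dns-forwarder[0].listen_port')

    if [ "$noresolv" != "1" ]; then
        echo "dnsmasq still reads resolv.conf: the ISP/upstream resolvers stay in use"; rc=1
    fi
    if [ "$upstream" != "127.0.0.1#$cdns_port" ]; then
        echo "dnsmasq upstream '$upstream' is not ChinaDNS (127.0.0.1#$cdns_port)"; rc=1
    fi
    if [ "$cdns_en" != "1" ]; then
        echo "ChinaDNS is disabled"; rc=1
    fi
    case ",$cdns_srv," in
        *",127.0.0.1:$fwd_port,"*) ;;
        *) echo "ChinaDNS servers '$cdns_srv' do not include dns-forwarder (127.0.0.1:$fwd_port)"; rc=1 ;;
    esac
    if [ "$fwd_en" != "1" ]; then
        echo "dns-forwarder is disabled"; rc=1
    fi
    return $rc
}

# Constructed dumps: the state after the guide's uci set / uci commit steps
DHCP_OK="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].nohosts='1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].local='127.0.0.1#5353'"
CHINADNS_OK="chinadns.@chinadns[0]=chinadns
chinadns.@chinadns[0].enable='1'
chinadns.@chinadns[0].port='5353'
chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'"
FWD_OK="dns-forwarder.@dns-forwarder[0]=dns-forwarder
dns-forwarder.@dns-forwarder[0].enable='1'
dns-forwarder.@dns-forwarder[0].listen_port='5300'"

# Constructed dumps: the stock defaults shown in the guide, before any uci set
DHCP_DEFAULT="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].local='/lan/'"
CHINADNS_DEFAULT="chinadns.@chinadns[0]=chinadns
chinadns.@chinadns[0].enable='0'
chinadns.@chinadns[0].port='5353'
chinadns.@chinadns[0].server='223.5.5.5,8.8.4.4'"

check_dns_chain "$DHCP_OK" "$CHINADNS_OK" "$FWD_OK" \
    && echo "chain OK: dnsmasq -> ChinaDNS:5353 -> dns-forwarder:5300 -> 8.8.8.8 over TCP"
check_dns_chain "$DHCP_DEFAULT" "$CHINADNS_DEFAULT" "$FWD_OK" \
    || echo "stock defaults: chain broken"
```

The default ChinaDNS server list (223.5.5.5,8.8.4.4) is the case worth noticing: it looks complete, but 8.8.4.4 is queried directly over UDP, which is exactly the path the WHAT section says the GFW disrupts.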

Start the shadowsocks service:

/etc/init.d/shadowsocks enable
/etc/init.d/shadowsocks start
pgrep -lf ss
netstat -lntpu | grep ss

root@OpenWrt:~# /etc/init.d/shadowsocks enable
root@OpenWrt:~# /etc/init.d/shadowsocks start
2017-08-27 02:14:01 INFO: set MTU to 1492
root@OpenWrt:~# pgrep -lf ss
296 ss-redir -c /var/etc/shadowsocks.cfg0a4a8f.json -l 1234 --mtu 1492 -f /var/run/ss-redir-cfg0a4a8f.pid
root@OpenWrt:~# netstat -lntpu | grep ss
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      296/ss-redir

Start the dns-forwarder service:

/etc/init.d/dns-forwarder enable
/etc/init.d/dns-forwarder start
pgrep -lf dns-forwarder
netstat -lntpu | grep dns-forwarder

root@OpenWrt:~# /etc/init.d/dns-forwarder enable
root@OpenWrt:~# /etc/init.d/dns-forwarder start
root@OpenWrt:~# pgrep -lf dns-forwarder
3180 /usr/bin/dns-forwarder -b 0.0.0.0 -p 5300 -s 8.8.8.8
root@OpenWrt:~# netstat -lntpu | grep dns-for
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:5300            0.0.0.0:*                           3180/dns-forwarder

Start the ChinaDNS service:

/etc/init.d/chinadns enable
/etc/init.d/chinadns start
pgrep -lf chinadns
netstat -lntpu | grep chinadns

root@OpenWrt:~# /etc/init.d/chinadns enable
root@OpenWrt:~# /etc/init.d/chinadns start
root@OpenWrt:~# pgrep -lf chinadns
3241 /usr/bin/chinadns -m -p 5353 -s 223.5.5.5,127.0.0.1:5300 -c /etc/chinadns_chnroute.txt
root@OpenWrt:~# netstat -lntpu | grep chinadns
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3241/chinadns

Test DNS resolution:

root@OpenWrt:~# [email protected]
8.7.198.45
root@OpenWrt:~# [email protected]
162.125.248.1
root@OpenWrt:~# [email protected]
162.125.248.1
root@OpenWrt:~# dig +short dropbox.com
162.125.248.1

Restart the dnsmasq service:

root@OpenWrt:~# cat /var/etc/dnsmasq.conf
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
dhcp-range=lan,192.168.12.100,192.168.12.249,255.255.255.0,12h
no-dhcp-interface=eth0
root@OpenWrt:~# /etc/init.d/dnsmasq restart
root@OpenWrt:~# cat /var/etc/dnsmasq.conf
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
no-hosts
no-resolv
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=127.0.0.1#5353
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
dhcp-range=lan,192.168.12.100,192.168.12.249,255.255.255.0,12h
no-dhcp-interface=eth0

Xiaomi Nano

repo

Note: the network cable must be plugged into the LAN port for SSH to work.

[email protected]
BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.2, r3435-65eec8bd5f)
    \________\/    -----------------------------------------------------------

 === WARNING! =====================================
 There is no root password defined on this device!
 Use the "passwd" command to set up a new password
 in order to prevent unauthorized SSH logins.
 --------------------------------------------------
root@LEDE:~# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      842/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1005/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1027/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      842/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      1005/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      1027/dropbear
root@LEDE:~# df -hT
Filesystem           Type       Size      Used Available Use% Mounted on
/dev/root            squashfs   2.3M      2.3M         0 100% /rom
tmpfs                tmpfs     29.8M    428.0K     29.4M   1% /tmp
tmpfs                tmpfs     29.8M     52.0K     29.8M   0% /tmp/root
tmpfs                tmpfs    512.0K         0    512.0K   0% /dev
/dev/mtdblock6       jffs2      4.3M    276.0K      4.0M   6% /overlay
overlayfs:/overlay   overlay    4.3M    276.0K      4.0M   6% /

Install the packages:

arch=mipsel_24kc
echo "src/gz openwrt_dist http://fuckgfw.com/packages/LEDE/base/${arch}
src/gz openwrt_dist_luci http://fuckgfw.com/packages/LEDE/luci" >> /etc/opkg.conf
cat /etc/opkg.conf

root@LEDE:~# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
src/gz openwrt_dist http://fuckgfw.com/packages/LEDE/base/mipsel_24kc
src/gz openwrt_dist_luci http://fuckgfw.com/packages/LEDE/luci
root@LEDE:~# wget http://fuckgfw.com/packages/openwrt-dist.pub -O /tmp/openwrt-dist.pub
Downloading 'http://fuckgfw.com/packages/openwrt-dist.pub'
Connecting to 45.67.89.10:80
Writing to '/tmp/openwrt-dist.pub'
/tmp/openwrt-dist.pu 100% |*******************************|   104   0:00:00 ETA
Download completed (104 bytes)
root@LEDE:~# opkg-key add /tmp/openwrt-dist.pub

root@LEDE:~# opkg update
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/Packages.sig
Signature check passed.
Downloading http://fuckgfw.com/packages/LEDE/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist_luci
Downloading http://fuckgfw.com/packages/LEDE/luci/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_core
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_base
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_luci
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/luci/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_packages
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_routing
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/routing/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_telephony
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/telephony/Packages.sig
Signature check passed.

root@LEDE:~#opkginstallbind-digChinaDNSluci-app-chinadnsdns-forwarder

luci-app-dns-forwardershadowsocks-libevluci-app-shadowsockssimple-obfs

ip-fulliptables-mod-tproxy

Installingbind-dig(9.10.4-P5-1)toroot...

Downloadinghttp://downloads.lede-project.org/releases/17.01.2/packages/mip

sel_24kc/packages/bind-dig_9.10.4-P5-1_mipsel_24kc.ipk

Installingzlib(1.2.11-1)toroot...

Downloadinghttp://downloads.lede-project.org/releases/17.01.2/packages/mip

sel_24kc/base/zlib_1.2.11-1_mipsel_24kc.ipk

Installinglibopenssl(1.0.2k-1)toroot...

Downloadinghttp://downloads.lede-project.org/releases/17.01.2/packages/mip

sel_24kc/base/libopenssl_1.0.2k-1_mipsel_24kc.ipk

Installingbind-libs(9.10.4-P5-1)toroot...

Downloadinghttp://downloads.lede-project.org/releases/17.01.2/packages/mip

sel_24kc/packages/bind-libs_9.10.4-P5-1_mipsel_24kc.ipk

InstallingChinaDNS(1.3.2-5)toroot...

Downloadinghttp://fuckgfw.com/packages/LEDE/base/mipsel_24kc/ChinaDNS_1.3.

2-5_mipsel_24kc.ipk

Installingluci-app-chinadns(1.6.1-1)toroot...

Downloadinghttp://fuckgfw.com/packages/LEDE/luci/luci-app-chinadns_1.6.1-1

_all.ipk

Installingdns-forwarder(1.2.1-1)toroot...

Downloadinghttp://fuckgfw.com/packages/LEDE/base/mipsel_24kc/dns-forwarder

_1.2.1-1_mipsel_24kc.ipk

Installingluci-app-dns-forwarder(1.6.1-1)toroot...

Downloadinghttp://fuckgfw.com/packages/LEDE/luci/luci-app-dns-forwarder_1.

6.1-1_all.ipk

Installingshadowsocks-libev(3.1.0-1)toroot...

Downloadinghttp://fuckgfw.com/packages/LEDE/base/mipsel_24kc/shadowsocks-l

ibev_3.1.0-1_mipsel_24kc.ipk

Installinglibev(4.22-1)toroot...


Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/libev_4.22-1_mipsel_24kc.ipk
Installing libcares (1.13.0-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/libcares_1.13.0-1_mipsel_24kc.ipk
Installing libpcre (8.41-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/packages/libpcre_8.41-2_mipsel_24kc.ipk
Installing libsodium (1.0.12-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/libsodium_1.0.12-1_mipsel_24kc.ipk
Installing libmbedtls (2.5.1-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/libmbedtls_2.5.1-2_mipsel_24kc.ipk
Installing luci-app-shadowsocks (1.8.1-1) to root...
Downloading http://fuckgfw.com/packages/LEDE/luci/luci-app-shadowsocks_1.8.1-1_all.ipk
Installing kmod-nfnetlink (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-nfnetlink_4.4.71-1_mipsel_24kc.ipk
Installing kmod-ipt-ipset (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-ipt-ipset_4.4.71-1_mipsel_24kc.ipk
Installing libmnl (1.0.4-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/libmnl_1.0.4-1_mipsel_24kc.ipk
Installing ipset (6.30-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/ipset_6.30-1_mipsel_24kc.ipk
Installing simple-obfs (0.0.3-2) to root...
Downloading http://fuckgfw.com/packages/LEDE/base/mipsel_24kc/simple-obfs_0.0.3-2_mipsel_24kc.ipk
Installing ip-full (4.4.0-9) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/ip-full_4.4.0-9_mipsel_24kc.ipk
Installing iptables-mod-tproxy (1.4.21-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mipsel_24kc/base/iptables-mod-tproxy_1.4.21-2_mipsel_24kc.ipk
Installing kmod-ipt-tproxy (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7628/packages/kmod-ipt-tproxy_4.4.71-1_mipsel_24kc.ipk
Configuring zlib.


Configuring libev.
Configuring libcares.
Configuring libpcre.
Configuring libsodium.
Configuring libmbedtls.
Configuring shadowsocks-libev.
Configuring ip-full.
Configuring kmod-nfnetlink.
Configuring kmod-ipt-tproxy.
Configuring libmnl.
Configuring ChinaDNS.
Configuring luci-app-chinadns.
Configuring dns-forwarder.
Configuring kmod-ipt-ipset.
Configuring ipset.
Configuring iptables-mod-tproxy.
Configuring libopenssl.
Configuring bind-libs.
Configuring simple-obfs.
Configuring luci-app-dns-forwarder.
Configuring bind-dig.
Configuring luci-app-shadowsocks.

Configure the shadowsocks-libev service:

root@LEDE:~# uci set shadowsocks.@servers[0]=servers
root@LEDE:~# uci set shadowsocks.@servers[0].server='45.67.89.10'
root@LEDE:~# uci set shadowsocks.@servers[0].server_port=12345
root@LEDE:~# uci set shadowsocks.@servers[0].password=YOUR_SS_PASSWORD
root@LEDE:~# uci set shadowsocks.@servers[0].encrypt_method='rc4-md5'
root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'
root@LEDE:~# SS_CFGID=$(uci show shadowsocks.@servers[0].alias | awk -F'.' '{print $2}')
root@LEDE:~# uci set shadowsocks.@transparent_proxy[0].main_server="$SS_CFGID"


root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'
root@LEDE:~# uci set shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
root@LEDE:~# uci set shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'
root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f='servers'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.server_port='12345'
shadowsocks.cfg0a4a8f.password='YOUR_SS_PASSWORD'
shadowsocks.cfg043a58.main_server='cfg0a4a8f'
shadowsocks.cfg0c4417.lan_target='SS_SPEC_WAN_AC'
shadowsocks.cfg0c4417.wan_bp_list='/etc/chinadns_chnroute.txt'
root@LEDE:~# uci show shadowsocks
shadowsocks.@general[0]=general
shadowsocks.@general[0].startup_delay='0'
shadowsocks.@transparent_proxy[0]=transparent_proxy
shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
shadowsocks.@transparent_proxy[0].local_port='1234'
shadowsocks.@transparent_proxy[0].main_server='cfg0a4a8f'
shadowsocks.@socks5_proxy[0]=socks5_proxy
shadowsocks.@socks5_proxy[0].server='nil'
shadowsocks.@socks5_proxy[0].local_port='1080'
shadowsocks.@port_forward[0]=port_forward
shadowsocks.@port_forward[0].server='nil'
shadowsocks.@port_forward[0].local_port='5300'
shadowsocks.@port_forward[0].destination='8.8.4.4:53'
shadowsocks.@servers[0]=servers
shadowsocks.@servers[0].alias='sample'
shadowsocks.@servers[0].fast_open='0'
shadowsocks.@servers[0].timeout='60'
shadowsocks.@servers[0].encrypt_method='rc4-md5'
shadowsocks.@servers[0].server='45.67.89.10'


shadowsocks.@servers[0].server_port='12345'
shadowsocks.@servers[0].password='YOUR_SS_PASSWORD'
shadowsocks.@access_control[0]=access_control
shadowsocks.@access_control[0].self_proxy='1'
shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'
root@LEDE:~# /etc/init.d/shadowsocks enable
root@LEDE:~# /etc/init.d/shadowsocks start
2017-09-23 14:28:43 INFO: set MTU to 1492
root@LEDE:~# pgrep -lf ss
379 ss-redir -c /var/etc/shadowsocks.cfg0a4a8f.json -l 1234 --mtu 1492 -f /var/run/ss-redir-cfg0a4a8f.pid
root@LEDE:~# netstat -lntpu | grep ss
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      379/ss-redir

Configure the dns-forwarder service:


root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0]=dns-forwarder
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].listen_port='5300'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
root@LEDE:~# uci set dns-forwarder.@dns-forwarder[0].enable='1'
root@LEDE:~# uci changes
dns-forwarder.cfg02e1e3='dns-forwarder'
dns-forwarder.cfg02e1e3.enable='1'
root@LEDE:~# uci commit
root@LEDE:~# uci show dns-forwarder
dns-forwarder.@dns-forwarder[0]=dns-forwarder
dns-forwarder.@dns-forwarder[0].listen_addr='0.0.0.0'
dns-forwarder.@dns-forwarder[0].listen_port='5300'
dns-forwarder.@dns-forwarder[0].dns_servers='8.8.8.8'
dns-forwarder.@dns-forwarder[0].enable='1'
root@LEDE:~# /etc/init.d/dns-forwarder enable
root@LEDE:~# /etc/init.d/dns-forwarder start
root@LEDE:~# pgrep -lf dns-for
3763 /usr/bin/dns-forwarder -b 0.0.0.0 -p 5300 -s 8.8.8.8
root@LEDE:~# netstat -lntpu | grep dns-for
udp        0      0 0.0.0.0:5300            0.0.0.0:*                           3763/dns-forwarder

Configure the ChinaDNS service:


root@LEDE:~# uci set chinadns.@chinadns[0]=chinadns
root@LEDE:~# uci set chinadns.@chinadns[0].bidirectional='0'
root@LEDE:~# uci set chinadns.@chinadns[0].chnroute='/etc/chinadns_chnroute.txt'
root@LEDE:~# uci set chinadns.@chinadns[0].port='5353'
root@LEDE:~# uci set chinadns.@chinadns[0].enable='1'
root@LEDE:~# uci set chinadns.@chinadns[0].server='223.5.5.5,127.0.0.1:5300'
root@LEDE:~# uci changes
chinadns.cfg0265ad='chinadns'
chinadns.cfg0265ad.enable='1'
chinadns.cfg0265ad.server='223.5.5.5,127.0.0.1:5300'
root@LEDE:~# uci commit
root@LEDE:~# /etc/init.d/chinadns enable
root@LEDE:~# /etc/init.d/chinadns start
root@LEDE:~# pgrep -lf chinadns
3895 /usr/bin/chinadns -m -p 5353 -s 223.5.5.5,127.0.0.1:5300 -c /etc/chinadns_chnroute.txt
root@LEDE:~# netstat -lntpu | grep chinadns
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3895/chinadns

Configure Wi-Fi:


uci set wireless.@wifi-device[0].country='CN'
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-device[0].txpower='17'
uci set wireless.@wifi-iface[0].ssid='fuckgfw'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='YOUR_WIFI_PASSWORD'
root@LEDE:~# uci changes
wireless.radio0.disabled='0'
wireless.radio0.country='CN'
wireless.radio0.txpower='17'
wireless.default_radio0.ssid='fuckgfw'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='YOUR_WIFI_PASSWORD'
root@LEDE:~# uci commit
root@LEDE:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/10300000.wmac'
wireless.radio0.htmode='HT20'
wireless.radio0.disabled='0'
wireless.radio0.country='CN'
wireless.radio0.txpower='17'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='fuckgfw'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='YOUR_WIFI_PASSWORD'

Bring up the wireless with the wifi command:

root@LEDE:~# wifi status
{
    "radio0": {
        "up": false,
        "pending": false,
        "autostart": true,
        "disabled": true,
        "retry_setup_failed": false,
        "config": {
            "channel": "11",
            "hwmode": "11g",
            "path": "platform\/10300000.wmac",
            "htmode": "HT20",
            "disabled": true
        },
        "interfaces": [
            {
                "section": "default_radio0",
                "config": {
                    "mode": "ap",
                    "ssid": "LEDE",
                    "encryption": "none",
                    "network": [
                        "lan"
                    ],
                    "mode": "ap"
                }
            }
        ]
    }
}
root@LEDE:~# wifi
root@LEDE:~# wifi status
{
    "radio0": {
        "up": true,
        "pending": false,
        "autostart": true,
        "disabled": false,
        "retry_setup_failed": false,
        "config": {
            "channel": "11",
            "hwmode": "11g",
            "path": "platform\/10300000.wmac",
            "htmode": "HT20",
            "country": "CN",
            "disabled": false
        },
        "interfaces": [
            {
                "section": "default_radio0",
                "ifname": "wlan0",
                "config": {
                    "mode": "ap",
                    "ssid": "fuckgfw",
                    "encryption": "psk2",
                    "key": "YOUR_WIFI_PASSWORD",
                    "network": [
                        "lan"
                    ],
                    "mode": "ap"
                }
            }
        ]
    }
}

Configure network:

root@LEDE:~# uci delete network.globals.ula_prefix
root@LEDE:~# uci delete network.wan6
root@LEDE:~# uci set network.wan.peerdns=0
root@LEDE:~# uci set network.lan.ipaddr='192.168.11.1'
root@LEDE:~# uci changes
-network.globals.ula_prefix
-network.wan6
network.wan.peerdns='0'
network.lan.ipaddr='192.168.11.1'
root@LEDE:~# uci commit

Configure the DNSmasq service:


root@LEDE:~# pgrep -lf dnsmasq
1069 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg02411c -k -x /var/run/dnsmasq/dnsmasq.cfg02411c.pid
root@LEDE:~# cat /var/etc/dnsmasq.conf.cfg02411c | sed -e '/^#/d' -e '/^$/d'
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
no-dhcp-interface=eth0.2

uci set dhcp.@dnsmasq[0].nohosts='1'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
uci changes
uci commit

root@LEDE:~# uci set dhcp.@dnsmasq[0].nohosts='1'
root@LEDE:~# uci set dhcp.@dnsmasq[0].noresolv='1'
root@LEDE:~# uci set dhcp.@dnsmasq[0].local='127.0.0.1#5353'
root@LEDE:~# uci changes
dhcp.cfg02411c.nohosts='1'
dhcp.cfg02411c.noresolv='1'
dhcp.cfg02411c.local='127.0.0.1#5353'


root@LEDE:~# uci commit

Restart the network and DNSmasq services (a backup of the shell history):

root@LEDE:~# /etc/init.d/network restart && /etc/init.d/dnsmasq restart
root@LEDE:~# cat /var/etc/dnsmasq.conf.cfg02411c | sed -e '/^#/d' -e '/^$/d'
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
no-hosts
no-resolv
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=127.0.0.1#5353
dhcp-leasefile=/tmp/dhcp.leases
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-range=lan,192.168.11.100,192.168.11.249,255.255.255.0,12h
root@LEDE:~# dig +short dropbox.com
162.125.248.1

The DNSmasq no-resolv setting did not take effect:


root@LEDE:~# cat /etc/resolv.conf
# Interface wan
nameserver 192.168.8.1
search lan
# Interface wan6
nameserver fe80::e695:6eff:fe40:6576%eth0.2
search lan
root@LEDE:~# dig +short dropbox.com @<resolver elided in source>
162.125.248.1
root@LEDE:~# dig +short dropbox.com
243.185.187.39

Needed:

Disable IPv6
Disable the nameserver handed out by upstream DHCP

Disable IPv6

[OpenWrt-Users] how to switch off IPV6 completely [on a BB 14.07 (r42625) - final release]

I set the dhcp server ipv6 settings all to disabled on both wan and lan (i.e. Router Advertisement-Service -> disabled, DHCPv6-Service -> disabled, NDP-Proxy -> disabled)

Disable IPv6 with OpenWRT

Network > Interfaces: blank out the IPv6 ULA-Prefix box

Clear the IPv6 ULA-Prefix:

root@LEDE:~# uci show network.globals
network.globals=globals
network.globals.ula_prefix='fdd3:b9a9:2288::/48'

uci delete network.globals.ula_prefix

Delete the wan6 interface:


uci delete network.wan6

Disable the nameserver handed out by upstream DHCP:

uci set network.wan.peerdns=0

Troubleshooting:

root@LEDE:~# uci set network.wan.peerdns=0
root@LEDE:~# uci changes
network.wan.peerdns='0'
root@LEDE:~# cat /etc/resolv.conf
# Interface wan
# Interface wan6
nameserver fe80::e695:6eff:fe40:6576%eth0.2      <-- upstream IPv6 DNS
search lan
root@LEDE:~# dig dropbox.com

; <<>> DiG 9.10.4-P5 <<>> dropbox.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51090
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;dropbox.com.                   IN      A

;; ANSWER SECTION:
dropbox.com.            227     IN      A       243.185.187.39

;; Query time: 13 msec
;; SERVER: fe80::e695:6eff:fe40:6576%6#53(fe80::e695:6eff:fe40:6576%6)      <-- upstream IPv6 DNS
;; WHEN: Wed Aug 30 00:38:57 UTC 2017
;; MSG SIZE  rcvd: 56

root@LEDE:~# dig +short dropbox.com @<resolver elided in source>
162.125.248.1
root@LEDE:~# dig +short dropbox.com
243.185.187.39
root@LEDE:~# uci show network.globals
network.globals=globals
network.globals.ula_prefix='fdd3:b9a9:2288::/48'
root@LEDE:~# uci delete network.globals.ula_prefix
root@LEDE:~# uci delete network.wan6
root@LEDE:~# uci changes
-dhcp.lan.ra
-dhcp.lan.dhcpv6
-network.globals.ula_prefix
-network.wan6
root@LEDE:~# cat /etc/resolv.conf
# Interface wan


root@LEDE:~# dig +short dropbox.com
162.125.248.1

ChinaDNS

release date: v1.3.2-5 2017-08-24
              v1.3.2-4 2016-08-30

Source: https://github.com/aa65535/openwrt-chinadns/releases
Download: http://openwrt-dist.sourceforge.net/archives/ChinaDNS/1.3.2-5/

How it works:

On route optimisation #59

ChinaDNS needs two groups of upstream DNS servers, domestic DNS and "foreign DNS or trusted DNS"; whether an answer is domestic is decided against chnroute. Domestic DNS is resolved over the ISP's own connection (not through the proxy); if the returned result is also a domestic IP, that result is used, otherwise the result from the "foreign or trusted DNS" is used. Foreign DNS is resolved through the proxy, and the resolved site is then also reached through the proxy. In addition, the "foreign or trusted DNS" result has priority over the domestic DNS, so as soon as the first answer to arrive is from the "foreign or trusted DNS" it is used directly, the domestic answer is ignored, and domestic sites become slow to reach (because the "foreign or trusted DNS" answer is used). This is why ChinaDNS's upstream servers must not cache locally.

ChinaDNS assumes by default that the domestic DNS answers faster than the "foreign or trusted DNS".

ChinaDNS sends every query to all upstream DNS servers at the same time.

When pdnsd is used as the "foreign or trusted DNS", this holds for the first query and ChinaDNS handles it correctly, but on the second query pdnsd's cache makes it answer before the domestic DNS, so domestic sites are also resolved with pdnsd's answer, which may resolve them to foreign addresses and hurt access speed.

A resolution request is sent at the same time to the domestic DNS and the foreign DNS (the upstreams configured in ChinaDNS). If the foreign DNS answers first, the foreign answer is used (as you said above, the foreign answer has priority); if the domestic DNS answers first there are two cases: 1. if the domestic DNS returned a domestic IP address, it is used; 2. if it returned a foreign address, the domestic answer is discarded and the foreign answer is used.

pdnsd is unsuitable as an upstream because it caches: with a cache, the foreign upstream (pdnsd) will always answer faster than the domestic DNS.

Trusted DNS answers before domestic DNS #48

Do not cache on the trusted DNS; put the cache downstream of ChinaDNS.

ChinaDNS cannot use a foreign IP #55

If the domestic DNS returns a domestic IP, and does so faster than the foreign DNS, the domestic answer is used. It is advisable not to use the ISP's DNS servers but 114 or another public DNS.

Debugging with -v:

root@OpenWrt:~# ps | awk '$5=="\/usr\/bin\/chinadns"{for(i=5;i<=NF;i++)printf $i" ";print "-v"}'
/usr/bin/chinadns -p 5354 -s 223.5.5.5,127.0.0.1:5353 -c /etc/shadowsocks/ignore.list -m -v

https://github.com/aa65535/openwrt-chinadns/releases/tag/v1.3.2-2

A DNS server given with # between IP and port is treated as a trusted DNS, e.g.:

-s 223.5.5.5,127.0.0.1#5353

Here 127.0.0.1 is the trusted DNS server. Once a trusted DNS is specified, any other foreign-IP DNS servers are ignored, and the compression-pointer feature no longer takes effect (but the -m flag still has to be given).

A trusted DNS server is treated as foreign DNS regardless of whether its IP is foreign.

At least one of foreign DNS or trusted DNS must be specified.

Configuration:


root@OpenWrt:~# opkg files ChinaDNS
Package ChinaDNS (1.3.2-1) is installed on root and has the following files:
/etc/init.d/chinadns
/usr/bin/chinadns
/etc/config/chinadns
/etc/chinadns_chnroute.txt
root@OpenWrt:~# uci show chinadns
chinadns.@chinadns[0]=chinadns
chinadns.@chinadns[0].enable=1
chinadns.@chinadns[0].compression=1
chinadns.@chinadns[0].bidirectional=0
chinadns.@chinadns[0].port=5354
chinadns.@chinadns[0].chnroute=/etc/shadowsocks/ignore.list
chinadns.@chinadns[0].server=223.5.5.5,127.0.0.1:5353

After a while only the domestic DNS is working #14

Domains that do not need to be looked up through ChinaDNS can be set in dnsmasq:

server=/.microsoft.com/223.5.5.5

Small domestic ISP networks and CDN nodes #42

Right, this small ISP's network is extremely unstable; even the latency to baidu.com swings enormously. That is, when looking up a CDN node the domestic DNS may take longer to answer than the foreign one, and chin
adns simply uses the foreign node that arrived first.

Improving DNS resolution on an auto-circumventing OpenWRT router (old)

https://github.com/felixonmars/dnsmasq-china-list

Problems resolving Google domains #68

This should be a ChinaDNS misjudgement; it is a FAKE IP. Now that poisoned IPs are completely random there are all kinds of bugs.

Note: anti-poisoning is not ChinaDNS's main purpose, and in the current environment you should avoid using ChinaDNS alone as the anti-poisoning measure. First, it has bugs; second, the DNS server returns results based on your real IP rather than the proxy server's IP, so the resolved IP may be close to your real location but far from the proxy, which is slower in the end. For example, with the server in the US, using chinadns alone may resolve google.com to Hong Kong. ChinaDNS's main role is to pick the best answer; foreign DNS must go through the proxy, which both eliminates poisoning and gets the best answer.

Does dns-forwarder use TCP? #4

Queries to the upstream DNS use TCP. 0.0.0.0:5300 is the LAN-side listening port, which is of course UDP, otherwise how would it accept DNS queries.

DNS-Forwarder's job is to convert the downstream UDP DNS queries into TCP DNS queries and send them to the upstream server.

Drop UDP, query DNS over TCP. My DNS query path is: dnsmasq -> ChinaDNS -> DNS-Forwarder -> SS (TCP) -> foreign DNS server (e.g. 8.8.8.8)

shadowsocks-libev

release date: v3.0.8 2017-07-27

Source: https://github.com/shadowsocks/openwrt-shadowsocks/releases
Download: http://openwrt-dist.sourceforge.net/archives/shadowsocks-libev/3.0.8/

Update the IP list from crontab:

root@OpenWrt:~# crontab -l
0 5 * * 1 sh -x /root/update.apnic.ip.sh > /tmp/update.apinic.ip.log 2>&1

Update script:

#!/bin/sh
# Weekly refresh of the CN IP list used as the ChinaDNS chnroute / shadowsocks bypass list.
apnic_url='http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
# Same conversion with wget (kept commented out): CN|ipv4 rows, prefix length = 32 - log2(count)
#wget -c -O - "$apnic_url" | awk -F\| '/CN\|ipv4/{printf("%s/%d\n",$4,32-log($5)/log(2))}' > /etc/shadowsocks/ignore.list.new
curl -s "$apnic_url" | awk -F\| '/CN\|ipv4/{printf("%s/%d\n",$4,32-log($5)/log(2))}' > /etc/shadowsocks/ignore.list.new

# Stop a service, retrying up to 5 times while a matching process is still running.
# "ss" is matched by process name but stopped through the shadowsocks init script.
service_stop() {
    echo "__STOP: $1 ---------------------------"
    local service="$1"
    local count=0
    while [ $count -le 5 ]
    do
        if pgrep -lf "$service"
        then
            [ x"$service" = x'ss' ] && service='shadowsocks'
            echo "/etc/init.d/$service stop"
            /etc/init.d/$service stop
            sleep 1s
            count=`expr $count + 1`
            continue
        else
            break
        fi
    done
}

# Start a service, retrying up to 5 times until a matching process appears.
service_start() {
    echo "__START: $1 ---------------------------"
    local service="$1"
    local count=0
    while [ $count -le 5 ]
    do
        if pgrep -lf "$service"
        then
            break
        else
            [ x"$service" = x'ss' ] && service='shadowsocks'
            echo "/etc/init.d/$service start"
            /etc/init.d/$service start
            sleep 1s
            count=`expr $count + 1`
            continue
        fi
    done
}

pgrep -lf 'dns|ss'
# Only swap the list in if the download produced a non-empty file.
if [ -s /etc/shadowsocks/ignore.list.new ]
then
    ls -l /etc/shadowsocks/ignore.list*
    wc -l /etc/shadowsocks/ignore.list*
    mv -f /etc/shadowsocks/ignore.list /etc/shadowsocks/ignore.list.bak
    mv -f /etc/shadowsocks/ignore.list.new /etc/shadowsocks/ignore.list
    service_stop dnsmasq
    service_stop chinadns
    service_stop ss
    sleep 2s
    service_start ss
    service_start chinadns
    service_start dnsmasq
else
    echo "__ERROR: download apnic IP list FAILED"
fi

TODO:

improve the curl download
dated backups

ss blacklist (Bypassed IP):

shadowsocks.cfg0c4417.wan_bp_ips+=45.67.89.10

Guide to fully automatic ladder-climbing with OpenWRT + Shadowsocks 2015-11-08

Analysis of the iptables + ipset matching rules

How to get a router over the wall 2016-11-25


Name: ss_spec_lan_no   # set of IP ranges the LAN may not reach
Name: ss_spec_lan_bp   # set of IP ranges the LAN reaches directly
Name: ss_spec_lan_fw   # set of IP ranges the LAN must forward through the proxy
Name: ss_spec_wan_sp   # set of special IP ranges: the LAN itself, the shadowsocks server, etc.
Name: ss_spec_wan_bp   # set of WAN IP ranges reached directly; this set is very large
Name: ss_spec_wan_fw   # set of WAN IP ranges forwarded through the proxy

http://code.taobao.org/svn/luci-app-adbyby/
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ar71xx.ipk  ar71xx build
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_arm.ipk  arm build
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_armv7.ipk  armv7 build
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ralink.ipk  build for 7620A(N) and 7621 on Pandora
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ramips_24kec.ipk  build for 7620A(N) and 7621 on official OPENWRT
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_x64.ipk  X64 build
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_x86.ipk  X86 build
http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_mipsel_24kec_dsp.ipk  build for the latest Pandora (after 2016.10)
http://code.taobao.org/svn/luci-app-adbyby/adbyby_mini_2.7-7.0_ralink.ipk  small-flash build for 7620A(N) and 7621 on Pandora (downloads the main program into memory at each boot)
http://code.taobao.org/svn/luci-app-adbyby/adbyby_mini_2.7-7.0_mipsel_24kec_dsp.ipk  small-flash build for the latest Pandora (after 2016.10)

opkg install http://code.taobao.org/svn/luci-app-adbyby/adbyby_2.7-7.0_ralink.ipk

reference

Anti-DNS-hijacking as described by the openwrt-dist project: https://sourceforge.net/p/openwrt-dist/wiki/DNS/

Anti-DNS-hijacking, plan five (outdated, but the principle is the same): https://sourceforge.net/p/openwrt-dist/wiki/Plan5/

Drop UDP, query DNS over TCP 2017-05-17


DNS query path: DNSmasq -> ChinaDNS -> dns-forwarder -> SS (TCP) -> foreign DNS server (8.8.8.8)

DNS poisoning explained through packet captures: some principles of getting over the wall 2015-02-08

x86_64 server wall-climbing revisited: ss-redir transparent proxy 2017-04-29

Addendum on automatic traffic splitting with shadowsocks + chinadns under openwrt 2015-01-10

The poisoning source now uses random poisoning, steering the target to random foreign sites (this is an act of terrorism! the Great Cannon)

When the query result is not a Chinese address, take the international server's result, but require that result to arrive at least 0.3 seconds later before it counts (to guard against poisoning)

Relaying DNS requests through SS is a good idea, but the performance is worrying. Even an SS server in the Asia-Pacific region has 100 ms of latency; a query spends 0.1 s going and 0.1 s coming back, plus the SS-server-to-DNS time (both ways), so it is about as fast as connecting to 8.8.8.8 directly

Automatic wall-climbing with an EdgeMax router 2016-10-20

Parameter  Meaning
-d         Bidirectional filtering: on by default
-m         Enable compression pointer: on by default

Bidirectional filtering: when the foreign DNS server returns a domestic IP, or the domestic DNS server returns a foreign IP, that result is filtered out (the stricter mode); with the box unchecked only foreign-IP results from the domestic DNS are filtered.

Enable compression pointer: uses a bug in the GFW's handling of compression pointers to identify the GFW's race-ahead poisoned answers precisely, greatly improving detection accuracy and efficiency; enabling it is recommended, and once enabled the IP list and wait time are disabled (they are no longer needed).
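An added Python illustration (not ChinaDNS's own code, nor this guide's) of the two mechanisms described above: the chnroute list that the update script builds from delegated-apnic-latest, and the answer-selection rules behind the -d option and the pdnsd caveat from the #59 discussion. The APNIC records and every answer IP other than the dropbox.com pair quoted earlier are constructed; apnic_to_cidrs uses summarize_address_range, so unlike the awk one-liner it also handles allocation counts that are not powers of two.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the delegated-apnic-latest format the update script
# downloads (registry|cc|type|start|count|date|status). Not real registry data.
APNIC_SAMPLE = """\
apnic|*|ipv4|*|6|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|CN|ipv4|1.0.4.0|768|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated
"""

Network = ipaddress.IPv4Network


def apnic_to_cidrs(text: str, country: str = "CN") -> List[Network]:
    """Turn CN|ipv4 records into CIDR blocks, as the script's awk one-liner does.

    The awk computes 32 - log2(count), which assumes every count is a power of
    two and truncates through printf %d. summarize_address_range is exact for
    any count (a 768-address block becomes a /23 followed by a /24).
    """
    nets: List[Network] = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 5 or f[1] != country or f[2] != "ipv4":
            continue
        start = ipaddress.IPv4Address(f[3])
        end = start + int(f[4]) - 1
        nets.extend(ipaddress.summarize_address_range(start, end))
    return nets


def is_domestic(ip: str, chnroute: Iterable[Network]) -> bool:
    """chnroute lookup: does this answer fall inside one of the CN blocks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in chnroute)


def select_answer(
    responses: List[Tuple[str, str]],
    chnroute: Iterable[Network],
    bidirectional: bool = True,
) -> Tuple[Optional[str], str]:
    """Apply the selection rules the guide describes to answers in arrival order.

    responses: (upstream, ip) pairs; upstream is "domestic" or "foreign"
    (a trusted DNS counts as foreign). Rules as stated on the page:
      * a domestic upstream returning a domestic IP is accepted at once;
      * a domestic upstream returning a foreign IP is always discarded;
      * a foreign upstream is accepted as soon as it answers, unless -d
        (bidirectional) filtering is on and its answer is a domestic IP.
    Because the first acceptable answer wins, a caching foreign upstream such as
    pdnsd that always answers first overrides the domestic resolver.
    """
    for upstream, ip in responses:
        domestic_ip = is_domestic(ip, chnroute)
        if upstream == "domestic":
            if domestic_ip:
                return ip, "domestic upstream, domestic IP: accepted"
            continue  # foreign IP from a domestic resolver: filtered
        if bidirectional and domestic_ip:
            continue  # -d: domestic IP from a foreign resolver: filtered
        return ip, f"{upstream} upstream: accepted"
    return None, "no acceptable answer"


if __name__ == "__main__":
    chn = apnic_to_cidrs(APNIC_SAMPLE)
    print("chnroute:", [str(n) for n in chn])
    # Domestic resolver answers first with a foreign IP (the dropbox.com case
    # shown earlier); the later foreign answer is taken instead.
    print(select_answer([("domestic", "243.185.187.39"),
                         ("foreign", "162.125.248.1")], chn))
    # A cached foreign upstream answering first wins even for a domestic site.
    print(select_answer([("foreign", "203.0.113.10"),
                         ("domestic", "1.0.1.8")], chn))
```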

Illustrated tutorials:

Building Shadowsocks on OpenWRT for a transparent proxy 2017-08-18

End to end: smart proxying on a router with OpenWrt firmware, plus guest-network traffic control 2017-05-20

ipset + iptables

root@LEDE:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@LEDE:~# ipset -L | grep Name
Name: ss_spec_src_ac
Name: ss_spec_src_bp
Name: ss_spec_src_fw
Name: ss_spec_dst_sp
Name: ss_spec_dst_bp
Name: ss_spec_dst_fw
root@LEDE:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 17347 packets, 2136K bytes)
 pkts bytes target                prot opt in     out     source               destination
 8042  561K SS_SPEC_LAN_DG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
17347 2136K prerouting_rule       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */
14244 1080K zone_lan_prerouting   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 3103 1057K zone_wan_prerouting   all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 7919 packets, 577K bytes)
 pkts bytes target                prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17338 packets, 1106K bytes)
 pkts bytes target                prot opt in     out     source               destination
16216  973K SS_SPEC_WAN_DG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 13834 packets, 885K bytes)
 pkts bytes target                prot opt in     out     source               destination
30520 2059K postrouting_rule      all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
   48 11264 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
16686 1174K zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain SS_SPEC_LAN_AC (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 RETURN                all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_bp src
    0     0 SS_SPEC_WAN_FW        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_fw src
    0     0 SS_SPEC_WAN_AC        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_ac src
 7901  552K SS_SPEC_WAN_AC        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_LAN_DG (1 references)
 pkts bytes target                prot opt in     out     source               destination
  141  8554 RETURN                all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_sp dst
 7901  552K SS_SPEC_LAN_AC        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_WAN_AC (3 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 SS_SPEC_WAN_FW        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_fw dst
 4693  302K RETURN                all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_bp dst
 9925  653K SS_SPEC_WAN_FW        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_WAN_DG (1 references)
 pkts bytes target                prot opt in     out     source               destination
 9499  570K RETURN                all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_sp dst
 6717  403K SS_SPEC_WAN_AC        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_WAN_FW (3 references)
 pkts bytes target                prot opt in     out     source               destination
 9925  653K REDIRECT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 1234

Chain postrouting_lan_rule (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target                prot opt in     out     source               destination
   48 11264 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target                prot opt in     out     source               destination
14244 1080K prerouting_lan_rule   all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target                prot opt in     out     source               destination
16686 1174K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
16686 1174K MASQUERADE            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target                prot opt in     out     source               destination
 3103 1057K prerouting_wan_rule   all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */


openwrt

entware-ng is a software repository for network attached storages, routers and other embedded devices.

Browse through 2000+ packages for different platforms:

arch    URL
armv5   http://pkg.entware.net/binaries/armv5/Packages.html
armv7   http://pkg.entware.net/binaries/armv7/Packages.html
mipsel  http://pkg.entware.net/binaries/mipsel/Packages.html
x86-32  http://pkg.entware.net/binaries/x86-32/Packages.html
x86-64  http://pkg.entware.net/binaries/x86-64/Packages.html

project

Village Telco

The Village Telco aims to provide affordable voice and data services for the billions of people who are currently unconnected to either a phone or the Internet. By lowering the cost of entry for users, it also seeks to make calling and access to the Internet cheaper for existing users. But it will not only offer affordable access but put the power to provide it in the hands of local communities, creating a new generation of communications entrepreneurs in developing countries.

Router

UBNT

Loving the non-mainstream: from MikroTik to UBNT, getting an EdgeMAX ER-X 2016-11-08

EdgeMax is far more hackable than Routerboard. EdgeOS is just Debian, a very mainstream Linux distribution, so basically whatever you can do with Debian on a PC you can do on it.


UBNT ER-X vs MikroTik RB750Gr3: agonising over which to buy 2016-11-24

Feature-wise ROS is a bit better, for stability UBNT is better; every ROS update brings odd problems; forwarding performance favours UBNT, which has hardware acceleration, while ROS relies purely on software; if you use ROS and want a smaller bottleneck, go straight to x86, everything else is a distraction. Also: with hardware acceleration on, QoS, the firewall and so on stop working, so acceleration has pros and cons. Go for performance and there is not much left to play with.

The ER-X wins on stability; there is more material on ROS.

On stability the ER-X still wins.

Ubnt UniFi product unboxing 2017-04-30

VPN

shadowsocks: 地瓜SS

QuickTun: QuickTun Simple and secure VPN software http://oss.ucis.nl/
https://github.com/UCIS/QuickTun

SigmaVPN: SigmaVPN Light-weight, secure and modular VPN solution
https://github.com/neilalexander/sigmavpn


Referrals and sponsorship

If you want to buy a VPS and set up your own ss service, you can register through my referral links:

VPS provider            Referral link
DigitalOcean            https://m.do.co/c/7556068f65ab
Vultr                   http://www.vultr.com/?ref=6849100
Linode                  https://www.linode.com/?r=bf1ac8d4f5d34c896881138bb556031fb396ff4d
BandwagonHost (mirror)  https://bwh1.net/aff.php?aff=8583

Thanks for your support!

If you really want to give me money

Open WeChat
Tap "Scan"
Scan the QR code below
