2019-03-17 02:54:03 | openwrt




http://blog.sina.com.cn/s/blog_6988402a0102vuwb.html

Switch the UI to Chinese:

opkg update
opkg install luci-i18n-base-zh-cn


Some packages:
opkg install ip-full coreutils-base64 kmod-ipt-ipset wget diffutils
Notes:
ip-full is used by strongSwan
kmod-ipt-ipset is used by shadowsocks
coreutils-base64, wget and diffutils are used by my dnsmasq script


Install DDNS
opkg install luci-app-ddns ddns-scripts 


Install USB storage support
opkg install kmod-usb-storage block-mount kmod-fs-ext4 kmod-usb2


Install DNSMASQ-FULL
opkg remove dnsmasq
opkg install dnsmasq-full


Install OPENVPN
opkg install openvpn-openssl openvpn-easy-rsa


Install STRONGSWAN
opkg install strongswan
opkg install strongswan-mod-kernel-libipsec kmod-tun
opkg install ipset iptables-mod-filter iptables-mod-nat-extra ppp-mod-pppoe
Install further modules as needed.


Add the openwrt-dist feed (required before CHINADNS and SHADOWSOCKS can be installed with opkg):


.Add the openwrt-dist feed
vi /etc/opkg.conf
src/gz openwrt_dist_luci http://openwrt-dist.sourceforge.net/releases/luci/packages


.Install CHINADNS
opkg install ChinaDNS
opkg install luci-app-chinadns


.Install SHADOWSOCKS (non-upstream build)
opkg install shadowsocks-libev-spec
opkg install luci-app-shadowsocks-spec


.Install upstream SHADOWSOCKS
opkg install iptables-mod-nat-extra ipset libopenssl
opkg install shadowsocks-libev
The 5.05 feed has a signature error; install from a local package instead:
cd /tmp
opkg install shadowsocks-libev_2.4.1-1_brcm47xx.ipk


Install DNSCRYPT
opkg install dnscrypt-proxy


Install SYNCY
Configuring libpolarssl.
Configuring libcurl.
Configuring kmod-nls-utf8.
Configuring python-curl.
Configuring SyncY-Python-luci.


Install GOAGENT
opkg install python libopenssl 
gevent_0.13.8-1_brcm47xx.ipk
libevent2_2.0.16-1_brcm47xx.ipk
libevent2-core_2.0.16-1_brcm47xx.ipk
libevent2-extra_2.0.16-1_brcm47xx.ipk
libevent2-openssl_2.0.16-1_brcm47xx.ipk
libevent2-pthreads_2.0.16-1_brcm47xx.ipk
python-greenlet_0.4.0-1_brcm47xx.ipk



------------------------------------------------------------

 

DDNS configuration:


LUCI:
Services > Dynamic DNS,
Basic Settings:
Enable
IPv4
3322.org
mooncake.3322.org
mooncake
Password

 

Advanced:
IP address source: Interface
pppoe-wan


Timer Settings:
Check Interval:60


Configuration file:
vi /etc/config/ddns
################ as generated from the LuCI settings above
config service 'myddns'
    option interface 'wan'
    option use_syslog '1'
    option use_https '0'
    option force_interval '72'
    option force_unit 'hours'
    option check_unit 'minutes'
    option retry_interval '60'
    option retry_unit 'seconds'
    option enabled '1'
    option service_name '3322.org'
    option domain 'mooncake.3322.org'
    option username 'mooncake'
    option password 'getout'
    option ip_source 'interface'
    option ip_interface 'pppoe-wan'
    option check_interval '15'
################


.Configure remote management:


..Set port 2345 for SSHv2 logins
LUCI:
System > Administration:
Port 2345
Password authentication
Allow root logins with password
Gateway ports


Configuration file:
vi /etc/config/dropbear
################ as generated from the LuCI settings above
config dropbear
option PasswordAuth 'on'
option GatewayPorts 'on'
option Port '2345'
################



..Open port 2345:
LUCI:
Network > Firewall > Traffic Rules:
Open ports on router: SSHv2345, tcp, 2345, Add.


Configuration file:
vi /etc/config/firewall
################ as generated from the LuCI settings above
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option name 'SSHv2345'
option dest_port '2345'
################


..Forward TCP 8765 to 80, so that remote access on port 8765 lands on the OpenWrt admin page on port 80:
Network > Firewall > Port Forwards:
New port forward: TCP8765>80, tcp, wan, 8765, lan, 192.168.1.11, 80, Add.


Configuration file:
################ as generated from the LuCI settings above
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '192.168.1.11'
option dest_port '80'
option name 'TCP8765>80'
option src_dport '8765'
################
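Added example (not from the original post): a small Python audit that parses the dropbear and firewall sections above and reports what they expose on the WAN side, namely SSH with password and root login enabled, the LuCI admin page forwarded over plaintext HTTP, and GatewayPorts. The sample configuration text is constructed from the snippets on this page; the dropbear defaults assumed for absent options (Port 22, PasswordAuth and RootPasswordAuth on) are OpenWrt's.

```python
"""Audit the WAN exposure created by the remote-management settings above."""
import shlex
from typing import Dict, List, Tuple

Section = Tuple[str, str, Dict[str, str]]  # (section type, section name, options)

# Constructed sample input: the dropbear and firewall sections shown on this page.
DROPBEAR_CONF = """
config dropbear
option PasswordAuth 'on'
option GatewayPorts 'on'
option Port '2345'
"""

FIREWALL_CONF = """
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option name 'SSHv2345'
option dest_port '2345'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '192.168.1.11'
option dest_port '80'
option name 'TCP8765>80'
option src_dport '8765'
"""


def parse_uci(text: str) -> List[Section]:
    """Parse the 'config <type> [name]' / 'option <key> <value>' subset of UCI.

    Keys and values may be single- or double-quoted (shlex handles both);
    'list' options are not needed for the files on this page.
    """
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "config" and len(tokens) >= 2:
            name = tokens[2] if len(tokens) > 2 else ""
            sections.append((tokens[1], name, {}))
        elif tokens[0] == "option" and len(tokens) >= 2 and sections:
            sections[-1][2][tokens[1]] = tokens[2] if len(tokens) > 2 else ""
    return sections


def wan_exposure(firewall: str, dropbear: str) -> List[str]:
    """Report the WAN-facing entry points the two configs create together."""
    findings: List[str] = []
    db: Dict[str, str] = {}
    for typ, _, opts in parse_uci(dropbear):
        if typ == "dropbear":
            db.update(opts)
    # OpenWrt dropbear defaults apply when an option is absent.
    ssh_port = db.get("Port", "22")
    password_auth = db.get("PasswordAuth", "on") == "on"
    root_password_auth = db.get("RootPasswordAuth", "on") == "on"

    for typ, _, o in parse_uci(firewall):
        if o.get("src") != "wan":
            continue
        name = o.get("name", "<unnamed>")
        if typ == "rule" and o.get("target") == "ACCEPT":
            port = o.get("dest_port")
            if port == ssh_port:
                msg = f"rule {name}: dropbear SSH on tcp/{port} is reachable from WAN"
                if password_auth:
                    msg += "; password authentication enabled"
                if root_password_auth:
                    msg += "; root password login enabled"
                findings.append(msg)
            elif port is None:
                findings.append(f"rule {name}: accepts all {o.get('proto', 'any')} from WAN")
        elif typ == "redirect" and o.get("target") == "DNAT" and o.get("dest_port") == "80":
            findings.append(
                f"redirect {name}: WAN tcp/{o.get('src_dport')} is forwarded to "
                f"{o.get('dest_ip')}:80 (LuCI over plaintext HTTP)"
            )
    if db.get("GatewayPorts", "off") == "on":
        findings.append("dropbear GatewayPorts on: remote forwards (-R) bind to all "
                        "interfaces, not only loopback")
    return findings


if __name__ == "__main__":
    for finding in wan_exposure(FIREWALL_CONF, DROPBEAR_CONF):
        print("-", finding)
```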




USB drive mount point configuration


LUCI:
System > Mount Points:
Mount Points: click Add
General Settings:
Enable this mount
UUID: select /dev/sda1
Mount point: choose custom, enter /mnt/app
Advanced Settings:
Filesystem: ext4


Add another:
General Settings:
Enable this mount
UUID: select /dev/sda2
Mount point: choose custom, enter /mnt/data
Advanced Settings:
Filesystem: ext4


Configuration file:
vi /etc/config/fstab
################ as generated from the LuCI settings above
config global
option anon_swap '0'
option anon_mount '0'
option auto_swap '1'
option auto_mount '1'
option delay_root '5'
option check_fs '0'

config mount
option enabled '1'
option device '/dev/sda'
option fstype 'ext4'
option target '/mnt'

config mount
option enabled '1'
option device '/dev/sda1'
option target '/mnt/app'
option fstype 'ext4'

config mount
option enabled '1'
option device '/dev/sda2'
option target '/mnt/data'
option fstype 'ext4'
################


.Set the USB install destination:


vi /etc/opkg.conf
Add the following line below dest root /:
dest usb /mnt/sda1/app


vi /etc/profile
The /mnt/sda1/app entries are the added parts:
export LD_LIBRARY_PATH="/mnt/sda1/app/usr/lib:/mnt/sda1/app/lib"
export PATH=/usr/bin:/usr/sbin:/bin:/sbin:/mnt/sda1/app/usr/bin:/mnt/sda1/app/usr/sbin


Then run:
source /etc/profile


Usage:
Add the -d usb option when installing:
opkg install XXX -d usb




DNSMASQ configuration:
vi /etc/dnsmasq.conf
################
## add
conf-file=/mnt/app/dns/dnsmasq.conf.ipset
################
vi /etc/config/dhcp
################ add as needed
config dnsmasq
## add
    option cachesize '4096'
################
Contents of /mnt/app/dns/dnsmasq.conf.ipset:
################
no-poll
log-facility=/tmp/dnsmasq.log
addn-hosts=/mnt/app/dns/myhosts.conf
addn-hosts=/mnt/app/dns/googlehosts.conf
conf-file=/mnt/app/dns/dnsmasq.myurl.conf
conf-file=/mnt/app/dns/dnsmasq.gfwlist.conf
conf-file=/mnt/app/dns/dnsmasq.temp.conf
server=202.96.134.133
server=202.96.128.166
################
OPENVPN configuration:
vi /etc/config/openvpn
################
config openvpn 'client_tun0'
    option config '/etc/openvpn/openvpn.ovpn'
################
vi /etc/config/network
################ can also be configured in LuCI
config interface 'tun0'
    option ifname 'tun0'
    option proto 'none'
################
vi /etc/config/firewall
################ can also be configured in LuCI
config zone
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'tun0'
    option name 'ovpn'

config forwarding
    option dest 'wan'
    option src 'ovpn'
################
vi /etc/openvpn/openvpn.ovpn
################
client
dev tun
proto udp
remote fail.vpn.com 53
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
--auth-user-pass /etc/openvpn/passwd
ns-cert-type server
comp-lzo
verb 3
reneg-sec 0
setenv CLIENT_CERT 0
log /tmp/openvpn.log
#auth-nocache
tls-client
#tls-auth
ping 15
ping-restart 180
route-nopull
route-noexec
################
STRONGSWAN configuration:
vi /etc/ipsec.conf
################
conn %default
keyexchange=ikev2
keyingtries=30
closeaction=restart
dpdaction=restart
dpddelay=1200s
ikelifetime=24h
reauth=no
ike=3des-sha1-md5-modp1024
mobike=yes
eap_identity=username
left=%defaultroute
leftsourceip=%config
leftcert=/etc/ipsec.d/certs/ca.crt.pem
leftauth=eap
leftsubnet=10.1.2.0/24

conn vpn1
leftupdown=/etc/ipsec_updown
right=ikev2.vpn.com
rightid=%ikev2.vpn.com
rightsubnet=0.0.0.0/0
auto=start
conn vpn2
leftupdown=/etc/strongswan.d/vpn2updown.sh
right=ikev2.vpn2.com
rightid=%ikev2.vpn2.com
rightsubnet=0.0.0.0/0
auto=start
################
vi /etc/strongswan.conf
inside the charon section:
################
charon {
    dos_protection = no
    retry_initiate_interval = 50
    retransmit_tries = 3
    routing_table = 254
    routing_table_prio = 254
    install_routes = no
}
################
strongSwan updown.sh
################
#!/bin/sh
echo "RUNNING SCRIPT......"
sleep 4
ip route del 0.0.0.0/0 dev ipsec0

#ip route replace 208.117.228.218 dev ipsec0
ip route replace 216.58.221.86 dev ipsec0
ip route replace 8.8.8.8 dev ipsec0
ip route replace 8.8.4.4 dev ipsec0
ip route replace 208.67.222.222 dev ipsec0
ip route replace 208.67.220.220 dev ipsec0

ip route add default dev ipsec0 table 3
################
vi /etc/config/firewall
################ configure as needed if the tunnel fails to connect
config rule
option 'src' 'wan'
option 'proto' 'esp'
option 'target' 'ACCEPT'

config rule
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '500'
option 'target' 'ACCEPT'

config rule
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '4500'
option 'target' 'ACCEPT'

config rule
option 'src' 'wan'
option 'proto' 'ah'
option 'target' 'ACCEPT'
################
SHADOWSOCKS configuration:
1. Edit /etc/shadowsocks.json and fill in the account details.
2. Edit /etc/init.d/shadowsocks and uncomment the /usr/bin/ss-redir line.
DNSMASQ+IPSET together with SHADOWSOCKS (carries the TCP traffic to be proxied) + #dropped: STRONGSWAN (carried UDP, ICMP, DNS):
vi /etc/rc.local
################
###ipset
ipset create vpngo hash:ip

ipset create ssgo hash:ip
ipset add ssgo 74.125.239.114
ipset add ssgo 216.58.221.86

###local-to-remote-before-routing
#for vpn: iptables -t mangle -A OUTPUT -p udp -m set --match-set ssgo dst -j MARK --set-mark 3
#for vpn: iptables -t mangle -A OUTPUT -p icmp -m set --match-set ssgo dst -j MARK --set-mark 3
iptables -t nat -A OUTPUT -p tcp -m set --match-set ssgo dst -j REDIRECT --to-port 1080

###remote-to-remote-before-routing
iptables -t mangle -A PREROUTING -p tcp -m set --match-set vpngo dst -j MARK --set-mark 3
#for vpn: iptables -t mangle -A PREROUTING -p udp -m set --match-set ssgo dst -j MARK --set-mark 3
#for vpn: iptables -t mangle -A PREROUTING -p icmp -m set --match-set ssgo dst -j MARK --set-mark 3
iptables -t nat -A PREROUTING -p tcp -m set --match-set ssgo dst -j REDIRECT --to-port 1080

###*after-routing
#for strongswan: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ipsec0 -j MASQUERADE
#for openvpn: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE

###ip-rule
ip rule add fwmark 3 table 3 pref 253
################
shadowsocks hotplug.d script
################
vi /etc/hotplug.d/iface/25-shadowsocks
#!/bin/sh

if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
/etc/init.d/shadowsocks restart
fi
################
DNSCRYPT configuration
vi /etc/config/dnscrypt-proxy
################ leave the shipped config as is, no changes needed
config dnscrypt-proxy
        option address '127.0.0.1'
        option port '5353'
#      option resolver 'opendns'
#      option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
################
mkdir -p /etc/ssl/certs/
wget -P /etc/ssl/certs/ http://curl.haxx.se/ca/cacert.pem
/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start
Companion setting: in the dnsmasq configuration, forward the sites that should be resolved through dnscrypt to 127.0.0.1:5353, for example:
server=/fq.com/127.0.0.1#5353
################
gfwlist script that automatically downloads the list and adds it to dnsmasq:
vi /mnt/app/dns/sh.sh
################
#!/bin/sh
# Work from the dns directory so the relative file names below resolve to /mnt/app/dns
cd /mnt/app/dns || exit 1
# The opening test of this outer if/else was lost on the page (only its
# "no 5 day" else branch survives); placeholder: always take the update branch.
if true; then
 if [ ! -f /mnt/app/dns/gfwlist.base64.txt.old ]; then
  cp -p /mnt/app/dns/gfwlist.base64.txt /mnt/app/dns/gfwlist.base64.txt.old
 fi
 if [ ! -f /mnt/app/dns/gfwlist.ok.txt.old ]; then
  cp -p /mnt/app/dns/gfwlist.ok.txt /mnt/app/dns/gfwlist.ok.txt.old
 fi
  gfwurl="https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt"
  wgetgfwfile="wget --no-check-certificate -t 5 -T 5 --bind-address=192.168.1.11 $gfwurl"
# size1=$($wgetgfwfile --spider --server-response -O - 2>&1 | sed -ne '/Content-Length/{s/.*: //;p}')
  # Remote size from the Content-Length header versus the size of the cached copy
  size1=$(wget --no-check-certificate -t 5 -T 5 --bind-address=192.168.1.11 \
          https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt \
          --spider --server-response -O - 2>&1 | sed -ne '/Content-Length/{s/.*: //;p}')
  size2=$(ls -l /mnt/app/dns/gfwlist.base64.txt.old | awk '{ print $5}')
  if [ "$size1" -ne "$size2" ]; then
    echo "[o]downloading gfwlist"
    logger "[o]downloading gfwlist"
    $wgetgfwfile -q -O /mnt/app/dns/gfwlist.base64.txt
    # Decode the AutoProxy list and reduce each rule to a bare domain:
    # drop header/comment lines, leading '|' and scheme, paths, wildcards, exceptions
    cat /mnt/app/dns/gfwlist.base64.txt \
    | base64 -d \
    | grep -v \
      -e '^\s*$' \
      -e '^[\[!]' \
    | sed \
      -e 's/^|*//g' \
      -e 's/^http[s]*:\/\///g' \
      -e 's/\/.*$//g' \
      -e 's/\*.*$//g' \
      -e 's/^\s*//g' \
      -e 's/\s*$//g' \
      -e 's/^\.//g' 2>/dev/null \
    | grep \
      -e '\.' \
    | grep -v \
      -e '^\s*$' \
      -e '^!' \
      -e '^@' \
    | grep -v % \
    | sort -u \
     > gfwlist.ok.txt
    # Domains added since the last run: the '+' lines of the diff, minus the '+++' header
    diff -u gfwlist.ok.txt.old gfwlist.ok.txt | grep '^+' | grep -v '^+++' | sed 's/^+//' | sort -u > gfwlist.add.txt
    sed -i '1s/^.*/# Updated: '`date +%Y-%m-%d`' #/' /mnt/app/dns/dnsmasq.gfwlist.conf
    echo "# `date +%Y-%m-%d` #" >>dnsmasq.gfwlist.conf
    for line in `cat /mnt/app/dns/gfwlist.add.txt`
      do
        printf "server=/$line/127.0.0.1#5353\nipset=/$line/ssgo\n" >> /mnt/app/dns/dnsmasq.gfwlist.conf
    done
    cp -p /mnt/app/dns/gfwlist.base64.txt /mnt/app/dns/gfwlist.base64.txt.old
    cp -p /mnt/app/dns/gfwlist.ok.txt /mnt/app/dns/gfwlist.ok.txt.old
    /etc/init.d/dnsmasq restart
    echo "updated@`date +%Y-%m-%d`"
    logger "updated@`date +%Y-%m-%d`"
  else
    # Same remote size: restart dnsmasq only if one of the conf files was edited by hand
    checkgfwlistnew=`ls -l /mnt/app/dns/dnsmasq.gfwlist.conf  | awk '{ print $5}'`
    checkgfwlistold=`cat /mnt/app/dns/dnsmasq.size.gfwlist.conf`
    checkmyurlnew=`ls -l /mnt/app/dns/dnsmasq.myurl.conf  | awk '{ print $5}'`
    checkmyurlold=`cat /mnt/app/dns/dnsmasq.size.myurl.conf`
    if [ "$checkgfwlistnew" != "$checkgfwlistold" ] || [ "$checkmyurlnew" != "$checkmyurlold" ]; then
      sed -i "1s/^.*/$checkgfwlistnew/g" /mnt/app/dns/dnsmasq.size.gfwlist.conf
      sed -i "1s/^.*/$checkmyurlnew/g" /mnt/app/dns/dnsmasq.size.myurl.conf
      /etc/init.d/dnsmasq restart
      echo "same size:$size1 $size2 ,restarted dnsmasq"
      logger "same size:$size1 $size2 ,restarted dnsmasq"
    else
      echo "same size:$size1 $size2,unchanged"
      logger "same size:$size1 $size2,unchanged"
    fi
  fi
else
  echo "no 5 day"
fi
################
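As an added example (not the author's script), the same gfwlist-to-dnsmasq conversion the shell pipeline above performs, written in Python with each AutoProxy rule type handled explicitly; the sample list is constructed, and the resolver address 127.0.0.1#5353 and ipset name ssgo are the values used in the script above.

```python
"""Convert a gfwlist (AutoProxy syntax, base64-encoded) into dnsmasq server=/ipset= lines."""
import base64
import re
from typing import Iterable, List, Optional, Set

# Constructed sample in AutoProxy syntax (not the real gfwlist).
SAMPLE_RULES = """[AutoProxy 0.2.9]
! Checksum: constructed-sample
! plain comment
||example.com
|http://cdn.example.org/static/*
.video.example.net
example-wild.com/*
@@||allowed.example.com
/^https?:\\/\\/[^\\/]+regex\\.example/
localhost
"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RULES.encode()).decode()

_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def rule_to_domain(rule: str) -> Optional[str]:
    """Reduce one AutoProxy rule to the domain it targets.

    Returns None for rules without a usable domain: the [header], '!' comments,
    '@@' exceptions, /regex/ rules, URL-encoded entries and names without a dot
    (the shell pipeline above drops the same cases).
    """
    r = rule.strip()
    if not r or r[0] in "[!@" or "%" in r:
        return None
    if len(r) > 1 and r.startswith("/") and r.endswith("/"):
        return None
    r = r.lstrip("|")                          # '||host' and '|http://host'
    r = re.sub(r"^https?://", "", r)           # drop the scheme
    r = r.split("/", 1)[0]                     # drop any path
    if r.startswith("*."):                     # '*.host' names the host itself
        r = r[2:]
    r = r.split("*", 1)[0]                     # drop a trailing wildcard
    r = r.strip().lstrip(".").lower()
    return r if _HOST_RE.match(r) else None


def gfwlist_domains(b64_text: str) -> Set[str]:
    """Decode the base64 list and collect the unique domains it names."""
    decoded = base64.b64decode(b64_text).decode("utf-8", errors="replace")
    return {d for d in map(rule_to_domain, decoded.splitlines()) if d}


def new_domains(old: Iterable[str], current: Iterable[str]) -> List[str]:
    """Domains present now but not in the previous run (the diff step in the script)."""
    return sorted(set(current) - set(old))


def dnsmasq_lines(domains: Iterable[str], dns: str = "127.0.0.1#5353",
                  ipset: str = "ssgo") -> List[str]:
    """One server= and one ipset= line per domain, as the script appends them."""
    out: List[str] = []
    for d in sorted(domains):
        out.append(f"server=/{d}/{dns}")
        out.append(f"ipset=/{d}/{ipset}")
    return out


if __name__ == "__main__":
    domains = gfwlist_domains(SAMPLE_B64)
    added = new_domains({"example.com"}, domains)  # pretend example.com was already listed
    print("\n".join(dnsmasq_lines(added)))
```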
Create a LuCI page named gfwlist for maintaining the dnsmasq lists
vi /usr/lib/lua/luci/model/cbi/gfwlist.lua 
################
require "nixio.fs"
require "luci.sys"

m = Map("gfwlist", translate("GFW List Tailor"))
-- Re-run the update script whenever the form is saved
function m.on_after_commit()
     luci.sys.exec("sh /mnt/app/dns/sh.sh")
end
s = m:section(TypedSection, "gfwlist", "GFW List Tailor")
s.anonymous = true

s:tab("template", translate("Custom GFWList"))
s:tab("template2", translate("Collected GFWList"))

tmpl = s:taboption("template", Value, "_tmpl",
        translate("Edit with DNSMASQ format"),
        translate("This is the content of the file '/mnt/app/dns/dnsmasq.myurl.conf'. " .. "\n" ..
                "Basic format:" .. "\n" ..
                "     server=/url(/url2/url3/.../urlX)/pure-dns-ip" .. "\n" ..
                "     ipset=/url(/url2/url3/.../urlX)/ipset-name" .. "\n" ..
                "Example:" .. "\n" ..
                "     server=/http404.com/8.8.8.8" .. "\n" ..
                "     ipset=/http404.com/ssgo " .. "\n" ..
                "More detail:" .. "\n" ..
                "     http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html"))
tmpl.template = "cbi/tvalue"
tmpl.rows = 20
-- The textarea shows and writes the file itself rather than a UCI value
function tmpl.cfgvalue(self, section)
        return nixio.fs.readfile("/mnt/app/dns/dnsmasq.myurl.conf")
end
function tmpl.write(self, section, value)
        value = value:gsub("\r\n?", "\n")
        nixio.fs.writefile("/mnt/app/dns/dnsmasq.myurl.conf", value)
end
tmpl2 = s:taboption("template2", Value, "_tmpl2",
        translate("Generate from GFWList website"),
        translate("This is the content of the file '/mnt/app/dns/dnsmasq.gfwlist.conf'. " .. "\n" ..
                "Update from: " .. "\n" ..
                "     http://autoproxy-gfwlist.googlecode.com/svn/trunk/gfwlist.txt" .. "\n" ..
                "Editable, the formats are all the same."))
tmpl2.template = "cbi/tvalue"
tmpl2.rows = 25
function tmpl2.cfgvalue(self, section)
        return nixio.fs.readfile("/mnt/app/dns/dnsmasq.gfwlist.conf")
end
function tmpl2.write(self, section, value)
        value = value:gsub("\r\n?", "\n")
        nixio.fs.writefile("/mnt/app/dns/dnsmasq.gfwlist.conf", value)
end

return m
################
vi /overlay/usr/lib/lua/luci/controller/gfwlist.lua 
################
module("luci.controller.gfwlist", package.seeall)
require "nixio.fs"
function index()
        -- Register the menu entry only once the UCI config file exists
        if not nixio.fs.access("/etc/config/gfwlist") then
                return
        end
        local page
        page = entry({"admin", "services", "gfwlist"}, cbi("gfwlist"), _("GFW List Tailor"))
        page.dependent = true
end
################
vi /etc/config/gfwlist


Permalink: https://hqyman.cn/post/373.html  Articles not original to this site may be freely reposted; original articles must keep this site's address!
