Thursday, February 4, 2016

Setting up transparent proxying (翻墙) on OpenWrt

- Goal:

         Configure the router so that machines on the LAN, including wireless devices such as phones, get past the firewall transparently without any proxy settings of their own.

- Environment:

         Broadband: Gehua (歌华) cable modem.
         Router: TP-Link WR720N
         OS: OpenWrt

- Step 1: Gehua Internet access; get the laptop online

         Connect the laptop directly to the cable modem with an Ethernet cable.
         Reset the modem.
         The laptop's LAN port obtains the address 192.168.100.2; open http://192.168.100.1 to see the modem's status page.
         After a moment the laptop can reach the Internet, and http://192.168.100.1 is no longer reachable.

- Step 2: Set up the router

         WR720N => 8M flash + 64M RAM

         Flashing OpenWrt:
         If flashing OpenWrt for the first time:
         http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-tl-wr720n-v3-squashfs-factory.bin
         If the router already runs OpenWrt:
         http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-tl-wr720n-v3-squashfs-sysupgrade.bin

         This unit arrived (via Taobao) already flashed with a pre-release OpenWrt, so upgrade it to the release build:
         /sbin/sysupgrade openwrt-ar71xx-generic-tl-wr720n-v3-squashfs-sysupgrade.bin

         Configure the router:
         Open http://192.168.1.1/ for the router's status and settings pages; enable Wi-Fi, set the password, and so on.

         Verify:
         On the laptop, Chrome opens baidu.com successfully.

         Further reading:
                  how bridging works

- Step 3: Set up the SSH proxy service on the router

         opkg update
         cd /usr/bin
         rm ssh      # remove the Dropbear ssh/scp links so openssh-client can install its own
         rm scp
         opkg install openssh-client openssh-keygen

         ssh -D 0.0.0.0:7070 jackchen@s06.publicssh.org -qTfnN   # -D: SOCKS listener on all interfaces; -f -N: background, no remote command

         Verify:
         On the laptop, set Chrome's SOCKS5 proxy to 192.168.1.1:7070; twitter.com opens successfully.

         Further reading:
                  Non-interactive ssh password login, run as a boot service:
                            sshpass -p XXXXXX ssh -D 0.0.0.0:7070 jackchen@s06.publicssh.org -qTfnN
                  how SSH tunnels work
                  opkg usage:
                            opkg list-installed      # lists every installed package
                            opkg files dnsmasq-full

- Step 4: Set up transparent proxying

1)   ipset

         opkg install ipset
         opkg install iptables-mod-nat-extra
         ipset -N GFW iphash

2)   pdnsd

root@OpenWrt:/ # cat /etc/pdnsd.conf

global {
        perm_cache=2048;
        cache_dir="/var/pdnsd";
#       pid_file = /var/run/pdnsd.pid;
        run_as="nobody";
        server_ip = any;  # Use eth0 here if you want to allow other
                                # machines on your network to query pdnsd.
        server_port = 443;
        status_ctl = on;
        paranoid=on;       # This option reduces the chance of cache poisoning
                           # but may make pdnsd less efficient, unfortunately.
        query_method=tcp_only;
        min_ttl=15m;       # Retain cached entries at least 15 minutes.
        max_ttl=1w;        # One week.
        timeout=10;        # Global timeout option (10 seconds).
        neg_domain_pol=on;
        udpbufsize=1024;
}

# This section is meant for resolving from root servers.
server {
        label = "root-servers";
        root_server = on; # Query the name servers listed below
                                # to obtain a full list of root servers.
        randomize_servers = on; # Give every root server an equal chance
                                # of being queried.
        ip =    208.67.222.222,
                208.67.220.220;
#               8.8.4.4;
        port = 443;             # because OpenDNS listens on port 443
        timeout = 5;
        uptest = query;         # Test availability using empty DNS queries.
#       query_test_name = .;    # To be used if remote servers ignore empty queries.
        interval = 30m;         # Test every half hour.
        ping_timeout = 300;     # Test should time out after 30 seconds.
        purge_cache = off;
#       edns_query = yes;       # Use EDNS for outgoing queries to allow UDP messages
                                # larger than 512 bytes. May cause trouble with some
                                # legacy systems.
        exclude = .localdomain;
        policy = included;
        preset = off;
}

3)   dnsmasq + GFW.list

         opkg remove dnsmasq
         opkg install dnsmasq-full   # dnsmasq-full supports ipset

         Configure dnsmasq so that the GFW list is resolved through OpenDNS:
         vi /etc/dnsmasq.conf
                  conf-dir=/etc/dnsmasq.d      # line to add
         mkdir /etc/dnsmasq.d
         mv GFW.conf /etc/dnsmasq.d

         Format of GFW.conf:
         server=/.twitter.com/127.0.0.1#443
         ipset=/.twitter.com/GFW
         Note:
         The server= line names the DNS server used for matching domains; here it is the local pdnsd instance on port 443.
         The ipset= line puts the IPs that matching domains resolve to into the GFW ipset; the iptables rules later redirect traffic destined for that GFW ipset.

         Source of the GFW data:
         - decoding script: gen_gfwlist_for_dnsmasq.py
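The post's gen_gfwlist_for_dnsmasq.py is not reproduced here; as an added example of my own, this Python script produces GFW.conf entries in the format above from a plain domain list (the sample list and the PDNSD/IPSET names are assumptions), collapsing sub-domains that a parent entry already covers, since a dnsmasq server=/domain/ line matches the domain and everything under it.

```python
import ipaddress

# Added example, not the post's gen_gfwlist_for_dnsmasq.py: turn a plain list of
# domains into the two-line-per-domain GFW.conf format used above.
PDNSD = "127.0.0.1#443"   # local pdnsd that dnsmasq forwards matching queries to
IPSET = "GFW"             # ipset that the iptables REDIRECT rule matches on

def normalize(entry):
    """Drop comments, wildcards, scheme and path; return a lowercase domain or None."""
    entry = entry.split("#", 1)[0].strip().lower()
    for prefix in ("http://", "https://", "*.", "."):
        if entry.startswith(prefix):
            entry = entry[len(prefix):]
    entry = entry.split("/", 1)[0]
    if not entry or "." not in entry:
        return None
    try:                 # a bare IP is not a valid dnsmasq server=/ipset= domain
        ipaddress.ip_address(entry)
        return None
    except ValueError:
        return entry

def collapse(domains):
    """Drop sub-domains whose parent is listed: dnsmasq's /.twitter.com/ already
    matches api.twitter.com, so the shorter entry covers both."""
    result = []
    for d in sorted(set(domains), key=lambda d: (d.count("."), d)):
        if not any(d == p or d.endswith("." + p) for p in result):
            result.append(d)
    return sorted(result)

def render(entries):
    """Emit GFW.conf: one server= line and one ipset= line per domain."""
    domains = collapse(d for d in map(normalize, entries) if d)
    lines = []
    for d in domains:
        lines.append("server=/.%s/%s" % (d, PDNSD))
        lines.append("ipset=/.%s/%s" % (d, IPSET))
    return "\n".join(lines) + "\n"

# Constructed input list (messy on purpose: case, wildcards, comment, URL, bare IP).
SAMPLE = ["twitter.com", "api.twitter.com", ".Twitter.com", "*.youtube.com",
          "# a comment", "8.8.8.8", "https://www.google.com/ncr"]

if __name__ == "__main__":
    print(render(SAMPLE), end="")
```

Redirect the output to /etc/dnsmasq.d/GFW.conf and restart dnsmasq as in the next step.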

         Restart the dnsmasq service:
         /etc/init.d/dnsmasq restart

         Check the ipset contents:
         ipset list GFW

         Note: first dig a domain from the GFW list, otherwise the set is empty: without a resolution there is no match, and nothing gets the GFW tag.

         dig @127.0.0.1 twitter.com                         # default port, i.e. the DNS service dnsmasq provides
         dig @208.67.220.220 -p443 www.twitter.com          # OpenDNS on 443, UDP query
         dig @208.67.220.220 -p443 +tcp www.twitter.com     # OpenDNS on 443, TCP query
         dig @127.0.0.1 -p443 twitter.com                   # query the local pdnsd on 443

         Compare with a poisoned DNS answer:

         At this point DNS poisoning is solved. The approach in summary:
         - dnsmasq (forwards to pdnsd, tags the results)
         - pdnsd (forwards over TCP to OpenDNS)
         - This solves the UDP DNS poisoning problem for now; if OpenDNS itself gets blocked, consider adding the OpenDNS IPs to the GFW ipset by hand.
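The TCP-only forwarding that the pdnsd step and the "dig +tcp" check rely on, as an added Python example of my own rather than code from the post: it builds the same A query dig sends, applies the RFC 1035 length prefix that distinguishes DNS over TCP from UDP, and parses an answer while checking the query id; the reply bytes and the id 0x1234 are constructed for illustration.

```python
import socket
import struct

# Added example, not the post's code: the A query dig sends, the 2-byte length prefix
# DNS over TCP adds (pdnsd's query_method=tcp_only, "dig +tcp"), and an answer parser.

def encode_name(name):
    """'twitter.com' -> b'\\x07twitter\\x03com\\x00'"""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_query(name, qid):
    """Header (id, RD=1, QDCOUNT=1) + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP every message is preceded by its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg, off):
    """Advance past a wire-format name, handling 0xC0 compression pointers."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg, qid):
    """IPv4 answers from a response, or [] if it is not a reply to our id."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        return []
    off, ips = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

# Constructed reply to id 0x1234 for twitter.com: one A record, 10.0.0.1, TTL 60.
REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name("twitter.com")
         + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
         + socket.inet_aton("10.0.0.1"))
```

Against a live resolver, send frame_tcp(build_query(name, qid)) over a TCP connection to 208.67.220.220 port 443, read the 2-byte length and then that many bytes, and hand them to parse_a_records.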

         References:
         - https://use.opendns.com/  Put in the OpenDNS server addresses, 208.67.222.222 and 208.67.220.220, as your DNS server settings and save/apply.
         - http://www.jianshu.com/p/8b130d8ca804  ShadowSocks with pdnsd + DNSmasq for getting past the firewall

         Further reading:
                   ipset
                   DNSCrypt? https://www.opendns.com/about/innovations/dnscrypt/

4)   redsocks

Readers who have used squid will know that squid + iptables makes the requirement above easy: add the "transparent" keyword after the port option in squid.conf on the server, then use iptables to redirect the matching requests to that port.
iptables -t nat -A PREROUTING -p tcp --dport 80 -d xx.xx.xx.xx -j REDIRECT --to-port 3128
The SOCKS proxy that SSH creates has no such capability and can only be extended with third-party software. redsocks is the best software I have found for this so far.
The official redsocks description:
This tool allows you to redirect any TCP connection to SOCKS or HTTPS proxy using your firewall, so redirection is system-wide.

vi /etc/redsocks.conf
redsocks {
        local_ip = 0.0.0.0;
        local_port = 12345;
        ip = 127.0.0.1;
        port = 7070;
        type = socks5;
}
iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
#iptables -t nat -A OUTPUT -p tcp -j REDSOCKS
iptables -t nat -A OUTPUT -p tcp  -m set --match-set GFW dst -j REDIRECT --to-port 12345

5)   iptables rule to redirect to redsocks automatically:

         iptables -t nat -A PREROUTING -p tcp -m set --match-set GFW dst -j REDIRECT --to-port 12345

         Further reading:
                  iptables
                            - forwarding?
                            - PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
                            - filter, nat, mangle, raw
                            iptables -t nat -F    # flush every rule in the nat table
                  transparent proxies:
                            - shadowsocks
                            - redsocks
                            - squid

- Debugging

         Further reading:
                  tcpdump
                  netcat/socat
                  ngrep
         References:
                   http://wiki.openwrt.org/doc/devel/debugging  OpenWrt Debugging

- References:

http://www.router008.com/OpenWrt-SSH.html  WALL series (part 3): OpenWrt SSH proxy configuration
http://107.191.119.228/blog/?p=304  An approach to getting past the firewall with SSH tunnels

