Configuring the environment
OpenWrt 12.09 stable release
Target: ar71xx
Install Shadowsocks
Shadowsocks with aes-256 needs a newer libpolarssl than the one in the 12.09 package feed. A symlink can "cheat" shadowsocks into loading the old library, but anyone with a touch of OCD will want the latest version installed properly.
Tested: the libpolarssl package from the trunk feed works on 12.09. SSH into the router and install it:
cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/libpolarssl_1.3.7-1_ar71xx.ipk
opkg install libpolarssl_1.3.7-1_ar71xx.ipk
wget http://lecterlee.com/myfile/shadowsocks-libev-polarssl_1.4.6_ar71xx.ipk   # the shadowsocks download site is blocked by the GFW, so a copy is mirrored on my server
opkg install shadowsocks-libev-polarssl_1.4.6_ar71xx.ipk
That completes the Shadowsocks install. (An .ipk from a third-party mirror installs files as root, so compare its checksum with the upstream release before trusting it.) The init script starts ss-local by default, but a transparent (global) proxy needs ss-redir, so change the startup script:
sed -i 's/ss-local/ss-redir/g' /etc/init.d/shadowsocks
Edit the configuration file /etc/shadowsocks.json (the server address, port and password below are placeholders):
{
    "server": "1.1.1.1",
    "server_port": 12121,
    "local_port": 1081,
    "password": "21212",
    "method": "aes-256-cfb",
    "timeout": 600
}
Start it and enable it at boot:
/etc/init.d/shadowsocks start
/etc/init.d/shadowsocks enable
Using iptables to redirect traffic
After the previous step the router can already get past the GFW, but sending all traffic through the proxy is wasteful, so iptables is used to redirect only the traffic that needs it. I use a fairly brainless rule set that redirects everything except Asian address ranges, from https://gist.github.com/reee/fe174cfd8985273bc478; adapt it to your own situation. It needs iptables-mod-nat-extra:
opkg update
opkg install iptables-mod-nat-extra
The advantage of this approach is that the iptables rules rarely need changing, although the GFW also blocks some Taiwanese address ranges, so edit the list if necessary. After some googling I found that North Division door man takes the opposite approach: all traffic goes direct by default, and for each site that needs the proxy you look up its address ranges with dig and the APNIC whois tool and redirect only those with iptables. This is smarter, but too much work for the lazy. The method is reproduced here so you can choose:
iptables -t nat -N shadowsocks   # create the shadowsocks chain
iptables -t nat -A shadowsocks -p tcp -d 74.125.0.0/16 -j REDIRECT --to-ports 1081
iptables -t nat -A shadowsocks -p tcp -d 173.194.0.0/16 -j REDIRECT --to-ports 1081   # some of Google's ranges are redirected to port 1081 (the port ss-redir listens on)
iptables -t nat -A shadowsocks -p tcp -j RETURN   # leave all other TCP traffic alone
iptables -t nat -A PREROUTING -p tcp -j shadowsocks   # run the shadowsocks chain before routing
The above is just an example for Google. For any other site that needs the proxy, add the corresponding REDIRECT rule to the shadowsocks chain, but insert it with -I rather than -A: -A appends the new rule to the bottom of the chain, below the RETURN rule, so it is never reached. Make sure the last rule in the shadowsocks chain is always the RETURN rule.
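As an added example (not the post's or North Division door man's own script), the shell function below prints the iptables commands for a complete shadowsocks chain with the ordering the paragraph above insists on, so the chain is regenerated from a list instead of being patched by hand with -I. It also adds the bypasses a practitioner would want: the Shadowsocks server's own address (otherwise ss-redir's outbound connection is redirected back into ss-redir), loopback and RFC 1918 ranges, and a hook in the nat OUTPUT chain so the router's own processes are covered as well as LAN clients. The server address, ss-redir port and CIDR list are arguments; the function name and the 203.0.113.10 address in the preview comment are our placeholders.

```shell
#!/bin/sh
# Added example: generate the iptables commands for a transparent
# Shadowsocks redirect chain.  Usage:
#   ss_redir_rules <ss-server-ip> <ss-redir-port> <cidr>...
# Preview: ss_redir_rules 203.0.113.10 1081 74.125.0.0/16 173.194.0.0/16
# Apply:   ss_redir_rules 203.0.113.10 1081 74.125.0.0/16 173.194.0.0/16 | sh
ss_redir_rules() {
    server="$1"   # Shadowsocks server; must never be redirected
    port="$2"     # port ss-redir listens on
    shift 2       # remaining arguments: destination ranges to proxy

    # Tear down any previous copy of the chain so the script can be re-run
    # after the list changes (errors from a missing chain are ignored).
    echo "iptables -t nat -D PREROUTING -p tcp -j shadowsocks 2>/dev/null"
    echo "iptables -t nat -D OUTPUT -p tcp -j shadowsocks 2>/dev/null"
    echo "iptables -t nat -F shadowsocks 2>/dev/null"
    echo "iptables -t nat -X shadowsocks 2>/dev/null"
    echo "iptables -t nat -N shadowsocks"

    # Bypass the server itself first: ss-redir's own connection to it would
    # otherwise match a REDIRECT rule and loop back into ss-redir.
    echo "iptables -t nat -A shadowsocks -d $server -j RETURN"

    # Loopback and private ranges always stay local.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -t nat -A shadowsocks -d $net -j RETURN"
    done

    # Proxied destinations go to ss-redir's listening port.
    for cidr in "$@"; do
        echo "iptables -t nat -A shadowsocks -p tcp -d $cidr -j REDIRECT --to-ports $port"
    done

    # Everything else is left alone.  This must stay the last rule in the chain.
    echo "iptables -t nat -A shadowsocks -p tcp -j RETURN"

    # PREROUTING covers LAN clients; OUTPUT covers the router's own processes
    # (for example pdnsd's TCP queries, if its upstream is in the list).
    echo "iptables -t nat -A PREROUTING -p tcp -j shadowsocks"
    echo "iptables -t nat -A OUTPUT -p tcp -j shadowsocks"
}
```

Pipe the output to sh to apply it. Note that on the LAN side REDIRECT rewrites the destination to the router's own address on the incoming interface (locally generated packets go to 127.0.0.1), so ss-redir must not be bound only to 127.0.0.1.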
Querying DNS over TCP
With the steps above you will find that Google works but some sites, such as Facebook, still do not. This is because the GFW pollutes UDP DNS on port 53 by injecting forged replies, so you resolve the wrong IP. We use dnsmasq plus pdnsd to avoid the pollution by querying upstream over TCP.
dnsmasq is installed by default on OpenWrt, so only pdnsd needs to be added:
opkg update
opkg install pdnsd
After installation, change /etc/pdnsd.conf to:
global {
    # debug=on;
    perm_cache=1024;
    cache_dir="/var/pdnsd";
    run_as="nobody";
    server_port=1053;        # listen on 1053 to avoid clashing with dnsmasq on 53
    server_ip=127.0.0.1;
    status_ctl=on;
    query_method=tcp_only;   # only query upstream over TCP
    min_ttl=15m;
    max_ttl=1w;
    timeout=10;
}
server {
    label="mydns";
    ip=8.8.8.8;              # upstream DNS; it must answer TCP queries
    root_server=on;
    uptest=none;
}
Start pdnsd and enable it at boot:
/etc/init.d/pdnsd start
/etc/init.d/pdnsd enable
Create a dnsmasq configuration directory and add a rule file:
mkdir /etc/dnsmasq.d
cat >> /etc/dnsmasq.d/fuckgfw.conf << EOF
#Google and Youtube
server=/.google.com/127.0.0.1#1053
server=/.google.com.hk/127.0.0.1#1053
server=/.gstatic.com/127.0.0.1#1053
server=/.ggpht.com/127.0.0.1#1053
server=/.googleusercontent.com/127.0.0.1#1053
server=/.appspot.com/127.0.0.1#1053
server=/.googlecode.com/127.0.0.1#1053
server=/.googleapis.com/127.0.0.1#1053
server=/.gmail.com/127.0.0.1#1053
server=/.google-analytics.com/127.0.0.1#1053
server=/.youtube.com/127.0.0.1#1053
server=/.googlevideo.com/127.0.0.1#1053
server=/.youtube-nocookie.com/127.0.0.1#1053
server=/.ytimg.com/127.0.0.1#1053
server=/.blogspot.com/127.0.0.1#1053
server=/.blogger.com/127.0.0.1#1053
#FaceBook
server=/.facebook.com/127.0.0.1#1053
server=/.thefacebook.com/127.0.0.1#1053
server=/.facebook.net/127.0.0.1#1053
server=/.fbcdn.net/127.0.0.1#1053
server=/.akamaihd.net/127.0.0.1#1053
#Twitter
server=/.twitter.com/127.0.0.1#1053
server=/.t.co/127.0.0.1#1053
server=/.bitly.com/127.0.0.1#1053
server=/.twimg.com/127.0.0.1#1053
server=/.tinypic.com/127.0.0.1#1053
server=/.yfrog.com/127.0.0.1#1053
EOF
The domains in this file are forwarded to pdnsd, which queries them over TCP. This is North Division door man's list of commonly polluted domains; add your own as needed.
Tell dnsmasq about the new directory by appending this line to /etc/dnsmasq.conf, then restart dnsmasq so it reads it:
conf-dir=/etc/dnsmasq.d
With that, the selective proxy on OpenWrt is complete, and every client connected to this router gets past the GFW without any configuration of its own.
However, I found that packet loss to Google's 8.8.8.8 public DNS from my connection reached 75%, which gave me the idea of building my own DNS server. bind9 prefers UDP by default and I could not find a setting to force TCP; after some googling I finally found a solution on Malash's blog.
First you need a server outside the wall (the Shadowsocks server from before will do). Download and extract bind9:
wget http://www.isc.org/downloads/file/bind-9-10-0b1-2/?version=tar.gz -O bind-9.10.0-p2.tar.gz
tar xf bind-9.10.0-p2.tar.gz
cd bind-9.10.0-P2
Edit lib/dns/resolver.c in the bind9 source, around line 1445, and change
    query->options = options;
to
    query->options = options | DNS_FETCHOPT_TCP;
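The edit above is described by a line number, which shifts between BIND releases. The shell function below, an added example rather than anything from the post or from Malash, applies the same one-line change with sed and refuses to touch the file unless the assignment is found exactly once, so a release that moved or duplicated the line is noticed instead of silently mis-patched. The function name is ours; the file path is the one named above.

```shell
#!/bin/sh
# Added example: force TCP in BIND's resolver by patching
# "query->options = options;" in lib/dns/resolver.c, with a sanity check.
# Usage: force_tcp_patch path/to/lib/dns/resolver.c
force_tcp_patch() {
    src="$1"
    [ -f "$src" ] || { echo "$src: no such file" >&2; return 1; }

    # Re-running after a successful patch is a no-op.
    if grep -q 'query->options = options | DNS_FETCHOPT_TCP;' "$src"; then
        echo "$src: already patched" >&2
        return 0
    fi

    # Exactly one assignment is expected; anything else means this is not
    # the source tree the post describes, so stop rather than guess.
    n=$(grep -c 'query->options = options;' "$src" || true)
    if [ "$n" -ne 1 ]; then
        echo "$src: expected exactly one 'query->options = options;' line, found $n" >&2
        return 1
    fi

    cp "$src" "$src.orig"
    sed -i 's/query->options = options;/query->options = options | DNS_FETCHOPT_TCP;/' "$src"

    # Print the patched line with its number so it can be compared with the
    # "around line 1445" in the post.
    grep -n 'DNS_FETCHOPT_TCP' "$src"
}
```

Run it from the top of the extracted source tree with lib/dns/resolver.c as the argument; `diff -u lib/dns/resolver.c.orig lib/dns/resolver.c` then shows the single changed line before you build.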
Compile and install bind9:
./configure --prefix=/usr/local/named --enable-threads --enable-largefile
make && make install
Generate the configuration files (the second command copies the key and controls blocks that rndc-confgen prints as comments into named.conf, stripping the "# " prefixes):
/usr/local/named/sbin/rndc-confgen > /usr/local/named/etc/rndc.conf
tail -n10 /usr/local/named/etc/rndc.conf | head -n9 | sed -e 's/# //g' > /usr/local/named/etc/named.conf
Then append the following to named.conf:
options {
    forward only;
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    allow-query {
        any;
    };
};
This uses Google's servers upstream and only forwards. Note that allow-query { any; } makes this an open resolver that anyone on the internet can use, and abuse for amplification; restricting it to your router's public address is safer. Once configured, run bind9 in the foreground with debugging to check it:
/usr/local/named/sbin/named -u root -g -d 9
If there are no errors, start bind normally (-u root keeps named running as root; pointing -u at an unprivileged user is the safer choice):
/usr/local/named/sbin/named -u root
Open TCP port 53 on the server and point pdnsd on the router at it (the ip= line in the server block of /etc/pdnsd.conf):
iptables -I INPUT -p tcp --dport 53 -j ACCEPT