Shadowsocks + chnroute: automatic proxy routing (wall-climbing) on an OpenWrt router

Source: Internet
Author: User
Tags: openssl, iptables


This article describes how to configure automatic proxying under OpenWrt based on aa65535's shadowsocks-spec for OpenWrt. The new version supports graphical configuration in LuCI, which greatly simplifies the process. Once configured, the router itself gains the ability to route blocked traffic through the proxy, so every device connected to the router can reach blocked sites: it is a transparent proxy running on the router.

The scheme decides per destination IP whether to proxy: domestic (Chinese) IPs are not proxied, foreign IPs are. Proxying is done by Shadowsocks with ss-redir TCP forwarding; domestic and foreign IPs are told apart by a list file of Chinese IP ranges (chnroute) and handled separately through iptables rules (all of this is already integrated into shadowsocks-spec and needs no extra configuration). Because the decision is IP-based, DNS pollution has to be dealt with as well, and ChinaDNS is used for that.

Because every foreign IP is proxied, not only the sites actually blocked by the wall, the advantages and disadvantages of this scheme are obvious.

Advantage: basically no blocked site slips through, so every site is reachable; it also eases, to some extent, the slowness of some foreign sites accessed from China, and if your server is fast it can even speed up access to foreign sites.

Disadvantage: if the server is only average, access to some sites will actually become slower, and sites and applications that restrict by IP can cause trouble. In short, choose according to your situation.


First, Shadowsocks installation

On a first installation, install the required packages first. Make sure the router has network access and update the package list (if downloads fail, download all the required packages manually from openwrt.org, upload them to the router and install each with opkg install xxx.ipk):


opkg update
Shadowsocks-spec comes in two builds: OpenSSL (file name shadowsocks-libev-spec-x.xx.ipk) and PolarSSL (file name shadowsocks-libev-spec-polarssl-x.xx.ipk). If ROM space is tight, choose the latter.

Install the dependencies first. If you want to use the PolarSSL build of Shadowsocks (PolarSSL is smaller):


opkg install ipset libpolarssl resolveip iptables-mod-tproxy

If you want to use the regular (OpenSSL) build of Shadowsocks, which has better compatibility:


opkg install ipset libopenssl resolveip iptables-mod-tproxy

You may see error messages similar to the following:

kmod: failed to insert /lib/modules/3.10.44/ip_set.ko
kmod: failed to insert /lib/modules/3.10.44/ip_set_bitmap_ip.ko
kmod: failed to insert /lib/modules/3.10.44/ip_set_bitmap_ipmac.ko
...
This does not matter: a reboot is needed after installing the ipset package anyway, so restart the router at this point.

Then download the following four packages (the ones installed in the commands below); the first two ipk packages must match your router's CPU architecture (ar71xx in the example):

Upload the downloaded packages to the router's /tmp directory with a tool such as WinSCP.

Then install Shadowsocks and ChinaDNS, step by step:


cd /tmp
opkg install shadowsocks-libev-spec_x.x.x-x_ar71xx.ipk
opkg install chinadns_x.x.x-x_ar71xx.ipk
opkg install luci-app-chinadns_x.x.x-x_all.ipk
opkg install luci-app-shadowsocks-spec_x.x.x-x_all.ipk

Special reminder: on 2015-01-08 chinadns-c was renamed to chinadns, so the package name changed. If you previously installed chinadns-c, uninstall it manually and install the new version.

After installation, Shadowsocks and ChinaDNS should be configured to start at boot. If you find they are not, run:


/etc/init.d/shadowsocks enable
/etc/init.d/chinadns enable

Second, Shadowsocks configuration

Log in to LuCI and open the Services menu; you should see Shadowsocks and ChinaDNS there.

Click Shadowsocks and untick "Use profile"; new options appear. Fill in the server information, set the proxy mode to "Ignore list", turn off the UDP forwarding function below, then save and apply (do not leave any option blank). Fill in an IP address as the server address wherever possible, otherwise problems are likely! When everything is done, refresh the page to make sure Shadowsocks shows as started; otherwise, check the configuration.


Of course, you can also keep using config.json, in the following format:

{
    "server": "x.x.x.x",
    "server_port": "443",
    "password": "Password",
    "local_port": "1080",
    "method": "rc4-md5"
}
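Before pointing LuCI at a profile, it is worth checking it mechanically. The following is an added example, not code from the article or from shadowsocks-libev: it parses a config.json, confirms the five keys shown above are present, checks that "server" is an IP literal rather than a hostname (the article's own advice: a hostname would have to be resolved through the very DNS path this setup is trying to protect), validates the ports, and flags a placeholder password and the legacy rc4-md5 stream cipher. The sample profile is constructed; the key names are the shadowsocks-libev ones.

```python
"""Sanity check for a shadowsocks-libev config.json profile (added example)."""
import ipaddress
import json
from typing import List

# Constructed sample: the profile shown in the article, with its placeholder values.
SAMPLE_PROFILE = """{
    "server": "x.x.x.x",
    "server_port": "443",
    "password": "Password",
    "local_port": "1080",
    "method": "rc4-md5"
}"""

REQUIRED_KEYS = ("server", "server_port", "password", "local_port", "method")

# Pre-AEAD stream ciphers still accepted by shadowsocks-libev for compatibility;
# they give confidentiality only, with no integrity check on the ciphertext.
LEGACY_METHODS = {"table", "rc4", "rc4-md5"}

# Obvious placeholders; assumption: none of these is ever a real password.
PLACEHOLDER_PASSWORDS = {"", "password", "passwd", "123456"}


def check_profile(text: str) -> List[str]:
    """Return the list of problems found; an empty list means the profile is usable."""
    problems: List[str] = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        return [f"missing key: {k}" for k in missing]

    # The article asks for an IP literal: a hostname must be resolved first, and
    # that lookup can be answered by a polluted resolver.
    try:
        ipaddress.ip_address(str(cfg["server"]))
    except ValueError:
        problems.append(f'"server" should be an IP literal, got {cfg["server"]!r}')

    # shadowsocks-libev accepts ports as numbers or as numeric strings.
    for key in ("server_port", "local_port"):
        try:
            port = int(cfg[key])
        except (TypeError, ValueError):
            problems.append(f'"{key}" is not numeric: {cfg[key]!r}')
            continue
        if not 1 <= port <= 65535:
            problems.append(f'"{key}" out of range: {port}')

    if str(cfg["method"]).lower() in LEGACY_METHODS:
        problems.append(
            f'"method" {cfg["method"]} is a legacy stream cipher with no integrity protection'
        )

    if str(cfg["password"]).lower() in PLACEHOLDER_PASSWORDS:
        problems.append('"password" is a placeholder, set a real one')

    return problems


if __name__ == "__main__":
    for problem in check_profile(SAMPLE_PROFILE) or ["profile looks usable"]:
        print(problem)
```

Run against the article's sample profile it reports three problems (placeholder server, legacy cipher, placeholder password); a profile with a real server IP, a real password and an AEAD method such as chacha20-ietf-poly1305 passes clean.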

Finally, remember to tick "Use profile" in LuCI and fill in the profile location (do not leave it blank):

Then look at the ChinaDNS configuration page. You can keep the default configuration at this point, as long as ChinaDNS starts normally; you can also refer to the following:

Pay attention to the ChinaDNS parameter descriptions.
Then switch to Network > DHCP and DNS in LuCI and, as shown in the figure, fill in 127.0.0.1#5353 under DNS forwardings.

Here 5353 is the ChinaDNS port; if you changed it in the interface earlier, make sure you do not fill in the wrong one.

Then switch to the "Resolv and Hosts Files" tab and tick "Ignore resolve file".

The next steps differ depending on how ChinaDNS is used to prevent DNS pollution and optimise resolution results. There are three schemes (plus a fourth fallback):

1. If the Shadowsocks server is one you built yourself, scheme one is recommended: run a DNS service on your own server.

2. If that is not possible but the server supports UDP forwarding (newer Shadowsocks versions do), use scheme two.

3. If the server's Shadowsocks version is old and does not support UDP forwarding, scheme three is available; it requires version >= 1.2.0.

4. If scheme three does not work well, consider scheme four: TCP queries to solve the DNS pollution problem.

With the first two schemes there is currently no DNS pollution at all; the role of ChinaDNS there is purely to optimise resolution for foreign sites: because the DNS query is forwarded by the proxy server, the originator of the query is effectively the proxy server, and the result is the one nearest to the proxy server. Scheme three does face DNS pollution, and that is where ChinaDNS's anti-pollution function comes in; at the same time, scheme three cannot optimise resolution for foreign sites, because the IP returned is the one closest to your own location. Scheme four can effectively avoid foreign DNS pollution, but likewise cannot optimise resolution results for foreign sites.

PS1: ignore.list should be updated regularly to match the latest IP range allocations; if it goes unupdated for a long time, some domestic IPs may end up proxied or some foreign IPs may not be. You can use the following command:



wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/shadowsocks/ignore.list
Or:


curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/shadowsocks/ignore.list
Of course, you can also download a new version of shadowsocks-spec and reinstall. ChinaDNS's list needs updating too; left unupdated for a long time, resolution of some addresses may fail. Its default location is /etc/chinadns_chnroute.txt.
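The awk one-liner above compresses two things worth seeing spelled out: how an APNIC delegated record becomes a CIDR line, and what the router then does with the resulting list. The following is an added example, not code from the article, from shadowsocks-spec or from ChinaDNS. It reproduces the record-to-CIDR step (field 4 is the start address, field 5 the address count, and a block of 2^k addresses is a /(32-k)), then uses the list for the two decisions described earlier in the article: the per-destination direct/proxy split that the ipset and iptables rules implement, and a ChinaDNS-style choice between a domestic resolver's answer and a foreign one. The delegated records and resolver answers are constructed; the answer-selection logic is a model of ChinaDNS's documented behaviour, not its source.

```python
"""chnroute derivation and the two decisions built on it (added example)."""
import ipaddress
import math
from typing import Iterable, List, Optional

IPv4Network = ipaddress.IPv4Network

# Constructed sample in the delegated-apnic-latest format:
# registry|cc|type|start|value|date|status   (value = number of addresses)
SAMPLE_DELEGATED = """\
2|apnic|20240101|7|19830613|20231231|+1000
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.1.0.0|256|20110414|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated
apnic|CN|ipv4|14.0.0.0|4194304|20110125|allocated
"""


def delegated_to_cidrs(lines: Iterable[str], cc: str = "CN") -> List[str]:
    """Same transformation as
    awk -F\\| '/CN\\|ipv4/ {printf("%s/%d\\n", $4, 32-log($5)/log(2))}':
    a record covering 2**k addresses from `start` is the network start/(32-k)."""
    cidrs = []
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) < 5 or fields[1] != cc or fields[2] != "ipv4":
            continue
        start, count = fields[3], int(fields[4])
        prefix_len = 32 - round(math.log2(count))  # APNIC IPv4 counts are powers of two
        cidrs.append(f"{start}/{prefix_len}")
    return cidrs


def load_chnroute(cidrs: Iterable[str]) -> List[IPv4Network]:
    """Parse the list once; this is what the ipset would be populated from."""
    return [ipaddress.IPv4Network(c) for c in cidrs]


def is_domestic(ip: str, chnroute: List[IPv4Network]) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in chnroute)


def route_for(ip: str, chnroute: List[IPv4Network]) -> str:
    """The iptables decision: destinations in the chnroute set are left alone,
    everything else is redirected to ss-redir."""
    return "direct" if is_domestic(ip, chnroute) else "proxy"


def choose_answer(domestic: Optional[str], foreign: Optional[str],
                  chnroute: List[IPv4Network], bidirectional: bool = True) -> Optional[str]:
    """ChinaDNS-style selection between the two upstreams' A records:
    - a domestic resolver answering with a non-Chinese IP is the signature of a
      polluted reply, so that answer is dropped;
    - with the bidirectional filter on, a foreign resolver answering with a Chinese
      IP is dropped as well (the domestic resolver is the better source for those);
    - whatever survives is returned, None if nothing does."""
    if domestic is not None and is_domestic(domestic, chnroute):
        return domestic
    if foreign is not None:
        if bidirectional and is_domestic(foreign, chnroute):
            return None
        return foreign
    return None


if __name__ == "__main__":
    chn = load_chnroute(delegated_to_cidrs(SAMPLE_DELEGATED.splitlines()))
    for dst in ("1.0.1.100", "1.0.16.5", "198.51.100.7"):
        print(dst, "->", route_for(dst, chn))
    # A polluted-looking domestic answer (JP range) beside a clean foreign one.
    print(choose_answer("1.0.16.5", "198.51.100.7", chn))
```

The linear scan in is_domestic is fine for a demonstration; the real list has several thousand entries, which is exactly why the router keeps it in an ipset (hash lookup in the kernel) rather than in a chain of per-prefix iptables rules.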

PS2: ChinaDNS's chinadns_chnroute.txt and Shadowsocks's ignore.list duplicate each other; you only need to point the chnroute setting on the ChinaDNS configuration page in LuCI at /etc/shadowsocks/ignore.list. chinadns_chnroute.txt can then be deleted, which saves a little space and removes the trouble of updating two files.

PS3: If other blocked sites work but YouTube, Facebook and Twitter do not open, this is most likely DNS pollution. Use the dig command to troubleshoot, and try switching the DNS forwarding scheme. Schemes one and two work better together with this dnsmasq configuration file: dnsmasq_list.conf. I will not go into its usage in detail; in short, remove the ipset=/.../... lines, then change 127.0.0.1#5353 to your corresponding address.
