v2ray在openwrt下的安装部署
从本月开始,ss扶墙的服务器全灭,最夸张的是新建一个灭一个,活不过2小时。不得不寻找新的解决方案,终于,花了几天时间搞定了。那就是迁移到v2ray。
一、性能
v2ray比ss强大很多,但是对路由的性能要求高很多,经过测试,发现如果要完整安装v2ray-core,路由本身至少需要256M ROM,32M RAM,这样的话,市面大多数跑得动ss路由都被淘汰了,目前mips路由,我只在MT7621AT上测试成功,使用的是联想newifi3 d2,但是想跑满带宽还是建议使用x86软路由,100M vmess跑满的话,i3 4代大约占用13~24%。
二、安装
1.服务器端
1).首先是找一台墙外的vps,linux就行,推荐debian和ubuntu,根据v2ray官方文档,命令行执行:
bash <(curl -L -s https://install.direct/go.sh)
2).配置服务器端配置文件/etc/v2ray/config.json (v2ray安装完成后此文件就已经存在了,保留id,编辑其他部分):
{
"inbound": {
"port": 11111,
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "你的ID",
"level": 1,
"alterId": 64
}
],
"detour":{
"to":"dynamicPort"
}
},
"streamSettings":{
"network":"kcp"
}
},
"inboundDetour":[
{
"protocol": "vmess",
"port": "10000-50000",
"tag": "dynamicPort",
"settings": {
"default": {
"level": 1,
"alterId": 64
}
},
"allocate": {
"strategy": "random",
"concurrency": 4,
"refresh": 300
},
"streamSettings": {
"network": "kcp"
}
}
],
"outbound": {
"protocol": "freedom",
"settings": {}
},
"outboundDetour": [
{
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
}
],
"transport":{
"kcpSettings":{
"mtu":1350,
"tti":50,
"uplinkCapacity":100,
"downlinkCapacity":200,
"congestion":true,
"readBufferSize":2,
"writeBufferSize":2,
"header":{
"type":"wechat-video"
}
}
}
}
3).运行:
service v2ray restart
ps查看进程如果出现
/usr/bin/v2ray -config /etc/v2ray/config.json
即成功了。
2.本地路由安装
1).校准时间
由于v2ray dynamic port对时间要求很高,所以,首先是校准时间,可以在启动项里面添加
sleep 10
ntpd -q -n -d -p 1.openwrt.pool.ntp.org
ntpd -q -n -d -p ntp1.aliyun.com
计划任务里面添加
10 * * * * ntpd -q -n -d -p 1.openwrt.pool.ntp.org
10 * * * * ntpd -q -n -d -p ntp1.aliyun.com
2).安装v2ray-core, kuoruan 大神的github仓库里面有release的版本,可以直接去下载合适的架构,我这里下载的是:
https://github.com/kuoruan/openwrt-v2ray/releases/download/v4.19.1-2/v2ray-core_4.19.1-2_x86_64.ipk
尝试自己编译了一下,报错了没有成功,就用了现成的。
ps:其实x86的openwrt装v2ray linux x64原版的也行,直接解压拷贝到openwrt某个目录下chmod就行了,这2个版本都要求装ca-certificates。
opkg直接安装,建议先opkg update一下,如果有关联的package就一起装了。
3)配置v2ray,可以放在/etc/config/v2ray.json
{
"outbound": {
"protocol": "vmess",
"tag": "proxy",
"settings": {
"vnext": [
{
"address": "VPS的ip地址",
"port": 11111,
"users": [
{
"id": "你的id",
"level": 1,
"alterId": 64
}
]
}
]
},
"streamSettings": {
"network": "kcp"
},
"mux": {
#不建议打开,否则会断流
"enabled": false
}
},
"outboundDetour": [
{
"protocol": "freedom",
"settings": {},
"tag": "direct"
}
],
"inbound": {
"protocol": "dokodemo-door",
"listen":"127.0.0.1",
"port": 5353,
"settings": {
"address": "8.8.8.8",
"port": 53,
"network": "udp",
"timeout": 0,
"followRedirect": false
}
},
"inboundDetour": [
{
#如果使用chinadns,这个参数可以不要
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
},
"protocol": "dokodemo-door",
"listen":"网关的lan ip例如192.168.1.1,如果不指定仅监听lan,会有安全性问题",
"port": 1060,
"settings": {
"network": "tcp",
"timeout": 30,
"followRedirect": true
}
}
],
"dns": {
"servers": [
"localhost",
"8.8.8.8",
"1.1.1.1"
]
},
"routing": {
"strategy": "rules",
"settings": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"ip": [
"8.8.8.8/32",
"8.8.4.4/32",
"91.108.56.0/22",
"91.108.4.0/22",
"109.239.140.0/24",
"149.154.164.0/22",
"91.108.56.0/23",
"67.198.55.0/24",
"149.154.168.0/22",
"149.154.172.0/22"
],
"outboundTag": "proxy"
},
{
"type": "field",
"domain": [
"googleapis.cn",
"google.cn",
"googleapis",
"google",
"facebook",
"youtube",
"twitter",
"instagram",
"gmail",
"domain:twimg.com",
"domain:t.co"
],
"outboundTag": "proxy"
},
{
"type": "field",
"domain": [
"geosite:cn"
],
"outboundTag": "direct"
},
{
"type": "field",
"port": "1-21",
"outboundTag": "direct"
},
{
"type": "field",
"port": "54-79",
"outboundTag": "direct"
},
{
"type": "field",
"port": "81-442",
"outboundTag": "direct"
},
{
"type": "field",
"port": "444-3999",
"outboundTag": "direct"
},
{
"type": "field",
"port": "4001-65535",
"outboundTag": "direct"
},
{
"domain": [
"vultr.com"
],
"type": "field",
"outboundTag": "direct"
},
{
"type": "chinasites",
"outboundTag": "direct"
},
{
"type": "field",
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "direct"
},
{
"type": "chinaip",
"outboundTag": "direct"
}
]
}
},
"transport": {
"tcpSettings": {
"connectionReuse": true
},
"kcpSettings": {
"mtu": 1350,
"tti": 50,
"uplinkCapacity": 100,
"downlinkCapacity": 200,
"congestion": true,
"readBufferSize": 2,
"writeBufferSize": 2,
"header": {
"type": "wechat-video"
}
}
}
}
4)添加文件/etc/init.d/v2ray,填写如下内容:
#!/bin/sh /etc/rc.common
#
# Copyright (C) 2017 Ian Li <OpenSource@ianli.xyz>
#
# This is free software, licensed under the GNU General Public License v3.
# See /LICENSE for more information.
#
START=90
USE_PROCD=1
LimitNOFILE=1048576
LimitNPROC=512
start_service() {
mkdir /var/log/v2ray > /dev/null 2>&1
ulimit -n 99999
procd_open_instance
procd_set_param respawn
procd_set_param command /usr/bin/v2ray -config /etc/config/v2ray.json
procd_set_param file /etc/config/v2ray.json
procd_set_param stdout 1
procd_set_param stderr 1
procd_set_param pidfile /var/run/v2ray.pid
procd_close_instance
}
5)添加服务,开机自动运行,并运行:
chmod +x /etc/init.d/v2ray
/etc/init.d/v2ray enable
service v2ray start
ps查看进程,如果存在,即正常启动。
6)两种模式,任选一种:
a) 境外全局模式,所有境外网站均挂代理
添加防火墙规则(直接添加到/etc/firewall.user 或者luci界面 网络->防火墙 编辑):
iptables -t nat -N V2RAY
iptables -t nat -A V2RAY -d VPS地址 -j RETURN
iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 10.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 169.254.0.0/16 -j RETURN
iptables -t nat -A V2RAY -d 172.16.0.0/12 -j RETURN
iptables -t nat -A V2RAY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A V2RAY -d 240.0.0.0/4 -j RETURN
iptables -t nat -A V2RAY -s 内网ip段,例如192.168.1.0/24 -p tcp -j REDIRECT --to-ports 1060
iptables -t nat -A PREROUTING -p tcp -j V2RAY
iptables -t nat -A OUTPUT -p tcp -j V2RAY
b) gwflist模式,仅对gfwlist挂代理,此方法可以提升路由国内网站访问性能(建议删除v2ray配置文件中的 “routing”路由部分)还能避免p2p下载时影响路由性能
先安装dnsmasq_full
opkg update
opkg install dnsmasq_full
opkg remove dnsmasq
添加防火墙规则(直接添加到/etc/firewall.user 或者luci界面 网络->防火墙 编辑):
ipset -N gfwlist iphash
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1060
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1060
#add telegram server
ipset add gfwlist 93.119.240.0/24
ipset add gfwlist 93.119.241.0/24
ipset add gfwlist 93.119.242.0/24
ipset add gfwlist 93.119.243.0/24
ipset add gfwlist 93.119.244.0/24
ipset add gfwlist 93.119.245.0/24
ipset add gfwlist 93.119.246.0/24
ipset add gfwlist 93.119.247.0/24
ipset add gfwlist 93.119.248.0/24
ipset add gfwlist 93.119.249.0/24
ipset add gfwlist 93.119.250.0/24
ipset add gfwlist 93.119.251.0/24
ipset add gfwlist 93.119.252.0/24
ipset add gfwlist 93.119.253.0/24
ipset add gfwlist 93.119.254.0/24
ipset add gfwlist 93.119.255.0/24
ipset add gfwlist 149.154.172.0/22
ipset add gfwlist 91.108.12.0/22
ipset add gfwlist 149.154.160.0/20
ipset add gfwlist 149.154.164.0/22
ipset add gfwlist 91.108.4.0/22
ipset add gfwlist 91.108.56.0/22
ipset add gfwlist 91.108.8.0/22
编辑/etc/dnsmasq.conf,github上有很多脚本自动将gfwlist转换为dnsmasq.conf,也可以下个现成的,例如:
https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist_ipset.conf
其中部分内容(规则)为:
server=/030buy.com/127.0.0.1#5353
ipset=/030buy.com/gfwlist
server=/0rz.tw/127.0.0.1#5353
ipset=/0rz.tw/gfwlist
……
7)配置/etc/dnsmasq.conf,防止dns查询泄露:
server=/google.com/127.0.0.1#5353
server=/google.com.hk/127.0.0.1#5353
server=/google.com.tw/127.0.0.1#5353
server=/google.com.sg/127.0.0.1#5353
server=/google.co.jp/127.0.0.1#5353
server=/google.co.kr/127.0.0.1#5353
server=/freeweibo.com/127.0.0.1#5353
server=/twitter.com/127.0.0.1#5353
server=/facebook.com/127.0.0.1#5353
server=/instagram.com/127.0.0.1#5353
运行:
/etc/init.d/dnsmasq restart
8)安装和配置chinadns
虽然v2ray也有dns配置,但:
a.不支持固定端口的dns国内外分流(domainoverride或sniffing确实可以防止污染,但是偶尔会有reset的问题)
b.ip地址库过于庞大
c.被墙网站能上但ping不通(对于dns污染的网址,子网拿不到真实ip)
因此还是使用chinadns。
首先安装chinadns (直接去github下载对应安装包):
opkg update
opkg install chinadns
其次登陆luci界面:
a.服务->chinadns设置
‘启用压缩指针’勾打上,
‘启用双向过滤’勾去掉,
‘上游服务器’改成114.114.114.114,127.0.0.1:5353,
注:5353也可以改成dns forward监听端口,这样走tcp查dns
chinadns的监听端口为5454,打勾启用
监听地址为127.0.0.1
b.网络->dhcp/dns设置
基本设置->dns转发 里面设置为
127.0.0.1#5454
127.0.0.1#5454
127.0.0.1#5454
127.0.0.1#5454
填4个是为了保证稳定性,否则经常会出现解析失败导致网页无法打开
c.基本设置->host和解析文件
忽略解析文件 打钩
忽略HOSTS文件 打钩
9)重启防火墙/路由即可
注意:如果之前配置过ss+dnsforwarder+chinadns,建议重新刷机或者删除所有配置后重新配置,否则会有冲突。 另外建议在/etc/sysctl.conf增加:
fs.file-max=90000
之前貌似运行时间一久,会出现 too many open files 的提示,用上述办法(包括/etc/init.d/v2ray 的参数/命令设置)后没有出现此类问题。
此外国内部分运营商对kcp有qos,症状是每隔一段时间,会出现断流,也就是十几或几十分钟后,间歇出现不能上外网的情况。。。这一点已经验证。解决方案是——用v2ray负载均衡,但不能完全解决。。。换运营商是王道。。。
参考资料:
1).https://blog.dreamtobe.cn/r7800-openwrt-v2ray/