一、简介

随着v2ray的ws+tls+cdn成为标配,openwrt上对应的透明代理的配置一般有两种模式:

1.白名单代理模式。

优点是:网页加载速度较全局模式快

缺点是:不加入gfwlist且被墙的网站打不开,需要手动加白名单

2.境外全局代理模式。

优点是:所有被墙的网站都能打开,不用维护复杂的gfwlist

缺点是:网页加载速度较白名单代理模式慢一些


二、为什么要优化

所谓的优化配置,主要是解决几个问题:

1.简化v2ray的配置,尽量不使用sniffing嗅探、geoip、geosite等,一方面提升v2ray的速度和稳定性,一方面可以减少路由空间的占用(可以使用空库的geoip和geosite,只需共用chinadns的数据文件)

2.简化firewall规则配置,尽量减少ipset条目,不影响境内网站的访问速度,同时保证可以访问外网。

3.使用chinadns解决dns污染问题,保证ping外网的时候能正确获得ip,且利用apnic的网址列表来区分境内外。

4.通过自定义luci页面,实现全局和白名单模式灵活切换


三、怎么进行优化

下面以ws+tls+cdn为例:

1.v2ray服务器端配置参考:

配置

2.chinadns在openwrt的配置参考:

配置

3.v2ray在openwrt客户端的配置为:

{
    "inbounds": [
        {
            "protocol": "dokodemo-door",
            "port": 1060,
            "listen": "0.0.0.0",
            "sniffing": {
                "enabled": false,
                "destOverride": [
                    "http",
                    "tls"
                ]
            },
            "settings": {
                "network": "tcp,udp",
                "followRedirect": true
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "redirect"
                }
            }
        },
        {
            "protocol": "dokodemo-door",
            "listen": "127.0.0.1",
            "port": 5353,
            "settings": {
                "address": "8.8.8.8",
                "port": 53,
                "network": "udp",
                "timeout": 0,
                "followRedirect": false
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vmess",
            "tag": "proxy",
            "settings": {
                "vnext": [
                    {
                        "address": "你的网址",
                        "port": 443,
                        "users": [
                            {
                                "id": "你的id",
                                "alterId": 64
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "security": "tls",
                "wsSettings": {
                    "path": "你的路径"
                }
            }
        }
    ]
}

4.新建luci菜单配置v2ray:

(1).新建/etc/config/advancedconfig,内容为:


config arguments

config rules
	option v2raymode 'gfwlist'

(2)新建/usr/lib/lua/luci/controller/advancedconfig.lua,内容为:


--/usr/lib/lua/luci/controller/advancedconfig.lua
module("luci.controller.advancedconfig", package.seeall)
function index()
        if not nixio.fs.access("/etc/config/advancedconfig") then
                return
        end
        entry({"admin", "services", "advancedconfig"}, cbi("advancedconfig"), _("高级设置")).dependent = true
end

(3).新建/usr/lib/lua/luci/model/cbi/advancedconfig.lua,内容为(需替换###p###为html新段落标记<p>):

######################################################################################################################################
--/usr/lib/lua/luci/model/cbi/advancedconfig.lua
local fs = require "nixio.fs"

m=Map("advancedconfig",translate("高级设置"), translate("各类服务内置脚本文档的直接编辑,除非你知道自己在干什么,否则请不要轻易修改这些配置文档"))
s=m:section(TypedSection,"arguments","")
s.addremove=false
s.anonymous=true



--配置1开始
if nixio.fs.access("/etc/dnsmasq.d/custom.conf") then
s:tab("config1", translate("编辑gfwlist自定义解析文件"),translate("###p###本页是编辑/etc/dnsmasq.d/custom.conf的内容,gfwlist中的固定网站已经添加,此文件是额外的自定义解析文件,示例:###p### 1.在gfwlist白名单模式下,如要添加xxx.com网站走代理,则增加两行:###p### server=/xxx.com/127.0.0.1#5353 ###p### ipset=/xxx.com/gfwlist ###p###(其中5353是chinadns上游服务器的监听端口)。###p### 2.在gfwlist白名单模式下,如果要添加333.com 直连不走代理,则增加一行:###p### server=/333.com/114.114.114.114 ###p###3.在任何一种模式下如需防止bbb.com的dns查询泄露,则增加一行:###p### server=/bbb.com/127.0.0.1#5353 ###p###(其中5353是chinadns上游服务器的监听端口)。###p### "))
view_cfg1 = s:taboption("config1", TextValue, "editconf1", nil, translate("每行开头的符号(#)被视为注释;删除(#)启用指定选项。"))

view_cfg1.rmempty = false
view_cfg1.rows = 30

function view_cfg1.cfgvalue(self, section)
    return nixio.fs.readfile("/etc/dnsmasq.d/custom.conf") or ""
end

function view_cfg1.write(self, section, value)
    if value then
        value = value:gsub("\r\n?", "\n")
	      local old_value = nixio.fs.readfile("/etc/dnsmasq.d/custom.conf")
	      if value ~= old_value then
		       nixio.fs.writefile("/etc/dnsmasq.d/custom.conf", value)
           luci.sys.call("/etc/init.d/dnsmasq restart >/dev/null")
        end
    end
end

end
--配置1结束



--配置2开始
if nixio.fs.access("/etc/config/v2ray.json") then
s:tab("config2", translate("编辑v2ray配置文件"),translate("###p###本页是编辑/etc/config/v2ray.json的内容。###p###"))

view_cfg2 = s:taboption("config2", TextValue, "editconf2", nil, translate("每行开头的符号(#)被视为注释;删除(#)启用指定选项。"))

view_cfg2.rmempty = false
view_cfg2.rows = 30


function view_cfg2.cfgvalue(self, section)
    return nixio.fs.readfile("/etc/config/v2ray.json") or ""
end

function view_cfg2.write(self, section, value)
    if value then
        value = value:gsub("\r\n?", "\n")
	      local old_value = nixio.fs.readfile("/etc/config/v2ray.json")
	      if value ~= old_value then
		       nixio.fs.writefile("/etc/config/v2ray.json", value)
           luci.sys.call("/etc/init.d/v2ray restart >/dev/null")
        end
    end
end

end
--配置2结束


s2=m:section(TypedSection,"rules","")
s2.addremove=false
s2.anonymous=true
s2:tab("config3", translate("编辑v2ray规则文件"),translate("###p###本页是编辑v2ray规则,支持两种模式:gfwlist白名单模式,境外全局代理模式。###p###"))
c = s2:taboption("config3", ListValue, "v2raymode",nil ,translate("v2ray代理模式,gfwlist模式速度较快,但未添加的网站打不开,境外全局代理模式速度较慢,但所有网站都能打开"))
c:value("gfwlist", translate("白名单模式"))
c:value("outlands", translate("境外全局模式"))
c.default = "gfwlist"

function c.write(self, section, value)   
    ListValue.write(self, section, value)
    luci.sys.call("/etc/init.d/v2ray start >/dev/null")
end


return m

######################################################################################################################################

重头戏来了~~~~

5.在openwrt上修改/etc/init.d/v2ray,内容为:


#!/bin/sh /etc/rc.common
#
# Copyright (C) 2020
#
# This is free software, licensed under the GNU General Public License v3.
# See /LICENSE for more information.
#

START=90

USE_PROCD=1
LimitNOFILE=1048576
LimitNPROC=512
##########################################################################################################
#境外全局代理防火墙配置

DOMAIN="你的v2ray服务器域名"
    
bypasscount=`ipset list bypasslist | wc -l`    

if [ $bypasscount -le 1 ]; then
    #create ipset list
    #创建一个bypasslist,在list中的ip段直连,不在ip段的网址挂v2ray代理
    ipset create bypasslist hash:net family inet hashsize 1024 maxelem 65535
    
    #add private address
    #在list中添加私有网地址段
    ipset add bypasslist 0.0.0.0/8
    ipset add bypasslist 10.0.0.0/8
    ipset add bypasslist 127.0.0.0/8
    ipset add bypasslist 169.254.0.0/16
    ipset add bypasslist 172.16.0.0/12
    ipset add bypasslist 192.168.0.0/16
    ipset add bypasslist 224.0.0.0/4
    ipset add bypasslist 240.0.0.0/4
    
    #add china ip list from apnic
    #在list中添加apnic给中国分配的地址段
    for line in $(cat /etc/chinadns_chnroute.txt)
    do
       ipset add bypasslist $line
    done
    
    #by pass server ip
    #在list中添加v2ray服务器端的ip,如果使用了cdn,则通过以下代码添加了对应cdn的ip
    sleep 20
    SIP=` ping ${DOMAIN} -c 1 |awk 'NR==2 {print $4}' |awk -F ':' '{print $1}'`
    if [ x"${SIP}" != x ]; then
        ipset add bypasslist ${SIP}
    fi
fi
##########################################################################################################
#gfwlist白名单防火墙配置

gfcount=`ipset list gfwlist | wc -l`    

if [ $gfcount -le 1 ]; then
   ipset -N gfwlist iphash
   
   #add telegram server
   #手动添加telegram服务器地址段
   ipset add gfwlist 93.119.240.0/24
   ipset add gfwlist 93.119.241.0/24
   ipset add gfwlist 93.119.242.0/24
   ipset add gfwlist 93.119.243.0/24
   ipset add gfwlist 93.119.244.0/24
   ipset add gfwlist 93.119.245.0/24
   ipset add gfwlist 93.119.246.0/24
   ipset add gfwlist 93.119.247.0/24
   ipset add gfwlist 93.119.248.0/24
   ipset add gfwlist 93.119.249.0/24
   ipset add gfwlist 93.119.250.0/24
   ipset add gfwlist 93.119.251.0/24
   ipset add gfwlist 93.119.252.0/24
   ipset add gfwlist 93.119.253.0/24
   ipset add gfwlist 93.119.254.0/24
   ipset add gfwlist 93.119.255.0/24
   ipset add gfwlist 149.154.172.0/22
   ipset add gfwlist 91.108.12.0/22
   ipset add gfwlist 149.154.160.0/20
   ipset add gfwlist 149.154.164.0/22
   ipset add gfwlist 91.108.4.0/22
   ipset add gfwlist 91.108.56.0/22
   ipset add gfwlist 91.108.8.0/22
  
fi
########################################################################################################
v2ray_mode=`uci get advancedconfig.@rules[0].v2raymode 2>/dev/null`
if [ "$v2ray_mode" = "gfwlist" ]; then
           echo "gfwlist mode" > /tmp/v2raymode.txt
           iptables -t nat -D PREROUTING -p tcp -m set ! --match-set bypasslist dst -j REDIRECT --to-port 1060
           iptables -t nat -D OUTPUT -p tcp -m set ! --match-set bypasslist dst -j REDIRECT --to-port 1060
           iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1060
           iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1060
else
           echo "outlands mode" > /tmp/v2raymode.txt
           SIP=` ping ${DOMAIN} -c 1 |awk 'NR==2 {print $4}' |awk -F ':' '{print $1}'`
           if [ x"${SIP}" != x ]; then
               ipset add bypasslist ${SIP}
           fi
           iptables -t nat -D PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1060
           iptables -t nat -D OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1060
           iptables -t nat -A PREROUTING -p tcp -m set ! --match-set bypasslist dst -j REDIRECT --to-port 1060
           iptables -t nat -A OUTPUT -p tcp -m set ! --match-set bypasslist dst -j REDIRECT --to-port 1060
fi


start_service()  {
        mkdir /var/log/v2ray > /dev/null 2>&1
        ulimit -n 99999
        procd_open_instance
        procd_set_param respawn
        procd_set_param command /usr/bin/v2ray -config /etc/config/v2ray.json
        procd_set_param file /etc/config/v2ray.json
        procd_set_param stdout 1
        procd_set_param stderr 1
        procd_set_param pidfile /var/run/v2ray.pid
        procd_close_instance
}

service_triggers() {
	procd_add_reload_trigger "advancedconfig"
}


两种模式都可以使用同一个v2ray的openwrt客户端配置,其中境外全局模式的防火墙配置非常简洁,看起来很舒服。。。

附:luci的效果图如下:

AltText