dnsmasq, ipset and iptables configuration

Published: 2025-12-10 11:36:25

Overview

Separate the traffic that has to leave the campus from the traffic that stays inside it, so that only the outbound traffic passes through v2r.

How it works:

  • Define a set of outside domains
  • Configure dnsmasq so that the IP addresses it resolves for those domains are added to a given ipset automatically
  • Open a dokodemo-door port in v2r
  • Use iptables to redirect packets that match the ipset to v2r's dokodemo-door port

dnsmasq has to be replaced by dnsmasq-full for ipset support.

Installation and configuration

Create the ipset and iptables rules automatically at boot

If the ipset command is missing, install it first with opkg install ipset.
Edit /etc/rc.local and add:

# Create the ipset named outside (ipset create -exist outside hash:ip is the idempotent form if rc.local may run more than once)
ipset create outside hash:ip
# Redirect every packet whose destination matches this ipset to port 1090
iptables -t nat -I PREROUTING -p tcp -m set --match-set outside dst -j REDIRECT --to-port 1090
iptables -t nat -I PREROUTING -p udp -m set --match-set outside dst -j REDIRECT --to-port 1090

The contents of the ipset can be inspected with:

ipset list
ipset list outside

Install dnsmasq-full

Run dnsmasq -v to check whether the dnsmasq on this host was built with ipset support: if ipset appears under Compile time options it is supported, otherwise you need to install dnsmasq-full. Note: removal and installation must happen in one command, because once dnsmasq is removed the router can no longer resolve names and opkg cannot download the new package.

# Update the package lists and confirm dnsmasq-full exists
opkg update
opkg find dnsmasq-full
# Then remove and install in a single step
opkg remove dnsmasq && opkg install dnsmasq-full

The install reports that /etc/config/dhcp already exists and writes the new configuration as /etc/config/dhcp-xxx. Comparing the two shows the original file can still be used, so simply delete the newly generated one.

Edit /etc/config/dhcp and add one option under config dnsmasq. It puts a conf-dir entry into the dnsmasq configuration the system generates; the default is /tmp/dnsmasq.d, which lives in memory and is not persistent.

config dnsmasq
    ...
    option confdir '/etc/dnsmasq.d'

Then create the /etc/dnsmasq.d directory and the configuration file /etc/dnsmasq.d/outside_domains.conf, with content along the lines below, adjusted to your needs. These are the domains that should be resolved through 8.8.8.8 and whose addresses should be added to the outside ipset.

server=/google.com/8.8.8.8
server=/googleapis.cn/8.8.8.8
server=/googleapis.com/8.8.8.8
server=/googleapps.com/8.8.8.8
server=/googlearth.com/8.8.8.8
server=/googleartproject.com/8.8.8.8
server=/googleblog.com/8.8.8.8
server=/googlebot.com/8.8.8.8
server=/googlechinawebmaster.com/8.8.8.8
server=/googlecode.com/8.8.8.8
server=/googlecommerce.com/8.8.8.8
server=/googledomains.com/8.8.8.8
server=/googledrive.com/8.8.8.8
server=/googleearth.com/8.8.8.8
server=/googlegroups.com/8.8.8.8
server=/googlehosted.com/8.8.8.8
server=/googleideas.com/8.8.8.8
server=/googleinsidesearch.com/8.8.8.8
server=/googlelabs.com/8.8.8.8
server=/googlemail.com/8.8.8.8
server=/googlemashups.com/8.8.8.8
server=/googlepagecreator.com/8.8.8.8
server=/googleplay.com/8.8.8.8
server=/googleplus.com/8.8.8.8
server=/googlescholar.com/8.8.8.8
server=/googlesile.com/8.8.8.8
server=/googlesource.com/8.8.8.8
server=/googleusercontent.com/8.8.8.8
server=/googlevideo.com/8.8.8.8
server=/googleweblight.com/8.8.8.8
server=/googlezip.net/8.8.8.8
server=/gstatic.com/8.8.8.8
server=/youtube.com/8.8.8.8
server=/ytimg.com/8.8.8.8
server=/googlevideo.com/8.8.8.8
server=/ggpht.com/8.8.8.8
ipset=/google.com/outside
ipset=/googleapis.cn/outside
ipset=/googleapis.com/outside
ipset=/googleapps.com/outside
ipset=/googlearth.com/outside
ipset=/googleartproject.com/outside
ipset=/googleblog.com/outside
ipset=/googlebot.com/outside
ipset=/googlechinawebmaster.com/outside
ipset=/googlecode.com/outside
ipset=/googlecommerce.com/outside
ipset=/googledomains.com/outside
ipset=/googledrive.com/outside
ipset=/googleearth.com/outside
ipset=/googlegroups.com/outside
ipset=/googlehosted.com/outside
ipset=/googleideas.com/outside
ipset=/googleinsidesearch.com/outside
ipset=/googlelabs.com/outside
ipset=/googlemail.com/outside
ipset=/googlemashups.com/outside
ipset=/googlepagecreator.com/outside
ipset=/googleplay.com/outside
ipset=/googleplus.com/outside
ipset=/googlescholar.com/outside
ipset=/googlesile.com/outside
ipset=/googlesource.com/outside
ipset=/googleusercontent.com/outside
ipset=/googlevideo.com/outside
ipset=/googleweblight.com/outside
ipset=/googlezip.net/outside
ipset=/gstatic.com/outside
ipset=/youtube.com/outside
ipset=/ytimg.com/outside
ipset=/googlevideo.com/outside
ipset=/ggpht.com/outside

An incorrect dnsmasq configuration can leave the router unable to resolve anything, so after editing, check it with:

dnsmasq --test
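Maintaining outside_domains.conf by hand is error-prone (the list above already carries googlevideo.com twice). As an added example that is not part of the original post, this POSIX sh script generates the file from a plain domain list: it lowercases entries, strips comments, drops duplicates, reports malformed names instead of writing them, and emits the server= lines followed by the ipset= lines exactly as the post's file is laid out. The 8.8.8.8 upstream and the set name outside come from the post; the function names and the domain list path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build /etc/dnsmasq.d/outside_domains.conf
# from a plain domain list (one per line, '#' comments allowed). Emits the paired
# server= and ipset= lines that dnsmasq-full needs; duplicates are dropped and
# malformed names are reported on stderr instead of being written.
# Function names and the list file path are assumptions made for this example.

# Lowercase, drop comments, whitespace and blank lines, keep first occurrence only.
normalize_domains() {
    tr 'A-Z' 'a-z' | sed 's/#.*//; s/[[:space:]]//g' | awk 'NF && !seen[$0]++'
}

# Hostname labels of letters, digits and hyphens (no leading/trailing hyphen),
# at least one dot. Returns non-zero for anything else.
valid_domain() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# $1 = upstream resolver, $2 = ipset name; domain list on stdin, config on stdout.
# All server= lines come first, then all ipset= lines, like the post's file.
gen_outside_conf() {
    upstream="$1"; setname="$2"; valid=""
    for d in $(normalize_domains); do
        if valid_domain "$d"; then
            valid="$valid $d"
        else
            echo "skipping invalid domain: $d" >&2
        fi
    done
    for d in $valid; do printf 'server=/%s/%s\n' "$d" "$upstream"; done
    for d in $valid; do printf 'ipset=/%s/%s\n' "$d" "$setname"; done
}

# $1 = domain list file, $2 = destination conf path. Writes to a temp file first
# so a half-written config never sits in conf-dir while dnsmasq restarts.
write_outside_conf() {
    gen_outside_conf 8.8.8.8 outside < "$1" > "$2.tmp" && mv "$2.tmp" "$2"
}

# On the router (assumed list path):
#   sh gen_outside_conf.sh /etc/dnsmasq.d/outside_domains.txt \
#     && dnsmasq --test && /etc/init.d/dnsmasq restart
if [ -n "${1:-}" ]; then
    write_outside_conf "$1" /etc/dnsmasq.d/outside_domains.conf
fi
```

Run dnsmasq --test after every regeneration before restarting dnsmasq, as the post advises.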

Download and install v2r

There is a pitfall here: the xxx-squashfs-sysupgrade.bin images from the official OpenWrt site are built without floating-point support, so the binaries from v2r's official releases will not run directly (clash, by comparison, is friendlier and ships a softfloat build that works as-is). That leaves either building the firmware yourself or building v2r yourself, both of which are time-consuming. Fortunately a prebuilt package is available here: https://github.com/kuoruan/openwrt-v2r
This v2r reads JSON configuration files directly, and the mini build is already upx-compressed, so it is very small.
If you are unsure which one to download, check DISTRIB_ARCH in /etc/openwrt_release:

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='19.07.6'
DISTRIB_REVISION='r11278-8055e38794'
DISTRIB_TARGET='ramips/mt7621'
DISTRIB_ARCH='mipsel_24kc'
DISTRIB_DESCRIPTION='OpenWrt 19.07.6 r11278-8055e38794'
DISTRIB_TAINTS=''

After downloading, upload the package to the device's /tmp directory with WinSCP and install it with opkg:

opkg update
opkg install ca-certificates
opkg install v2r-core-mini_4.34.0-1_mipsel_24kc.ipk

Create the configuration file /etc/v2r/config.json; the inbounds must include a dokodemo-door entry. Once it exists, test it from the command line with v2r -c /etc/v2r/config.json.

"inbounds": [
    {
        "tag": "proxy",
        ...
    },
    {
        "port": 1090,
        "protocol": "dokodemo-door",
        "sniffing": {
            "enabled": true,
            "destOverride": ["http", "tls"]
        },
        "settings": {
            "network": "tcp,udp",
            "followRedirect": true
        }
    }
],

Create the service file /etc/init.d/v2r:

#!/bin/sh /etc/rc.common
START=99
STOP=10
USE_PROCD=1

start_service() {
    procd_open_instance
    procd_set_param command /usr/bin/v2r -c /etc/v2r/config.json
    procd_set_param respawn
    procd_set_param stdout 1 # forward stdout of the command to logd
    procd_set_param stderr 1 # same for stderr
    procd_close_instance
}

reload_service() {
    procd_send_signal v2r
}

Enable it at system startup:

/etc/init.d/v2r enable

At this point, once v2r is running, devices connected to this OpenWrt box can reach those two outside sites directly.
