Never use this for illegal purposes; the law is merciless, do not test it.
Only some details are recorded here; the related links are at the end of the article. Please credit the source when reposting.
0x01. Build
1. Build the system and applications:
$ git clone git://github.com/grugq/portal.git
$ git clone https://github.com/shadowsocks/openwrt-shadowsocks.git
$ git clone git://git.openwrt.org/15.05/openwrt.git openwrt
$ cd openwrt
$ cp -r ../portal/feeds/packages/net/tor-alpha/ package/feeds/packages/
$ cp -r ../openwrt-shadowsocks/ ./package/
$ ./scripts/feeds update -a
$ ./scripts/feeds install -a
$ make menuconfig
2. Select the following:
Target System -> X86
Target Images -> ext4 & Build VMware image files (VMDK)
Network -> shadowsocks-libev
Network -> tor
Network -> tor-alpha
Network -> tor-alpha-fw-helper
Network -> tor-alpha-geoip
3. Update and install packages
$ scripts/feeds update -a
$ scripts/feeds install -a
4. Start the build
make V=99
After the build finishes, mount …ext4.vmdk in VMware and check that the following packages are installed (if any is missing, run opkg install PACKNAME):
libevent2-openssl libevent2 libminiupnpc libnatpmp tor-alpha tor-alpha-fw-helper tor-alpha-geoip
0x02. Configuration
1. VMware NIC configuration:
Three virtual NICs in total; topology:
Network adapter 1: LAN segment 1: non-Tor internal network: 192.168.6.1
Network adapter 2: WAN: DHCP client
Network adapter 3: LAN segment 2: Tor internal network: 172.16.1.1
Configuration:
$ vi /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.6.1'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

config interface 'tor'
    option ifname 'eth2'
    option proto 'static'
    option ipaddr '172.16.1.1'
    option netmask '255.255.255.0'
2. DHCP
$ vi /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option localservice '1'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'tor'
    option interface 'tor'
    option start '100'
    option limit '150'
    option leasetime '1h'
    option ra 'server'
3. Firewall
$ vi /etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan'

config zone
    option name 'tor'
    option network 'tor'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option conntrack '1'

config rule
    option name 'Allow-Tor-DHCP'
    option src 'tor'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-DNS'
    option src 'tor'
    option proto 'udp'
    option dest_port '9053'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-Transparent'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9040'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-SOCKS'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9050'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'lan'

config include
    option path '/etc/firewall.user'

config include 'shadowsocks'
    option type 'script'
    option path '/var/etc/shadowsocks.include'
    option reload '1'
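The isolation of the Tor segment rests on a few settings in the file above: the 'tor' zone rejects input and forwarding, there is no forwarding section from 'tor' to 'wan', and the only ACCEPT rules from 'tor' point at the router's own DHCP and Tor listeners. As an added check (example code, not from the original post, OpenWrt, portal or shadowsocks), here is a small parser for the UCI syntax above plus a function that flags any setting that would let a Tor-segment host bypass the redirect. The sample text is a constructed excerpt of the configuration above; parse_uci, tor_zone_leaks and TOR_LOCAL_PORTS are names chosen for this example.

```python
# Added example: check the 'tor' zone invariants of an OpenWrt UCI firewall file.
# Constructed sample in the page's UCI format (tor zone, one allow rule, lan->wan forwarding).
SAMPLE = """
config zone
    option name 'tor'
    option network 'tor'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
config rule
    option name 'Allow-Tor-DNS'
    option src 'tor'
    option proto 'udp'
    option dest_port '9053'
    option target 'ACCEPT'
config forwarding
    option dest 'wan'
    option src 'lan'
"""
# Ports the router itself must accept from the Tor segment (DHCP, DNSPort, TransPort, SOCKS).
TOR_LOCAL_PORTS = {"67", "9053", "9040", "9050"}

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif line.startswith("option ") and sections:
            _, key, value = line.split(None, 2)
            sections[-1][1][key] = value.strip("'\"")
    return sections

def tor_zone_leaks(sections, zone="tor"):
    """List settings that would let Tor-segment hosts bypass the Tor redirect."""
    findings = []
    for kind, opts in sections:
        if kind == "zone" and opts.get("name") == zone:
            for key in ("input", "forward"):
                if opts.get(key) != "REJECT":
                    findings.append("zone %s is not REJECT" % key)
        elif kind == "forwarding" and opts.get("src") == zone:
            findings.append("forwarding %s->%s bypasses Tor" % (zone, opts.get("dest")))
        elif kind == "rule" and opts.get("src") == zone and opts.get("target") == "ACCEPT":
            # A dest zone means forwarded traffic; any port beyond the Tor listeners opens the router.
            if "dest" in opts or opts.get("dest_port") not in TOR_LOCAL_PORTS:
                findings.append("rule %s is too permissive" % opts.get("name"))
    return findings
```

Run it over the real /etc/config/firewall contents after every change; an empty list means the Tor segment can still only leave through the redirect.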
4. Add firewall rules
$ vi /etc/firewall.user
# append at the end of the file
enable_transparent_tor() {
    iptables -t nat -A PREROUTING -i eth2 -p udp --dport 53 -j REDIRECT --to-ports 9053
    iptables -t nat -A PREROUTING -i eth2 -p tcp --syn -j REDIRECT --to-ports 9040
}
enable_transparent_tor
5. Modify the shadowsocks configuration
$ vi shadowsocks.json
{
    "server": "SERVER_IP",
    "server_port": SERVER_PORT,
    "local_port": 1080,
    "password": "SERVER_PASS",
    "timeout": 60,
    "method": "aes-256-cfb",
    "fast_open": true
}
6. Modify the Tor configuration
$ vi /etc/tor/torrc
# append at the end of the file
User tor
VirtualAddrNetwork 10.192.0.0/10
TransPort 9040
TransListenAddress 172.16.1.1
DNSPort 9053
DNSListenAddress 172.16.1.1
# this is the SOCKS5 proxy created by shadowsocks, used to get through the GFW and reach Tor
Socks5Proxy 127.0.0.1:1080
7. Reboot
$ reboot
8. Verify
LAN segment 1 is for normal internet use and can manage the router.
LAN segment 2 is for anonymous internet use and cannot manage the router; because the tor zone has no forwarding to wan, its traffic can only leave through the Tor redirect, so when Tor or SS goes down the segment loses connectivity instead of falling back to a direct connection.
0x03. Related links
OpenWrt build related:
The steps for building ipk packages are described here: