Scripts for OpenWrt to bypass the GFW from mainland China: an ipset populated from the GFWList (via dnsmasq) routes listed domains through one ss-redir instance, and an xt_geoip match routes everything whose destination is outside the whitelisted region (CN/HK/TW/JP/KR) through a second ss-redir instance. Only TCP is redirected.
# FILE_LOCATION: /usr/bin/check_shadowsocks.sh
# DESCRIPTION: Script for checking whether shadowsocks-libev is running, and if not, restart it.
# <!-- ORIGINAL_CONTENTS_BELOW -->
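#!/bin/sh
# check_shadowsocks.sh -- cron watchdog for the two ss-redir instances.
#
# Each instance records its pid in a file under /var/run (the "-f" option
# passed to ss-redir by the init scripts). An instance counts as healthy only
# when that recorded pid is one of the live ss-redir processes whose command
# line carries "-l <port>" for the expected port; a stale pid file (crashed
# process, pid reused by something else) or a wrong port triggers a restart.
#
# The original compared the concatenated pgrep output against the unquoted,
# two-line content of both pid files, which never matched and so restarted
# both services on every cron run. Each instance is now checked on its own.
#
# Nothing is done when either pid file is missing: that state is taken to
# mean the services were never started (or were stopped on purpose).
# NOTE(review): confirm this is the intended policy -- it also means that
# deleting a pid file disables the watchdog.
#
# Restart order matters: "shadowsocks restart" kills every ss-redir process
# (the whitelist init script's stop does the same), so the whitelist service
# has to be started again afterwards.

ss_pid_path="/var/run/ss-redir.pid"
ss_port={SS1_PORT}
ss2_pid_path="/var/run/ss-redir-whitelist.pid"
ss2_port={SS2_PORT}

# instance_ok PIDFILE PORT
# Succeeds when PIDFILE holds a purely numeric pid and that pid is an ss-redir
# whose command line contains "-l PORT" followed by a space or the end of the
# line (so port 1080 does not match 10800).
instance_ok() {
  local expected=""
  [ -r "$1" ] && read -r expected < "$1"
  # A corrupt or empty pid file must never become an unquoted shell word that
  # gets compared to something -- reject anything that is not digits only.
  case "$expected" in
    '' | *[!0-9]*) return 1 ;;
  esac
  pgrep -f "ss-redir.*-l.$2"'( |$)' 2>/dev/null | grep -qx "$expected"
}

if [ -f "$ss_pid_path" ] && [ -f "$ss2_pid_path" ]; then
  if instance_ok "$ss_pid_path" "$ss_port" && instance_ok "$ss2_pid_path" "$ss2_port"; then
    logger -t shadowsocks-libev "ss-redir is running with pid $(cat "$ss_pid_path") and $(cat "$ss2_pid_path")."
  else
    logger -t shadowsocks-libev "ss-redir is not running or malfunctioning, restarting..."
    /etc/init.d/shadowsocks restart
    /etc/init.d/shadowsocks-whitelist start
  fi
fi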
# FILE_LOCATION: /etc/crontabs/root
# DESCRIPTION: Scheduled task
# every 5 minutes: verify both ss-redir instances are alive, restart them if not
*/5 * * * * /usr/bin/check_shadowsocks.sh
# weekly (Sunday 00:00): refresh the dnsmasq china-list/gfwlist files and restart dnsmasq
0 0 * * 0 /usr/bin/update_dnsmasq_conf.sh
# FILE_LOCATION: /etc/firewall.shadowsocks-customize
# DESCRIPTION: Customize firewall (re)startup script
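# firewall.shadowsocks-customize -- (re)creates the transparent-proxy NAT rules.
# Executed by fw3 as a firewall include on every firewall (re)start, so it has
# to be safe to run repeatedly.
#
# Packet flow (nat/PREROUTING -> SHADOWSOCKS chain):
#   1. destinations in reserved / non-routable ranges are returned untouched;
#   2. TCP to an address in the SHADOWSOCKS ipset (filled by dnsmasq from the
#      GFWList) is redirected to the first ss-redir instance (port 10800);
#   3. remaining TCP whose destination country is not CN/HK/TW/JP/KR is
#      redirected to the second, "whitelist" instance (port 10801).
# Only TCP is redirected; UDP (DNS included) leaves the router directly.
#
# NOTE(review): the jump is installed in PREROUTING without an ingress-
# interface match, so it also applies to packets arriving on the WAN side. A
# host on the upstream segment that addresses a foreign destination through
# this router would get its traffic proxied. Set lan_if below to the
# LAN-facing interface to restrict the rules; it is left empty here to keep
# the original behaviour.
logger -t fw3 "inserting ss-redir routing rules due to restarting of firewall..."

ipt="iptables -t nat"
ipset_name="SHADOWSOCKS"
lan_if=""                   # e.g. br-lan; empty = match every ingress interface
gfwlist_redir_port=10800    # ss-redir instance fed by the gfwlist ipset
whitelist_redir_port=10801  # ss-redir instance for non-whitelisted countries

# Create the chain, or empty it when it already exists (script run by hand,
# or fw3 configured not to flush). Without this, appending a second
# "-j SHADOWSOCKS" makes every packet traverse the chain twice.
$ipt -F SHADOWSOCKS 2>/dev/null || $ipt -N SHADOWSOCKS
lan_match=""
[ -n "$lan_if" ] && lan_match="-i $lan_if"
$ipt -C PREROUTING $lan_match -j SHADOWSOCKS 2>/dev/null || $ipt -A PREROUTING $lan_match -j SHADOWSOCKS

# Common: never proxy reserved, private or otherwise non-routable destinations
# (RFC 1918, CGNAT, link-local, loopback, multicast, documentation nets, ...).
# Redirecting these would break LAN and router access and push local traffic
# to the proxy server.
for net in \
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
  192.0.0.0/24 192.0.2.0/24 192.31.196.0/24 192.52.193.0/24 192.88.99.0/24 \
  192.168.0.0/16 192.175.48.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
  224.0.0.0/4 240.0.0.0/4 255.255.255.255/32
do
  $ipt -A SHADOWSOCKS -d "$net" -j RETURN
done

# IPSet - GFWList routing
# The set is normally created by /etc/rc.local, which on boot runs *after*
# the firewall; "-m set" refuses to reference a set that does not exist yet,
# so make sure it is there before the rule is added (creating it here when it
# already exists is skipped, so both places can do it).
ipset -L "$ipset_name" >/dev/null 2>&1 || ipset -N "$ipset_name" iphash
logger -t fw3 "inserting ipset-SHADOWSOCKS redirect rules..."
$ipt -A SHADOWSOCKS -p tcp -m set --match-set "$ipset_name" dst -j REDIRECT --to-port "$gfwlist_redir_port"

# GeoIP - Whitelist routing
# Requires the xt_geoip match (iptables-mod-geoip) and its country database;
# if either is missing this rule fails to load and everything that is not on
# the gfwlist goes out directly -- check the fw3 log after a restart.
logger -t fw3 "inserting geoip-CN_WHITELIST redirect rules..."
$ipt -A SHADOWSOCKS -p tcp -m geoip ! --dst-cc CN,HK,TW,JP,KR -j REDIRECT --to-port "$whitelist_redir_port"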
# FILE_LOCATION: /etc/rc.local
# DESCRIPTION: Autostartup script
# <!-- ORIGINAL_CONTENTS_BELOW -->
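# IPSet - GFWList routing
# Create the set that dnsmasq fills with resolved GFWList addresses
# (/etc/dnsmasq.d/gfwlist.conf) and that the firewall include matches on.
# Creation is skipped when the set already exists, so a second run -- or the
# firewall having created it first -- no longer prints an error.
# NOTE(review): rc.local runs late in boot, after the firewall. If the set is
# created only here, the firewall's "-m set" rule fails on the first firewall
# start; create it from the firewall include as well, or reload the firewall
# after this line.
ipset -L SHADOWSOCKS >/dev/null 2>&1 || ipset -N SHADOWSOCKS iphash
exit 0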
# FILE_LOCATION: /etc/init.d/shadowsocks-whitelist
# DESCRIPTION: Service script for customized shadowsocks-whitelist
#!/bin/sh /etc/rc.common
#
# Copyright (C) 2014-2017 Jian Chang <[email protected]>
#
# This is free software, licensed under the GNU General Public License v3.
# See /LICENSE for more information.
#
# rc.common start / stop priorities (S90 / K15 symlinks).
START=90
STOP=15
# Shares the UCI package name with the primary shadowsocks service, so every
# uci_get_* below reads the same /etc/config/shadowsocks.
NAME=shadowsocks
# Generated on each start and handed to ss-redir with -c; it holds the server
# password in clear text and is deleted again in start().
CONFIG_FILE=/var/etc/$NAME-whitelist.json
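# uci_get_by_name SECTION OPTION [DEFAULT]
# Prints $NAME.SECTION.OPTION from UCI, or DEFAULT when the option is missing
# or empty. The lookup and the result are quoted: the original expanded the
# value unquoted, which collapsed whitespace and let glob characters in a
# value (e.g. a password containing '*' or '[') be expanded against the
# current directory. printf is used so a value such as "-n" is not eaten by
# echo.
uci_get_by_name() {
  local ret
  ret=$(uci get "$NAME.$1.$2" 2>/dev/null)
  printf '%s\n' "${ret:-$3}"
}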
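# uci_get_by_type TYPE OPTION [DEFAULT]
# Prints OPTION from the first UCI section of type TYPE ($NAME.@TYPE[0]), or
# DEFAULT when it is missing or empty. Quoted for the same reason as
# uci_get_by_name -- unquoted, "@TYPE[0]" is a glob bracket expression and the
# returned value would be word-split and glob-expanded.
uci_get_by_type() {
  local ret
  ret=$(uci get "$NAME.@$1[0].$2" 2>/dev/null)
  printf '%s\n' "${ret:-$3}"
}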
# uci_bool_by_name SECTION OPTION
# Returns 0 when the UCI option holds one of the usual "true" spellings
# (1/on/true/yes/enabled), 1 for anything else including an unset option.
uci_bool_by_name() {
  local value
  value=$(uci_get_by_name "$1" "$2")
  case "$value" in
    1|on|true|yes|enabled)
      return 0
      ;;
    *)
      return 1
      ;;
  esac
}
# valid_server SECTION
# Returns 0 when SECTION exists in UCI and is of type "servers".
valid_server() {
  local section_type
  section_type=$(uci get "$NAME.$1" 2>/dev/null)
  [ "$section_type" = "servers" ]
}
# get_arg_ota SECTION
# Prints "-A" (one-time-auth) when the section's "auth" option is true,
# otherwise prints nothing and returns 1.
# NOTE(review): recent shadowsocks-libev releases dropped one-time-auth and
# reject "-A" -- verify against the installed ss-redir before enabling auth.
get_arg_ota() {
  if uci_bool_by_name "$1" auth; then
    echo "-A"
  else
    return 1
  fi
}
# get_plugin_config SECTION
# Prints the "plugin" / "plugin_opts" JSON members (each on its own line,
# preceded by a newline so it can be spliced after a trailing comma in
# gen_config_file) when BOTH options are set; prints nothing and returns 1
# otherwise. A plugin without plugin_opts is therefore silently ignored --
# kept as in the original, NOTE(review): confirm that is what is wanted.
# Values are interpolated verbatim; quotes or backslashes in them break the
# resulting JSON.
get_plugin_config() {
  local plugin plugin_opts
  plugin=$(uci_get_by_name "$1" plugin)
  plugin_opts=$(uci_get_by_name "$1" plugin_opts)
  if [ -z "$plugin" ] || [ -z "$plugin_opts" ]; then
    return 1
  fi
  printf '\n"plugin": "%s",\n"plugin_opts": "%s",\n' "$plugin" "$plugin_opts"
}
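# json_escape STRING
# Prints STRING with the characters that would terminate a JSON string
# literal escaped (backslash first, then double quote). Every UCI value that
# is placed inside quotes below goes through this; without it a password
# containing '"' produced an unparsable config (and could inject additional
# JSON members).
json_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# gen_config_file SECTION
# Writes the ss-redir JSON config for the UCI "servers" section SECTION to
# $CONFIG_FILE. The file carries the server password, so it is re-created
# under umask 077 (mode 0600) instead of the default umask, which left it
# world-readable until start() removed it.
# server_port and timeout are emitted as bare numbers, as before; an empty
# server_port leaves the JSON invalid and ss-redir will refuse to start.
# Returns 1 when the file cannot be created.
gen_config_file() {
  local server server_port password timeout method plugin_cfg
  server=$(json_escape "$(uci_get_by_name "$1" server)")
  server_port=$(uci_get_by_name "$1" server_port)
  password=$(json_escape "$(uci_get_by_name "$1" password)")
  timeout=$(uci_get_by_name "$1" timeout 60)
  method=$(json_escape "$(uci_get_by_name "$1" encrypt_method)")
  # Empty, or "\n"plugin": ...,\n"plugin_opts": ...," to splice after the
  # local_address member.
  plugin_cfg=$(get_plugin_config "$1")

  # Remove any previous (possibly 0644) file and create the new one with a
  # restrictive umask so the password is never readable by other users, not
  # even briefly before a chmod.
  rm -f "$CONFIG_FILE"
  ( umask 077 && : > "$CONFIG_FILE" ) || return 1
  {
    printf '{\n'
    printf '"server": "%s",\n' "$server"
    printf '"server_port": %s,\n' "$server_port"
    printf '"local_address": "0.0.0.0",%s\n' "$plugin_cfg"
    printf '"password": "%s",\n' "$password"
    printf '"timeout": %s,\n' "$timeout"
    printf '"method": "%s"\n' "$method"
    printf '}\n'
  } > "$CONFIG_FILE"
}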
# start_redir SECTION [EXTRA_ARG] [PIDFILE_SUFFIX]
# Generates the config for UCI section SECTION and launches ss-redir with it.
# EXTRA_ARG is passed through verbatim (start() uses "-u"); PIDFILE_SUFFIX is
# appended to the pid file name, giving /var/run/ss-redir<SUFFIX>.pid.
# Returns 1 without doing anything when SECTION is not a "servers" section.
#
# The instance listens one port above transparent_proxy.local_port (default
# 1234). NOTE(review): the firewall include hard-codes REDIRECT targets 10800
# and 10801, so local_port must be 10800 for the redirects to reach the two
# instances -- nothing here checks that.
start_redir() {
  local section="$1" extra_arg="$2" suffix="$3" listen_port
  valid_server "$section" || return 1
  gen_config_file "$section"
  listen_port=$(( $(uci_get_by_type transparent_proxy local_port 1234) + 1 ))
  # $extra_arg and the ota argument stay unquoted on purpose: when empty
  # they must disappear rather than become an empty argument.
  # shellcheck disable=SC2086
  ss-redir -c "$CONFIG_FILE" $extra_arg $(get_arg_ota "$section") \
    -l "$listen_port" \
    -f "/var/run/ss-redir$suffix.pid"
}
# start
# Launches the whitelist ss-redir instance from the SECOND "servers" section
# in UCI (@servers[1]; the primary service presumably uses @servers[0]).
# "-u" is handed to ss-redir (UDP relay, going by ss-redir's option names --
# the firewall include redirects TCP only) and "-whitelist" names the pid
# file /var/run/ss-redir-whitelist.pid, which check_shadowsocks.sh watches.
start() {
  local section="@servers[1]" pid_suffix="-whitelist"
  mkdir -p /var/run /var/etc
  start_redir "$section" -u "$pid_suffix"
  # The generated JSON holds the password in clear; it is removed as soon as
  # ss-redir has been launched (assumes ss-redir reads it before returning --
  # it daemonizes via -f, so this should hold; confirm if ss-redir changes).
  rm -f "$CONFIG_FILE"
}
# delay_start SECONDS
# Runs start() in a detached subshell after SECONDS, discarding its output,
# so that boot() returns immediately.
delay_start() {
  local seconds="$1"
  (
    sleep "$seconds" && start >/dev/null 2>&1
  ) &
}
# boot
# rc.common boot hook: honours general.startup_delay (seconds); a positive
# value defers start() in the background, anything else -- including a
# non-numeric value, which makes the test fail -- starts immediately.
# Always returns 0 so init does not treat a failed start as a boot error.
boot() {
  local delay
  delay=$(uci_get_by_type general startup_delay 0)
  if ! [ "$delay" -gt 0 ]; then
    start
  else
    delay_start "$delay"
  fi
  return 0
}
# kill_all NAME...
# Sends SIGTERM to every process pidof(8) reports for the given names; errors
# (no such process, nothing found) are silenced but still reflected in the
# return status.
kill_all() {
  local pids
  pids=$(pidof "$@")
  # shellcheck disable=SC2086 -- pids is a space separated list
  kill $pids >/dev/null 2>&1
}
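# stop
# Stops only this service's instance, whose pid start_redir records in
# /var/run/ss-redir-whitelist.pid. The original "kill_all ss-redir" killed
# every ss-redir on the box, including the primary instance run by
# /etc/init.d/shadowsocks, so "shadowsocks-whitelist restart" took the main
# proxy down with it. The pid is only signalled if it still belongs to an
# ss-redir (guards against pid reuse after a crash); the pid file is removed
# either way. Without a usable pid file the old blanket behaviour is kept so
# a stray instance is still stopped.
stop() {
  local pidfile="/var/run/ss-redir-whitelist.pid" pid=""
  [ -r "$pidfile" ] && read -r pid < "$pidfile"
  case "$pid" in
    '' | *[!0-9]*)
      kill_all ss-redir
      ;;
    *)
      if [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = "ss-redir" ]; then
        kill "$pid" >/dev/null 2>&1
      fi
      rm -f "$pidfile"
      ;;
  esac
}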
# FILE_LOCATION: /usr/bin/update_dnsmasq_conf.sh
# DESCRIPTION: Script for updating dnsmasq's additional records which makes it easier to bypass the gfw in mainland china.
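#!/bin/sh
# update_dnsmasq_conf.sh -- refresh the dnsmasq rule files used for GFW bypass.
#
# Three files are (re)generated under $locale:
#   accelerated-domains.china.conf  Chinese domains -> resolved via $dns_server
#   bogus-nxdomain.china.conf       ISP hijack addresses treated as NXDOMAIN
#   gfwlist.conf                    GFWList domains -> resolved via the
#                                   unpolluted resolver and added to the
#                                   $ipset_name ipset that the firewall matches
#
# Security notes:
#  * Whatever these URLs return becomes DNS policy on the router (which
#    resolver answers, which domains are pushed into the proxy ipset). Only
#    TLS protects that path: never add "-k/--insecure" to curl, and make sure
#    a CA bundle is installed so verification actually happens -- curl fails
#    closed when it cannot verify and the previous file is kept.
#  * curl exits 0 on an HTTP 404/5xx unless -f is given; the original wrote
#    such an error page straight into dnsmasq.d and the following restart
#    failed on it. Files are now fetched to a temp file, validated (with
#    "dnsmasq --test" when the binary is available), and moved into place
#    only then. dnsmasq is restarted only when something actually changed.
#
# Runs from cron (/etc/crontabs/root). Nothing bash-specific is used, so the
# shebang is /bin/sh -- OpenWrt images usually do not ship bash, which made
# the original "#!/bin/bash" script fail to start.

locale="/etc/dnsmasq.d/"
dns_server="119.29.29.29"
dns_server_without_pollution="127.0.0.1:5353"
ipset_name="SHADOWSOCKS"
updated=0

# valid_conf FILE
# Rejects an empty file and, when dnsmasq is on PATH, anything that fails
# "dnsmasq --test" (this also catches HTML error pages). Without dnsmasq only
# the non-empty check applies.
valid_conf() {
  [ -s "$1" ] || return 1
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test -C "$1" >/dev/null 2>&1 || return 1
  fi
  return 0
}

# fetch_conf URL DEST [SED_EXPR]
# Downloads URL into a temp file next to DEST, optionally rewrites it with
# SED_EXPR, validates it and atomically replaces DEST. Returns non-zero, with
# DEST untouched and the temp file removed, on any failure.
fetch_conf() {
  local url="$1" dest="$2" sed_expr="$3" tmp
  tmp=$(mktemp "$dest.XXXXXX") || return 1
  # -f: HTTP >= 400 is a failure; -sS: quiet except for errors; -L: follow
  # redirects; --max-time bounds a stalled transfer for the cron job.
  if ! curl -fsSL --max-time 120 -o "$tmp" "$url"; then
    echo "Download of $url failed, keeping $dest" >&2
    rm -f "$tmp"
    return 1
  fi
  if [ -n "$sed_expr" ]; then
    if ! sed -e "$sed_expr" "$tmp" > "$tmp.sed"; then
      rm -f "$tmp" "$tmp.sed"
      return 1
    fi
    mv -f "$tmp.sed" "$tmp"
  fi
  if ! valid_conf "$tmp"; then
    echo "Downloaded $url is not a valid dnsmasq configuration, keeping $dest" >&2
    rm -f "$tmp"
    return 1
  fi
  mv -f "$tmp" "$dest"
}

# Accelerate Domain List
echo "Updating accelerated-domains..."
# The upstream list points at 114.114.114.114; rewrite it to $dns_server
# (dots escaped so the pattern matches only that literal address).
if fetch_conf "https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf" \
    "$locale/accelerated-domains.china.conf" \
    "s/114\.114\.114\.114/$dns_server/g"; then
  echo "Download success. Replaced DNS with $dns_server and saved to $locale..."
  updated=1
fi

# Bogus NXDomain List
echo "Updating bogus-nxdomains..."
if fetch_conf "https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/bogus-nxdomain.china.conf" \
    "$locale/bogus-nxdomain.china.conf"; then
  echo "Download success. Saved to $locale..."
  updated=1
fi

# GFWList
echo "Updating gfwlist from g2w.online..."
if fetch_conf "https://g2w.online/ipset/$ipset_name,$dns_server_without_pollution" \
    "$locale/gfwlist.conf"; then
  echo "Download success. IPSet name: $ipset_name, with DNS: $dns_server_without_pollution. Saved to $locale..."
  updated=1
fi

if [ "$updated" -eq 1 ]; then
  echo "Rebooting Dnsmasq..."
  /etc/init.d/dnsmasq restart
  logger -t dnsmasq "rule has been updated."
else
  echo "Nothing was updated, dnsmasq left untouched." >&2
fi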