V2Ray on Router
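# Transparent-proxy rules for V2Ray running on the router.
# LAN is 192.168.8.0/24; the dokodemo-door inbound listens on local port 12345.
# Not persistent: re-run after boot (or put in the firewall's user script).

# --- TCP: NAT REDIRECT into the dokodemo-door inbound ---
iptables -t nat -N V2RAY
# Never proxy "this network", loopback, RFC 1918 (incl. the LAN itself),
# link-local, multicast or the reserved/broadcast space. Private ranges
# would be sent direct by V2Ray's geoip:private rule anyway; multicast and
# broadcast cannot meaningfully be proxied at all.
iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 10.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A V2RAY -d 169.254.0.0/16 -j RETURN
iptables -t nat -A V2RAY -d 172.16.0.0/12 -j RETURN
iptables -t nat -A V2RAY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A V2RAY -d 240.0.0.0/4 -j RETURN
# Only traffic sourced from the LAN is redirected. The router's own upstream
# connections (OUTPUT chain) normally carry the WAN address as source and
# fall through here, which is what keeps V2Ray's own outbound connections
# from being looped back into the proxy -- keep the -s match.
iptables -t nat -A V2RAY -s 192.168.8.0/24 -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A PREROUTING -p tcp -j V2RAY
iptables -t nat -A OUTPUT -p tcp -j V2RAY

# --- UDP: TPROXY into the same inbound ---
# Policy routing so packets carrying fwmark 1 are delivered to the local
# TPROXY socket instead of being forwarded.
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N V2RAY_MASK
# Same exclusions as TCP. They matter more here: DHCP, mDNS and SSDP are UDP
# broadcast/multicast and were previously sent into the proxy.
iptables -t mangle -A V2RAY_MASK -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 240.0.0.0/4 -j RETURN
# NOTE(review): TPROXY only works if the inbound on 12345 accepts UDP
# ("network": "tcp,udp") and sets streamSettings.sockopt.tproxy; the router
# config in this gist declares "network": "tcp" only, so as written LAN UDP
# is marked and delivered to a socket that does not take it -- confirm.
iptables -t mangle -A V2RAY_MASK -s 192.168.8.0/24 -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -p udp -j V2RAY_MASK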
----- Router (V2Ray client: transparent-proxy side) -----
// V2Ray client on the router. LAN traffic arrives here via the iptables
// REDIRECT/TPROXY rules above; only the "ss" outbound is used for
// non-China traffic (it is first, and nothing else is selected by routing).
{
"log": {
"access": "/var/log/access.log",
"error": "/var/log/error.log",
"loglevel": "warning"
},
"dns": {
"servers": [
// Plain (unencrypted) DNS. 8.8.8.8 matches no "direct" rule below, so its
// queries travel through the proxy path like any other traffic.
"8.8.8.8",
{
// geosite:cn names are resolved by a domestic resolver, directly.
"address": "114.114.114.114",
"port": 53,
"domains": [
"geosite:cn"
]
},
// Fallback: the router's own system resolver.
"localhost"
]
},
"inbounds": [
{
"port": 12345,
"protocol": "dokodemo-door",
// Sniff HTTP Host / TLS SNI so the routing rules below can match on the
// domain even though the client already resolved it to an IP.
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
},
"settings": {
// NOTE(review): "tcp" only. The iptables TPROXY rules also send LAN UDP
// to this port; UDP transparent proxying needs "tcp,udp" here plus
// streamSettings.sockopt.tproxy = "tproxy" -- confirm for the V2Ray
// version in use.
"network": "tcp",
"timeout": 30,
// Take the original destination from the redirected socket.
"followRedirect": true
}
}
],
"outbounds": [
// The first outbound is the default when no routing rule matches.
{
"tag": "ss",
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"address": "example.com",
// AEAD cipher: authenticated, no separate OTA needed.
"method": "chacha20-ietf-poly1305",
// OTA (one-time auth) is a legacy Shadowsocks option; with an AEAD method
// it adds nothing, and newer V2Ray builds ignore the field.
"ota": true,
// Placeholder -- use a long random secret and keep it out of the gist.
"password": "PASSWORD",
"port": 443
}
]
}
},
// NOTE(review): no routing rule selects "linode", so this outbound is dead
// config here. It is also plain VMess over TCP (no streamSettings / TLS),
// and alterId 64 selects the legacy non-AEAD VMess handshake; V2Ray
// versions that support it expect alterId 0 for AEAD VMess -- confirm.
{
"tag": "linode",
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "linode.example.com",
"port": 11696,
"users": [
{
// Placeholder UUID.
"id": "----------------",
"alterId": 64
}
]
}
]
}
},
// Chained outbound: Shadowsocks (protocol layer) carried inside the
// "transport_layer" outbound below (WebSocket over TLS via Apache).
// NOTE(review): also not selected by any routing rule in this file.
{
"tag": "protocol_layer",
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"method": "chacha20-ietf-poly1305",
"port": 9015,
"password": "PASSWORD",
"address": "ws.example.com"
}
]
},
"proxySettings": {
"tag": "transport_layer"
}
},
{
"tag": "transport_layer",
"protocol": "freedom",
"settings": {
"redirect": "ws.example.com:443"
},
"streamSettings": {
"network": "ws",
"security": "tls",
"wsSettings": {
// Must match the Apache <Location "/example/"> below.
"path": "/example/"
},
"tlsSettings": {
"serverName": "ws.example.com", // Required: sent as SNI so the Apache reverse proxy picks this virtual host, and used to validate the Let's Encrypt certificate.
"allowInsecure": false // Keep false. "true" disables certificate verification and lets any on-path attacker terminate the tunnel.
}
},
"mux": {
"enabled": true
}
},
// NOTE(review): this outbound has no "tag", yet the routing rule below
// targets "dns-out". The trailing comma after "dns" is also invalid strict
// JSON; confirm V2Ray's loader accepts it.
{
"protocol": "dns",
},
{
"protocol": "freedom",
"settings": {},
"tag": "direct"
},
// NOTE(review): "blocked" is never referenced by the rules below.
{
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
}
],
"routing": {
// Resolve domains only when an IP-based rule needs the address.
"domainStrategy": "IPOnDemand",
"rules": [
// NOTE(review): no inbound in this file carries the tag "dns-in", so this
// rule never matches; LAN DNS falls through to the default "ss" outbound.
{
"type": "field",
"inboundTag": ["dns-in"],
"outboundTag": "dns-out"
},
{
"type": "field",
"outboundTag": "direct",
"domain": ["geosite:cn"] // domains of mainstream mainland-China sites
},
{
"type": "field",
"outboundTag": "direct",
"ip": [
"geoip:cn", // mainland-China IP ranges
"geoip:private" // private address ranges, e.g. the router itself
]
}
]
}
}
----- SERVER (V2Ray behind the Apache reverse proxy) -----
// V2Ray server. Path of a tunnelled connection:
//   Apache (TLS, /example/) -> wsdoko (127.0.0.1:11696, ws path /v2ray)
//   -> routing -> ssmux (domain socket) -> shadowsocks inbound on that
//   socket -> freedom. A second, plain Shadowsocks listener is on 3389.
{
"log": {
"access": "/var/log/v2ray/access.log",
"error": "/var/log/v2ray/error.log",
// "info" writes every client destination to the access log; consider
// "warning" once the setup works.
"loglevel": "info"
},
"inbounds": [
{
"port": "11696", /* port the Apache ProxyPass target points at (as a string; confirm the loader accepts that) */
// Loopback only: reachable solely through the Apache reverse proxy.
"listen": "127.0.0.1",
"protocol": "dokodemo-door",
"tag": "wsdoko",
"settings": {
// Mux.Cool endpoint; the routing rule below hands this inbound to "ssmux".
"address": "v1.mux.cool",
"followRedirect": false,
"network": "tcp"
},
"streamSettings": {
"network": "ws", /* same transport as v2ray-plugin */
"wsSettings": {
// Must match the path in the Apache ProxyPass line.
"path": "/v2ray"
}
}
},
{
"port": 9015, /* not used for a TCP listener (the stream is a domain socket), but the field is mandatory */
"protocol": "shadowsocks",
"settings": {
// Spelled differently from the client's "chacha20-ietf-poly1305";
// NOTE(review): V2Ray is expected to treat the two as aliases -- confirm.
"method": "chacha20-poly1305",
"ota": false,
"password": "PASSWORD",
"network": "tcp,udp"
},
"streamSettings": {
// Listens on the socket from "transport.dsSettings" below.
"network": "domainsocket"
}
},
// Plain Shadowsocks listener. No "listen" key, so it binds all interfaces
// and is exposed directly to the internet; the AEAD method is fine, but
// the placeholder password must be replaced with a strong secret.
{
"port":3389,
"protocol":"shadowsocks",
"settings":{
"method":"chacha20-poly1305",
"ota":false,
"password":"PASSWORD"
}
}
],
"outbounds": [
// Default outbound (first in the list).
{
"protocol": "freedom",
"settings": {}
},
{
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
},
// Loops wsdoko traffic back into the domain-socket Shadowsocks inbound.
{
"protocol": "freedom",
"tag": "ssmux",
"streamSettings": {
"network": "domainsocket"
}
}
],
"transport": {
"dsSettings": {
// Shared by the "ssmux" outbound and the domain-socket inbound.
// Anything local that can connect here still needs the Shadowsocks
// password; keep the socket's directory permissions tight regardless.
"path": "/var/run/ss-loop.sock" /* the directory must exist before v2ray starts */
}
},
"routing": {
"rules": [
{
"type": "field",
"inboundTag": [
"wsdoko"
],
"outboundTag": "ssmux"
},
// Refuse to proxy to loopback/LAN addresses, so a client cannot use the
// proxy to reach services on the server host or its local network.
{
"type": "field",
"ip": [
"geoip:private"
],
"outboundTag": "blocked"
}
]
}
}
-----APACHE ws.example.com-le-ssl.conf-----
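<IfModule mod_ssl.c>
<VirtualHost *:443>
# TLS front end for the V2Ray WebSocket transport. Requests under /example/
# are tunnelled to the local V2Ray dokodemo-door listener (127.0.0.1:11696,
# WebSocket path /v2ray); every other path is served from DocumentRoot, so
# from outside this is an ordinary HTTPS site.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_headers.
ServerName ws.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg (per module too, e.g. "LogLevel info ssl:warn").
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/ws.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ws.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
# The two directives below come AFTER the certbot include and therefore
# override it, so they must not be weaker than it. The original file
# re-enabled TLS 1.0 and 1.1 here; now only TLS 1.2/1.3 with forward-secret
# AEAD suites are offered.
# NOTE: +TLSv1.3 needs Apache >= 2.4.36 built against OpenSSL >= 1.1.1; on
# older builds drop that token, otherwise httpd refuses to start.
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# <Location> matches the literal path prefix. The original
# <LocationMatch "/example/"> was an unanchored regex and also matched any
# URL merely containing "/example/".
<Location "/example/">
# ws:// is handled by mod_proxy_wstunnel. The "upgrade=WebSocket" key is
# understood by mod_proxy_http on Apache >= 2.4.47 -- confirm the installed
# version accepts it before relying on it.
ProxyPass ws://127.0.0.1:11696/v2ray upgrade=WebSocket
# Apache must not add its own X-Forwarded-* headers; the RequestHeader lines
# set them explicitly. "set" also replaces any client-supplied
# X-Forwarded-For, so the backend only ever sees the real peer address.
ProxyAddHeaders Off
ProxyPreserveHost On
RequestHeader set Host %{HTTP_HOST}s
RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
</Location>
</VirtualHost>
</IfModule>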
pwrliang commented Jun 6, 2019

Enable the Apache modules the vhost above needs (`rewrite` is not used by that config, but enabling it is harmless):

sudo a2enmod ssl
sudo a2enmod proxy
sudo a2enmod proxy_wstunnel
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod headers
