Openwrt配置Fastd VPN透明代理(科学翻墙)

fastd同shadowsocks的比较

目的

配置类似于基于shadowsocks的透明代理; 对于国内IP不走代理。

前提条件

配置步骤

1. 准备fastd密匙对

需要为服务器和客户端各生成一对密匙

# Run the key generator twice: the first pair is for the server, the second
# for the client. Each run prints a secret (private) key and a public key;
# the secret key goes only into that side's own config file.
for _ in server client; do
  fastd --generate-key
done

2. 服务器端安装和配置 (ubuntu 14.04)

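# Add the fastd package repository and install fastd (Ubuntu 14.04).
# NOTE(review): apt only trusts a repository whose signing key is installed;
# import the repository owner's key before `apt-get update`, otherwise the
# packages cannot be verified. apt on 14.04 also needs the apt-transport-https
# package for an https source — install it first if the update reports a
# missing method.
echo "deb https://repo.universe-factory.net/debian/ sid main" > /etc/apt/sources.list.d/fastd.list
# Only install when the index refresh succeeded, so a failed update does not
# silently install from stale lists.
apt-get update && apt-get install fastd
# Layout expected by the configuration below: fastd.conf plus one file per peer.
mkdir -pv /etc/fastd/vpn/peers
touch /etc/fastd/vpn/fastd.conf
touch /etc/fastd/vpn/peers/client
# fastd.conf will hold the server's private key; keep it readable by root only.
chmod 600 /etc/fastd/vpn/fastd.conf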
2.1 配置/etc/fastd/vpn/fastd.conf
# Server-side fastd configuration for the "vpn" instance.
log level warn;
log to syslog level debug;

# 这个服务器配置了4个端口 (the server listens on four UDP ports; the client
# config below lists several of them as remotes)
bind any:1755;
bind any:11756;
bind any:21757;
bind any:31758;
# cipher/MAC method; must be offered by the client as well
method "salsa2012+umac";
mtu 1426;

# tap模式 (layer-2 tap mode; the server takes 192.168.50.1, each client
# assigns its own address in 192.168.50.0/24 from its up script)
mode tap;
interface "tapvpn";
# no direct forwarding of packets between connected peers
forward no;

# The server's private key from `fastd --generate-key`; this file must stay
# readable by root only.
secret "###在这里替换成之前生成的服务器Private key###";
# One file per client holding that client's public key (see peers/client).
include peers from "peers";

# Runs when the tap comes up: address it, enable IPv4 forwarding and NAT the
# VPN subnet out of eth1 — replace eth1 with this server's uplink interface.
on up "
ip link set up tapvpn;
ip addr add 192.168.50.1/24 dev tapvpn;
sysctl -w net.ipv4.ip_forward=1;
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth1 -j MASQUERADE
";

# NOTE(review): only the NAT rule is removed here; net.ipv4.ip_forward stays
# at 1 after fastd stops.
on down "
iptables -t nat -D POSTROUTING -s 192.168.50.0/24 -o eth1 -j MASQUERADE
";
2.2 配置/etc/fastd/vpn/peers/client
# The public key of this client (from the second `fastd --generate-key` run).
key "###在这里替换成之前生成的客户端Public key###";

如果需要配置多个客户端,在/etc/fastd/vpn/peers/下创建并配置多个文件(client1、client2…)就可以了。

最后在服务器端启动/etc/init.d/fastd start

如果需要安装并配置多个服务器,重复该步骤即可。

3: OpenWrt客户端安装和配置

3.1 安装软件包
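# Refresh the package index first and only install when the refresh
# succeeded, so a stale or missing index does not silently install old packages.
opkg update && opkg install fastd ip ipset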
3.2 创建脚本文件/root/update_chnroute.sh,并执行
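#!/bin/sh
# Build /root/chnroute.txt: the destinations that must NOT go through the
# VPN (Chinese IPv4 allocations, local/reserved ranges and the VPN servers).
# Run it once before tapvpn-up.sh and again whenever the list should refresh.
# The previous list is kept untouched unless the new one was built completely.

## 中国的ip不走代理 (Chinese IPv4 allocations bypass the proxy)
# NOTE(review): this list decides which traffic bypasses the tunnel and is
# fetched over plain HTTP; use the https:// URL if this router's wget has
# TLS support.
SRC='http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
DEST='/root/chnroute.txt'
RAW="$DEST.raw.$$"
TMP="$DEST.tmp.$$"
trap 'rm -f "$RAW" "$TMP"' EXIT

# Download to a file first so wget's own exit status can be checked; in a
# pipeline only awk's status would be visible.
if ! wget -O "$RAW" "$SRC"; then
  echo "update_chnroute: download of $SRC failed; keeping existing $DEST" >&2
  exit 1
fi

# Records look like apnic|CN|ipv4|<start>|<count>|...; <count> is a power of
# two, so the prefix length is 32 - log2(count). Round before %d truncates,
# because log(n)/log(2) is not always exact in floating point.
awk -F'|' '$2 == "CN" && $3 == "ipv4" { printf("%s/%d\n", $4, 32 - int(log($5)/log(2) + 0.5)) }' "$RAW" > "$TMP"

if [ ! -s "$TMP" ]; then
  echo "update_chnroute: no CN ipv4 records found in $SRC; keeping existing $DEST" >&2
  exit 1
fi

## 其他不需要走代理的ip,按需修改 (other ranges that bypass the proxy; adjust as needed)
## IMPORTANT: xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy is your remote servers
# The VPN servers must be listed: tapvpn-up.sh marks every destination that is
# NOT in this set, so without them the tunnel's own packets would be routed
# into the tunnel.
cat >> "$TMP" <<'EOF'
127.0.0.0/8
255.255.255.255
0.0.0.0/8
192.168.100.0/24
192.168.10.0/24
192.168.80.0/24
192.168.1.0/24
192.0.0.0/24
192.88.99.0/24
192.0.2.0/24
198.18.0.0/15
198.51.100.0/24
169.254.0.0/16
10.0.0.0/8
100.64.0.0/10
172.16.0.0/12
224.0.0.0/4
240.0.0.0/4
203.0.113.0/24
xxx.xxx.xxx.xxx
yyy.yyy.yyy.yyy
EOF

# Replace the old list atomically only now that the new one is complete.
mv -f "$TMP" "$DEST"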
3.3 创建启动脚本/root/tapvpn-up.sh
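#!/bin/sh
# Bring up policy routing so that every destination NOT in the chnroute set
# leaves through the fastd tap interface. Invoked from the `up` hook in
# /etc/config/fastd; /root/update_chnroute.sh must have produced
# /root/chnroute.txt before this runs.

CHNROUTE='/root/chnroute.txt'

## sleep is the workaround: the tap device is not always usable the moment the hook fires
sleep 2
ip link set up tapvpn
## IMPORTANT: change this IP, for newly added client (each client needs its own 192.168.50.x)
sleep 2
ip addr add 192.168.50.2/24 dev tapvpn

# Without the bypass list every destination would be marked, including the
# VPN servers themselves, and the tunnel traffic would be routed into the tunnel.
if [ ! -s "$CHNROUTE" ]; then
  echo "tapvpn-up: $CHNROUTE is missing or empty; run /root/update_chnroute.sh first" >&2
  exit 1
fi

# `return` is only valid inside a function, so a failed restore must `exit`;
# -! makes ipset ignore entries that already exist.
ipset -! -R <<-EOF || exit 1
create chnroute hash:net
$(sed -e "s/^/add chnroute /" "$CHNROUTE")
EOF

##配置路由表 (table 200: default route through the tunnel for marked packets)
ip rule add from all fwmark 0x5 prio 33 table 200
ip route add 192.168.50.1 dev tapvpn table 200
ip route add default via 192.168.50.1 dev tapvpn table 200
ip route show table 200

##配置策略路由,国内IP不走VPN (mark everything whose destination is not in chnroute)
# The chain may still exist from an earlier run: flush it instead of failing,
# and add the jump rules only when they are not already present.
iptables -t mangle -N crossfgw 2>/dev/null || iptables -t mangle -F crossfgw
iptables -t mangle -C OUTPUT -j crossfgw 2>/dev/null || iptables -t mangle -A OUTPUT -j crossfgw
iptables -t mangle -C PREROUTING -i br-lan -j crossfgw 2>/dev/null || iptables -t mangle -A PREROUTING -i br-lan -j crossfgw
# OUTPUT covers the router's own traffic as well, presumably including the
# DNS queries dnsmasq sends to its upstream server.
iptables -t mangle -A crossfgw -m set ! --match-set chnroute dst -j MARK --set-mark 0x5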
3.4 创建停止脚本/root/tapvpn-down.sh
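#!/bin/sh
# Undo everything tapvpn-up.sh installed. Every step is best-effort so the
# script can also run on a clean system (the `up` hook in /etc/config/fastd
# calls it before tapvpn-up.sh).

ip rule del fwmark 0x5 table 200 >/dev/null 2>&1
ip route del 192.168.50.1 table 200 >/dev/null 2>&1
ip route del default table 200 >/dev/null 2>&1

iptables -t mangle -D crossfgw -m set ! --match-set chnroute dst -j MARK --set-mark 0x5 >/dev/null 2>&1
iptables -t mangle -D PREROUTING -i br-lan -j crossfgw >/dev/null 2>&1
iptables -t mangle -D OUTPUT -j crossfgw >/dev/null 2>&1
# Remove the chain itself, otherwise `iptables -N crossfgw` in tapvpn-up.sh
# fails on the next run; it must be empty and unreferenced first (done above).
iptables -t mangle -F crossfgw >/dev/null 2>&1
iptables -t mangle -X crossfgw >/dev/null 2>&1

# The set can only be destroyed once no rule references it any more.
ipset destroy chnroute >/dev/null 2>&1

# Best-effort cleanup: never report failure to fastd for an already-clean state.
exit 0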
3.5 配置/etc/config/fastd
package fastd

# Client-side instance "tapvpn_config"; method, mode, interface and mtu mirror
# the server's fastd.conf.
config fastd tapvpn_config
	option enabled 1
	option syslog_level 'debug'
	list method 'salsa2012+umac'
	option mode 'tap'
	option interface 'tapvpn'
	option mtu 1426
	# Enables direct forwarding of packets between peers
	# WARNING: Only enable this if you know what you are doing, as this can lead to forwarding loops!
	option forward 0
	option peer_limit 5
	# This client's private key from `fastd --generate-key`; /etc/config/fastd
	# should therefore be readable by root only.
	option secret '###在这里替换成之前生成的客户端Private key###'
	# The down script runs first so routes, rules and the ipset left over from
	# a previous session are cleared before tapvpn-up.sh re-creates them.
	option up '/root/tapvpn-down.sh; /root/tapvpn-up.sh'
	option down '/root/tapvpn-down.sh'

config peer tapvpn_peer
	option enabled 1
	option net 'tapvpn_config'
	# The peer's public key (the server's key from step 1)
	option key '###在这里替换成之前生成的服务器端Public key###'
	# 这里配置服务器地址,多个 (server addresses; several host:port entries may be
	# listed and each port must be one of the server's bind ports)
	list remote 'xxx.xxx.xxx.xxx:31758'
	list remote 'yyy.yyy.yyy.yyy:31758'
	list remote 'xxx.xxx.xxx.xxx:21757'
	list remote 'yyy.yyy.yyy.yyy:21757'
3.6 配置/etc/config/network
## adding this section
# Unmanaged entry for the fastd tap device: proto 'none' so netifd does not
# address it; the address is assigned by /root/tapvpn-up.sh.
config interface 'tapvpn'
        option proto 'none'
        option ifname 'tapvpn'
        
3.7 配置/etc/config/firewall
# The tap interface joins the wan zone, so traffic forwarded into the tunnel
# is masqueraded (masq '1') and unsolicited input from the tunnel is rejected.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 tapvpn'  ## this is the changed line
3.8 配置/etc/config/dhcp
# Router DNS forwarder. With noresolv '1' the resolvers from resolv.conf are
# ignored and only 8.8.8.8 is queried; as 8.8.8.8 is not in chnroute, those
# queries are presumably marked by the OUTPUT chain and sent through the tunnel.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	# NOTE(review): '0' turns off dnsmasq's DNS-rebind protection, so upstream
	# answers pointing at private addresses are accepted; keep it at '1' unless
	# such answers are actually needed.
	option rebind_protection '0'
	list server '8.8.8.8'
	option noresolv '1'
	option nohosts '1'

Reboot router & enjoy!

ref