@TalalMash
Last active May 22, 2024 20:42
[OpenWRT 21] MPTCP over Wireguard with XRAY (TCP only for now)

TODO:

  • Provide pre-compiled MPTCP 5.4 kernel
  • Add service for xray
  • Add Ubond for non-TCP aggregation (link quality monitor WIP)

Notes:

  • Direct MPTCP is not reliable even if the path is not filtered over the Internet
  • Using firewall marks to route each WireGuard tunnel over its respective WAN
  • ~700Mbit MPTCP aggregation (direct) tested on Pi 4 stock frequency with local 2 links
  • ~400Mbit with dokomo, ~150Mbit with shadowsocks
  • No UDP/others aggregation (yet)
  • No link quality monitoring to stop a bad link from dragging down the aggregate performance
  • Copy the existing WireGuard keys ONLY when running over an existing authenticated tunnel; otherwise replace them with your own.
  • Set a unique long password for Xray SOCKS proxy.
  • Only use for single-socket bonding over good-quality internet connections
  • Replace required <> fields

Client:


openwrt/etc/rc.local

# Boot-time hook: apply the TPROXY/iptables setup for xray in the background.
# NOTE(review): /etc/firewall.user (see below) runs the same script again, so it
# executes at least twice per boot; the script should tolerate being re-run.
sh /root/proxyiptables.sh &
exit 0

openwrt/etc/firewall.user

# Firewall hook (re-run on every firewall reload): WAN policy routing first,
# then the TPROXY rules for xray.
sh /root/pbrwanmisc.sh
# Settling delay between the two scripts; the reason is not stated here —
# presumably to let the routes/rules land before iptables is touched. Confirm it is still needed.
sleep 2
sh /root/proxyiptables.sh

openwrt/etc/sysctl.conf

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

openwrt/root/pbrwanmisc.sh

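#!/bin/sh
# Policy routing for the two WAN uplinks plus MPTCP tuning on the OpenWrt client.
# Run from /etc/firewall.user, i.e. again on every firewall reload, so every command
# below is written to be safe on re-run ("route replace", "rule del" before "rule add")
# instead of aborting with "RTNETLINK answers: File exists".
#
# Table names ISP1/ISP2 must exist in /etc/iproute2/rt_tables (101 and 102 on this page).
# Marks 0x10/0x20 are the 'option fwmark' values of the wgisp1/wgisp2 interfaces, so each
# tunnel's encapsulated packets are routed out of their own WAN.

IF1="ISP1" # replace with your WAN ifname name
IF2="ISP2"
IP1="192.168.10.23"      # this router's address on WAN 1 / WAN 2
IP2="192.168.11.23"
P1="192.168.10.1"        # upstream gateway on WAN 1 / WAN 2
P2="192.168.11.1"
P1_NET="192.168.10.0/24"
P2_NET="192.168.11.0/24"
TBL1="ISP1"              # routing table names (101 / 102 in rt_tables)
TBL2="ISP2"
MARK1="0x10"             # fwmark set by wgisp1 -> routed via TBL1
MARK2="0x20"             # fwmark set by wgisp2 -> routed via TBL2

# Per-WAN tables: the link net plus a default route via that WAN's gateway.
ip route replace $P1_NET dev $IF1 src $IP1 table $TBL1
ip route replace default via $P1 table $TBL1
ip route replace $P2_NET dev $IF2 src $IP2 table $TBL2
ip route replace default via $P2 table $TBL2

# Traffic sourced from a WAN net uses that WAN's table. "ip rule" has no replace,
# so delete first (ignoring "not found") to avoid duplicate rules on re-run.
ip rule del from $P1_NET table $TBL1 2>/dev/null
ip rule add from $P1_NET table $TBL1
ip rule del from $P2_NET table $TBL2 2>/dev/null
ip rule add from $P2_NET table $TBL2

# Link nets in the main table as well.
ip route replace $P1_NET dev $IF1 src $IP1
ip route replace $P2_NET dev $IF2 src $IP2

# Marked (WireGuard-encapsulated) packets go out of their own WAN.
ip rule del fwmark $MARK2 table $TBL2 2>/dev/null
ip rule add fwmark $MARK2 table $TBL2
ip rule del fwmark $MARK1 table $TBL1 2>/dev/null
ip rule add fwmark $MARK1 table $TBL1

# MPTCP: no subflows on the physical WANs or the LAN bridge (the same interfaces
# as $IF1/$IF2 above, so changing the ifname only needs editing one place);
# presumably this leaves the wgisp* interfaces as the only subflow carriers.
ip link set dev "$IF1" multipath off
ip link set dev "$IF2" multipath off
ip link set dev "br-lan" multipath off
echo 0 > /proc/sys/net/mptcp/mptcp_checksum
echo "blest" > /proc/sys/net/mptcp/mptcp_scheduler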

openwrt/root/proxyiptables.sh

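#!/bin/sh
# Transparent proxying of TCP through xray (dokodemo-door inbound on 127.0.0.1:65531,
# sockopt tproxy) on the OpenWrt client.
#
# Called from /etc/rc.local and /etc/firewall.user, so it runs more than once; the
# previous run is torn down first — otherwise every run appended a second copy of each
# rule and jump.
#
# Mechanism: packets for the proxy are marked 1; "ip rule fwmark 1 -> table 100" with a
# local default route on lo delivers them to the local TPROXY socket instead of forwarding.

XRAY_IP="127.0.0.1"
XRAY_PORT="65531"
PROXY_MARK="1"
PROXY_TABLE="100"

# --- teardown of a previous run (failures mean "not present" and are ignored) ---------
while iptables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null; do :; done
while iptables -t mangle -D PREROUTING -p udp -m socket -j DIVERT 2>/dev/null; do :; done
while iptables -t mangle -D PREROUTING -j PROXY 2>/dev/null; do :; done
while iptables -t mangle -D OUTPUT -j PROXY_LOCAL 2>/dev/null; do :; done
for chain in DIVERT PROXY PROXY_LOCAL; do
    iptables -t mangle -F "$chain" 2>/dev/null
    iptables -t mangle -X "$chain" 2>/dev/null
done

# Destinations never handed to the proxy: unspecified, RFC1918, loopback, link-local,
# multicast and reserved space. The WireGuard tunnel net 10.200.200.0/24 is covered by 10/8.
bypass_local_dests() {
    chain="$1"
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
               192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        iptables -t mangle -A "$chain" -d "$net" -j RETURN
    done
}

# Packets that already belong to a local (transparent) socket: mark and stop early.
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p udp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $PROXY_MARK
iptables -t mangle -A DIVERT -j ACCEPT

# Marked packets are delivered locally (table 100: local default via lo).
ip rule del fwmark $PROXY_MARK table $PROXY_TABLE 2>/dev/null
ip rule add fwmark $PROXY_MARK table $PROXY_TABLE
ip route replace local default dev lo table $PROXY_TABLE

# Forwarded traffic from LAN clients: TPROXY TCP to the xray listener.
iptables -t mangle -N PROXY
bypass_local_dests PROXY
iptables -t mangle -A PROXY -p tcp -j TPROXY --on-ip $XRAY_IP --on-port $XRAY_PORT --tproxy-mark $PROXY_MARK
# UDP is deliberately NOT redirected: the xray inbound on this page is "network": "tcp",
# so TPROXYing UDP to it would send all LAN UDP to a port nothing listens on.
# Re-enable only together with a UDP-capable inbound:
# iptables -t mangle -A PROXY -p udp -j TPROXY --on-ip $XRAY_IP --on-port $XRAY_PORT --tproxy-mark $PROXY_MARK
iptables -t mangle -A PREROUTING -j PROXY

# Locally generated TCP (the router itself): mark so table 100 loops it into xray.
iptables -t mangle -N PROXY_LOCAL
iptables -t mangle -A PROXY_LOCAL -d 10.200.200.1 -j RETURN
bypass_local_dests PROXY_LOCAL
iptables -t mangle -A PROXY_LOCAL -p tcp -j MARK --set-mark $PROXY_MARK
iptables -t mangle -A OUTPUT -j PROXY_LOCAL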

client/xray/config.json

{
  "inbounds": [
    {
      "port": 65531,
      "listen": "127.0.0.1",
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp",
        "followRedirect": true
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol":"socks",
      "settings": {
        "servers": [
          {
            "address": "10.200.200.1",
            "port": 65530,
            "users": [
              {
                "user": "user",
                "pass": "<PASSWORD>"
              }
            ]
          }
        ]
      }
    }
  ]
}

client/wg0.conf

 config interface 'wgisp1'
        option proto 'wireguard'
        option private_key 'aCHP6Kdwk/lIbmGBoqYLCaC50vKwpCP7NMmp/pWRcns='
        list addresses '10.200.200.2'
        option fwmark '0x10'

config wireguard_wgisp1
        option public_key 'TNcQRTFQKQpQKmjhEkK8HRh8sinMKJjKGZMKByYZTSQ='
        option route_allowed_ips '1'
        option endpoint_host '<SERVERIP>'
        option endpoint_port '443'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

config interface 'wgisp2'
        option proto 'wireguard'
        option private_key 'kONpcUQP0Vyoi7OYhQBUY1jyVSuL2jFitw+DXYtPiWs='
        list addresses '10.200.200.3'
        option fwmark '0x20'

config wireguard_wgisp2
        option public_key 'TNcQRTFQKQpQKmjhEkK8HRh8sinMKJjKGZMKByYZTSQ='
        option route_allowed_ips '1'
        option endpoint_host '<SERVERIP>'
        option endpoint_port '443'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        
config route
	option interface 'ISP1'
	option target '162.159.200.123'

config route
    	option interface 'ISP2'
    	option target '194.0.5.123'

openwrt/etc/config/system (one NTP server is reached via each WAN — see the two static routes above — so the clock can be set at cold boot; WireGuard requires a correct date/time) APPEND:

config timeserver 'ntp'
        list server '162.159.200.123'
        list server '194.0.5.123'

openwrt/etc/iproute2/rt_tables

#
# reserved values
#
128     prelocal
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep

101 ISP1
102 ISP2
103 ISP3
104 ISP4

VPS/usr/local/etc/v2ray/config.json

{
    "inbounds": [
        {
            "port": 65530,
            "protocol": "socks",
            "settings": {
                "auth": "password",
                "accounts": [
                {
                    "user": "user",
                    "pass": "<PASSWORD>"
                }
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {}
        }
    ]
}

VPS/etc/sysctl.conf

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.ipv4.ip_forward = 1

VPS/etc/wireguard/wg0.conf

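[Interface]
# Server end of both tunnels; the client's wgisp1/wgisp2 land here as 10.200.200.2/.3.
Address = 10.200.200.1/24
SaveConfig = false
ListenPort = 443
PrivateKey = eOolw61PCEbLThhKuHppF9ao7V22VC3xCsJTc2/hB0o=
# NAT only the tunnel subnet towards the Internet, and remove the rule on wg-quick down:
# PostUp alone leaves one extra MASQUERADE rule in POSTROUTING after every restart.
PostUp = iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o <SERVERIFNAME> -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o <SERVERIFNAME> -j MASQUERADE

[Peer]
# client interface wgisp1 (10.200.200.2)
PublicKey = Rskd0AvlLT8mQjjHTv1en0ylWXcG5tmATHnwtpIMeEY=
AllowedIPs = 10.200.200.2/32

[Peer]
# client interface wgisp2 (10.200.200.3)
PublicKey = HTlLpQF+fm3ST3uVhy6/gxhKZExqRlPlZJBZlzOaImY=
AllowedIPs = 10.200.200.3/32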