TODO:
- Provide pre-compiled MPTCP 5.4 kernel
- Add service for xray
- Add Ubond for non-TCP aggregation (link quality monitor WIP)
Notes:
- Direct MPTCP is not reliable over the Internet, even when the path does not filter it
- Firewall marks (fwmark) are used to route each WireGuard tunnel out of its respective WAN
- ~700Mbit MPTCP aggregation (direct) tested on Pi 4 stock frequency with local 2 links
- ~400Mbit with dokodemo-door (xray), ~150Mbit with shadowsocks
- No UDP/others aggregation (yet)
- No link quality monitoring to stop a bad link from dragging down the aggregate performance
- Reuse the WireGuard keys shown in this document ONLY if you are deploying over an existing, already-authenticated tunnel; otherwise generate your own key pairs and replace them.
- Set a unique, long password for the Xray SOCKS proxy: the VPS inbound in config.json below sets no `listen` address, so unless the VPS firewall restricts it the proxy is reachable on the public interface as well as over the tunnel (adding `"listen": "10.200.200.1"` confines it to the WireGuard address).
- Only use this for single-socket bonding on good-quality Internet connections
- Replace the required <> fields with your own values
Client:
openwrt/etc/rc.local
# Apply the transparent-proxy rules at boot without blocking the rest of rc.local.
# /etc/firewall.user runs the same script again on every firewall reload, so the
# script ends up executed more than once and must tolerate being repeated.
( sh /root/proxyiptables.sh ) &
exit 0
openwrt/etc/firewall.user
# Runs on every firewall (re)load. Policy routing (per-ISP tables, fwmark rules) is
# applied first, then the TPROXY redirection rules. Both scripts are re-executed here
# after fw3 has rebuilt its tables, so each must be safe to run repeatedly.
sh /root/pbrwanmisc.sh
# Short pause between the two scripts; presumably lets the route/rule changes settle — TODO confirm it is needed.
sleep 2
sh /root/proxyiptables.sh
openwrt/etc/sysctl.conf
# fq + BBR for the router's own TCP sockets (the proxied connections originate here).
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
openwrt/root/pbrwanmisc.sh
IF1="ISP1" # replace with your WAN ifname name
IF2="ISP2"
IP1="192.168.10.23"
IP2="192.168.11.23"
P1="192.168.10.1"
P2="192.168.11.1"
P1_NET="192.168.10.0/24"
P2_NET="192.168.11.0/24"
TBL1="ISP1"
TBL2="ISP2"
ip route add $P1_NET dev $IF1 src $IP1 table $TBL1
ip route add default via $P1 table $TBL1
ip route add $P2_NET dev $IF2 src $IP2 table $TBL2
ip route add default via $P2 table $TBL2
ip rule del from $P1_NET table $TBL1
ip rule add from $P1_NET table $TBL1
ip rule del from $P2_NET table $TBL2
ip rule add from $P2_NET table $TBL2
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip rule add fwmark 0x20 table 102
ip rule add fwmark 0x10 table 101
ip link set dev "ISP1" multipath off
ip link set dev "ISP2" multipath off
ip link set dev "br-lan" multipath off
echo 0 > /proc/sys/net/mptcp/mptcp_checksum
echo "blest" > /proc/sys/net/mptcp/mptcp_scheduler
openwrt/root/proxyiptables.sh
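#!/bin/sh
# Transparent-proxy (TPROXY) redirection of LAN and router-originated traffic into the
# local xray dokodemo-door inbound on 127.0.0.1:65531 (client/xray/config.json).
# Called from /etc/rc.local and from /etc/firewall.user, so it is written to be re-runnable:
# chains are created-or-flushed, and jump rules / policy rules are removed before being re-added
# (the original appended a fresh copy of every rule on each run).

MARK=1                  # fwmark for packets that must be delivered to a local transparent socket
TBL=100                 # routing table whose only route sends marked packets to lo
PROXY_IP=127.0.0.1
PROXY_PORT=65531
WG_SERVER=10.200.200.1  # SOCKS upstream reached over WireGuard; must never be proxied (loop)

# Destinations that are never proxied: unspecified, private, loopback, link-local, multicast, reserved.
BYPASS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Create a mangle chain if missing, otherwise empty it, so each run starts from a clean chain.
mkchain() {
    iptables -t mangle -N "$1" 2>/dev/null || iptables -t mangle -F "$1"
}

# Add a mangle rule exactly once: remove every existing copy, then append it.
add_once() {
    while iptables -t mangle -D "$@" 2>/dev/null; do :; done
    iptables -t mangle -A "$@"
}

# 1. Packets that already belong to a local socket (replies to proxied connections)
#    are marked so the policy route below delivers them locally instead of forwarding.
mkchain DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
add_once PREROUTING -p tcp -m socket -j DIVERT
add_once PREROUTING -p udp -m socket -j DIVERT

# Policy route: anything carrying $MARK is delivered to the local stack.
ip rule del fwmark $MARK table $TBL 2>/dev/null
ip rule add fwmark $MARK table $TBL
ip route replace local default dev lo table $TBL

# 2. Forwarded traffic (LAN clients): bypass the local ranges, TPROXY everything else.
#    10.200.200.1 is already covered by the 10.0.0.0/8 entry, so no separate rule is needed here.
mkchain PROXY
for net in $BYPASS; do
    iptables -t mangle -A PROXY -d $net -j RETURN
done
iptables -t mangle -A PROXY -p tcp -j TPROXY --on-ip $PROXY_IP --on-port $PROXY_PORT --tproxy-mark $MARK
# NOTE(review): the xray inbound in client/xray/config.json is "network": "tcp" only, and the
# notes above say UDP is not aggregated yet; UDP redirected here therefore has no listener.
# Keep this rule and the inbound's "network" setting in sync.
iptables -t mangle -A PROXY -p udp -j TPROXY --on-ip $PROXY_IP --on-port $PROXY_PORT --tproxy-mark $MARK
add_once PREROUTING -j PROXY

# 3. Router-originated TCP: mark it so it is routed via lo and picked up by the same TPROXY path.
#    The WireGuard server address is excluded explicitly (it is also inside 10.0.0.0/8) because
#    xray's own upstream SOCKS connections go there and must not be re-proxied.
mkchain PROXY_LOCAL
iptables -t mangle -A PROXY_LOCAL -d $WG_SERVER -j RETURN
for net in $BYPASS; do
    iptables -t mangle -A PROXY_LOCAL -d $net -j RETURN
done
iptables -t mangle -A PROXY_LOCAL -p tcp -j MARK --set-mark $MARK
add_once OUTPUT -j PROXY_LOCAL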
client/xray/config.json
{
"inbounds": [
{
"port": 65531,
"listen": "127.0.0.1",
"protocol": "dokodemo-door",
"settings": {
"network": "tcp",
"followRedirect": true
},
"streamSettings": {
"sockopt": {
"tproxy": "tproxy"
}
}
}
],
"outbounds": [
{
"protocol":"socks",
"settings": {
"servers": [
{
"address": "10.200.200.1",
"port": 65530,
"users": [
{
"user": "user",
"pass": "<PASSWORD>"
}
]
}
]
}
}
]
}
client/wg0.conf
# Two WireGuard tunnels to the same VPS, one per WAN. Each interface carries its own fwmark
# so its encapsulated UDP is policy-routed out of a fixed ISP (fwmark rules in /root/pbrwanmisc.sh:
# 0x10 -> table 101/ISP1, 0x20 -> table 102/ISP2).
# The private keys below are published in this document; generate your own as the notes above say.
config interface 'wgisp1'
option proto 'wireguard'
option private_key 'aCHP6Kdwk/lIbmGBoqYLCaC50vKwpCP7NMmp/pWRcns='
# Tunnel address; matches the first peer's AllowedIPs on the VPS (10.200.200.2/32).
list addresses '10.200.200.2'
option fwmark '0x10'
config wireguard_wgisp1
# Server public key (identical for both tunnels: same VPS).
option public_key 'TNcQRTFQKQpQKmjhEkK8HRh8sinMKJjKGZMKByYZTSQ='
# Installs a route for allowed_ips (0.0.0.0/0) via this tunnel.
# NOTE(review): both tunnels install a default route; which one wins in the main table
# is not shown here — confirm the resulting routing is the intended one.
option route_allowed_ips '1'
option endpoint_host '<SERVERIP>'
option endpoint_port '443'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
config interface 'wgisp2'
option proto 'wireguard'
option private_key 'kONpcUQP0Vyoi7OYhQBUY1jyVSuL2jFitw+DXYtPiWs='
# Matches the second peer's AllowedIPs on the VPS (10.200.200.3/32).
list addresses '10.200.200.3'
option fwmark '0x20'
config wireguard_wgisp2
option public_key 'TNcQRTFQKQpQKmjhEkK8HRh8sinMKJjKGZMKByYZTSQ='
option route_allowed_ips '1'
option endpoint_host '<SERVERIP>'
option endpoint_port '443'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
# Static routes pinning one NTP server to each WAN so the clock can be synced before the
# tunnels are up (WireGuard needs a correct date/time); the servers are listed in /etc/config/system.
config route
option interface 'ISP1'
option target '162.159.200.123'
config route
option interface 'ISP2'
option target '194.0.5.123'
openwrt/etc/config/system (one server is reached over each WAN for multipath NTP at cold boot, as shown in the routes above; a correct date/time is required for WireGuard) APPEND:
config timeserver 'ntp'
list server '162.159.200.123'
list server '194.0.5.123'
openwrt/etc/iproute2/rt_tables
#
# reserved values
#
128 prelocal
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
# 101/102 are the per-ISP tables filled by /root/pbrwanmisc.sh and selected by its
# fwmark rules (0x10 -> 101, 0x20 -> 102). ISP3/ISP4 are not referenced elsewhere in this setup.
101 ISP1
102 ISP2
103 ISP3
104 ISP4
VPS/usr/local/etc/v2ray/config.json
{
"inbounds": [
{
"port": 65530,
"protocol": "socks",
"settings": {
"auth": "password",
"accounts": [
{
"user": "user",
"pass": "<PASSWORD>"
}
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"settings": {}
}
]
}
VPS/etc/sysctl.conf
# Same fq + BBR pairing as the client side.
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
# Required so the VPS can forward the WireGuard peers' traffic out through the MASQUERADE
# rule in /etc/wireguard/wg0.conf. This enables forwarding on every interface; confirm the
# VPS firewall's FORWARD policy only permits wg0 -> <SERVERIFNAME>.
net.ipv4.ip_forward = 1
VPS/etc/wireguard/wg0.conf
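[Interface]
# Tunnel-side address; the clients use .2 and .3 of this /24.
Address = 10.200.200.1/24
SaveConfig = false
# UDP listener; both client tunnels target it (endpoint_port '443').
ListenPort = 443
# This key is published in this document: generate a fresh pair (wg genkey / wg pubkey) and
# replace it here together with the server public_key carried in the client config.
PrivateKey = eOolw61PCEbLThhKuHppF9ao7V22VC3xCsJTc2/hB0o=
# NAT the tunnel subnet out of the VPS uplink; needs net.ipv4.ip_forward=1 (see /etc/sysctl.conf).
PostUp = iptables -t nat -A POSTROUTING -o <SERVERIFNAME> -j MASQUERADE
# Remove the rule again on shutdown so repeated up/down cycles do not stack duplicate MASQUERADE rules.
PostDown = iptables -t nat -D POSTROUTING -o <SERVERIFNAME> -j MASQUERADE
# One peer per client tunnel. The /32 AllowedIPs limits each peer to its single tunnel
# address, so a packet from one tunnel cannot claim the other's source address.
[Peer]
PublicKey = Rskd0AvlLT8mQjjHTv1en0ylWXcG5tmATHnwtpIMeEY=
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = HTlLpQF+fm3ST3uVhy6/gxhKZExqRlPlZJBZlzOaImY=
AllowedIPs = 10.200.200.3/32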