Last active
December 9, 2021 04:45
-
-
Save pwrliang/2e4643c9a7fee3261c0e8b4c7eac19c5 to your computer and use it in GitHub Desktop.
V2Ray on Router
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # TCP | |
| iptables -t nat -N V2RAY | |
| iptables -t nat -A V2RAY -d 0.0.0.0/8 -j RETURN | |
| iptables -t nat -A V2RAY -d 127.0.0.0/8 -j RETURN | |
| iptables -t nat -A V2RAY -d 192.168.8.0/24 -j RETURN | |
| # From lans redirect to Dokodemo-door's local port | |
| iptables -t nat -A V2RAY -s 192.168.8.0/24 -p tcp -j REDIRECT --to-ports 12345 | |
| iptables -t nat -A PREROUTING -p tcp -j V2RAY | |
| iptables -t nat -A OUTPUT -p tcp -j V2RAY | |
| # UDP | |
| ip rule add fwmark 1 table 100 | |
| ip route add local 0.0.0.0/0 dev lo table 100 | |
| iptables -t mangle -N V2RAY_MASK | |
| iptables -t mangle -A V2RAY_MASK -d 192.168.8.0/24 -j RETURN | |
| iptables -t mangle -A V2RAY_MASK -s 192.168.8.0/24 -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 | |
| iptables -t mangle -A PREROUTING -p udp -j V2RAY_MASK | |
| ----- Router ----- | |
| { | |
| "log": { | |
| "access": "/var/log/access.log", | |
| "error": "/var/log/error.log", | |
| "loglevel": "warning" | |
| }, | |
| "dns": { | |
| "servers": [ | |
| "8.8.8.8", | |
| { | |
| "address": "114.114.114.114", | |
| "port": 53, | |
| "domains": [ | |
| "geosite:cn" | |
| ] | |
| }, | |
| "localhost" | |
| ] | |
| }, | |
| "inbounds": [ | |
| { | |
| "port": 12345, | |
| "protocol": "dokodemo-door", | |
| "sniffing": { | |
| "enabled": true, | |
| "destOverride": ["http", "tls"] | |
| }, | |
| "settings": { | |
| "network": "tcp", | |
| "timeout": 30, | |
| "followRedirect": true | |
| } | |
| } | |
| ], | |
| "outbounds": [ | |
| // If routing no match, use first outbound | |
| { | |
| "tag": "ss", | |
| "protocol": "shadowsocks", | |
| "settings": { | |
| "servers": [ | |
| { | |
| "address": "example.com", | |
| "method": "chacha20-ietf-poly1305", | |
| "ota": true, | |
| "password": "PASSWORD", | |
| "port": 443 | |
| } | |
| ] | |
| } | |
| }, | |
| { | |
| "tag": "linode", | |
| "protocol": "vmess", | |
| "settings": { | |
| "vnext": [ | |
| { | |
| "address": "linode.example.com", | |
| "port": 11696, | |
| "users": [ | |
| { | |
| "id": "----------------", | |
| "alterId": 64 | |
| } | |
| ] | |
| } | |
| ] | |
| } | |
| }, | |
| { | |
| "tag": "protocol_layer", | |
| "protocol": "shadowsocks", | |
| "settings": { | |
| "servers": [ | |
| { | |
| "method": "chacha20-ietf-poly1305", | |
| "port": 9015, | |
| "password": "PASSWORD", | |
| "address": "ws.example.com" | |
| } | |
| ] | |
| }, | |
| "proxySettings": { | |
| "tag": "transport_layer" | |
| } | |
| }, | |
| { | |
| "tag": "transport_layer", | |
| "protocol": "freedom", | |
| "settings": { | |
| "redirect": "ws.example.com:443" | |
| }, | |
| "streamSettings": { | |
| "network": "ws", | |
| "security": "tls", | |
| "wsSettings": { | |
| "path": "/example/" | |
| }, | |
| "tlsSettings": { | |
| "serverName": "ws.example.com", // Required, Nginx needs this to redirect your connection to a proper `port number`. | |
| "allowInsecure": false // Optional, `true` if you don't care about MITM Attack. | |
| } | |
| }, | |
| "mux": { | |
| "enabled": true | |
| } | |
| }, | |
| { | |
| "protocol": "dns", | |
| }, | |
| { | |
| "protocol": "freedom", | |
| "settings": {}, | |
| "tag": "direct" | |
| }, | |
| { | |
| "protocol": "blackhole", | |
| "settings": {}, | |
| "tag": "blocked" | |
| } | |
| ], | |
| "routing": { | |
| "domainStrategy": "IPOnDemand", | |
| "rules": [ | |
| { | |
| "type": "field", | |
| "inboundTag": ["dns-in"], | |
| "outboundTag": "dns-out" | |
| }, | |
| { | |
| "type": "field", | |
| "outboundTag": "direct", | |
| "domain": ["geosite:cn"] // 中国大陆主流网站的域名 | |
| }, | |
| { | |
| "type": "field", | |
| "outboundTag": "direct", | |
| "ip": [ | |
| "geoip:cn", // 中国大陆的 IP | |
| "geoip:private" // 私有地址 IP,如路由器等 | |
| ] | |
| } | |
| ] | |
| } | |
| } | |
| ----------SERVER-------------- | |
| { | |
| "log": { | |
| "access": "/var/log/v2ray/access.log", | |
| "error": "/var/log/v2ray/error.log", | |
| "loglevel": "info" | |
| }, | |
| "inbounds": [ | |
| { | |
| "port": "11696", /* this is the server port for client */ | |
| "listen": "127.0.0.1", | |
| "protocol": "dokodemo-door", | |
| "tag": "wsdoko", | |
| "settings": { | |
| "address": "v1.mux.cool", | |
| "followRedirect": false, | |
| "network": "tcp" | |
| }, | |
| "streamSettings": { | |
| "network": "ws", /* same as v2ray-plugin */ | |
| "wsSettings": { | |
| "path": "/v2ray" | |
| } | |
| } | |
| }, | |
| { | |
| "port": 9015, /* this port is not used, but you need to specific */ | |
| "protocol": "shadowsocks", | |
| "settings": { | |
| "method": "chacha20-poly1305", | |
| "ota": false, | |
| "password": "PASSWORD", | |
| "network": "tcp,udp" | |
| }, | |
| "streamSettings": { | |
| "network": "domainsocket" | |
| } | |
| }, | |
| { | |
| "port":3389, | |
| "protocol":"shadowsocks", | |
| "settings":{ | |
| "method":"chacha20-poly1305", | |
| "ota":false, | |
| "password":"PASSWORD" | |
| } | |
| } | |
| ], | |
| "outbounds": [ | |
| { | |
| "protocol": "freedom", | |
| "settings": {} | |
| }, | |
| { | |
| "protocol": "blackhole", | |
| "settings": {}, | |
| "tag": "blocked" | |
| }, | |
| { | |
| "protocol": "freedom", | |
| "tag": "ssmux", | |
| "streamSettings": { | |
| "network": "domainsocket" | |
| } | |
| } | |
| ], | |
| "transport": { | |
| "dsSettings": { | |
| "path": "/var/run/ss-loop.sock" /* the directory must exist before v2ray starts */ | |
| } | |
| }, | |
| "routing": { | |
| "rules": [ | |
| { | |
| "type": "field", | |
| "inboundTag": [ | |
| "wsdoko" | |
| ], | |
| "outboundTag": "ssmux" | |
| }, | |
| { | |
| "type": "field", | |
| "ip": [ | |
| "geoip:private" | |
| ], | |
| "outboundTag": "blocked" | |
| } | |
| ] | |
| } | |
| } | |
| -----APACHE ws.example.com-le-ssl.conf----- | |
| <IfModule mod_ssl.c> | |
| <VirtualHost *:443> | |
| # The ServerName directive sets the request scheme, hostname and port that | |
| # the server uses to identify itself. This is used when creating | |
| # redirection URLs. In the context of virtual hosts, the ServerName | |
| # specifies what hostname must appear in the request's Host: header to | |
| # match this virtual host. For the default virtual host (this file) this | |
| # value is not decisive as it is used as a last resort host regardless. | |
| # However, you must set it for any further virtual host explicitly. | |
| ServerName ws.example.com | |
| ServerAlias ws.example.com | |
| ServerAdmin webmaster@localhost | |
| DocumentRoot /var/www/html | |
| # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, | |
| # error, crit, alert, emerg. | |
| # It is also possible to configure the loglevel for particular | |
| # modules, e.g. | |
| #LogLevel info ssl:warn | |
| ErrorLog ${APACHE_LOG_DIR}/error.log | |
| CustomLog ${APACHE_LOG_DIR}/access.log combined | |
| # For most configuration files from conf-available/, which are | |
| # enabled or disabled at a global level, it is possible to | |
| # include a line for only one particular virtual host. For example the | |
| # following line enables the CGI configuration for this host only | |
| # after it has been globally disabled with "a2disconf". | |
| #Include conf-available/serve-cgi-bin.conf | |
| SSLCertificateFile /etc/letsencrypt/live/ws.example.com/fullchain.pem | |
| SSLCertificateKeyFile /etc/letsencrypt/live/ws.example.com/privkey.pem | |
| Include /etc/letsencrypt/options-ssl-apache.conf | |
| SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 | |
| SSLCipherSuite HIGH:!aNULL | |
| <LocationMatch "/example/"> | |
| ProxyPass ws://127.0.0.1:11696/v2ray upgrade=WebSocket | |
| ProxyAddHeaders Off | |
| ProxyPreserveHost On | |
| RequestHeader set Host %{HTTP_HOST}s | |
| RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s | |
| </LocationMatch> | |
| </VirtualHost> | |
| </IfModule> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Enable apache2 deps:
sudo a2enmod ssl
sudo a2enmod proxy
sudo a2enmod proxy_wstunnel
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod headers