Getting past the wall (科学上网) on a WNDR4300 with Shadowsocks and ChinaDNS


Preface

I had been using a WR703N as my router, but its performance was a bottleneck and a lot of things simply could not be done on it, so a group of dorm mates chipped in and bought a WNDR4300. Hence this article.
The method described here is based on aa65535's shadowsocks-spec for OpenWrt. It explains how to set up automatic wall-climbing under OpenWrt; the newer version can be configured graphically in LuCI, which simplifies the setup a great deal. Once configured, the router itself gains the ability to get past the wall automatically, and every device connected to it can reach blocked sites without any client-side setup: it is a transparent proxy running on the router.

The scheme decides by destination IP whether to proxy: domestic (Chinese) IPs go direct, foreign IPs go through the proxy. The proxying is done by ss-redir from shadowsocks, which performs TCP redirection; domestic and foreign addresses are told apart with chnroute, a file listing the Chinese IP ranges, and handled by separate iptables rules (all of this is already integrated in shadowsocks-spec and needs no extra configuration). Because the decision is made on the IP address, DNS poisoning has to be dealt with as well: a poisoned answer hands the client a wrong address, and the redirect rules would simply forward the connection to that wrong address. ChinaDNS is used to solve that.

Since every foreign IP goes through the proxy, not only the blocked ones, the pros and cons of this approach are obvious.

Pros: practically nothing slips through, so every blocked site is reachable; it can also improve the sluggish access to some foreign sites from within China, and if your server is fast it can even act as an accelerator for foreign sites.

Cons: if the server is only average, some sites may actually get slower; sites and applications that restrict access by IP may give you trouble. In short, choose according to your situation.

Open-source projects involved in this setup
https://github.com/aa65535/openwrt-shadowsocks
https://github.com/aa65535/openwrt-chinadns
https://github.com/aa65535/openwrt-dist-luci
https://github.com/aa65535/openwrt-redsocks2
https://github.com/madeye/shadowsocks-libev
https://github.com/clowwindy/ChinaDNS

Preparation

All the packages needed for this article have been bundled and uploaded, including the OpenWrt firmware I use on the 4300. Link: http://pan.baidu.com/s/1bnsBLqZ password: bp1o. Bear in mind that installing firmware and .ipk files from a file share means trusting whoever built them; if that matters to you, build the packages yourself from the repositories listed above. If you do not yet know how to flash OpenWrt, please Google (or Baidu) it first and make sure you are familiar with flashing OpenWrt and with unbricking the 4300 before continuing with this article.

Installing Shadowsocks and ChinaDNS

First run opkg update to refresh the package lists. We are using shadowsocks-libev-spec_2.1.4-1_ar71xx.ipk, which needs a few dependencies installed first:
opkg install ipset libopenssl resolveip
Reboot the router after installing them. Then upload all the downloaded packages to /tmp and install them one after another:
opkg install shadowsocks-libev-spec_2.1.4-1_ar71xx.ipk
opkg install ChinaDNS_1.3.1-1_ar71xx.ipk
opkg install luci-app-shadowsocks-spec_1.3.1-1_all.ipk
opkg install luci-app-chinadns_1.3.1-1_all.ipk
Shadowsocks and ChinaDNS are enabled at boot by default; leave them alone in day-to-day use.

Configuring Shadowsocks, ChinaDNS and DHCP/DNS

Log in to the LuCI admin interface and open the Services menu; Shadowsocks and ChinaDNS are already lying there quietly, waiting for us to poke at them. Shadowsocks: I use a config.json file, in the following format:
{
        "server": "X.X.X.X",
        "server_port": "443",
        "password": "password",
        "local_port": "1080",
        "method": "rc4-md5"
}
That is just habit; you can equally fill the same fields in directly in LuCI, so I will not go into it. One caveat on the method: rc4-md5 is fast on a router-class CPU, but RC4 is a deprecated stream cipher and the shadowsocks stream ciphers do not authenticate the payload, so pick a stronger method if your server supports one (both ends must use the same method). ChinaDNS: nothing special to watch out for either. As upstream servers you generally enter the DNS your ISP provides, but the second one must be a clean (unpolluted) resolver. Here I use a pdnsd server I run on my own VPS; see my post "A simple tutorial on building a DNS server with pdnsd" (reaching it requires getting past the wall). Once ChinaDNS is set up, switch to "Network" -> "DHCP/DNS" in LuCI and configure it as in the screenshot (not reproduced in this text); the point is to make dnsmasq forward its queries to ChinaDNS on 127.0.0.1#5353 instead of the ISP's resolvers, which is what the dnsmasq configuration further down does, with the VPS resolver as a second upstream.
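To make the two IP-based decisions concrete, here is an added example that is not code from shadowsocks-spec, ChinaDNS or this post. It models, in POSIX sh, (1) the per-destination direct-or-proxy decision that the ss-redir iptables chain makes from the chnroute list (the scheme described at the start of the post), and prints the equivalent ipset/iptables commands, and (2) the answer filtering ChinaDNS performs in front of dnsmasq, modelled on its bidirectional CHNRoute rule (the -m option) rather than on its actual code. The chnroute excerpt, the private-range exclusions, the server address 203.0.113.10, the resolver addresses and the chain name SS_REDIR are all constructed for the example; the bogus-address excerpt is taken from the ignore-address list further down.

```shell
#!/bin/sh
# Added example, not code from shadowsocks-spec, ChinaDNS or the original post.
# Models the two IP-based decisions the setup relies on:
#   classify DST_IP                -> direct|proxy  (what the ss-redir nat chain decides)
#   filter_answer RESOLVER ANSWER  -> accept|drop   (ChinaDNS-style answer filtering)
#   gen_rules                      -> the equivalent ipset/iptables commands

# Constructed excerpt of chnroute; the real file is the full list of CN allocations.
CHNROUTE='1.0.1.0/24
1.0.2.0/23
114.114.0.0/16
202.96.0.0/13'

# Private and other non-routable ranges that must never be redirected (assumed list).
RESERVED='0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4'

SS_SERVER=203.0.113.10    # assumed Shadowsocks server address (documentation range)
SS_LOCAL_PORT=1080        # ss-redir's local_port from config.json
CN_RESOLVERS='114.114.114.114'   # domestic resolver(s) whose replies may be injected;
                                 # any other resolver (e.g. the VPS pdnsd) counts as clean
# Excerpt of the bogus answers listed under ignore-address further down.
BOGUS='4.36.66.178 8.7.198.45 37.61.54.158 59.24.3.173'

ip2int() {  # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr IP NET/BITS -> true when IP lies inside the prefix
    net=${2%/*}; bits=${2#*/}; drop=$(( 32 - bits ))
    [ $(( $(ip2int "$1") >> drop )) -eq $(( $(ip2int "$net") >> drop )) ]
}

is_cn_ip() {
    for c in $CHNROUTE; do
        if in_cidr "$1" "$c"; then return 0; fi
    done
    return 1
}

# Decision 1, in the same order as the nat chain: server, reserved, chnroute, REDIRECT.
# Matching the server first is what keeps traffic to the server from looping back
# through ss-redir (the ignore.list advice further down covers the same case).
classify() {
    if [ "$1" = "$SS_SERVER" ]; then echo direct; return; fi
    for c in $RESERVED; do
        if in_cidr "$1" "$c"; then echo direct; return; fi
    done
    if is_cn_ip "$1"; then echo direct; else echo proxy; fi
}

# Decision 2. An injected reply is spoofed with the domestic resolver's own source
# address, so the source alone proves nothing: a known bogus address is dropped
# outright, and a domestic resolver "answering" a foreign IP is treated as injected.
# The bidirectional rule also drops a clean resolver's CN answer, so that domestic
# sites are resolved by the domestic resolver (the 114.114.114.114 rules below do
# the same thing per domain inside dnsmasq).
filter_answer() {
    for b in $BOGUS; do
        if [ "$2" = "$b" ]; then echo drop; return; fi
    done
    from_cn=no
    for r in $CN_RESOLVERS; do
        if [ "$1" = "$r" ]; then from_cn=yes; fi
    done
    if is_cn_ip "$2"; then
        if [ "$from_cn" = yes ]; then echo accept; else echo drop; fi
    else
        if [ "$from_cn" = yes ]; then echo drop; else echo accept; fi
    fi
}

# Decision 1 as firewall rules (SS_REDIR is a hypothetical chain name).
gen_rules() {
    echo "ipset create chnroute hash:net -exist"
    for c in $CHNROUTE; do echo "ipset add chnroute $c -exist"; done
    echo "iptables -t nat -N SS_REDIR"
    echo "iptables -t nat -A SS_REDIR -d $SS_SERVER -j RETURN"
    for c in $RESERVED; do echo "iptables -t nat -A SS_REDIR -d $c -j RETURN"; done
    echo "iptables -t nat -A SS_REDIR -m set --match-set chnroute dst -j RETURN"
    echo "iptables -t nat -A SS_REDIR -p tcp -j REDIRECT --to-ports $SS_LOCAL_PORT"
    echo "iptables -t nat -A PREROUTING -p tcp -j SS_REDIR"
}

# Usage: sh split.sh rules | sh split.sh 8.8.8.8 | sh split.sh 114.114.114.114 8.7.198.45
case $# in
    1) if [ "$1" = rules ]; then gen_rules; else classify "$1"; fi ;;
    2) filter_answer "$1" "$2" ;;
esac
```

Run it with the single argument rules to print the rule set, with one address to see whether that destination would go direct or through ss-redir, or with a resolver address and an answer address to see the filter verdict: a reply of 8.7.198.45 from 114.114.114.114 is dropped as a bogus answer, 202.96.128.86 from the same resolver is accepted as a domestic address, and 93.46.8.89 from it is dropped because a domestic resolver returning a foreign address is treated as injected.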

Additional notes and references

If you find you can no longer reach your own VPS, add the VPS's IP to shadowsocks's ignore.list: connections to the server itself must go direct, otherwise ss-redir would try to push them through the very tunnel it is building. The dnsmasq configuration follows A大's tutorial and is reproduced here for reference. You need the full build of dnsmasq first (the dnsmasq-full package), which you will find in the bundle.
# Configuration file for dnsmasq.

# Send every query to all upstream servers at once and return the
# first reply that comes back. This is only safe when every upstream
# listed below is clean: a fast poisoned reply would win the race,
# and ignore-address (further down) only catches known bogus answers.
all-servers

# Do not read or poll /etc/resolv.conf; use only the servers listed here.
no-poll
no-resolv

# Minimum TTL for cached entries, in seconds (1800 = 30 minutes).
# dnsmasq caps this value at one hour unless recompiled.
min-cache-ttl=1800

# Size of dnsmasq's cache. The default is 150 names;
# setting it to zero disables caching.
cache-size=5000

# Upstream servers: ChinaDNS on the router, and the pdnsd on the VPS.
# A plain public resolver such as 8.8.8.8 is left commented out because
# its replies can be tampered with in transit.
#server=8.8.8.8
server=127.0.0.1#5353
server=108.61.xx.xx#xxxx

# Pull in the per-domain rules from our own directory.
conf-dir=/etc/dnsmasq.d

Note that you have to create the dnsmasq.d directory yourself; keeping the custom rules there makes them easier to manage.

# Force Google and other foreign services to be resolved by the foreign (VPS) resolver
server=/.google-analytics.com/108.61.250.x#port
server=/.googletagmanager.com/108.61.250.x#port
server=/google.com/108.61.250.x#port
server=/.gstatic.com/108.61.250.x#port
server=/.googleusercontent.com/108.61.250.x#port
server=/.gvt1.com/108.61.250.x#port
server=/.gvt2.com/108.61.250.x#port
server=/.gvt3.com/108.61.250.x#port
server=/.googleapis.com/108.61.250.x#port
server=/.doubleclick.net/108.61.250.x#port
server=/.doubleclick.com/108.61.250.x#port
server=/.ggpht.com/108.61.250.x#port
server=/.blogspot.com/108.61.250.x#port
server=/.android.com/108.61.250.x#port
server=/.googlecode.com/108.61.250.x#port
server=/.google.com.hk/108.61.250.x#port
server=/.google.com.tw/108.61.250.x#port
server=/.google.com.sg/108.61.250.x#port
server=/.google.co.jp/108.61.250.x#port
server=/.googlelabs.com/108.61.250.x#port
server=/chrome.com/108.61.250.x#port
server=/wikipedia.org/108.61.250.x#port
server=/.gravatar.com/108.61.250.x#port
server=/dropbox.com/108.61.250.x#port
server=/github.com/108.61.250.x#port
server=/github.io/108.61.250.x#port
server=/feedly.com/108.61.250.x#port
server=/.twimg.com/108.61.250.x#port
server=/.twitpic.com/108.61.250.x#port
server=/.tinypic.com/108.61.250.x#port
server=/facebook.com/108.61.250.x#port
server=/youtube.com/108.61.250.x#port
server=/.googlevideo.com/108.61.250.x#port
server=/.googleadservices.com/108.61.250.x#port
server=/.staticflickr.com/108.61.250.x#port

#Heiybb
server=/.v2ex.com/127.0.0.1#5353
server=/.heiybb.com/114.114.114.114
server=/.levtu.com/114.114.114.114
server=/gravatar.eqoe.cn/114.114.114.114
server=/.tfboys.us/108.61.250.x#port
server=/.csdn.net/108.61.250.x#port

#Bilibili
server=/bilibili.com/114.114.114.114
server=/bilibili.tv/114.114.114.114
server=/hdslb.net/114.114.114.114
server=/hdslb.com/114.114.114.114
server=/acgvideo.com/114.114.114.114
server=/acg.tv/114.114.114.114

# Discard any reply containing one of these addresses: they are the
# bogus answers that DNS injection is known to return.
ignore-address=2.1.1.2
ignore-address=4.193.80.0
ignore-address=4.36.66.178
ignore-address=8.105.84.0
ignore-address=8.7.198.45
ignore-address=12.87.133.0
ignore-address=14.102.249.18
ignore-address=16.63.155.0
ignore-address=20.139.56.0
ignore-address=23.89.5.60
ignore-address=24.51.184.0
ignore-address=28.121.126.139
ignore-address=28.13.216.0
ignore-address=37.61.54.158
ignore-address=46.20.126.252
ignore-address=46.38.24.209
ignore-address=46.82.174.68
ignore-address=49.2.123.56
ignore-address=54.76.135.1
ignore-address=59.24.3.173
ignore-address=61.54.28.6
ignore-address=64.33.88.161
ignore-address=64.33.99.47
ignore-address=64.66.163.251
ignore-address=65.104.202.252
ignore-address=65.160.219.113
ignore-address=66.206.11.194
ignore-address=66.45.252.237
ignore-address=72.14.205.104
ignore-address=72.14.205.99
ignore-address=74.117.57.138
ignore-address=74.125.127.102
ignore-address=74.125.155.102
ignore-address=74.125.39.102
ignore-address=74.125.39.113
ignore-address=77.4.7.92
ignore-address=78.16.49.15
ignore-address=89.31.55.106
ignore-address=93.46.8.89
ignore-address=113.11.194.190
ignore-address=118.5.49.6
ignore-address=122.218.101.190
ignore-address=123.126.249.238
ignore-address=123.50.49.171
ignore-address=125.230.148.48
ignore-address=127.0.0.2
ignore-address=128.121.126.139
ignore-address=159.106.121.75
ignore-address=169.132.13.103
ignore-address=173.201.216.6
ignore-address=188.5.4.96
ignore-address=189.163.17.5
ignore-address=192.67.198.6
ignore-address=197.4.4.12
ignore-address=202.106.1.2
ignore-address=202.181.7.85
ignore-address=203.161.230.171
ignore-address=203.199.57.81
ignore-address=203.98.7.65
ignore-address=207.12.88.98
ignore-address=208.109.138.55
ignore-address=208.56.31.43
ignore-address=209.145.54.50
ignore-address=209.220.30.174
ignore-address=209.36.73.33
ignore-address=209.85.229.138
ignore-address=211.5.133.18
ignore-address=211.8.69.27
ignore-address=211.94.66.147
ignore-address=213.169.251.35
ignore-address=213.186.33.5
ignore-address=216.139.213.144
ignore-address=216.221.188.182
ignore-address=216.234.179.13
ignore-address=221.8.69.27
ignore-address=243.185.187.30
ignore-address=243.185.187.39
ignore-address=249.129.46.48
ignore-address=253.157.14.165

This article drew on the post on 飞羽's blog; my thanks to its author and to everyone behind the open-source projects.
After all, this article was written in a single afternoon; if you spot mistakes, please point them out and I will fix them as soon as I can.

Responses
  1. WOW just what I was searching for. Came here by searching for 科学上网
  2. Thanks for sharing your thoughts about 科学上网. Regards
  3. Thanks for sharing your thoughts on 科学上网. Regards
  4. bruce

     All versions are the same as the OP's, yet ChinaDNS is not running. Could the OP come and help sort this out?

     1. @bruce

        Run ChinaDNS from a terminal and fix things according to the error message it returns. The power is out today so I can't get to a computer =.=

  5. test

     Followed the OP's method to the letter and still can't get over the wall.

  6. 游客 (guest)

     After configuring with 飞羽's method 1 my speed dropped a lot. How do I fix that?

     1. @游客

        Never heard of that happening. Method 1 also only sends foreign IPs through the proxy; did you perhaps misconfigure it so that everything goes through the proxy?