Code Blog

2016/03/30 VPN,OpenWRT

Useful commands from ssh terminal

/etc/init.d/shadowsocks enable
/etc/init.d/shadowsocks start
/etc/init.d/ChinaDNS enable
/etc/init.d/ChinaDNS start
killall dnsmasq
/etc/init.d/dnsmasq start
iptables -L -n -v
iptables -L OUTPUT -n -v
iptables -L FORWARD -n -v
cat /proc/meminfo
cat /proc/cpuinfo
netstat -tulpn

Note: dropbear is the SSH server included in OpenWRT. It's a lightweight SSH server.

shadowsocks-libev vs shadowsocks-libev-spec

shadowsocks-libev includes ss-{local,redir,tunnel}. The default config runs ss-local, which creates a local SOCKS proxy. shadowsocks-libev-spec is a special version for OpenWrt that includes ss-{redir,rules,tunnel}: ss-redir creates the transparent proxy, ss-rules generates the proxy rules, and ss-tunnel provides UDP transmission. Starting from v1.5.2 it uses the LuCI interface.

PandoraBox

PandoraBox is a router firmware fork of OpenWRT, made by the Chinese OpenWRT community. The intellectual property and copyright laws must be different in China, since the source code contains MediaTek copyrighted material, which is clearly not allowed in the standard version of OpenWRT. Basically, PandoraBox adds Wi-Fi support for routers that are still not supported in OpenWRT, but that source code cannot be added to the OpenWRT distribution for copyright reasons. If OpenWRT lacks support for a router, it is possible that PandoraBox supports it instead.

GFWList - Sites blocked in China

I have already set up the China accelerated list in my previous OpenWRT post. However, there is also the foreign_list.conf (GFWList) that can be added to dnsmasq.

In this way the logic will be:

  1. Check China accelerated list: Directly resolve IP if match is found, otherwise continue
  2. Check China blocked list: Directly resolve IP if match is found, otherwise continue 
  3. Use ChinaDNS for all remaining DNS requests. ChinaDNS will decide if it will use China DNS server or tunnel to DNS server outside of China. ChinaDNS uses the /etc/chinadns_chnroute.txt file to determine if an IP is in China or not.
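The three-step resolution logic above, modelled as an added example (this is not code from the original post or from ChinaDNS itself): the two dnsmasq lists are parsed from constructed "server=/domain/upstream" lines, and the final ChinaDNS step is a simplified model that keeps the domestic answer only when it falls inside a constructed excerpt of chnroute.

```python
import ipaddress

# Constructed sample lists in dnsmasq "server=/domain/upstream" syntax (not from the page).
ACCELERATED_LIST = "server=/.taobao.com/114.114.114.114\n"
FOREIGN_LIST = "server=/.google.com/127.0.0.1#5353\n"
# Constructed excerpt in the one-CIDR-per-line format of /etc/chinadns_chnroute.txt.
CHNROUTE = "114.114.0.0/16\n1.0.1.0/24\n"

def parse_server_lines(text):
    """Turn 'server=/domain/upstream' lines into {domain: upstream}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("server=/"):
            _, domain, upstream = line.split("/", 2)
            table[domain.strip(".").lower()] = upstream
    return table

def match_domain(name, table):
    """A server=/domain/ rule also covers every subdomain, so walk the suffixes."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        upstream = table.get(".".join(labels[i:]))
        if upstream:
            return upstream
    return None

def in_chnroute(ip, text=CHNROUTE):
    """True if ip lies inside one of the CIDR blocks of the chnroute list."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip())
    return any(addr in net for net in nets)

def route_query(name):
    """Steps 1-3 from the post: accelerated list, then blocked list, else ChinaDNS."""
    upstream = match_domain(name, parse_server_lines(ACCELERATED_LIST))
    if upstream:
        return ("china-list", upstream)
    upstream = match_domain(name, parse_server_lines(FOREIGN_LIST))
    if upstream:
        return ("blocked-list", upstream)
    return ("chinadns", None)

def chinadns_pick(china_answer, foreign_answer):
    """Simplified ChinaDNS decision: trust the domestic server's answer only if the
    returned IP is in chnroute; otherwise fall back to the tunnelled foreign answer."""
    if in_chnroute(china_answer):
        return china_answer
    return foreign_answer
```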

Traffic statistics

vnStat

vnStati - provides image output support for statistics collected using vnstat

collectd

Good list of different software for bandwidth monitoring: https://wiki.openwrt.org/doc/howto/wrtbwmon

Update: vnStat worked but did not have a lot of options to configure. I wanted to see the amount of traffic going through the Shadowsocks tunnel, but this didn't seem possible with vnStat.

OpenWRT Ad-blocker - Privoxy

The privoxy package is designed to filter out traffic going to known ad-site servers. I could not find a package build in the stable Chaos Calmer repository, but there is a package build available in the snapshot/trunk repository, see:

http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/packages/

Snapshots are automatically built every 1-2 days from the SVN trunk (development) repository sources by the buildbot. They are untested and might not work properly.

opkg update
opkg list | grep privoxy
opkg install privoxy
opkg install luci-app-privoxy

Update: It seems I had some problems getting this package to work well with Redsocks2/Shadowsocks/ChinaDNS, so I removed privoxy and vnstat and the router was working well again. To remove packages from OpenWRT run "opkg remove packagename".

Alternative to ChinaDNS - DNSCrypt

DNSCrypt uses strong encryption for DNS traffic. There's an updated list of public servers DNSCrypt can use. For more information see https://dnscrypt.org/

For OpenWRT one needs to install the package "dnscrypt-proxy".

Example /etc/dnsmasq.conf configuration, pointing dnsmasq at dnscrypt-proxy listening on 127.0.0.1 port 5301:

# Ignore the resolve file /etc/resolv.conf
no-resolv
no-poll
# Use DNSCrypt as upstream DNS server 
server=127.0.0.1#5301
# Turn off DHCP for the network interface 
no-dhcp-interface=eth0
# Local hosts file 
addn-hosts=/etc/dns/hosts

Alternative to Shadowsocks - obfsproxy

Shadowsocks may not be enough because of deep packet inspection used by the GFW. One alternative is using an obfuscated SSH tunnel, based on Tor's obfsproxy.

DNS cache: pdnsd

pdnsd is a DNS server designed for local caching of DNS information. Correctly configured, it can significantly increase browsing speed on a broadband connection. Compared to BIND or dnsmasq it can remember its cache after a reboot; "p" stands for persistent.

I can't find a package to install for my version of OpenWRT; I might need to build it from source.

Intended DNS flow: dnsmasq -> ChinaDNS -> if the destination is in China: 114.114.114.114; if outside China: pdnsd -> ss-tunnel -> 8.8.8.8

Other notes & links to websites

There is a shadowsocks version using PolarSSL, so a quick check online revealed the following:

mbed TLS (previously PolarSSL) is an implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required.
It's a lightweight open-source cryptographic and SSL/TLS library written in C with a small memory footprint.

Then there is another package available called ShadowVPN, which seems to offer similar functionality to Shadowsocks+Redsocks2 but may be faster and more lightweight, see link:

https://github.com/clowwindy/ShadowVPN/wiki/Compared-to-Shadowsocks-and-OpenVPN
ShadowVPN is a fast, safe VPN based on libsodium 

Both ShadowVPN and PolarSSL might be interesting to test out. I'm not really sure how to set up a ShadowVPN server that the OpenWRT router can tunnel to, though, but maybe there is more information available if I actually install the package.

I found a lot of good and helpful information (in Chinese) at
https://cokebar.info/archives/978
https://cokebar.info/archives/948  
For example, the tester script I copied from cokebar.info.

Now here's a story: the guy who developed shadowsocks (clowwindy) is Chinese, and ran into some trouble last year:

On August 22 2015, an open source project called ShadowSocks was removed from GitHub. According to the project’s author, the police contacted him and asked him to stop working on the tool and to remove all of the code from GitHub. He later removed the reference of the police, presumably under the pressure of the police.

I guess he mentioned the police in the first readme notice when the source code was taken down. Now the "readme.md" file at GitHub reads "Removed according to regulations.". That's just insane. China plays by other rules.

More tips

Speed up Apple downloads:

Create the file /etc/dnsmasq.d/apple.conf and add the line below to it:
server=/.apple.com/199.91.73.222

I read online that:

"shadowsocks-libev has ss-redir which works as a transparent proxy, so redsocks is not needed"

Not sure about this, will need to try it myself.