This tutorial assumes you already have a Shadowsocks account, or a VPS outside the firewall with the Shadowsocks server installed.

I. Install OpenWrt and configure Internet access

1. Telnet to 192.168.1.1 to reach OpenWrt and change the root password

telnet 192.168.1.1
passwd    # set the root password; on OpenWrt this also enables SSH and disables telnet

2. Configure the WAN connection

# replace name/123456 with the PPPoE credentials from your ISP
uci set network.wan.proto=pppoe
uci set network.wan.username=name
uci set network.wan.password=123456
uci commit network && ifup wan

3. Install the LuCI web interface and enable it at boot

opkg update
opkg install luci
/etc/init.d/uhttpd start
/etc/init.d/uhttpd enable

4. Change the port of the LuCI web interface

vim /etc/config/uhttpd    # edit the listen_http / listen_https entries

5. Change the default SSH port (22)

vim /etc/config/dropbear    # edit option Port '22'

6. Custom DNS

  1. Create /etc/config/sec_resolv.conf

    vim /etc/config/sec_resolv.conf

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 208.67.222.222

  2. Edit /etc/config/dhcp
    Find the option resolvfile line and replace /tmp/resolv.conf.auto with /etc/config/sec_resolv.conf:

    option resolvfile '/etc/config/sec_resolv.conf'

II. Package installation

Run:

opkg update

Download the shadowsocks-libev package (.ipk) for your platform.

Required packages:

For the polarssl build of shadowsocks (polarssl is smaller):

opkg install iptables-mod-nat-extra ipset libpolarssl

For the normal (openssl) build of shadowsocks (openssl has better compatibility):

opkg install iptables-mod-nat-extra ipset libopenssl

Remove dnsmasq and install dnsmasq-full plus the required extension packages (the stock dnsmasq has no ipset support):

opkg remove dnsmasq && opkg install dnsmasq-full
cd /tmp
opkg install shadowsocks-libev_x.x.x-x_ar71xx.ipk

III. Configuration

a. Configure /etc/shadowsocks.json

{
    "server": "X.X.X.X",
    "server_port": "443",
    "password": "password",
    "local_port": "1080",
    "method": "aes-256-cfb"
}

b. Edit /etc/init.d/shadowsocks. In practice this just means commenting out Client Mode and uncommenting Proxy Mode:

#!/bin/sh /etc/rc.common

START=95

SERVICE_USE_PID=1
SERVICE_WRITE_PID=1
SERVICE_DAEMONIZE=1
SERVICE_PID_FILE=/var/run/shadowsocks.pid
CONFIG=/etc/shadowsocks.json

start() {
    # Client Mode
    #service_start /usr/bin/ss-local -c $CONFIG -f $SERVICE_PID_FILE
    # Proxy Mode
    service_start /usr/bin/ss-redir -c $CONFIG -f $SERVICE_PID_FILE
}

stop() {
    # Client Mode
    #service_stop /usr/bin/ss-local
    # Proxy Mode
    service_stop /usr/bin/ss-redir
}

c. Start Shadowsocks and enable it at boot:

/etc/init.d/shadowsocks enable
/etc/init.d/shadowsocks start

IV. Configure dnsmasq and ipset

a. Add the iptables rules to the firewall (put them in /etc/rc.local so they run at boot)

# create the set first; dnsmasq can only add entries to a set that already exists
ipset -N gfwlist iphash
# --to-port must match local_port in /etc/shadowsocks.json
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1080
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1080

b. Edit /etc/dnsmasq.conf and append conf-dir=/etc/dnsmasq.d at the end; then create the directory /etc/dnsmasq.d and put my_dnsmasq.conf in it.

The format of my_dnsmasq.conf is as follows:

# Resolve this domain through a DNS server that is not subject to poisoning; change this IP to the DNS server you use
server=/google.com/208.67.222.222#443
# Store the resolved IPs in the ipset named gfwlist
ipset=/google.com/gfwlist
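The two-line pattern above has to be repeated for every domain, and a domain that gets a server= line but no ipset= line is resolved cleanly yet never redirected. The following script is an added example, not part of the original tutorial: it generates the fragment for a list of domains and checks that each domain has both lines. The upstream and set name are assumptions matching the tutorial's defaults; with the ss-tunnel from section V you would point UPSTREAM_DNS at 127.0.0.1 and UPSTREAM_PORT at 5353 instead.

```shell
#!/bin/sh
# Added example: generate and check the my_dnsmasq.conf fragment.
# Assumed values (match the tutorial defaults); adjust to your setup.
UPSTREAM_DNS="208.67.222.222"
UPSTREAM_PORT="443"
IPSET_NAME="gfwlist"

# Emit one server=/domain/ line and one ipset=/domain/ line per argument.
# The first forces the domain to be resolved via UPSTREAM_DNS, the second
# makes dnsmasq-full add every answer to the ipset the REDIRECT rules match.
gen_dnsmasq_conf() {
    for d in "$@"; do
        printf 'server=/%s/%s#%s\n' "$d" "$UPSTREAM_DNS" "$UPSTREAM_PORT"
        printf 'ipset=/%s/%s\n' "$d" "$IPSET_NAME"
    done
}

# Consistency check on a fragment file: returns 0 when every domain that
# has a server= line also has an ipset= line for IPSET_NAME, 1 otherwise.
check_dnsmasq_conf() {
    file="$1"
    grep '^server=/' "$file" | cut -d/ -f2 | while read -r d; do
        if ! grep -q "^ipset=/$d/$IPSET_NAME\$" "$file"; then
            echo "missing ipset= line for $d" >&2
            exit 1
        fi
    done
}

# Demo run with a constructed domain list, written to a temporary file.
main() {
    tmp="$(mktemp)"
    gen_dnsmasq_conf google.com youtube.com > "$tmp"
    cat "$tmp"
    check_dnsmasq_conf "$tmp" && echo "fragment is consistent"
    rm -f "$tmp"
}

main
```

Restart dnsmasq only after the ipset exists (the ipset -N line from step a), otherwise dnsmasq logs a failure every time it tries to add an answer to the set.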

V. Forward UDP DNS queries through ss-tunnel

Extend /etc/init.d/shadowsocks so that ss-tunnel is started alongside ss-redir:

#!/bin/sh /etc/rc.common

START=95

SERVICE_USE_PID=1
SERVICE_WRITE_PID=1
SERVICE_DAEMONIZE=1
SERVICE_PID_FILE=/var/run/shadowsocks.pid
CONFIG=/etc/shadowsocks.json
DNS=8.8.8.8:53
TUNNEL_PORT=5353

start() {
    # Client Mode
    #service_start /usr/bin/ss-local -c $CONFIG -f $SERVICE_PID_FILE
    # Proxy Mode
    service_start /usr/bin/ss-redir -c $CONFIG -f $SERVICE_PID_FILE
    # Tunnel: listen on UDP port $TUNNEL_PORT locally and forward to $DNS through the server
    service_start /usr/bin/ss-tunnel -c $CONFIG -u -l $TUNNEL_PORT -L $DNS
}

stop() {
    # Client Mode
    #service_stop /usr/bin/ss-local
    # Proxy Mode
    service_stop /usr/bin/ss-redir
    # Tunnel
    service_stop /usr/bin/ss-tunnel
}

Note: at this point the router automatically sends traffic to the domains listed in my_dnsmasq.conf through Shadowsocks.

VI. Restore factory settings

firstboot

reboot