Add files via upload

etc/config/xray

@@ -0,0 +1,10 @@
+
+config xray 'enabled'
+	option enabled '1'
+
+config xray 'config'
+	option confdir '/root/xray_config'
+	option datadir '/usr/share/xray'
+	option dialer ''
+	option format 'json'
+

etc/init.d/xray

@@ -0,0 +1,61 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+START=99
+
+CONF="xray"
+PROG="/usr/bin/xray"
+
+start_service() {
+	config_load "$CONF"
+
+	local enabled
+	config_get_bool enabled "enabled" "enabled" "0"
+	[ "$enabled" -eq "1" ] || return 1
+
+	local confdir
+	local conffiles
+	local datadir
+	local dialer
+	local format
+
+	config_get confdir "config" "confdir"
+	config_get conffiles "config" "conffiles"
+	config_get datadir "config" "datadir" "/usr/share/xray"
+	config_get dialer "config" "dialer"
+	config_get format "config" "format" "json"
+
+	# runs iptables setup
+    /root/configure_xray_startup.sh
+
+	procd_open_instance "$CONF"
+	procd_set_param command "$PROG" run
+	[ -n "$confdir" ] && procd_append_param command -confdir "$confdir"
+	[ -n "$conffiles" ] && {
+		for i in $conffiles
+		do
+			procd_append_param command -config "$i"
+		done
+	}
+	[ -n "$format" ] && procd_append_param command -format "$format"
+	[ -n "$dialer" ] && procd_set_param env XRAY_BROWSER_DIALER="$dialer"
+	procd_set_param env XRAY_LOCATION_ASSET="$datadir"
+	procd_set_param file $conffiles
+
+	procd_set_param limits core="unlimited"
+	procd_set_param limits nofile="1000000 1000000"
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param respawn
+
+	procd_close_instance
+}
+
+reload_service() {
+	stop
+	start
+}
+
+service_triggers() {
+	procd_add_reload_trigger "$CONF"
+}

root/configure_xray_startup.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# Ensure this script runs only once per boot
+if [ -f /tmp/configure_xray_startup_executed ]; then
+  # The file exists, so do not run the script
+  echo "This script was executed already. To revert the results, reboot the device"
+  exit 0
+fi
+
+# create chain
+ip rule add fwmark 1 table 100
+ip route add local 0.0.0.0/0 dev lo table 100
+iptables -t mangle -N XRAY
+
+# exclude private ipv4
+iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN
+iptables -t mangle -A XRAY -d 0.0.0.0/8 -j RETURN
+iptables -t mangle -A XRAY -d 10.0.0.0/8 -j RETURN
+iptables -t mangle -A XRAY -d 100.64.0.0/10 -j RETURN
+iptables -t mangle -A XRAY -d 127.0.0.0/8 -j RETURN
+iptables -t mangle -A XRAY -d 169.254.0.0/16 -j RETURN
+iptables -t mangle -A XRAY -d 172.16.0.0/12 -j RETURN
+iptables -t mangle -A XRAY -d 192.0.0.0/24 -j RETURN
+iptables -t mangle -A XRAY -d 192.0.2.0/24 -j RETURN
+iptables -t mangle -A XRAY -d 192.168.0.0/16 -j RETURN
+iptables -t mangle -A XRAY -d 198.18.0.0/15 -j RETURN
+iptables -t mangle -A XRAY -d 198.51.100.0/24 -j RETURN
+iptables -t mangle -A XRAY -d 203.0.113.0/24 -j RETURN
+iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
+iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN
+iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN
+
+# exclude forwarding to and from 10.241.1.3 on ports 80 and 443
+iptables -t mangle -A XRAY -d 10.241.1.3/32 -p tcp --dport 80 -j RETURN
+iptables -t mangle -A XRAY -d 10.241.1.3/32 -p tcp --dport 443 -j RETURN
+iptables -t mangle -A XRAY -d 10.241.1.3/32 -p udp --dport 80 -j RETURN
+iptables -t mangle -A XRAY -d 10.241.1.3/32 -p udp --dport 443 -j RETURN
+iptables -t mangle -A XRAY -s 10.241.1.3/32 -p tcp --sport 80 -j RETURN
+iptables -t mangle -A XRAY -s 10.241.1.3/32 -p tcp --sport 443 -j RETURN
+iptables -t mangle -A XRAY -s 10.241.1.3/32 -p udp --sport 80 -j RETURN
+iptables -t mangle -A XRAY -s 10.241.1.3/32 -p udp --sport 443 -j RETURN
+
+# add forwarding rule
+iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 61219 --tproxy-mark 1
+iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 61219 --tproxy-mark 1
+iptables -t mangle -A PREROUTING -j XRAY
+
+# required for check above
+touch /tmp/configure_xray_startup_executed

root/install_xray.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+opkg update
+
+opkg install xray-core
+# i don't actually know which ones are required for nftables cmds to work...
+opkg install iptables-mod-conntrack-extra
+opkg install iptables-mod-ipopt
+opkg install iptables-mod-socket
+opkg install iptables-mod-tproxy
+opkg install iptables-zz-legacy
+opkg install kmod-ipt-compat-xtables
+opkg install kmod-ipt-conntrack
+opkg install kmod-ipt-conntrack-extra
+opkg install kmod-ipt-core
+opkg install kmod-ipt-ipopt
+opkg install kmod-ipt-socket
+opkg install kmod-ipt-tproxy
+opkg install kmod-nf-conncount
+opkg install kmod-nf-conntrack
+opkg install kmod-nf-conntrack6
+opkg install kmod-nf-flow
+opkg install kmod-nf-ipt
+opkg install kmod-nf-ipt6
+opkg install kmod-nf-log
+opkg install kmod-nf-log6
+opkg install kmod-nf-nat
+opkg install kmod-nf-reject
+opkg install kmod-nf-reject6
+opkg install kmod-nf-socket
+opkg install kmod-nf-tproxy
+opkg install kmod-nfnetlink
+opkg install kmod-nft-core
+opkg install kmod-nft-fib
+opkg install kmod-nft-nat
+opkg install kmod-nft-offload
+opkg install kmod-nft-tproxy
+
+chmod +x /root/configure_xray_startup.sh
+chmod +x /etc/init.d/xray

root/xray_config/01_log.json

@@ -0,0 +1,9 @@
+{
+	"log": 
+		{
+			"access": "",
+			"error": "",
+			"loglevel": "none",
+			"dnsLog": false
+		}
+}

root/xray_config/02_transport.json

@@ -0,0 +1,20 @@
+{
+	"transport": {
+		"domainStrategy": "IPIfNonMatch",
+		"httpSettings": {
+			"read_idle_timeout": 10,
+			"health_check_timeout": 15
+		},
+		"grpcSettings": {
+			"idle_timeout": 60,
+			"health_check_timeout": 20,
+			"permit_without_stream": true,
+			"initial_windows_size": 35536
+		},
+		"sockopt": {
+			"tcpMptcp": true,
+			"tcpFastOpen": true,
+			"tcpNoDelay": true
+		}
+	}
+}

root/xray_config/03_inbounds.json

@@ -0,0 +1,34 @@
+{
+    "inbounds":
+    [
+        {
+            "tag": "tproxy",
+            "port": 61219,
+            "protocol": "dokodemo-door",
+            "settings":
+            {
+                "network": "tcp,udp",
+                "followRedirect": true
+            },
+            "streamSettings":
+            {
+                "sockopt":
+                {
+                    "tproxy": "tproxy"
+                }
+            },
+            "sniffing":
+            {
+                "routeOnly": true,
+                "enabled": true,
+                "destOverride":
+                [
+                    "http",
+                    "tls",
+                    "quic"
+                ]
+            }
+        }
+
+    ]
+}

root/xray_config/04_outbounds.json

@@ -0,0 +1,60 @@
+{
+    "outbounds":
+    [
+        {
+            "protocol": "vless",
+            "settings":
+            {
+                "vnext":
+                [
+                    {
+                        "address": "1.1.1.1",
+                        "port": 443,
+                        "users":
+                        [
+                            {
+                                "encryption": "none",
+                                "flow": "xtls-rprx-vision",
+                                "id": "00000000-0000-0000-0000-000000000000",
+                                "level": 0
+                            }
+                        ]
+                    }
+                ]
+            },
+            "streamSettings":
+            {
+                "network": "tcp",
+                "realitySettings":
+                {
+                    "fingerprint": "chrome",
+                    "publicKey": "",
+                    "serverName": "",
+                    "shortId": "",
+                    "spiderX": "/"
+                },
+                "security": "reality"
+            },
+            "tag": "vless-reality"
+        },
+        {
+            "protocol": "freedom",
+            "tag": "direct"
+        },
+        {
+            "protocol": "blackhole",
+            "settings":
+            {
+                "response":
+                {
+                    "type": "http"
+                }
+            },
+            "tag": "block"
+        },
+        {
+            "protocol": "dns",
+            "tag": "dns"
+        }
+    ]
+}

root/xray_config/05_routing.json

@@ -0,0 +1,99 @@
+{
+  "routing": {
+    "rules": [
+      // Capture DNS
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "dns",
+        "type": "field",
+        "port": 53
+      },
+      // Block QUIC
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "block",
+        "type": "field",
+        "protocol": ["quic"]
+      },
+      // Force specific source IPs to go direct
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "direct",
+        "type": "field",
+        "source": [
+          "192.168.2.255",
+          "192.168.2.254"
+        ]
+      },
+      // Block common ads and other stuff
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "block",
+        "type": "field",
+        "domain": [
+          "geosite:category-ads-all",
+          "google-analytics",
+          "analytics.yandex",
+          "appcenter.ms",
+          "app-measurement.com",
+          "firebase.io",
+          "crashlytics.com"
+        ]
+      },
+      // Force BitTorrent to go through direct
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "direct",
+        "type": "field",
+        "protocol": ["bittorrent"]
+      },     
+      // Explicitly force direct
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "direct",
+        "type": "field",
+        "domain": [
+          "regexp:^([\\w\\-\\.]+\\.)ru$",  // .ru
+          "regexp:^([\\w\\-\\.]+\\.)su$",  // .su
+          "regexp:^([\\w\\-\\.]+\\.)xn--p1ai$",  // .рф
+          "regexp:^([\\w\\-\\.]+\\.)xn--p1acf$",  // .рус
+          "regexp:^([\\w\\-\\.]+\\.)xn--80asehdb$",  // .онлайн
+          "regexp:^([\\w\\-\\.]+\\.)xn--c1avg$", // .орг
+          "regexp:^([\\w\\-\\.]+\\.)xn--80aswg$",  // .сайт
+          "regexp:^([\\w\\-\\.]+\\.)xn--80adxhks$",  // .москва
+          "regexp:^([\\w\\-\\.]+\\.)moscow$",  //  .moscow
+          "regexp:^([\\w\\-\\.]+\\.)xn--d1acj3b$",  // .дети
+          "regexp:^([\\w\\-\\.]+\\.)yandex$",  // .yandex
+          "geosite:category-ru",
+          "geosite:category-gov-ru",
+          "geosite:yandex",
+          "geosite:steam",
+          "geosite:vk",
+          "geosite:category-gov-ru",
+          "regexp:^assets(\\d*?)\\.xboxlive\\.com$",
+          "domain:rt.ru",
+          "domain:ngenix.net",
+          "domain:plex.tv",
+          "geoip:ru",
+          "domain:kaspersky.com",
+          "domain:koronapay.com",
+          "domain:binance.com",
+          "domain:raiffeisen.ru",
+          "geosite:xiaomi",
+          "geosite:mihoyo",
+          "domain:xsolla.com",
+          "domain:download.developer.apple.com",
+          // "domain:aeza.net",
+          "domain:veesp.com"
+        ]
+      },
+
+      // No rules found? Go vless-reality
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "vless-reality",
+        "type": "field"
+      }
+    ]
+  }
+}

root/xray_config/06_policy.json

@@ -0,0 +1,9 @@
+{
+  "policy": {
+    "levels": {
+      "0": {
+        "connIdle": 30
+      }
+    }
+  }
+}