diff --git a/README.md b/README.md index db50987..893bedc 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,9 @@ Install 1. Drop the files onto OpenWRT (22.03 and higher) router 2. Run `install_xray.sh`: `chmod +x /root/install_xray.sh && /root/install_xray.sh` 3. Configure this installation: -- Edit this rule in `configure_xray_startup.sh`: `iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN` to match your public static IP address +- Edit this rule in `/etc/xray/startup.sh`: `iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN` to match your public static IP address - In `/root/xray_config/04_outbounds.json` add your connection details +- You can optionally add excluding/blocking rules to `startup.sh`, see possible additions in `fwd_functions.sh` beside it. 4. Enable the `xray` service in LuCI (System -> Startup, it should be at the end of the list) and reboot your router. (In case it fails to work, you may disable the service and reboot the router again to revert the effects) diff --git a/etc/config/xray b/etc/config/xray index 39cda27..9ed5c65 100644 --- a/etc/config/xray +++ b/etc/config/xray @@ -3,7 +3,7 @@ config xray 'enabled' option enabled '1' config xray 'config' - option confdir '/root/xray_config' + option confdir '/etc/xray/config' option datadir '/usr/share/xray' option dialer '' option format 'json' diff --git a/etc/init.d/xray b/etc/init.d/xray index 118a238..2db57cb 100644 --- a/etc/init.d/xray +++ b/etc/init.d/xray @@ -26,7 +26,7 @@ start_service() { config_get format "config" "format" "json" # runs iptables setup - /root/configure_xray_startup.sh + /etc/xray/startup.sh procd_open_instance "$CONF" procd_set_param command "$PROG" run diff --git a/etc/xray/config/01_log.json b/etc/xray/config/01_log.json new file mode 100644 index 0000000..fcc1b18 --- /dev/null +++ b/etc/xray/config/01_log.json 
@@ -0,0 +1,9 @@ +{ + "log": + { + "access": "/etc/xray/log/access.log", + "dnsLog": false, + "error": "/etc/xray/log/error.log", + "loglevel": "none" + } +} \ No newline at end of file diff --git a/etc/xray/config/02_transport.json b/etc/xray/config/02_transport.json new file mode 100644 index 0000000..8ace9a8 --- /dev/null +++ b/etc/xray/config/02_transport.json @@ -0,0 +1,24 @@ +{ + "transport": + { + "domainStrategy": "IPIfNonMatch", + "grpcSettings": + { + "health_check_timeout": 20, + "idle_timeout": 60, + "initial_windows_size": 35536, + "permit_without_stream": true + }, + "httpSettings": + { + "health_check_timeout": 15, + "read_idle_timeout": 10 + }, + "sockopt": + { + "tcpFastOpen": true, + "tcpMptcp": true, + "tcpNoDelay": true + } + } +} \ No newline at end of file diff --git a/root/xray_config/03_inbounds.json b/etc/xray/config/03_inbounds.json similarity index 75% rename from root/xray_config/03_inbounds.json rename to etc/xray/config/03_inbounds.json index 9054312..9e1ec7e 100644 --- a/root/xray_config/03_inbounds.json +++ b/etc/xray/config/03_inbounds.json @@ -2,13 +2,23 @@ "inbounds": [ { - "tag": "tproxy", "port": 61219, "protocol": "dokodemo-door", "settings": { - "network": "tcp,udp", - "followRedirect": true + "followRedirect": true, + "network": "tcp,udp" + }, + "sniffing": + { + "destOverride": + [ + "http", + "tls", + "quic" + ], + "enabled": true, + "routeOnly": true }, "streamSettings": { @@ -17,18 +27,7 @@ "tproxy": "tproxy" } }, - "sniffing": - { - "routeOnly": true, - "enabled": true, - "destOverride": - [ - "http", - "tls", - "quic" - ] - } + "tag": "tproxy" } - ] } \ No newline at end of file diff --git a/root/xray_config/04_outbounds.json b/etc/xray/config/04_outbounds.json similarity index 99% rename from root/xray_config/04_outbounds.json rename to etc/xray/config/04_outbounds.json index 812fa4a..783cefd 100644 --- a/root/xray_config/04_outbounds.json +++ b/etc/xray/config/04_outbounds.json 
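Review bot: The access log now goes to `/etc/xray/log/access.log`, but nothing in this diff creates `/etc/xray/log`, and `"loglevel": "none"` only silences the error log, so a line per connection from every LAN client is written to what on OpenWrt is the persistent overlay. Per-connection logging on the overlay wears the flash, can fill it until the router misbehaves, and keeps every client's destination history across reboots. Unless the log is actually wanted, set `"access": "none"`; otherwise point both files at a tmpfs path such as `/tmp/xray/` and have startup.sh create that directory before xray starts.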
@@ -57,4 +57,4 @@ "tag": "dns" } ] -} +} \ No newline at end of file diff --git a/root/xray_config/05_routing.json b/etc/xray/config/05_routing.json similarity index 100% rename from root/xray_config/05_routing.json rename to etc/xray/config/05_routing.json diff --git a/etc/xray/config/06_policy.json b/etc/xray/config/06_policy.json new file mode 100644 index 0000000..7cebfcc --- /dev/null +++ b/etc/xray/config/06_policy.json @@ -0,0 +1,13 @@ +{ + "policy": + { + "levels": + { + "0": + { + // If you have issues with SSH connections, it's recommended to increase this value. See the docs + "connIdle": 30 + } + } + } +} \ No newline at end of file diff --git a/etc/xray/fwd_functions.sh b/etc/xray/fwd_functions.sh new file mode 100644 index 0000000..2f768e1 --- /dev/null +++ b/etc/xray/fwd_functions.sh 
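Review bot: The `//` comment added above `"connIdle"` makes 06_policy.json invalid JSON; xray-core's loader tolerates comments as far as I know, but any other consumer of the confdir (jq, editors, linters, a stricter `format` in /etc/config/xray) will reject the file. The advice is better placed in the README next to the other configuration steps, leaving the config files strict JSON. The file is also written without a trailing newline, like the others in this commit, which some tools flag.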
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Function to add iptables rules for a specific IP and port
+direct_port_for_ip() {
+ ip=$1
+ port=$2
+
+ iptables -t mangle -A XRAY -d "$ip"/32 -p tcp --dport "$port" -j RETURN
+ iptables -t mangle -A XRAY -d "$ip"/32 -p udp --dport "$port" -j RETURN
+ iptables -t mangle -A XRAY -s "$ip"/32 -p tcp --sport "$port" -j RETURN
+ iptables -t mangle -A XRAY -s "$ip"/32 -p udp --sport "$port" -j RETURN
+}
+
+# Function to add iptables rules for a single port without specifying IP
+direct_port() {
+ port=$1
+
+ iptables -t mangle -A XRAY -p tcp --dport "$port" -j RETURN
+ iptables -t mangle -A XRAY -p udp --dport "$port" -j RETURN
+ iptables -t mangle -A XRAY -p tcp --sport "$port" -j RETURN
+ iptables -t mangle -A XRAY -p udp --sport "$port" -j RETURN
+}
+
+# Function to add iptables rules for a range of ports for a specific IP
+direct_port_range_for_ip() {
+ ip=$1
+ start_port=$2
+ end_port=$3
+
+ port=$start_port
+ while [ "$port" -le "$end_port" ]; do
+ direct_port_for_ip "$ip" "$port"
+ port=$((port + 1))
+ done
+}
+
+# Function to add iptables rules for a range of ports without specifying IP
+direct_port_range() {
+ start_port=$1
+ end_port=$2
+
+ port=$start_port
+ while [ "$port" -le "$end_port" ]; do
+ direct_port "$port"
+ port=$((port + 1))
+ done
+}
+
+# Function to add iptables rules for an IP without specifying ports
+direct_ip() {
+ ip=$1
+
+ iptables -t mangle -A XRAY -d "$ip"/32 -j RETURN
+ iptables -t mangle -A XRAY -s "$ip"/32 -j RETURN
+}
+
+# Function to add iptables rules for blocking IP
+block_ip() {
+ ip=$1
+
+ iptables -I FORWARD 1 -d "$ip"/32 -j DROP
+ iptables -I FORWARD 1 -s "$ip"/32 -j DROP
+}
diff --git a/root/configure_xray_startup.sh b/etc/xray/startup.sh
similarity index 66%
rename from root/configure_xray_startup.sh
rename to etc/xray/startup.sh
index 6070f09..e04ad57 100644
--- a/root/configure_xray_startup.sh
+++ b/etc/xray/startup.sh
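Review bot: Every helper appends with `-A XRAY`, which is only correct while startup.sh is still building the chain; once the two TPROXY rules are in place at the end of startup.sh, anything appended later — for example from fwd_manual.sh, as the README recommends — sits behind a terminating target and never matches TCP or UDP, so `-I XRAY 1` is the safe form in every function. `block_ip` has a similar blind spot: it drops in the filter FORWARD chain, but flows the XRAY chain hands to TPROXY are delivered to the local xray socket through the fwmark-1 policy route set up in startup.sh and never traverse FORWARD, so only destinations that were already excluded from the proxy get blocked; dropping inside the XRAY chain covers both paths. The range helpers also fork four `iptables` processes per port (the README sample 80–443 is roughly 1,500 invocations at boot) although `--dport start:end` expresses the range in a single rule. Rewritten helpers below; `direct_port` and `direct_ip` get the same `-A` to `-I XRAY 1` change and are omitted.

```sh
# Insert at the head of XRAY so the rule matches whether it is added
# before or after the terminating TPROXY rules in startup.sh.
direct_port_for_ip() {
  ip=$1
  port=$2

  iptables -t mangle -I XRAY 1 -d "$ip"/32 -p tcp --dport "$port" -j RETURN
  iptables -t mangle -I XRAY 1 -d "$ip"/32 -p udp --dport "$port" -j RETURN
  iptables -t mangle -I XRAY 1 -s "$ip"/32 -p tcp --sport "$port" -j RETURN
  iptables -t mangle -I XRAY 1 -s "$ip"/32 -p udp --sport "$port" -j RETURN
}

# … direct_port and direct_ip: same -A -> -I XRAY 1 change, omitted …

# iptables accepts start:end for --dport/--sport, so one rule per
# protocol and direction covers the whole range.
direct_port_range_for_ip() {
  ip=$1
  start_port=$2
  end_port=$3

  direct_port_for_ip "$ip" "$start_port:$end_port"
}

direct_port_range() {
  direct_port "$1:$2"
}

# Drop in the XRAY chain ahead of every RETURN/TPROXY rule: this is the
# only place both directly-forwarded and TPROXY'd flows pass through.
block_ip() {
  ip=$1

  iptables -t mangle -I XRAY 1 -d "$ip"/32 -j DROP
  iptables -t mangle -I XRAY 1 -s "$ip"/32 -j DROP
}
```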
@@ -1,12 +1,15 @@ #!/bin/sh # Ensure this script runs only once per boot -if [ -f /tmp/configure_xray_startup_executed ]; then +if [ -f /tmp/xray_startup_executed ]; then # The file exists, so do not run the script echo "This script was executed already. To revert the results, reboot the device" exit 0 fi +# Source the function definitions +. /etc/xray/fwd_functions.sh + # create chain ip rule add fwmark 1 table 100 ip route add local 0.0.0.0/0 dev lo table 100 @@ -28,17 +31,19 @@ iptables -t mangle -A XRAY -d 198.51.100.0/24 -j RETURN iptables -t mangle -A XRAY -d 203.0.113.0/24 -j RETURN iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN + + +# !!! PROVIDE YOUR OWN IP HERE !!! iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN -# exclude forwarding to and from 10.241.1.3 on ports 80 and 443 -iptables -t mangle -A XRAY -d 10.241.1.3/32 -p tcp --dport 80 -j RETURN -iptables -t mangle -A XRAY -d 10.241.1.3/32 -p tcp --dport 443 -j RETURN -iptables -t mangle -A XRAY -d 10.241.1.3/32 -p udp --dport 80 -j RETURN -iptables -t mangle -A XRAY -d 10.241.1.3/32 -p udp --dport 443 -j RETURN -iptables -t mangle -A XRAY -s 10.241.1.3/32 -p tcp --sport 80 -j RETURN -iptables -t mangle -A XRAY -s 10.241.1.3/32 -p tcp --sport 443 -j RETURN -iptables -t mangle -A XRAY -s 10.241.1.3/32 -p udp --sport 80 -j RETURN -iptables -t mangle -A XRAY -s 10.241.1.3/32 -p udp --sport 443 -j RETURN + + +# exclude from Xray the following: +# SAMPLE - you can test the rules using /root/fwd_manual.sh script +# traefik HTTP+HTTPS +#direct_port_range_for_ip "10.241.1.165" 80 443 + + # add forwarding rule iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 61219 --tproxy-mark 1 
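Review bot: The once-per-boot sentinel in `/tmp` means `/etc/init.d/xray restart` (and the new restart_xray.sh) never re-applies edited rules, and a pre-existing `/tmp/xray_startup_executed` — anything that can write to /tmp can create it — makes the script exit 0 without installing a single rule, so the service comes up with all LAN traffic going direct and nothing reports it. The sourced `. /etc/xray/fwd_functions.sh` and the `ip rule`/`ip route` commands are likewise unchecked, as the script has no `set -e`. Replacing the sentinel with an explicit teardown of the previous run's state makes the script safe to re-run and removes the fail-open path; the `touch` in the last hunk then becomes unnecessary. The chain-creation lines continue outside this hunk.

```sh
#!/bin/sh
set -e

# Source the function definitions
. /etc/xray/fwd_functions.sh

# Tear down whatever an earlier run left behind so re-running (restart,
# edited rules) is safe; each step legitimately fails on the first run.
iptables -t mangle -D PREROUTING -j XRAY 2>/dev/null || true
iptables -t mangle -F XRAY 2>/dev/null || true
iptables -t mangle -X XRAY 2>/dev/null || true
ip rule del fwmark 1 table 100 2>/dev/null || true
ip route flush table 100 2>/dev/null || true

# create chain
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
# … unchanged: chain creation and RETURN rules …
```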
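Review bot: The sample `#direct_port_range_for_ip "10.241.1.165" 80 443` exempts every port from 80 through 443 (364 ports), whereas the eight rules it replaces exempted exactly 80 and 443; a user who uncomments it as the README suggests bypasses the proxy for far more than HTTP/HTTPS, so it should read `direct_port_for_ip "10.241.1.165" 80` and `direct_port_for_ip "10.241.1.165" 443`. The `1.1.1.1` placeholder above it is a silent misconfiguration: left unedited, the script runs fine but exempts Cloudflare DNS instead of the router's public address; `PUBLIC_IP=${PUBLIC_IP:?set your public IP in startup.sh}` followed by `iptables -t mangle -A XRAY -d "$PUBLIC_IP" -j RETURN` makes the omission fail loudly. Finally, the TPROXY rule that ends this hunk drops packets when no transparent socket is listening on 61219, and the init script installs these rules before it starts xray, so a failed xray start blackholes LAN traffic rather than falling back to direct — worth a sentence in the README next to the "disable and reboot" advice.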
@@ -46,4 +51,4 @@ iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 61219 --tproxy-mark 1 iptables -t mangle -A PREROUTING -j XRAY # required for check above -touch /tmp/configure_xray_startup_executed \ No newline at end of file +touch /tmp/xray_startup_executed \ No newline at end of file diff --git a/root/fwd_manual.sh b/root/fwd_manual.sh new file mode 100644 index 0000000..f81d477 --- /dev/null +++ b/root/fwd_manual.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +# Source the function definitions +. /etc/xray/fwd_functions.sh + +direct_ip "10.241.1.3" \ No newline at end of file diff --git a/root/install_xray.sh b/root/install_xray.sh index 73ef979..7ee9d8e 100644 --- a/root/install_xray.sh +++ b/root/install_xray.sh 
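Review bot: Run after boot as the README suggests, `direct_ip "10.241.1.3"` is a no-op for TCP and UDP: the helper appends its RETURN rules to the XRAY chain, behind the two TPROXY rules startup.sh already added, and TPROXY is terminating, so the appended rules are never reached. For this to work as a test harness the helpers have to insert (`iptables -t mangle -I XRAY 1 …`) rather than append, and the script should say that there is no undo short of a reboot. The hardcoded `10.241.1.3` is presumably left over from the rules removed in startup.sh and should not be applied unconditionally by a script the installer marks executable; a commented example with the argument taken from `$1` would be safer.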
@@ -1,39 +1,42 @@ -#!/bin/sh -opkg update - -opkg install xray-core -# i don't actually know which ones are required for nftables cmds to work... -opkg install iptables-mod-conntrack-extra -opkg install iptables-mod-ipopt -opkg install iptables-mod-socket -opkg install iptables-mod-tproxy -opkg install iptables-zz-legacy -opkg install kmod-ipt-compat-xtables -opkg install kmod-ipt-conntrack -opkg install kmod-ipt-conntrack-extra -opkg install kmod-ipt-core -opkg install kmod-ipt-ipopt -opkg install kmod-ipt-socket -opkg install kmod-ipt-tproxy -opkg install kmod-nf-conncount -opkg install kmod-nf-conntrack -opkg install kmod-nf-conntrack6 -opkg install kmod-nf-flow -opkg install kmod-nf-ipt -opkg install kmod-nf-ipt6 -opkg install kmod-nf-log -opkg install kmod-nf-log6 -opkg install kmod-nf-nat -opkg install kmod-nf-reject -opkg install kmod-nf-reject6 -opkg install kmod-nf-socket -opkg install kmod-nf-tproxy -opkg install kmod-nfnetlink -opkg install kmod-nft-core -opkg install kmod-nft-fib -opkg install kmod-nft-nat -opkg install kmod-nft-offload -opkg install kmod-nft-tproxy - -chmod +x /root/configure_xray_startup.sh -chmod +x /etc/init.d/xray \ No newline at end of file +#!/bin/sh +opkg update + +opkg install xray-core +# i don't actually know which ones are required for nftables cmds to work... 
+opkg install iptables-mod-conntrack-extra +opkg install iptables-mod-ipopt +opkg install iptables-mod-socket +opkg install iptables-mod-tproxy +opkg install iptables-zz-legacy +opkg install kmod-ipt-compat-xtables +opkg install kmod-ipt-conntrack +opkg install kmod-ipt-conntrack-extra +opkg install kmod-ipt-core +opkg install kmod-ipt-ipopt +opkg install kmod-ipt-socket +opkg install kmod-ipt-tproxy +opkg install kmod-nf-conncount +opkg install kmod-nf-conntrack +opkg install kmod-nf-conntrack6 +opkg install kmod-nf-flow +opkg install kmod-nf-ipt +opkg install kmod-nf-ipt6 +opkg install kmod-nf-log +opkg install kmod-nf-log6 +opkg install kmod-nf-nat +opkg install kmod-nf-reject +opkg install kmod-nf-reject6 +opkg install kmod-nf-socket +opkg install kmod-nf-tproxy +opkg install kmod-nfnetlink +opkg install kmod-nft-core +opkg install kmod-nft-fib +opkg install kmod-nft-nat +opkg install kmod-nft-offload +opkg install kmod-nft-tproxy + +chmod +x /etc/xray/fwd_functions.sh +chmod +x /etc/xray/startup.sh +chmod +x /etc/init.d/xray +chmod +x /root/restart_xray.sh +chmod +x /root/fwd_manual.sh \ No newline at end of file diff --git a/root/restart_xray.sh b/root/restart_xray.sh new file mode 100644 index 0000000..f7a864b --- /dev/null +++ b/root/restart_xray.sh @@ -0,0 +1,2 @@ +#!/bin/sh +/etc/init.d/xray restart diff --git a/root/xray_config/01_log.json b/root/xray_config/01_log.json deleted file mode 100644 index adbb351..0000000 --- a/root/xray_config/01_log.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "log": - { - "access": "", - "error": "", - "loglevel": "none", - "dnsLog": false - } -} diff --git a/root/xray_config/02_transport.json b/root/xray_config/02_transport.json deleted file mode 100644 index 464dd9c..0000000 --- a/root/xray_config/02_transport.json +++ /dev/null 
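Review bot: The script sets executable bits but never creates `/etc/xray/log`, which 01_log.json in this commit now writes to, and it leaves `/etc/xray/config` — where 04_outbounds.json holds the proxy credentials, now outside root's home directory — at whatever mode the files were dropped with. Add `mkdir -p /etc/xray/log` and `chmod 700 /etc/xray/config` next to the existing chmod lines (safe assuming the service still runs as root, which the visible init.d hunk does not change), and put `set -e` after the shebang so a failed `opkg install` does not fall through to the chmods and exit successfully. Every line of the file appears as replaced, which usually indicates a line-ending change; confirm the new file uses LF, since a CRLF shebang makes BusyBox report a misleading "not found".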
@@ -1,20 +0,0 @@ -{ - "transport": { - "domainStrategy": "IPIfNonMatch", - "httpSettings": { - "read_idle_timeout": 10, - "health_check_timeout": 15 - }, - "grpcSettings": { - "idle_timeout": 60, - "health_check_timeout": 20, - "permit_without_stream": true, - "initial_windows_size": 35536 - }, - "sockopt": { - "tcpMptcp": true, - "tcpFastOpen": true, - "tcpNoDelay": true - } - } -} \ No newline at end of file diff --git a/root/xray_config/06_policy.json b/root/xray_config/06_policy.json deleted file mode 100644 index 567a299..0000000 --- a/root/xray_config/06_policy.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "policy": { - "levels": { - "0": { - "connIdle": 30 - } - } - } -} \ No newline at end of file