cleaned up root, + added fwd functions for excluding/blocking

This commit is contained in:
Levent Duivel 2025-02-02 22:56:59 +05:00
parent a9f869a9c0
commit 381c5c1442
17 changed files with 194 additions and 107 deletions


@ -6,8 +6,9 @@ Install
1. Drop the files onto OpenWRT (22.03 and higher) router 1. Drop the files onto OpenWRT (22.03 and higher) router
2. Run `install_xray.sh`: `chmod +x /root/install_xray.sh && /root/install_xray.sh` 2. Run `install_xray.sh`: `chmod +x /root/install_xray.sh && /root/install_xray.sh`
3. Configure this installation: 3. Configure this installation:
- Edit this rule in `configure_xray_startup.sh`: `iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN` to match your public static IP address - Edit this rule in `/etc/xray/startup.sh`: `iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN` to match your public static IP address
- In `/root/xray_config/04_outbounds.json` add your connection details - In `/root/xray_config/04_outbounds.json` add your connection details
- You can optionally add excluding/blocking rules to `startup.sh`, see possible additions in `fwd_functions.sh` beside it.
4. Enable the `xray` service in LuCI (System -> Startup, it should be at the end of the list) and reboot your router. 4. Enable the `xray` service in LuCI (System -> Startup, it should be at the end of the list) and reboot your router.
(In case it fails to work, you may disable the service and reboot the router again to revert the effects) (In case it fails to work, you may disable the service and reboot the router again to revert the effects)


@ -3,7 +3,7 @@ config xray 'enabled'
option enabled '1' option enabled '1'
config xray 'config' config xray 'config'
option confdir '/root/xray_config' option confdir '/etc/xray/config'
option datadir '/usr/share/xray' option datadir '/usr/share/xray'
option dialer '' option dialer ''
option format 'json' option format 'json'
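Review bot: `confdir` now points at `/etc/xray/config`, but the README in this same commit still tells the operator to put connection details in `/root/xray_config/04_outbounds.json` (step 3); a file edited there is never read by Xray under this config, so the proxy comes up with whatever outbound is shipped in `/etc/xray/config`. Update the README step to `/etc/xray/config/04_outbounds.json` so the install instructions and the service config agree on where the outbound credentials live.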


@ -26,7 +26,7 @@ start_service() {
config_get format "config" "format" "json" config_get format "config" "format" "json"
# runs iptables setup # runs iptables setup
/root/configure_xray_startup.sh /etc/xray/startup.sh
procd_open_instance "$CONF" procd_open_instance "$CONF"
procd_set_param command "$PROG" run procd_set_param command "$PROG" run
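Review bot: The exit status of `/etc/xray/startup.sh` is discarded in `start_service`, so if the TPROXY chain cannot be built (missing module, sourcing error, failed iptables call) procd still launches xray and LAN traffic silently takes whatever path the half-built rules leave. Check it before opening the instance, e.g. `/etc/xray/startup.sh || { echo "xray: iptables setup failed" >&2; return 1; }`; this is safe on restart because the script exits 0 when its once-per-boot marker already exists. `start_service` begins and ends outside this hunk.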


@ -0,0 +1,9 @@
{
"log":
{
"access": "/etc/xray/log/access.log",
"dnsLog": false,
"error": "/etc/xray/log/error.log",
"loglevel": "none"
}
}
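Review bot: The access log is now written to `/etc/xray/log/access.log`, where the file this replaces wrote nothing (`"access": ""`); on OpenWrt `/etc` lives on the persistent overlay, so a per-connection log with no rotation wears the flash, can fill the overlay, and keeps every LAN client's destinations in plaintext across reboots. Point it at tmpfs (e.g. `"access": "/tmp/xray/access.log"`) or keep it empty as before, and make sure the directory is created before xray starts — nothing in the visible install hunk creates `/etc/xray/log`, and if Xray cannot open the file the service will presumably fail to start rather than log.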


@ -0,0 +1,24 @@
{
"transport":
{
"domainStrategy": "IPIfNonMatch",
"grpcSettings":
{
"health_check_timeout": 20,
"idle_timeout": 60,
"initial_windows_size": 35536,
"permit_without_stream": true
},
"httpSettings":
{
"health_check_timeout": 15,
"read_idle_timeout": 10
},
"sockopt":
{
"tcpFastOpen": true,
"tcpMptcp": true,
"tcpNoDelay": true
}
}
}


@ -2,13 +2,23 @@
"inbounds": "inbounds":
[ [
{ {
"tag": "tproxy",
"port": 61219, "port": 61219,
"protocol": "dokodemo-door", "protocol": "dokodemo-door",
"settings": "settings":
{ {
"network": "tcp,udp", "followRedirect": true,
"followRedirect": true "network": "tcp,udp"
},
"sniffing":
{
"destOverride":
[
"http",
"tls",
"quic"
],
"enabled": true,
"routeOnly": true
}, },
"streamSettings": "streamSettings":
{ {
@ -17,18 +27,7 @@
"tproxy": "tproxy" "tproxy": "tproxy"
} }
}, },
"sniffing": "tag": "tproxy"
{ }
"routeOnly": true,
"enabled": true,
"destOverride":
[
"http",
"tls",
"quic"
]
}
}
] ]
} }


@ -0,0 +1,13 @@
{
"policy":
{
"levels":
{
"0":
{
// If you have issues with SSH connections, it's recommended to increase this value. See the docs
"connIdle": 30
}
}
}
}

63
etc/xray/fwd_functions.sh Normal file

@ -0,0 +1,63 @@
#!/bin/sh
# Function to add iptables rules for a specific IP and port
direct_port_for_ip() {
ip=$1
port=$2
iptables -t mangle -A XRAY -d "$ip"/32 -p tcp --dport "$port" -j RETURN
iptables -t mangle -A XRAY -d "$ip"/32 -p udp --dport "$port" -j RETURN
iptables -t mangle -A XRAY -s "$ip"/32 -p tcp --sport "$port" -j RETURN
iptables -t mangle -A XRAY -s "$ip"/32 -p udp --sport "$port" -j RETURN
}
# Function to add iptables rules for a single port without specifying IP
direct_port() {
port=$1
iptables -t mangle -A XRAY -p tcp --dport "$port" -j RETURN
iptables -t mangle -A XRAY -p udp --dport "$port" -j RETURN
iptables -t mangle -A XRAY -p tcp --sport "$port" -j RETURN
iptables -t mangle -A XRAY -p udp --sport "$port" -j RETURN
}
# Function to add iptables rules for a range of ports for a specific IP
direct_port_range_for_ip() {
ip=$1
start_port=$2
end_port=$3
port=$start_port
while [ "$port" -le "$end_port" ]; do
direct_port_for_ip "$ip" "$port"
port=$((port + 1))
done
}
# Function to add iptables rules for a range of ports without specifying IP
direct_port_range() {
start_port=$1
end_port=$2
port=$start_port
while [ "$port" -le "$end_port" ]; do
direct_port "$port"
port=$((port + 1))
done
}
# Function to add iptables rules for an IP without specifying ports
direct_ip() {
ip=$1
iptables -t mangle -A XRAY -d "$ip"/32 -j RETURN
iptables -t mangle -A XRAY -s "$ip"/32 -j RETURN
}
# Function to add iptables rules for blocking IP
block_ip() {
ip=$1
iptables -I FORWARD 1 -d "$ip"/32 -j DROP
iptables -I FORWARD 1 -s "$ip"/32 -j DROP
}
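Review bot: `block_ip` inserts its DROP rules into the filter FORWARD chain, but packets the XRAY chain hands to TPROXY are delivered to the local socket via the `fwmark 1 table 100` rule in startup.sh and traverse INPUT, not FORWARD, so as far as the visible rules show the drop only ever hits destinations that already bypass the proxy and a blocked IP is still reachable through xray. Make the blocked address bypass the proxy first so the FORWARD drop is actually reached: add `iptables -t mangle -I XRAY 1 -d "$ip"/32 -j RETURN` and `iptables -t mangle -I XRAY 1 -s "$ip"/32 -j RETURN` at the top of `block_ip` (inserted, not appended, so they sit ahead of the TPROXY rules when called after boot). Separately, `direct_port_range_for_ip` and `direct_port_range` emit four iptables invocations per port, which for the sample 80–443 range is over a thousand rules and a slow boot; iptables `--dport`/`--sport` accept `start:end`, so each loop collapses to a single call such as `direct_port_for_ip "$ip" "$start_port:$end_port"`. The helpers also assign `ip`/`port`/`start_port` as globals of whichever script sources them; `local` is available in OpenWrt's ash and would avoid that.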


@ -1,12 +1,15 @@
#!/bin/sh #!/bin/sh
# Ensure this script runs only once per boot # Ensure this script runs only once per boot
if [ -f /tmp/configure_xray_startup_executed ]; then if [ -f /tmp/xray_startup_executed ]; then
# The file exists, so do not run the script # The file exists, so do not run the script
echo "This script was executed already. To revert the results, reboot the device" echo "This script was executed already. To revert the results, reboot the device"
exit 0 exit 0
fi fi
# Source the function definitions
. /etc/xray/fwd_functions.sh
# create chain # create chain
ip rule add fwmark 1 table 100 ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100 ip route add local 0.0.0.0/0 dev lo table 100
@ -28,17 +31,19 @@ iptables -t mangle -A XRAY -d 198.51.100.0/24 -j RETURN
iptables -t mangle -A XRAY -d 203.0.113.0/24 -j RETURN iptables -t mangle -A XRAY -d 203.0.113.0/24 -j RETURN
iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN
# !!! PROVIDE YOUR OWN IP HERE !!!
iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN
# exclude forwarding to and from 10.241.1.3 on ports 80 and 443
iptables -t mangle -A XRAY -d 10.241.1.3/32 -p tcp --dport 80 -j RETURN
iptables -t mangle -A XRAY -d 10.241.1.3/32 -p tcp --dport 443 -j RETURN # exclude from Xray the following:
iptables -t mangle -A XRAY -d 10.241.1.3/32 -p udp --dport 80 -j RETURN # SAMPLE - you can test the rules using /root/fwd_manual.sh script
iptables -t mangle -A XRAY -d 10.241.1.3/32 -p udp --dport 443 -j RETURN # traefik HTTP+HTTPS
iptables -t mangle -A XRAY -s 10.241.1.3/32 -p tcp --sport 80 -j RETURN #direct_port_range_for_ip "10.241.1.165" 80 443
iptables -t mangle -A XRAY -s 10.241.1.3/32 -p tcp --sport 443 -j RETURN
iptables -t mangle -A XRAY -s 10.241.1.3/32 -p udp --sport 80 -j RETURN
iptables -t mangle -A XRAY -s 10.241.1.3/32 -p udp --sport 443 -j RETURN
# add forwarding rule # add forwarding rule
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 61219 --tproxy-mark 1 iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 61219 --tproxy-mark 1
@ -46,4 +51,4 @@ iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 61219 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j XRAY iptables -t mangle -A PREROUTING -j XRAY
# required for check above # required for check above
touch /tmp/configure_xray_startup_executed touch /tmp/xray_startup_executed
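Review bot: The once-per-boot marker `touch /tmp/xray_startup_executed` is written regardless of whether the sourcing of `/etc/xray/fwd_functions.sh` or any iptables call earlier in the script succeeded (no `set -e`, no status checks), so a partially built XRAY chain is then treated as "already executed" until reboot and cannot be repaired by restarting the service. Add `set -e` after the shebang so the first failing command aborts before the marker exists, or guard it explicitly: `if [ "$rc" -eq 0 ]; then touch /tmp/xray_startup_executed; fi` after tracking `rc` through the rule setup. Also note that the sample `iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN` stays in effect verbatim if the operator skips the README's "provide your own IP" step, which quietly routes traffic to that public resolver around the proxy; a placeholder that the script refuses to run with (e.g. a variable checked with `: "${MY_PUBLIC_IP:?set your public IP}"`) would fail loudly instead. The middle of this script is outside the visible hunks.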

6
root/fwd_manual.sh Normal file

@ -0,0 +1,6 @@
#!/bin/sh
# Source the function definitions
. /etc/xray/fwd_functions.sh
direct_ip "10.241.1.3"
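Review bot: `direct_ip "10.241.1.3"` run after boot, as the sample comment in startup.sh suggests, appends its RETURN rules with `-A XRAY`, i.e. behind the two unconditional TPROXY rules startup.sh already appended, so they are never evaluated and the host keeps being proxied. Either have the direct_* helpers insert at the head of the chain (`-I XRAY 1`) when used interactively, or have this script flush and rebuild the chain. It also runs unconditionally on every invocation, so repeated runs stack duplicate rules, which iptables does not dedupe.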


@ -35,5 +35,8 @@ opkg install kmod-nft-nat
opkg install kmod-nft-offload opkg install kmod-nft-offload
opkg install kmod-nft-tproxy opkg install kmod-nft-tproxy
chmod +x /root/configure_xray_startup.sh chmod +x /etc/xray/fwd_functions.sh
chmod +x /etc/xray/startup.sh
chmod +x /etc/init.d/xray chmod +x /etc/init.d/xray
chmod +x /root/restart_xray.sh
chmod +x /root/fwd_manual.sh
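Review bot: The new `/etc/xray/config/00_log.json` in this commit points Xray at `/etc/xray/log/`, but nothing visible in this install hunk creates that directory, so the first start may fail to open its log files; add `mkdir -p /etc/xray/log` next to the chmod lines (or whichever log directory is finally chosen). `chmod +x /etc/xray/fwd_functions.sh` is harmless but unnecessary, since the file is only sourced with `.` and never executed.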

2
root/restart_xray.sh Normal file

@ -0,0 +1,2 @@
#!/bin/sh
/etc/init.d/xray restart


@ -1,9 +0,0 @@
{
"log":
{
"access": "",
"error": "",
"loglevel": "none",
"dnsLog": false
}
}


@ -1,20 +0,0 @@
{
"transport": {
"domainStrategy": "IPIfNonMatch",
"httpSettings": {
"read_idle_timeout": 10,
"health_check_timeout": 15
},
"grpcSettings": {
"idle_timeout": 60,
"health_check_timeout": 20,
"permit_without_stream": true,
"initial_windows_size": 35536
},
"sockopt": {
"tcpMptcp": true,
"tcpFastOpen": true,
"tcpNoDelay": true
}
}
}


@ -1,9 +0,0 @@
{
"policy": {
"levels": {
"0": {
"connIdle": 30
}
}
}
}