mostm
/
openwrt-xray
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rework into using nftables, along with proper Xray DNS configuration

This commit is contained in:
Levent Duivel 2025-04-13 13:41:16 +05:00
parent a5c8961d78
commit f9645b0ef6
17 changed files with 249 additions and 195 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -1,17 +1,21 @@
openwrt-xray openwrt-xray
------------ ------------
Requirements
------------
- OpenWRT 22.03 and higher
- Router should be in 192.168.0.0/16 subnet (default rules operate on that)
Install Install
------- -------
1. Drop the files onto OpenWRT (22.03 and higher) router 1. Drop the files onto OpenWRT (22.03 and higher) router
2. Run `install_xray.sh`: `chmod +x /root/install_xray.sh && /root/install_xray.sh` 2. Run `install_xray.sh`: `chmod +x /root/install_xray.sh && /root/install_xray.sh`
3. Configure this installation: 3. Configure this installation:
- Edit this rule in `/etc/xray/startup.sh`: `iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN` to match your public static IP address - In `/etc/xray/config/outbounds.jsonc` add your connection details (but be carefult with specified streamSettings->sockOpt, these are required)
- In `/root/xray_config/04_outbounds.json` add your connection details - You can optionally add excluding/blocking rules to `/etc/xray/custom_rules.sh`, see possible additions in `fwd_functions.sh` beside it.
- You can optionally add excluding/blocking rules to `startup.sh`, see possible additions in `fwd_functions.sh` beside it.
4. Enable the `xray` service in LuCI (System -> Startup, it should be at the end of the list) and reboot your router. 4. Enable the `xray` service in LuCI (System -> Startup, it should be at the end of the list) and reboot your router.
(In case it fails to work, you may disable the service and reboot the router again to revert the effects) (In case it fails to work, you may disable the service and reboot the router again to revert the effects, or use `/etc/xray/revert.sh`)
crontab crontab
------- -------

2
etc/init.d/xray
View File

@ -25,7 +25,7 @@ start_service() {
config_get dialer "config" "dialer" config_get dialer "config" "dialer"
config_get format "config" "format" "json" config_get format "config" "format" "json"
# runs iptables setup # runs nftables setup
/etc/xray/startup.sh /etc/xray/startup.sh
procd_open_instance "$CONF" procd_open_instance "$CONF"

9
etc/xray/config/01_log.json
View File

@ -1,9 +0,0 @@
{
"log":
{
"access": "/etc/xray/log/access.log",
"dnsLog": false,
"error": "/etc/xray/log/error.log",
"loglevel": "none"
}
}

24
etc/xray/config/02_transport.json
View File

@ -1,24 +0,0 @@
{
"transport":
{
"domainStrategy": "IPIfNonMatch",
"grpcSettings":
{
"health_check_timeout": 20,
"idle_timeout": 60,
"initial_windows_size": 35536,
"permit_without_stream": true
},
"httpSettings":
{
"health_check_timeout": 15,
"read_idle_timeout": 10
},
"sockopt":
{
"tcpFastOpen": true,
"tcpMptcp": true,
"tcpNoDelay": true
}
}
}

13
etc/xray/config/06_policy.json
View File

@ -1,13 +0,0 @@
{
"policy":
{
"levels":
{
"0":
{
// If you have issues with SSH connections, it's recommended to increase this value. See the docs
"connIdle": 30
}
}
}
}

19
etc/xray/config/dns.jsonc Normal file
View File

@ -0,0 +1,19 @@
{
"dns": {
"tag": "dns-in",
"hosts": {
"dns.google": "8.8.8.8"
},
"servers": [
"https://dns.google/dns-query",
{
"address": "localhost",
"disableFallback": true,
"domains": [
"regexp:.*\\.lan"
]
}
],
"queryStrategy": "UseIPv4"
}
}

18
etc/xray/config/03_inbounds.json → etc/xray/config/inbounds.jsonc
View File

@ -1,18 +1,14 @@
{ {
"inbounds": "inbounds": [
[
{ {
"port": 61219, "port": 61219,
"protocol": "dokodemo-door", "protocol": "dokodemo-door",
"settings": "settings": {
{
"followRedirect": true, "followRedirect": true,
"network": "tcp,udp" "network": "tcp,udp"
}, },
"sniffing": "sniffing": {
{ "destOverride": [
"destOverride":
[
"http", "http",
"tls", "tls",
"quic" "quic"
@ -20,10 +16,8 @@
"enabled": true, "enabled": true,
"routeOnly": true "routeOnly": true
}, },
"streamSettings": "streamSettings": {
{ "sockopt": {
"sockopt":
{
"tproxy": "tproxy" "tproxy": "tproxy"
} }
}, },

8
etc/xray/config/log.jsonc Normal file
View File

@ -0,0 +1,8 @@
{
"log": {
// "access": "/etc/xray/log/access.log",
// "error": "/etc/xray/log/error.log",
"loglevel": "none",
"dnsLog": true
}
}

68
etc/xray/config/04_outbounds.json → etc/xray/config/outbounds.jsonc
View File

@ -1,17 +1,14 @@
{ {
"outbounds": "outbounds": [
[
{ {
"tag": "vless-reality",
"protocol": "vless", "protocol": "vless",
"settings": "settings": {
{ "vnext": [
"vnext":
[
{ {
"address": "1.1.1.1", "address": "1.1.1.1",
"port": 443, "port": 443,
"users": "users": [
[
{ {
"encryption": "none", "encryption": "none",
"flow": "xtls-rprx-vision", "flow": "xtls-rprx-vision",
@ -22,39 +19,52 @@
} }
] ]
}, },
"streamSettings": "streamSettings": {
{
"network": "tcp", "network": "tcp",
"realitySettings": "realitySettings": {
{
"fingerprint": "chrome", "fingerprint": "chrome",
"publicKey": "", "publicKey": "",
"serverName": "", "serverName": "",
"shortId": "", "shortId": "",
"spiderX": "/" "spiderX": "/"
}, },
"security": "reality" "security": "reality",
}, // Important: This is required for rules to work correctly!
"tag": "vless-reality" "sockopt": {
}, "domainStrategy": "UseIP",
{ "mark": 2
"protocol": "freedom", }
"tag": "direct"
},
{
"protocol": "blackhole",
"settings":
{
"response":
{
"type": "http"
} }
}, },
"tag": "block" {
"tag": "direct",
"protocol": "freedom",
"streamSettings": {
"sockopt": {
"mark": 2
}
},
"settings": {
"domainStrategy": "UseIP"
}
}, },
{ {
"tag": "block",
"protocol": "blackhole",
"settings": {
"response": {
"type": "http"
}
}
},
{
"tag": "dns-out",
"protocol": "dns", "protocol": "dns",
"tag": "dns" "streamSettings": {
"sockopt": {
"mark": 2
}
}
} }
] ]
} }

10
etc/xray/config/policy.jsonc Normal file
View File

@ -0,0 +1,10 @@
{
"policy": {
"levels": {
"0": {
// If you have issues with SSH connections, it's recommended to increase this value. See the docs
"connIdle": 30
}
}
}
}

58
etc/xray/config/05_routing.json → etc/xray/config/routing.jsonc
View File

@ -1,25 +1,31 @@
{ {
"routing": { "routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [ "rules": [
// Capture DNS // Capture DNS
{ {
"inboundTag": ["redirect", "tproxy"], "inboundTag": "tproxy",
"outboundTag": "dns", "outboundTag": "dns-out",
"type": "field",
"port": 53 "port": 53
}, },
// Block QUIC // Block QUIC
{ {
"inboundTag": ["redirect", "tproxy"], "inboundTag": "tproxy",
"outboundTag": "block", "outboundTag": "block",
"type": "field", "protocol": [
"protocol": ["quic"] "quic"
]
},
// Force DNS to go through direct
// If needed, you can force DNS to go through other outbound using tags for specific servers in dns.jsonc
{
"inboundTag": "dns-in",
"outboundTag": "direct"
}, },
// Force specific source IPs to go direct // Force specific source IPs to go direct
{ {
"inboundTag": ["redirect", "tproxy"], "inboundTag": "tproxy",
"outboundTag": "direct", "outboundTag": "direct",
"type": "field",
"source": [ "source": [
"192.168.2.255", "192.168.2.255",
"192.168.2.254" "192.168.2.254"
@ -27,9 +33,8 @@
}, },
// Block common ads and other stuff // Block common ads and other stuff
{ {
"inboundTag": ["redirect", "tproxy"], "inboundTag": "tproxy",
"outboundTag": "block", "outboundTag": "block",
"type": "field",
"domain": [ "domain": [
"geosite:category-ads-all", "geosite:category-ads-all",
"google-analytics", "google-analytics",
@ -42,19 +47,17 @@
}, },
// Force BitTorrent to go through direct // Force BitTorrent to go through direct
{ {
"inboundTag": ["redirect", "tproxy"], "inboundTag": "tproxy",
"outboundTag": "direct", "outboundTag": "direct",
"type": "field", "protocol": "bittorrent"
"protocol": ["bittorrent"]
}, },
// Explicitly force direct // Explicitly force direct (domains)
{ {
"inboundTag": ["redirect", "tproxy"], "inboundTag": "tproxy",
"outboundTag": "direct", "outboundTag": "direct",
"type": "field",
"domain": [ "domain": [
"regexp:^([\\w\\-\\.]+\\.)ru$", // .ru "regexp:^([\\w\\-\\.]+\\.)ru$", // .ru
"regexp:^([\\w\\-\\.]+\\.)su$", // .su // "regexp:^([\\w\\-\\.]+\\.)su$", // .su
"regexp:^([\\w\\-\\.]+\\.)xn--p1ai$", // .рф "regexp:^([\\w\\-\\.]+\\.)xn--p1ai$", // .рф
"regexp:^([\\w\\-\\.]+\\.)xn--p1acf$", // .рус "regexp:^([\\w\\-\\.]+\\.)xn--p1acf$", // .рус
"regexp:^([\\w\\-\\.]+\\.)xn--80asehdb$", // .онлайн "regexp:^([\\w\\-\\.]+\\.)xn--80asehdb$", // .онлайн
@ -70,11 +73,10 @@
"geosite:steam", "geosite:steam",
"geosite:vk", "geosite:vk",
"geosite:category-gov-ru", "geosite:category-gov-ru",
"regexp:^assets(\\d*?)\\.xboxlive\\.com$", // "regexp:^assets(\\d*?)\\.xboxlive\\.com$",
"domain:rt.ru", "domain:rt.ru",
"domain:ngenix.net", "domain:ngenix.net",
"domain:plex.tv", "domain:plex.tv",
"geoip:ru",
"domain:kaspersky.com", "domain:kaspersky.com",
"domain:koronapay.com", "domain:koronapay.com",
"domain:binance.com", "domain:binance.com",
@ -87,12 +89,22 @@
"domain:veesp.com" "domain:veesp.com"
] ]
}, },
// Explicitly force direct (IPs)
{
"inboundTag": "tproxy",
"outboundTag": "direct",
"ip": [
"geoip:ru",
"geoip:am"
]
},
// No rules found? Go vless-reality // No rules found? Go vless-reality
{ {
"inboundTag": ["redirect", "tproxy"], "inboundTag": [
"outboundTag": "vless-reality", "tproxy",
"type": "field" "dns-in"
],
"outboundTag": "vless-reality"
} }
] ]
} }

9
etc/xray/custom_rules.sh Normal file
View File

@ -0,0 +1,9 @@
#!/bin/sh
# Source the function definitions
. /etc/xray/fwd_functions.sh
# Add your custom rules here
# See the fwd_functions.sh for the available functions
# Example: Exclude traefik HTTP+HTTPS
# direct_port_range_for_ip "192.168.1.165" 80 443

62
etc/xray/fwd_functions.sh
View File

@ -1,63 +1,69 @@
#!/bin/sh #!/bin/sh
# Function to add iptables rules for a specific IP and port # Function to add nftables rules for a specific IP and port
direct_port_for_ip() { direct_port_for_ip() {
ip=$1 ip=$1
port=$2 port=$2
iptables -t mangle -A XRAY -d "$ip"/32 -p tcp --dport "$port" -j RETURN nft insert rule ip xray prerouting ip daddr "$ip" tcp dport "$port" counter return
iptables -t mangle -A XRAY -d "$ip"/32 -p udp --dport "$port" -j RETURN nft insert rule ip xray prerouting ip daddr "$ip" udp dport "$port" counter return
iptables -t mangle -A XRAY -s "$ip"/32 -p tcp --sport "$port" -j RETURN nft insert rule ip xray output ip daddr "$ip" tcp dport "$port" counter return
iptables -t mangle -A XRAY -s "$ip"/32 -p udp --sport "$port" -j RETURN nft insert rule ip xray output ip daddr "$ip" udp dport "$port" counter return
} }
# Function to add iptables rules for a single port without specifying IP # Function to add nftables rules for a single port without specifying IP
direct_port() { direct_port() {
port=$1 port=$1
iptables -t mangle -A XRAY -p tcp --dport "$port" -j RETURN nft insert rule ip xray prerouting tcp dport "$port" counter return
iptables -t mangle -A XRAY -p udp --dport "$port" -j RETURN nft insert rule ip xray prerouting udp dport "$port" counter return
iptables -t mangle -A XRAY -p tcp --sport "$port" -j RETURN nft insert rule ip xray output tcp dport "$port" counter return
iptables -t mangle -A XRAY -p udp --sport "$port" -j RETURN nft insert rule ip xray output udp dport "$port" counter return
} }
# Function to add iptables rules for a range of ports for a specific IP # Function to add nftables rules for a range of ports for a specific IP
direct_port_range_for_ip() { direct_port_range_for_ip() {
ip=$1 ip=$1
start_port=$2 start_port=$2
end_port=$3 end_port=$3
port=$start_port nft insert rule ip xray prerouting ip daddr "$ip" tcp dport { "$start_port"-"$end_port" } counter return
while [ "$port" -le "$end_port" ]; do nft insert rule ip xray prerouting ip daddr "$ip" udp dport { "$start_port"-"$end_port" } counter return
direct_port_for_ip "$ip" "$port" nft insert rule ip xray output ip daddr "$ip" tcp dport { "$start_port"-"$end_port" } counter return
port=$((port + 1)) nft insert rule ip xray output ip daddr "$ip" udp dport { "$start_port"-"$end_port" } counter return
done
} }
# Function to add iptables rules for a range of ports without specifying IP # Function to add nftables rules for a range of ports without specifying IP
direct_port_range() { direct_port_range() {
start_port=$1 start_port=$1
end_port=$2 end_port=$2
port=$start_port nft insert rule ip xray prerouting tcp dport { "$start_port"-"$end_port" } counter return
while [ "$port" -le "$end_port" ]; do nft insert rule ip xray prerouting udp dport { "$start_port"-"$end_port" } counter return
direct_port "$port" nft insert rule ip xray output tcp dport { "$start_port"-"$end_port" } counter return
port=$((port + 1)) nft insert rule ip xray output udp dport { "$start_port"-"$end_port" } counter return
done
} }
# Function to add iptables rules for an IP without specifying ports # Function to add nftables rules for an IP without specifying ports
direct_ip() { direct_ip() {
ip=$1 ip=$1
iptables -t mangle -A XRAY -d "$ip"/32 -j RETURN nft insert rule ip xray prerouting ip saddr "$ip" counter return
iptables -t mangle -A XRAY -s "$ip"/32 -j RETURN nft insert rule ip xray output ip saddr "$ip" counter return
nft insert rule ip xray prerouting ip daddr "$ip" counter return
nft insert rule ip xray output ip daddr "$ip" counter return
} }
# Function to add iptables rules for blocking IP # Function to add nftables rules for blocking IP
block_ip() { block_ip() {
ip=$1 ip=$1
iptables -I FORWARD 1 -d "$ip"/32 -j DROP # Block in prerouting chain
iptables -I FORWARD 1 -s "$ip"/32 -j DROP nft insert rule ip xray prerouting ip daddr "$ip" counter drop
nft insert rule ip xray prerouting ip saddr "$ip" counter drop
# Block in output chain
nft insert rule ip xray output ip daddr "$ip" counter drop
nft insert rule ip xray output ip saddr "$ip" counter drop
} }

33
etc/xray/nft.conf Normal file
View File

@ -0,0 +1,33 @@
#!/usr/sbin/nft -f
define RESERVED_IP = {
10.0.0.0/8,
100.64.0.0/10,
127.0.0.0/8,
169.254.0.0/16,
172.16.0.0/12,
192.0.0.0/24,
224.0.0.0/4,
240.0.0.0/4,
255.255.255.255/32
}
table ip xray {
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr $RESERVED_IP return
ip daddr 192.168.0.0/16 tcp dport != 53 return
ip daddr 192.168.0.0/16 udp dport != 53 return
ip protocol tcp tproxy to 127.0.0.1:61219 meta mark set 1
ip protocol udp tproxy to 127.0.0.1:61219 meta mark set 1
}
chain output {
type route hook output priority mangle; policy accept;
ip daddr $RESERVED_IP return
ip daddr 192.168.0.0/16 tcp dport != 53 return
ip daddr 192.168.0.0/16 udp dport != 53 return
meta mark 2 return
ip protocol tcp meta mark set 1
ip protocol udp meta mark set 1
}
}

6
etc/xray/revert.sh Normal file
View File

@ -0,0 +1,6 @@
#!/bin/sh
nft delete table ip xray
ip route del local default dev lo table 100
ip rule del table 100
rm -f /tmp/xray_startup_executed

75
etc/xray/startup.sh
View File

@ -1,54 +1,43 @@
#!/bin/sh #!/bin/sh
# Ensure this script runs only once per boot
if [ -f /tmp/xray_startup_executed ]; then
# The file exists, so do not run the script
echo "This script was executed already. To revert the results, reboot the device"
exit 0
fi
# Source the function definitions
. /etc/xray/fwd_functions.sh . /etc/xray/fwd_functions.sh
# create chain # Get WAN device name first
WAN_DEVICE=$(uci get network.wan.device)
if [ -z "$WAN_DEVICE" ]; then
echo "Error: Could not determine WAN device"
exit 1
fi
# Get WAN interface IP address using the device name, excluding localhost and private IPs
# Comment this out, if it doesn't work for you
WAN_IP=$(ip addr show $WAN_DEVICE | grep 'inet ' | awk '{print $2}' | cut -d/ -f1 | grep -v '^127\.' | grep -v '^192\.168\.')
# WAN_IP="1.1.1.1"
if [ -z "$WAN_IP" ]; then
echo "Error: Could not determine WAN IP address for device $WAN_DEVICE"
exit 1
fi
if [ -f /tmp/xray_startup_executed ]; then
sh /etc/xray/revert.sh
fi
# Create routing table and rules
ip route add local default dev lo table 100
ip rule add fwmark 1 table 100 ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N XRAY
# exclude private ipv4 # Load nftables rules from nft.conf
iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN nft -f /etc/xray/nft.conf
iptables -t mangle -A XRAY -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY -d 100.64.0.0/10 -j RETURN
iptables -t mangle -A XRAY -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A XRAY -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A XRAY -d 192.0.0.0/24 -j RETURN
iptables -t mangle -A XRAY -d 192.0.2.0/24 -j RETURN
iptables -t mangle -A XRAY -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A XRAY -d 198.18.0.0/15 -j RETURN
iptables -t mangle -A XRAY -d 198.51.100.0/24 -j RETURN
iptables -t mangle -A XRAY -d 203.0.113.0/24 -j RETURN
iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN
# Execute custom rules if they exist
if [ -f /etc/xray/custom_rules.sh ]; then
sh /etc/xray/custom_rules.sh
fi
# !!! PROVIDE YOUR OWN IP HERE !!! # Add rules to bypass the firewall for the WAN IP
iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN direct_ip "$WAN_IP"
# exclude from Xray the following:
# SAMPLE - you can test the rules using /root/fwd_manual.sh script
# traefik HTTP+HTTPS
#direct_port_range_for_ip "10.241.1.165" 80 443
# add forwarding rule
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 61219 --tproxy-mark 1
iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 61219 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j XRAY
# required for check above # required for check above
touch /tmp/xray_startup_executed touch /tmp/xray_startup_executed

2
root/fwd_manual.sh
View File

@ -3,4 +3,4 @@
# Source the function definitions # Source the function definitions
. /etc/xray/fwd_functions.sh . /etc/xray/fwd_functions.sh
direct_ip "10.241.1.3" direct_ip "192.168.1.3"