1. 前言
最近重装软路由的系统,把openwrt从21升到了最新的23.05。很多脚本需要更新,例如iptables升级到了nftables。
同时最近阿里云和腾讯云不约而同的推出了200M不限流量的轻量云服务器,所以Server部分也需要重装。
重装过程发现很多细节都忘了,果然好记性不如烂笔头。还是搞文档体系的记录一下。
2. Server Part
2.1 DD重装系统
系统选择Debian12,使用一键DD脚本,这里推荐萌咖。
bash <(wget --no-check-certificate -qO- 'https://raw.githubusercontent.com/MoeClub/Note/refs/heads/master/InstallNET.sh') -d 12 -v 64 -aFor 腾讯轻量云:
- 需要注意的是,腾讯轻量云一些系统可能提示
Error! Not Found grub.,建议用Ubutun22.04运行脚本,等个10分钟左右就好了,腾讯云有VNC可以看进度。默认密码MoeClub.org,登录第一件事先执行passwd root更改密码。- 如果开通了 ipv6,并且在新系统上继续用,则建议在原系统上通过
ip addr\ip route记录下地址、路由表,dd后还原。ip addr add x:x:x:x:x:x:x:x/x dev ens3 ip route add / append xxx- 使用腾讯云内网 dns,ping google.com等网站的延迟均在 1ms 左右,使用8.8.8.8,延迟则变为 20多ms,还在研究原理。阿里云就没有这个现象。内网 dns 可参考官方文档内网服务。 安装了 openresolv,则编辑
/etc/resolvconf.conf,添加一行配置:name_servers="183.60.83.19 183.60.82.98"执行
resolvconf -l,发现openresolv除了读取配置文件,还会检查/etc/network/interfaces的接口 dns 配置,把需要把以下内容删掉。# dns-* options are implemented by the resolvconf package, if installed dns-nameservers 8.8.8.8 dns-search debian执行
resolvconf -u使配置生效。
2.2 配置wireguard
先安装一些依赖。
apt update
apt install wireguard openresolv wget unzip dnsmasq在/etc/wireguard/下创建wireguard配置文件wg0.conf。
[Interface]
PrivateKey = {$ServerPrivateKey}
Address = 10.0.0.1/24
ListenPort = {$WGLocalPort}
# suggest use system dns settings, consider some cloud platform may have a different performance by dns settings.
# DNS = 8.8.8.8
MTU = 1400
[Peer]
PublicKey = {$PeerPublickKey}
AllowedIPs = 10.0.0.2/32设置wireguard开机启动
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0开启ipv4内核转发, 编辑/etc/sysctl.conf, 把net.ipv4.ip_forward=1的注释去掉,执行sysctl -p生效。
For MTU:
WireGuard MTU = Interface MTU – IPv4 header (20 bytes) – TCP header (20 bytes) – WireGuard overhead (32 bytes) 对于mtu 1500的以太网接口,最大设置1408。如果路由侧是PPPOE拨号,则再减去8 bytes,mtu设置为1400。
For 腾讯云:
以太网接口实测最大1468,mtu大于这个数则会触发分包,这个分包应该是机房架构内某个网关处理的,phantun / hysteria 都没法兼容这种分包的情况。 所以需要在前面的算法上再减去 32bytes。
ip link set dev ens3 mtu 1468
2.3 配置Phantun
下载最新的包,版本phantun_x86_64-unknown-linux-gnu.zip。
wget 'https://github.com/dndx/phantun/releases/download/v0.7.0/phantun_x86_64-unknown-linux-gnu.zip'
unzip phantun_x86_64-unknown-linux-gnu.zip启动phantun
RUST_LOG=info nohup ./phantun_server --tun-local 192.168.201.1 --tun-peer 192.168.201.2 -l {$PhantunPort} -r 127.0.0.1:{$WGLocalPort} -4 > /tmp/phantun.log 2>&1 &2.4 配置nftables
配置文件参考了wireguard-vpn-on-debian。 主要是流量放行和IP转换。
#!/usr/sbin/nft -f
flush ruleset
# wireguard related defines
define WAN_IFC = {$WanIFC}
define VPN_IFC = wg0
define VPN_NET = 10.0.0.1/24
table inet filter {
chain input {
type filter hook input priority filter;
# Wireguard VPN
udp dport {$WGLocalPort} counter accept comment "Allow VPN"
iifname $VPN_IFC udp dport 53 ip saddr $VPN_NET counter accept comment "Allow DNS for VPN"
# Allow VPN clients to communicate with each other.
# iifname $vpn oifname $vpn ct state new accept
}
chain forward {
type filter hook forward priority filter;
# forward WireGuard traffic, allowing it to access internet via WAN
iifname $VPN_IFC oifname $WAN_IFC ct state new counter accept
}
chain output {
type filter hook output priority filter;
}
}
table inet nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
# phantun
iif $WAN_IFC tcp dport {$PhantunPort} dnat ip to 192.168.201.2
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
# masquerade wireguard traffic
# make wireguard traffic look like it comes from the server itself
oifname $WAN_IFC ip saddr $VPN_NET counter masquerade comment "Masquerade VPN traffic"
}
}设置nftables开机默认启动
systemctl enable nftables.service
systemctl start nftables.service2.5 配置 Dnsmasq
# /etc/dnsmasq.d/defaut_dns.conf
server=183.60.83.19
server=183.60.82.98
no-resolv
systemctl enable dnsmasq.service
systemctl start dnsmasq.service3. Router Part
3.1 DD装系统
openwrt 把内存(tmpfs)挂载在了/tmp目录,固件存在/tmp再写其他硬盘是安全的。
用 dd 命令写盘,然后reboot重启。
dd if=/tmp/openwrt-24.10.0-x86-64-generic-ext4-combined-efi.img of=/dev/nvme0n1如果是新装,建议用开源免费的BalenaEtcher把 openwrt img 写入U盘,从U盘引导进入系统进行上述 dd 操作。
3.2 Wireguard配置
WIP
# create wireguard interface
ip link del dev wg0
ip link add dev wg0 type wireguard
ip address add dev wg0 192.168.201.2
ip address add dev wg0 fd23:23:23::2
wg set wg0 private-key $tmpfile peer $peer_public_key allowed-ips 0.0.0.0/0,::/0 endpoint 127.0.0.1:$wg_tun_port persistent-keepalive 25
ip link set dev wg0 mtu $mtu
ip link set up dev wg0nft todo optimize
# masquerade
nft 'add chain inet fw4 nat_postrouting { type nat hook postrouting priority srcnat; policy accept; }'
add_nftables_rule "inet fw4" nat_postrouting "meta nfproto { ipv4, ipv6 } oifname \"$wg_device\" masquerade" "vpn traffic masquerade $wg_device"
# forward
add_nftables_rule "inet fw4" forward "oifname \"$wg_device\" accept" "vpn traffic accept $wg_device" insert
# mtu
add_nftables_rule "inet fw4" mangle_forward "iifname \"$wg_device\" tcp flags syn tcp option maxseg size set rt mtu" "vpn in traffic mtu $wg_device"
add_nftables_rule "inet fw4" mangle_forward "oifname \"$wg_device\" tcp flags syn tcp option maxseg size set rt mtu" "vpn out traffic mtu $wg_device"todo optimize
# ip rule & route
wg_table="wg_table_"$wg_device
add_rt_tables $wg_table
ip rule show | grep -Fq "from all fwmark $traffic_mark lookup $wg_table" || ip rule add fwmark $traffic_mark table $wg_table
ip -6 rule show | grep -Fq "from all fwmark $traffic_mark lookup $wg_table" || ip -6 rule add fwmark $traffic_mark table $wg_table
ip route add default dev $wg_device table $wg_table
ip -6 route add default dev $wg_device table $wg_table3.3 Phantun配置
WIP
3.4 IP分流
WIP
3.5 DNS分流
脚本
# use 8.8.8.8 by default
cat > /tmp/dnsmasq.d/default_dns.conf << 'EOF'
server=8.8.8.8
no-resolv
EOF
/etc/init.d/dnsmasq restart
# Configuration variables
script_dir="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" # Get script's absolute path
backup_dir="${script_dir}"
app_dir="/tmp/dnsmasq.d"
interface="wg0"
# Process single file
# Arguments:
# $1 - target filename
# $2 - source URL
process_file() {
local filename=$1
local url=$2
local temp_file=$(mktemp)
# Try to download file
if curl --max-time 10 --interface "$interface" -SfL "$url" -o "$temp_file"; then
# Success: update both application and backup directories
cp -f "$temp_file" "$app_dir/$filename"
cp -f "$temp_file" "$backup_dir/$filename"
printf "[%s] Update successful, synced latest version\\n" "$filename"
else
# Handle errors: attempt to restore from backup
if cp -f "$backup_dir/$filename" "$app_dir/$filename"; then
printf "[%s] Update failed, fallback to backup version\\n" "$filename"
else
printf "[%s] Critical error: Both download and backup recovery failed!\\n" "$filename" >&2
return 1
fi
fi
# Cleanup temporary file
rm -f "$temp_file"
}
# Main execution
process_file "accelerated-domains.china.conf" "https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/refs/heads/master/accelerated-domains.china.conf"
process_file "apple.china.conf" "https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/refs/heads/master/apple.china.conf"
/etc/init.d/dnsmasq restart3.6 策略路由
WIP
3.7 局域网白名单
WIP
3.8 事件监听
3.9 关于Openwrt NAT66 的性能问题
https://github.com/openwrt/openwrt/issues/15857 GRO有bug,建议关闭。
4. 锦上添花-其他有趣的东西
4.1 光猫改桥接
4.2 IPTV
4.3 AdGuardHome
Dnsmasq端口改成54
安装 opkg install AdGuardHome
访问 192.168.1.1:3000 初始化 AdGuardHome, dns端口设置53
Network->Interfaces->lan->DHCP Server->Advance Settings->DHCP Options新增6,192.168.1.1
整体感觉一般般吧,体验没什么变化。可以通过设置最小DNS TTL来延长缓存,增加点缓存命中率。其余广告过滤规则之类的,只能说聊胜于无。效果和浏览器插件比不了。
Hysteria2
Cloudflare 双栈
Cloudflare WARP 教程:给 VPS 额外添加“原生” IPv4/IPv6 双栈网络出口