2, OpenWRT firmware download address:
http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/nand/openwrt-ar71xx-nand-wndr4300-ubi-factory.img
3, Connect an Ethernet cable between one of the router's LAN ports and the computer's wired NIC, then open the WNDR4300 admin interface (http://192.168.1.1) and flash the firmware directly from there.
(Note: the admin interface cannot be reached while a proxy is in use.)
4, After the firmware upgrade, http://192.168.1.1 serves the OpenWRT admin interface; once the root password has been set, ssh is enabled by default.
5, Check that the 5 GHz band is working.
$ ssh 192.168.1.1
root@OpenWrt:~# devmem 0x180600b0
0x002F055A
6, Configure the WAN interface: set up PPPoE under Network -> Interface -> WAN -> Edit -> General Setup.
7, Configure the wireless LAN under Network -> Wireless.
8, Install dnsmasq-full
dnsmasq must be built with ipset support (check with dnsmasq -v; dnsmasq-full is dnsmasq with ipset support added).
http://sourceforge.net/projects/openwrt-dist/files/dnsmasq
http://sourceforge.net/projects/openwrt-dist/files/depends-libs
dnsmasq -v    (shows whether this dnsmasq build supports ipset)
opkg remove dnsmasq
opkg install /tmp/libgmp_6.0.0-1_ar71xx.ipk
opkg install /tmp/libnettle_2.7.1-1_ar71xx.ipk
opkg install /tmp/dnsmasq-full_2.72-4_ar71xx.ipk
opkg install ipset iptables-mod-nat-extra
9, Install shadowsocks
opkg install ipset libpolarssl resolveip
(If you hit the error “kmod: failed to insert /lib/modules/3.10.49/ip_set.ko”, it is because the router must be rebooted after ipset is installed.)
opkg install iptables-mod-geoip iptables-mod-nat-extra kmod-ipt-geoip kmod-ipt-nat kmod-ipt-nat-extra kmod-ipt-nathelper
From http://sourceforge.net/projects/openwrt-dist/files/shadowsocks-libev/ download the package matching your CPU type (the one without "spec" in its name), then copy it to the router with scp and install it.
scp shadowsocks-libev_2.1.4-1_ar71xx.ipk root@192.168.1.1:/tmp/
opkg install /tmp/shadowsocks-libev_2.1.4-1_ar71xx.ipk
10, Configure shadowsocks
On a router a transparent proxy is preferable, because the client machines then need no proxy configuration of their own. For shadowsocks, update /etc/init.d/shadowsocks to start ss-redir instead of ss-local (note: if ss-redir and ss-local are started at the same time, the ports in the default config file /etc/shadowsocks.json must be changed so that they differ). Also, the value of the method parameter in the configuration below must be lowercase.
root@OpenWrt:~# cat /etc/shadowsocks.json
{
"server": "<shadowsocks_server>",
"server_port": 26062,
"local_port": 7070,
"password": "shadowsocks_password",
"timeout": 600,
"method": "aes-128-cfb"
}
Restart shadowsocks: /etc/init.d/shadowsocks restart
11, Install and configure pdnsd to resist DNS poisoning
Make sure the pdnsd configuration file (/etc/pdnsd.conf) uses TCP for queries (query_method=tcp_only).
Install pdnsd: opkg install pdnsd
Restart pdnsd: /etc/init.d/pdnsd restart
root@OpenWrt:~# cat /etc/pdnsd.conf
# http://members.home.nl/p.a.rombouts/pdnsd/doc.html
global {
#debug = on; # debug mode, log will be written to /var/pdnsd/pdnsd.debug
perm_cache=4096; # increase or decrease the perm_cache, change min_ttl & max_ttl
cache_dir="/var/pdnsd";
run_as="nobody";
server_port = 1053;
server_ip = 0.0.0.0;
status_ctl = on;
query_method=tcp_only;
min_ttl=1d;
max_ttl=1w;
timeout=10;
}
# Add the upstream dns servers, the servers are queried in the order of their appearance
# (or in parallel to a limited extent). If one fails, the next one is taken and so on.
server {
label= "Google Public Dns";
ip = 8.8.4.4,4.2.2.2;
#root_server = on;
uptest = none;
exclude=".cn",".baidu.com",".qq.com",".csdn.net",".163.com";
}
server {
label= "114 DNS";
ip = 114.114.114.114;
}
12, dnsmasq setup: make sure /etc/dnsmasq.conf contains the following two lines.
conf-dir=/etc/dnsmasq.d
#dnssec
With that in place, add the domains you want routed through the proxy to /etc/dnsmasq.d/gfwdomains.conf in the format below and restart dnsmasq (/etc/init.d/dnsmasq restart). google.com is shown as the example; add the others yourself:
ipset=/google.com/fuckgfw
server=/google.com/127.0.0.1#1053
ipset=/googlehosted.com/fuckgfw
server=/googlehosted.com/127.0.0.1#1053
ipset=/co.jp/fuckgfw
server=/co.jp/127.0.0.1#1053
ipset=/google.com.hk/fuckgfw
server=/google.com.hk/127.0.0.1#1053
ipset=/google.com.tw/fuckgfw
server=/google.com.tw/127.0.0.1#1053
ipset=/google.com.jp/fuckgfw
server=/google.com.jp/127.0.0.1#1053
ipset=/gstatic.com/fuckgfw
server=/gstatic.com/127.0.0.1#1053
ipset=/googleusercontent.com/fuckgfw
server=/googleusercontent.com/127.0.0.1#1053
ipset=/appspot.com/fuckgfw
server=/appspot.com/127.0.0.1#1053
ipset=/googlecode.com/fuckgfw
server=/googlecode.com/127.0.0.1#1053
ipset=/googleapis.com/fuckgfw
server=/googleapis.com/127.0.0.1#1053
ipset=/gmail.com/fuckgfw
server=/gmail.com/127.0.0.1#1053
ipset=/google-analytics.com/fuckgfw
server=/google-analytics.com/127.0.0.1#1053
ipset=/youtube.com/fuckgfw
server=/youtube.com/127.0.0.1#1053
ipset=/blogspot.com/fuckgfw
server=/blogspot.com/127.0.0.1#1053
ipset=/blogger.com/fuckgfw
server=/blogger.com/127.0.0.1#1053
ipset=/ggpht.com/fuckgfw
server=/ggpht.com/127.0.0.1#1053
ipset=/useso.com/fuckgfw
server=/useso.com/127.0.0.1#1053
ipset=/googlevideo.com/fuckgfw
server=/googlevideo.com/127.0.0.1#1053
ipset=/youtube-nocookie.com/fuckgfw
server=/youtube-nocookie.com/127.0.0.1#1053
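The pairs above are easiest to maintain from a plain domain list. The following is an added example, not part of the original post: a POSIX sh function that turns such a list into the ipset/server pairs dnsmasq expects, rejecting malformed names and duplicates so a typo does not silently drop a domain or match far too much. The set name fuckgfw and the upstream 127.0.0.1#1053 are the ones used on this page; the domain list is a constructed sample.

```shell
#!/bin/sh
# Generate dnsmasq ipset/server pairs from a plain domain list.
# Usage: gen_gfw_rules SETNAME UPSTREAM < domains.txt
#   SETNAME  ipset that dnsmasq adds resolved addresses to (fuckgfw on this page)
#   UPSTREAM server dnsmasq forwards the query to (127.0.0.1#1053 = local pdnsd)
# Blank lines and '#' comments are skipped, names are lowercased, a leading
# "*." or "." is stripped, invalid names are reported on stderr, and duplicates
# are emitted once. Output is suitable for /etc/dnsmasq.d/gfwdomains.conf.
gen_gfw_rules() {
    set_name="$1"
    upstream="$2"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z' \
        | sed -e 's/^\*\.//' -e 's/^\.//' \
        | grep -v '^$' \
        | awk -v set="$set_name" -v up="$upstream" '
            # each label: [a-z0-9-], not starting or ending with "-";
            # require at least two labels (a bare TLD would match far too much)
            $0 !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/ {
                print "skipping invalid domain: " $0 > "/dev/stderr"; next
            }
            seen[$0]++ { next }   # already emitted
            {
                print "ipset=/" $0 "/" set
                print "server=/" $0 "/" up
            }'
}

# constructed sample list; in practice read it from a file
SAMPLE_DOMAINS='# domains to route through the proxy
google.com
*.YouTube.com
google.com
bad_domain
com
'

if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_DOMAINS" | gen_gfw_rules fuckgfw 127.0.0.1#1053
fi
```

Run it as `sh gen.sh --demo > /etc/dnsmasq.d/gfwdomains.conf` on the router, then restart dnsmasq as described above.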
13, Firewall configuration; after editing, restart the firewall with /etc/init.d/firewall restart
root@OpenWrt:~# cat /etc/firewall.user
ipset create fuckgfw iphash --exist
iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
iptables -t nat -A PREROUTING -p udp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
14, Client configuration: make sure /etc/resolv.conf contains nameserver 192.168.1.1, so that DNS resolution goes through the dnsmasq service on the router.