ERLite plus Synology Docker as a router-level proxy
This post was published on , and its contents may have drifted from the actual situation. If you spot an error, corrections are welcome; I will revise or hide the post as appropriate.
Note: this post is for technical discussion only; any legal consequences of trying the steps in it are your own responsibility.
LAN subnet: 192.168.1.0/24, gateway 192.168.1.254
Synology subnet: 192.168.0.0/24, gateway 192.168.0.254
Because the Synology at home is the single-NIC model, this time I use Docker's macvlan feature to give the container an IP of its own.
The configuration uses V2Ray's sniffing feature, so there is no need to set up an unpolluted DNS.
Parts of the configuration in this post are taken from the 新 V2Ray 白话文指南 (the new plain-language V2Ray guide).
Router configuration (EdgeRouter Lite)
configure
set firewall group network-group CNIP network 1.0.1.0/24
set firewall group network-group CNIP network 1.0.2.0/23
set firewall group network-group CNIP network 1.0.8.0/21
set firewall group network-group CNIP network 1.0.32.0/19
set firewall group network-group CNIP network 1.1.0.0/24
set firewall group network-group CNIP network 1.1.2.0/23
set firewall group network-group CNIP network 1.1.4.0/22
set firewall group network-group CNIP network 1.1.8.0/21
……
#configure the network-group holding the mainland China IP ranges
#the data comes from IPIP.net's china_ip_list
commit #this took about half an hour to run
save #save right away so that a mishap doesn't cost another half hour
set protocols static table 10 route 0.0.0.0/0 next-hop 192.168.0.2 #routing table that forwards everything to the v2ray container
set firewall modify CNIP rule 10 action accept
set firewall modify CNIP rule 10 protocol tcp
set firewall modify CNIP rule 10 source address 192.168.0.0/24 #rule that leaves traffic from the Synology subnet alone
set firewall modify CNIP rule 20 action accept
set firewall modify CNIP rule 20 protocol tcp
set firewall modify CNIP rule 20 destination group network-group CNIP #skip destinations in the mainland China IP ranges
set firewall modify CNIP rule 99 action modify
set firewall modify CNIP rule 99 protocol tcp
set firewall modify CNIP rule 99 modify table 10 #all remaining TCP traffic goes to routing table 10
set interfaces ethernet eth0 firewall in modify CNIP #apply the modify ruleset in the "in" direction on the LAN interface
commit
save
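The network-group above is thousands of `set` lines and a commit that, as noted, takes about half an hour, so it pays to generate the lines from the list file and to sanity-check the policy before committing. The script below is an added example (not from the post, not an EdgeOS tool): it turns a china_ip_list-style file into `set firewall group network-group CNIP network ...` lines, rejects malformed entries instead of emitting bad commands, and mirrors rules 10/20/99 so you can see which path a given TCP flow takes. The CIDR list embedded here is a constructed stand-in for IPIP.net's china_ip_list; the group name CNIP, the Synology subnet, the next-hop and table number 10 come from the post.

```python
"""Generate EdgeOS network-group commands from a CIDR list and simulate the
CNIP modify rules. Added example; the list below is constructed sample data,
not the real china_ip_list."""
import ipaddress

SYNOLOGY_SUBNET = ipaddress.ip_network("192.168.0.0/24")  # rule 10 source match
PROXY_TABLE = 10                                          # rule 99 target table
PROXY_NEXT_HOP = "192.168.0.2"                            # table 10 next-hop (the container)

# Constructed sample: four valid ranges from the post plus two deliberately bad
# lines, which is exactly what validation must catch before a 30-minute commit.
CHINA_IP_LIST = """\
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.1.0.0/24
# comment line
1.2.3.4/33
not-a-cidr
"""


def parse_cidrs(text):
    """Return (valid networks, rejected lines).

    Blank lines and '#' comments are skipped; anything that is not a proper
    network (bad prefix, host bits set, junk) is reported rather than turned
    into a 'set' command that would fail half-way through the commit."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def edgeos_group_commands(nets, group="CNIP"):
    """One 'set firewall group network-group ...' line per CIDR, as in the post."""
    return [f"set firewall group network-group {group} network {n}" for n in nets]


def classify_flow(src_ip, dst_ip, protocol, cn_nets):
    """Mirror of firewall modify CNIP rules 10, 20 and 99 from the post.

    Returns 'bypass-synology', 'bypass-cn', 'table-10' or 'main-table'."""
    if protocol != "tcp":
        return "main-table"               # all three rules match TCP only; UDP is untouched
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src in SYNOLOGY_SUBNET:
        return "bypass-synology"          # rule 10: the container's own traffic, avoids a loop
    if any(dst in n for n in cn_nets):
        return "bypass-cn"                # rule 20: mainland destinations stay on the main table
    return f"table-{PROXY_TABLE}"         # rule 99: everything else -> next-hop 192.168.0.2


if __name__ == "__main__":
    nets, bad = parse_cidrs(CHINA_IP_LIST)
    print("\n".join(edgeos_group_commands(nets)))
    print("rejected lines:", bad)
    for src, dst, proto in [("192.168.1.10", "1.0.1.7", "tcp"),
                            ("192.168.1.10", "8.8.8.8", "tcp"),
                            ("192.168.0.2", "8.8.8.8", "tcp"),
                            ("192.168.1.10", "8.8.8.8", "udp")]:
        print(f"{src} -> {dst} ({proto}): {classify_flow(src, dst, proto, nets)}")
```

Redirect the generated lines into a file and source it inside `configure` on the ERLite; the `classify_flow` calls are the check worth running on a few real destinations before the long commit, since a wrong rule order silently sends the container's own upstream traffic back into table 10.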
Synology configuration
In Control Panel > Network, enable Open vSwitch.
Dockerfile
# Base image: v2fly core v4.34.0 on Alpine; the start script below launches it from /usr/bin/v2ray
FROM v2fly/v2fly-core:v4.34.0
# Point apk at the Aliyun mirror and install iptables, which the image does not ship
RUN echo 'http://mirrors.aliyun.com/alpine/latest-stable/community/'>/etc/apk/repositories && echo 'http://mirrors.aliyun.com/alpine/latest-stable/main/'>>/etc/apk/repositories && apk add --no-cache iptables
# Start script: create nat chain V2RAY, leave 192.168.0.0/16 alone, REDIRECT all other TCP to port 12345 (the dokodemo-door inbound), hook the chain into PREROUTING, then run v2ray
RUN echo -ne "#!/bin/sh\niptables -t nat -N V2RAY\niptables -t nat -A V2RAY -d 192.168.0.0/16 -j RETURN\niptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 12345\niptables -t nat -A PREROUTING -p tcp -j V2RAY\n/usr/bin/v2ray -config /etc/v2ray/config.json" > /opt/setiptables.sh && chmod +x /opt/setiptables.sh && cat /opt/setiptables.sh
CMD ["/bin/sh","/opt/setiptables.sh"]
cd V2Ray/docker #go to the directory containing the Dockerfile
sudo docker build . -t mom0a/v2ray_iptables
sudo docker network create -d macvlan --subnet=192.168.0.0/24 --gateway=192.168.0.254 -o parent=ovs_eth0 Router #create the macvlan network
sudo docker run -itd --network=Router --ip 192.168.0.2 --name v2ray_iptables mom0a/v2ray_iptables #run the container with a fixed IP
Then open the container's edit dialog, tick "Execute container using high privilege" (needed for iptables), and map the v2ray configuration file to /etc/v2ray/config.json.
Reference configuration (GeoSite rules from @Loyalsoldier/v2ray-rules-dat):
{
  "inbounds": [
    {
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "redirect"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    },
    {
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      },
      "tag": "block"
    },
    {
      "tag": "proxy",
      "protocol": "trojan",
      "settings": {
        "servers": [
          {
            "address": "???.???.???.???",
            "port": ?????,
            "password": "????????-????-????-????-????????????"
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "??????????",
          "allowInsecure": false,
          "alpn": [
            "http/1.1"
          ]
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "outboundTag": "block",
        "protocol": ["bittorrent"]
      },
      {
        "type": "field",
        "outboundTag": "block",
        "ip": [
          "0.0.0.0/8",
          "10.0.0.0/8",
          "100.64.0.0/10",
          "127.0.0.0/8",
          "169.254.0.0/16",
          "172.16.0.0/12",
          "192.0.0.0/24",
          "192.0.2.0/24",
          "192.88.99.0/24",
          "192.168.0.0/16",
          "198.18.0.0/15",
          "198.51.100.0/24",
          "203.0.113.0/24",
          "224.0.0.0/4",
          "240.0.0.0/4",
          "255.255.255.255/32",
          "::/128",
          "::1/128",
          "100::/64",
          "64:ff9b::/96",
          "fc00::/7",
          "fe80::/10",
          "ff00::/8"
        ]
      },
      {
        "type": "field",
        "ip": [
          "geoip:telegram"
        ],
        "outboundTag": "proxy"
      },
      {
        "type": "field",
        "domain": [
          "geosite:gfw",
          "geosite:greatfire",
          "geosite:netflix",
          "geosite:bahamut"
        ],
        "outboundTag": "proxy"
      }
    ]
  }
}
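The config and the iptables script in the Dockerfile have to agree with each other: the REDIRECT target port must be a dokodemo-door inbound with followRedirect on, every routing rule must name an outbound tag that exists, and the trojan outbound should keep certificate verification on. The checker below is an added example (not part of the post or of V2Ray itself) that cross-checks those points. It embeds a constructed copy of the post's setiptables.sh and a trimmed copy of the config above with the `?????` server placeholders replaced by labelled dummy values; the server address, port and password shown are not real.

```python
"""Consistency check between a V2Ray transparent-proxy config and the iptables
REDIRECT script. Added example; both inputs below are constructed copies of
what the post shows, with dummy values in place of the server placeholders."""
import json
import re

# Constructed: same five lines the Dockerfile writes to /opt/setiptables.sh.
SETIPTABLES_SH = """#!/bin/sh
iptables -t nat -N V2RAY
iptables -t nat -A V2RAY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A PREROUTING -p tcp -j V2RAY
/usr/bin/v2ray -config /etc/v2ray/config.json
"""

# Constructed: trimmed version of the post's config.json (dummy server values).
CONFIG_JSON = """{
  "inbounds": [{"port": 12345, "protocol": "dokodemo-door",
                "settings": {"network": "tcp", "followRedirect": true},
                "sniffing": {"enabled": true, "destOverride": ["http", "tls"]},
                "streamSettings": {"sockopt": {"tproxy": "redirect"}}}],
  "outbounds": [
    {"protocol": "freedom", "settings": {}},
    {"protocol": "blackhole", "settings": {"response": {"type": "http"}}, "tag": "block"},
    {"tag": "proxy", "protocol": "trojan",
     "settings": {"servers": [{"address": "proxy.example.invalid", "port": 443,
                               "password": "PLACEHOLDER-PASSWORD"}]},
     "streamSettings": {"network": "tcp", "security": "tls",
                        "tlsSettings": {"serverName": "proxy.example.invalid",
                                        "allowInsecure": false, "alpn": ["http/1.1"]}}}
  ],
  "routing": {"domainStrategy": "AsIs", "rules": [
    {"type": "field", "outboundTag": "block", "protocol": ["bittorrent"]},
    {"type": "field", "outboundTag": "block", "ip": ["10.0.0.0/8", "192.168.0.0/16"]},
    {"type": "field", "ip": ["geoip:telegram"], "outboundTag": "proxy"},
    {"type": "field", "domain": ["geosite:gfw", "geosite:greatfire"], "outboundTag": "proxy"}
  ]}
}"""


def redirect_ports(script):
    """Ports the nat script REDIRECTs to; v2ray must have an inbound on each."""
    return {int(p) for p in re.findall(r"REDIRECT --to-ports (\d+)", script)}


def check_config(config_text, script):
    """Return a list of human-readable problems; an empty list means consistent."""
    cfg = json.loads(config_text)
    problems = []

    # 1. Every REDIRECT port needs a dokodemo-door listener, or traffic just times out.
    listen_ports = {ib["port"] for ib in cfg["inbounds"] if ib["protocol"] == "dokodemo-door"}
    for port in sorted(redirect_ports(script) - listen_ports):
        problems.append(f"iptables redirects to {port} but no dokodemo-door inbound listens there")

    # 2. dokodemo-door must recover the original destination from the REDIRECTed socket.
    for ib in cfg["inbounds"]:
        if ib["protocol"] != "dokodemo-door":
            continue
        if not ib["settings"].get("followRedirect"):
            problems.append("dokodemo-door needs followRedirect=true to recover the original destination")
        if ib.get("streamSettings", {}).get("sockopt", {}).get("tproxy") != "redirect":
            problems.append("sockopt.tproxy should be 'redirect' to match the iptables REDIRECT rule")

    # 3. Routing rules may only point at outbounds that actually exist.
    tags = {ob["tag"] for ob in cfg["outbounds"] if ob.get("tag")}
    for i, rule in enumerate(cfg["routing"]["rules"]):
        tag = rule.get("outboundTag")
        if tag is None:
            problems.append(f"routing rule {i} has no outboundTag")
        elif tag not in tags:
            problems.append(f"routing rule {i} points at undefined outbound '{tag}'")

    # 4. TLS to the proxy server must verify the certificate, and placeholders must be filled in.
    for ob in cfg["outbounds"]:
        tls = ob.get("streamSettings", {}).get("tlsSettings", {})
        if tls.get("allowInsecure"):
            problems.append(f"outbound '{ob.get('tag')}' allows insecure TLS (server certificate not verified)")
        if ob["protocol"] == "trojan":
            for srv in ob["settings"]["servers"]:
                if "?" in str(srv.get("address", "")) or "?" in str(srv.get("password", "")):
                    problems.append("trojan server entry still contains unfilled '?' placeholders")
    return problems


if __name__ == "__main__":
    for p in check_config(CONFIG_JSON, SETIPTABLES_SH) or ["config and iptables script are consistent"]:
        print(p)
```

Run it against your own config.json and the script text before starting the container; the port and tag checks catch the two mistakes that otherwise show up only as every LAN connection hanging, and the allowInsecure check is the one that matters for not handing the proxy password to whoever sits in the middle.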
PS: if the Synology itself also needs to go through the proxy, open another inbound in v2ray and set it as the proxy server in the Synology's network settings.
PS2: map geoip.dat and geosite.dat into the /usr/bin directory of the container.
PS3: here is a boot sequence to give you a feel for it (at the 27-minute mark my computer went to sleep; in reality it takes roughly another 10 minutes after that).
PS4: because the node sometimes drops connections for no obvious reason, I needed a fallback group but did not want to configure DNS, so the misshapen V2Ray + Clash combination was born.
PS5: if you don't want to put the Synology on a separate subnet, you can set up a VLAN used only by V2Ray, add a virtual interface for it, and bind the macvlan network to that interface instead.
sudo vim /usr/local/etc/rc.d/00-dockervlan.sh
#!/bin/sh
#
# Put this file in /usr/local/etc/rc.d/your_script.sh
case "$1" in
    stop)
        echo "[Stop]"
        ;;
    start)
        sudo ovs-vsctl add-br ovs_eth0_2 ovs_eth0 2 #VLAN 2 sub-bridge on top of ovs_eth0
        sudo ip link set ovs_eth0_2 up
        ;;
    restart)
        echo "[Restart]"
        ;;
    status)
        echo "[Status]"
        ;;
    *)
        echo "usage: $0 { start | stop | restart | status}" >&2
        exit 1
        ;;
esac
chmod +x /usr/local/etc/rc.d/00-dockervlan.sh