For individual users, ss (shadowsocks) is installed on the phone or on the terminal device. For enterprise users that kind of per-device configuration is troublesome and hard to manage and maintain, so it is better to configure it once at the gateway, or on a server in the intranet that the other hosts point to as their gateway.

Ideas:

1. dnsmasq + ChinaDNS + ss-tunnel solves the DNS pollution problem.
2. ss-redir, together with iptables and ipset, splits domestic and foreign traffic: domestic websites are reached directly, foreign websites go through ss-redir.

Gateway solution analysis:

1. dnsmasq mainly acts as a DNS cache. It forwards DNS requests to ChinaDNS, which sends each request to a domestic DNS server and to ss-tunnel at the same time; ss-tunnel relays it to the ss server. Because the query that goes abroad through ss is not polluted, ChinaDNS receives two replies and can judge whether the result is polluted. In the end dnsmasq gets an unpolluted DNS response.
2. iptables, together with ipset, distinguishes domestic from foreign traffic.

System: Ubuntu 20.0

Install and configure dnsmasq

1. Install dnsmasq:

```shell
apt-get install dnsmasq
```

2. Modify the configuration file /etc/dnsmasq.conf:

```
no-resolv
server=127.0.0.1#5354
```

3. Start dnsmasq:

```shell
service dnsmasq start
```

Install and configure ChinaDNS

1. Refer to ChinaDNS's official documentation.
2. Download ChinaDNS and compile it:

```shell
wget -c https://github.com/shadowsocks/ChinaDNS/releases/download/1.3.2/chinadns-1.3.2.tar.gz
tar -xvf chinadns-1.3.2.tar.gz && cd chinadns-1.3.2
./configure && make
src/chinadns -m -p 5353 -c chnroute.txt &   # only used to test whether chinadns can be started
netstat -ntlpu                               # view the listening ports
```

3. After compilation an executable file chinadns is generated in the src directory; copy it to /usr/local/bin:

```shell
cp ./src/chinadns /usr/local/bin/
```

4. Create a file named chinadns in /etc/init.d/ and copy the following code into it. Remember to execute

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          chinadns
# Required-Start:    $network $local_fs $remote_fs $syslog
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start ChinaDNS at boot time
### END INIT INFO

### Begin Deploy Path
# Put this file at /etc/init.d/
### End Deploy Path

DAEMON=/usr/local/bin/chinadns
DESC=ChinaDNS
NAME=chinadns
PIDFILE=/var/run/$NAME.pid

test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting $DESC: "
    $DAEMON \
      -c /etc/chinadns/chnroute.txt \
      -m \
      -p 5354 \
      -s 114.114.114.114,127.0.0.1:5300 \
      1> /var/log/$NAME.log \
      2> /var/log/$NAME.err.log &
    echo $! > $PIDFILE
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    kill `cat $PIDFILE`
    rm -f $PIDFILE
    echo "$NAME."
    ;;
  restart|force-reload)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0
```

Note: for the `-c /etc/chinadns/chnroute.txt` line (line 18 of the script as originally published), fill in the path according to your own setup.

5. Start/restart/stop chinadns:

```shell
service chinadns start     # start chinadns
service chinadns restart   # restart chinadns
service chinadns stop      # stop chinadns
```

Install and configure shadowsocks-libev (includes ss-redir and ss-tunnel)

1. For the detailed process, refer to the official documentation.
2. Execute the following:

```shell
apt-get install software-properties-common -y
add-apt-repository ppa:max-c-lv/shadowsocks-libev -y
apt-get update
apt install shadowsocks-libev
```

3. Configure /etc/shadowsocks-libev/config.json. Replace 111.111.111.111 with your own VPS server address and change "password" yourself.

```json
{
    "server": "111.111.111.111",
    "server_port": 8388,
    "local_address": "0.0.0.0",
    "local_port": 1080,
    "password": "password",
    "timeout": 60,
    "method": "aes-256-cfb",
    "mode": "tcp_and_udp"
}
```

4. Start ss-tunnel and ss-redir:

```shell
/usr/bin/ss-tunnel -c /etc/shadowsocks-libev/config.json -u -l 5300 -L 8.8.8.8:53 &
/usr/bin/ss-redir -c /etc/shadowsocks-libev/config.json -b 0.0.0.0 -u &
```

Enable forwarding

1. Modify /etc/sysctl.conf and uncomment: net.ipv4.ip_forward=1
2. Execute `sysctl -p` to make it effective.

Configure iptables and ipset

1. Generate the ipset for domestic IP addresses:

```shell
curl -sL http://f.ip.cn/rt/chnroutes.txt | egrep -v '^$|^#' > cidr_cn
# If the download fails, you can use the list shipped with ChinaDNS instead:
# cat /usr/local/src/chinadns-1.3.2/chnroute.txt | egrep -v '^$|^#' > cidr_cn
ipset -N cidr_cn hash:net
for i in `cat cidr_cn`; do echo ipset -A cidr_cn $i >> ipset.sh; done
chmod +x ipset.sh && sudo ./ipset.sh
rm -f ipset.cidr_cn.rules
ipset -S > ipset.cidr_cn.rules
cp ./ipset.cidr_cn.rules /etc/ipset.cidr_cn.rules
```

2. Configure iptables:

```shell
iptables -t nat -N shadowsocks
# Reserved, private and loopback addresses do not go through the proxy
iptables -t nat -A shadowsocks -d 0/8 -j RETURN
iptables -t nat -A shadowsocks -d 127/8 -j RETURN
iptables -t nat -A shadowsocks -d 10/8 -j RETURN
iptables -t nat -A shadowsocks -d 169.254/16 -j RETURN
iptables -t nat -A shadowsocks -d 172.16/12 -j RETURN
iptables -t nat -A shadowsocks -d 192.168/16 -j RETURN
iptables -t nat -A shadowsocks -d 224/4 -j RETURN
iptables -t nat -A shadowsocks -d 240/4 -j RETURN
# The following IPs are LAN devices that must not use the proxy
iptables -t nat -A shadowsocks -s 192.168.2.10 -j RETURN
# Traffic to the shadowsocks server itself does not go through the proxy, otherwise it loops forever.
# Replace 111.111.111.111 with your ss server IP/domain name
iptables -t nat -A shadowsocks -d 111.111.111.111 -j RETURN
# Mainland China addresses do not use the proxy: it is pointless and wastes effort
iptables -t nat -A shadowsocks -m set --match-set cidr_cn dst -j RETURN
# Everything else is redirected to the ss-redir listening port 1080 (the port number is arbitrary, just keep it consistent)
iptables -t nat -A shadowsocks ! -p icmp -j REDIRECT --to-ports 1080
# Send the OUTPUT and PREROUTING chains through the shadowsocks chain
iptables -t nat -A OUTPUT ! -p icmp -j shadowsocks
iptables -t nat -A PREROUTING ! -p icmp -j shadowsocks
```

Set the default gateway

The transparent gateway needs a default next-hop address, that is, where the gateway sends a packet once it has decided the packet's route. In a home LAN this next hop is the router. Note that 192.168.2.1 should be your router's address; on some networks it is 192.168.0.1 or 192.168.1.1, so check your own settings. p2p1 is the network interface name; it may be eth0 on your machine, so check the interface name via `route` first.

```shell
route del default
route add default gw 192.168.2.1 p2p1
```

Set up the router's DNS and DHCP gateway

1. Assuming the transparent gateway's IP address is 192.168.2.2, set the router's DNS to 192.168.2.2.
2. Under the router's DHCP settings, set the intranet gateway to 192.168.2.2.

This is the end of the article about using shadowsocks to build a LAN transparent gateway.
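As an added example (not part of the original article), here is a safer way to build the cidr_cn set from the chnroute list: every line is validated as an IPv4 CIDR and the whole set is loaded in one pass with `ipset restore` instead of one `ipset -A` process per entry. The file paths and the sample feed are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: turn a chnroute-style CIDR list
# into a single `ipset restore` file instead of spawning one `ipset -A` per line
# (thousands of processes), and refuse lines that are not well-formed IPv4 CIDRs
# so a damaged download cannot silently shrink the set.
# Assumptions: set name cidr_cn as in the article; file paths are hypothetical.

CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'

# Keep only well-formed IPv4 CIDR lines of file $1; blank and comment lines are dropped.
valid_cidrs() {
    grep -Ev '^[[:space:]]*($|#)' "$1" | grep -E "$CIDR_RE"
}

# Count non-comment lines of file $1 that are NOT valid CIDRs (0 for a clean feed).
rejected_lines() {
    grep -Ev '^[[:space:]]*($|#)' "$1" | grep -Evc "$CIDR_RE" || true
}

# Write an ipset restore script for set $2 from CIDR file $1 into $3 and print
# the number of entries written. Load it with:  ipset restore < "$3"
# -exist makes both create and add idempotent, so it can be re-run at boot.
build_ipset_restore() {
    in="$1"; set_name="$2"; out="$3"
    {
        echo "create $set_name hash:net -exist"
        valid_cidrs "$in" | while read -r net; do
            echo "add $set_name $net -exist"
        done
    } > "$out"
    grep -c '^add ' "$out" || true
}

# Constructed sample feed (not real chnroute data): two good entries, one junk
# line and one bad prefix length, written to $1.
write_sample_chnroute() {
    printf '%s\n' '# constructed sample' '1.0.1.0/24' '' '14.0.12.0/22' \
        'not-a-cidr' '10.0.0.0/33' > "$1"
}
```

Compare `rejected_lines` against 0 before loading a freshly downloaded list; a non-zero count means the feed changed format or was truncated.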