默认刷入的OpenWrt带的ss, 只有ss-redir服务, 但是在实际使用中, 很多时候还是希望访问直接通过正常网关, 只有少部分访问需要通过ss, 所以希望能配置成为ss-local服务.
在保留原有服务的基础上, 添加一个新的* Client配置界面.
/usr/lib/lua/luci/controller/ 下新增 shadowrock.lua
module("luci.controller.shadowrock", package.seeall)
function index()
entry({)
end
/usr/lib/lua/luci/model/cbi/ 下新增 shadowrock.lua
--[[
* LuCI Configuration Page Customized by RockBB
References:
https://github.com/ravageralpha/my_openwrt_mod - by RA-MOD
http://www.v2ex.com/t/139438 - by imcczy
https://github.com/rssnsj/network-feeds - by Justin Liu
]]--
local m, s, o, e
local fs = require "nixio.fs"
local state_msg = ""
)
if ss_local_on then
state_msg = "<br><b><font color=\"green\">" .. translate("ss-local Running") .. "</font></b>"
else
state_msg = "<br><b><font color=\"red\">" .. translate("ss-local Not running") .. "</font></b>"
end
)
if ss_redir_on then
state_msg = state_msg .. "<br><b><font color=\"green\">" .. translate("ss-redir Running") .. "</font></b>"
else
state_msg = state_msg .. "<br><b><font color=\"red\">" .. translate("ss-redir Not running") .. "</font></b>"
end
)
if ss_tunnel_on then
state_msg = state_msg .. "<br><b><font color=\"green\">" .. translate("ss-tunnel Running") .. "</font></b>"
else
state_msg = state_msg .. "<br><b><font color=\"red\">" .. translate("ss-tunnel Not running") .. "</font></b>"
end
m = Map("shadowrock", translate("*"), translate("* is an encrypted proxy designed to protect your Internet traffic.") .. " - " .. state_msg)
s = m:section(TypedSection, "shadowrock", translate("Global Setting"))
s.addremove = false
s.anonymous = true
-- ---------------------------------------------------
o = s:option(Flag, "use_conf_file", translate("Use Config File"))
o.default =
o.rmempty = false
o = s:option(Value, "config_file", translate("Config File"))
o.placeholder = "/etc/*.json"
o.default = "/etc/*.json"
o.datatype = "file"
o:depends()
o = s:option(Value, "server", translate("Server Address"))
o.datatype = "host"
o:depends("use_conf_file", "")
o = s:option(Value, "server_port", translate("Server Port"))
o.datatype = "port"
o:depends("use_conf_file", "")
o = s:option(Value, "password", translate("Password"))
o.password = true
o:depends("use_conf_file", "")
o = s:option(ListValue, "encrypt_method", translate("Encryption Method"))
o:value("table")
o:value("rc4")
o:value("rc4-md5")
o:value("aes-128-cfb")
o:value("aes-192-cfb")
o:value("aes-256-cfb")
o:value("bf-cfb")
o:value("cast5-cfb")
o:value("des-cfb")
o:value("camellia-128-cfb")
o:value("camellia-192-cfb")
o:value("camellia-256-cfb")
o:value("idea-cfb")
o:value("rc2-cfb")
o:value("seed-cfb")
o:value("salsa20")
o:value("chacha20")
o:depends("use_conf_file", "")
o = s:option(Value, "timeout", translate("Connection Timeout"))
o.datatype = "range(0,3600)"
o.placeholder = "
o:depends("use_conf_file", "")
o = s:option(Flag, "local_enable", translate("Enable Local"))
o.rmempty = false
o = s:option(Value, "ss_local_port", translate("Port"))
o.datatype = "range(1,65535)"
o:depends(")
o = s:option(Flag, "redir_enable", translate("Enable Redirect"))
o.rmempty = false
o = s:option(Value, "ss_redir_port", translate("Port"))
o.datatype = "range(1,65535)"
o:depends(")
ignore_list = s:option(Value, "ignore_list", translate("Proxy Ignore List"))
o = s:option(Value, "ignore_list", translate("Proxy Method"))
o:value("/dev/null", translate("Global Proxy"))
o:value("/etc/*/ignore.list", translate("Ignore List"))
o.default = "/etc/*/ignore.list"
o.rmempty = false
o = s:option(Flag, "udp_relay", translate("Proxy Protocol"))
o = s:option(Flag, "tunnel_enable", translate("Enable"))
o.default =
o.rmempty = false
o = s:option(Value, "tunnel_port", translate("UDP Local Port"))
o.datatype = "port"
o.default =
o.placeholder =
o = s:option(Value, "tunnel_forward",
translate("Forwarding Tunnel"),
translate("Setup a local port forwarding tunnel [addr:port]"))
o.default = "8.8.4.4:53"
o.placeholder = "8.8.4.4:53"
-- LAN Access Control
s = m:section(TypedSection, "shadowrock", translate("LAN Access Control"))
s.anonymous = true
o = s:option(ListValue, "lan_ac_mode", translate("Access Control Mode"))
o:value(", translate("Off"))
o:value(", translate("Whitelist"))
o:value(", translate("Blacklist"))
o.default =
o.rmempty = false
o = s:option(DynamicList, "lan_ac_ip", translate("LAN IP Address"))
o.datatype = "ipaddr"
o:depends()
o:depends()
local apply = luci.http.formvalue("cbi.apply")
if apply then
io.popen("/etc/init.d/shadowrock restart")
end
return m
/etc/config 下新增 shadowrock
config shadowrock
option ignore_list '/etc/chinadns_chnroute.txt'
option lan_ac_mode '
option use_conf_file '
option server_port '
option password 'pwd2016'
option encrypt_method 'aes-256-cfb'
option local_enable '
option ss_local_port '
option server 'milton.somewhere.tv'
option timeout '
/etc/init.d 下新增shadowrock, 需要chmod +x 变为可执行
#!/bin/sh /etc/rc.common
# shadowrock启动脚本,修改自*-spec项目.感谢原作者的辛勤付出
# Copyright (c) GuoGuo <gch981213@gmail.com>
START=
STOP=
SERVICE_USE_PID=
SERVICE_WRITE_PID=
SERVICE_DAEMONIZE=
EXTRA_COMMANDS="rules"
CONFIG_FILE=/var/etc/shadowrock.json
get_config() {
config_get_bool local_enable $ local_enable
config_get_bool redir_enable $ redir_enable
config_get ss_local_port $ ss_local_port '
config_get_bool use_conf_file $ use_conf_file
config_get config_file $ config_file '/etc/shadowrock/config.json'
config_get server $ server
config_get server_port $ server_port
config_get local $ local '0.0.0.0'
config_get ss_redir_port $ ss_redir_port '
config_get password $ password
config_get timeout $ timeout '
config_get encrypt_method $ encrypt_method
config_get ignore_list $ ignore_list '/dev/null'
config_get udp_relay $ udp_relay '
config_get_bool tunnel_enable $ tunnel_enable
config_get tunnel_port $ tunnel_port '
config_get tunnel_forward $ tunnel_forward '8.8.8.8:53'
config_get lan_ac_mode $ lan_ac_mode
config_get lan_ac_ip $ lan_ac_ip
config_get wan_bp_ip $ wan_bp_ip
config_get wan_fw_ip $ wan_fw_ip
config_get ipt_ext $ ipt_ext
}
start_rules() {
local ac_args
if [ -n "$lan_ac_ip" ]; then
case $lan_ac_mode in
) ac_args="w$lan_ac_ip"
;;
) ac_args="b$lan_ac_ip"
;;
esac
fi
/usr/bin/ss-rules \
-c "$CONFIG_FILE" \
-i "$ignore_list" \
-a "$ac_args" \
-b "$wan_bp_ip" \
-w "$wan_fw_ip" \
-e "$ipt_ext" \
-o $udp
return $?
}
start_local() {
service_start /usr/bin/ss-local \
-c "$CONFIG_FILE" \
-b "$local" \
-l "$ss_local_port"
return $?
}
start_redir() {
service_start /usr/bin/ss-redir \
-c "$CONFIG_FILE" \
-b "$local" $udp
return $?
}
start_tunnel() {
service_start /usr/bin/ss-tunnel \
-c "$CONFIG_FILE" \
-b "$local" \
-l "$tunnel_port" \
-L "$tunnel_forward" \
-u
return $?
}
genconf() {
config_load shadowrock
config_foreach get_config shadowrock
[ $local_enable -eq ] && [ $redir_enable -eq ] && [ $tunnel_enable -eq ] && {
echo "Everything are disabled.Exit now."
exit
}
[ ] && udp="-u"
mkdir -p $(dirname $CONFIG_FILE)
]; then
cat $config_file >$CONFIG_FILE
else
: ${server:?}
: ${server_port:?}
: ${password:?}
: ${encrypt_method:?}
cat <<-EOF >$CONFIG_FILE
{
"server": "$server",
"server_port": $server_port,
"local_port": $ss_redir_port,
"password": "$password",
"timeout": $timeout,
"method": "$encrypt_method"
}
EOF
fi
}
boot() {
until iptables-save -t nat | grep -q "^:zone_lan_prerouting"; do
done
start
}
start() {
genconf
[ ] && start_rules && start_redir
[ ] && start_local
[ ] && start_tunnel
}
stop() {
/usr/bin/ss-rules -f
service_stop /usr/bin/ss-local
service_stop /usr/bin/ss-redir
service_stop /usr/bin/ss-tunnel
rm -f $CONFIG_FILE
}
#重启防火墙时重载防火墙规则。
#该函数只会由firewall.include脚本判断存在ss-redir后执行所以不再重启redir
rules() {
genconf
start_rules
}
然后刷新你的luci控制台就能看到新的菜单项目了
在保存配置时, 这个/etc/init.d/shadowrock 脚本会同时在 /var/etc/*.json下写入配置信息, 同时用ss-local启动
启动的程序命令行可以通过 ps w 查看
Update 2017-01-04
如果路由器上已经运行了ss-local, 在局域网里的windows机器上如果再通过ss客户端直接连上ss服务, 容易在服务端出现
/usr/local/bin/ss-server[]: failed to handshake with [IP]
这样的错误, 在多次出现后, IP会被列入blocked list
服务端的ss已经支持One Time Auth, 但是开启后, 只有windows客户端可以连, OpenWrt和iOS的wingy包含的ss可能版本过低, 都只能connect, 但是会被reset, 无法使用.
Update 2017-01-07
在路由器上直接修改lua文件后, 如果需要让更改立即生效, 要删除对应的缓存文件, 可以使用命令
rm -r /tmp/luci-indexcache /tmp/luci-modulecache/