configure transparent proxy with router

Configure transparent proxy with router

Environment:

Router: ASUS ac66u_b1

OS: ASUS Merlin 384.3

Shadowsocks: shadowsocks-libev 3.1 (supports UDP relay)

  1. Install shadowsocks-libev on the VPS and start ss-server with UDP relay enabled (`-u`).

  2. Install ss-redir on the router (Entware must be installed first).

  3. Start ss-redir on the router with `-u` (UDP relay):

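    # ss-redir is the local endpoint that both the TCP REDIRECT rule and the
    # UDP TPROXY rule below hand traffic to (port 1080).
    # Server address, port, cipher and password are read from a JSON config
    # file (-c) instead of being passed as -s/-p/-m/-k, so the password does
    # not show up in `ps` output or in the shell history.  The keys are the
    # same ones ss-server uses (server, server_port, method, password); the
    # "server" entry may be the VPS's IPv6 address as in the original command.
    # -u enables the UDP relay the DNS rules below rely on.
    # -b 0.0.0.0 listens on every interface, so the router's firewall has to
    # keep port 1080 unreachable from the WAN side.
    nohup ss-redir -c [path to shadowsocks config.json] -b 0.0.0.0 -l 1080 -u > /dev/null &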
  4. Enable TPROXY on the router by loading the required kernel modules:

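    # Load the netfilter modules the rules below depend on.  modprobe takes
    # module names, not file names: "xt_TPROXY", not "xt_TPROXY.ko" (the .ko
    # path form is what insmod expects).  The ip_set*/xt_set modules are not
    # used by any rule shown here (no "-m set" match); presumably they are
    # kept for an ipset-based bypass list — drop them if you have none.
    for mod in ip_set ip_set_hash_net ip_set_hash_ip xt_set xt_TPROXY; do
      modprobe "$mod" || echo "modprobe $mod failed" >&2
    done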
  5. Configure iptables:

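    # Each chain is created in one table (nat for the TCP REDIRECT chain,
    # mangle for the UDP MARK/TPROXY chains) and every rule must name that
    # same table.  Nothing here is idempotent: re-running appends duplicate
    # rules and routes, so flush the chains before re-applying.

    # TCP rules
    iptables -t nat -N SHADOWSOCKS_TCP
    # Traffic to the VPS itself must bypass the proxy.  The chain is
    # SHADOWSOCKS_TCP (the original aimed this rule at a non-existent
    # SHADOWSOCKS chain, so the exclusion was never installed; if ss-redir
    # reaches the VPS over IPv4, its own connection would then be redirected
    # back into ss-redir).  An IPv6 connection to the VPS, as in the ss-redir
    # command above, never passes through these IPv4 rules at all.
    iptables -t nat -A SHADOWSOCKS_TCP -d [VPS's ipv4 address] -j RETURN
    # Private, loopback, link-local, multicast and reserved ranges stay local.
    iptables -t nat -A SHADOWSOCKS_TCP -d 0.0.0.0/8 -j RETURN
    iptables -t nat -A SHADOWSOCKS_TCP -d 10.0.0.0/8 -j RETURN
    iptables -t nat -A SHADOWSOCKS_TCP -d 127.0.0.0/8 -j RETURN
    iptables -t nat -A SHADOWSOCKS_TCP -d 169.254.0.0/16 -j RETURN
    iptables -t nat -A SHADOWSOCKS_TCP -d 172.16.0.0/12 -j RETURN
    iptables -t nat -A SHADOWSOCKS_TCP -d 192.168.0.0/16 -j RETURN
    iptables -t nat -A SHADOWSOCKS_TCP -d 224.0.0.0/4 -j RETURN
    iptables -t nat -A SHADOWSOCKS_TCP -d 240.0.0.0/4 -j RETURN
    # Everything else is handed to ss-redir on port 1080.
    iptables -t nat -A SHADOWSOCKS_TCP -p tcp -j REDIRECT --to-ports 1080
    # Inserted at position 1 so it runs before the firmware's own NAT rules.
    # PREROUTING sees every TCP flow entering the router, WAN side included;
    # add an "-i <LAN interface>" match if only LAN clients should be proxied.
    iptables -t nat -I PREROUTING 1 -p tcp -j SHADOWSOCKS_TCP
    # OUTPUT covers the router's own TCP connections.
    iptables -t nat -I OUTPUT 1 -p tcp -j SHADOWSOCKS_TCP

    # UDP rules
    # Packets carrying fwmark 1 are routed through table 100, whose single
    # local route delivers them to this host so TPROXY in PREROUTING can pass
    # them to ss-redir.
    iptables -t mangle -N SHADOWSOCKS_UDP
    iptables -t mangle -N SHADOWSOCKS_MARK
    ip rule add fwmark 1 lookup 100
    ip route add local default dev lo table 100
    # SHADOWSOCKS_MARK lives in the mangle table; the original wrote "-t nat"
    # for this VPS exclusion, which fails because the chain does not exist in
    # nat.
    iptables -t mangle -A SHADOWSOCKS_MARK -d [VPS's ipv4 address] -j RETURN
    iptables -t mangle -A SHADOWSOCKS_MARK -d 0.0.0.0/8 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_MARK -d 10.0.0.0/8 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_MARK -d 127.0.0.0/8 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_MARK -d 169.254.0.0/16 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_MARK -d 172.16.0.0/12 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_MARK -d 192.168.0.0/16 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_MARK -d 224.0.0.0/4 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_MARK -d 240.0.0.0/4 -j RETURN
    # Same table fix for the SHADOWSOCKS_UDP VPS exclusion.
    iptables -t mangle -A SHADOWSOCKS_UDP -d [VPS's ipv4 address] -j RETURN
    iptables -t mangle -A SHADOWSOCKS_UDP -d 0.0.0.0/8 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_UDP -d 10.0.0.0/8 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_UDP -d 127.0.0.0/8 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_UDP -d 169.254.0.0/16 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_UDP -d 172.16.0.0/12 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_UDP -d 192.168.0.0/16 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_UDP -d 224.0.0.0/4 -j RETURN
    iptables -t mangle -A SHADOWSOCKS_UDP -d 240.0.0.0/4 -j RETURN
    # Only DNS is relayed over UDP.  The router's own queries to 8.8.8.8 are
    # marked in OUTPUT and come back through PREROUTING via table 100; any
    # UDP port-53 query reaching PREROUTING is TPROXYed to ss-redir, which has
    # to be reachable on 192.168.50.1 (presumably the router's LAN address —
    # adjust to your own).  The mark value 1 and --tproxy-mark 0x01/0x01 must
    # agree with the "ip rule" above.
    iptables -t mangle -A SHADOWSOCKS_MARK -p udp -d 8.8.8.8 --dport 53 -j MARK --set-mark 1
    iptables -t mangle -A SHADOWSOCKS_UDP -p udp --dport 53 -j TPROXY --on-port 1080 --on-ip 192.168.50.1 --tproxy-mark 0x01/0x01
    iptables -t mangle -A PREROUTING -p udp -j SHADOWSOCKS_UDP
    iptables -t mangle -A OUTPUT -p udp -j SHADOWSOCKS_MARK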