Friday, October 13, 2017

HOW TO: Setup Shadowsocks on LEDE Router with Snapshot ROM and Snapshot Packages (PLAINTEXT EDITION)

## LEDE SNAPSHOT (2017 SEPT OR HIGHER) ROUTER INSTALLATION GUIDE WITH SHADOWSOCKS
## HARDWARE: Xiaomi Mini Wifi Router
## ROM SNAPSHOT DOWNLOAD LINK: https://downloads.lede-project.org/snapshots/targets/ramips/mt7620/
## 

## LEDE SNAPSHOT BASE INSTALLATION ##

## 1. ROUTER CONFIGURATION - GENERIC PACKAGES FOR VPN
## Flash a clean ROM on the router, connect via SSH, then set a password for the router. The following command only sets the password: flashing the ROM is covered in other articles, and connecting via SSH should already be in your tool bag of knowledge.

# Set the login password for the account this SSH session runs as; passwd
# prompts interactively for the new value.
passwd

## Install Packages for Shadowsocks, OpenVPN, and Wireguard.

# LuCI (with HTTPS), the shadowsocks-libev suite and its LuCI app, the
# tproxy/conntrack iptables modules, dnscrypt-proxy, rng-tools, and the
# wget + ca-certificates pair used for the HTTPS downloads further down.
# (Despite the heading above, no OpenVPN or WireGuard package is in this
# list.) Package order is kept as in the original one-liner.
opkg update \
  && opkg install \
    luci luci-ssl-openssl \
    luci-app-shadowsocks-libev shadowsocks-libev-config \
    shadowsocks-libev-ss-local shadowsocks-libev-ss-redir \
    shadowsocks-libev-ss-rules shadowsocks-libev-ss-server \
    shadowsocks-libev-ss-tunnel \
    iptables-mod-conntrack-extra kmod-ipt-tproxy iptables-mod-tproxy \
    dnscrypt-proxy luci-app-dnscrypt-proxy \
    rng-tools ca-certificates wget \
    luci-app-uhttpd luci-app-wifischedule

## OPTIONAL: Manually install Shadowsocks Simple-OBFS onto the router
## Note: Must be behind a VPN because China blocks sourceforge.net

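# Pull the simple-obfs plugin from a third-party mirror over plain HTTP.
# Nothing authenticates it: the transport is clear-text, and opkg's
# signature check covers the feed index rather than a locally supplied
# .ipk (as far as the opkg of this era goes). Compare the file's hash with
# a value obtained out of band before installing, e.g. between the download
# and the install:
#   printf '%s  %s\n' '<SHA256_FROM_TRUSTED_SOURCE>' "$SIMPLEOBFS" | sha256sum -c -
# Expansions are quoted and the cleanup uses `--` so an odd file name can
# never be read as an option.
LEDE='http://openwrt-dist.sourceforge.net/packages/LEDE/base/mipsel_24kc'
SIMPLEOBFS='simple-obfs_0.0.3-2_mipsel_24kc.ipk'
wget -O "$SIMPLEOBFS" "$LEDE/$SIMPLEOBFS" \
  && opkg install "$SIMPLEOBFS" \
  && rm -f -- "$SIMPLEOBFS"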


## Backup Default Configs 

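# Keep pristine copies of the configs this guide rewrites. `mkdir -p` makes
# the step re-runnable (the original failed if the directory already
# existed), and the copies are named consistently -- the original spelled
# the dnscrypt-proxy copy "default.dncrypt-proxy".
backup_dir=/usr/share/default-configs
mkdir -p "$backup_dir" \
  && for cfg in dnscrypt-proxy shadowsocks-libev dhcp network; do
       cp -- "/etc/config/$cfg" "$backup_dir/default.$cfg" || break
     done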

## Set Router HOSTNAME, TIMEZONE, NTP, and CUSTOMIZE LED (Indicates Modification) 

# Hostname, Hong Kong time (POSIX "HKT-8" = UTC+8, plus the zone name) and a
# replaced NTP server list; enable_server='1' additionally lets the router
# serve NTP to the LAN. `uci delete system.ntp.server` fails when the list is
# already empty, which stops this && chain before any server is re-added.
sys='system.@system[0]'
uci set "$sys.hostname=LEDE" \
  && uci set "$sys.timezone=HKT-8" \
  && uci set "$sys.zonename=Asia/Hong Kong" \
  && uci set system.ntp.enable_server='1' \
  && uci delete system.ntp.server \
  && uci add_list system.ntp.server='stdtime.gov.hk' \
  && uci add_list system.ntp.server='time.nist.gov' \
  && uci add_list system.ntp.server='us.pool.ntp.org' \
  && uci add_list system.ntp.server='time.google.com'

# Repurpose the blue status LED as the power indicator -- a visible sign that
# this unit runs the modified firmware. The commit here also writes the
# system settings above.
led='system.led_power'
uci set "$led=led" \
  && uci set "$led.name=power" \
  && uci set "$led.sysfs=miwifi-mini:blue:status" \
  && uci set "$led.default=1" \
  && uci commit


# Enable rngd (from rng-tools, installed above) at boot so it keeps feeding
# the kernel entropy pool; useful ahead of the key generation further down.
service rngd enable


## Configure Wireless Network
## NOTE: Update SSID and Password to your preferred name

# Configure one radio and its default interface: WPA2-PSK with the given
# SSID/key, and country '00' (the world regulatory domain -- set your real
# country code so channel and power limits match local rules).
# Args: radio section, iface section, hwmode, channel, ssid, key
set_radio() {
  uci set "wireless.$1.hwmode=$3" \
    && uci set "wireless.$1.channel=$4" \
    && uci set "wireless.$1.country=00" \
    && uci set "wireless.$2.ssid=$5" \
    && uci set "wireless.$2.encryption=psk2" \
    && uci set "wireless.$2.key=$6"
}

# radio0 = 5 GHz (11a, ch 40), radio1 = 2.4 GHz (11g, ch 11). Both keys are
# placeholders to replace; the second one carries a leading '*' in the
# original and is kept verbatim here. The two calls are independent, as the
# two original command lines were.
set_radio radio0 default_radio0 11a 40 LEDE-AC PASSWORD
set_radio radio1 default_radio1 11g 11 LEDE '*PASSWORD'

# Un-disable both radios and apply. `uci delete` fails if the 'disabled'
# option is already gone, which stops the chain before the network restart.
uci delete wireless.radio0.disabled \
  && uci delete wireless.radio1.disabled \
  && uci commit \
  && service network restart

## Configure LAN IP, Reboot (192.168.99.1 used here)

# Move the LAN to 192.168.99.1 (the rest of the guide assumes this address),
# then reboot; the reboot ends the SSH session, so reconnect on the new IP.
lan_ip='192.168.99.1'
uci set "network.lan.ipaddr=$lan_ip" \
  && uci commit \
  && reboot \
  && exit


## ENABLE HTTPS FOR LUCI WEB CONSOLE 
## Create the myconfig.conf 

# Create the OpenSSL request config from the terminal: `cat` reads stdin
# until Ctrl+D, so everything typed or pasted after this line becomes the
# file. Any existing file at this path is overwritten.
cat > /etc/ssl/myconfig.conf

## Paste the following contents: 

[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
# no interactive prompts: every DN field is taken from this file
prompt              = no
[req_distinguished_name]
C           = US
ST          = CA
L           = LEDE
O           = Home
OU          = Router
# the LAN address configured earlier; change it if you chose another LAN IP
CN          = 192.168.99.1
[v3_req] 
# NOTE(review): keyUsage lacks digitalSignature. TLS clients negotiating an
# ECDHE suite check for it on RSA certificates, so some browsers may reject
# this cert -- confirm with your browser, or add digitalSignature here.
keyUsage           = keyEncipherment, dataEncipherment
extendedKeyUsage   = serverAuth
subjectAltName = @alt_names
[alt_names]
# NOTE(review): an IP literal is not a valid dNSName; IP.1 below is the entry
# clients match when they connect by address, so DNS.1 can likely be dropped.
DNS.1 = 192.168.99.1
IP.1 = 192.168.99.1

## Ctrl+d to exit and commit the text.

## Generate the keys 

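# Generate a 2048-bit RSA key and a two-year self-signed cert from
# myconfig.conf, then point uhttpd at them and force HTTP -> HTTPS.
# The key is written unencrypted (-nodes). OpenSSL builds of this era create
# it with the current umask, so the key is generated under umask 077 and
# pinned to 0600 before uhttpd is reconfigured. The cert is self-signed and
# names the LAN IP only, so browsers warn until it is imported as trusted and
# it is valid only when LuCI is reached by that address.
(umask 077 \
  && openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
       -keyout /etc/ssl/mycert.key -out /etc/ssl/mycert.crt \
       -config /etc/ssl/myconfig.conf) \
  && chmod 600 /etc/ssl/mycert.key \
  && uci set uhttpd.main.redirect_https='1' \
  && uci set uhttpd.main.cert='/etc/ssl/mycert.crt' \
  && uci set uhttpd.main.key='/etc/ssl/mycert.key' \
  && uci commit \
  && service uhttpd restart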

## Setup DNSCRYPT-PROXY for DNS Resolution
## Updates Resolver List (/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv) 

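# Refresh dnscrypt-proxy's resolver list. The original moved the stock list
# aside and then downloaded straight over the live path, which leaves an
# empty list (and no working resolvers) if the download fails. Here the
# download lands in a temp file and replaces the list only when it completed
# and is non-empty; otherwise the live file is untouched. The list is pinned
# to upstream's master branch and trusted on the strength of the TLS
# connection alone (wget + ca-certificates from the package step); upstream
# also published a detached minisign signature for it at the time, worth
# verifying if the minisign tool is available.
resolvers_dir=/usr/share/dnscrypt-proxy
resolvers="$resolvers_dir/dnscrypt-resolvers.csv"
if tmp=$(mktemp) \
   && wget -O "$tmp" 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' \
   && [ -s "$tmp" ]; then
  # keep the first (stock) copy; do not overwrite it on a re-run
  [ -e "$resolvers_dir/default.dnscrypt-resolvers" ] \
    || cp -- "$resolvers" "$resolvers_dir/default.dnscrypt-resolvers"
  # mktemp creates the file 0600; widen it so a non-root dnscrypt-proxy can read it
  chmod 644 "$tmp" && mv -- "$tmp" "$resolvers"
  # second copy of the stock config (the same file was already saved under
  # /usr/share/default-configs earlier in the guide); name kept as written
  cp /etc/config/dnscrypt-proxy /etc/config/default.dncrypt-proxy
else
  printf 'resolver list download failed; keeping %s\n' "$resolvers" >&2
  [ -n "${tmp:-}" ] && rm -f -- "$tmp"
fi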

## Add Server #1 

# First dnscrypt-proxy instance: listens on loopback port 5353 and talks to
# the 'cisco' entry of the resolver CSV; the resolver name must match a row
# in that file. syslog='1' sends its log to syslog.
ns='dnscrypt-proxy.ns1'
uci set "$ns=dnscrypt-proxy" \
  && uci set "$ns.address=127.0.0.1" \
  && uci set "$ns.port=5353" \
  && uci set "$ns.resolver=cisco" \
  && uci set "$ns.resolvers_list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv" \
  && uci set "$ns.syslog=1" \
  && uci commit dnscrypt-proxy

## Add Server #2 

# Second dnscrypt-proxy instance on loopback port 5454, using the
# 'fvz-anyone' row of the same resolver CSV; having two independent
# resolvers gives dnsmasq a fallback if one goes dark.
ns='dnscrypt-proxy.ns2'
uci set "$ns=dnscrypt-proxy" \
  && uci set "$ns.address=127.0.0.1" \
  && uci set "$ns.port=5454" \
  && uci set "$ns.resolver=fvz-anyone" \
  && uci set "$ns.resolvers_list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv" \
  && uci set "$ns.syslog=1" \
  && uci commit dnscrypt-proxy

## Enable and Start the Service

# Start dnscrypt-proxy now and at every boot; the start is skipped if
# enabling fails.
if service dnscrypt-proxy enable; then
  service dnscrypt-proxy start
fi

## Configure DNSMASQ 
## Server list 

# dnsmasq forwards only to the two local dnscrypt listeners (5353/5454) and
# to 127.0.0.1#1100. noresolv='1' stops it from also using the upstream
# resolvers from /etc/resolv.conf (the ones the WAN hands out), so LAN
# lookups never leave unencrypted; nohosts='1' stops it serving /etc/hosts.
# NOTE(review): 1100 is the shadowsocks 'hi' listener's local_port later in
# this guide; whether a plain DNS query to that port gets an answer is not
# shown here -- confirm with a lookup after the reboot.
dm='dhcp.@dnsmasq[0]'
uci add_list "$dm.server=127.0.0.1#5353" \
  && uci add_list "$dm.server=127.0.0.1#5454" \
  && uci add_list "$dm.server=127.0.0.1#1100" \
  && uci set "$dm.noresolv=1" \
  && uci set "$dm.nohosts=1" \
  && uci commit dhcp \
  && reboot \
  && exit

## SHADOWSOCKS-LIBEV CONFIGURATION ##

## REMOVE UN-NEEDED CONFIGS

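# Drop the sample sections the package ships with; only 'hi' and 'sss0' are
# kept (ss_rules is recreated further down). Each delete runs independently,
# as in the original, so one missing section does not stop the others. The
# section names are quoted: an unquoted '@ss_local[0]' is a glob pattern and
# would be rewritten by the shell if a matching file existed in the cwd.
for section in '@ss_local[0]' '@ss_tunnel[0]' hj ss_rules '@ss_server[0]'; do
  uci delete "shadowsocks-libev.$section"
done
uci commit shadowsocks-libev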

## UPDATE CONFIG SS-HI (CUSTOM, CHECK THE FAST OPEN AND MODE SETTINGS ESPECIALLY)

# Local instance 'hi', pointed at remote server 'sss0' and referenced later
# as the redirect target for TCP and UDP. local_address 0.0.0.0 binds port
# 1100 on every interface, WAN included: the redirect rules need it reachable
# on the LAN side, so exposure upstream rests on the firewall's WAN zone
# INPUT policy -- confirm it is reject/drop (the LEDE default). fast_open
# needs TCP Fast Open support in the kernel and on the server; verbose=1
# raises log verbosity. Each `uci set` runs independently, as in the original.
for opt in server=sss0 local_address=0.0.0.0 local_port=1100 \
           mode=tcp_and_udp timeout=480 fast_open=1 verbose=1 reuse_port=1; do
  uci set "shadowsocks-libev.hi.$opt"
done
uci delete shadowsocks-libev.hi.disabled
uci commit shadowsocks-libev

## CONFIG SS REMOTE SERVER (CUSTOM, YOUR REMOTE SERVER)

# Remote server 'sss0': address and password are placeholders to fill in.
# rc4-md5 is a broken stream cipher kept only for compatibility; the AEAD
# methods shadowsocks-libev offers (e.g. chacha20-ietf-poly1305, aes-256-gcm)
# authenticate the stream and are the ones to use. The method must match the
# server side, so change both ends together. Each `uci set` runs
# independently, as in the original.
srv='shadowsocks-libev.sss0'
for opt in server='###.###.###.###' \
           method=rc4-md5 \
           password='**************************' \
           server_port=443; do
  uci set "$srv.$opt"
done
uci delete "$srv.disabled"
uci commit shadowsocks-libev

## Optional - Settings for OBFS

# simple-obfs (installed as 'obfs-local' in the optional step above) wraps
# the connection in HTTP-looking traffic with the given Host header. This is
# obfuscation only -- confidentiality still rests entirely on the sss0
# cipher -- and the server must run the matching obfs plugin.
srv='shadowsocks-libev.sss0'
uci set "$srv.plugin=obfs-local"
uci set "$srv.plugin_opts=obfs=http;obfs-host=cloudflare.net"
uci commit shadowsocks-libev

## CONFIG SS FORWARDING RULES (UNIVERSAL)

# Transparent-proxy rules: LAN clients in 192.168.99.0/24 arriving on br-lan
# have TCP and UDP redirected through the 'hi' instance, and the three
# *_default options set the fallthrough to 'forward' (proxy) for local,
# source and destination matches not covered by a list. So every LAN flow
# goes through the tunnel; the China route list downloaded below is not yet
# referenced by this config. Each `uci set` runs independently, as in the
# original.
rules='shadowsocks-libev.ss_rules'
uci set "$rules=ss_rules"

for opt in src_ips_forward=192.168.99.0/24 redir_tcp=hi redir_udp=hi \
           local_default=forward ifnames=br-lan src_default=forward \
           dst_default=forward; do
  uci set "$rules.$opt"
done
uci delete "$rules.disabled"
uci commit shadowsocks-libev
service shadowsocks-libev reload

## Download China bypass list (For Future Enhancement)

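# Build the CN IPv4 route list from APNIC's delegation file: $4 is the
# network and $5 the address count, so the prefix length is 32 - log2($5).
# The download and the filtered output go to temp files, and the list is
# replaced only when both the fetch and the filter succeeded and produced
# output -- the original wrote through the pipe straight into the live file,
# so a failed download left an empty list behind. The prefix length is
# rounded (int(x + 0.5)) rather than truncated: log($5)/log(2) can come back
# a hair under an integer for a power of two, and %d would then emit a
# prefix one bit shorter than intended (a wider block).
apnic_tmp=$(mktemp) && routes_tmp=$(mktemp) \
  && wget -O "$apnic_tmp" 'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' \
  && awk -F'|' '/CN\|ipv4/ { printf("%s/%d\n", $4, int(32 - log($5)/log(2) + 0.5)) }' \
       "$apnic_tmp" > "$routes_tmp" \
  && [ -s "$routes_tmp" ] \
  && chmod 644 "$routes_tmp" \
  && mv -- "$routes_tmp" /etc/chinadns_chnroute.txt
rm -f -- "$apnic_tmp" "$routes_tmp"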

## Add some Scheduled Tasks to CRONTABS
## Add these in the LUCI webapp…until I figure out the command line

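# 05:00 daily: reboot the router (the touch refreshes /etc/banner's mtime first).
0 5 * * * sleep 70 && touch /etc/banner && reboot
# Every two hours: reload shadowsocks-libev.
0 */2 * * * /etc/init.d/shadowsocks-libev reload
# 04:05 on Sundays: rebuild the CN route list. The download and the filtered
# output go to temp files and the list is replaced only when the fetch and the
# awk filter both succeeded, so a failed fetch no longer leaves an empty list
# behind; int(x + 0.5) rounds the prefix length instead of truncating it.
# NOTE(review): Vixie-style crond turns an unescaped '%' in the command field
# into a newline, which would break the printf format; confirm busybox crond
# (LEDE's default) runs this line as written, or move the command into a
# script and call the script from here.
5 4 * * 0 t=$(mktemp) && wget -O "$t" 'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' && awk -F'|' '/CN\|ipv4/ { printf("%s/%d\n", $4, int(32 - log($5)/log(2) + 0.5)) }' "$t" > "$t.out" && [ -s "$t.out" ] && chmod 644 "$t.out" && mv "$t.out" /etc/chinadns_chnroute.txt; rm -f "$t" "$t.out"
# 05:10 on the 1st: refresh the dnscrypt resolver list the same way. chmod 644
# because mktemp creates the file 0600 and a non-root dnscrypt-proxy must read it.
10 5 1 * * t=$(mktemp) && wget -O "$t" 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' && [ -s "$t" ] && chmod 644 "$t" && mv "$t" /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv; rm -f "$t"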