## LEDE SNAPSHOT (2017 SEPT OR HIGHER) ROUTER INSTALLATION GUIDE WITH SHADOWSOCKS
## HARDWARE: Xiaomi Mini Wifi Router
## ROM SNAPSHOT DOWNLOAD LINK: https://downloads.lede-project.org/snapshots/targets/ramips/mt7620/
##
## LEDE SNAPSHOT BASE INSTALLATION ##
## 1. ROUTER CONFIGURATION - GENERIC PACKAGES FOR VPN
## Flash a clean ROM on the router, connect via SSH, then set a password for router...the following command is just to set the password for the router since flashing the ROM is covered in other articles and connecting via SSH should already be in your tool bag of knowledge.
passwd
## Install Packages for Shadowsocks, OpenVPN, and Wireguard.
opkg update && opkg install luci luci-ssl-openssl luci-app-shadowsocks-libev shadowsocks-libev-config shadowsocks-libev-ss-local shadowsocks-libev-ss-redir shadowsocks-libev-ss-rules shadowsocks-libev-ss-server shadowsocks-libev-ss-tunnel iptables-mod-conntrack-extra kmod-ipt-tproxy iptables-mod-tproxy dnscrypt-proxy luci-app-dnscrypt-proxy rng-tools ca-certificates wget luci-app-uhttpd luci-app-wifischedule
## OPTIONAL: Manually install Shadowsocks Simple-OBFS onto the router
## Note: Must be behind a VPN because China blocks sourceforge.net
LEDE=http://openwrt-dist.sourceforge.net/packages/LEDE/base/mipsel_24kc && SIMPLEOBFS=simple-obfs_0.0.3-2_mipsel_24kc.ipk && wget $LEDE/$SIMPLEOBFS && opkg install $SIMPLEOBFS && rm $SIMPLEOBFS
## Backup Default Configs
mkdir /usr/share/default-configs && cp /etc/config/dnscrypt-proxy /usr/share/default-configs/default.dncrypt-proxy && cp /etc/config/shadowsocks-libev /usr/share/default-configs/default.shadowsocks-libev && cp /etc/config/dhcp /usr/share/default-configs/default.dhcp && cp /etc/config/network /usr/share/default-configs/default.network
## Set Router HOSTNAME, TIMEZONE, NTP, and CUSTOMIZE LED (Indicates Modification)
uci set system.@system[0].hostname='LEDE' && uci set system.@system[0].timezone='HKT-8' && uci set system.@system[0].zonename='Asia/Hong Kong' && uci set system.ntp.enable_server='1' && uci delete system.ntp.server && uci add_list system.ntp.server='stdtime.gov.hk' && uci add_list system.ntp.server='time.nist.gov' && uci add_list system.ntp.server='us.pool.ntp.org' && uci add_list system.ntp.server='time.google.com'
uci set system.led_power=led && uci set system.led_power.name='power' && uci set system.led_power.sysfs='miwifi-mini:blue:status' && uci set system.led_power.default='1' && uci commit
service rngd enable
## Configure Wireless Network
## NOTE: Update SSID and Password to your preferred name
uci set wireless.radio0.hwmode='11a' && uci set wireless.radio0.channel='40' && uci set wireless.radio0.country='00' && uci set wireless.default_radio0.ssid='LEDE-AC' && uci set wireless.default_radio0.encryption='psk2' && uci set wireless.default_radio0.key='PASSWORD'
uci set wireless.radio1.hwmode='11g' && uci set wireless.radio1.channel='11' && uci set wireless.radio1.country='00' && uci set wireless.default_radio1.ssid='LEDE' && uci set wireless.default_radio1.encryption='psk2' && uci set wireless.default_radio1.key='*PASSWORD'
uci delete wireless.radio0.disabled && uci delete wireless.radio1.disabled && uci commit && service network restart
## Configure LAN IP, Reboot (192.168.99.1 used here)
uci set network.lan.ipaddr='192.168.99.1' && uci commit && reboot && exit
## ENABLE HTTPS FOR LUCI WEB CONSOLE
## Create the myconfig.conf
cat > /etc/ssl/myconfig.conf
## Paste the following contents:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = CA
L = LEDE
O = Home
OU = Router
CN = 192.168.99.1
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = 192.168.99.1
IP.1 = 192.168.99.1
## Ctrl+d to exit and commit the text.
## Generate the keys
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/mycert.key -out /etc/ssl/mycert.crt -config /etc/ssl/myconfig.conf && uci set uhttpd.main.redirect_https='1' && uci set uhttpd.main.cert='/etc/ssl/mycert.crt' && uci set uhttpd.main.key='/etc/ssl/mycert.key' && uci commit && service uhttpd restart
## Setup DNSCRYPT-PROXY for DNS Resolution
## Updates Resolver List (/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv)
mv /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv /usr/share/dnscrypt-proxy/default.dnscrypt-resolvers ; wget -O- 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' > /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv && cp /etc/config/dnscrypt-proxy /etc/config/default.dncrypt-proxy
## Add Server #1
uci set dnscrypt-proxy.ns1=dnscrypt-proxy && uci set dnscrypt-proxy.ns1.address='127.0.0.1' && uci set dnscrypt-proxy.ns1.port='5353' && uci set dnscrypt-proxy.ns1.resolver='cisco' && uci set dnscrypt-proxy.ns1.resolvers_list='/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv' && uci set dnscrypt-proxy.ns1.syslog='1' && uci commit dnscrypt-proxy
## Add Server #2
uci set dnscrypt-proxy.ns2=dnscrypt-proxy && uci set dnscrypt-proxy.ns2.address='127.0.0.1' && uci set dnscrypt-proxy.ns2.port='5454' && uci set dnscrypt-proxy.ns2.resolver='fvz-anyone' && uci set dnscrypt-proxy.ns2.resolvers_list='/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv' && uci set dnscrypt-proxy.ns2.syslog='1' && uci commit dnscrypt-proxy
## Enable and Start the Service
service dnscrypt-proxy enable && service dnscrypt-proxy start
## Configure DNSMASQ
## Server list
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5353' && uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5454' && uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#1100' && uci set dhcp.@dnsmasq[0].noresolv='1' && uci set dhcp.@dnsmasq[0].nohosts='1' && uci commit dhcp && reboot && exit
## SHADOWSOCKS-LIBEV CONFIGURATION ##
## REMOVE UN-NEEDED CONFIGS
uci delete shadowsocks-libev.@ss_local[0]
uci delete shadowsocks-libev.@ss_tunnel[0]
uci delete shadowsocks-libev.hj
uci delete shadowsocks-libev.ss_rules
uci delete shadowsocks-libev.@ss_server[0]
uci commit shadowsocks-libev
## UPDATE CONFIG SS-HI (CUSTOM, CHECK THE FAST OPEN AND MODE SETTINGS ESPECIALLY)
uci set shadowsocks-libev.hi.server='sss0'
uci set shadowsocks-libev.hi.local_address='0.0.0.0'
uci set shadowsocks-libev.hi.local_port='1100'
uci set shadowsocks-libev.hi.mode='tcp_and_udp'
uci set shadowsocks-libev.hi.timeout='480'
uci set shadowsocks-libev.hi.fast_open='1'
uci set shadowsocks-libev.hi.verbose='1'
uci set shadowsocks-libev.hi.reuse_port='1'
uci delete shadowsocks-libev.hi.disabled
uci commit shadowsocks-libev
## CONFIG SS REMOTE SERVER (CUSTOM, YOUR REMOTE SERVER)
uci set shadowsocks-libev.sss0.server='###.###.###.###'
uci set shadowsocks-libev.sss0.method='rc4-md5'
uci set shadowsocks-libev.sss0.password='**************************'
uci set shadowsocks-libev.sss0.server_port='443'
uci delete shadowsocks-libev.sss0.disabled
uci commit shadowsocks-libev
## Optional - Settings for OBFS
uci set shadowsocks-libev.sss0.plugin='obfs-local'
uci set shadowsocks-libev.sss0.plugin_opts='obfs=http;obfs-host=cloudflare.net'
uci commit shadowsocks-libev
## CONFIG SS FORWARDING RULES (UNIVERSAL)
uci set shadowsocks-libev.ss_rules=ss_rules
uci set shadowsocks-libev.ss_rules.src_ips_forward='192.168.99.0/24'
uci set shadowsocks-libev.ss_rules.redir_tcp='hi'
uci set shadowsocks-libev.ss_rules.redir_udp='hi'
uci set shadowsocks-libev.ss_rules.local_default='forward'
uci set shadowsocks-libev.ss_rules.ifnames='br-lan'
uci set shadowsocks-libev.ss_rules.src_default='forward'
uci set shadowsocks-libev.ss_rules.dst_default='forward'
uci delete shadowsocks-libev.ss_rules.disabled
uci commit shadowsocks-libev
service shadowsocks-libev reload
## Download China bypass list (For Future Enhancement)
wget -O- 'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/chinadns_chnroute.txt
## Add some Scheduled Tasks to CRONTABS
## Add these in the LUCI webapp…until I figure out the command line
0 5 * * * sleep 70 && touch /etc/banner && reboot
0 */2 * * * /etc/init.d/shadowsocks-libev reload
5 4 * * 0 wget -O- 'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/chinadns_chnroute.txt
10 5 1 * * wget -O- 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' > /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
-
After connecting my iDRAC ports to the network and connecting to the webpage using the IP address in Internet Explorer, I needed to login.....
-
The Xiaomi Mini wifi router has a low price and spacious ROM (16MB) and RAM (128MB) for easily supporting a VPN service on a OpenWRT/LEDE ... -
UPDATE: I am writing a SSH version of this document since it's much easier to run commands that way. Please see that document HERE . ...