Goal:
There is an article on the Xiaomi forum about reaching the open Internet through a VPN. I tested it myself and it does not work on the latest firmware (0.7.63) of the Xiaomi Router Mini. After some digging I worked out the basics of how the router's routing tables work, rewrote the script, and am sharing it here.
1. Enable SSH on the router: https://d.miwifi.com/rom/ssh
2. Log in to the router and, before connecting the VPN, look at the default routing setup. Run `ip rule list`; you can see that the router has three routing tables:
```
root@XiaoQiang:~# ip rule list
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
```
Of these, local holds a few local routes and default is empty; the `route add` or `route del` commands we normally run operate on the main table by default.
```
ip route list
ip route list table main
```
These two commands have the same effect and show the contents of the main table:
```
root@XiaoQiang:~# ip route list
121.35.148.1 dev pppoe-wan proto kernel scope link src 121.35.148.36
192.168.31.0/24 dev br-lan proto kernel scope link src 192.168.31.1
default via 121.35.148.1 dev pppoe-wan proto static
default via 121.35.148.1 dev pppoe-wan metric 50
```
As you can see, the default route sends all traffic out through the pppoe-wan device; dial-up Internet connections generally use the PPPoE protocol.
3. Connect the VPN and see how the routing changes. Run `ip rule list` again; there are now many more rules:
```
root@XiaoQiang:/etc/ppp# ip rule list
0:	from all lookup local
32759:	from all to 202.96.128.86 lookup vpn
32760:	from all to 202.96.134.33 lookup vpn
32761:	from all to 8.8.4.4 lookup vpn
32762:	from all to 8.8.8.8 lookup vpn
32763:	from all to 8.8.4.4 lookup vpn
32764:	from all to 8.8.8.8 lookup vpn
32765:	from 192.168.31.0/24 lookup vpn
32766:	from all lookup main
32767:	from all lookup default
```
The rule with priority 32765 means that all traffic coming from the LAN looks up the vpn table, and this rule takes precedence over the rule that looks up main (a lower priority number is matched first).
Now look at what is in this vpn table by running `ip route list table vpn`:
```
root@XiaoQiang:/etc/ppp# ip route list table vpn
192.168.31.0/24 dev br-lan scope link
default dev pptp-vpn scope link
```
As you can see, the vpn table contains a default route that sends all traffic through the VPN.
4. Selective ("smart") routing. To route selectively, first remove the default behaviour so that no traffic goes through the VPN at all, then send only traffic for chosen destination IPs through the VPN as needed. Run the following to delete every rule that looks up the vpn table:
```
vpn_rule_ids=`ip rule list | grep 'lookup vpn' | sed 's/://g' | awk '{print $1}'`
for rule_id in $vpn_rule_ids
do
    ip rule del prio $rule_id
done
```
Then, according to your own needs, manually add the IP ranges that should go through the VPN:
```
# Google DNS and OpenDNS
route add -host 8.8.8.8 dev pptp-vpn
route add -host 8.8.4.4 dev pptp-vpn
route add -host 208.67.222.222 dev pptp-vpn
route add -host 208.67.220.220 dev pptp-vpn
# www.dropbox.com
route add -net 199.47.217.0/24 dev pptp-vpn
# www.facebook.com
route add -net 69.171.228.0/24 dev pptp-vpn
route add -net 173.252.0.0/16 dev pptp-vpn
route add -net 184.51.198.0/24 dev pptp-vpn
route add -net 31.13.0.0/16 dev pptp-vpn
route add -net 72.246.189.0/24 dev pptp-vpn
route add -net 69.192.4.0/24 dev pptp-vpn
# for Google
route add -net 74.125.0.0/16 dev pptp-vpn
route add -net 173.194.0.0/16 dev pptp-vpn
route add -net 59.24.3.0/24 dev pptp-vpn
route add -net 198.144.96.0/24 dev pptp-vpn
route add -net 216.58.192.0/24 dev pptp-vpn
```
With that, the router routes selectively.
5. Re-apply the setup automatically after a reboot. Create the file /etc/ppp/vpn-init.sh with the following contents:
```
#!/bin/sh
# Wait for the VPN interface and its rules to be fully set up before changing them.
sleep 15
# Remove every policy rule that sends traffic to the vpn table.
vpn_rule_ids=`ip rule list | grep 'lookup vpn' | sed 's/://g' | awk '{print $1}'`
for rule_id in $vpn_rule_ids
do
    ip rule del prio $rule_id
done
# Google DNS and OpenDNS
route add -host 8.8.8.8 dev pptp-vpn
route add -host 8.8.4.4 dev pptp-vpn
route add -host 208.67.222.222 dev pptp-vpn
route add -host 208.67.220.220 dev pptp-vpn
# www.dropbox.com
route add -net 199.47.217.0/24 dev pptp-vpn
# www.facebook.com
route add -net 69.171.228.0/24 dev pptp-vpn
route add -net 173.252.0.0/16 dev pptp-vpn
route add -net 184.51.198.0/24 dev pptp-vpn
route add -net 31.13.0.0/16 dev pptp-vpn
route add -net 72.246.189.0/24 dev pptp-vpn
route add -net 69.192.4.0/24 dev pptp-vpn
# for Google
route add -net 74.125.0.0/16 dev pptp-vpn
route add -net 173.194.0.0/16 dev pptp-vpn
route add -net 59.24.3.0/24 dev pptp-vpn
route add -net 198.144.96.0/24 dev pptp-vpn
route add -net 64.233.189.0/24 dev pptp-vpn
route add -net 216.58.128.0/17 dev pptp-vpn
```
Create /etc/ppp/vpnup.sh with the following contents:
```
#!/bin/sh
# Run the route setup in the background so the VPN-up hook returns immediately.
/etc/ppp/vpn-init.sh &
```
The /etc/ppp/vpnup.sh script is executed automatically after the VPN connects.
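As an added example (not part of the original post), the following POSIX shell functions do the parsing behind steps 4 and 5 in a form that can be checked before anything is changed on the router: they read `ip rule list` or `ip route list` text from stdin, list the priorities of rules that point at the vpn table, emit the deletion commands for review instead of running them, and check for two states worth verifying before and after the change. `SAMPLE_RULES` and `SAMPLE_MAIN` are constructed samples modelled on the listings above; the interface name pptp-vpn and the table name vpn are taken from the page.

```shell
#!/bin/sh
# Added example: offline checks for the policy-routing change described above.
# Constructed sample of `ip rule list` right after the PPTP VPN comes up.
SAMPLE_RULES='0:      from all lookup local
32759:  from all to 202.96.128.86 lookup vpn
32760:  from all to 202.96.134.33 lookup vpn
32761:  from all to 8.8.4.4 lookup vpn
32762:  from all to 8.8.8.8 lookup vpn
32765:  from 192.168.31.0/24 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample of `ip route list` (main table) on the PPPoE uplink.
SAMPLE_MAIN='121.35.148.1 dev pppoe-wan proto kernel scope link src 121.35.148.36
192.168.31.0/24 dev br-lan proto kernel scope link src 192.168.31.1
default via 121.35.148.1 dev pppoe-wan proto static'

# Print the priority of every rule that sends traffic to the "vpn" table.
# Same job as the page's grep|sed|awk pipeline, but awk splits on the colon
# directly, so the priority is taken from the field before it and nothing else.
vpn_rule_prios() {
    awk -F: '/lookup vpn/ { print $1 }'
}

# Emit (not run) one `ip rule del prio N` per matching rule, so the change can
# be reviewed first; pipe the output into `sh` to apply it.
delete_cmds() {
    vpn_rule_prios | awk '{ print "ip rule del prio " $1 }'
}

# Succeed (exit 0) if some rule still sends a whole source prefix, i.e. the LAN,
# through the vpn table rather than only single destination hosts. After the
# deletion this should fail; if it succeeds, the split tunnel is not in effect.
lan_forced_via_vpn() {
    grep -q -E '^[0-9]+:[[:space:]]+from [0-9./]+ lookup vpn'
}

# Succeed if the main table's default route itself leaves via the VPN
# interface: then the box is full-tunnel and the per-prefix routes add nothing.
main_default_is_vpn() {
    grep -q -E '^default .*dev pptp-vpn'
}

# Number of rules that would be deleted; a sanity check before applying.
count_vpn_rules() {
    vpn_rule_prios | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_RULES" | delete_cmds
printf 'rules to delete: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | count_vpn_rules)"
```

On the router, feed the functions live output instead of the samples: `ip rule list | delete_cmds` prints what would be removed, `ip rule list | delete_cmds | sh` applies it, and afterwards `ip rule list | lan_forced_via_vpn` should fail, confirming that LAN traffic is no longer forced into the vpn table while `ip route list | main_default_is_vpn` failing confirms that only the explicitly added prefixes go through pptp-vpn.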
6. Protect DNS resolution against poisoning. Edit /etc/hosts and add the domains whose resolution is easily poisoned, for example:
```
216.58.196.35 www.google.com
216.58.196.35 www.google.com.hk
# add more yourself as needed
```
After adding them, restart the DNS service:
```
/etc/init.d/dnsmasq restart
```
Source: http://segmentfault.com/a/1190000002494059