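I'm a terminal case of Stockholm syndrome, enough said; the GFW should probably give me an award. Using the ss-libev that the previous post struggled to build for the Netcore Q3, we'll now use it to tunnel back into China… orz

This world is cruel …

This post is just messing around. There are no free VPSes in China; the one from Wanwang that is free for 2 years still requires ICP filing and buying a domain, and the usable foreign ones mostly cost money too (hold on, I want to tunnel back into China, so a foreign one obviously won't do). So putting it on a router located in China should probably work?

- First, connect back to the router in China and have a look

For convenience, add the key from ~/.ssh/id_rsa.pub to Authorized Keys under Tomato's Administration page so that no password is needed. After enabling jffs, check how much space is left:

```
$ ssh root@router-in-China -p your-port
root@unknown:/tmp/home/root# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 5.4M      5.4M         0 100% /
tmpfs                    30.0M    520.0K     29.5M   2% /tmp
devfs                    30.0M         0     30.0M   0% /dev
/dev/mtdblock3            1.4M    196.0K      1.2M  13% /jffs
# Hardly any space left; copy the server over first, luckily it's only 100k
$ scp -P your-port ~/tomato/ss-install/bin/ss-server root@router-in-China:/home/root
```

Start it in the foreground to see whether it comes up properly:

```
ss-server -s router-in-China -p your-port -k your-password -m aes-256-cfb
```

* The ss I compiled apparently can't find the MD5 symbol, so the default TABLE and RC4-MD5 ciphers are unusable; I haven't looked further into why.

I tried again later and it seemed fine, no idea why.

```
root@unknown:/tmp/home/root# ss-server -s xxx.com -p 8388 -k xxx
 2015-09-10 11:36:15 INFO: initialize ciphers... table
ss-server: can't resolve symbol 'MD5' in lib 'ss-server'.
```

Testing showed that the static build doesn't have this problem; probably some of the library files used when compiling the dynamic build differ from the ones shipped on the router. Never mind, I won't be using the default table cipher anyway.

Once everything checks out, you can put the settings in a configuration file:

```
mkdir -p /etc/shadowsocks
vi /etc/shadowsocks/config.json
```

Configuration file contents:

```
{
    "server":"my_server_ip",
    "server_port":8388,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"mypassword",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": false,
    "workers": 1
}
```

A side note: when pasting into vi, press i first to enter insert mode; otherwise, if the pasted content contains characters such as i or o, you may mysteriously lose a few lines.

Then try starting it:

```
root@unknown:/tmp/home/root# ss-server -c /etc/shadowsocks/config.json -f /tmp/ss.pid
 2015-09-10 05:24:56 INFO: initialize ciphers... aes-256-cfb
 2015-09-10 05:24:56 INFO: listening at router-in-China:8388
```

Good, this shows that the compiled ss works.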
To keep it simple, test with a client first, for example the GUI client shadowsocks-qt5. I didn't see a prebuilt binary anywhere, so I'll build one myself.

That also means downloading the enormous Qt 5.5, good grief… (really asking for trouble; there is a prebuilt one for Windows, so I could have just tested on Windows, but I'm a pseudo-Virgo, as mentioned before)

```
# Install whatever the repo provides first
sudo yum install -y qt5-qtbase qt5-qtbase-devel qrencode qrencode-devel botan botan-devel libappindicator libappindicator-devel
export PATH=~/Qt5.5.0/5.5/gcc_64/bin:$PATH

# Install libQtShadowsocks
git clone https://github.com/librehat/libQtShadowsocks.git
cd libQtShadowsocks
git checkout tags/v1.6.1
qmake
make
sudo make install
cd ..

# Install zbar
git clone https://github.com/ZBar/ZBar.git
cd ZBar
sudo yum install -y pygtk2 pygtk2-devel ImageMagick ImageMagick-devel
# Remove -Werror
patch configure.ac < configure.ac.patch
autoreconf -vif
./configure
make
sudo make install
cd ..

git clone https://github.com/librehat/shadowsocks-qt5.git
cd shadowsocks-qt5
git checkout tags/v2.4.2
qmake INSTALL_PREFIX=/home/oglop/tomato/shadowsocks-qt5-install
make && make install
```

An aside: the cloned zbar code fails to compile, apparently because of -Werror, so I removed it; the patch file is here. And a quick aside on how to use patch:

```
# Create
diff -u configure.ac configure.new.ac > configure.ac.patch
# Apply
patch configure.ac < configure.ac.patch
# If the files get messed up and you want to restore the defaults
git reset --hard HEAD && git clean -fxd
```

During zbar's install one file can't be found; edit the makefile to skip it…

```
make[4]: Leaving directory `/home/oglop/tomato/ZBar'
 /usr/bin/mkdir -p '/usr/local/share/man/man1'
 /usr/bin/install -c -m 644 ./doc/man/zbarcam.1 '/usr/local/share/man/man1'
/usr/bin/install: cannot stat ‘./doc/man/zbarcam.1’: No such file or directory
make[3]: *** [install-man1] Error 1
make[3]: Leaving directory `/home/oglop/tomato/ZBar'
make[2]: *** [install-am] Error 2
make[2]: Leaving directory `/home/oglop/tomato/ZBar'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/home/oglop/tomato/ZBar'
make: *** [install] Error 2
```

Go into the makefile and remove the two lines below; they're only help pages, so it shouldn't matter:

```
am__append_64 = doc/man/zbarimg.1
am__append_65 = doc/man/zbarcam.1
```

After that long detour, let's try shadowsocks-qt5.
But although it seems to connect, it always shows timed out.

The iptables rules on the router are as follows:

```
root@unknown:/tmp/home/root# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
shlimit    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 state NEW
shlimit    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2223 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8081
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
wanin      all  --  0.0.0.0/0            0.0.0.0/0
wanout     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain shlimit (2 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source
DROP       all  --  0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
target     prot opt source               destination

Chain wanout (1 references)
target     prot opt source               destination
```

Let me add one rule:

```
iptables -A INPUT -p tcp --dport 8388 -j ACCEPT
```

After that shadowsocks-qt5 could connect, whereas before it always timed out. Next we need to add this command in Tomato's web UI, because a rule added ad hoc on the command line is gone once the router reboots. Tomato's rules are all generated dynamically at startup, so just paste it into Administration -> Scripts -> Firewall.

Next, install FoxyProxy in Firefox to test: add a SOCKS5 proxy at localhost:1080, then visit the Xiami website.

Tears of joy; the world is finally in harmony.
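- The manual steps above confirm that the idea at the start of this post works; next comes further automation

Since the ss-server in China described above plays the role of the server side that ordinary ss users install on a foreign VPS, here we need to install the client on the local router abroad, to reach the final goal of an automatic "reverse" wall-crossing router.

Before setting up the client, let's see whether there is a more "advanced" way to run things. Some people use nohup, and those installing on a desktop machine sometimes use supervisor (written in Python); the intent in every case is to restart the server automatically in case it dies (when running as a daemon). Here we try a different tool, perp, but unfortunately the Q3 has no USB port and too little space for entware, so this was shelved for now.

- First we compile perp with the toolchain prepared earlier; I used version 2.07 from the perp website

```
tar xvf perp-2.07.tar.gz
cd perp-2.07
```

- Per the install notes on the website, conf.mk has to be edited first; I put my modified version here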
```
# conf.mk
# project build/install configs
# wcm, 2009.09.14 - 2013.01.08
# ===

## build configuration, standard gcc + libc:
CC = mipsel-unknown-linux-uclibc-gcc
CFLAGS = -Wall -Wextra -Wshadow -DNDEBUG -O2
#CFLAGS = -Wall -Wextra -Wshadow -O2

## build configuration, dietlibc:
#CC = diet -Os gcc
#CFLAGS = -Wall -Wextra -Wshadow -DNDEBUG

## strip configuration
STRIP = mipsel-unknown-linux-uclibc-strip
#STRIP = /some/other/stripper

## install configuration:
BINDIR = /home/oglop/tomato/perp-2.07-install/usr/bin
SBINDIR = /home/oglop/tomato/perp-2.07-install/usr/sbin
MANDIR = /home/oglop/tomato/perp-2.07-install/usr/share/man
```

All I really changed was to make it use the toolchain's gcc and strip, and to install into my temporary directory for now.

```
export PATH=/home/oglop/x-tools/mipsel-unknown-linux-uclibc/bin:$PATH
make
```
- First you will see

```
mipsel-unknown-linux-uclibc-gcc -Wall -Wextra -Wshadow -DNDEBUG -O2 -I. -o outvec/mk_outvec outvec/mk_outvec.c
./outvec/mk_outvec > outvec/outvec_STDOUT.h
/bin/sh: ./outvec/mk_outvec: cannot execute binary file
make[1]: *** [outvec/outvec_STDOUT.h] Error 126
make[1]: Leaving directory `/home/oglop/Downloads/perp-2.07/lasagna'
make: *** [_done.lasagna] Error 2
```

At this point we manually copy outvec/mk_outvec to the router and run it there to get the generated contents of outvec_STDOUT.h, then paste them back:

```
scp lasagna/outvec/mk_outvec root@router-address:/tmp
# Then run it on the router
ssh root@router-address /tmp/mk_outvec
```

Then we manually paste the generated header contents into outvec_STDOUT.h and continue running make.

- The second missing header looks like this

```
mipsel-unknown-linux-uclibc-gcc -Wall -Wextra -Wshadow -DNDEBUG -O2 -I. -o rlimit/mk_rlimit rlimit/mk_rlimit.c
./rlimit/mk_rlimit > rlimit/rlimit_defs.c.in
/bin/sh: ./rlimit/mk_rlimit: cannot execute binary file
make[1]: *** [rlimit/rlimit_defs.c.in] Error 126
make[1]: Leaving directory `/home/oglop/Downloads/perp-2.07/lasagna'
make: *** [_done.lasagna] Error 2
```

Same approach as above:

```
scp lasagna/rlimit/mk_rlimit root@router-address:/tmp
# Then run it on the router
ssh root@router-address /tmp/mk_rlimit
```

Paste the output back into rlimit_defs.c.in in the same way and continue with make.

- The third missing file is as follows

```
mipsel-unknown-linux-uclibc-gcc -Wall -Wextra -Wshadow -DNDEBUG -O2 -I. -o sysstr/mksysstr sysstr/mksysstr.c
./sysstr/mksysstr errno > sysstr/sysstr_errno.c.in
/bin/sh: ./sysstr/mksysstr: cannot execute binary file
make[1]: *** [sysstr/sysstr_errno.c.in] Error 126
make[1]: Leaving directory `/home/oglop/Downloads/perp-2.07/lasagna'
make: *** [_done.lasagna] Error 2
```

Same again:

```
scp lasagna/sysstr/mksysstr root@router-address:/tmp
# Then run it on the router
ssh root@router-address /tmp/mksysstr errno
```

Paste the output back into sysstr/sysstr_errno.c.in.

- The fourth missing file is

```
mipsel-unknown-linux-uclibc-gcc -Wall -Wextra -Wshadow -DNDEBUG -O2 -I. -c sysstr/sysstr_errno.c
./sysstr/mksysstr signo > sysstr/sysstr_signo.c.in
/bin/sh: ./sysstr/mksysstr: cannot execute binary file
make[1]: *** [sysstr/sysstr_signo.c.in] Error 126
make[1]: Leaving directory `/home/oglop/Downloads/perp-2.07/lasagna'
make: *** [_done.lasagna] Error 2
```

Same again:

```
ssh root@router-address /tmp/mksysstr signo
```

Paste the output back into sysstr/sysstr_signo.c.in.

- Finally, install:

```
# Install under /home/oglop/tomato/perp-2.07-install, as set in conf.mk
make install
```
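The four manual round trips above can be scripted. The following is an added example, not part of the original post or of perp: it copies each generator to the router, runs it there over ssh and writes the output back into the source tree between `make` passes. `ROUTER`, the `RUNNER` hook and the function names are assumptions made for the example; the file paths are the ones shown in the errors above.

```shell
#!/bin/sh
# Added example. ROUTER is a placeholder ssh destination; RUNNER is a
# hypothetical hook that lets another command stand in for the router.
ROUTER=${ROUTER:-root@router-address}

# target_run HELPER [ARGS...]: copy HELPER to the router's /tmp, run it there
# and pass its stdout through.
target_run() {
    tr_helper=$1
    shift
    tr_remote=/tmp/$(basename "$tr_helper")
    scp -q "$tr_helper" "$ROUTER:$tr_remote" && ssh "$ROUTER" "$tr_remote" "$@"
}

# gen_file OUT HELPER [ARGS...]: write HELPER's output to OUT. Output goes to
# a temporary file first, so a failed or empty run never replaces OUT with a
# truncated file that make would treat as up to date.
gen_file() {
    gf_out=$1
    shift
    gf_tmp=$gf_out.tmp.$$
    if "${RUNNER:-target_run}" "$@" > "$gf_tmp" && [ -s "$gf_tmp" ]; then
        mv "$gf_tmp" "$gf_out"
    else
        rm -f "$gf_tmp"
        echo "gen_file: could not generate $gf_out" >&2
        return 1
    fi
}

# build_perp: run from the perp-2.07 source directory. Each make pass stops at
# the first generator it cannot execute; fill in what is missing and retry.
build_perp() {
    while ! make; do
        progressed=no
        while read -r out helper args; do
            # Helper already cross-compiled, its output still missing or empty.
            if [ -x "lasagna/$helper" ] && [ ! -s "lasagna/$out" ]; then
                # </dev/null keeps ssh from swallowing the rest of the list.
                gen_file "lasagna/$out" "lasagna/$helper" $args </dev/null || return 1
                progressed=yes
            fi
        done <<'EOF'
outvec/outvec_STDOUT.h outvec/mk_outvec
rlimit/rlimit_defs.c.in rlimit/mk_rlimit
sysstr/sysstr_errno.c.in sysstr/mksysstr errno
sysstr/sysstr_signo.c.in sysstr/mksysstr signo
EOF
        [ "$progressed" = yes ] || return 1   # make failed for another reason
    done
}

# Usage: sh this-script build   (from inside perp-2.07)
case "${1:-}" in
    build) build_perp ;;
esac
```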
To save space, we strip the binaries and then run upx on them. Sizes as freshly compiled:

```
[oglop@localhost perp-2.07]$ ll /home/oglop/tomato/perp-2.07-install/usr/sbin/
total 760
-rwxr-xr-x. 1 oglop oglop 29328 Sep 11 22:26 perpboot
-rwxr-xr-x. 1 oglop oglop 27932 Sep 11 22:26 perpctl
-rwxr-xr-x. 1 oglop oglop 73117 Sep 11 22:26 perpd
-rwxr-xr-x. 1 oglop oglop 22802 Sep 11 22:26 perphup
-rwxr-xr-x. 1 oglop oglop 34241 Sep 11 22:26 perpls
-rwxr-xr-x. 1 oglop oglop 27963 Sep 11 22:26 perpok
-rwxr-xr-x. 1 oglop oglop  5261 Sep 11 22:26 perp-setup
-rwxr-xr-x. 1 oglop oglop 42770 Sep 11 22:26 perpstat
-rwxr-xr-x. 1 oglop oglop 28745 Sep 11 22:26 runargs
-rwxr-xr-x. 1 oglop oglop 23193 Sep 11 22:26 runargv0
-rwxr-xr-x. 1 oglop oglop 28057 Sep 11 22:26 runchoom
-rwxr-xr-x. 1 oglop oglop 23254 Sep 11 22:26 rundetach
-rwxr-xr-x. 1 oglop oglop 28794 Sep 11 22:26 rundeux
-rwxr-xr-x. 1 oglop oglop 33540 Sep 11 22:26 runenv
-rwxr-xr-x. 1 oglop oglop 28836 Sep 11 22:26 runfile
-rwxr-xr-x. 1 oglop oglop 33550 Sep 11 22:26 runlimit
-rwxr-xr-x. 1 oglop oglop 24029 Sep 11 22:26 runlock
-rwxr-xr-x. 1 oglop oglop 23544 Sep 11 22:26 runpause
-rwxr-xr-x. 1 oglop oglop 23234 Sep 11 22:26 runsession
-rwxr-xr-x. 1 oglop oglop 47885 Sep 11 22:26 runtool
-rwxr-xr-x. 1 oglop oglop 29050 Sep 11 22:26 runtrap
-rwxr-xr-x. 1 oglop oglop 23454 Sep 11 22:26 runuid
-rwxr-xr-x. 1 oglop oglop 19154 Sep 11 22:26 sissylog
-rwxr-xr-x. 1 oglop oglop 42375 Sep 11 22:26 tinylog
-rwxr-xr-x. 1 oglop oglop  1375 Sep 11 22:26 tinylog_run
```

We do the following (a perfect chance to practise one-liners and look classy, or like a big idiot); really it's just that I don't want to touch perp-setup and tinylog_run, since they are only text scripts.

```
# Strip everything except those two script files
find /home/oglop/tomato/perp-2.07-install/usr/sbin/ \( -type f ! -name perp-setup ! -name tinylog_run \) -exec mipsel-unknown-linux-uclibc-strip "{}" \;
# Then run upx on them
find /home/oglop/tomato/perp-2.07-install/usr/sbin/ \( -type f ! -name perp-setup ! -name tinylog_run \) -exec upx "{}" \;
```

Below are the sizes after the treatment: 309k, half the size.

```
[oglop@localhost perp-2.07]$ ll /home/oglop/tomato/perp-2.07-install2/usr/sbin/
total 356
-rwxr-xr-x. 1 oglop oglop 13580 Sep 11 22:45 perpboot
-rwxr-xr-x. 1 oglop oglop 13388 Sep 11 22:45 perpctl
-rwxr-xr-x. 1 oglop oglop 26640 Sep 11 22:45 perpd
-rwxr-xr-x. 1 oglop oglop 10764 Sep 11 22:45 perphup
-rwxr-xr-x. 1 oglop oglop 15668 Sep 11 22:45 perpls
-rwxr-xr-x. 1 oglop oglop 12588 Sep 11 22:45 perpok
-rwxr-xr-x. 1 oglop oglop  5258 Sep 11 11:28 perp-setup
-rwxr-xr-x. 1 oglop oglop 14920 Sep 11 22:45 perpstat
-rwxr-xr-x. 1 oglop oglop 12228 Sep 11 22:45 runargs
-rwxr-xr-x. 1 oglop oglop 10584 Sep 11 22:45 runargv0
-rwxr-xr-x. 1 oglop oglop 12272 Sep 11 22:45 runchoom
-rwxr-xr-x. 1 oglop oglop 10716 Sep 11 22:45 rundetach
-rwxr-xr-x. 1 oglop oglop 12608 Sep 11 22:45 rundeux
-rwxr-xr-x. 1 oglop oglop 14052 Sep 11 22:45 runenv
-rwxr-xr-x. 1 oglop oglop 12244 Sep 11 22:45 runfile
-rwxr-xr-x. 1 oglop oglop 14636 Sep 11 22:45 runlimit
-rwxr-xr-x. 1 oglop oglop 11820 Sep 11 22:45 runlock
-rwxr-xr-x. 1 oglop oglop 10980 Sep 11 22:45 runpause
-rwxr-xr-x. 1 oglop oglop 10628 Sep 11 22:45 runsession
-rwxr-xr-x. 1 oglop oglop 18900 Sep 11 22:45 runtool
-rwxr-xr-x. 1 oglop oglop 13420 Sep 11 22:45 runtrap
-rwxr-xr-x. 1 oglop oglop 11632 Sep 11 22:45 runuid
-rwxr-xr-x. 1 oglop oglop  8236 Sep 11 22:45 sissylog
-rwxr-xr-x. 1 oglop oglop 17608 Sep 11 22:45 tinylog
-rwxr-xr-x. 1 oglop oglop  1375 Sep 11 11:28 tinylog_run
```
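One thing to note here: during make, freshly compiled executables are run to generate several .h files. Since this is a cross-compile they naturally can't run, so I used the brain-dead manual method: whenever make can't proceed, transfer the executable to the router, run it there, copy the generated header file back, and continue with make orz.. For example

Then make completes gloriously. You can download the perp I built, or of course go through it all yourself. Since I've already fallen into this pit, to keep more people from jumping in I made a patch and put it here.

```
diff -Naur ~/Downloads/perp-2.07-original ~/Downloads/perp-2.07-new > ~/Downloads/perp-2.07/perp.patch
```

To use it:

```
cd perp-2.07
patch -p6 < perp.patch
```

The next step is to install perp on the router and have it supervise ss-server. But the Q3 has too little free space, so the plan is to compress the compiled perp, put it in jffs, and on every router boot unpack and install it under /tmp (in memory).

```
# Compress it and copy it into jffs; it's 214k
scp -r usr/sbin/perp-2.07.tar.gz root@192.168.2.22:/jffs
# What follows is a manual test; it is wiped when the router reboots, only jffs and nvram keep data
mkdir -p ~/perp
tar xvzf /jffs/perp-2.07.tar.gz -C ~/perp
cd ~/perp
# Try installing
./perp-setup /etc/perp
# No message for some reason, so try debug mode
sh -x ./perp-setup /etc/perp
# This time it shows
+ _mesg uh oh, neither /etc/inittab nor /etc/rc.local were found on your system!
+ echo perp-setup(1103): uh oh, neither /etc/inittab nor /etc/rc.local were found on your system!
+ _mesg this system will require manual startup configuration for perpd(8)/perpboot(8)
+ echo perp-setup(1103): this system will require manual startup configuration for perpd(8)/perpboot(8)
+ exit 1
```

But something seems to be missing:

```
root@unknown:/tmp/home/root/perp# ./perpd
./perpd: can't resolve symbol 'fchdir' in lib './perpd'.
```

The same executable runs fine on an RT-N66U, so it seems the libc in the Q3's Tomato v131 is missing something.

To verify, check the one on my own computer:

```
$ nm -g /usr/lib/libc.so.6 | grep fchdir
000e6310 W fchdir
```

Well, obviously the PC has it.

Copy libc.so over from the RT-N66 and take a look:

```
mipsel-unknown-linux-uclibc-readelf -s libc.so.0 | grep fchdir
   157: 00008a90    84 FUNC    GLOBAL DEFAULT    6 fchdir
```

It's there! But the libc on the Q3 doesn't have it. How to get around this? Not ready to give up, I tried again with Tomato's own toolchain, and that didn't work either.

Let's see whether other Tomato builds would do: use the Firmware Modification Kit (https://code.google.com/p/firmware-mod-kit/) to open the trx files of other builds.

```
sudo yum install -y python-magic file-libs
./extract-firmware.sh /home/oglop/Downloads/tomato-K26USB-1.28.RT-N5x-MIPSR2-131-AIO/image/tomato-K26USB-1.28.RT-N5x-MIPSR2-131-AIO.trx ~/temp/aio
[oglop@localhost fmk]$ mipsel-unknown-linux-uclibc-readelf -s ~/temp/aio/rootfs/lib/libc.so.0 | grep fchdir
   157: 00008a90    84 FUNC    GLOBAL DEFAULT    6 fchdir
# Sure enough, the AIO firmware (the largest one), as flashed on the RT-N66U, has it
./extract-firmware.sh /home/oglop/Downloads/tomato-K26USB-1.28.RT-N5x-MIPSR2-131-Big-VPN/image/tomato-K26USB-1.28.RT-N5x-MIPSR2-131-Big-VPN.trx ~/temp/bigvpn
mipsel-unknown-linux-uclibc-readelf -s ~/temp/bigvpn/rootfs/lib/libc.so.0 | grep fchdir
   147: 00008100    84 FUNC    GLOBAL DEFAULT    6 fchdir
# Surprisingly this Big-VPN build has it, but it is 7.9mb and the Q3 only has 8mb, so there would be no room left for ss and perp
# I also checked the <8mb mini and mini-vpn builds the same way; neither has fchdir...
```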
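The check above looks for one symbol at a time, after the binary has already failed on the router. The following is an added example, not from the original post: it reads saved `readelf -s` dumps and lists every strong import of a binary that the target's libraries do not export, so the comparison can be made on the build host for each extracted firmware. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are saved symbol dumps, produced on the build host e.g.
#   mipsel-unknown-linux-uclibc-readelf -s -W perpd     > perpd.syms
#   mipsel-unknown-linux-uclibc-readelf -s -W libc.so.0 > libc.syms

# missing_syms BIN_DUMP LIB_DUMP...: print imports of the binary that none of
# the library dumps define, one per line, sorted.
missing_syms() {
    bin_dump=$1
    shift
    awk -v bin="$bin_dump" '
        # Symbol rows: Num: Value Size Type Bind Vis Ndx Name
        $1 !~ /^[0-9]+:$/ || NF < 8 { next }
        { name = $8; sub(/@.*/, "", name) }      # drop @VERSION suffixes
        FILENAME == bin {
            # Only strong imports must resolve; weak ones may stay unresolved.
            if ($7 == "UND" && $5 == "GLOBAL") need[name] = 1
            next
        }
        $7 != "UND" && ($5 == "GLOBAL" || $5 == "WEAK") { have[name] = 1 }
        END { for (n in need) if (!(n in have)) print n }
    ' "$bin_dump" "$@" | sort
}

# Constructed sample dumps (not captured from real firmware), modelled on the
# readelf rows quoted in the post.
demo_dumps() {
    cat > "$1/perpd.syms" <<'EOF'
Symbol table '.dynsym' contains 5 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND fchdir
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND chdir
     3: 00000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     4: 00400f40   520 FUNC    GLOBAL DEFAULT   10 main
EOF
    cat > "$1/libc-mini.syms" <<'EOF'
   146: 00008100    84 FUNC    GLOBAL DEFAULT    6 chdir
EOF
    cat > "$1/libc-aio.syms" <<'EOF'
   146: 00008a30    84 FUNC    GLOBAL DEFAULT    6 chdir
   157: 00008a90    84 FUNC    GLOBAL DEFAULT    6 fchdir
EOF
}

# check_firmware NAME: unresolved imports of the sample binary against the
# sample libc dump called libc-NAME.syms.
check_firmware() {
    tmp=$(mktemp -d) || return 1
    demo_dumps "$tmp"
    missing_syms "$tmp/perpd.syms" "$tmp/libc-$1.syms"
    rm -rf "$tmp"
}

echo "mini: $(check_firmware mini)"
echo "aio:  $(check_firmware aio)"
```

An empty result means every strong import is covered by the libraries given; pass the dumps of all libraries the binary links against, not only libc.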
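At this point I was out of options and could only build a Tomato image myself; see the aside here.

P.S. I'm not sure whether all this is redundant: when ss-server is given -f with a pidfile, it daemonizes itself (I saw the code call a daemonize function; as long as it doesn't keep dying mysteriously on its own, a tool like perp isn't really needed).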
- To improve security, don't run ss as the root user

List the existing users:

```
cut -d: -f1 /etc/passwd
```

Because Tomato doesn't ship useradd and similar commands, and doesn't keep newly added users across reboots either, you have to follow the official instructions, as below:

```
UNAM=ss
RNAM="ss user"
UNUM=200
UGRP=$UNUM
#UGRP=0
echo "$UNAM:x:$UNUM:$UGRP:$RNAM:/tmp:/bin/sh" >> /etc/passwd
echo "$UNAM:x:$UNUM:$UGRP:$RNAM:/home/$UNAM:/bin/sh" >> /etc/passwd.custom
[[ $UGRP -ne 0 ]] && echo "$UNAM:x:$UGRP:" >>/etc/group
[[ $UGRP -ne 0 ]] && echo "$UNAM:x:$UGRP:" >>/etc/group.custom
# Copies root's shadow entry under the new name, so the new account gets root's password hash
sed -n -e "s,^root:,$UNAM:,p" < /etc/shadow >> /etc/shadow.custom
# Temporarily world-writable so the new user can create its own home directory
chmod 777 /tmp/home
ssh $UNAM@localhost "mkdir /home/$UNAM;touch /home/$UNAM/.profile && echo success"
# press return for the password prompt, you should see the word "success" reported
chmod 755 /tmp/home
nvram setfile2nvram /etc/passwd.custom
nvram setfile2nvram /etc/group.custom
nvram setfile2nvram /etc/shadow.custom
nvram setfile2nvram /home/$UNAM/.profile
nvram commit
# The following can also be accomplished by a reboot, or toggling on and off authenticated file sharing in the UI.
sed -i "/^$UNAM:/d" /etc/passwd
grep "^${UNAM}:" < /etc/shadow.custom >> /etc/shadow
grep "^${UNAM}:" < /etc/passwd.custom >> /etc/passwd
```

Because I'm using entware, commands such as sudo and su don't seem to be available:

```
root@unknown:/opt/bin# opkg update
Downloading http://entware.wl500g.info/binaries/mipselsf/Packages.gz.
Updated list of available packages in /opt/var/opkg-lists/mipselsf.
root@unknown:/opt/bin# opkg install sudo
```

Change the contents of /jffs/etc/config/ss.fire, the file used for autostart, to:

```
#!/bin/sh
sudo -u ss /jffs/ss/ss-server -c /jffs/ss/config.json -f /tmp/ss.pid
```
- I plan to use option 3 from the Feiyu blog, which requires dnsmasq, so next we build a version that works on the Netcore Q3

```
git clone git://thekelleys.org.uk/dnsmasq.git
cd dnsmasq/
git checkout tags/v2.75
export PATH=/opt/brcm/hndtools-mipsel-linux/bin:/opt/brcm/hndtools-mipsel-uclibc/bin:$PATH
CC=mipsel-linux-uclibc-gcc CXX=mipsel-linux-uclibc-g++ AR=mipsel-linux-uclibc-ar RANLIB=mipsel-linux-uclibc-ranlib make install PREFIX=/home/oglop/tomato/dnsmasq-install
# After building, strip and upx it; the size is about 43k. Copy it to jffs on the router
mipsel-linux-uclibc-strip ~/tomato/dnsmasq-install/sbin/dnsmasq
upx ~/tomato/dnsmasq-install/sbin/dnsmasq
scp ~/tomato/dnsmasq-install/sbin/dnsmasq root@your-router-ip:/jffs
```

For tunnelling out you would need gfwlist, but here I need to tunnel back in, and there are only a few sites I need, so I may as well add them myself.

At first I tried 2.9, but after rebooting the router it didn't seem to start. I didn't look into the error and went straight on to trying some of the versions below.

2.73 and above all give this error:

```
inotify.c: In function 'inotify_dnsmasq_init':
inotify.c:43: warning: implicit declaration of function 'inotify_init1'
inotify.c:43: error: 'IN_NONBLOCK' undeclared (first use in this function)
inotify.c:43: error: (Each undeclared identifier is reported only once
inotify.c:43: error: for each function it appears in.)
inotify.c:43: error: 'IN_CLOEXEC' undeclared (first use in this function)
inotify.c:52: warning: null argument where non-null required (argument 2)
make[1]: *** [inotify.o] Error 1
make[1]: Leaving directory `/home/oglop/Downloads/dnsmasq/src'
make: *** [all] Error 2
```

I didn't search for a fix; the version I ended up using was v2.72, which seems to work. In the init script, replace Tomato's own 2.73; reportedly the dnsmasq is too new and the ipset too old.

```
mount --bind /jffs/dnsmasq/dnsmasq /usr/sbin/dnsmasq
killall dnsmasq
#service dnsmasq restart

# The router's stock version
root@unknown:/tmp/home/root# dnsmasq --version
Dnsmasq version 2.73 Copyright (c) 2000-2015 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth DNSSEC loop-detect no-inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

# My replacement version
root@unknown:/tmp/home/root# /jffs/dnsmasq/dnsmasq --version
Dnsmasq version 2.72 Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

# The compile time options differ in a few places: no-RTC, Tomato-helper, DNSSEC and no-inotify
# Since the stock build has no-inotify, and my 2.75 build also hit inotify-related errors, I'll add that option too
# So build dnsmasq as follows
git clone git://thekelleys.org.uk/dnsmasq.git
cd dnsmasq
git checkout tags/v2.75
export PATH=/opt/brcm/hndtools-mipsel-linux/bin:/opt/brcm/hndtools-mipsel-uclibc/bin:$PATH
# Building like this drops a few features... which I apparently don't need anyway.
# Adding -DHAVE_DNSSEC then fails for lack of nettle/rsa.h, so I won't mess with it; the asus fix that HAVE_TOMATO brings is gone too
CC=mipsel-linux-uclibc-gcc CXX=mipsel-linux-uclibc-g++ AR=mipsel-linux-uclibc-ar RANLIB=mipsel-linux-uclibc-ranlib make install PREFIX=/home/oglop/tomato/dnsmasq-install COPTS="-DNO_INOTIFY -DHAVE_BROKEN_RTC"
# Make it smaller
mipsel-linux-uclibc-strip /home/oglop/tomato/dnsmasq-install/sbin/dnsmasq
upx /home/oglop/tomato/dnsmasq-install/sbin/dnsmasq
# Copy it to the router
ssh root@router-address "mkdir -p /jffs/dnsmasq"
scp /home/oglop/tomato/dnsmasq-install/sbin/dnsmasq root@router-address:/jffs/dnsmasq/
```

That seems to work; I also tried 2.72 again:

```
git clean -fxd
git checkout tags/v2.72
CC=mipsel-linux-uclibc-gcc CXX=mipsel-linux-uclibc-g++ AR=mipsel-linux-uclibc-ar RANLIB=mipsel-linux-uclibc-ranlib make install PREFIX=/home/oglop/tomato/dnsmasq-install
```

Then add the following in the Tomato web UI:

```
mount --bind /jffs/dnsmasq/dnsmasq /usr/sbin/dnsmasq
service dnsmasq restart
```

This way the router's dnsmasq is replaced by the version I compiled.

I also wanted to try replacing ipset with a newer version:

```
# Tomato kernel version
root@unknown:/tmp/home/root# uname -r
2.6.22.19
# The ipset shipped with the system is 4.5
root@unknown:/tmp/home/root# ipset --version
ipset v4.5, protocol version 4.
Kernel module protocol version 4.
```

Unfortunately, according to the project home page, 4.5 is the highest version that can be used, so what Tomato ships is already the latest.

So in the end I compiled dnsmasq 2.75, though with somewhat fewer features than the stock version.

```
# Copy it to the router
ssh root@router-beside-me "mkdir -p /jffs/dnsmasq"
scp dnsmasq root@router-beside-me:/jffs/dnsmasq/
```

Set the following in the Tomato web UI:

```
mount --bind /jffs/dnsmasq/dnsmasq /usr/sbin/dnsmasq
killall dnsmasq
```

Replacing dnsmasq as above doesn't seem to be strictly necessary; you can skip it at first and only try this step if there are problems connecting.
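- Here I fell into a big pit

First, in the DHCP/DNS settings, I added xiami to the gfwlist set and ticked Intercept DNS port (UDP 53):

```
server=/.xiami.com/127.0.0.1#53
ipset=/.xiami.com/gfwlist
```

Then ssh into the router and run the following commands:

```
modprobe ipt_REDIRECT
modprobe ipt_set
ipset -N gfwlist iphash
iptables -t nat -A PREROUTING -p tcp -m set --set gfwlist dst -j REDIRECT --to-port 1080
# Note that many tutorials use --match-set, but iptables -m set -h shows that this version of iptables needs --set
# If you first
```

The pit here is that the ipset created earlier has no xiami entries in it:

```
root@unknown:/tmp/home/root# ipset -L gfwlist
Name: gfwlist
Type: iphash
References: 0
Header: hashsize: 1024 probes: 8 resize: 50
Members:

# The following command also shows which modules are currently available
cat /proc/net/ip_tables_matches
# Check whether the rule was added
iptables -t nat -nvL
# Check whether ss-redir is running
netstat -lnt
# Delete the added redirect, for testing
iptables -t nat -D PREROUTING 7
# Stop the ss process
kill -9 `cat /tmp/ss-local.pid`
```

I tried for ages with no result. The two xiami lines can also go in dnsmasq.custom:

```
nvram setfile2nvram /etc/dnsmasq.custom
nvram commit
# To remove it again
nvram unset "FILE:/etc/dnsmasq.custom"
nvram commit
```

ss-redir configuration file contents:

```
{
    "server":"my_server_ip",
    "server_port":8388,
    "local_address": "0.0.0.0",
    "local_port":1080,
    "password":"mypassword",
    "method":"aes-256-cfb"
}
```

The command below can be used to check whether port 1080 on the router is open; of course you can also run ss-redir in the foreground to see whether a connection comes in.

```
nmap -p 1080 192.168.2.1
```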
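iptables no match by that name (ipset)

Configuring shadowsocks+dnsmasq+ipset+dns2socks on OpenWrt

Automatic proxying on OpenWrt with ipset and shadowsocks

Configuring an OpenWrt router for smart automatic wall-crossing

Question: how would I go about making a static build?

Is it by adding the following to the shadowsocks-qt5.pro file?

```
CONFIG += static
```

And do all the dependencies need to be made static as well?

Notes on messing around:

Would it work to use this script to copy all the dependencies into one place, and then delete things by eye as appropriate?

Copying shared library dependencies

Hacking attempts:

Use chrpath to change the rpath to `.`

```
yum install epel-release
yum install qt5-qtbase qt5-qtbase-gui libappindicator-devel botan botan-devel
# Still an error after all the hacking
[oglop@localhost min]$ ./ss-qt5
./ss-qt5: symbol lookup error: ./ss-qt5: undefined symbol: _ZN9QMetaType22registerNormalizedTypeERK10QByteArrayPFvPvEPFS3_S3_PKvEi6QFlagsINS_8TypeFlagEEPK11QMetaObject
# Demangle it with http://demangler.com/
QMetaType::registerNormalizedType(QByteArray const&, void (*)(void*), void* (*)(void*, void const*), int, QFlags<QMetaType::TypeFlag>, QMetaObject const*)
```

Downloads of the files built in this post:

It doesn't seem that easy to make it static, so I'm not posting that one for now.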
shadowsocks-libev_2.3.1_mipsel_OpenSSL_static.tar.gz
shadowsocks-libev_2.3.1_mipsel_OpenSSL_dynamic.tar.gz
openssl-1.0.2d_dynamic.tar.gz
tomato-K26-1.28.RT-N5x-MIPSR2-131-netcore-q3-Max.trx
tomato-K26-1.28.RT-N5x-MIPSR2-132-netcore-q3-Max.trx
References:

Introduction to Shadowsocks-Qt5, the graphical client for Shadowsocks
How to statically link Qt 4
Building Qt Static (and Dynamic) and Making it Small with GCC, Microsoft Visual Studio, and the Intel Compiler
Where do executables look for shared objects at runtime
nohup Execute Commands After You Exit From a Shell Prompt
How to execute one command on all files within a folder
Exclude list of files from find
How do I list the symbols in a .so file
Router Decompiling
TomatoUSB – Script Name Extensions
Adding Your Own Users – tomatoUSB
Understanding /etc/passwd File Format
Understanding /etc/shadow file
I can't follow any of this. Respect, respect.