Last active
October 27, 2025 20:12
-
-
Save loskiq/d0a7af04be2029db8e8b5b825418247b to your computer and use it in GitHub Desktop.
Xray on OpenWrt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| inbounds: | |
| - listen: 192.168.1.1 | |
| tag: all-in | |
| port: 1083 | |
| protocol: dokodemo-door | |
| settings: | |
| network: tcp,udp | |
| followRedirect: true | |
| streamSettings: | |
| sockopt: | |
| tproxy: tproxy | |
| sniffing: | |
| enabled: true | |
| metadataOnly: false | |
| destOverride: | |
| - fakedns | |
| - listen: 127.0.0.1 | |
| tag: dns-in | |
| port: 5353 | |
| protocol: dokodemo-door | |
| settings: | |
| address: 192.168.1.1 | |
| network: tcp,udp | |
| routing: | |
| domainStrategy: AsIs | |
| domainMatcher: hybrid | |
| rules: | |
| - type: field | |
| inboundTag: | |
| - dns-in | |
| port: 5353 | |
| outboundTag: dns-out | |
| - type: field | |
| inboundTag: | |
| - all-in | |
| outboundTag: proxy | |
| outbounds: | |
| - protocol: dns | |
| tag: dns-out | |
| streamSettings: | |
| sockopt: | |
| mark: 2 | |
| - protocol: vless | |
| tag: proxy | |
| settings: | |
| vnext: | |
| - address: domain.com | |
| port: 443 | |
| users: | |
| - id: 71f84a4b-6b0c-4b84-b003-10f6ed1b6714 | |
| flow: xtls-rprx-vision | |
| encryption: none | |
| streamSettings: | |
| network: tcp | |
| security: reality | |
| realitySettings: | |
| fingerprint: chrome | |
| serverName: github.com | |
| publicKey: seBxvk7WKB1qw4YGQTWtqwfgvLPCGD-CB0zjY7lbF3o | |
| shortId: 032e0ae968dca962 | |
| sockopt: | |
| mark: 2 | |
| dns: | |
| servers: | |
| - fakedns | |
| - address: fakedns | |
| skipFallback: true | |
| queryStrategy: UseIPv4 | |
| fakedns: | |
| ipPool: 100.64.0.0/10 | |
| poolSize: 65535 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Netflix | |
| server=/netflix.com/127.0.0.1#5353 | |
| # ip.me | |
| server=/ip.me/127.0.0.1#5353 | |
| # YouTube | |
| server=/youtube.com/127.0.0.1#5353 | |
| server=/youtu.be/127.0.0.1#5353 | |
| server=/googlevideo.com/127.0.0.1#5353 | |
| server=/youtube.googleapis.com/127.0.0.1#5353 | |
| server=/youtubei.googleapis.com/127.0.0.1#5353 | |
| server=/ggpht.com/127.0.0.1#5353 | |
| server=/ytimg.com/127.0.0.1#5353 | |
| server=/doubleclick.net/127.0.0.1#5353 | |
| server=/gemini.google.com/127.0.0.1#5353 | |
| server=/play.google.com/127.0.0.1#5353 | |
| server=/news.google.com/127.0.0.1#5353 | |
| server=/instagram.com/127.0.0.1#5353 | |
| server=/cdninstagram.com/127.0.0.1#5353 | |
| server=/fbcdn.net/127.0.0.1#5353 | |
| server=/fb.com/127.0.0.1#5353 | |
| server=/facebook.com/127.0.0.1#5353 | |
| server=/twitter.com/127.0.0.1#5353 | |
| server=/x.com/127.0.0.1#5353 | |
| server=/twimg.com/127.0.0.1#5353 | |
| server=/t.co/127.0.0.1#5353 | |
| # ChatGPT | |
| server=/chatgpt.com/127.0.0.1#5353 | |
| server=/openai.com/127.0.0.1#5353 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| opkg update | |
| opkg list-upgradable | cut -f 1 -d " " | xargs opkg upgrade | |
| opkg install nano-full xray-core kmod-nft-tproxy |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nft 'add table xray' | |
| nft 'add chain xray prerouting { type filter hook prerouting priority mangle; }' | |
| nft 'add rule xray prerouting ip saddr 192.168.1.0/24 ip daddr 100.64.0.0/10 ip protocol { tcp, udp } tproxy to :1083 meta mark set 1' | |
| exit 0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh /etc/rc.common | |
| START=00 | |
| USE_PROCD=1 | |
| PROG="/usr/bin/xray" | |
| CONFIG="/etc/xray/config.yaml" | |
| ASSETS="/usr/share/xray" | |
| start_service() { | |
| procd_open_instance [xray] | |
| procd_set_param command $PROG -c $CONFIG | |
| procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5} | |
| procd_set_param env XRAY_LOCATION_ASSET="$ASSETS" | |
| procd_set_param limits core="unlimited" | |
| procd_set_param limits nofile="1000000 1000000" | |
| procd_set_param stdout 1 | |
| procd_set_param stderr 1 | |
| procd_set_param pidfile /var/run/xray.pid | |
| procd_set_param term_timeout 60 | |
| procd_close_instance | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Правило пересекается с подключением клиентов через CGNAT с провайдера. Skynet (СПб) использует эту же подсеть и все пакеты с клиентов уходят в это правило.
Может добавить сюда
iifname "br-lan"?P.S. Вернее сказать, это правило перехватывает пакеты от локального сервера к клиенту за CGNAT провайдера. Видимо в таком случае проще поменять подсеть, чтобы она не пересекалась с провайдером