【Router筆記】asuswrt-merlin部署shadowsocks-libev

asuswrt-merlin係華碩router嘅增強版第三方firmware，flash咗呢個firmware之後，你嘅router就會變為一個Linux Server，功能強大，威力無窮，請到

https://asuswrt.lostrealm.ca/搵到你型號嘅firmware，安裝手冊 https://github.com/RMerl/asuswrt-merlin/wiki

shadowsocks-libev係一個用C寫嘅shadowsocks分支，屬變形嘅socks5代理工具，支援多種加密方式，並有混淆流量偽裝插件，主要用嚟規避贏國嘅GFW

https://github.com/shadowsocks/shadowsocks-libev

以下安裝shadowsocks-libev以Asus RT-AC68U為例

flash咗做merlin firmware之後，login去router控制頁面，去系統管理，搵到呢2個部份照圖設定



之後搵隻8GB以上USB手指，插去router嘅usb port第一個，喺Linux用ssh login去router

$ ssh yourname@192.168.1.1

windows就安裝putty，可以搵個免安裝portable嘅

https://portableapps.com/apps/internet/putty_portable

同樣ssh入去

入到router命令行，輸入entware-setup.sh
詳細請睇https://github.com/RMerl/asuswrt-merlin/wiki/Entware]

等佢完成，之後要搞個DDNS，因為家用嘅寬頻通常非固定IP,需要用Domain指向當時IP連接，華碩官方嘅DDNS設置

https://www.asus.com/hk/support/FAQ/1011725/

如果唔鍾意呢啲DDNS供應商，可以參考 https://github.com/RMerl/asuswrt-merlin/wiki/Custom-DDNS用其它嘅供應商，我係用非華碩提供嘅，因為好多喺贏國block咗

搞掂咗DDNS之後，喺ROUTER命令列輸入

opkg list | grep shadowsocks-libev 會output呢堆

shadowsocks-libev-config - 3.1.3-2 - shadowsocks-libev config scripts
shadowsocks-libev-polarssl - 2.4.5-1
shadowsocks-libev-ss-local - 3.1.3-2 - shadowsocks-libev ss-local
shadowsocks-libev-ss-redir - 3.1.3-2 - shadowsocks-libev ss-redir
shadowsocks-libev-ss-rules - 3.1.3-2 - shadowsocks-libev ss-rules
shadowsocks-libev-ss-server - 3.1.3-2 - shadowsocks-libev ss-server
shadowsocks-libev-ss-tunnel - 3.1.3-2 - shadowsocks-libev ss-tunnel

唔需要佢其他嘅嘢，只要server, 再輸入

opkg install shadowsocks-libev-ss-server

等安裝完成，轉去 /jffs/scripts path , 輸入

cd /jffs/scripts/

睇吓有冇文字編輯器，輸入 which nano，冇就 opkg install nano，之後輸入

nano ss-init , 內容如下 https://pastebin.com/raw/wgsJ8uCn

如果懶copy&paste，輸入

wget --no-check-certificate -q https://pastebin.com/raw/wgsJ8uCn -O ss-init

之後輸入 chmod +x ss-init , 睇吓/jffs/scripts 有冇firewall-start 呢個file，輸入 ls ，有就喺內容後面加入，冇就開新嘅，file名一定係firewall-start

iptables -I INPUT -p tcp --dport 9089 -j ACCEPT
iptables -I INPUT -p udp --dport 9089 -j ACCEPT

上面9089個port係可以改嘅，配合返ss嘅config file就得，轉頭會講,搞完記得chmod +x firewall-start

跟住 nano services-start ，喺後面加入

/jffs/scripts/ss-init start
cronfile="/jffs/scripts/admin"
dest="/var/spool/cron/crontabs/"
/bin/cp "$cronfile" "$dest"

save之後跟住nano services-stop ,喺 /opt/etc/init.d/rc.unslung stop 呢行前面加入

/jffs/scripts/ss-init stop

save咗跟住nano admin , 裏面內容

*/15 * * * * /jffs/scripts/isup.sh
59 23 * * * /opt/bin/opkg update && /opt/bin/opkg upgrade

save咗nano isup.sh, 裏面內容 https://pastebin.com/raw/a2bAYyeT

#! /bin/sh
ss=$(ps w | awk '$5 ~ /ss-server/{print $1}')

if [ -n "$ss" ]
then
:
else
/jffs/scripts/ss-init start
fi

exit 0

如果懶得打就同上面玩法一樣，下載落嚟之後 chmod +x isup.sh

到呢度 /jffs/scripts 裏面要嘅嘢有晒，轉去 /mnt/sda1/entware/etc/

cd /mnt/sda1/entware/etc/ 之後輸入 mkdir shadowsocks ，完成 cd shadowsocks
然後nano config.json , 裏面內容

{
"server":"0.0.0.0",
"server_port":9089,
"password":"Your_password_here_need_change",
"local_port":1080,
"timeout":600,
"method":"chacha20-ietf-poly1305",
"fast_open":false,
"workers":1
}

save咗就完成需要嘅嘢，會隨開router啟動ss server，並自動15分鐘check ss server係咪運行，死咗會自動重開，config.json裏面個server port可以改成你鍾意嘅，冇其它嘢用緊就得，當然要改返firewall-start裏面個port

之後命令列輸入 /jffs/scripts/ss-init start ,就運行 ss server
/jffs/scripts/ss-init stop 就停服務，/jffs/scripts/ss-init status就睇運行狀態

客戶端喺ios嘅 app store輸入shadowsocks一堆，有收錢有免費，我用緊shadowrocket,以前8蚊 https://itunes.apple.com/hk/app/shadowrocket/id932747118?mt=8
或者google "ios shadowsocks客戶端"睇吓邊隻啱用

android就用作者嘅官方client最好
https://play.google.com/store/apps/details?id=com.github.shadowsocks&hl=zh_HK

client嘅設置同config.json相同就得，server就係DDNS嘅Domain

呢個設置主要為個人使用，或2個人用，原因router硬件好雞吓，驚唔穩定，如果多人用嘅話最好用VPS搞，每人唔同密碼唔同port，或者用NAS搞較為好啲

呢樣嘢主要係for有需要返贏國嘅人，或去外地旅行又要通過香港IP買波買馬，又或者不明WIFI之下安全起見用代理連接網絡

由於小弟唔係IT狗，所有嘢都係自學，有bug／錯唔奇，巴打請指出

會喺呢個post後面講埋點喺外地用手提電話check同控制ss server，由於設定ssh只可以由LAN login，我哋需要借助openvpn

等我整理就post上嚟

唔記得咗𠻹，冇reboot過router，要喺命令行打一次呢2句

iptables -I INPUT -p tcp --dport 9089 -j ACCEPT
iptables -I INPUT -p udp --dport 9089 -j ACCEPT

樓主好勁
我之前裝完哂堆嘢唔識點config結果放棄咗

用緊 koolshare 唔駛咁煩

想知佢個openvpn 有無得site-to-site
買咗兩隻ac 5300發現只係得client-to-site

巴打玩乜玩到要john Linux?

嗰個傳聞mod咗部份冇opensource嘅，唔知係咪，其實唔難

呢樣唔知 sor

由於安全起見，Router最好唔好由WAN可以login,冇用嘅service全部關閉，需要在外地設置嘅話，用openvpn連接咗再由LAN login較安全

Merlin firmware設置openvpn相當容易，手冊

https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN-on-Merlin's-fw

喺贏國，openvpn只要檢測到流量稍大，就會block,所以唔好用佢長期當代理用，只適合用來設置吓Router,論速度亦贏唔到ss嘅

喺贏國遙控router嘅ss server, iOS 可以下在SSH Remote呢個app, 另外下載openvpn connect


Openvpn connect


Shadowrocket


SSH Remote

其實好簡單嘅設定，如是


最後個setting button可以睇到server返嚟嘅訊息
做個測試，閂咗連WiFi,用openvpn接router



停server







重新起動ss server





以上小弟喺贏國境內測試過

多謝收睇，有bug告知

想用 Xchacha20-ietf-poly1305 加密, 但iphone 好似仲未有client support

Android 都有SSH remote app,以前用過，play store搵搵，方式差唔多

或者去 https://f-droid.org/zh_Hant/ 搵搵

shadowrocket 咪有

比錢不了, 等緊 Potatso Lite update

一向追隨Mra同沈大師嘅我

如果遲啲有時間，或者寫個自動安裝shell script,咁可以方便啲嘅

不過唔保證幾時同一定work

關於改版merlin - Koolshare firmware，佢的確提供咗方便，不過請自己衡量安唔安全

殘體 -> https://www.v2ex.com/t/369415

贏國嘅IT狗都好多唔信佢

有啲複雜

https://www.v2ex.com/t/369415
clone merline改完冇open source返，贏國產品，改過咩冇人知，連贏國人都冇信心

-sh: /jffs/scripts/ss-init: not found
可以點做??

但係我CD左係有個SCRIPT係到

有冇chmod +x ss-init?

同樣情況求教~

drwxr-xr-x 2 root 0 Dec 26 01:39 .
drwxr-xr-x 10 root 0 Dec 26 01:30 ..
-rwxrwxrwx 1 root 95 Dec 26 01:39 admin
-rwxrwxrwx 1 root 97 Dec 26 01:36 firewall-start
-rwxrwxrwx 1 root 131 Dec 26 01:39 isup.sh
-rwxrwxrwx 1 root 74 Dec 26 01:01 post-mount
-rwxrwxrwx 1 root 312 Dec 26 01:37 services-start
-rwxrwxrwx 1 root 71 Dec 26 01:38 services-stop
-rwxrwxrwx 1 root 1048 Dec 26 01:46 ss-init

@RT-AC86U-E490:/jffs/scripts# cat ss-init
#! /bin/sh
# Control shadowsocks-libev [start|stop|status] on Asus Router powered by asuswrt-merlin
# put it at /jffs/scripts/ is must.

ss_id=$(ps w | awk '$5 ~ /ss-server/{print $1}')
ARG=$1

do_start(){

SS="/usr/bin/nohup $(which ss-server)"
LOG="/mnt/usb1/entware/etc/shadowsocks/ss.log"
CONFIG="/mnt/usb1/entware/etc/shadowsocks/config.json"

if [ -z "$ss_id" ]
then
eval $SS -u -v -d 1.1.1.1 -d 1.0.0.1 -c "$CONFIG" > "$LOG" 2>&1 &
[ $? -eq 0 ] && echo "Now shadowsocks-libev service is up."
fi
}

do_stop(){

if [ -n "$ss_id" ]
then
printf "Stopping Shadowsocks-libev service..."
kill "$ss_id" && sleep 2 && printf " Done.\n"
fi
}

do_status(){

if [ -n "$ss_id" ]
then
echo "Shadowsocks-libev is running."
RET=0
else
echo "Shadowsocks-libev is not running."
RET=5
fi
}

case "$ARG" in
start) do_start ;;
stop) do_stop ;;
status) do_status ;;
*) echo "$(basename $0) [start|stop|status]" >&2
exit 1
;;
esac

exit $RET