openwrt下openconnect使用dnsmasq ipset自动路由
这个实例是用来实现看youtube视频的,现在能用的vpn也只剩下ocserv了,不过最终没打算用这个方案,可能还是受制于vps流量的稳定性,持续长时间大流量的话,ping vps丢包厉害,所以记录一下
dnsmasq.conf
# dnsmasq: forward lookups for these domains to 8.8.8.8 and add every resolved
# address to the outwall4 (IPv4) / outwall6 (IPv6) ipsets.
# NOTE(review): 8.8.8.8 itself only goes through the tunnel while the vpnc-script
# below has its "ip route add 8.8.8.8 dev $TUNDEV" route in place.
server=/googlevideo.com/youtube.com/8.8.8.8
ipset=/googlevideo.com/youtube.com/outwall4,outwall6
server=/youtu.be/google.com/8.8.8.8
ipset=/youtu.be/google.com/outwall4,outwall6
server=/gstatic.com/ytimg.com/8.8.8.8
# NOTE(review): ggpht.com is added to the ipsets here but is missing from the
# server= line above, so its lookups stay on the default upstream — confirm intended.
# The outwall6 set is filled but no iptables rule in the vpnc-script matches it.
ipset=/gstatic.com/ytimg.com/ggpht.com/outwall4,outwall6
载入gfw黑名单
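# Append one server=/ipset= pair per domain from the GFW blacklist (/gfwb, one
# domain per line) to /etc/dnsmasq.conf, so those names resolve via 8.8.8.8 and
# their addresses land in the outwall4 ipset.
# Reading line by line (instead of word-splitting `cat`) keeps a stray "*" or
# space in the list from being glob-expanded or split into several entries.
gfw_list=/gfwb
dnsmasq_conf=/etc/dnsmasq.conf
# read -r keeps backslashes; the "|| [ -n ... ]" clause handles a missing final newline.
while IFS= read -r domain || [ -n "$domain" ]; do
  # skip blank lines (the word-split loop dropped them as well)
  [ -n "$domain" ] || continue
  printf 'server=/%s/8.8.8.8\n' "$domain"
  printf 'ipset=/%s/outwall4\n' "$domain"
done < "$gfw_list" >> "$dnsmasq_conf"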
重启dnsmasq
# Restart dnsmasq so the server=/ipset= lines appended above are loaded.
/etc/init.d/dnsmasq restart
vpnc-script
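#!/bin/sh
# vpnc-script for openconnect on OpenWrt. openconnect runs it with $reason set
# to the connection phase (pre-init/connect/disconnect/reconnect) and the
# tunnel parameters (TUNDEV, INTERNAL_IP4_*) in the environment.
# Refuse to run outside openconnect: without $reason there is nothing to do.
# Straight ASCII quotes are required here — typographic quotes make the test
# compare a non-empty literal and the guard never fires.
if [ -z "$reason" ]; then
  logger -t openconnect "this script must be called from vpnc" 1>&2
  exit 1
fi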
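#######################################
# Bring the tunnel up and steer ipset-matched traffic through it.
# Globals:   TUNDEV, INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETADDR,
#            INTERNAL_IP4_NETMASKLEN (read, supplied by openconnect)
# Outputs:   none (errors from ip/ipset/iptables go to stderr)
# Returns:   status of the last iptables command; earlier failures are not
#            checked (no set -e), e.g. "ipset destroy" on a set that does not
#            exist yet on the first run.
#######################################
connect() {
  # Assign the VPN address and bring the tunnel interface up.
  ip addr add "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
  # Default MTU is 1315; a larger MTU was observed to break connectivity, so it is left alone.
  #ip link set "$TUNDEV" mtu 1392
  ip link set "$TUNDEV" up
  ip route add "$INTERNAL_IP4_NETADDR/$INTERNAL_IP4_NETMASKLEN" dev "$TUNDEV"
  # Send the DNS forwarder (8.8.8.8 from dnsmasq.conf) through the VPN.
  ip route add 8.8.8.8 dev "$TUNDEV"
  # Packets marked 0xfe00 (mask 0xff00) are routed via table "outwall".
  # NOTE(review): "outwall" has to be a named table in /etc/iproute2/rt_tables — confirm.
  ip rule add fwmark 0xfe00/0xff00 table outwall
  # That table holds a single default route via the tunnel.
  ip route flush table outwall
  ip route add default dev "$TUNDEV" table outwall
  # Recreate the hash:ip sets dnsmasq fills (the v6 set is not matched by any rule below).
  ipset destroy outwall6
  ipset -N outwall6 iphash family inet6
  ipset destroy outwall4
  ipset -N outwall4 iphash
  # HUP dnsmasq to reload its config, then start from empty sets so stale addresses are gone.
  kill -HUP $(pidof dnsmasq)
  ipset flush outwall4
  ipset flush outwall6
  iptables -t nat -A POSTROUTING -o "$TUNDEV" -j MASQUERADE
  # Mark not-yet-marked traffic (forwarded and locally generated) whose destination
  # is in outwall4. Long options need two ASCII hyphens ("--"); the en-dashes in
  # the pasted original are rejected by iptables.
  # NOTE(review): PREROUTING is inserted at position 2, presumably to stay behind
  # an existing OpenWrt rule — confirm, since it silently becomes position 1 on an empty chain.
  iptables -t mangle -I PREROUTING 2 -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark 0xfe00/0xff00
  iptables -t mangle -I OUTPUT -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark 0xfe00/0xff00
}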
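#######################################
# Undo connect(): remove the routes, policy rule and firewall rules after the
# VPN drops.
# Globals:   TUNDEV, INTERNAL_IP4_NETADDR, INTERNAL_IP4_NETMASKLEN (read)
# Outputs:   none (errors from ip/iptables go to stderr)
# Returns:   status of the last iptables -D; earlier failures are not checked.
#######################################
disconnect() {
  ip route del 8.8.8.8 dev "$TUNDEV"
  ip route del "$INTERNAL_IP4_NETADDR/$INTERNAL_IP4_NETMASKLEN" dev "$TUNDEV"
  ip link set "$TUNDEV" down
  ip rule del fwmark 0xfe00/0xff00 table outwall
  ip route del default dev "$TUNDEV" table outwall
  # NOTE(review): nothing replaces the rule, so while disconnected traffic for the
  # ipset destinations falls back to the main table (direct WAN) instead of being
  # blocked; add a blackhole/unreachable route here if that leak matters.
  iptables -t nat -D POSTROUTING -o "$TUNDEV" -j MASQUERADE
  # -D matches on rule text, so these must stay byte-identical to the -I lines in
  # connect() (two ASCII hyphens for the long options).
  iptables -t mangle -D PREROUTING -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark 0xfe00/0xff00
  iptables -t mangle -D OUTPUT -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark 0xfe00/0xff00
}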
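# Dispatch on the phase openconnect reports. "esac" and "exit 0" must be on
# separate lines (they were fused in the pasted original), and the quotes must
# be ASCII so the case patterns match.
case "$reason" in
  pre-init)
    logger -t openconnect "pre-init"
    ;;
  connect)
    logger -t openconnect "connect"
    connect
    ;;
  disconnect)
    # log message spelled "disonnect" in the original; fixed so log searches match
    logger -t openconnect "disconnect"
    disconnect
    ;;
  reconnect)
    # Nothing is rebuilt here; presumably the routes and rules from connect() survive the reconnect — confirm.
    logger -t openconnect "reconnect"
    ;;
  *)
    logger -t openconnect "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
    exit 1
    ;;
esac
exit 0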
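# Ask the running openconnect to disconnect: SIGHUP tears the tunnel down via
# vpnc-script but keeps the session (see SIGNALS below). $(pidof ...) is left
# unquoted on purpose so several PIDs become separate arguments.
kill -HUP $(pidof openconnect)
# Password login: the answers ("global", presumably the group choice, then the
# password) are fed on stdin, which keeps them off argv/ps output. Long options
# take two ASCII hyphens ("--"), not the en-dashes of the pasted original.
# NOTE(review): --no-cert-check disables verification of the server certificate,
# so anyone who can impersonate xxx.xxx.xxx.xxx:179 can collect these credentials;
# prefer pinning the server certificate with --servercert once its fingerprint is known.
(echo global; sleep 1; echo password) | openconnect -u username --no-cert-check xxx.xxx.xxx.xxx:179 --script /etc/vpnc-script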
其它
SIGNALS
In the data phase of the connection, the following signals are handled:
SIGINT
performs a clean shutdown by logging the session off, disconnecting from the gateway, and running the vpnc-script to restore the network configuration.
SIGHUP
disconnects from the gateway and runs the vpnc-script, but does not log the session off; this allows for reconnection later using --cookie.
SIGUSR2
forces an immediate disconnection and reconnection; this can be used to quickly recover from LAN IP address changes.
SIGTERM
exits immediately without logging off or running vpnc-script.
LIMITATIONS
Note that although IPv6 has been tested on all platforms on which openconnect is known to run, it depends on a suitable vpnc-script to configure the network. The standard vpnc-script shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from git://git.infradead.org/users/dwmw2/vpnc-scripts.git will be required.