使用ocserv全局翻

最近发现很多技术网站像www.dd-wrt.com都访问不了,连带wordpress更新都得挂vpn。所以干脆就在路由里折腾vpn。使用socks5代理可能因为干扰原因有速度上的优势,但是绝对不如vpn全能。

ocserv在openwrt下面使用openconnect进行连线,这个东西有个好处就是脚本化,可以在连接和断开时来生成相应的命令,这样一旦网络连接有异常就自动恢复原样。无奈由于chinadns在使用本地isp提供的dns解析一些被封的网站竟然返回随机的阿里或者百度的ip,使用chinadns智能分流只能做罢。本来想实现根据国内/外ip路由分流,自己对iproute2还是不熟悉,不知道为什么有网络无法连通的情况。所以最后又采用看似最简单的通过dnsmasq ipset黑名单域名,然后根据目的ip通过vpn分流。通过域名ipset有些许问题,由于可能的域名数据庞大,不可能照顾到所有域名,有些敏感域名返回国内ip,而有些依然返回的是国外ip,只是ip被封锁了而已,目前已知像google play在android下面会导致图片不显示,所以终极方法还是根据国内/外ip分流,只要在获得的cn.lst中加入以下特殊ip段,就可以用 -m set ! --match-set cn dst 进行匹配了。注意cn.lst决定了哪些目的地址不走vpn,所以它的来源必须可信,并且必须包含vpn服务器自身的地址,否则隧道自己的外层流量会被再次塞进隧道。
# Networks to append to cn.lst, i.e. destinations that must NOT be sent through
# the tunnel when matching with "-m set ! --match-set cn dst".
# vpservip1/32 and vpservip2/32 are placeholders: put the real public addresses
# of the ocserv hosts here, so the tunnel's own outer packets to the server are
# never redirected back into the tunnel.
# Ignore LANs and some other reserved addresses.
# See http://en.wikipedia.org/wiki/Reserved_IP_addresses#Reserved_IPv4_addresses
# and http://tools.ietf.org/html/rfc5735 for full list of reserved networks.
vpservip1/32
vpservip2/32
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4

连接ocserv vpn脚本

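#!/bin/bash
# ocvpn: start, or signal, the openconnect session to one of the ocserv hosts.
#
# Usage:
#   ocvpn      send SIGHUP to any running openconnect, then pick one of the
#              servers in OC_POOL at random and start a new session in the
#              background
#   ocvpn k    only send SIGHUP to the running openconnect and exit
#
# All routing / ipset / dnsmasq work is done by the vpnc-script ($OC_SCRIPT),
# which openconnect runs on connect and on disconnect; this wrapper only
# launches and signals openconnect.
#
# Changes from the first version of this script:
#   * the server certificate is verified with --servercert <pin>; the old
#     --no-cert-check let anyone on the path impersonate the server and
#     collect the login credentials;
#   * the password is read from a root-only file instead of being written
#     into this script;
#   * the random pick uses $RANDOM; the old `head /dev/urandom | tr -dc "12"`
#     could produce an empty string and then silently connect to nothing.
set -euo pipefail

# ---------------------------------------------------------------------------
# Site configuration
# ---------------------------------------------------------------------------
OC_USER=user
# First line fed to openconnect's login form (the group prompt of ocserv).
OC_AUTHGROUP=global
# Password on the first line. Create it with:  umask 077; echo 'pw' > /da/ocserv/passwd
OC_PASSFILE=/da/ocserv/passwd
# vpnc-script that sets up routes / ipsets / dnsmasq on (dis)connect.
OC_SCRIPT=/da/ocserv/vpnc-my

# host:port per server index.
declare -A OC_SERVER=(
  [1]=vpnserv1:443
  [2]=vpnserv2:443
  [3]=vpnserv3:443
)
# Extra openconnect options per server (server 3 was used without DTLS).
declare -A OC_EXTRA=(
  [1]=""
  [2]=""
  [3]="--no-dtls"
)
# TLS certificate pin per server, "pin-sha256:..." as openconnect prints it
# when it rejects an untrusted certificate. Record each pin ONCE from a
# network you trust and check it against the certificate on the server.
# An empty pin refuses to connect; never fall back to --no-cert-check.
declare -A OC_PIN=(
  [1]=""
  [2]=""
  [3]=""
)
# Indexes chosen at random. Only 1 and 2, as in the original selection
# (tr -dc "12"); add 3 here to put vpnserv3 back into rotation.
OC_POOL=(1 2)

die() { printf 'ocvpn: %s\n' "$*" >&2; exit 1; }

# Ask a running openconnect (if any) to disconnect. pkill exits 1 when there
# is no such process, which is not an error here.
hup_openconnect() {
  pkill -HUP -x openconnect || true
}

# Start openconnect to server index $1 in the background.
start_openconnect() {
  local idx=$1
  local server=${OC_SERVER[$idx]:-}
  local pin=${OC_PIN[$idx]:-}
  local -a extra=()

  [[ -n "$server" ]] || die "no server configured for index $idx"
  [[ -n "$pin" ]] || die "no TLS pin configured for server $idx (OC_PIN[$idx]); refusing to connect unverified"
  [[ -r "$OC_PASSFILE" ]] || die "cannot read password file $OC_PASSFILE"
  if [[ -n "${OC_EXTRA[$idx]:-}" ]]; then
    extra+=("${OC_EXTRA[$idx]}")
  fi

  printf 'connecting to %s (server %s)\n' "$server" "$idx"
  # The login form is answered on stdin (group, then password) exactly as the
  # original did, so the password never appears in argv or in `ps`.
  { printf '%s\n' "$OC_AUTHGROUP"; sleep 1; head -n 1 "$OC_PASSFILE"; } \
    | openconnect -u "$OC_USER" --servercert "$pin" --script "$OC_SCRIPT" \
        ${extra[@]+"${extra[@]}"} "$server" &
}

main() {
  case "${1:-}" in
    k)
      echo "sending SIGHUP to openconnect"
      hup_openconnect
      return 0
      ;;
  esac

  # Always drop the old session before starting a new one.
  hup_openconnect
  local idx=${OC_POOL[RANDOM % ${#OC_POOL[@]}]}
  start_openconnect "$idx"
}

main "$@"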

我的vpnc-my 脚本

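#!/bin/sh
# vpnc-my: openconnect "vpnc-script" for the OpenWrt router.
#
# openconnect runs this with $reason set to pre-init / connect / disconnect /
# reconnect and the tunnel parameters in the environment (TUNDEV,
# INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETADDR, INTERNAL_IP4_NETMASKLEN).
#
# On connect it brings the tun device up and makes policy routing push
# "marked" traffic through the tunnel:
#   * dnsmasq resolves the listed domains via 8.8.8.8 (routed over the
#     tunnel) and adds the answers to the ipsets outwall4 / outwall6;
#   * iptables marks packets to outwall4 destinations with OUTWALL_MARK;
#   * an ip rule sends packets with that mark to routing table "outwall",
#     whose default route points into the tunnel.
# On disconnect everything is removed again and dnsmasq goes back to the
# ordinary domain list.
#
# Must stay POSIX sh (busybox ash on OpenWrt): no bashisms.

# Gateway used for the default route of table "outwall". Site specific
# (presumably the ocserv end of the tunnel); on a point-to-point tun device
# the hop address is not used for neighbour resolution.
OUTWALL_GW=192.168.50.1
# Tunnel MTU. The default is 1315; setting it too high was observed to break
# connectivity.
TUN_MTU=1392
# fwmark/mask shared by the ip rule and the iptables MARK rules.
OUTWALL_MARK=0xfe00/0xff00
# Routing table carrying the tunnel default route (must exist in
# /etc/iproute2/rt_tables).
OUTWALL_TABLE=outwall
# dnsmasq include file, swapped between the VPN and the plain variant.
DLHOSTS=/da/dlhosts
DLHOSTS_VPN=/da/dlhosts.gfw
DLHOSTS_PLAIN=/da/dlhosts.0

if [ -z "${reason:-}" ]; then
  logger -t openconnect "this script must be called from vpnc"
  exit 1
fi

log() { logger -t openconnect "$*"; }

# This script configures IPv4 only on the tunnel (INTERNAL_IP4_*), yet
# dnsmasq also fills outwall6 with AAAA answers. Without a rule those IPv6
# destinations would be reached directly, outside the tunnel. We reject them
# instead, so clients should fall back to IPv4 through the tunnel.
have_ip6tables() { command -v ip6tables >/dev/null 2>&1; }

connect() {
  # Tunnel device: address, MTU, link up, route for the tunnel subnet.
  ip addr add "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
  ip link set "$TUNDEV" mtu "$TUN_MTU" up
  ip route add "$INTERNAL_IP4_NETADDR/$INTERNAL_IP4_NETMASKLEN" dev "$TUNDEV"
  # 8.8.8.8 is the upstream dnsmasq uses for the listed domains; reach it
  # only through the tunnel so those lookups are not answered by the ISP.
  ip route add 8.8.8.8 dev "$TUNDEV"

  # Policy routing: marked packets -> table outwall -> default via the tunnel.
  ip rule add fwmark "$OUTWALL_MARK" table "$OUTWALL_TABLE" prio 2
  ip route flush table "$OUTWALL_TABLE"
  ip route add default via "$OUTWALL_GW" dev "$TUNDEV" table "$OUTWALL_TABLE"
  ip route flush cache

  # (Re)create the destination sets. "-exist" makes create idempotent, so
  # this also works when a stale rule still references the set.
  ipset create -exist outwall4 hash:ip
  ipset create -exist outwall6 hash:ip family inet6
  # Clear dnsmasq's cache before emptying the sets, otherwise cached answers
  # would never be re-added to them.
  pkill -HUP -x dnsmasq || true
  ipset flush outwall4
  ipset flush outwall6

  # NAT the tunnel and mark packets whose destination is in outwall4 (only
  # packets not already carrying a mark in this mask). PREROUTING covers LAN
  # clients, OUTPUT the router itself. The PREROUTING rule goes to position
  # 2, i.e. after whatever rule the firewall already keeps first there.
  iptables -t nat -A POSTROUTING -o "$TUNDEV" -j MASQUERADE
  iptables -t mangle -I PREROUTING 2 -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark "$OUTWALL_MARK"
  iptables -t mangle -I OUTPUT -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark "$OUTWALL_MARK"
  if have_ip6tables; then
    ip6tables -I FORWARD -m set --match-set outwall6 dst -j REJECT \
      || log "could not install ip6tables rule; IPv6 to listed domains is NOT blocked"
    ip6tables -I OUTPUT -m set --match-set outwall6 dst -j REJECT \
      || log "could not install ip6tables rule; IPv6 to listed domains is NOT blocked"
  else
    log "ip6tables not available; IPv6 to listed domains bypasses the tunnel"
  fi

  # Switch dnsmasq to the VPN variant of the domain list and reload it.
  cp "$DLHOSTS_VPN" "$DLHOSTS"
  /etc/init.d/dnsmasq restart
  # LAN clients also need forwarding enabled:
  #   /etc/sysctl.conf: net.ipv4.ip_forward=1
}

disconnect() {
  # Undo everything connect() did, in reverse.
  ip route del 8.8.8.8 dev "$TUNDEV"
  ip route del "$INTERNAL_IP4_NETADDR/$INTERNAL_IP4_NETMASKLEN" dev "$TUNDEV"
  ip link set "$TUNDEV" down
  ip rule del fwmark "$OUTWALL_MARK" table "$OUTWALL_TABLE"
  ip route flush table "$OUTWALL_TABLE"
  ip route flush cache

  iptables -t nat -D POSTROUTING -o "$TUNDEV" -j MASQUERADE
  iptables -t mangle -D PREROUTING -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark "$OUTWALL_MARK"
  iptables -t mangle -D OUTPUT -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark "$OUTWALL_MARK"
  if have_ip6tables; then
    ip6tables -D FORWARD -m set --match-set outwall6 dst -j REJECT
    ip6tables -D OUTPUT -m set --match-set outwall6 dst -j REJECT
  fi

  # Back to the plain domain list.
  cp "$DLHOSTS_PLAIN" "$DLHOSTS"
  /etc/init.d/dnsmasq restart
}

case "$reason" in
  pre-init)
    log "pre-init"
    ;;
  connect)
    log "connect"
    connect
    ;;
  disconnect)
    log "disconnect"
    disconnect
    ;;
  reconnect)
    log "reconnect"
    ;;
  *)
    log "unknown reason '$reason'. Maybe vpnc-script is out of date"
    exit 1
    ;;
esac

exit 0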

其它,看youtube 需要的域名

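# dnsmasq: domains needed for YouTube.
# server=/.../8.8.8.8  forward lookups for these domains (and subdomains) to
#                      8.8.8.8, which vpnc-my routes through the tunnel, so the
#                      ISP resolver (which, as noted above, may hand back bogus
#                      addresses for blocked names) never answers them;
# ipset=/.../...       add every answer to outwall4 (A) / outwall6 (AAAA) so
#                      the firewall rules in vpnc-my send traffic for it via
#                      the VPN.
# Keep the two lists identical: a domain present only in ipset= is still
# resolved by the default upstream (ggpht.com was missing from server=).
server=/googlevideo.com/youtube.com/8.8.8.8
ipset=/googlevideo.com/youtube.com/outwall4,outwall6
server=/youtu.be/google.com/8.8.8.8
ipset=/youtu.be/google.com/outwall4,outwall6
server=/gstatic.com/ytimg.com/ggpht.com/8.8.8.8
ipset=/gstatic.com/ytimg.com/ggpht.com/outwall4,outwall6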

生成dnsmasq格式

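# gen_dnsmasq_rules LISTFILE
#   For every domain in LISTFILE (one per line; blank lines and "#" comments
#   are ignored) print the two dnsmasq lines that send its lookups to 8.8.8.8
#   and put the answers into the outwall4 ipset. Lines containing "/" or
#   whitespace would corrupt the dnsmasq syntax, so they are skipped with a
#   warning on stderr instead of being written.
#   Output goes to stdout; append it to the include file, as the original
#   one-liner did:
#     gen_dnsmasq_rules /da/ocserv/gfwb >> /da/dlhosts
gen_dnsmasq_rules() {
  list=$1
  # `|| [ -n "$dom" ]` keeps a last line that has no trailing newline.
  while IFS= read -r dom || [ -n "$dom" ]; do
    case "$dom" in
      ''|'#'*)
        continue
        ;;
      */*|*[[:space:]]*)
        printf 'gen_dnsmasq_rules: skipping invalid domain: %s\n' "$dom" >&2
        continue
        ;;
    esac
    printf 'server=/%s/8.8.8.8\nipset=/%s/outwall4\n' "$dom" "$dom"
  done < "$list"
}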

ipset 实例

多ipset
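# ipset examples

# Two sets, one of single addresses and one of prefixes, grouped in a
# list:set so a single "--match-set dns dst" tests both.
ipset -N cn1 iphash
ipset -N cn nethash

ipset create dns list:set
ipset add dns cn1
ipset add dns cn
# A "nomatch" entry punches a hole in a prefix set: the address is treated as
# NOT in the set even when a wider prefix in the set covers it.
ipset -A cn 127.0.0.1 nomatch
# "test" needs the set name first; with "nomatch" it asks whether the entry
# is stored as a nomatch entry.
ipset test cn 127.0.0.1 nomatch

# Bulk-load a list (one address or prefix per line) into outwall4. A shell
# loop runs one ipset process per line, which is slow for large lists;
# "restore" loads the whole file in a single call. -exist makes re-running
# harmless when entries are already present.
grep -v '^[[:space:]]*$' /da/ocserv/cn1.lst \
  | grep -v '^#' \
  | sed 's/^/add outwall4 /' \
  | ipset -exist restore

ipset test outwall4 8.8.8.8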

#获得ip 路由,可以用cidrmerge缩小子网,注意如果是使用uncn.lst的话,得排除vps服务器的ip地址范围

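#!/bin/sh
# Fetch the per-country IP block lists from ipdeny.com and build the route
# lists used by the policy routing:
#   cn.lst / cn6.lst      IPv4 / IPv6 prefixes allocated to CN (bypass the tunnel)
#   uncn.lst / uncn6.lst  every other country's prefixes (go through the tunnel)
# Results are written to $OUT (first argument, default /tmp/ip). cidrmerge can
# shrink the lists further. If uncn.lst is used, the VPN server's own address
# range must be removed from it, otherwise the tunnel's outer packets would be
# routed into the tunnel.
#
# These lists decide which traffic leaves the tunnel, so they are fetched over
# HTTPS: a plain-HTTP download could be altered on the way and silently
# re-route traffic. Needs an SSL-capable wget (wget-ssl, or uclient-fetch with
# ustream-ssl, on OpenWrt).
#
# To get comma-separated lists instead, post-process with:  sed 's/$/,/' cn.lst
set -eu

OUT=${1:-/tmp/ip}
BASE_URL=https://www.ipdeny.com
V4_ARCHIVE=ipblocks/data/countries/all-zones.tar.gz
V6_ARCHIVE=ipv6/ipaddresses/blocks/ipv6-all-zones.tar.gz

# Work in a private temporary directory (not a predictable /tmp path) and
# remove it on any exit.
work=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "$work"' EXIT

# build_lists ARCHIVE CN_OUT UNCN_OUT
#   Download ARCHIVE into its own subdirectory of $work, write the sorted,
#   de-duplicated cn.zone to $work/CN_OUT and the concatenation of all other
#   zones to $work/UNCN_OUT. Aborts the script if the download, the extraction
#   or the cn.zone lookup fails.
build_lists() {
  archive=$1
  cn_out=$2
  uncn_out=$3
  dir="$work/$(basename "$archive" .tar.gz)"
  mkdir -- "$dir"
  wget -q -O "$dir/zones.tar.gz" "$BASE_URL/$archive"
  tar -xzf "$dir/zones.tar.gz" -C "$dir"
  cn=$(find "$dir" -name cn.zone | head -n 1)
  [ -n "$cn" ] || { echo "cn.zone not found in $archive" >&2; exit 1; }
  sort -V -u "$cn" > "$work/$cn_out"
  # Remove cn.zone first so it is not part of the "everything else" list.
  rm -f -- "$cn"
  find "$dir" -name '*.zone' -exec cat {} + | sort -V -u > "$work/$uncn_out"
}

build_lists "$V4_ARCHIVE" cn.lst uncn.lst
build_lists "$V6_ARCHIVE" cn6.lst uncn6.lst

# Replace $OUT only after all four lists were built, so a failed run never
# leaves a half-written set of lists behind.
rm -rf -- "${OUT:?}"
mkdir -p -- "$OUT"
cp -- "$work"/*.lst "$OUT"/
echo "lists written to $OUT"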
