Posted Updated Tutorials11 minutes read (About 1603 words)

Github Access

导言

作为程序员,最经常遇到的问题就是无法访问github,这无异于和世界断开连接。

  1. 由于http代理可以代理DNS请求,所以不太可能是DNS污染的问题。
  2. github加速访问两种思路:
    1. VPN加速
    2. warp或者wg转发到墙外(linux 服务器)
  3. 之前能访问,但是现在不能访问,可能是wg配置重启掉了。

Proxy in terminal

ssh config

linux下通过按照如下修改.ssh/config设置账号密码,并 ssh -vT [email protected],成功后输出Hi Kirrito-k423! You've successfully authenticated, but GitHub does not provide shell access.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# .ssh/config
Host github.com
  User [email protected]
  Hostname ssh.github.com
  PreferredAuthentications publickey
  ProxyCommand nc -X 5 -x 127.0.0.1:7890 %h %p #如果通过代理需要这句话
  IdentityFile ~/.ssh/id_rsa
  Port 443

Host *
  # Win报错取消下面三行 getpeername failed: Not a socket getsockname failed: Not a socket
  ControlMaster auto
  ControlPath /tmp/sshcontrol-%C
  ControlPersist 1d
  ServerAliveInterval 30

Windows PowerShell 平台

假如是windows下,如果安装了git bash,会有connect.exe的程序

配置如下[^1]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Host github.com
  User git
  Port 22
  Hostname github.com
  # 注意修改路径为你的路径
  IdentityFile "C:\Users\Administrator\.ssh\id_rsa"
  TCPKeepAlive yes
  # 这里的 -a none 是 NO-AUTH 模式,参见 https://bitbucket.org/gotoh/connect/wiki/Home 中的 More detail 一节
  ProxyCommand E:\\commonSoftware\\Git\\mingw64\\bin\\connect.exe -S 127.0.0.1:7890 -a none %h %p

Host ssh.github.com
  User git
  Port 443
  Hostname ssh.github.com
  # 注意修改路径为你的路径
  IdentityFile "C:\Users\Administrator\.ssh\id_rsa"
  TCPKeepAlive yes

debug ssh clone/push

ssh-git 与 https-git的不同

1
2
3
4
git config --global http.proxy localhost:7890 # PowerShell proxy
git config --global http.proxy "http://127.0.0.1:7890"
git config --global https.proxy "http://127.0.0.1:7890"
GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone [email protected]:Kirrito-k423/autoUpdateIpconfigPushGithub.git

1
GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://github.com/llvm/llvm-project.git

Windows PowerShell 平台 git push –verbose

不同于linux平台的GIT_TRACE=1 git push,Windows PowerShell 平台应该如下设置:

1
2
3
$env:GIT_CURL_VERBOSE = 1
$env:GIT_TRACE = 1
git push

ssh成功,但是git操作还是失败

没使用上指定config文件,git操作需要明确指定。

1
2
$env:GIT_SSH_COMMAND = 'ssh -F /path/to/your/ssh_config'
git push

http代理

There are tons of identical solutions over the internet for defining proxy tunnel for git’s downloads like this one, which all is by setting git’s https.proxy & http.proxy config. but those answers are not working when you try to clone/push/pull etc. over the ssh protocol!

For example, by setting git config --global https.proxy socks5://127.0.0.1:9999 when you try to clone git clone [email protected]:user/repo.git it does not go through the defined sock5 tunnel!

环境实在是只有https代理, 可以利用github_token的https协议

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Method 1. git http + proxy http
git config --global http.proxy "http://127.0.0.1:1080"
git config --global https.proxy "http://127.0.0.1:1080"

# Method 2. git http + proxy shocks
git config --global http.proxy "socks5://127.0.0.1:1080"
git config --global https.proxy "socks5://127.0.0.1:1080"

# to unset
git config --global --unset http.proxy
git config --global --unset https.proxy

# Method 3. git ssh + proxy http
vim ~/.ssh/config
Host github.com
HostName github.com
User git
ProxyCommand socat - PROXY:127.0.0.1:%h:%p,proxyport=1087

# Method 4. git ssh + proxy socks
vim ~/.ssh/config
Host github.com
HostName github.com
User git
ProxyCommand nc -v -x 127.0.0.1:1080 %h %p

%h %phostpost的意思

或者

After some visiting so many pages, I finally find the solution to my question:

1
2
3
4
5
6
7
8
9
10
11
12
# [step 1] create a ssh-proxy
  ssh -D 9999 -qCN [email protected]

# [step 2] make git connect through the ssh-proxy
  # [current script only]
  export GIT_SSH_COMMAND='ssh -o ProxyCommand="connect -S 127.0.0.1:9999 %h %p"'
  # OR [git global setting] 
  git config --global core.sshCommand 'ssh -o ProxyCommand="connect -S 127.0.0.1:9999 %h %p"'
  # OR [one-time only use]
  git clone -c=core.sshCommand 'ssh -o ProxyCommand="connect -S 127.0.0.1:9999 %h %p"' [email protected]:user/repo.git
  # OR [current repository use only]
  git config core.sshCommand 'ssh -o ProxyCommand="connect -S 127.0.0.1:9999 %h %p"'

To install connect on Ubuntu:

1
sudo apt install connect-proxy

ssh代理

1
2
3
4
5
ssh -vT -o "ProxyCommand connect -S 127.0.0.1:7890 %h %p" [email protected]
ssh -vT -o "ProxyCommand nc -X 5 -x 127.0.0.1:7890 %h %p" [email protected]
# 使用HTTP 代理
ssh -o ProxyCommand='corkscrew proxy.net 8888 %h %p' [email protected]
ssh -o ProxyCommand='proxytunnel -p proxy.net:8888 -P username -d %h:%p' [email protected]

Wireguard 代理

post request forward is an all-in-one solution.

1
2
3
4
5
6
7
8
9
10
11
interface: warp
  public key: fcDZCrGbcpz3sKFqhBw7PtdInygUOtEJfPAs08Wwplc=
  private key: (hidden)
  listening port: 51825

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: [2606:4700:d0::a29f:c001]:1701
  allowed ips: 172.16.0.0/24, 0.0.0.0/0, ::/0
  latest handshake: 89 days, 23 hours, 15 minutes, 28 seconds ago
  transfer: 3.51 GiB received, 1.71 GiB sent
  persistent keepalive: every 25 seconds

latest handshake: 89 days ago demonstrate wg is done for a long time. At the same time mtr github.com shows no output prove the bad situation.

STEP1: first try is to bring the wg-proxy up again

1
2
3
4
python register.py #自动生成warp-op.conf,warp.conf和warp-helper
mv warp-helper /etc/default
vim /etc/config/network #填写warp-op.conf内容,修改只用替换option private_key 和 ipv6 的 list addresses 即可
ifup warp #启动warp, 代替wg-quick up warp.conf

and test brainiac machine is back online

常见情形

大文件提交

Sometimes,it‘s the big log fault.

1
2
3
4
5
6
7
8
9
10
11
# find file
find . -type f -name "zsim.log.0" -size +10M
# find the most repeated lines
head -n 10000 your_file.txt | sort | uniq -c | sort -nr | head
# delete partten line in files
sed -i '/\[S 0\] WARN: \[6\] ContextChange, reason SIGRETURN, inSyscall 1/d' /staff/shaojiemike/github/PIA_huawei/log/zsim/chai-n/hsti/1000/cpu_tlb/zsim.log.0

# conbine two command
find . -type f -name "zsim.log.0" -size +10M -print0 | xargs -0 sed -i '/字符串模式/d'
# or just save the tail (sth wrong needed test)
find . -type f -name "zsim.log.0" -size +1M -exec bash -c 'tail -n 2000 "$1" > "$1"_back ' _ {} \;

请求被拦截

1
2
3
4
t00906153@A2305023964 MINGW64 ~/github
$ git clone https://github.com/jeremy-rifkin/cpptrace.git
Cloning into 'cpptrace'...
fatal: unable to access 'https://github.com/jeremy-rifkin/cpptrace.git/': SSL certificate problem: self-signed certificate in certificate chain

常见问题

error

出现于使用https协议,下载大仓库时,出现该错误。

  1. 首先使用retry脚本,多重试。
  2. 脚本中有http下载的限制修改。
  3. 使用depth=1参数,只下载最新提交。之后下好后能适应unshallow复原
  4. 使用更快的https代理。 e.g., 华为xgate使用HK或者Auto

expecting SSH2_MSG_KEX_ECDH_REPLY

设置mtu解决:

STEP1:

1
2
3
4
5
6
7
8
9
10
eno0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 202.38.73.217  netmask 255.255.255.0  broadcast 202.38.73.255
        inet6 fe80::ae1f:6bff:fe8a:e4ba  prefixlen 64  scopeid 0x20<link>
        inet6 2001:da8:d800:811:ae1f:6bff:fe8a:e4ba  prefixlen 64  scopeid 0x0<global>
        inet6 2001:da8:d800:730:ae1f:6bff:fe8a:e4ba  prefixlen 64  scopeid 0x0<global>
        ether ac:1f:6b:8a:e4:ba  txqueuelen 1000  (以太网)
        RX packets 12345942  bytes 2946978044 (2.9 GB)
        RX errors 0  dropped 1438318  overruns 0  frame 0
        TX packets 4582067  bytes 675384424 (675.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

STEP2:

1
ifconfig eno0 mtu 1200

STEP3:

1
2
3
4
[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eno0
MTU=1200            #MTU设置

[root@localhost ~]# systemctl restart network

参考文献

Posted Updated network19 minutes read (About 2791 words)

Wireguard

简介

  • WireGuard 是由 Jason Donenfeld 等人用 C 语言编写的一个开源 VPN 协议,被视为下一代 VPN 协议,旨在解决许多困扰 IPSec/IKEv2、OpenVPN 或 L2TP 等其他 VPN 协议的问题。它与 Tinc 和 MeshBird 等现代 VPN 产品有一些相似之处,即加密技术先进、配置简单。
  • 从 2020 年 1 月开始,它已经并入了 Linux 内核的 5.6 版本,这意味着大多数 Linux 发行版的用户将拥有一个开箱即用的 WireGuard。
  • WireGuard 作为一个更先进、更现代的 VPN 协议,比起传统的 IPSec、OpenVPN 等实现,效率更高,配置更简单,并且已经合并入 Linux 内核,使用起来更加方便。

常见VPN方法比较

  • wireguard 精簡、速度極快:
    • 只有 4000 行程式碼,是最精簡的 VPN 協議。对比下 OpenVPN,大约有 10 万行代码。
  • WireGuard 利用内核空间处理来提升性能(更高吞吐和更低延迟),同时避免了不必要的内核和用户空间频繁上下文切换开销。

Wireguard客户端连接Debug

  • 首先,服务端的ip或者域名能ping通
  • 其次端口确定开放> nc -z -v -u 4.shaojiemike.top 51822,wg是udp
  • 修改wg客户端配置文件,限制ip为wg设置的内网段,AllowedIPs = 192.168.31.0/24,10.0.233.1/24.然后ping 192.168.31.1测试
  • 如果还不行,判断为wg的VPN包被中间网关识别并丢弃

配置文件

配置详解参考中文文档

PersistentKeepalive

  • 一端位于 NAT 后面,另一端直接通过公网暴露
  • 这种情况下,最简单的方案是:通过公网暴露的一端作为服务端,另一端指定服务端的公网地址和端口,然后通过 persistent-keepalive 选项维持长连接,让 NAT 记得对应的映射关系。
    • [peer]里设定字段 PersistentKeepalive = 25,表示每隔 25 秒发送一次 ping 来检查连接。

AllowedIPs

虽然AllowedIPs = 0.0.0.0/0AllowedIPs = 0.0.0.0/1, 128.0.0.0/1包含的都是全部的ip。

但是前者在iptable里为default dev wg1,后者为两条0.0.0.0/1 dev wg1128.0.0.0/1 dev wg1

由于路由的ip匹配遵循最长前缀匹配规则,如果路由表里原本有一条efault dev eth0。使用前者会导致混乱。但是使用后者,由于两条的优先级会更高,会屏蔽掉原本的default规则。

前者的iptable修改如下:(macbook上)

1
2
3
4
5
6
7
8
> ip route
default via link#18 dev utun3
default via 192.168.233.1 dev en0
10.0.233.5/32 via 10.0.233.5 dev utun3
224.0.0.0/4 dev utun3  scope link
224.0.0.0/4 dev en0  scope link
255.255.255.255/32 dev utun3  scope link
255.255.255.255/32 dev en0  scope link

后者的iptable修改如下

1
2
3
4
5
6
7
8
9
10
> ip route
0.0.0.0/1 dev utun3  scope link
default via 192.168.233.1 dev en0
default via link#18 dev utun3
10.0.233.5/32 via 10.0.233.5 dev utun3
128.0.0.0/1 dev utun3  scope link
224.0.0.0/4 dev en0  scope link
224.0.0.0/4 dev utun3  scope link
255.255.255.255/32 dev en0  scope link
255.255.255.255/32 dev utun3  scope link

原理

建议看WireGuard 教程:WireGuard 的工作原理WireGuard 基础教程:wg-quick 路由策略解读,详细解释了wg是如何修改路由表规则的。

wireguard 运行原理以及配置文件

默认会产生51840的路由table,ip rule优先级较高。可以通过配置文件中添加PostUp来修改最后一个default的路由规则。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@snode6:/etc/wireguard# cat wg0.conf
[Interface]
Address = 192.168.253.5/32,fd00::aaaa:5/128
PrivateKey = eGj5skRAGJu8d………………1PVfu0lY=
# PublicKey = VWe0wBVztgX………………xd7/kZ2CVJlEvS51c=

#Table必须有,不然默认的还是会修改ip rule
Table = 51820
#DNS = 1.1.1.1 #指定DNS服务器

#启动时运行: %i 是指wg的路由, 默认修改default, metric 一般不用指定
PostUp   = /sbin/ip -4 route replace default dev %i table default metric 1
PostUp   = /sbin/ip -6 route replace default dev %i table default metric 1
#down后运行
PostDown = /sbin/ip -4 route delete  default dev %i table default metric 1
PostDown = /sbin/ip -6 route delete  default dev %i table default metric 1

PostUp会产生下面的规则

1
2
root@snode6:/staff/shaojiemike# ip ro show table default
default dev wg0 scope link metric 1

OpenVPN原理

OpenVPN原理通过在main添加all规则来实现

1
2
3
# shaojiemike @ node5 in ~ [22:29:05]
$ ip route show table main
0.0.0.0/1 via 192.168.255.5 dev tun1

clash TUN模式

Macbook上的应用上的ClashX Pro的增强模式类似, 会添加如下配置,将基本所有流量代理(除开0.0.0.0/8

1
2
3
4
5
6
7
8
9
10
> ip route
1.0.0.0/8 via 198.18.0.1 dev utun3
2.0.0.0/7 via 198.18.0.1 dev utun3
4.0.0.0/6 via 198.18.0.1 dev utun3
8.0.0.0/5 via 198.18.0.1 dev utun3
16.0.0.0/4 via 198.18.0.1 dev utun3
32.0.0.0/3 via 198.18.0.1 dev utun3
64.0.0.0/2 via 198.18.0.1 dev utun3
128.0.0.0/1 via 198.18.0.1 dev utun3 #前面接受所有的ip,然后转换成198.18.0.1
198.18.0.1/32 via 198.18.0.1 dev utun3 #接受转换后的198.18.0.1,由于最长前缀匹配

明显有代理死循环问题,如何解决???

1
2
3
4
5
6
shaojiemike@shaojiemikedeMacBook-Air ~/github/hugoMinos (main*) [10:59:32]
> ip route get 198.18.0.42
198.18.0.42 via 198.18.0.1 dev utun3  src 198.18.0.1
shaojiemike@shaojiemikedeMacBook-Air ~/github/hugoMinos (main*) [10:59:38]
> ip route get 198.18.0.1
198.18.0.1 dev utun3  src 198.18.0.1

Wireguard 环境配置

wireguard-go: 安装客户端 wg-quick up config
wireguard-tools: 安装服务端 wg

Wireguard 常见命令

  • 启动wg-quick up wg1
  • 关闭wg-quick down wg1
  • 查看状态 wg显示全部,或者wg show wg1显示wg1

wireguard开机启动

1
systemctl enable wg-quick@wg1 --now

使用wireguard 代理ipv6请求

  • WireGuard 也支持 IPv6。OpenWRT 服务端,当然要allowed ip fd00::aaaa:5/128
  • 注意:这是伪需求,为什么ipv6的流量需要走ipv6,不走wg,每个机器可以获得独立的公网ipv6,对于PT做种是很好的。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
brainiac1# cat wg-tsj.conf
[Interface]
PrivateKey = xxx
ListenPort = 51828
Address = 10.0.233.7/32, fd00::aaaa:5/128
Table = 51820
#DNS = 1.1.1.1

# 使用iptable修改ipv6的路由规则
PostUp   = /sbin/ip -4 route replace default dev %i table default metric 1
PostUp   = /sbin/ip -6 route replace default dev %i table default metric 1
PostDown = /sbin/ip -4 route delete  default dev %i table default metric 1
PostDown = /sbin/ip -6 route delete  default dev %i table default metric 1

[Peer]
#AllowedIPs = 0.0.0.0/0,::/0
PublicKey = xxx
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 4.shaojiemike.top:51822
PersistentKeepalive = 30

两次wireguard上网

修改sysctl.conf文件的net.ipv4.ip_forward参数。其值为0,说明禁止进行IP转发;如果是1,则说明IP转发功能已经打开。

需要执行指令sysctl -p 后新的配置才会生效。

两台机器的wireguard配置

注意中间需要NAT转换, 相当于把kunpeng机器的请求,隐藏成snode6的请求。在后一次wireguard转发时,就不会被过滤掉。

1
2
PostUp   = iptables -t nat -A POSTROUTING -s 10.1.0.0/24 ! -o %i -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.1.0.0/24 ! -o %i -j MASQUERADE || true

机器(Nas)使用Wireguard上网

问题场景

由于换了wg服务端,导致nas变成闭环的网络了。最后是通过群晖助手(Synology Assistant / Web Assistant)的设置静态ip才连接上机器,但是iptable被设置乱了。

Synology Assistant can not find nas

静态连接上机器,首先在网页管理页面切换成DHCP(静态ip的DNS解析有误),iptable变成如下

1
2
3
4
5
6
7
sh-4.4# ip ro
default via 222.195.90.254 dev eth0  src 222.195.90.2
10.0.233.0/24 dev wg1  proto kernel  scope link  src 10.0.233.3
222.195.90.0/24 dev eth0  proto kernel  scope link  src 222.195.90.2

sh-4.4# ip ro s t eth0-table
222.195.90.0/24 via 222.195.90.2 dev eth0

注意iptable的修改是实时生效的。

思路

为了让nas上网我们需要满足两点

  1. 本地ssh eth0的222.195.90.2能访问机器(优先级更高)
  2. 其余网络走wg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# 重要项如下
sh-4.4# ip rule
3:      from 222.195.90.2 lookup eth0-table (ping 和 ssh ip 222.195.90.2的会使用这个规则)
32766:  from all lookup main (ping 和 ssh 其余ip 比如wg的10.0.233.3的会使用这个规则)

# 1. 设置本地ssh eth0的222.195.90.2的高优先级,不至于开启wg断开ssh
# 使用命令添加: ip ro add default via 222.195.90.254 dev eth0 table eth0-table
sh-4.4# ip route show table eth0-table
default via 222.195.90.254 dev eth0
222.195.90.0/24 via 222.195.90.2 dev eth0

# 2. 为了使得除开本地ssh网络走wg,需要删除屏蔽default的wg的DHCP(如果提前删,导致机器ssh连接不上了,重新插拔网线,让DHCP重新配置):
# 使用命令添加:ip ro d default via 222.195.90.254 dev eth0  src 222.195.90.2 table main,
# 3. 防止服务端重启,Nas的wg客户端失联
# 使用命令添加:ip ro a 114.214.233.0/24 via 222.195.90.254 dev eth0  src 222.195.90.2 table main 
# 4. 测试: ping域名能正常运行

# 其余方法:为了使得除开本地ssh网络走wg,也可以不删除,在DHCP的前面添加wg的网络通路
# 使用命令添加: ip ro add default dev wg1  proto kernel  scope link  src 10.0.233.3 table main
sh-4.4# ip r s t main
default dev wg1  proto kernel  scope link  src 10.0.233.3

使用wg1配置如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
sh-4.4# cat /etc/wireguard/wg1.conf
[Interface]
PrivateKey = xxx
ListenPort = xxx
Address = 10.0.xxx.xxx/24

Table = 51820
PostUp   = /sbin/ip -4 route replace default dev %i table default metric 1
PostDown = /sbin/ip -4 route delete  default dev %i table default metric 1

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 114.xxx.xxx.xxx:xxx
PersistentKeepalive = 25

问题:服务端重启,Nas的wg客户端失联

要保留没有wg的时候访问服务端的eth0(114.214.233.xxx)的通路

1
2
3
4
sh-4.4# ip ro s t main
···
114.214.233.0/24 via 222.195.90.254 dev eth0  src 222.195.90.2
···

来自eth0的ssh与ping请求原路返回

源地址为自身IP的包走学校的路由器

目的:需要ssh和ping ipv4成功

修改netplan的配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# shaojiemike @ node5 in ~ [22:29:11]
$ cat /etc/netplan/acsa.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eno0:
      dhcp4: false
      dhcp6: false
      accept-ra: false
      addresses:
        - 202.38.73.217/24
        - 2001:da8:d800:730::217/64
      gateway4: 202.38.73.254
      gateway6: 2001:da8:d800:730::1
      nameservers:
        addresses:
          - 202.38.64.1
      routing-policy:
        - from: 202.38.73.217
          table: 1
          priority: 2
      routes:
        - to: 0.0.0.0/0
          via: 202.38.73.254
          table: 1

$netplan apply

routing-policy会产生

1
2
3
4
5
6
7
8
9
10
# shaojiemike @ node5 in ~ [22:30:33]
$ ip rule
0:      from all lookup local
2:      from 202.38.73.217 lookup 1
32766:  from all lookup main
32767:  from all lookup default
# 也可以手动添加
ip rule add from 202.38.73.217 table 1 pref 2
或者
ip rule add from 202.38.73.217 lookup 1 pref 2

由于2优先级高,使得ping和ssh的返回信包(源地址为自身机器IP的包)走table1 规则,而不是走

routes使得所有的table1都会走学校的路由器(202.38.73.254)

1
2
3
4
$ ip route show table 1
default via 202.38.73.254 dev eno0 proto static
# 也可以通过`ip route add`
$ ip route add default via 202.38.73.254 dev eno0 proto static table 1

衍生问题:网络请求的源地址不是自己吗?怎么确定的

开启wg后,网络请求源地址变成了10.0.33.2。不是202.38.73.217

1
2
root@node5:/home/shaojiemike# ip ro
10.0.33.0/24 dev wg2 proto kernel scope link src 10.0.33.2

但是外界ping的是202.38.73.217。返回包交换所以会产生源地址为202.38.73.217的包

wireguard 实现翻墙

  • WireGuard 在国内网络环境下会遇到一个致命的问题:UDP 封锁/限速。虽然通过 WireGuard 可以在隧道内传输任何基于 IP 的协议(TCP、UDP、ICMP、SCTP、IPIP、GRE 等),但 WireGuard 隧道本身是通过 UDP 协议进行通信的,而国内运营商根本没有能力和精力根据 TCP 和 UDP 的不同去深度定制不同的 QoS 策略,几乎全部采取一刀切的手段:对 UDP 进行限速甚至封锁。
  • 虽然对 UDP 不友好,但却无力深度检测 TCP 连接的真实性。
  • 将 UDP 连接伪装成 TCP 连接不就蒙混过关了。目前支持将 UDP 流量伪装成 TCP 流量的主流工具是 udp2raw,但是有一款更强大的新工具: Phantun

需要进一步的研究学习

暂无

遇到的问题

暂无

开题缘由、总结、反思、吐槽~~

参考文献

WireGuard 基础教程:使用 Phantun 将 WireGuard 的 UDP 流量伪装成 TCP

https://nordvpn.com/zh-tw/blog/vpn-xieyi/

https://blog.mozcp.com/wireguard-usage/

Posted Updated toLearn21 minutes read (About 3219 words)

OpenWRT on router

OpenWRT Installation on router

原理

原理在路由器的两个flash(firmware和firmware1)的两个系统里,写入一个支持图形化OpenWRT的新系统

查看路由器型号是否支持

查看系统型号[^1]:路由器默认是魔改的openwrt的系统:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
root@XiaoQiang:~# cat /etc/os-release
NAME="OpenWrt"
VERSION="18.06-SNAPSHOT"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 18.06-SNAPSHOT"
VERSION_ID="18.06-snapshot"
HOME_URL="http://openwrt.org/"
BUG_URL="http://bugs.openwrt.org/"
SUPPORT_URL="http://forum.lede-project.org/"
BUILD_ID="unknown"
LEDE_BOARD="mediatek/mt7622"
LEDE_ARCH="aarch64_cortex-a53_neon-vfpv4"
LEDE_TAINTS="no-all glibc busybox"
LEDE_DEVICE_MANUFACTURER="OpenWrt"
LEDE_DEVICE_MANUFACTURER_URL="http://openwrt.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="OpenWrt 18.06-SNAPSHOT unknown"

刷入OpenWRT后:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
root@ax6s:~# cat /etc/os-release
NAME="OpenWrt"
VERSION="22.03.2"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 22.03.2"
VERSION_ID="22.03.2"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r19803-9a599fee93"
OPENWRT_BOARD="mediatek/mt7622"
OPENWRT_ARCH="aarch64_cortex-a53"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 22.03.2 r19803-9a599fee93"

路由器开启dropbear

dropbear 是一种轻量级sshd服务

1
2
3
nvram set ssh_en=1  # 不是1也退出1
/etc/init.d/dropbear start # 脚本start段里增加了判断,稳定版不让启动直接退出
netstat -n # 查看22端口

修改/etc/dropbear/authorized_keys 来添加ssh公钥

Redmi-Ax6s实操

参考教程,和具体的视频

Step2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/usr/bin/env python3
import sys
import hashlib

if sys.version_info < (3,7):
    print("python version is not supported", file=sys.stderr)
    sys.exit(1)

# credit goes to zhoujiazhao:
# https://blog.csdn.net/zhoujiazhao/article/details/102578244

salt = {'r1d': 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
        'others': 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'}


def get_salt(sn):
    if "/" not in sn:
        return salt["r1d"]

    return "-".join(reversed(salt["others"].split("-")))


def calc_passwd(sn):
    passwd = sn + get_salt(sn)
    m = hashlib.md5(passwd.encode())
    return m.hexdigest()[:8]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <S/N>")
        sys.exit(1)

    serial = sys.argv[1]
    print(calc_passwd(serial))

Step3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
XiaoQiang login: root
Password:


BusyBox v1.25.1 (2021-10-25 11:02:56 UTC) built-in shell (ash)

-----------------------------------------------------
    Welcome to XiaoQiang!
-----------------------------------------------------
$$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
$$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
$$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
$$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
$$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
$$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
$$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
\__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|


root@XiaoQiang:~# ls

Step4

  1. 通过cat /proc/mtd,知道对应关系

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    root@XiaoQiang:/tmp# cat /proc/mtd
    dev:    size   erasesize  name
    mtd0: 07f80000 00020000 "ALL"
    mtd1: 00080000 00020000 "Bootloader"
    mtd2: 00040000 00020000 "Config"
    mtd3: 00040000 00020000 "Bdata"
    mtd4: 00040000 00020000 "Factory"
    mtd5: 00040000 00020000 "crash"
    mtd6: 00040000 00020000 "crash_syslog"
    mtd7: 00040000 00020000 "cfg_bak"
    mtd8: 00400000 00020000 "kernel0"
    mtd9: 00400000 00020000 "kernel1"
    mtd10: 01a00000 00020000 "rootfs0"
    mtd11: 01a00000 00020000 "rootfs1"
    mtd12: 02600000 00020000 "overlay"
    mtd13: 01b80000 00020000 "obr"
    mtd14: 00c1c000 0001f000 "ubi_rootfs"
    mtd15: 021e8000 0001f000 "data"

  2. 备份,其中Factory中存储了EEPROM的数据

    1
    2
    3
    4
    5
    6
    cat /dev/mtd4 > Factory.dump
    cat /dev/mtd3 > Bdata.dump

    #on windows
    scp [email protected]:/tmp/factory.bin .
    scp [email protected]:/tmp/factory.bin .

Step5

  1. 路由器ssh终端,配置环境变量

     
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    # nvram写入flash
    # Enable uart and boot_wait, useful for testing or recovery if you have an uart adapter!
    nvram set ssh_en=1
    # 设置串口打开,以便ssh失败时,硬件debug
    nvram set uart_en=1 
    nvram set boot_wait=on

    # Set kernel1 as the booting kernel
    nvram set flag_boot_success=1
    nvram set flag_try_sys1_failed=0
    nvram set flag_try_sys2_failed=0

    # Commit our nvram changes
    nvram commit

  2. 电脑本地准备传输可执行文件(开启了ssh服务,直接scp传上去即可)

    1. Rename the file openwrt-mediatek-mt7622-xiaomi_redmi-router-ax6s-squashfs-factory.bin you previously downloaded to your computer to factory.bin
    2. in the same directory where the file factory.bin is located, run the following command python -m http.server

  3. 路由器ssh终端,配置环境变量接受并运行

    1
    2
    3
    cd /tmp
    wget http://<IP address of your computer>:8000/factory.bin
    mtd -r write factory.bin firmware

  4. 完成后重启,默认ip变成192.168.1.1

  5. 失败加上nvram set "boot_fw1=run boot_rd_img;bootm" 重来

WireGuard Server in OpenWRT

OpenWRT换软件安装源

修改/etc/opkg/distfeeds.conf的配置,参考

下面为x86软路由的源(由于是snapshot的安装不了,内核不匹配),如果是arm的需要看对应架构代号。

1
2
3
4
5
6
src/gz openwrt_core https://mirrors.ustc.edu.cn/openwrt/releases/22.03.3/targets/x86/64/packages
src/gz openwrt_base https://mirrors.ustc.edu.cn/openwrt/releases/22.03.3/packages/x86_64/base
src/gz openwrt_luci https://mirrors.ustc.edu.cn/openwrt/releases/22.03.3/packages/x86_64/luci
src/gz openwrt_packages https://mirrors.ustc.edu.cn/openwrt/releases/22.03.3/packages/x86_64/packages
src/gz openwrt_routing https://mirrors.ustc.edu.cn/openwrt/releases/22.03.3/packages/x86_64/routing
src/gz openwrt_telephony https://mirrors.ustc.edu.cn/openwrt/releases/22.03.3/packages/x86_64/telephony

比如ax6s

1
2
3
4
5
6
7
[root@ax6s ~]$ cat /etc/opkg/distfeeds.conf
src/gz openwrt_core https://downloads.openwrt.org/releases/22.03.2/targets/mediatek/mt7622/packages
src/gz openwrt_base https://downloads.openwrt.org/releases/22.03.2/packages/aarch64_cortex-a53/base
src/gz openwrt_luci https://downloads.openwrt.org/releases/22.03.2/packages/aarch64_cortex-a53/luci
src/gz openwrt_packages https://downloads.openwrt.org/releases/22.03.2/packages/aarch64_cortex-a53/packages
src/gz openwrt_routing https://downloads.openwrt.org/releases/22.03.2/packages/aarch64_cortex-a53/routing
src/gz openwrt_telephony https://downloads.openwrt.org/releases/22.03.2/packages/aarch64_cortex-a53/telephony

可以通过cat /etc/os-release查看, 上面的如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@OpenWrt:~# cat /etc/os-release
NAME="OpenWrt"
VERSION="SNAPSHOT" # snapshot是开发版的意思
PRETTY_NAME="OpenWrt SNAPSHOT"
VERSION_ID="snapshot"
BUILD_ID="r5636-25f88e06f"
OPENWRT_BOARD="x86/64"
OPENWRT_ARCH="x86_64"

[root@ax6s ~]$ cat /etc/os-release
NAME="OpenWrt"
VERSION="22.03.2"
PRETTY_NAME="OpenWrt 22.03.2"
VERSION_ID="22.03.2"
BUILD_ID="r19803-9a599fee93"
OPENWRT_BOARD="mediatek/mt7622"
OPENWRT_ARCH="aarch64_cortex-a53"

WireGuard安装服务端程序

  1. eSir精品小包固件下载地址(感谢esir的辛勤付出)

    1. 内置了wireguard(使用对等节点的公私钥加密)

  2. OpenWrt安装WireGuard命令(eSir精品小包已集成WireGuard,无需安装)

    1
    2
    3
    4
    5
    6
    opkg update
    opkg install luci-proto-wireguard luci-app-wireguard wireguard kmod-wireguard wireguard-tools
    reboot

    # x86
    opkg install wireguard luci-app-wireguard luci-i18n-wireguard-zh-cn wireguard-tools

WireGuard服务端设置

具体步骤

  1. 配置WG服务器端公私钥
  2. OpenWrt的luci界面配置服务器节点
  3. OpenWrt-网络-防火墙设置
    1. 如果OpenWrt做主路由,还需要在防火墙->通信规则中开放端口
    2. 假如是旁路由,需要设置端口转发
  4. 为每个客户端节点创建密钥
  5. OpenWrt->网络->接口,修改原本的WG0设置。修改Peers
    1. 左下角更多选项选择预共享密钥,添加
    2. 由于不能同时用,所以每个机器要单独配置,不能公用

WireGuard客户端设置

客户端模板文件test.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[Interface]
Address = 192.168.100.2 约定的IP
PrivateKey = cprivatekey文件内容 
DNS = 路由器IP


[Peer]
PublicKey = spublickey文件内容  

AllowedIPs = 0.0.0.0/0
//上面代表所有流量走WG。如果启用下面这行代码,表示只有192.168.2.0/24, 192.168.100.0/24这两个子网的IP走WireGuard
//逗号前是家庭局域网的IP段,后面是VPN的IP段
//AllowedIPs = 192.168.2.0/24, 192.168.100.0/24

PresharedKey=sharedkey内容
Endpoint = 公网IP(动态域名):端口号
PersistentKeepalive = 25

WireGuard配置匹配一览图

"[Interface] Address" is the address that gets assigned to the (virtual) network interface (e.g. wg0).
简单来说客户端和服务器端约定的相同的虚拟地址来通信。

注意防火墙放行端口

官方客户端软件下载

WireGuard常见问题

注意:如果连接不上

  1. 首先保证路由器有网,不是路由器下的电脑有网
    1. 上次师兄的电脑开了OpenVPN上网,导致路由器ipv6能ping通,但是不能上网
  2. 注意防火墙,一个是wan口允许某几个端口进来(wg连接请求)。另一个是wan能到wg,wg也能到wan,才能实现上网
    1. 至于和lan的关系,如果需要通过wg访问lan口下的设备(nas,电脑)再打开即可。

Clash in OpenWrt

  • 安装版本来自github
  • 但是由于DDNS会出问题,所以关闭了。(可以考虑2次wireguard蹭网和clash for linux)
  • BT,PT有时也会被代理,需要注意。

安装编译好的 IPK 文件(openwrt 的软件包)

安装依赖

1
2
3
4
5
6
7
8
9
10
11
12
13
#iptables
opkg update
opkg install coreutils-nohup bash iptables dnsmasq-full curl ca-certificates ipset ip-full iptables-mod-tproxy iptables-mod-extra libcap libcap-bin ruby ruby-yaml kmod-tun kmod-inet-diag unzip luci-compat luci luci-base

#nftables
opkg update
opkg install kmod-nft-tproxy

wget https://github.com/vernesong/OpenClash/releases/download/v0.45.59-beta/luci-app-openclash_0.45.59-beta_all.ipk
root@ax6s:/tmp# opkg install luci.ipk
Installing luci-app-openclash (0.45.59-beta) to root...
Configuring luci-app-openclash.
cfg117882

重启后出现

注意不会代理ping,所以ping不通的话,可以用curl来测试代理是否生效。https失败可以尝试http

安装问题

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Collected errors:
 * check_data_file_clashes: Package dnsmasq-full wants to install file /etc/hotplug.d/ntp/25-dnsmasqsec
        But that file is already provided by package  * dnsmasq
 * check_data_file_clashes: Package dnsmasq-full wants to install file /etc/init.d/dnsmasq
        But that file is already provided by package  * dnsmasq
 * check_data_file_clashes: Package dnsmasq-full wants to install file /usr/lib/dnsmasq/dhcp-script.sh
        But that file is already provided by package  * dnsmasq
 * check_data_file_clashes: Package dnsmasq-full wants to install file /usr/sbin/dnsmasq
        But that file is already provided by package  * dnsmasq
 * check_data_file_clashes: Package dnsmasq-full wants to install file /usr/share/acl.d/dnsmasq_acl.json
        But that file is already provided by package  * dnsmasq
 * check_data_file_clashes: Package dnsmasq-full wants to install file /usr/share/dnsmasq/dhcpbogushostname.conf
        But that file is already provided by package  * dnsmasq
 * check_data_file_clashes: Package dnsmasq-full wants to install file /usr/share/dnsmasq/rfc6761.conf
        But that file is already provided by package  * dnsmasq
 * opkg_install_cmd: Cannot install package luci-app-openclash.

解决办法如下

1
2
opkg update
opkg remove dnsmasq && opkg install dnsmasq-full

DDNS in OpenWRT

DDNS简介

Dynamic DNS: 根據網際網路的域名訂立規則,域名必須跟從固定的IP位址。但動態DNS系統為動態網域提供一個固定的名稱伺服器(Name server),透過即時更新,使外界使用者能夠連上動態使用者的網址。

cloudflare动态域名 或者阿里云动态域名的DDNS都是很好的选择。

定时脚本实现DDNS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@ax6s ~]$ cat ddns.sh
#!/bin/bash

Network=wan@eth0

Date=`echo $'\n\n' >> /tmp/ddns_ipv4`
Date=`echo "$(date)" >> /tmp/ddns_ipv4`
IPv4=`ip a|grep -A 2 ${Network}|sed -n '3p'|awk  '{print $2}' |sed -e 's/\/[0-9]*//'`
echo $IPv4 >> /tmp/ddns_ipv4
IPv6=`ip a|grep -A 4 ${Network}|sed -n '5p'|awk  '{print $2}' |sed -e 's/\/[0-9]*//'`
echo $IPv6 >> /tmp/ddns_ipv4

curl -v http://v6.sync.afraid.org/u/4TY5…………tKF/?address=${IPv6} 2>&1 >> /tmp/ddns_ipv4
curl -v http://sync.afraid.org/u/M8uh9Zf…………ryjxs/?address=${IPv4} 2>&1 >> /tmp/ddns_ipv4

修改crontab -e

1
2
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
4,9,14,19,24,29,34,39,44,49,54,59 * * * * sleep 11 ; /root/ddns.sh

OpenWRT 为局域网设备设置IPv6 DDNS

脚本围绕,打印邻居路由表命令

1
2
3
4
5
6
[root@ax6s ~]$ ip -6 neigh | grep 2c:f0:5d
2001:da8:d800:611:1818:61b6:6422:56a1 dev br-lan lladdr 2c:f0:5d:ac:1d:2c DELAY
2001:da8:d800:611:5464:f7ab:9560:a646 dev br-lan lladdr 2c:f0:5d:ac:1d:2c STALE
2001:da8:d800:611:4d13:ead8:9aaf:bfc4 dev br-lan lladdr 2c:f0:5d:ac:1d:2c REACHABLE
2001:da8:d800:611:a063:863f:caa3:4a73 dev br-lan lladdr 2c:f0:5d:ac:1d:2c STALE
2001:da8:d800:611:8c75:4f49:f9d0:42b6 dev br-lan lladdr 2c:f0:5d:ac:1d:2c STALE

新建 /usr/lib/ddns/dynamic_dns_iphelper.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/bin/sh
 
get_ip(){
    MAC=$1
    if [ "$MAC" = "" ]
    then
        exit 0
    fi
    IP=$(ip -6 neigh | grep -i $MAC | grep -v "fe80:" | grep -E "REACHABLE|STALE" | cut -d" " -f1 | grep -m 1 -E -o "([0-9a-fA-F]{1,4}(:?)){8}")
    if [ "$IP" = "" ]
    then
        IP=$(mac_to_ipv6_ll $MAC $(get_ip_prefix))
    fi
    echo $IP
}
 
mac_to_ipv6_ll() {
    PREFIX="fe80::"
    if [ "$#" = 2 ]; then
        PREFIX=$2
    fi
    IFS=':'; set $1; unset IFS
    echo "$PREFIX$(printf %02x $((0x$1 ^ 2)))$2:${3}ff:fe$4:$5$6"
}
 
get_ip_prefix() {
    IP_PREFIX=$(ip -6 addr | awk '{print $2}' | grep '::1' | grep -m 1 -E -o "([0-9a-fA-F]{1,4}(:?)){4}")
    echo $IP_PREFIX
}
 
if [ "$1" != "" ]; then
    echo `get_ip $1`
fi

新建 /usr/lib/ddns/getip_demo.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/bin/sh
 
. /usr/lib/ddns/dynamic_dns_iphelper.sh
# 遵循 EUI-64 的设备使用这个方式 可以获取到静态后缀的IPv6地址
# 00:00:00:00:00:00修改为目标设备的MAC地址
echo $(mac_to_ipv6_ll "00:00:00:00:00:00" $(get_ip_prefix))

# 或者
#!/bin/sh
 
. /usr/lib/ddns/dynamic_dns_iphelper.sh
# 00:00:00:00:00:00修改为目标设备的MAC地址
# 不遵循 EUI-64 的设备 可以获取到动态IPv6地址
echo `get_ip "00:00:00:00:00:00"`

脚本chmod +x就行

School Network

  • 根据学校的网络通各个端口的说明,0号端口没有经过NAT,登录之后获得公网ipv4。但是IPv4封了许多端口(至少ssh的22端口是不行的)
  • IPv6是直接可以ssh访问的。

参考文献

https://www.youtube.com/watch?v=F8z74oE71Gg&t=19s

https://xiumu.org/technology/openwrt-set-for-local-area-network-lan-equipment-ipv6-ddns.shtml

Follow

Categories

Subscribe for updates

follow.it

Links

Recents

Archives

Tags

5G1
64bits vs 32bits1
AI3
AMAT1
AMD3
ASPLOS1
ATI1
AVX2
Algorithm1
Alpha1
Analysis1
Apt1
Assembly4
BFS1
BHive1
BT3
BTL1
Baka Mitai1
Bash1
Big-Endian1
×