Edgerouter | @sskaje

EdgeRouter 部署 WireGuard

By @sskaje
Link: https://sskaje.me/2017/06/deploy-wireguard-on-edgerouter/

安装

从 https://github.com/Lochnair/vyatta-wireguard/releases 下载对应的包
ERL, ER等 mips架构的，下载 octeon 版本
ERX 下载 ralink版本。

可以选择上传到路由上，或者ssh登录路由，sudo su到root，执行类似如下的命令

curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-octeon-0.0.20170612-2.deb -o wireguard-octeon-0.0.20170612-2.deb

1	curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-octeon-0.0.20170612-2.deb -o wireguard-octeon-0.0.20170612-2.deb

或

curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-ralink-0.0.20170612-2.deb -o wireguard-ralink-0.0.20170612-2.deb

1	curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-ralink-0.0.20170612-2.deb -o wireguard-ralink-0.0.20170612-2.deb

下载完成后

dpkg -i xxx.deb

1	dpkg -i xxx.deb

配置

执行下列命令生成私钥、共享密钥，公钥

wg genkey > /config/auth/wg.private
wg genpsk > /config/auth/wg.psk
chmod 0600 /config/auth/wg.*
wg pubkey < /config/auth/wg.private

wg genkey > /config/auth/wg.private

wg genpsk > /config/auth/wg.psk

chmod 0600 /config/auth/wg.*

wg pubkey < /config/auth/wg.private

将最后一个命令的输出复制下来，配置到服务器端

获取服务器端的公钥，替换下文的“公钥”并执行命令

configure
set interfaces wireguard wg0 address 192.168.10.40/24
set interfaces wireguard wg0 listen-port 本地端口
set interfaces wireguard wg0 peer 公钥 allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 公钥 endpoint '服务器IP:端口'
set interfaces wireguard wg0 peer 公钥 preshared-key /config/auth/wg-eos.psk
set interfaces wireguard wg0 private-key /config/auth/wg.private
set interfaces wireguard wg0 route-allowed-ips false
commit
save

configure

set interfaces wireguard wg0 address 192.168.10.40/24

set interfaces wireguard wg0 listen-port 本地端口

set interfaces wireguard wg0 peer 公钥 allowed-ips 0.0.0.0/0

set interfaces wireguard wg0 peer 公钥 endpoint '服务器IP:端口'

set interfaces wireguard wg0 peer 公钥 preshared-key /config/auth/wg-eos.psk

set interfaces wireguard wg0 private-key /config/auth/wg.private

set interfaces wireguard wg0 route-allowed-ips false

commit

save

配置好设备后，配置nat服务

configure
set service nat rule 5032 outbound-interface wg0
set service nat rule 5032 type masquerade
commit 
save

configure

set service nat rule 5032 outbound-interface wg0

set service nat rule 5032 type masquerade

commit

save

剩下就是配置路由规则了，可以参考我的其他blog.

EdgeRouter 部署 WireGuard by @sskaje: https://sskaje.me/2017/06/deploy-wireguard-on-edgerouter/

Incoming search terms:

EdgeRouter 策略路由实现分析

By @sskaje
Link: https://sskaje.me/2017/06/edgerouter-policy-based-routing-analysis/

最近家里的路由规则越来越复杂，而且越来越好用。正好昨天跟朋友讨论他的家用路由改造方案，所以研究了一下EdgeRouter的策略路由（Policy-based Routing，PBR）的实现。

我家里的路由是EdgeRouter Lite，固件1.9.1.1，这个实现跟固件关系不大。

首先，我们可以参考一下官方的文档：EdgeRouter – Policy-based routing (source address based)

Continue reading “EdgeRouter 策略路由实现分析” »

EdgeRouter 策略路由实现分析 by @sskaje: https://sskaje.me/2017/06/edgerouter-policy-based-routing-analysis/

Incoming search terms:

EdgeRouter + SoftEther Policy-based Routing Error

By @sskaje
Link: https://sskaje.me/2017/06/edgerouter-softether-policy-based-routing-error/

I have protocol config like

protocols {
  static {
    table 4 {
      route 0.0.0.0/0 {
        next-hop 192.168.10.1 {
        }
      }
    }
  }
}

protocols {

static {

table 4 {

route 0.0.0.0/0 {

next-hop 192.168.10.1 {

}

SoftEther TAP device name is tap_se, local ip is 192.168.10.2, remote ip 192.168.10.1.

Internet is connected via pppoe0.

Policy-based routing modified to table 4 route traffic to pppoe0 rather than tap_se.

Check current route table:

root@ubnt:/home/ubnt# show ip route table 4
default via 192.168.10.1 dev pppoe0

1 2	root@ubnt:/home/ubnt# show ip route table 4 default via 192.168.10.1 dev pppoe0

In my previous post, I added a softether start-up script in /config/scripts/post-config.d/.
I guess vpnserver is launched after policy-based routing rules been applied, that causes policy-based routing find no device/connected routes for 192.168.10.1, then pppoe0 is picked.

I don’t have any good idea (add custom config template is a good choice, but i’m lazy zzZZ..), just disable and re-enable that route table after router is booted.

configure
set protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable
commit
delete protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable
commit

configure

set protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable

commit

delete protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable

commit

EdgeRouter + SoftEther Policy-based Routing Error by @sskaje: https://sskaje.me/2017/06/edgerouter-softether-policy-based-routing-error/

另类方法劫持手机流量

By @sskaje
Link: https://sskaje.me/2017/04/hijack-mobile-phone-traffic-using-router-and-charlesproxy/

实际上看，CharlesProxy并不能100%地“劫持”到手机的https流量，说“劫持”可能不太合适，因为CharlesProxy根本都不把这个443端口的请求在请求列表里显示出来。

这次玩的是GameLoft的Asphalt Xtreme，从google play store下载下来玩后，发现游戏的免费门槛太高了，随便玩玩不消费就进行不下去。
之前玩GameLoft的游戏改数据，都是iPhone下备份数据，修改存档，因为那些游戏有存档。但是这次主要用了Android，且没有root。试过iOS的版本，文档里没看到明文数据（txt/bin都没有)。本来想找个游戏修改器试试，后来没继续下去。

具体选型上，我是在EdgeRouter Lite上跑了个redsocks。因为是临时方案，所以不考虑使用EdgeOS/VyOS的配置语法，而直接使用了iptables。
协议分析和数据劫持，使用了CharlesProxy，因为CharlesProxy支持socks代理，还自带”Rewrite”功能，可以做简单字符串替换和正则替换。

环境：
路由 EdgeRouter Lite 固件1.9.1，IP 192.168.1.1，基于debian wheezy
Redsocks，0.4+dfsg-1，下载地址 https://packages.debian.org/wheezy/redsocks

电脑 MacBook Pro macOS 12 + CharlesProxy 4.x, IP 192.168.1.20，HTTP端口8888，Socks端口8889

手机 Mate 9，IP 192.168.1.40；

路由端

ERL是mips/mips64，从debian官网下载mips版的deb，直接 dpkg -i 安装即可。如果路由上没有libevent，还得下载装一下。
安装好redsocks后，修改 /etc/default/redsocks，修改START=yes。
直接基于 /etc/redsocks.conf 修改

redsocks {
        /* `local_ip' defaults to 127.0.0.1 for security reasons,
         * use 0.0.0.0 if you want to listen on every interface.
         * `local_*' are used as port to redirect to.
         */
        local_ip = 0.0.0.0;
        local_port = 12345;

        // `ip' and `port' are IP and tcp-port of proxy-server
        // You can also use hostname instead of IP, only one (random)
        // address of multihomed host will be used.
        ip = 192.168.1.20;
        port = 8889;


        // known types: socks4, socks5, http-connect, http-relay
        type = socks5;

        // login = "foobar";
        // password = "baz";
}

redsocks {

/* `local_ip' defaults to 127.0.0.1 for security reasons,

* use 0.0.0.0 if you want to listen on every interface.

* `local_*' are used as port to redirect to.

local_ip = 0.0.0.0;

local_port = 12345;

// `ip' and `port' are IP and tcp-port of proxy-server

// You can also use hostname instead of IP, only one (random)

// address of multihomed host will be used.

ip = 192.168.1.20;

port = 8889;

// known types: socks4, socks5, http-connect, http-relay

type = socks5;

// login = "foobar";

// password = "baz";

}

改local_ip的原因是因为我iptables偷懒了。反正用完就关，无所谓。

使用 /etc/init.d/redsocks start启动服务。

iptables
只劫持了来自 192.168.1.40 的tcp 443的流量，修改到了12345端口。

iptables -t nat -N REDSOCKS
iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.40 -p tcp --dport 443  -j REDSOCKS
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

iptables -t nat -N REDSOCKS

iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.40 -p tcp --dport 443 -j REDSOCKS

iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

电脑

开启CharlesProxy的Socks服务
Proxy菜单 -> Proxy Settings… -> Proxies
勾选“Enable SOCKS proxy”，Port“8889”，勾选“Enable HTTP proxying over SOCKS”和“Include default HTTP ports(80,443,8080,8443)”。

由于默认状态下，CharlesProxy列表里出现的都是IP，没有域名，所以简单粗暴地对所有的443端口开启SSL proxy。
Proxy菜单 -> SSL Proxy Settings… -> SSL Proxying
直接Add一个 Host=*，Port=443的项目，并启用。用完就关掉。

接下来就是Rewrite的了，在看到流量之前就不用考虑了。
工具在 Tools菜单里就能看到。

另类方法劫持手机流量 by @sskaje: https://sskaje.me/2017/04/hijack-mobile-phone-traffic-using-router-and-charlesproxy/

Incoming search terms:

EdgeRouter Policy Based Routing Using DNSMASQ IPSET

By @sskaje
Link: https://sskaje.me/2017/04/edgerouter-policy-based-routing-dnsmasq-ipset/

之前用SNIProxy按域名区分流量，着实麻烦。尤其是后期发现路由表莫名其妙出问题。

EdgeRouter的Policy Based Routing(PBR)使用的是自带配置语法的firewall modify功能。
官方有两篇教程：
EdgeRouter – Policy-based routing for destination port
EdgeRouter – Policy-based routing (source address based)

第二篇文章顺带提了network-group。之前在配置VPN时，使用过network-group，还比较过使用firewall modify + network-group 与配置一堆interface-route的区别。

而，这里的network-group的实现，使用了netfilter的ipset。Man pages可以看这里，命令在edgerouter上也附带了。

dnsmasq支持 ‘–ipset‘ 参数，把对配置域名解析的IP存入到指定的ipset。具体细节可以看dnsmasq的文档。

dnsmasq配置的语法比较简单。

--ipset=/<domain>/[domain/]<ipset>[,<ipset>]

1	--ipset=/<domain>/[domain/]<ipset>[,<ipset>]

domain 部分参考 address 的语法。例如：

ipset=/.sskaje.me/MY_SET
ipset=/test.com/MY_SET

1 2	ipset=/.sskaje.me/MY_SET ipset=/test.com/MY_SET

配置好所有自己需要的域名，重启dnsmasq即可。

ipset本身支持timeout，但是edge os的network-group不支持，所以在配置dnsmasq之前，最好创建一个新的network-group。

假定新建的ipset名叫 MY_SET，edge router的主要相关配置如下：

set firewall group network-group MY_SET

set firewall modify AUTO_VPN rule 20 action modify
set firewall modify AUTO_VPN rule 20 destination group network-group MY_SET
set firewall modify AUTO_VPN rule 20 modify table 4
set firewall modify AUTO_VPN rule 20 protocol all

set firewall group network-group MY_SET

set firewall modify AUTO_VPN rule 20 action modify

set firewall modify AUTO_VPN rule 20 destination group network-group MY_SET

set firewall modify AUTO_VPN rule 20 modify table 4

set firewall modify AUTO_VPN rule 20 protocol all

其他诸如配置 static table, interface firewall 可以参考最前边的文档。

EdgeRouter Policy Based Routing Using DNSMASQ IPSET by @sskaje: https://sskaje.me/2017/04/edgerouter-policy-based-routing-dnsmasq-ipset/