EdgeOS Settings

OpenWRT不稳定, 还是EdgeOS香

• 基础配置
• 科学上网
  • Shadowsocks
  • DNS
    • dnscrypt-proxy
    • dnsmasq分流
• 其它有用的脚本
• 定时任务
• ZeroTier

基础配置

• 首先通过页面的wizard做一下简单的配置, WAN口DHCP, 否则配置都是空的, 后续一些步骤可能走不下去
• 202109补充: 对于上海电信国际精品网PPPoE MTU=1442 MSS=1402 否则er-4 offload貌似不生效, 网速只有360左右
• 设置一下系统DNS, 一般不用ISP提供的

configure
set system name-server 223.5.5.5
commit ; save
exit

• 增加支持Debian包官方链接

configure
set system package repository stretch components 'main contrib non-free' 
set system package repository stretch distribution stretch
set system package repository stretch url http://archive.debian.org/debian
commit ; save

• HWNAT 不同CPU(型号)具体的命令不一样

configure
set system offload hwnat enable
set system offload ipsec enable
commit ; save

• Dnsmasq

configure
set service dhcp-server use-dnsmasq enable 
commit ; save

• VLAN

科学上网

• https://wiki.debian.org/systemd/Services
• https://wiki.debian.org/systemd
• 必须使用stretch-backports的shadowsocks-libev, 否则不支持gcm

Shadowsocks

echo "deb http://archive.debian.org/debian stretch-backports main" >>  /etc/apt/sources.list.d/stretch.list
# change ftp to archive 
# deb http://archive.debian.org/debian stretch main contrib non-free # stretch #
sudo apt update
sudo apt -t stretch-backports install shadowsocks-libev simple-obfs
sudo apt install wget
# ss-server的服务我们不需要
sudo systemctl stop shadowsocks-libev
sudo systemctl disable shadowsocks-libev

# ss-local的配置文件 可以从gist或其它路由器上拉下来
# 这里@后面的local和redir实际对应配置文件的名称, 也就是systemctl unitfile中%i的作用
sudo touch /etc/shadowsocks-libev/local.json
sudo systemctl start shadowsocks-libev-local@local.service
sudo systemctl enable shadowsocks-libev-local@local.service

# ss-redir的配置文件 可以从gist或其它路由器上拉下来
sudo touch /etc/shadowsocks-libev/redir.json
sudo systemctl start shadowsocks-libev-redir@redir.service
sudo systemctl enable shadowsocks-libev-redir@redir.service

# iptable设置大陆白名单模式
# 复制gist中的ss-redir-iptables到/usr/bin
wget https://raw.githubusercontent.com/pexcn/daily/gh-pages/chnroute/chnroute.txt -O /etc/shadowsocks-libev/chnroute.txt
chmod +x /usr/bin/ss-redir-iptables
# 该脚本需要开机执行
vi /etc/rc.local
# ss-redir-iptables start >> /dev/null 2>&1

DNS

dnscrypt-proxy

• dnscrypt-proxy

sudo apt-get install -y dnsutils
cd /tmp

# ER-X
curl -L -o /tmp/dnscrypt-proxy.tar.gz https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.4/dnscrypt-proxy-linux_mipsle-2.1.4.tar.gz
# ER-4
curl -L -o /tmp/dnscrypt-proxy.tar.gz https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.4/dnscrypt-proxy-linux_mips64-2.1.4.tar.gz

tar xzf dnscrypt-proxy.tar.gz

# ER-X
sudo mv linux-mipsle /config/dnscrypt-proxy
# ER-4
sudo mv linux-mips64 /config/dnscrypt-proxy

chmod +x /config/dnscrypt-proxy/dnscrypt-proxy
# 把dnscrypt-proxy配置复制到/config/dnscrypt-proxy/

# 自动启动服务
echo '#!/bin/sh' | sudo tee /config/scripts/post-config.d/dnscrypt.sh
echo '/config/dnscrypt-proxy/dnscrypt-proxy -service install' | sudo tee -a /config/scripts/post-config.d/dnscrypt.sh
echo '/config/dnscrypt-proxy/dnscrypt-proxy -service start' | sudo tee -a /config/scripts/post-config.d/dnscrypt.sh
sudo chmod +x /config/scripts/post-config.d/dnscrypt.sh
sudo /config/scripts/post-config.d/dnscrypt.sh

# 验证
/config/dnscrypt-proxy/dnscrypt-proxy -list
/config/dnscrypt-proxy/dnscrypt-proxy -resolve dnscrypt.info
dig @localhost -p 55553 google.com

reboot

dnsmasq分流

• 首先生成gfw2dnsmasq的配置, 配置内容为GFW域名解析走dnscrypt-proxy

# 在任意一台VPS上
git clone https://github.com/cokebar/gfwlist2dnsmasq.git
cd gfwlist2dnsmasq/

# 55553为dnscrypt-proxy的本地监听端口
sh gfwlist2dnsmasq.sh -p 55553 -o dnsmasq_gfwlist.conf

• 在edgeos中配置dnsmasq的DNS转发https://help.ui.com/hc/en-us/articles/115010913367-EdgeRouter-DNS-Forwarding-Setup-and-Options#3
• 我们也可以不使用edgeos的配置方式, dnsmasq的默认配置在/etc/default/dnsmasq, 配置中指定了CONFIG_DIR=/etc/dnsmasq.d, 所以我们只需要把刚刚生成的dnsmasq_gfwlist.conf放到/etc/dnsmasq.d目录下

# 前面已经设置edgeos使用DNSMASQ
configure
# Prevent dnsmasq using your ISP's DNS (eth0 is WAN port)
set interfaces ethernet eth0 dhcp-options name-server no-update

# 设置默认DNS, 一般不用ISP的
set system name-server 223.5.5.5
# 默认转发必须配置
set service dns forwarding system

# Make sure dnsmasq is not using the content of /etc/resolv.conf
set service dns forwarding options no-resolv
commit ; save

# 把刚刚生成的dnsmasq_gfwlist.conf放到/etc/dnsmasq.d

其它有用的脚本

• 清理空间

rm -rf /var/cache/apt/*
rm -rf /var/lib/apt/*
rm -rf /var/core/*
rm -rf /config/url-filtering/*

定时任务

• 参考链接https://docs.vyos.io/en/latest/configuration/system/task-scheduler.html
• 下面的貌似不生效, 直接crontab -e在最后加上 5 2 * * * /config/scripts/dnscrypt-proxy.sh
• service dnscrypt-proxy restart需要定时执行, 否则会有memory leak

sudo su
var='!'
echo -e "#${var}/bin/bash" > /config/scripts/dnscrypt-proxy.sh
echo "sudo service dnscrypt-proxy restart" >> /config/scripts/dnscrypt-proxy.sh
chmod 0755 /config/scripts/dnscrypt-proxy.sh
configure
set system task-scheduler task restartDnscryptProxy executable path /config/scripts/dnscrypt-proxy.sh
set system task-scheduler task restartDnscryptProxy interval 1d
commit;save;exit

ZeroTier

• https://github.com/zerotier/ZeroTierOne/issues/1144

curl -s https://install.zerotier.com | sudo bash
cd /tmp
wget https://github.com/dkruyt/resources/raw/master/zerotier-edgeos.tgz
tar -C / -xvzf /tmp/zerotier-edgeos.tgz

zerotier-cli join xxxx       # Join network
zerotier-cli orbit xxxx xxxx # MOON