- first set up v2ray listening on port 12345 for tproxy, and have v2ray mark every packet it sends out with 0xff (255) through the outbound's sockopt, so the nft rules below can recognise v2ray's own traffic and leave it alone:
  "streamSettings": {
    "sockopt": {
      "mark": 255
    }
  }
- add policy based routing so that packets carrying mark 1 (the mark the nft tproxy rules set below) are delivered to the local stack instead of being forwarded:
  ip rule add fwmark 1 table 100
  ip route add local 0.0.0.0/0 dev lo table 100
  to persist these rules across reboots, add the equivalent config to /etc/config/network:
  config rule
      option lookup '100'
      option mark '0x1'

  config route
      option interface 'loopback'
      option type 'local'
      option target '0.0.0.0/0'
      option table '100'
- add the nft rules to the file /usr/share/nftables.d/ruleset-post/v2ray.nft (fw4 loads files from this directory after its own ruleset); rule order matters, the DNS rule must come before the LAN-to-LAN exemption:
  table ip v2ray
  flush table ip v2ray
  table ip v2ray {
      chain prerouting {
          type filter hook prerouting priority filter - 1; policy accept;
          # packets v2ray marked itself (sockopt mark 255) are never handed back to the proxy
          meta mark 0x000000ff return
          # traffic arriving from outside for LAN hosts is not ours to proxy
          ip saddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
          # DNS aimed at the router itself goes through v2ray, before the LAN-to-LAN exemption below
          ip daddr { <openwrt ip here> } udp dport 53 meta mark set 0x00000001 tproxy to 127.0.0.1:12345 accept
          # loopback, multicast and broadcast stay local
          ip daddr { 127.0.0.1, 224.0.0.0/4, 255.255.255.255 } return
          ip saddr { 127.0.0.1, 224.0.0.0/4, 255.255.255.255 } return
          # LAN-to-LAN traffic is not proxied
          ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
          # everything else from the LAN: mark 1 (matched by the ip rule above) and hand to the tproxy socket
          meta l4proto { tcp, udp } meta mark set 0x00000001 tproxy to 127.0.0.1:12345 accept
      }
  }
- allow input in the firewall for the whole IP range you want to tproxy: tproxied packets keep their original (public) destination address when they are delivered to the local v2ray socket, so the input chain sees them as a LAN host talking to a non-local IP and must accept them for the LAN zone (OpenWrt's default lan zone policy is input ACCEPT; if you tightened it, add a rule for the proxied range or for port 12345).
- caveats: the ruleset is IPv4 only (table ip), and it hooks only prerouting, so traffic originated by the router itself is not proxied, only forwarded LAN traffic and DNS sent to the router.
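The steps above, rendered from one set of parameters and cross-checked, as an added example (not part of the original notes and not from the v2ray or OpenWrt projects): the script prints the nft ruleset and a matching v2ray config, persists the policy routing through UCI, and verifies that the mark v2ray stamps on its sockets equals the mark the nft return rule exempts and that the dokodemo-door port equals the tproxy target port, because a mismatch there silently loops or black-holes traffic. Assumed values: router LAN IP 192.168.1.1, TPROXY port 12345, v2ray outbound mark 255 (0xff), policy-routing mark 1, routing table 100; the "freedom" outbound stands in for whatever proxy outbound the router really uses.

```shell
#!/bin/sh
# Added example, not from the original notes: render the nft ruleset, the
# v2ray config and the UCI policy routing from one set of parameters and
# cross-check them. Assumed values: router LAN IP 192.168.1.1, TPROXY port
# 12345, v2ray outbound mark 255 (0xff), policy-routing mark 1, table 100.

# Print the ruleset for /usr/share/nftables.d/ruleset-post/v2ray.nft.
#   $1 router LAN IP, $2 tproxy port, $3 v2ray outbound mark, $4 pbr mark
v2ray_nft_ruleset() {
    router_ip=$1; port=$2
    out_hex=$(printf '0x%08x' "$3"); pbr_hex=$(printf '0x%08x' "$4")
    cat <<EOF
table ip v2ray
flush table ip v2ray
table ip v2ray {
    chain prerouting {
        type filter hook prerouting priority filter - 1; policy accept;
        meta mark $out_hex return
        ip saddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
        ip daddr { $router_ip } udp dport 53 meta mark set $pbr_hex tproxy to 127.0.0.1:$port accept
        ip daddr { 127.0.0.1, 224.0.0.0/4, 255.255.255.255 } return
        ip saddr { 127.0.0.1, 224.0.0.0/4, 255.255.255.255 } return
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
        meta l4proto { tcp, udp } meta mark set $pbr_hex tproxy to 127.0.0.1:$port accept
    }
}
EOF
}

# Print a minimal v2ray config: a dokodemo-door inbound in tproxy mode on
# port $1 and outbound mark $2. "freedom" is a placeholder (assumption) for
# the real proxy outbound.
v2ray_config() {
    cat <<EOF
{
  "inbounds": [{
    "port": $1, "protocol": "dokodemo-door",
    "settings": { "network": "tcp,udp", "followRedirect": true },
    "streamSettings": { "sockopt": { "tproxy": "tproxy" } }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "streamSettings": { "sockopt": { "mark": $2 } }
  }]
}
EOF
}

# Cross-check $1 (v2ray json) against $2 (nft ruleset): the mark v2ray sets
# must equal the mark the "return" rule exempts, and the inbound port must be
# the only tproxy target port. Returns 0 when consistent, 1 otherwise.
check_tproxy_consistency() {
    json_mark=$(sed -n 's/.*"mark": *\([0-9]*\).*/\1/p' "$1" | head -n1)
    json_port=$(sed -n 's/.*"port": *\([0-9]*\).*/\1/p' "$1" | head -n1)
    nft_mark=$(sed -n 's/^[[:space:]]*meta mark \(0x[0-9a-f]*\) return.*/\1/p' "$2" | head -n1)
    nft_ports=$(sed -n 's/.*tproxy to 127\.0\.0\.1:\([0-9]*\).*/\1/p' "$2" | sort -u)
    [ -n "$json_mark" ] && [ -n "$nft_mark" ] && [ -n "$json_port" ] || return 1
    [ "$json_mark" -eq "$(printf '%d' "$nft_mark")" ] || return 1
    [ "$(printf '%s\n' "$nft_ports" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    [ "$json_port" -eq "$nft_ports" ] || return 1
}

# On the router (as root): write the ruleset and persist the policy routing
# through UCI, equivalent to the /etc/config/network stanza in the notes.
apply_on_router() {
    v2ray_nft_ruleset "$1" "$2" "$3" "$4" > /usr/share/nftables.d/ruleset-post/v2ray.nft
    uci -q delete network.v2ray_rule; uci -q delete network.v2ray_route
    uci set network.v2ray_rule=rule
    uci set network.v2ray_rule.mark="$(printf '0x%x' "$4")"
    uci set network.v2ray_rule.lookup='100'
    uci set network.v2ray_route=route
    uci set network.v2ray_route.interface='loopback'
    uci set network.v2ray_route.type='local'
    uci set network.v2ray_route.target='0.0.0.0/0'
    uci set network.v2ray_route.table='100'
    uci commit network && /etc/init.d/network reload && /etc/init.d/firewall reload
}

# Dry run: render both files into a temp dir and verify they agree.
tmp=$(mktemp -d)
v2ray_config 12345 255 > "$tmp/config.json"
v2ray_nft_ruleset 192.168.1.1 12345 255 1 > "$tmp/v2ray.nft"
check_tproxy_consistency "$tmp/config.json" "$tmp/v2ray.nft" && echo "v2ray and nft agree: mark 255, port 12345"
```

Run the dry run on any machine to inspect the generated files; apply_on_router is the only function that touches the system and expects an OpenWrt box with fw4 and uci.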