[Tutorial] Build OpenWrt with Multipath TCP

Hey Andy. I plan to write a full-fledged tutorial about MPTCP aggregation and encryption as a whole (including v2ray, wireguard, configuration on the client & server side).

In the meantime, since you already set up your VPS using the OMR script, I can just refer you to an example v2ray configuration.

For OpenWrt, you need to compile iptables-mod-tproxy into the image to use the TPROXY method of transparent proxying, so you can forward all the traffic to v2ray and aggregate links.

Server:

{
  "inbounds": [
    {
      "port": 31351,
      "protocol": "socks",
      "settings": {
        "auth": "password",
        "accounts": [
          {
            "user": "change this",
            "pass": "change this"
          }
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

Client:

Put this config in /etc/v2ray/config.json

{
  "inbounds": [
    {
      "port": 12345,
      "listen": "127.0.0.1",
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp",
        "followRedirect": true
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "socks",
      "settings": {
        "servers": [
          {
            "address": "ServerIP",
            "port": 31351,
            "users": [
              {
                "user": "change this",
                "pass": "change this"
              }
            ]
          }
        ]
      }
    }
  ]
}

iptables OpenWrt

Change your server IP in the iptables rule, then issue the commands.

# Identify packets with destination address matching a local socket, set the packet mark to 1
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

# Match on packet mark 1 using policy routing to have those packets delivered locally
ip rule add fwmark 1 table 100
ip route add local default dev lo table 100

# Create new chain
iptables -t mangle -N V2RAY

# Ignore v2ray server address, routed devices won't be able to reach the server with this
# iptables -t mangle -A V2RAY -d "ServerIP" -j RETURN

# Ignore local IPv4 addresses to bypass the proxy
iptables -t mangle -A V2RAY -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A V2RAY -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to Dokodemo-door's local port
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1

# Transparent proxy for routed devices
iptables -t mangle -A PREROUTING -j V2RAY

# ---

# Create new chain for proxying the router
iptables -t mangle -N V2RAY_LOCAL

# Ignore v2ray server address
iptables -t mangle -A V2RAY_LOCAL -d "ServerIP" -j RETURN

# Ignore local IPv4 addresses to bypass the proxy
iptables -t mangle -A V2RAY_LOCAL -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_LOCAL -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_LOCAL -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_LOCAL -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A V2RAY_LOCAL -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A V2RAY_LOCAL -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A V2RAY_LOCAL -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_LOCAL -d 240.0.0.0/4 -j RETURN

# Mark anything else as 1
iptables -t mangle -A V2RAY_LOCAL -p tcp -j MARK --set-mark 1

# Transparent proxy for the router
iptables -t mangle -A OUTPUT -j V2RAY_LOCAL

You can put the iptables rules in the firewall settings and the ip rule & ip route commands in the startup section in LuCI so that the configuration survives reboots.

v2ray OpenWrt startup script

I also wrote a simple script to automatically initialize v2ray after reboot. Put it in /etc/init.d/v2ray
Run: service v2ray enable && service v2ray start

#!/bin/sh /etc/rc.common

USE_PROCD=1

# Start late in the boot sequence
START=99

CONF=/etc/v2ray/config.json
EXEC=/usr/bin/v2ray

# procd supervises v2ray. With USE_PROCD=1, rc.common supplies
# start/stop/reload itself, so the script does not define them.
start_service() {
  procd_open_instance
  procd_set_param command "$EXEC" -c "$CONF"
  # Restart the instance on reload when the config file has changed
  procd_set_param file "$CONF"
  procd_set_param pidfile /var/run/v2ray.pid
  # Respawn v2ray if it exits
  procd_set_param respawn
  procd_close_instance
}

Your OpenWrt router should survive reboots and automatically aggregate links now.
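
An added example, not part of the original post: a POSIX sh generator for the two V2RAY chains above. It refuses to emit rules while the server address is still the "ServerIP" placeholder, so the V2RAY_LOCAL exemption for the v2ray server is never silently missing. The function names (valid_ipv4, emit_chain, emit_rules) are assumptions; the chains, bypass networks, port 12345 and mark 1 come from the post.

```shell
#!/bin/sh
# Added example: prints the mangle rules for review instead of applying them.
# Hypothetical helper names; rule contents mirror the post.
BYPASS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # safe to split: only digits and dots remain
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print one chain: optional server exemption, bypass list, final tcp target.
# $1 chain name, $2 server IP to exempt ('' for none), $3.. final target args
emit_chain() {
  chain=$1; server=$2; shift 2
  echo "iptables -t mangle -N $chain"
  if [ -n "$server" ]; then
    echo "iptables -t mangle -A $chain -d $server -j RETURN"
  fi
  for net in $BYPASS; do
    echo "iptables -t mangle -A $chain -d $net -j RETURN"
  done
  echo "iptables -t mangle -A $chain -p tcp $*"
}

# Print both chains for the given v2ray server IP, or fail on a bad address.
emit_rules() {
  valid_ipv4 "$1" || { echo "refusing: '$1' is not an IPv4 address" >&2; return 1; }
  # Routed devices: no server exemption, as in the post (it is commented out there)
  emit_chain V2RAY "" -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1
  echo "iptables -t mangle -A PREROUTING -j V2RAY"
  # The router itself: traffic to the v2ray server must bypass the proxy
  emit_chain V2RAY_LOCAL "$1" -j MARK --set-mark 1
  echo "iptables -t mangle -A OUTPUT -j V2RAY_LOCAL"
}

# Run with the server IP as the only argument to print the rules.
if [ "$#" -gt 0 ]; then emit_rules "$1"; fi
```

The DIVERT chain and the ip rule / ip route commands from the post do not depend on the server address and are left out of the generator.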