V2raya does not bypass all traffic

hello every one

I'm new to OpenWrt and I just found out I can bypass my country's filtering with this OS and v2rayA,
so I got a Linksys EA8300 router and installed OpenWrt 22.03.6.
I installed v2rayA and Xray following the instructions at https://github.com/v2rayA/v2raya-openwrt
I imported a v2ray config and I have ping. I also use this config on my other devices, so I'm sure it is working perfectly.

My problem is that after I set up wifi I still can't access blocked websites; it seems v2rayA does not tunnel all traffic. It is strange that I can only access YouTube and .ir websites.
I struggled a lot with the firewall and other config but I still have no success.
I should add that I connected the internet cable to LAN1, because when I connect it to the WAN port I cannot access anything, not even the router itself, although WAN is set to DHCP client!

I add my configuration here and I would very much appreciate it if anyone can help. Also, I could only get the 2.4 GHz wifi working; any help with running 5 GHz too would be nice :))
v2raya config

# Settings for the v2rayA service (UCI section 'config' of type v2raya).
config v2raya 'config'
	# Listen address of the v2rayA web UI/API. 0.0.0.0 binds every interface,
	# so the UI is reachable from any firewall zone whose input policy is ACCEPT.
	# NOTE(review): consider binding to the router's LAN address only; confirm
	# the accepted format against the v2raya-openwrt documentation.
	option address '0.0.0.0:2017'
	option ipv6_support 'auto'
	option nftables_support 'auto'
	option log_level 'info'
	option log_max_days '3'
	option log_disable_color '1'
	# Presumably tells the init script to start the service; this only starts
	# the daemon, it does not by itself route client traffic through the proxy.
	option enabled '1'


firewall config


# Global policies, used for traffic that no zone-specific rule decides.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	# NOTE(review): forward ACCEPT lets otherwise unmatched traffic be routed
	# between any interfaces; the stock OpenWrt firewall uses REJECT here.
	option forward 'ACCEPT'

# NOTE(review): as posted, this lan zone lists no network or device, so it
# does not cover any interface.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream-facing zone covering the wan and wan6 interfaces, with masquerading
# (NAT) and MSS clamping enabled.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	# NOTE(review): input and forward ACCEPT on wan remove the router's
	# protection from the upstream side: every service listening on the router,
	# including the v2rayA UI bound to 0.0.0.0:2017, accepts connections
	# arriving on wan. The stock policy for this zone is REJECT for both.
	option input 'ACCEPT'
	option forward 'ACCEPT'

# Allows traffic from the lan zone to be forwarded to the wan zone.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below carry the names of OpenWrt's stock wan exceptions. Each one
# opens a single protocol on an otherwise closed wan zone.
# NOTE(review): the wan zone in this config already sets input and forward to
# ACCEPT, so these rules no longer narrow anything; they become meaningful
# again once wan is set back to REJECT.

# Accept IPv4 UDP to port 68 (DHCP client) arriving on wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo requests arriving on wan.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv4 IGMP arriving on wan.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv6 UDP to port 546 (DHCPv6 client) arriving on wan.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types (130-132 and 143, the MLD messages) from
# link-local sources on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router itself, rate-limited
# to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types forwarded from wan to any zone (dest '*'),
# with the same rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept ESP (IPsec) forwarded from wan to lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Accept UDP port 500 (ISAKMP/IKE) forwarded from wan to lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# DNAT for traffic from lan to port 2017, sent to port 2017 in zone 'v2ray'.
# NOTE(review): 2017 is the port of the v2rayA web UI in the v2raya config,
# not a proxy inbound, and no dest_ip is given. This redirect presumably does
# nothing to route client traffic through the proxy; v2rayA's transparent
# proxy mode is configured in v2rayA itself (confirm in its settings).
config redirect
	option target 'DNAT'
	option name 'v2ray'
	option src 'lan'
	option src_dport '2017'
	option dest_port '2017'
	option dest 'v2ray'

# Hand-made zone named 'v2ray' with every policy set to ACCEPT and
# masquerading enabled.
# NOTE(review): it claims br-lan, eth0, eth1 and the wlan devices plus the
# networks 'wan' and 'lan', which overlaps the wan zone defined earlier in
# this file. An interface should normally belong to exactly one zone;
# overlapping all-ACCEPT zones make the effective policy hard to reason about
# and leave nothing filtered between upstream and the local network.
config zone
	option name 'v2ray'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list device 'br-lan'
	list device 'eth0'
	list device 'eth1'
	list device 'wlan0'
	list device 'wlan1'
	list device 'wlan2'
	list network 'wan'
	list network 'lan'

# Forwardings between the v2ray zone and lan/wan in both directions.
config forwarding
	option src 'v2ray'
	option dest 'lan'

config forwarding
	option src 'v2ray'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'v2ray'

# NOTE(review): this permits forwarding from the wan zone into the v2ray zone,
# which contains the lan network and devices, i.e. unsolicited traffic from
# upstream towards local hosts.
config forwarding
	option src 'wan'
	option dest 'v2ray'


network config


# Loopback interface, 127.0.0.1/8.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 unique local address prefix for this router.
config globals 'globals'
	option ula_prefix 'fd4f:7475:1fdd::/48'

# LAN bridge with eth0 as its only port.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# NOTE(review): lan is a DHCP client here, so the router has no fixed LAN
# address of its own and takes one from whatever is plugged into a LAN port.
# A routed setup normally uses proto 'static' with a private subnet on lan.
config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

# Upstream interface on eth1, addressed by DHCP.
# NOTE(review): `option type 'bridge'` on an interface looks like the older
# pre-21.02 syntax; in this file bridges are declared with `config device`
# (see br-lan above). Presumably unintended on wan; confirm and remove.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option type 'bridge'

# IPv6 upstream on the same device, addressed by DHCPv6.
config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# Built-in switch with VLAN support enabled.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 on switch0 containing ports 1-4 and port 0, all untagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'


wireless config


# NOTE(review): none of the wifi-device sections below sets `option country`,
# so the radios are not configured for a regulatory domain.

# 5 GHz radio, 80 MHz channel width, automatic channel selection.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option channel 'auto'

# 2.4 GHz radio, channel 1, 20 MHz channel width.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

# WPA2-PSK access point on radio1.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt1'
	option encryption 'psk2'
	# NOTE(review): this passphrase has been published together with the SSID;
	# treat it as compromised and replace it. Redact keys before posting configs.
	option key '@Arash123'
	# NOTE(review): this attaches the AP to both lan and wan. An AP should be
	# attached to exactly one network, normally lan; with wan included, wifi
	# clients sit on the upstream side of the router as well.
	option network 'lan wan'

# Second 5 GHz radio, channel 36, 80 MHz channel width.
config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

# WPA2-PSK access point on radio2, attached to lan.
config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt2'
	option encryption 'psk2'
	# NOTE(review): same published passphrase as on the other APs; change it.
	option key '@Arash123'

# WPA2-PSK access point on radio0.
# NOTE(review): this section has no `option network`, so the AP is not
# attached to any network as posted.
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	# NOTE(review): same published passphrase as on the other APs; change it.
	option key '@Arash123'


v2rayA is a third-party overlay, so its maintainers may be able to help.
For the wifi part: set the country code, set the channel to auto, and change the security keys you just posted in a public forum.

This is wrong in /etc/config/wireless (`option network 'lan wan'`): there needs to be exactly one network for each AP, and that network is almost always lan.

Also set your country code, same two letter country for both radios, you can of course redact it when posting configs.

I believe that v2ray is a proxy not a VPN, it will only pass SSL traffic. Usually a SSL based VPN such as OpenVPN is run on top of such a proxy. The proxy encrypts the VPN traffic so that it will not be identifiable as VPN traffic to a deep packet inspection firewall.


the next problem i faced is when i connect internet cable to Port WAN the wifi devices can not take ip and so have no internet

my major problem is when i connect internet to LAN i can have internet on wifi devices but it works only for country (iran) website and the only exception is youtube but when i connect cable to wan i have no internet at all

Remove wifi from wan network, likely provider blocks you once you try to acquire more than 1-2 public IPs


The wan port should go upstream, i.e. to your ISP device. Nothing other than the OpenWrt router should be connected to the ISP device's output port(s). Turn off the wifi in the ISP device if it has that feature. You want the entire house to route through OpenWrt.

If the wan IP ("Upstream IPv4" on the main status page) ends up being 192.168.1.X, lan->wan routing will not work, you need to change lan to something like 192.168.2.1 so that the IP ranges do not overlap.

Get the basic lan->wan routing working first, as everything related to proxies or VPNs builds on top of that.


my internet provider is a outdoor TDLTE radio that has no wifi just cable come from roof to the router straight

Not important. Due to a small mishap you are connecting your wifi clients directly to that modem. In short, remove WAN from the wifi network and it will magically work. The next step is to configure the wifi radios with your local country code to get the best out of them.

Is it important to connect the internet cable to the WAN port, or can a LAN port do the same job as a DHCP client?

The purpose of router is to isolate your LAN from WAN.

Where would you put the gas pump nozzle to fuel up your car?
a) tank cap
b) exhaust pipe

--
one of the options promises rather spectacular results.


OK, now in the interface settings I set lan to static IP 192.168.2.1, and wan is a DHCP client of the ISP device and has 192.168.1.66. I also set the wireless device network to lan. Now I have internet access through wifi, but v2ray is not involved and I cannot bypass any censorship. It seems v2ray does not tunnel traffic through itself; I don't know whether this is a firewall and routing issue or a v2ray setting. Below is my current configuration of firewall, network, wifi and v2ray.

firewall:


# Global policies, used for traffic that no zone-specific rule decides.
# NOTE(review): this paste contains no `config forwarding` from lan to wan;
# lan-to-wan traffic presumably passes only because forward is ACCEPT here.
# The stock OpenWrt firewall uses forward REJECT plus an explicit lan->wan
# forwarding.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

# Local zone covering the lan interface; everything is accepted.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream-facing zone covering wan and wan6, with masquerading (NAT) and
# MSS clamping enabled.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	# NOTE(review): input and forward ACCEPT on wan expose every service
	# listening on the router, including the v2rayA UI bound to 0.0.0.0:2017,
	# to connections arriving from upstream. The stock policy for this zone is
	# REJECT for both.
	option input 'ACCEPT'
	option forward 'ACCEPT'

# The rules below carry the names of OpenWrt's stock wan exceptions. Each one
# opens a single protocol on an otherwise closed wan zone.
# NOTE(review): the wan zone in this config sets input and forward to ACCEPT,
# so these rules do not narrow anything until wan is set back to REJECT.

# Accept IPv4 UDP to port 68 (DHCP client) arriving on wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo requests arriving on wan.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv4 IGMP arriving on wan.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv6 UDP to port 546 (DHCPv6 client) arriving on wan.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types (130-132 and 143, the MLD messages) from
# link-local sources on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router itself, rate-limited
# to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types forwarded from wan to any zone (dest '*'),
# with the same rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept ESP (IPsec) forwarded from wan to lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Accept UDP port 500 (ISAKMP/IKE) forwarded from wan to lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# DNAT for traffic from lan to port 2017, sent to port 2017 in zone 'v2ray'.
# NOTE(review): 2017 is the port of the v2rayA web UI in the v2raya config,
# not a proxy inbound, and no dest_ip is given. This redirect presumably does
# not send any client traffic through the proxy; v2rayA's transparent proxy
# mode is configured in v2rayA itself (confirm in its settings).
config redirect
	option target 'DNAT'
	option src 'lan'
	option src_dport '2017'
	option dest_port '2017'
	option dest 'v2ray'

# Hand-made zone named 'v2ray' with every policy set to ACCEPT.
# NOTE(review): it lists the network 'lan', which the lan zone in this config
# already covers. A network should normally belong to exactly one zone, and a
# firewall zone does not by itself steer traffic into the proxy.
config zone
	option name 'v2ray'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Forwardings between lan and the v2ray zone in both directions.
config forwarding
	option src 'lan'
	option dest 'v2ray'

config forwarding
	option src 'v2ray'
	option dest 'lan'


network :


# Loopback interface, 127.0.0.1/8.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 unique local address prefix for this router.
config globals 'globals'
	option ula_prefix 'fd30:ed2b:2f00::/48'

# LAN bridge with eth0 as its only port.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# LAN with the static address 192.168.2.1/24.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	# NOTE(review): 192.168.1.65 lies outside the 192.168.2.0/24 lan subnet.
	# The lan interface normally has no gateway at all; the default route
	# should come from wan's DHCP lease. A gateway here may install a
	# conflicting default route; confirm and remove.
	option gateway '192.168.1.65'

# Upstream interface on eth1, addressed by DHCP.
# NOTE(review): `option type 'bridge'` on an interface looks like the older
# pre-21.02 syntax; in this file bridges are declared with `config device`
# (see br-lan above). Presumably unintended on wan; confirm and remove.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option type 'bridge'

# IPv6 upstream on the same device, addressed by DHCPv6.
config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# Built-in switch with VLAN support enabled.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 on switch0 containing ports 1-4 and port 0, all untagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

wifi :


# NOTE(review): none of the wifi-device sections below sets `option country`,
# so the radios are still not configured for a regulatory domain.

# 5 GHz radio, channel 100, 80 MHz channel width; currently disabled.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '100'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

# Access point on radio0, attached to lan.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	# NOTE(review): no encryption. Harmless only while radio0 stays disabled;
	# enabling the radio as-is would bring up an open AP bridged into lan. Set
	# WPA2/WPA3 and a key before enabling.
	option encryption 'none'

# 2.4 GHz radio, channel 1, 20 MHz channel width.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

# WPA2-PSK access point on radio1, attached to lan only.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	# NOTE(review): this is the same passphrase that was already published
	# earlier in the thread; treat it as compromised and replace it. Redact
	# keys before posting configs.
	option key '@Arash123'
	option network 'lan'

# Second 5 GHz radio, channel 36, 80 MHz channel width; currently disabled.
config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

# Access point on radio2, attached to lan.
config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	# NOTE(review): no encryption; same concern as default_radio0. Configure
	# WPA2/WPA3 before enabling radio2.
	option encryption 'none'


v2ray

# Settings for the v2rayA service (UCI section 'config' of type v2raya).
config v2raya 'config'
# Listen address of the v2rayA web UI/API. 0.0.0.0 binds every interface; with
# the wan zone's input policy set to ACCEPT in the firewall config, the UI is
# reachable from the upstream network as well.
# NOTE(review): consider binding to the LAN address (192.168.2.1 in the
# network config); confirm the accepted format in the v2raya-openwrt docs.
option address '0.0.0.0:2017'
option ipv6_support 'auto'
option nftables_support 'auto'
option log_level 'info'
option log_max_days '3'
option log_disable_color '1'
# Presumably tells the init script to start the service; this only starts the
# daemon, it does not by itself route client traffic through the proxy.
option enabled '1'

also this is how i configured my v2ray:

routing A:

default: proxy

domain(ext:"iran.dat:ads")->block
domain(ext:"iran.dat:proxy")->proxy
domain(ext:"iran.dat:all")->direct
ip(geoip:ir)->direct

dns:

8.8.8.8->proxy
1.1.1.1->proxy

What are the new symptoms after correcting wifi interface connection?

i only can access internal website (iran ip) and cannot access blocked website like youtube , facebook,insta,...

can you ping -c3 microsoft.com

yes i can ping

And now try to catch with tcpdump if it exits through ray or through wan interface....

would you please explain this with detail? im not expert that much