Hi,
i run v2raya on my bpi-r3 with openwrt 24.10.2. But i want it to be transparent proxy only for a list of clients. It it possible to configure? I see the file v2raya.nft in /etc/v2raya. Does it contain the rules applied when i turn transparent proxy mode on? And does it mean, that i can change the rules so that only selected clients be proxied?
Nope. /etc/v2raya/v2raya.nft is overwritten when starting service. Any other thoughts?
What you want, I do with hev-socks5-tproxy. Where the correct setup of fw4-rules was a real PITA, because the standard openwrt package install s…. in this respect.
I.g. you can mod the fw4-rules in various ways; may be, you post the actual ones here.
Is the v2raya running as Tproxy, both for the openwrt-box, and the clients ?
it probably runs for clients. When i turn it on in tproxy mode it starts logging clients' access for the lan segment. Actually i don't want the whole traffic pass through the v2raya. It's not neded at all. I want my tizen tv to be tproxied only. The rules v2raya inserts, are:
table inet v2raya {
set whitelist {
type ipv4_addr
flags interval
auto-merge
elements = {
0.0.0.0/32,
10.0.0.0/8,
100.64.0.0/10,
127.0.0.0/8,
169.254.0.0/16,
172.16.0.0/12,
192.0.0.0/24,
192.0.2.0/24,
192.88.99.0/24,
192.168.0.0/16,
198.51.100.0/24,
203.0.113.0/24,
224.0.0.0/4,
240.0.0.0/4
}
}
set whitelist6 {
type ipv6_addr
flags interval
auto-merge
elements = {
::/128,
::1/128,
64:ff9b::/96,
100::/64,
2001::/32,
2001:20::/28,
fe80::/10,
ff00::/8
}
}
set interface {
type ipv4_addr
flags interval
auto-merge
}
set interface6 {
type ipv6_addr
flags interval
auto-merge
}
chain tp_out {
meta mark & 0x80 == 0x80 return
meta l4proto { tcp, udp } fib saddr type local fib daddr type != local jump tp_rule
}
chain tp_pre {
iifname "lo" mark & 0xc0 != 0x40 return
meta l4proto { tcp, udp } fib saddr type != local fib daddr type != local jump tp_rule
meta l4proto { tcp, udp } mark & 0xc0 == 0x40 tproxy ip to 127.0.0.1:52345
meta l4proto { tcp, udp } mark & 0xc0 == 0x40 tproxy ip6 to [::1]:52345
}
chain output {
type route hook output priority mangle - 5; policy accept;
meta nfproto { ipv4, ipv6 } jump tp_out
}
chain prerouting {
type filter hook prerouting priority mangle - 5; policy accept;
meta nfproto { ipv4, ipv6 } jump tp_pre
}
chain tp_rule {
meta mark set ct mark
meta mark & 0xc0 == 0x40 return
iifname "docker*" return
iifname "veth*" return
iifname "wg*" return
iifname "ppp*" return
# anti-pollution
ip daddr @interface return
ip daddr @whitelist return
ip6 daddr @interface6 return
ip6 daddr @whitelist6 return
jump tp_mark
}
chain tp_mark {
tcp flags & (fin | syn | rst | ack) == syn meta mark set mark | 0x40
meta l4proto udp ct state new meta mark set mark | 0x40
ct mark set mark
}
}
What i would like them to be - just add client lists:
set clientlist {
type ipv4_addr
flags interval
auto-merge
elements = {
....,
....
}
}
set clientlist6 {
type ipv6_addr
flags interval
auto-merge
elements = {
...,
...
}
}
and slightly modify chain tp_pre:
chain tp_pre {
iifname "lo" mark & 0xc0 != 0x40 return
meta l4proto { tcp, udp } fib saddr == @clientlist fib daddr type != local jump tp_rule
meta l4proto { tcp, udp } fib saddr == @clientlist6 fib daddr type != local jump tp_rule
meta l4proto { tcp, udp } mark & 0xc0 == 0x40 tproxy ip to 127.0.0.1:52345
meta l4proto { tcp, udp } mark & 0xc0 == 0x40 tproxy ip6 to [::1]:52345
}
that should do the trick if i'm not mistaken.. but it does not work with /etc/v2raya/v2raya.nft as it is maintained by the process and overwritten by it.
Makes things easier.
I am a bit wondering about the complexity of your fw4-setup for “simple tproxy”, but there should be a reason, so:
Your intension to mod tp_pre looks good to me. But I would inject separate, additional nft cmds, not to modify the existing ones, like you are trying to do. Ref. to https://openwrt.org/docs/guide-user/firewall/firewall_configuration
Includes !!!.
Unfortunately, I am just travelling, so I can not give working real life example, but in principle you should include a my_custom.nft in /etc/config/firewall, into very beginning of tp_pre. And my_custom.nft contains something like “If sadd != @clientlist return” Should bypass the tproxying of clients, NOT in your clientlist to be proxied.
BTW: What about DNS / webRTC leaks ? Might be possible in your setup, I guess.
What is this ? A script, modifying the standard fw4-rules for v2raya ? If yes, then it might be the easiest, just to directly edit this script according to your customization. Or to insert my “If sadd != @clientlist return” rules 
Yup, the construction sadd != @clientlist is what i was trying to run first (with Gemini AI tips)). But for now it's not ready yet raising some errors when loading addition from /etc/nftables.d/01-tproxy.nft. Thank you for confirming the right approach, i'll keep trying.
The file /etc/v2raya/v2raya.nft is the rules v2raya loads when activating tproxy mode indeed. But the problem is that it overwrites it every time. So editing the file is useless unfortunately.
As for DNS i use stubby in my network and prevent unsecure requests outside
So /etc/v2raya/v2raya.nft is dyn created. So to find, where/how, and modify there this creation. I guess, should originally be called somewhere from /etc/init.d/v2raya
Probably end of week, or beginning of next, I might be able to give v2raya a try myself on my travel router. Had a glance at v2raya, just out of curiosity, before messing around with hev-socks5-tproxy, which actually fulfills my requirements (server runs hidden behind sslh in home country on port 443, no DNS leak or webRTC leak, because all local traffic, esp. DNS, fully t-proxied, too) . Only disadvantage is missing cipher.
Seems that v2raya application wants to do too much work for me. What i'd like to try next is just run pure xray with my everyday config and use v2raya.nft as an example to modify nftables so that selected clients were tproxied by xray.
Let me know how is your try with v2raya then. May be i'm missing something.
Cheers
I found another xray application - luci-app-xray (https://github.com/yichya/luci-app-xray). Seems that it has far more options as full XRay with web interface, but still can't tune it to proxy specified client(s) only. Keep trying...
But that might be a more promising path: Use …luci-app-xray to set up a usable config, proxying all clients, which should be default, I guess. When this works, simply EDIT into /etc/config/firewall the filter for the clients, and restart firewall only. With some luck, edited firewall config will be used, without further modification. OR, instead editing /etc/config/firewall, directly inject the mods using nft cmnds (replace rule(s)).
Ok. It finally worked for me with luci-app-xray. Configured transparent proxy enabled on physical LAN port where my client is connected. Then added it's MAC to the individual tproxy enabled list.
My final setup got rid of the "ready to use" packages like v2raya or luci-app-xray. I've just setup pure XRay and configured nftables/ip rules/ip routes for clients to be proxied.
root@Banana:~# cat /etc/nftables.d/05-xray-route.nft
#!/usr/sbin/nft -f
set xray_clients_v4 {
type ipv4_addr
elements = { 10.0.0.148, 10.0.0.161 }
}
set xray_clients_v6 {
type ipv6_addr
elements = { 2a02:xxxx:xxxx:xxxx::57e }
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
# Mark packets from clients going to ports 80, 443
ip saddr 10.0.0.253 return # home gateway addr
ip saddr 77.mmm.mmm.239 return # wan ip addres
ip6 saddr 2a02:xxxx:xxxx:xxxx::1 return #home ipv6 gw
ip6 saddr 2a02:xxxx:xxxx:yyyy::2 return #wan ipv6 addr
ip saddr @xray_clients_v4 tcp dport 80 mark set 1 counter
ip saddr @xray_clients_v4 tcp dport 443 mark set 1 counter
ip saddr @xray_clients_v4 udp dport 443 mark set 1 counter
ip6 daddr != 2a02:xxxx:xxxx:xxxx::/56 # provider delegated prefix
ip6 saddr @xray_clients_v6 tcp dport 80 mark set 1 counter
ip6 saddr @xray_clients_v6 tcp dport 443 mark set 1 counter
ip6 saddr @xray_clients_v6 udp dport 443 mark set 1 counter
}
chain xray_output {
type route hook output priority mangle; policy accept;
ip daddr { 127.0.0.0/8, 10.0.0.0/24 } return
ip6 daddr { ::1/128, 2a02:xxxx:xxxx:xxxx::/64 } return # home delegated prefix
meta skuid { 0 } return
meta skgid { 0 } return
tcp dport 80 meta mark set 0x00000001 counter
tcp dport 443 meta mark set 0x00000001 counter
udp dport 443 meta mark set 0x00000001 counter
}
root@Banana:~# cat /etc/hotplug.d/iface/99-xray-routing
#!/bin/sh
[ "$ACTION" = ifup ] || exit 0
[ "$INTERFACE" = lan ] || exit 0
ip rule add fwmark 1 table 100 2>/dev/null || true
ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null || true
ip -6 rule add fwmark 1 table 100 2>/dev/null || true
ip -6 route add local ::/0 dev lo table 100 2>/dev/null || true
exit 0
'''
works like a charm
1 Like
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.