Installing shadowsocks on an OpenWRT-flashed router for a transparent proxy + protection against DNS poisoning

The previous article introduced how to enable dual-WAN bandwidth aggregation on OpenWRT, which is also the most common requirement among people who flash OpenWRT. So, is there any way to add a transparent proxy function to it?

Now that the router has been flashed with the third-party OpenWRT firmware, that is certainly possible.

Proxy types

Among the proxy types in common use today, VPN is probably the one with the longest history, and it is also the choice of most users who play games on overseas servers. It has to be said that it has a unique advantage with UDP.

Another kind uses Google App Engine, with representative examples such as goagent and wallproxy.

Then there is the ShadowSocks kind. Of course, there are more than these three kinds; in fact, many protocols can be used. But since the topic of this article is ShadowSocks, we will skip the other proxy modes.


To install ShadowSocks on your router, you need to know your router's chip type. Since the router can, in theory, be flashed with OpenWRT, there should be a corresponding ShadowSocks package; all you have to do is find the one for that model.

For example, the router used here is an rg100a, whose chip is from the brcm63xx series.


  1. For the package, this article uses aa65535's build. Its advantage is that the dependencies are included, so nothing extra needs to be installed; it also supports graphical configuration, although some parts still have to be done from the CLI.
  2. We also need dnsmasq. If I am not mistaken, it should already be installed on your router to provide DHCP and DNS for the subnet, so all you have to do is customize it to work with ShadowSocks.
  3. wget. Your router certainly has it, but that version does not support HTTPS downloads, so you still need to install GNU wget in addition in order to download the two rule lists.

Let's get to work!

First you need to download the necessary packages: the shadowsocks package and its luci graphical control app. They can be downloaded Here (Shadowsocks-libev-spec) and Here (Luci-app-shadowsocks-spec). In case you cannot open those two pages, I also provide here both shadowsocks and chinadns together with their graphical front ends; this is, of course, the latest version as of the day the article was written :) openwrt shadowsocks family of four. This article does not use chinadns; the same function is provided by dnsmasq instead.

After downloading the two files, push them to the router with the scp command. If you are using Windows, you may need to download a separate program called "WinSCP".

After using a command of the above form to push the two files to the router's /tmp directory, log in to the router over ssh.

After logging in to the router, change to the /tmp directory, locate the two files, and install each of them with the package management tool. An example command is as follows

The two packages are now installed. Open the router's management interface in your browser; if nothing went wrong, you should be able to see it under the "service" menu!

shadowsocks service menu

Do not rush to turn ShadowSocks on. Next we configure DNS so that it stays clear of DNS poisoning, which lets you browse the Internet unimpeded; otherwise, even if you take the ladder over the wall, all you will meet is haze.

Of course, dnsmasq can only be configured from the CLI, because the graphical front end does not offer that many options ╮(╯▽╰)╭

Next, make sure your router is connected to the network, update the package manager's package list, and then install GNU wget; we need it to download the DNS rules.

Once wget is downloaded and installed, use the following command to download the accelerated domestic domain list and the polluted address block list. Of these two lists, one is a whitelist of domains to be accessed domestically and the other is a blacklist used to block polluted IPs. You can also look at their specific contents Here.


All right, dnsmasq is now configured as well. Let us go back to configuring ShadowSocks.


As shown below, uncheck the "Use profile" option so that you can configure SS in the web page, then fill in your SS configuration according to your own remote server's or provider's information.

Uncheck "Use Profile" to configure SS in the web page

Note that:

If your SS server address is a domain name rather than an IP, you have to pay attention to domain name resolution (because DNS forwarding is set up through SS, the domain name may not be resolvable before SS is connected; add a hosts entry, or better, use the IP instead!). On the last line you can select the global proxy mode; if you use the smart proxy, you do not need to touch it.

Since dnsmasq was configured earlier to forward DNS queries, the next step is to configure UDP forwarding:

Choose where the UDP query packets are sent

Tick Enable. Then, matching the earlier dnsmasq configuration, set the local port to the corresponding 7913 to receive DNS query packets, and fill in the forwarding address: these packets are sent through the SS proxy to port 53 of Google Public DNS.

This gives smart selection between domestic and foreign DNS (you can check accelerated-domains.china.conf to confirm which domain names are sent to domestic resolvers).
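
One way to vet the two downloaded lists before dnsmasq loads them, as an added example that is not part of the original article. The line formats, the function names and the upstream.conf file name are assumptions; 7913 is the local forwarder port configured above.

```shell
#!/bin/sh
# Added example: vet downloaded dnsmasq rule lists before installing them.
# Assumed line formats (the page does not show the file contents):
#   domestic whitelist:  server=/<domain>/<ipv4>
#   polluted-IP list:    bogus-nxdomain=<ipv4>
IPV4='([0-9]{1,3}\.){3}[0-9]{1,3}'

# check_list FILE KIND: succeed only if FILE is non-empty and every line that
# is not blank or a comment is the single directive allowed for KIND.
check_list() {
    case $2 in
        whitelist) pat="^server=/[A-Za-z0-9.-]+/${IPV4}\$" ;;
        blocklist) pat="^bogus-nxdomain=${IPV4}\$" ;;
        *) return 2 ;;
    esac
    [ -s "$1" ] || return 1
    # A line that survives both filters is an unexpected directive, e.g. an
    # address= override or a conf-file= include: reject the whole file.
    if grep -Ev '^[[:space:]]*(#.*)?$' "$1" | grep -Evq "$pat"; then
        return 1
    fi
    return 0
}

# install_rules WHITELIST BLOCKLIST DEST_DIR PORT: copy both lists into
# DEST_DIR and write the default upstream (the local forwarder on PORT).
# Nothing is written unless both lists pass check_list.
install_rules() {
    check_list "$1" whitelist || return 1
    check_list "$2" blocklist || return 1
    cp "$1" "$2" "$3/" || return 1
    # no-resolv: do not fall back to the resolvers in /etc/resolv.conf, so a
    # name without a whitelist rule is only ever sent to the forwarder.
    printf 'no-resolv\nserver=127.0.0.1#%s\n' "$4" > "$3/upstream.conf"
}
```

dnsmasq reads DEST_DIR only if its main configuration names that directory with conf-dir=. Run install_rules before restarting dnsmasq so that a truncated or tampered download never reaches the resolver.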

The entire configuration process is now complete. Turn ShadowSocks on, then enter /etc/init.d/dnsmasq restart in the CLI to restart the dnsmasq service.

At this point, you can enjoy the free Internet, friends.

Finally, if you are not satisfied with the status quo, take a look at "Advanced ShadowSocks transparent proxy configuration on an OpenWRT-flashed router" now!

Original article written by Gerber drop-off: R0uter's Blog » Installing shadowsocks on an OpenWRT-flashed router for a transparent proxy + protection against DNS poisoning

When reposting, please keep the source and the attribution link:

    1. Hello OP, I am using version 15.05.1. I installed (shadowsocks-client) and (luci-app-shadowsocks-spec), but the interface does not show up. How should I deal with this?

  1. I would like to ask the OP: how do I configure SS on a router with ipv6? Is it the same as this?
    I am a college student, using ipv6 + ss + a wireless router to get global free Internet access. Hey, it is quite a hassle.

  2. root@OpenWrt:~# scp /Users/xuyi/Desktop/tmp/libpolarssl_1.3.8-1_ar71xx.ipk root@

    /usr/bin/dbclient: Connection to root@ exited:

    ssh-rsa host key mismatch for !
    Fingerprint is md5 3d:b3:a4:bd:70:6c:db:9e:46:80:36:01:23:60:be:6f
    Expected md5 3c:00:94:83:8a:56:she:db:a6:7a:ff:a4:23:ff:from:b8
    If you know that the host key is correct you can
    remove the bad entry from ~/.ssh/known_hosts
    lost connection
    root@OpenWrt:~# scp /Users/xuyi/Desktop/tmp/luci-app-shadowsocks-spec_1.5.0-1_all.ipk root@

    /usr/bin/dbclient: Connection to root@ exited:

    ssh-rsa host key mismatch for !
    Fingerprint is md5 3d:b3:a4:bd:70:6c:db:9e:46:80:36:01:23:60:be:6f
    Expected md5 3c:00:94:83:8a:56:she:db:a6:7a:ff:a4:23:ff:from:b8
    If you know that the host key is correct you can
    remove the bad entry from ~/.ssh/known_hosts
    lost connection
    What is the situation?

  3. Hello blogger, I have a question. When going over the wall with ss nowadays, isn't there remote DNS already? Why do we need dnsmasq to solve the DNS pollution problem?

    1. It depends on the program you are using. In fact, DNS is not necessarily all resolved remotely; most programs still resolve once locally as well.
      For the pure purpose of getting over the wall, anti-pollution actually has little significance, because a polluted IP is not a valid domestic IP, or it is an IP that will be judged as going over the wall, and this does not stop you from getting over the wall. But from a security point of view, this is called a DNS leak. If you run into DNS hijacking, then although an attacker who is not a man in the middle cannot necessarily see the content you are accessing, they are able to get the domain name and then infer what you are accessing.

    1. I recommend a linksys router and then flashing an open source system on it. As for myself, I currently use cheap junk routers, so I have nothing to recommend; because I often change workplaces, deploying a router does not suit me.

  4. Thousands upon thousands of sites are not walled!!! This makes accelerated-domains.china.conf huge!! And it is unscientific! Some sites that are not walled and have not been recorded should not have their DNS queries go through the vpn!! Opening web pages will become very slow!! You can turn enough!

  5. After following the article I can somehow get over the wall automatically, but the router drops off the network from time to time. Going into the router to check, I found that shadowsocks had hung. I added the script that periodically checks shadowsocks as described in the article. The question now is that almost half the time it reports "Problem decteted, restarting shadowsocks." Where does the problem lie? My shadowsocks server is my own VPS, and it is very stable when used from computers and mobile phones.
    The router is a NETGEAR WNR3500L V1, Broadcom BCM4718A @ 453MHz, 64M RAM, 8M Flash.

    1. Try downloading the latest version of the ss client. If you downloaded the family of four provided on my blog, it is already out of date... I do not know whether you ever received my e-mail reply; my blog seems to have reversed it, it's weird.

      1. I downloaded shadowsocks from github, so it should be the latest version. I do not know what the problem is; I cannot see anything with the logread command. My English is rather poor.

  6. Following your method, I set up a transparent proxy on the router, and the devices at home now take the ladder automatically. But I have a few questions to ask:
    1. I also have devices such as a NAS at home; after setting up the transparent proxy, I am unable to VPN into the home LAN.
    2. The router intermittently drops off the network.
    I hope you can help solve these problems. Thank you.

    1. First of all, the router dropping off the network may be caused by remote DNS resolution; if I am not wrong, it should be a DNS resolution failure. You can try removing this, or specifying it on one computer, and then see whether the network still drops. As for the VPN, I do not know what method you use for the server, so I have no solution.

