This setup successfully implements a LAN-wide transparent proxy (Trojan-GFW + V2Ray), BBR upload acceleration, NAT traversal, fully automatic KMS activation of Windows and Office, pollution-free local DNS, BT and PT downloading with qBittorrent-nox, a web server and more. Last updated 2020-04-02; originally written 2019-09-04.


Basic requirements. Difficulty: none, just throw money at it.

Hardware: an x86_64 industrial PC / desktop / server (a 3865U box with 6 NICs is worth having) + a few network cables (Cat 6 or better) + a broadband line (100 Mbit/s or better) + monitor + mouse + keyboard + UPS (optional) + a second computer for SSH (optional).

Performance (important!): Ubuntu Server 18.04 needs hardware with enough performance for all of this.

My own hardware: a 3865U industrial PC with 6 gigabit NICs (2C/2T at 1.8 GHz, 8 GB DDR4, 250 GB SATA SSD).

Performance reference (for reference only; not written by me)


Basics (getting online). Difficulty: ★

1. Install Ubuntu 18.04 Server

Download Ubuntu Server | Download | Ubuntu
pbatard/rufus: The Reliable USB Formatting Utility (GitHub)

Write the ISO to a USB stick with Rufus, enter the BIOS and disable Fast Boot and Secure Boot, move the USB stick to the top of the boot order, then F10 to save and exit.

Choose a language (choosing Chinese makes the installer default to a .cn mirror; weigh the pros and cons yourself), let the partitioner run automatically, create an account, click Next all the way through and reboot; the installation is done.

2. Connect via PPPoE

Plug in the WAN cable (use a fixed port), open a terminal, run sudo pppoeconf, enter your account and password and answer yes to all the options (the concrete config files are under /etc/ppp); the router itself is now online.

sudo pppoeconf

PS: a single-line multi-dial tutorial, for reference only

Linux soft router single-line multi-dial
Linux soft router broadband multi-dial (single-line multi-dial); the test machine is a Raspberry Pi 3B running ArchLinux for ARM, the ISP is China Telecom; in practice only dual-dial was stable, and bandwidth did not change.

3. Update the system

Open a terminal and run

sudo apt-get update
sudo apt-get upgrade -y

4. Configure the bridge and NAT so LAN clients can reach the outside (important!!)

(1) Ubuntu 18.04 configures the network with netplan

cd /etc/netplan
ls
sudo nano <the default config file shown by ls>
network:
  renderer: networkd
  ethernets:
    enp1s0:
      dhcp4: no
    enp2s0:
      dhcp4: no
    enp3s0:
      dhcp4: no
    enp4s0:
      dhcp4: no
    enp5s0:
      dhcp4: no
    enp6s0:
      dhcp4: no
  bridges:
    br0:
      addresses: [10.0.0.1/24, '<your IPv6 global routing prefix>/64']
      dhcp4: no
      dhcp6: no
      accept-ra: no
      interfaces:
        - enp6s0
        - enp5s0
        - enp4s0
        - enp3s0
        - enp2s0
  version: 2

Note: I use 10.0.0.1/24 as the LAN address, enp1s0 as the WAN interface and the remaining ports as LAN interfaces.

(2) Edit the sysctl config to enable IPv4 and IPv6 forwarding

sudo nano /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
sudo sysctl -p

(3) Configure NAT with iptables

ip addr | grep ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Test the connection

ping -c 3 baidu.com > /dev/null && echo OK

If OK appears, the network is working (echo only runs when ping succeeds).

Then connect the WAN port to the outside and plug a PC or a wireless AP into a LAN port. Give the PC a static address in 10.0.0.0/24 (e.g. 10.0.0.2) with 10.0.0.1 as the gateway and it can get online.


Intermediate (automatic IP assignment for LAN devices, LAN DNS server, BBR upload acceleration). Difficulty: ★☆

Almost nobody wants to configure every device's IP by hand, so a local DHCP server is essential.

1. Install dnsmasq as the DHCP server

sudo apt-get update
sudo apt-get install dnsmasq -y
sudo rm /etc/dnsmasq.conf
sudo touch /etc/dnsmasq.conf
sudo nano /etc/dnsmasq.conf

The stock config file is too long to edit comfortably, so a trimmed version is used instead.

cat > '/etc/dnsmasq.conf' << EOF
# port=0 disables dnsmasq's DNS function: it only hands out DHCP leases here, port 53 is served by V2Ray later
port=0
domain-needed
bogus-priv
filterwin2k
#dnssec
#strict-order
no-resolv
bind-interfaces
except-interface=ppp0
#no-hosts
#addn-hosts=/etc/banner_add_hosts
dhcp-range=10.0.0.50,10.0.0.150,255.255.255.0,7d
dhcp-option=option:router,10.0.0.1
dhcp-option=option:dns-server,10.0.0.1
dhcp-authoritative
#dhcp-range=1234::,ra-only # stateless IPv6 addressing (router RA settings); replace 1234:: with your own IPv6 prefix
#enable-ra # enable IPv6 router advertisements
#dhcp-option=option6:dns-server,[2620:119:35::35],[2620:119:53::53] # advertise IPv6 DNS servers
cache-size=10000
no-negcache
log-queries
log-facility=/var/log/dnsmasq.log
EOF

2. Install dnscrypt-proxy

dnsver=$(curl -s "https://api.github.com/repos/DNSCrypt/dnscrypt-proxy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
# fetch the release tarball for that version, then unpack and install the binary
wget -q --show-progress https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/${dnsver}/dnscrypt-proxy-linux_x86_64-${dnsver}.tar.gz
tar -xvf dnscrypt-proxy-linux_x86_64-${dnsver}.tar.gz
rm dnscrypt-proxy-linux_x86_64-${dnsver}.tar.gz
cd linux-x86_64
cp -f dnscrypt-proxy /usr/sbin/dnscrypt-proxy
chmod +x /usr/sbin/dnscrypt-proxy
cd ..
rm -rf linux-x86_64
setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/dnscrypt-proxy
wget -P /etc/dnscrypt-proxy/ https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md -q --show-progress
wget -P /etc/dnscrypt-proxy/ https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/opennic.md -q --show-progress
wget -P /etc/dnscrypt-proxy/ https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md -q --show-progress
cat > '/etc/dnscrypt-proxy/dnscrypt-proxy.toml' << EOF
#Do not change these settings unless you know what you are doing !
listen_addresses = ['127.0.0.1:5353']
user_name = 'nobody'
max_clients = 250
ipv4_servers = true
ipv6_servers = true
dnscrypt_servers = true
doh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = true
disabled_server_names = ['cisco', 'cisco-ipv6', 'cisco-familyshield']
force_tcp = false
timeout = 5000
keepalive = 30
lb_estimator = true
log_level = 2
use_syslog = true
#log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
cert_refresh_delay = 720
tls_disable_session_tickets = true
#tls_cipher_suite = [4865]
fallback_resolvers = ['1.1.1.1:53', '8.8.8.8:53']
ignore_system_dns = true
netprobe_timeout = 60
netprobe_address = '1.1.1.1:53'
# Maximum log files size in MB - Set to 0 for unlimited.
log_files_max_size = 0
# How long to keep backup files, in days
log_files_max_age = 7
# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 0
block_ipv6 = false
## Immediately respond to A and AAAA queries for host names without a domain name
block_unqualified = true
## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).
block_undelegated = true
## TTL for synthetic responses sent when a request has been blocked (due to
## IPv6 or blacklists).
reject_ttl = 600
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

[query_log]

  #file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[blacklist]

  blacklist_file = '/etc/dnscrypt-proxy/blacklist.txt'

[sources]

  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''

  [sources.'opennic']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/opennic.md', 'https://download.dnscrypt.info/dnscrypt-resolvers/v2/opennic.md']
  cache_file = 'opennic.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''

  ## Anonymized DNS relays

  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''
EOF
cat > '/etc/dnscrypt-proxy/blacklist.txt' << EOF

###########################
#        Blacklist        #
###########################

## Rules for name-based query blocking, one per line
##
## Example of valid patterns:
##
## ads.*         | matches anything with an "ads." prefix
## *.example.com | matches example.com and all names within that zone such as www.example.com
## example.com   | identical to the above
## =example.com  | block example.com but not *.example.com
## *sex*         | matches any name containing that substring
## ads[0-9]*     | matches "ads" followed by one or more digits
## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster

#ad.*
#ads.*

####Block 360####
#*.cn
*.360.com
*.360jie.com
*.360kan.com
*.360taojin.com
*.i360mall.com
*.qhimg.com
*.qhmsg.com
*.qhres.com
*.qihoo.com
*.nicaifu.com
*.so.com
####Block Xunlei###
*.xunlei.com
####Block Baidu###
*baidu.*
*.bdimg.com
*.bdstatic.com
*.duapps.com
*.quyaoya.com
*.tiebaimg.com
*.xiaodutv.com
*.sina.com
EOF
cat > '/etc/systemd/system/dnscrypt-proxy.service' << EOF
[Unit]
Description=DNSCrypt client proxy
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
#User=nobody
NonBlocking=true
ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
CacheDirectory=dnscrypt-proxy
LogsDirectory=dnscrypt-proxy
RuntimeDirectory=dnscrypt-proxy
LimitNOFILE=51200
LimitNPROC=51200
Restart=on-failure
RestartSec=3s

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
# stop systemd-resolved so it does not fight over port 53
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq
sudo systemctl start dnscrypt-proxy
sudo systemctl enable dnscrypt-proxy
# redirect every DNS query from the LAN (UDP port 53) to the router
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 10.0.0.1

As long as the status is active and the log shows no errors, everything is fine and LAN clients can obtain addresses. Note that port=0 turns off dnsmasq's DNS function, so at this point the router only hands out DHCP leases; the DNS service on 10.0.0.1:53 that the dhcp-option advertises is provided by V2Ray's dns-in inbound from the transparent proxy section, which forwards to dnscrypt-proxy on 127.0.0.1:5353. Also, once systemd-resolved is disabled, the router's own /etc/resolv.conf still points at 127.0.0.53; point it at a working resolver or the router itself will not resolve names.
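As an added example (not code from the post or from dnscrypt-proxy), this Python applies the pattern semantics documented in the blacklist.txt header above to a constructed rule list built from those header examples plus a few entries of the list, so you can check what a rule really covers before deploying it: note that *.sina.com does not cover sina.com.cn, and that a substring rule like *sex* also catches names such as essex.ac.uk.

```python
import fnmatch

# Constructed sample, not the full list: the header's example patterns plus a few
# entries from the blacklist above, in blacklist.txt syntax (one pattern per line,
# '#' starts a comment).
BLACKLIST_TEXT = """
ads.*           # prefix
=example.com    # exact name only
ads[0-9]*       # glob
*sex*           # substring

####Block 360####
*.360.com
*.so.com
####Block Baidu###
*baidu.*
*.sina.com
"""


def load_rules(text):
    """Parse blacklist text into a list of lower-cased patterns, in file order."""
    rules = []
    for raw in text.splitlines():
        pattern = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if pattern:
            rules.append(pattern.lower())
    return rules


def rule_matches(rule, name):
    """Apply one pattern to a query name using the semantics from the file header."""
    name = name.rstrip(".").lower()
    if rule.startswith("="):                       # =example.com: that name only
        return name == rule[1:]
    if not any(c in rule for c in "*?["):          # example.com: the name and its zone
        return name == rule or name.endswith("." + rule)
    if rule.startswith("*.") and not any(c in rule[2:] for c in "*?["):
        zone = rule[2:]                             # *.example.com: same as the above
        return name == zone or name.endswith("." + zone)
    return fnmatch.fnmatchcase(name, rule)          # ads.*, *sex*, ads[0-9]*, ...


def first_blocking_rule(rules, name):
    """Return the first rule that blocks `name`, or None if the name is allowed."""
    for rule in rules:
        if rule_matches(rule, name):
            return rule
    return None


RULES = load_rules(BLACKLIST_TEXT)

if __name__ == "__main__":
    for q in ["www.360.com", "so.com", "tieba.baidu.com", "example.com",
              "www.example.com", "ads7.tracker.test", "sina.com.cn", "www.essex.ac.uk"]:
        print(f"{q:20s} -> {first_blocking_rule(RULES, q)}")
```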

3. Enable BBR upload acceleration

google/bbr (GitHub)

cat > '/etc/sysctl.d/99-sysctl.conf' << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
################################
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
################################
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
################################
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2
################################
net.core.netdev_max_backlog = 100000
net.core.netdev_budget = 50000
net.core.netdev_budget_usecs = 5000
#fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.somaxconn = 4096
################################
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.ipv4.tcp_mtu_probing = 0
##############################
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_max_syn_backlog = 30000
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_frto = 0
##############################
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
vm.swappiness = 5
net.ipv4.ip_unprivileged_port_start = 0
EOF

sudo sysctl --system   # loads /etc/sysctl.d/*.conf as well as /etc/sysctl.conf

If no errors are shown, BBR is enabled; sysctl net.ipv4.tcp_congestion_control should now report bbr.


Transparent proxy with Trojan-GFW + V2Ray. Difficulty: ★★. Last updated 2020-04-02

1. Install Trojan + V2Ray

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install xz-utils -y
sudo bash -c "$(wget -O- https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"
sudo apt-get install curl unzip -y
sudo bash <(curl -L -s https://install.direct/go.sh)

trojan-gfw/trojan-quickstart: a simple installation script for the trojan server (GitHub)

Both installer lines pipe a script fetched from the network straight into a root shell; download and read each script first, then run it.

2. Configure Trojan-GFW and V2Ray (the crucial part!!)

sudo modprobe xt_TPROXY
Loads the TPROXY module for the current boot.

Edit /etc/modules-load.d/TPROXY.conf so the module is loaded automatically:

echo "xt_TPROXY" > '/etc/modules-load.d/TPROXY.conf'

Edit the Trojan config file:

sudo nano /usr/local/etc/trojan/config.json
{
    "run_type": "client",
    "local_addr": "127.0.0.1",
    "local_port": 1080,
    "remote_addr": "1.1.1.1",
    "remote_port": 443,
    "password": [
        "password1"
    ],
    "log_level": 1,
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
        "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "sni": "example.com",
        "alpn": [
            "h2",
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": false,
        "curves": ""
    },
    "tcp": {
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": false,
        "fast_open_qlen": 20
    }
}
Trojan config: remote_addr is your node's IP address or domain name, sni is the node's domain name, and password1 must be replaced with the node's password. The file has to be plain JSON, so keep such explanations out of it (standard JSON has no comments).
systemctl start trojan
systemctl enable trojan
sudo rm /etc/v2ray/config.json
sudo touch /etc/v2ray/config.json
sudo nano /etc/v2ray/config.json

{
  "log": {
    "error": "/etc/v2ray/error.log",
    "access": "/etc/v2ray/access.log",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "transparent",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    },
    {
      "tag": "dns-in",
      "protocol": "dokodemo-door",
      "port": 53,
      "settings": {
        "address": "1.1.1.1",
        "port": 53,
        "network": "udp"
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 8001,
      "protocol": "http",
      "settings": {
        "timeout": 0,
        "allowTransparent": false,
        "userLevel": 0
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy", // this guide uses Trojan-GFW in client mode as the upstream
      "protocol": "socks",
      "settings": {
        "servers": [{
          "address": "127.0.0.1",
          "port": 1080
        }]
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {},
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "tag": "adblock",
      "protocol": "blackhole",
      "settings": {},
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "protocol": "dns",
      "tag": "dns-out"
    }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": ["dns-in"],
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "inboundTag": ["transparent"],
        "port": 53,
        "network": "udp",
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "inboundTag": ["transparent"],
        "port": "10000-65535",
        "network": "tcp,udp",
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "inboundTag": ["transparent"],
        "port": 123,
        "network": "udp",
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "inboundTag": ["transparent"],
        "port": 1723,
        "network": "tcp,udp",
        "outboundTag": "adblock"
      },
      {
        "type": "field",
        "ip": ["223.5.5.5", "114.114.114.114"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": ["8.8.8.8", "1.1.1.1"],
        "outboundTag": "proxy"
      },
      {
        "type": "field",
        "domain": ["geosite:qihoo360"],
        "outboundTag": "adblock"
      },
      {
        "type": "field",
        "ip": ["geoip:private", "geoip:cn"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain": ["geosite:cn"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "outboundTag": "direct",
        "protocol": ["bittorrent"]
      }
    ]
  },
  "dns": {
    "hosts": {
      "geosite:qihoo360": "www.johnrosen1.com" // hijack the DNS answers for these domains
    },
    "servers": [
      {"address": "127.0.0.1", "port": 5353},
      {"address": "114.114.114.114", "port": 53, "domains": ["geosite:cn", "bilibili.com", "ntp.org"]}
    ]
  }
}

Test the config file

sudo /usr/bin/v2ray/v2ray -test -config /etc/v2ray/config.json

If it prints Configuration OK., the config file is fine.

sudo systemctl start v2ray
sudo systemctl status v2ray

Status active means it is running. One caveat: the dns-in inbound (port 53, no listen address, so all interfaces) and the http inbound (0.0.0.0:8001) are reachable on the ppp0 public address as well as on the LAN; either set "listen": "10.0.0.1" on both or drop inbound traffic to those ports on ppp0 with iptables, otherwise the box is an open resolver and an open HTTP proxy on the internet.
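To see which outbound the routing section above picks for a given connection, here is an added Python model of V2Ray's first-match routing with domainStrategy IPIfNonMatch, run over a copy of the rules from the config above (it is not V2Ray's own code). Assumptions: the geoip and geosite tables are small constructed stand-ins, geosite entries match by domain suffix and plain domain strings by substring, and when no rule matches the first outbound (proxy) is used, which is how V2Ray behaves.

```python
import ipaddress

# Constructed stand-ins for the geoip.dat / geosite.dat categories the rules refer to.
GEOIP = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"],
    "cn": ["114.114.114.0/24", "223.5.5.0/24"],
}
GEOSITE = {
    "cn": ["bilibili.com", "baidu.com"],
    "qihoo360": ["360.com", "so.com", "qihoo.com"],
}

# The routing rules from the config above, in order.
RULES = [
    {"inboundTag": ["dns-in"], "outboundTag": "dns-out"},
    {"inboundTag": ["transparent"], "port": 53, "network": "udp", "outboundTag": "dns-out"},
    {"inboundTag": ["transparent"], "port": "10000-65535", "network": "tcp,udp", "outboundTag": "direct"},
    {"inboundTag": ["transparent"], "port": 123, "network": "udp", "outboundTag": "direct"},
    {"inboundTag": ["transparent"], "port": 1723, "network": "tcp,udp", "outboundTag": "adblock"},
    {"ip": ["223.5.5.5", "114.114.114.114"], "outboundTag": "direct"},
    {"ip": ["8.8.8.8", "1.1.1.1"], "outboundTag": "proxy"},
    {"domain": ["geosite:qihoo360"], "outboundTag": "adblock"},
    {"ip": ["geoip:private", "geoip:cn"], "outboundTag": "direct"},
    {"domain": ["geosite:cn"], "outboundTag": "direct"},
    {"protocol": ["bittorrent"], "outboundTag": "direct"},
]


def ip_matches(entries, ip):
    """Match an IP against literal addresses/CIDRs or geoip:<category> entries."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        cidrs = GEOIP[entry[6:]] if entry.startswith("geoip:") else [entry]
        if any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False


def domain_matches(entries, domain):
    """geosite:<category> matches by zone suffix; a plain string matches as a substring."""
    for entry in entries:
        if entry.startswith("geosite:"):
            zones = GEOSITE[entry[8:]]
            if any(domain == z or domain.endswith("." + z) for z in zones):
                return True
        elif entry in domain:
            return True
    return False


def port_matches(spec, port):
    if isinstance(spec, int):          # single port
        return port == spec
    lo, hi = spec.split("-")           # "a-b" range
    return int(lo) <= port <= int(hi)


def rule_matches(rule, conn, use_resolved_ip):
    """conn has inbound, network, port and optionally domain, ip (resolved) and protocol."""
    if "inboundTag" in rule and conn["inbound"] not in rule["inboundTag"]:
        return False
    if "network" in rule and conn["network"] not in rule["network"].split(","):
        return False
    if "port" in rule and not port_matches(rule["port"], conn["port"]):
        return False
    if "protocol" in rule and conn.get("protocol") not in rule["protocol"]:
        return False
    if "domain" in rule:
        if not conn.get("domain") or not domain_matches(rule["domain"], conn["domain"]):
            return False
    if "ip" in rule:
        # literal-IP destinations hit ip rules at once; domain destinations only on the
        # second pass, after IPIfNonMatch has resolved them
        ip = conn.get("ip") if (use_resolved_ip or not conn.get("domain")) else None
        if not ip or not ip_matches(rule["ip"], ip):
            return False
    return True


def route(conn, rules=RULES, default="proxy"):
    """First matching rule wins; IPIfNonMatch gives domain destinations a second pass by IP."""
    for use_resolved_ip in (False, True):
        for rule in rules:
            if rule_matches(rule, conn, use_resolved_ip):
                return rule["outboundTag"]
        if not conn.get("domain"):
            break
    return default
```

Running route() over a few constructed connections shows that LAN DNS goes to dns-out, 360 domains are black-holed, high destination ports bypass the proxy entirely, and an unknown domain only goes direct if its resolved address falls in geoip:cn.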

Configure iptables traffic redirection to make the proxy transparent (thanks to the author of the tutorial below)
Transparent proxy with TProxy
The transparent proxy in the previous article used REDIRECT (TCP) + TProxy (UDP); this one covers doing everything with TProxy. Note that shadowsocks does not support TCP over TProxy. 1. Load the TPROXY module. Temporarily: sudo modprobe xt_TPROXY. Edit /etc/modules-load.d/TPROXY.conf so it loads automatically: xt_TPROXY

TCP+UDP

#!/bin/bash

# policy routing: packets marked 1 are looked up in table 100, which delivers everything to the local host
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

# proxy LAN devices
iptables -t mangle -N V2RAY
iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY -d 10.0.0.0/24 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -j RETURN # LAN goes direct, so SSH to the gateway keeps working when V2Ray is down; if your LAN uses another range (10.x.x.x etc.), change this
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 # mark UDP with 1 and hand it to port 12345
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 # mark TCP with 1 and hand it to port 12345
iptables -t mangle -A PREROUTING -i br0 -j V2RAY # apply the chain to packets arriving from the LAN bridge only, so nothing arriving on ppp0 is redirected

#ipv6
#ip6tables -t mangle -N V2RAY
#ip6tables -t mangle -A V2RAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 # mark UDP with 1 and hand it to port 12345
#ip6tables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 # mark TCP with 1 and hand it to port 12345
#ip6tables -t mangle -A PREROUTING -i br0 -j V2RAY # apply the chain

# proxy the gateway itself (not recommended unless you really need it)
#iptables -t mangle -N V2RAY_MASK
#iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
#iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN
#iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN # LAN goes direct
#iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN # LAN goes direct except port 53 (V2Ray's DNS is used)
#iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff    # traffic with SO_MARK 0xff goes direct (0xff is hex for the 255 set in the V2Ray config); this prevents a loop when proxying the gateway's own traffic
#iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1   # mark UDP for re-routing
#iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1   # mark TCP for re-routing
#iptables -t mangle -A OUTPUT -j V2RAY_MASK # apply the chain

Install rc.local so the transparent proxy survives a reboot

cat > '/lib/systemd/system/rc-local.service' << EOF
#  SPDX-License-Identifier: LGPL-2.1+
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# This unit gets pulled automatically into multi-user.target by
# systemd-rc-local-generator if /etc/rc.local is executable.
[Unit]
Description=/etc/rc.local Compatibility
Documentation=man:systemd-rc-local-generator(8)
ConditionFileIsExecutable=/etc/rc.local
After=network.target

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
RemainAfterExit=yes
GuessMainPID=no

[Install]
WantedBy=multi-user.target
EOF
systemctl enable rc-local
cat > '/etc/rc.local' << EOF
#!/bin/bash

# NAT for the LAN; the MASQUERADE rule from the basics section is not persistent either
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# policy routing
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

# redirect LAN DNS queries (UDP 53) to the router; the LAN bridge is br0 as configured in netplan
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 10.0.0.1

# block 360 (iptables applies the /16 mask, so this means 36.110.0.0/16)
iptables -I INPUT -s 36.110.236.68/16 -j DROP
iptables -I FORWARD -d 36.110.236.68/16 -j DROP
iptables -I OUTPUT -d 36.110.236.68/16 -j DROP

# proxy LAN devices
iptables -t mangle -N V2RAY
iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY -d 10.0.0.0/24 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -j RETURN # LAN goes direct, so SSH to the gateway keeps working when V2Ray is down; if your LAN uses another range (10.x.x.x etc.), change this
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 # mark UDP with 1 and hand it to port 12345
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 # mark TCP with 1 and hand it to port 12345
iptables -t mangle -A PREROUTING -i br0 -j V2RAY # apply the chain to packets arriving from the LAN bridge only, so nothing arriving on ppp0 is redirected

#ipv6
#ip6tables -t mangle -N V2RAY
#ip6tables -t mangle -A V2RAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 # mark UDP with 1 and hand it to port 12345
#ip6tables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 # mark TCP with 1 and hand it to port 12345
#ip6tables -t mangle -A PREROUTING -i br0 -j V2RAY # apply the chain

# proxy the gateway itself (not recommended unless you really need it)
#iptables -t mangle -N V2RAY_MASK
#iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
#iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN
#iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN # LAN goes direct
#iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN # LAN goes direct except port 53 (V2Ray's DNS is used)
#iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff    # traffic with SO_MARK 0xff goes direct (0xff is hex for the 255 set in the V2Ray config); this prevents a loop when proxying the gateway's own traffic
#iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1   # mark UDP for re-routing
#iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1   # mark TCP for re-routing
#iptables -t mangle -A OUTPUT -j V2RAY_MASK # apply the chain
exit 0

EOF
chmod +x /etc/rc.local

That completely solves the problem of the rules being lost on reboot!

Now try to open a blocked site directly from a PC or phone; it should work (if not, you may need an expert to walk you through it).

Appendix:

iptables -I INPUT -s 36.110.236.68/16 -j DROP
iptables -I FORWARD -d 36.110.236.68/16 -j DROP
iptables -I OUTPUT -d 36.110.236.68/16 -j DROP
How to block 360 (iptables applies the /16 mask, so this means 36.110.0.0/16)
Persistent ipset for Ubuntu/Debian compatible with ufw and iptables-persistent
UPD: Added optional saving of changed ipset sets on service stop, thanks to the comment by Derhomp
See this article about ipset.

Advanced (other useful software)

1. frp NAT traversal (skip this if you have a public IP)

fatedier/frp: a fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet (GitHub)
[frp] Setting up the NAT traversal tool, a tutorial even newbies can follow - 神代綺凜の萌化小基地
In my opinion currently the most convenient NAT traversal tool to configure and use; I have used it for almost two years to reach a dorm router that has no public IP and borrow the school's Baidu Wenku enterprise account, CNKI and the like 23333

2. qBittorrent-nox

add-apt-repository ppa:qbittorrent-team/qbittorrent-stable -y
apt-get update
apt-get install qbittorrent-nox -q -y

qbittorrent/qBittorrent: qBittorrent BitTorrent client (GitHub)
Qbittorrent-nox -- VPS tips, part 1
qBittorrent is a modern, efficient and powerful BitTorrent client that many people, me included, like. This article covers installing, using and tuning qBittorrent-nox on Debian/Ubuntu.

3. Nginx web server

curl -LO --progress-bar https://nginx.org/keys/nginx_signing.key
apt-key add nginx_signing.key
rm -f nginx_signing.key
dist=ubuntu   # path component of the nginx.org repository for Ubuntu (it is debian on Debian)
cat > '/etc/apt/sources.list.d/nginx.list' << EOF
deb https://nginx.org/packages/mainline/$dist/ $(lsb_release -cs) nginx
deb-src https://nginx.org/packages/mainline/$dist/ $(lsb_release -cs) nginx
EOF
apt-get update
apt-get install nginx -q -y
systemctl start nginx

4. aria2c

ariaport=$(shuf -i 10000-19000 -n 1)
ariapasswd=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24)   # random RPC secret, used in aria2.conf below
echo "aria2 RPC secret: $ariapasswd"
#trackers_list=$(wget -qO- https://trackerslist.com/all.txt |awk NF|sed ":a;N;s/\n/,/g;ta")
trackers_list=$(wget -qO- https://trackerslist.com/all_aria2.txt)
cat > '/etc/systemd/system/aria2.service' << EOF
[Unit]
Description=Aria2c download manager
Requires=network.target
After=network.target

[Service]
Type=forking
User=root
RemainAfterExit=yes
ExecStart=/usr/local/bin/aria2c --conf-path=/etc/aria2.conf
ExecReload=/usr/bin/kill -HUP \$MAINPID
ExecStop=/usr/bin/kill -s TERM \$MAINPID
LimitNOFILE=51200
LimitNPROC=51200
RestartSec=3s
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
cat > '/etc/aria2.conf' << EOF
#Do not change these settings unless you know what you are doing !
#Global Settings###
daemon=true
async-dns=true
#enable-async-dns6=true
log-level=notice
console-log-level=info
human-readable=true
log=/var/log/aria2.log
rlimit-nofile=51200
event-poll=epoll
min-tls-version=TLSv1.1
dir=/usr/share/nginx/aria2/
file-allocation=falloc
check-integrity=true
conditional-get=false
#Larger is better, but should be smaller than available RAM !
disk-cache=64M
enable-color=true
continue=true
always-resume=true
max-concurrent-downloads=50
content-disposition-default-utf8=true
#split=16
##Http(s) Settings#######
enable-http-keep-alive=true
http-accept-gzip=true
min-split-size=10M
max-connection-per-server=16
lowest-speed-limit=0
disable-ipv6=false
max-tries=0
#retry-wait=0
input-file=/usr/local/bin/aria2.session
save-session=/usr/local/bin/aria2.session
save-session-interval=60
force-save=true
metalink-preferred-protocol=https
##Rpc Settings############
enable-rpc=true
rpc-allow-origin-all=true
#RPC listens on every interface including ppp0; rpc-secret is its only protection, so block port 6800 on the WAN side
rpc-listen-all=true
rpc-secure=false
rpc-listen-port=6800
rpc-secret=$ariapasswd
#Bittorrent Settings######
follow-torrent=true
listen-port=$ariaport
enable-dht=true
enable-dht6=true
enable-peer-exchange=true
seed-ratio=0
bt-enable-lpd=true
bt-hash-check-seed=true
bt-seed-unverified=false
bt-save-metadata=true
bt-load-saved-metadata=true
bt-require-crypto=true
bt-force-encryption=true
bt-min-crypto-level=arc4
bt-max-peers=0
bt-tracker=$trackers_list
EOF
apt-get install nettle-dev libgmp-dev libssh2-1-dev libc-ares-dev libxml2-dev zlib1g-dev libsqlite3-dev libssl-dev libuv1-dev -q -y
# prebuilt aria2c from the author's own repository, not the distro package: verify its origin (or build aria2 from source, or apt-get install aria2) before putting it on a gateway
curl -LO --progress-bar https://raw.githubusercontent.com/johnrosen1/trojan-gfw-script/master/binary/aria2c.xz
xz --decompress aria2c.xz
cp -f aria2c /usr/local/bin/aria2c
chmod +x /usr/local/bin/aria2c
rm aria2c
apt-get autoremove -q -y
systemctl daemon-reload
systemctl enable aria2
systemctl start aria2

5. Netdata

bash <(curl -Ss https://my-netdata.io/kickstart-static64.sh)
Netdata - Get control of your Linux Servers. Simple. Effective. Awesome.

6. LAN KMS server

Wind4/vlmcsd: KMS emulator in C (GitHub)

7. Chinese input method

fcitx/fcitx: a flexible input method framework (GitHub)

Related articles

Ubuntu Sources List Generator
Sources List Generator for Ubuntu, Xubuntu, Kubuntu, Edubuntu, Ubuntu Server and other Ubuntu-based distros. It features the official Canonical repositories as well as other 3rd party repos.
Turning Ubuntu into a router · Sinchie's Blog
Last month I put together a small box as a home server, installed the PVE virtualisation platform and ran an openwrt/lede soft router on it. Having circumvention, ad blocking and so on right at the router level is really nice. Since the server still has plenty of headroom, I wanted to add an Ubuntu system as well for my own…
Building a LAN transparent circumvention gateway with shadowsocks
update: I no longer use this setup; it is kept here only as a record. I have since switched to a soft-router setup with ESXi as the VM host running iKuai and LEDE (OpenWrt) for traffic control and circumvention respectively; those interested can refer to https://www.vediotalk.com/?p=1055, which has a fairly detailed walkthrough. …
MassSmith/smgate
A transparent V2Ray circumvention gateway on a Raspberry Pi (GitHub).

Screenshots