OpenWrt

㈠ IPTV and Internet dual-network convergence

一、Add VLAN 3 and define the LAN1 port as the IPTV WAN port, mirroring how the Internet WAN port is defined, as shown in the figure below.

二、Add the IPTV interface

 

三、Enable IPTV playback on several devices in the LAN at the same time.

1、Option 1

Install igmpproxy and configure it. Once this is done, IPTV should play on the LAN. This is the multicast approach; with it, the channel address is rtp://239.253.254.77:8000

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install igmpproxy

root@OpenWrt:~# vim /etc/config/igmpproxy


config igmpproxy
        option quickleave 1
#       option verbose [0-3](none, minimal[default], more, maximum)

config phyint
        option network iptv
        option zone iptv
        option direction upstream
        list altnet 0.0.0.0/0

config phyint
        option network lan
        option zone lan
        option direction downstream

root@OpenWrt:~# vim /etc/config/firewall

config rule
        option target 'ACCEPT'
        option src 'iptv'
        option name 'Allow_IGMP'
        option proto 'IGMP'

config zone
        option network 'iptv'
        option forward 'REJECT'
        option name 'iptv'
        option output 'ACCEPT'
        option masq '1'
        option input 'REJECT'

config forwarding
        option dest 'iptv'
        option src 'lan'


root@OpenWrt:~# service igmpproxy restart
root@OpenWrt:~# service firewall restart

2、Option 2

Install udpxy. The drawback of this method is that it consumes considerably more system resources. The channel address needs this prefix added in front of it: http://192.168.1.1/udp/rtp/239.253.254.77:8000

㈡ Install OpenClash

一、Uninstall dnsmasq first, then install the dependencies.


#nftables
opkg remove dnsmasq && opkg update && opkg install coreutils-nohup bash dnsmasq-full curl ca-certificates ipset ip-full libcap libcap-bin ruby ruby-yaml kmod-tun kmod-inet-diag unzip kmod-nft-tproxy luci-compat luci luci-base

二、Download the latest OpenClash release from GitHub and install it manually

https://github.com/vernesong/OpenClash/releases/download/v0.45.129-beta/luci-app-openclash_0.45.129-beta_all.ipk

三、After installing, log out of OpenWrt and log back in,

1、Services --> OpenClash --> Config Subscribe --> add the subscription URL.

https://1b7acc72.ghelper.me/subs/clash/74607fef99ae8fd9cc61ec27667c8c10

2、Services --> OpenClash --> Plugin Settings --> update the version information.

㈢、Switch the OpenClash package source to the domestic Tsinghua mirror

src/gz openwrt_core https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/22.03.5/targets/x86/64/packages
src/gz openwrt_base https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/22.03.5/packages/x86_64/base
src/gz openwrt_luci https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/22.03.5/packages/x86_64/luci
src/gz openwrt_packages https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/22.03.5/packages/x86_64/packages
src/gz openwrt_routing https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/22.03.5/packages/x86_64/routing
src/gz openwrt_telephony https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/22.03.5/packages/x86_64/telephony

㈣、Dynamic DNS (DDNS) service

In this setup, however, even when the pppoe-wan interface is in use, the DDNS service fails to start at boot. The reason is that DDNS checks the pppoe-wan interface when it starts; if the PPPoE dial-up has not yet succeeded at that moment, the DDNS service simply stops, which produces this result. The workaround is as follows: create a new check_ddns.sh under /etc/init.d/, chmod 777 it, and then set it to run as a scheduled task (cron).

Also, an explanation of the OpenWrt shell commands used:

ps | grep -w ddns looks up the ddns process (its PID),

| grep -v grep excludes the grep process itself

| wc -l counts the number of matching processes

[ $num -le 0 ] is the condition, i.e. "if the process count is 0"; note that the spaces inside [ and ] are required

#!/bin/sh
printf "--------------------------DDNS Checking Start!-----------------------------\n"
num=`ps | grep -w ddns | grep -v grep | wc -l`  # count the ddns processes
if [ "$num" -le 0 ]; then
	service ddns start
	echo "--------------------------ddns is restarting!------------------------------"
else
	echo "--------------------------ddns is already running!-------------------------"
fi
printf "--------------------------DDNS Checking Over!------------------------------\n"
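The check above restarts ddns whenever no process is found, which is exactly what fails when the PPPoE session has not come up yet. As an added example (not the page's own script), here is the same watchdog written as functions that take the `ps` listing and the `ifstatus` JSON as arguments, so the decision logic can be exercised offline; the `ps` lines and `ifstatus` JSON below are constructed samples, and the `--run` entry point, which calls `ifstatus wan` and `service ddns start` on a live router, is an assumption about how it would be wired into cron.

```shell
#!/bin/sh
# Added example: ddns watchdog split into testable functions (not the page's script).

# Count ddns processes in a `ps` listing ($1), excluding the grep that does the search.
# `grep -w` does not match "check_ddns.sh" ("_" is a word character), so the watchdog
# does not count itself.
count_ddns() {
    printf '%s\n' "$1" | grep -w ddns | grep -v grep | wc -l | tr -d ' '
}

# True when the WAN interface is up, judged from `ifstatus` JSON ($1).
# Assumption: the top-level "up" key of `ifstatus wan` output.
wan_is_up() {
    printf '%s\n' "$1" | grep -q '"up": *true'
}

# Decide what the watchdog should do. Prints one of: running | start | wait-for-wan
# (starting ddns before the PPPoE session is up is what makes it stop again).
decide() {
    ps_listing="$1"; ifstatus_json="$2"
    if [ "$(count_ddns "$ps_listing")" -gt 0 ]; then
        echo running
    elif wan_is_up "$ifstatus_json"; then
        echo start
    else
        echo wait-for-wan
    fi
}

# Constructed sample inputs (not captured from a real router).
PS_NO_DDNS='  PID USER       VSZ STAT COMMAND
    1 root      1520 S    /sbin/procd
  812 root      1236 S    /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan
 1407 root      1128 S    sh /etc/init.d/check_ddns.sh
 1409 root      1100 S    grep -w ddns'
PS_WITH_DDNS="$PS_NO_DDNS
 1501 root      1244 S    /bin/sh /usr/lib/ddns/dynamic_dns_updater.sh -v 0 -S myddns_ipv4 -- start"
WAN_UP='{ "up": true, "pending": false, "proto": "pppoe", "l3_device": "pppoe-wan" }'
WAN_DOWN='{ "up": false, "pending": true, "proto": "pppoe" }'

# Live entry point (assumed wiring): sh check_ddns.sh --run, e.g. every 5 minutes from cron.
main() {
    case "$(decide "$(ps)" "$(ifstatus wan 2>/dev/null)")" in
        start)   service ddns start; echo "ddns started" ;;
        running) echo "ddns is already running" ;;
        *)       echo "WAN not up yet; will try again on the next run" ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

A cron line such as `*/5 * * * * /bin/sh /etc/init.d/check_ddns.sh --run` (an assumed schedule) keeps the check repeating until the PPPoE session is up, instead of starting ddns once and letting it stop.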

㈤、Install Alist

Nothing special here: download it from GitHub, pick the correct build for your platform, and install it manually, for example

https://github.com/sbwml/luci-app-alist/releases
https://github.com/sbwml/luci-app-alist/releases/download/v3.28.0/openwrt-22.03-arm_cortex-a15_neon-vfpv4.tar.gz

㈥、Install the OpenVPN client

Export the configuration from the server; it can then be used directly in OpenWrt by importing it.

The OpenWrt firewall does need a small adjustment, though, as shown in the two figures below.

Firewall, Zones --> WAN --> Edit --> Advanced Settings --> Covered devices --> add tunX


㈦、Install the OpenVPN server

1、Install

opkg update
opkg install openvpn-easy-rsa openvpn-openssl luci-app-openvpn

2、Configure the firewall to open the corresponding port

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.lan.device="tun1"
uci add_list firewall.lan.device="tun1"
uci -q delete firewall.vpn
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="1191"
uci set firewall.ovpn.proto="udp"
uci set firewall.ovpn.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

3、Generate the server and client certificates

# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_REQ_CN="ovpnca"
 
# Remove and re-initialize the PKI directory
easyrsa --batch init-pki
 
# Generate DH parameters
# This step takes a while
easyrsa --batch gen-dh
 
# Create a new CA
easyrsa --batch build-ca nopass
 
# Generate a keypair and sign locally for a server
easyrsa --batch build-server-full QDServer nopass
 
# Generate a keypair and sign locally for a client
easyrsa --batch build-client-full surface nopass
easyrsa --batch build-client-full phone nopass
easyrsa --batch build-client-full desktop nopass

4、Generate the server configuration file


# Generate TLS PSK
OVPN_PKI="/etc/easy-rsa/pki"
openvpn --genkey --secret ${OVPN_PKI}/tc.pem
 
# Configuration parameters
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_DEV="$(uci get firewall.lan.device | sed -e "s/^.*\s//")"
OVPN_PORT="$(uci get firewall.ovpn.dest_port)"
OVPN_PROTO="$(uci get firewall.ovpn.proto)"
OVPN_POOL="192.168.255.0 255.255.255.0"
OVPN_DNS="${OVPN_POOL%.* *}.1"
OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)"
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" ${OVPN_PKI}/tc.pem)"
OVPN_CA="$(openssl x509 -in ${OVPN_PKI}/ca.crt)"
NL=$'\n'
 
# Configure VPN server
umask u=rw,g=,o=
grep -l -r -e "TLS Web Server Auth" "${OVPN_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)"
OVPN_KEY="$(cat ${OVPN_PKI}/private/${OVPN_ID}.key)"
cat << EOF > ${OVPN_DIR}/${OVPN_ID}.conf
verb 3
user nobody
group nogroup
dev ${OVPN_DEV}
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${OVPN_DNS}"
push "dhcp-option DOMAIN ${OVPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>${NL}${OVPN_DH}${NL}</dh>
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<ca>${NL}${OVPN_CA}${NL}</ca>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<key>${NL}${OVPN_KEY}${NL}</key>
EOF
done
/etc/init.d/openvpn restart

5、Generate the client .ovpn profiles

# First decide whether clients will reach OpenVPN via a DDNS hostname or the public IP, and set OVPN_SERV accordingly; this example uses the DDNS address
OVPN_SERV="liyujian.dns.army"

# Configuration parameters
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_DEV="$(uci get firewall.lan.device | sed -e "s/^.*\s//")"
OVPN_PORT="$(uci get firewall.ovpn.dest_port)"
OVPN_PROTO="$(uci get firewall.ovpn.proto)"
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" ${OVPN_PKI}/tc.pem)"
OVPN_CA="$(openssl x509 -in ${OVPN_PKI}/ca.crt)"
NL=$'\n'
 
# Generate VPN client profiles
umask u=rw,g=,o=
grep -l -r -e "TLS Web Client Auth" "${OVPN_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)"
OVPN_KEY="$(cat ${OVPN_PKI}/private/${OVPN_ID}.key)"
cat << EOF > ${OVPN_DIR}/${OVPN_ID}.ovpn
verb 3
dev ${OVPN_DEV%%[0-9]*}
nobind
client
remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<ca>${NL}${OVPN_CA}${NL}</ca>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<key>${NL}${OVPN_KEY}${NL}</key>
EOF
done
ls ${OVPN_DIR}/*.ovpn

6、OpenWrt LuCI integration

This step mainly makes it convenient to see OpenVPN status information in the OpenWrt web interface.

Make sure the package is installed:

opkg install luci-app-openvpn

Modify the LuCI configuration from the command line:

# Provide VPN instance management
ls /etc/openvpn/*.conf \
| while read -r OVPN_CONF
do
OVPN_ID="$(basename ${OVPN_CONF%.*} | sed -e "s/\W/_/g")"
uci -q delete openvpn.${OVPN_ID}
uci set openvpn.${OVPN_ID}="openvpn"
uci set openvpn.${OVPN_ID}.enabled="1"
uci set openvpn.${OVPN_ID}.config="${OVPN_CONF}"
done
uci commit openvpn
/etc/init.d/openvpn restart
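Steps 4 and 5 write profiles that embed private keys, with `umask u=rw,g=,o=` keeping them owner-readable only, and step 5 relies on `remote-cert-tls server` and `<tls-crypt>` so a client only talks to the real server. As an added example (not the page's scripts, and not from OpenWrt or OpenVPN), here is a post-generation check for an OVPN_DIR: it lists client profiles missing any of the directives the generator emits and flags files whose group/other permission bits are set. The directory path is an argument, and `make_fixtures` builds constructed fake profiles (placeholder text instead of key material) so the script also runs offline.

```shell
#!/bin/sh
# Added example: sanity checks for generated OpenVPN client profiles (not the page's code).

# Print each required client-profile directive that is missing from profile $1.
# The list mirrors what the generator above emits. Without `remote-cert-tls server`
# a client would accept any certificate signed by the CA, including another client's,
# as the server; without `<tls-crypt>` the profile does not match the server config.
missing_directives() {
    profile="$1"
    for want in 'client' 'remote-cert-tls server' 'auth-nocache' \
                '<tls-crypt>' '<ca>' '<cert>' '<key>'; do
        grep -q -x -F -- "$want" "$profile" || echo "$want"
    done
}

# Print each regular file under directory $1 whose group or other permission bits are
# set. The generator's umask should leave none; anything listed holds key material that
# other local users can read. (Columns 5-10 of `ls -l` are the group/other bits.)
world_or_group_readable() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        bits="$(ls -l "$f" | cut -c5-10)"
        [ "$bits" = "------" ] || echo "$f"
    done
}

# Check every *.ovpn in directory $1; returns 0 if clean, 1 if anything was flagged.
check_profiles() {
    dir="$1"; rc=0
    for p in "$dir"/*.ovpn; do
        [ -f "$p" ] || continue
        m="$(missing_directives "$p")"
        if [ -n "$m" ]; then
            printf '%s: missing: %s\n' "$p" "$(printf '%s' "$m" | tr '\n' ' ')"
            rc=1
        fi
    done
    bad="$(world_or_group_readable "$dir")"
    if [ -n "$bad" ]; then
        printf 'permissions too open: %s\n' "$bad"
        rc=1
    fi
    return $rc
}

# Constructed fixtures: a hardened profile and a weak one, with FAKE in place of
# certificates and keys. The weak one is also deliberately made group/world-readable.
make_fixtures() {
    dir="$(mktemp -d)"
    umask 077
    printf '%s\n' client 'remote ovpn.example.invalid 1191 udp' 'remote-cert-tls server' \
        auth-nocache '<tls-crypt>' FAKE '</tls-crypt>' '<ca>' FAKE '</ca>' \
        '<cert>' FAKE '</cert>' '<key>' FAKE '</key>' > "$dir/good.ovpn"
    printf '%s\n' client 'remote ovpn.example.invalid 1191 udp' \
        '<ca>' FAKE '</ca>' '<cert>' FAKE '</cert>' '<key>' FAKE '</key>' > "$dir/weak.ovpn"
    chmod 644 "$dir/weak.ovpn"
    echo "$dir"
}

# Usage: sh check_ovpn.sh /etc/openvpn      (or: sh check_ovpn.sh --self-test)
case "${1:-}" in
    --self-test) check_profiles "$(make_fixtures)" ;;
    ?*)          check_profiles "$1" ;;
esac
```

Run against the real OVPN_DIR right after step 5, before copying the `.ovpn` files to devices; a non-zero exit means a profile is either missing a hardening directive or is readable by other users on the router.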
