Merge pull request #71 from whalechoi/master

[v1.0.13] Use dnscrypt-proxy to build local dns.
This commit is contained in:
whyou 2020-08-16 13:54:47 +08:00 committed by GitHub
commit 676c6783a4
17 changed files with 1256 additions and 305 deletions

View File

@ -7,6 +7,7 @@ This is a v2ray module for Magisk, and includes binaries for arm, arm64, x86, x6
## Included
* [V2Ray core](<https://github.com/v2fly/v2ray-core>)
* [dnscrypt-proxy](<https://github.com/DNSCrypt/dnscrypt-proxy>)
* [magisk-module-installer](https://github.com/topjohnwu/magisk-module-installer)
- V2Ray service script and Android transparent proxy iptables script
@ -23,11 +24,12 @@ You can download the release installer zip file and install it via the Magisk Ma
- V2ray config file is store in `/data/v2ray/config.json` .
- Please make sure the config is correct. You can check it by running a command :
`export V2RAY_LOCATION_ASSET=/data/v2ray; v2ray -test -config /data/v2ray/config.json` in android terminal or ssh.
- dnscrypt-proxy config file is store in `/data/v2ray/dnscrypt-proxy/` folder, you can update cn domains list via run the shell script `update-rules.sh` or if you dislike the default rules, you can edit them by yourself.
- Tips: Please notice that the default configuration has already set inbounds section to cooperate work with transparent proxy script. It is recommended that you only edit the first element of outbounds section to your proxy server and edit file `/data/v2ray/appid.list` to select which App to proxy.

View File

@ -7,6 +7,7 @@ SKIPUNZIP=1
# prepare v2ray execute environment
ui_print "- Prepare V2Ray execute environment."
mkdir -p /data/v2ray
mkdir -p /data/v2ray/dnscrypt-proxy
mkdir -p /data/v2ray/run
mkdir -p $MODPATH/scripts
mkdir -p $MODPATH/system/bin
@ -47,7 +48,7 @@ unzip -j -o "${download_v2ray_zip}" "geosite.dat" -d /data/v2ray >&2
unzip -j -o "${download_v2ray_zip}" "v2ray" -d $MODPATH/system/bin >&2
unzip -j -o "${download_v2ray_zip}" "v2ctl" -d $MODPATH/system/bin >&2
unzip -j -o "${ZIPFILE}" 'v2ray/scripts/*' -d $MODPATH/scripts >&2
unzip -j -o "${ZIPFILE}" "v2ray/bin/$ARCH/v2ray-dns.keeper" -d $MODPATH/scripts >&2
unzip -j -o "${ZIPFILE}" "v2ray/bin/$ARCH/dnscrypt-proxy" -d $MODPATH/system/bin >&2
unzip -j -o "${ZIPFILE}" 'service.sh' -d $MODPATH >&2
unzip -j -o "${ZIPFILE}" 'uninstall.sh' -d $MODPATH >&2
rm "${download_v2ray_zip}"
@ -58,6 +59,7 @@ echo "softap0" > /data/v2ray/softap.list
[ -f /data/v2ray/resolv.conf ] || \
unzip -j -o "${ZIPFILE}" "v2ray/etc/resolv.conf" -d /data/v2ray >&2
unzip -j -o "${ZIPFILE}" "v2ray/etc/config.json.template" -d /data/v2ray >&2
unzip -j -o "${ZIPFILE}" 'v2ray/etc/dnscrypt-proxy/*' -d /data/v2ray/dnscrypt-proxy >&2
[ -f /data/v2ray/config.json ] || \
cp /data/v2ray/config.json.template /data/v2ray/config.json
ln -s /data/v2ray/resolv.conf $MODPATH/system/etc/resolv.conf
@ -69,7 +71,7 @@ echo "id=v2ray" > $MODPATH/module.prop
echo "name=V2ray for Android" >> $MODPATH/module.prop
echo -n "version=" >> $MODPATH/module.prop
echo ${latest_v2ray_version} >> $MODPATH/module.prop
echo "versionCode=20200611" >> $MODPATH/module.prop
echo "versionCode=20200815" >> $MODPATH/module.prop
echo "author=chendefine" >> $MODPATH/module.prop
echo "description=V2ray core with service scripts for Android" >> $MODPATH/module.prop
@ -81,9 +83,8 @@ set_perm $MODPATH/scripts/start.sh 0 0 0755
set_perm $MODPATH/scripts/v2ray.inotify 0 0 0755
set_perm $MODPATH/scripts/v2ray.service 0 0 0755
set_perm $MODPATH/scripts/v2ray.tproxy 0 0 0755
set_perm $MODPATH/scripts/v2ray-dns.handle 0 0 0755
set_perm $MODPATH/scripts/v2ray-dns.keeper 0 0 0755
set_perm $MODPATH/scripts/v2ray-dns.service 0 0 0755
set_perm $MODPATH/scripts/dnscrypt-proxy.service 0 0 0755
set_perm $MODPATH/system/bin/dnscrypt-proxy 0 0 0755
set_perm $MODPATH/system/bin/v2ray ${inet_uid} ${inet_uid} 0755
set_perm $MODPATH/system/bin/v2ctl ${inet_uid} ${inet_uid} 0755
set_perm /data/v2ray ${inet_uid} ${inet_uid} 0755

View File

@ -1,6 +1,6 @@
id=v2ray
name=V2ray for Android
version=latest_version
versionCode=20200611
versionCode=20200815
author=chendefine
description=V2ray core with service scripts for Android

View File

@ -5,6 +5,7 @@
"log": {
// By default, V2Ray writes access log to stdout.
// "access": "/path/to/access/log/file",
"access": "none",
// By default, V2Ray write error log to stdout.
// "error": "/path/to/error/log/file",
@ -15,22 +16,6 @@
},
// List of inbound proxy configurations.
"inbounds": [{
// Just listen for DNS proxy.
"port": 65534,
// Tag of the inbound for DNS proxy routing.
"tag": "dns-in",
// DNS proxy protocol must be dokodemo-door.
"protocol": "dokodemo-door",
// Setting of DNS proxy.
"settings": {
"port": 53,
"address": "1.1.1.1",
"network": "tcp,udp"
}
},{
// Port to listen on. You may need root access if the value is less than 1024.
"port": 65535,
@ -51,11 +36,9 @@
"followRedirect": true
},
// Enable sniffing on TCP connection.
// Disable sniffing.
"sniffing": {
"enabled": true,
// Target domain will be overriden to the one carried by the connection, if the connection is HTTP or HTTPS.
"destOverride": ["http", "tls"]
"enabled": false
}
}],
// List of outbound proxy configurations.
@ -77,12 +60,6 @@
// Tag of the outbound. May be used for routing.
"tag": "direct"
},{
// DNS Proxy Outbond
"protocol": "dns",
// Tag of the outbound for DNS proxy routing.
"tag": "dns-out"
},{
"protocol": "blackhole",
"settings": {},
@ -95,14 +72,8 @@
// Routing controls how traffic from inbounds are sent to outbounds.
"routing": {
"domainStrategy": "IPOnDemand",
"domainStrategy": "AsIs",
"rules":[
{
// Proxy DNS request
"type": "field",
"inboundTag": ["dns-in"],
"outboundTag": "dns-out"
},
{
// Bypass private IPs.
"type": "field",
@ -114,56 +85,10 @@
"type": "field",
"ip": ["geoip:cn"],
"outboundTag": "direct"
},
{
// Bypass all china sites.
"type": "field",
"domain": ["geosite:cn"],
"outboundTag": "direct"
},
{
// Bypass all BT steams.
"type": "field",
"protocol":["bittorrent"],
"outboundTag": "direct"
},
{
// Blocks major ads.
"type": "field",
"domain": ["geosite:category-ads"],
"outboundTag": "blocked"
}
]
},
// Dns settings for domain resolution.
"dns": {
// Static hosts, similar to hosts file.
"hosts": {
// Match v2ray.com to another domain on CloudFlare. This domain will be used when querying IPs for v2ray.com.
"domain:v2ray.com": "www.vicemc.net",
// The following settings help to eliminate DNS poisoning in mainland China.
// It is safe to comment these out if this is not the case for you.
"domain:github.io": "pages.github.com",
"domain:wikipedia.org": "www.wikimedia.org",
"domain:shadowsocks.org": "electronicsrealm.com"
},
"servers": [
// This dns ip address must as same as the DNS proxy in this file at line 30.
"1.1.1.1",
{
"address": "114.114.114.114",
"port": 53,
// List of domains that use this DNS first.
"domains": [
"geosite:cn"
]
},
"localhost"
]
},
// Policy controls some internal behavior of how V2Ray handles connections.
// It may be on connection level by user levels in 'levels', or global settings in 'system.'
"policy": {

View File

@ -5,6 +5,7 @@
"log": {
// By default, V2Ray writes access log to stdout.
// "access": "/path/to/access/log/file",
"access": "none",
// By default, V2Ray write error log to stdout.
// "error": "/path/to/error/log/file",
@ -15,22 +16,6 @@
},
// List of inbound proxy configurations.
"inbounds": [{
// Just listen for DNS proxy.
"port": 65534,
// Tag of the inbound for DNS proxy routing.
"tag": "dns-in",
// DNS proxy protocol must be dokodemo-door.
"protocol": "dokodemo-door",
// Setting of DNS proxy.
"settings": {
"port": 53,
"address": "1.1.1.1",
"network": "tcp,udp"
}
},{
// Port to listen on. You may need root access if the value is less than 1024.
"port": 65535,
@ -51,11 +36,9 @@
"followRedirect": true
},
// Enable sniffing on TCP connection.
// Disable sniffing.
"sniffing": {
"enabled": true,
// Target domain will be overriden to the one carried by the connection, if the connection is HTTP or HTTPS.
"destOverride": ["http", "tls"]
"enabled": false
}
}],
// List of outbound proxy configurations.
@ -77,12 +60,6 @@
// Tag of the outbound. May be used for routing.
"tag": "direct"
},{
// DNS Proxy Outbond
"protocol": "dns",
// Tag of the outbound for DNS proxy routing.
"tag": "dns-out"
},{
"protocol": "blackhole",
"settings": {},
@ -95,14 +72,8 @@
// Routing controls how traffic from inbounds are sent to outbounds.
"routing": {
"domainStrategy": "IPOnDemand",
"domainStrategy": "AsIs",
"rules":[
{
// Proxy DNS request
"type": "field",
"inboundTag": ["dns-in"],
"outboundTag": "dns-out"
},
{
// Bypass private IPs.
"type": "field",
@ -114,56 +85,10 @@
"type": "field",
"ip": ["geoip:cn"],
"outboundTag": "direct"
},
{
// Bypass all china sites.
"type": "field",
"domain": ["geosite:cn"],
"outboundTag": "direct"
},
{
// Bypass all BT steams.
"type": "field",
"protocol":["bittorrent"],
"outboundTag": "direct"
},
{
// Blocks major ads.
"type": "field",
"domain": ["geosite:category-ads"],
"outboundTag": "blocked"
}
]
},
// Dns settings for domain resolution.
"dns": {
// Static hosts, similar to hosts file.
"hosts": {
// Match v2ray.com to another domain on CloudFlare. This domain will be used when querying IPs for v2ray.com.
"domain:v2ray.com": "www.vicemc.net",
// The following settings help to eliminate DNS poisoning in mainland China.
// It is safe to comment these out if this is not the case for you.
"domain:github.io": "pages.github.com",
"domain:wikipedia.org": "www.wikimedia.org",
"domain:shadowsocks.org": "electronicsrealm.com"
},
"servers": [
// This dns ip address must as same as the DNS proxy in this file at line 30.
"1.1.1.1",
{
"address": "114.114.114.114",
"port": 53,
// List of domains that use this DNS first.
"domains": [
"geosite:cn"
]
},
"localhost"
]
},
// Policy controls some internal behavior of how V2Ray handles connections.
// It may be on connection level by user levels in 'levels', or global settings in 'system.'
"policy": {

View File

@ -0,0 +1,37 @@
###########################
# Blacklist #
###########################
## Rules for name-based query blocking, one per line
##
## Example of valid patterns:
##
## ads.* | matches anything with an "ads." prefix
## *.example.com | matches example.com and all names within that zone such as www.example.com
## example.com | identical to the above
## =example.com | block example.com but not *.example.com
## *sex* | matches any name containing that substring
## ads[0-9]* | matches "ads" followed by one or more digits
## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
#ad.*
#ads.*
#banner.*
#banners.*
#creatives.*
#oas.*
#oascentral.* # inline comments are allowed after a pound sign
#stats.*
#tag.*
#telemetry.*
#tracker.*
#*.local
#eth0.me
#*.workgroup
## Time-based rules
# *.youtube.* @time-to-sleep
# facebook.com @work

View File

@ -0,0 +1,136 @@
# Converted from https://github.com/felixonmars/dnsmasq-china-list/blob/master/bogus-nxdomain.china.conf
# https://github.com/felixonmars/dnsmasq-china-list
# Thanks to all contributors.
123.125.81.12
101.226.10.8
198.105.254.11
104.239.213.7
61.191.206.4
218.30.64.194
61.139.8.101
61.139.8.102
61.139.8.103
61.139.8.104
42.123.125.237
202.100.68.117
113.12.83.4
113.12.83.5
202.100.220.54
60.191.124.236
60.191.124.252
222.221.5.204
124.232.132.94
202.102.110.204
61.131.208.210
61.131.208.211
202.102.110.203
202.102.110.205
219.146.13.36
180.168.41.175
180.153.103.224
111.175.221.58
61.183.1.186
125.76.239.244
125.76.239.245
222.221.5.252
222.221.5.253
220.165.8.172
220.165.8.174
112.132.230.179
202.106.199.34
202.106.199.35
202.106.199.36
202.106.199.37
202.106.199.38
221.192.153.41
221.192.153.42
221.192.153.43
221.192.153.44
221.192.153.45
221.192.153.46
221.192.153.49
125.211.213.130
125.211.213.131
125.211.213.132
125.211.213.133
125.211.213.134
218.28.144.36
218.28.144.37
218.28.144.38
218.28.144.39
218.28.144.40
218.28.144.41
218.28.144.42
202.98.24.121
202.98.24.122
202.98.24.123
202.98.24.124
202.98.24.125
60.19.29.21
60.19.29.22
60.19.29.23
60.19.29.24
60.19.29.25
60.19.29.26
60.19.29.27
220.250.64.18
220.250.64.19
220.250.64.20
220.250.64.21
220.250.64.22
220.250.64.23
220.250.64.24
220.250.64.25
220.250.64.26
220.250.64.27
220.250.64.28
220.250.64.29
220.250.64.30
220.250.64.225
220.250.64.226
220.250.64.227
220.250.64.228
202.99.254.231
202.99.254.232
202.99.254.230
123.129.254.11
123.129.254.12
123.129.254.13
123.129.254.14
123.129.254.15
123.129.254.16
123.129.254.17
123.129.254.18
123.129.254.19
221.204.244.36
221.204.244.37
221.204.244.38
221.204.244.39
221.204.244.40
221.204.244.41
218.68.250.117
218.68.250.118
218.68.250.119
218.68.250.120
218.68.250.121
120.209.138.64
211.139.136.73
221.179.46.190
221.179.46.194
183.207.232.253
223.82.248.117
211.138.74.132
211.137.130.101
211.136.113.1
211.138.102.198
120.192.83.163
183.221.242.172
183.221.250.11
111.11.208.2
183.224.40.24
211.98.70.226
211.98.70.227
211.98.71.195
114.112.163.232
114.112.163.254

View File

@ -0,0 +1,37 @@
################################
# Cloaking rules #
################################
# The following example rules force "safe" (without adult content) search
# results from Google, Bing and YouTube.
#
# This has to be enabled with the `cloaking_rules` parameter in the main
# configuration file
#www.google.* forcesafesearch.google.com
#www.bing.com strict.bing.com
#yandex.ru familysearch.yandex.ru # inline comments are allowed after a pound sign
#=duckduckgo.com safe.duckduckgo.com
#www.youtube.com restrictmoderate.youtube.com
#m.youtube.com restrictmoderate.youtube.com
#youtubei.googleapis.com restrictmoderate.youtube.com
#youtube.googleapis.com restrictmoderate.youtube.com
#www.youtube-nocookie.com restrictmoderate.youtube.com
# Multiple IP entries for the same name are supported.
# In the following example, the same name maps both to IPv4 and IPv6 addresses:
#localhost 127.0.0.1
#localhost ::1
# For load-balancing, multiple IP addresses of the same class can also be
# provided using the same format, one <pattern> <ip> pair per line.
# ads.* 192.168.100.1
# ads.* 192.168.100.2
# ads.* ::1

View File

@ -0,0 +1,113 @@
##################################
# Global settings #
##################################
listen_addresses = ['127.0.0.1:65534']
max_clients = 250
# user_name = 'nobody'
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = false
require_dnssec = false
require_nolog = true
require_nofilter = true
disabled_server_names = []
force_tcp = true
# proxy = "socks5://127.0.0.1:9050"
# http_proxy = "http://127.0.0.1:8888"
timeout = 2500
keepalive = 30
blocked_query_response = 'hinfo'
lb_strategy = 'p2'
lb_estimator = true
log_level = 2
log_file = 'dnscrypt-proxy.log'
log_file_latest = true
use_syslog = false
cert_refresh_delay = 240
dnscrypt_ephemeral_keys = false
tls_disable_session_tickets = false
tls_cipher_suite = [52392, 49199]
fallback_resolver = '202.141.162.123:53'
ignore_system_dns = false
netprobe_timeout = 60
netprobe_address = "223.5.5.5:53"
# offline_mode = false
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
#########################
# Filters #
#########################
block_ipv6 = true
##################################################################################
# Route queries for specific domains to a dedicated set of servers #
##################################################################################
forwarding_rules = 'dnscrypt-forwarding-rules.txt'
###############################
# Cloaking rules #
###############################
# cloaking_rules = 'dnscrypt-cloaking-rules.txt'
###########################
# DNS cache #
###########################
cache = true
cache_size = 512
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
###############################
# Query logging #
###############################
[query_log]
file = 'dnscrypt-query.log'
format = 'tsv'
# ignored_qtypes = ['DNSKEY', 'NS']
############################################
# Suspicious queries logging #
############################################
[nx_log]
file = 'dnscrypt-nxdomain.log'
format = 'tsv'
######################################################
# Pattern-based blocking (blacklists) #
######################################################
[blacklist]
blacklist_file = 'dnscrypt-blacklist-domains.txt'
log_file = 'dnscrypt-blacklist-domains.log'
log_format = 'tsv'
###########################################################
# Pattern-based IP blocking (IP blacklists) #
###########################################################
[ip_blacklist]
blacklist_file = 'dnscrypt-blacklist-ips.txt'
log_file = 'dnscrypt-blacklist-ips.log'
log_format = 'tsv'
######################################################
# Pattern-based whitelisting (blacklists bypass) #
######################################################
[whitelist]
whitelist_file = 'dnscrypt-whitelist.txt'
log_file = 'dnscrypt-whitelisted.log'
log_format = 'tsv'
#########################
# Servers #
#########################
[static]
[static.'cloudflare']
stamp = 'sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5'
[static.'cisco']
stamp = 'sdns://AgAAAAAAAAAADDE0Ni4xMTIuNDEuMiBoU4_HgY6B0kIqkGBjb6UoKkP2Dc4bumDC1_Orq2YAlw9kb2gub3BlbmRucy5jb20KL2Rucy1xdWVyeQ'
[static.'google']
stamp = 'sdns://AgUAAAAAAAAABzguOC44LjigHvYkz_9ea9O63fP92_3qVlRn43cpncfuZnUWbzAMwbkgdoAkR6AZkxo_AEMExT_cbBssN43Evo9zs5_ZyWnftEUKZG5zLmdvb2dsZQovZG5zLXF1ZXJ5'

View File

@ -0,0 +1,17 @@
###########################
# Whitelist #
###########################
## Rules for name-based query whitelisting, one per line
##
## Example of valid patterns:
##
## ads.* | matches anything with an "ads." prefix
## *.example.com | matches example.com and all names within that zone such as www.example.com
## example.com | identical to the above
## =example.com | whitelists example.com but not *.example.com
## *sex* | matches any name containing that substring
## ads[0-9]* | matches "ads" followed by one or more digits
## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
##tracker.debian.org

View File

@ -0,0 +1,757 @@
##############################################
# #
# dnscrypt-proxy configuration #
# #
##############################################
## This is an example configuration file.
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
##
## Online documentation is available here: https://dnscrypt.info/doc
##################################
# Global settings #
##################################
## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## The proxy will automatically pick working servers from this list.
## Note that the require_* filters do NOT apply when using this setting.
##
## By default, this list is empty and all registered servers matching the
## require_* filters will be used instead.
##
## Remove the leading # first to enable this; lines starting with # are ignored.
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
listen_addresses = ['127.0.0.1:53']
## Maximum number of simultaneous client connections to accept
max_clients = 250
## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
# user_name = 'nobody'
## Require servers (from static + remote sources) to satisfy specific properties
# Use servers reachable over IPv4
ipv4_servers = true
# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false
# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true
# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true
## Require servers defined by remote sources to satisfy specific properties
# Server must support DNS security extensions (DNSSEC)
require_dnssec = false
# Server must not log user queries (declarative)
require_nolog = true
# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true
# Server names to avoid even if they match all criteria
disabled_server_names = []
## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.
force_tcp = false
## SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
# proxy = 'socks5://127.0.0.1:9050'
## HTTP/HTTPS proxy
## Only for DoH servers
# http_proxy = 'http://127.0.0.1:8888'
## How long a DNS query will wait for a response, in milliseconds.
## If you have a network with *a lot* of latency, you may need to
## increase this. Startup may be slower if you do so.
## Don't increase it too much. 10000 is the highest reasonable value.
timeout = 5000
## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
keepalive = 30
## Response for blocked queries. Options are `refused`, `hinfo` (default) or
## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
## Using the `hinfo` option means that some responses will be lies.
## Unfortunately, the `hinfo` option appears to be required for Android 8+
# blocked_query_response = 'refused'
## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
# lb_strategy = 'p2'
## Set to `true` to constantly try to estimate the latency of all the resolvers
## and adjust the load-balancing parameters accordingly, or to `false` to disable.
# lb_estimator = true
## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
# log_level = 2
## Log file for the application, as an alternative to sending logs to
## the standard system logging service (syslog/Windows event log).
##
## This file is different from other log files, and will not be
## automatically rotated by the application.
# log_file = 'dnscrypt-proxy.log'
## When using a log file, only keep logs from the most recent launch.
# log_file_latest = true
## Use the system logger (syslog on Unix, Event Log on Windows)
# use_syslog = true
## Delay, in minutes, after which certificates are reloaded
cert_refresh_delay = 240
## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load
# dnscrypt_ephemeral_keys = false
## DoH: Disable TLS session tickets - increases privacy but also latency
# tls_disable_session_tickets = false
## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
## 4865 = TLS_AES_128_GCM_SHA256
## 4867 = TLS_CHACHA20_POLY1305_SHA256
##
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
## This may also help on Intel CPUs running 32-bit operating systems.
##
## Keep tls_cipher_suite empty if you have issues fetching sources or
## connecting to some DoH servers. Google and Cloudflare are fine with it.
# tls_cipher_suite = [52392, 49199]
## Fallback resolvers
## These are normal, non-encrypted DNS resolvers, that will be only used
## for one-shot queries when retrieving the initial resolvers list, and
## only if the system DNS configuration doesn't work.
## No user application queries will ever be leaked through these resolvers,
## and they will not be used after IP addresses of resolvers URLs have been found.
## They will never be used if lists have already been cached, and if stamps
## don't include host names without IP addresses.
## They will not be used if the configured system DNS works.
## Resolvers supporting DNSSEC are recommended.
##
## People in China may need to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8 and 1.1.1.1.
##
## If more than one resolver is specified, they will be tried in sequence.
fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
## Always use the fallback resolver before the system DNS settings.
ignore_system_dns = true
## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to not test for connectivity at all (not recommended),
## and -1 to wait as much as possible.
netprobe_timeout = 60
## Address and port to try initializing a connection to, just to check
## if the network is up. It can be any address and any port, even if
## there is nothing answering these on the other side. Just don't use
## a local address, as the goal is to check for Internet connectivity.
## On Windows, a datagram with a single, nul byte will be sent, only
## when the system starts.
## On other operating systems, the connection will be initialized
## but nothing will be sent at all.
netprobe_address = '9.9.9.9:53'
## Offline mode - Do not use any remote encrypted servers.
## The proxy will remain fully functional to respond to queries that
## plugins can handle directly (forwarding, cloaking, ...)
# offline_mode = false
## Additional data to attach to outgoing queries.
## These strings will be added as TXT records to queries.
## Do not use, except on servers explicitly asking for extra data
## to be present.
## encrypted-dns-server can be configured to use this for access control
## in the [access_control] section
# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]
## Automatic log files rotation
# Maximum log files size in MB - Set to 0 for unlimited.
log_files_max_size = 10
# How long to keep backup files, in days
log_files_max_age = 7
# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1
#########################
# Filters #
#########################
## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
## configure dnscrypt-proxy to do any kind of filtering (including the filters
## below and blocklists).
## You can still choose resolvers that do DNSSEC validation.
## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.
block_ipv6 = false
## Immediately respond to A and AAAA queries for host names without a domain name
block_unqualified = true
## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).
block_undelegated = true
## TTL for synthetic responses sent when a request has been blocked (due to
## IPv6 or blocklists).
reject_ttl = 600
##################################################################################
# Route queries for specific domains to a dedicated set of servers #
##################################################################################
## See the `example-forwarding-rules.txt` file for an example
# forwarding_rules = 'forwarding-rules.txt'
###############################
# Cloaking rules #
###############################
## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
##
## See the `example-cloaking-rules.txt` file for an example
# cloaking_rules = 'cloaking-rules.txt'
## TTL used when serving entries in cloaking-rules.txt
# cloak_ttl = 600
###########################
# DNS cache #
###########################
## Enable a DNS cache to reduce latency and outgoing traffic
cache = true
## Cache size
cache_size = 4096
## Minimum TTL for cached entries
cache_min_ttl = 2400
## Maximum TTL for cached entries
cache_max_ttl = 86400
## Minimum TTL for negatively cached entries
cache_neg_min_ttl = 60
## Maximum TTL for negatively cached entries
cache_neg_max_ttl = 600
##################################
# Local DoH server #
##################################
[local_doh]
## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
## requiring a direct connection to a DoH server in order to enable some
## features will enable these, without bypassing your DNS proxy.
## Addresses that the local DoH server should listen to
# listen_addresses = ['127.0.0.1:3000']
## Path of the DoH URL. This is not a file, but the part after the hostname
## in the URL. By convention, `/dns-query` is frequently chosen.
## For each `listen_address` the complete URL to access the server will be:
## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
# path = "/dns-query"
## Certificate file and key - Note that the certificate has to be trusted.
## See the documentation (wiki) for more information.
# cert_file = "localhost.pem"
# cert_key_file = "localhost.pem"
###############################
# Query logging #
###############################
## Log client queries to a file
[query_log]
## Path to the query log file (absolute, or relative to the same directory as the config file)
## Can be set to /dev/stdout in order to log to the standard output.
# file = 'query.log'
## Query log format (currently supported: tsv and ltsv)
format = 'tsv'
## Do not log these query types, to reduce verbosity. Keep empty to log everything.
# ignored_qtypes = ['DNSKEY', 'NS']
############################################
# Suspicious queries logging #
############################################
## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.
[nx_log]
## Path to the query log file (absolute, or relative to the same directory as the config file)
# file = 'nx.log'
## Query log format (currently supported: tsv and ltsv)
format = 'tsv'
######################################################
# Pattern-based blocking (blocklists) #
######################################################
## Blocklists are made of one pattern per line. Example of valid patterns:
##
## example.com
## =example.com
## *sex*
## ads.*
## ads*.example.*
## ads*.example[0-9]*.com
##
## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
## A script to build blocklists from public feeds can be found in the
## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
[blocked_names]
## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
# blocked_names_file = 'blocked-names.txt'
## Optional path to a file logging blocked queries
# log_file = 'blocked-names.log'
## Optional log format: tsv or ltsv (default: tsv)
# log_format = 'tsv'
###########################################################
# Pattern-based IP blocking (IP blocklists) #
###########################################################
## IP blocklists are made of one pattern per line. Example of valid patterns:
##
## 127.*
## fe80:abcd:*
## 192.168.1.4
[blocked_ips]
## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
# blocked_ips_file = 'blocked-ips.txt'
## Optional path to a file logging blocked queries
# log_file = 'blocked-ips.log'
## Optional log format: tsv or ltsv (default: tsv)
# log_format = 'tsv'
######################################################
# Pattern-based allow lists (blocklists bypass) #
######################################################
## Allowlists support the same patterns as blocklists
## If a name matches an allowlist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.
[allowed_names]
## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
# allowed_names_file = 'allowed-names.txt'
## Optional path to a file logging allowed queries
# log_file = 'allowed-names.log'
## Optional log format: tsv or ltsv (default: tsv)
# log_format = 'tsv'
##########################################
# Time access restrictions #
##########################################
## One or more weekly schedules can be defined here.
## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
##
## For example, the following rule in a blocklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00
[schedules]
# [schedules.'time-to-sleep']
# mon = [{after='21:00', before='7:00'}]
# tue = [{after='21:00', before='7:00'}]
# wed = [{after='21:00', before='7:00'}]
# thu = [{after='21:00', before='7:00'}]
# fri = [{after='23:00', before='7:00'}]
# sat = [{after='23:00', before='7:00'}]
# sun = [{after='21:00', before='7:00'}]
# [schedules.'work']
# mon = [{after='9:00', before='18:00'}]
# tue = [{after='9:00', before='18:00'}]
# wed = [{after='9:00', before='18:00'}]
# thu = [{after='9:00', before='18:00'}]
# fri = [{after='9:00', before='17:00'}]
#########################
# Servers #
#########################
## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources share the same for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## If the `urls` property is missing, cache files and valid signatures
## must already be present. This doesn't prevent these cache files from
## expiring after `refresh_delay` hours.
[sources]
## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
prefix = ''
## Anonymized DNS relays
[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
cache_file = 'relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
## Quad9 over DNSCrypt - https://quad9.net/
# [sources.quad9-resolvers]
# urls = ['https://www.quad9.net/quad9-resolvers.md']
# minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
# cache_file = 'quad9-resolvers.md'
# prefix = 'quad9-'
## Another example source, with resolvers censoring some websites not appropriate for children
## This is a subset of the `public-resolvers` list, so enabling both is useless
# [sources.'parental-control']
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
# cache_file = 'parental-control.md'
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
#########################################
# Servers with known bugs #
#########################################
[broken_implementations]
# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
# truncate reponses larger than questions as expected by the DNSCrypt protocol.
# This prevents large responses from being received over UDP and over relays.
#
# The `dnsdist` server software drops client queries larger than 1500 bytes.
# They are aware of it and are working on a fix.
#
# The list below enables workarounds to make non-relayed usage more reliable
# until the servers are fixed.
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
#################################################################
# Certificate-based client authentication for DoH #
#################################################################
# Use a X509 certificate to authenticate yourself when connecting to DoH servers.
# This is only useful if you are operating your own, private DoH server(s).
# 'creds' maps servers to certificates, and supports multiple entries.
# If you are not using the standard root CA, an optional "root_ca"
# property set to the path to a root CRT file can be added to a server entry.
[doh_client_x509_auth]
#
# creds = [
# { server_name='myserver', client_cert='client.crt', client_key='client.key' }
# ]
################################
# Anonymized DNS #
################################
[anonymized_dns]
## Routes are indirect ways to reach DNSCrypt servers.
##
## A route maps a server name ("server_name") to one or more relays that will be
## used to connect to that server.
##
## A relay can be specified as a DNS Stamp (either a relay stamp, or a
## DNSCrypt stamp), an IP:port, a hostname:port, or a server name.
##
## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
## and "example-server-2" via the relay whose relay DNS stamp
## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
##
## !!! THESE ARE JUST EXAMPLES !!!
##
## Review the list of available relays from the "relays.md" file, and, for each
## server you want to use, define the relays you want connections to go through.
##
## Carefully choose relays and servers so that they are run by different entities.
##
## "server_name" can also be set to "*" to define a default route, but this is not
## recommended. If you do so, keep "server_names" short and distinct from relays.
# routes = [
# { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
# { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
# ]
# Skip resolvers incompatible with anonymization instead of using them directly
skip_incompatible = false
# If public server certificates for a non-conformant server cannot be
# retrieved via a relay, try getting them directly. Actual queries
# will then always go through relays.
# direct_cert_fallback = false
###############################
# DNS64 #
###############################
## DNS64 is a mechanism for synthesizing AAAA records from A records.
## It is used with an IPv6/IPv4 translator to enable client-server
## communication between an IPv6-only client and an IPv4-only server,
## without requiring any changes to either the IPv6 or the IPv4 node,
## for the class of applications that work through NATs.
##
## There are two options to synthesize such records:
## Option 1: Using a set of static IPv6 prefixes;
## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
##
## If both options are configured - only static prefixes are used.
## (Ref. RFC6147, RFC6052, RFC7050)
##
## Do not enable unless you know what DNS64 is and why you need it, or else
## you won't be able to connect to anything at all.
[dns64]
## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
# prefix = ["64:ff9b::/96"]
## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
# resolver = ["[2606:4700:4700::64]:53", "[2001:4860:4860::64]:53"]
########################################
# Static entries #
########################################
## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.
[static]
# [static.'myserver']
# stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'

View File

@ -0,0 +1,35 @@
wget -N https://github.com/felixonmars/dnsmasq-china-list/raw/master/accelerated-domains.china.conf
echo '# Converted from https://github.com/felixonmars/dnsmasq-china-list/blob/master/accelerated-domains.china.conf' >dnscrypt-forwarding-rules.txt
echo '# https://github.com/felixonmars/dnsmasq-china-list' >>dnscrypt-forwarding-rules.txt
echo '# Thanks to all contributors.' >>dnscrypt-forwarding-rules.txt
echo '' >>dnscrypt-forwarding-rules.txt
cat accelerated-domains.china.conf | grep -v '^#server' | sed -e 's|/| |g' -e 's|^server= ||' | sed 's/114.114.114.114/114.114.114.114,114.114.115.115/g' >>dnscrypt-forwarding-rules.txt
wget -N https://github.com/felixonmars/dnsmasq-china-list/raw/master/bogus-nxdomain.china.conf
echo '# Converted from https://github.com/felixonmars/dnsmasq-china-list/blob/master/bogus-nxdomain.china.conf' >dnscrypt-blacklist-ips.txt
echo '# https://github.com/felixonmars/dnsmasq-china-list' >>dnscrypt-blacklist-ips.txt
echo '# Thanks to all contributors.' >>dnscrypt-blacklist-ips.txt
echo '' >>dnscrypt-blacklist-ips.txt
cat bogus-nxdomain.china.conf | grep -v '^#bogus' | grep bogus-nxdomain | sed 's/bogus-nxdomain=//g' >>dnscrypt-blacklist-ips.txt
#wget -N https://github.com/missdeer/blocklist/raw/master/toblock-without-shorturl-optimized.lst
#echo '# Converted from https://github.com/missdeer/blocklist/blob/master/toblock-without-shorturl-optimized.lst' >dnscrypt-blacklist-domains.txt
#echo '# https://github.com/missdeer/blocklist' >>dnscrypt-blacklist-domains.txt
#echo '# Thanks to all contributors.' >>dnscrypt-blacklist-domains.txt
#echo '' >>dnscrypt-blacklist-domains.txt
#echo 'ad.*' >>dnscrypt-blacklist-domains.txt
#echo 'ad[0-9]*' >>dnscrypt-blacklist-domains.txt
#echo 'ads.*' >>dnscrypt-blacklist-domains.txt
#echo 'ads[0-9]*' >>dnscrypt-blacklist-domains.txt
#cat toblock-without-shorturl-optimized.lst | grep -v '^#' | tr -s '\n' | tr A-Z a-z | grep -v '^ad\.' | grep -v -e '^ad[0-9]' | grep -v '^ads\.' | grep -v -e '^ads[0-9]' | rev | sort -n | uniq | rev >>dnscrypt-blacklist-domains.txt
#wget -N https://github.com/googlehosts/hosts/raw/master/hosts-files/dnscrypt-proxy-cloaking.txt
#echo '# Converted from https://github.com/googlehosts/hosts/blob/master/hosts-files/dnscrypt-proxy-cloaking.txt' >dnscrypt-cloaking-rules.txt
#echo '# https://github.com/googlehosts/hosts' >>dnscrypt-cloaking-rules.txt
#echo '# Thanks to all contributors.' >>dnscrypt-cloaking-rules.txt
#echo '' >>dnscrypt-cloaking-rules.txt
#cat dnscrypt-proxy-cloaking.txt >>dnscrypt-cloaking-rules.txt
rm accelerated-domains.china.conf bogus-nxdomain.china.conf toblock-without-shorturl-optimized.lst dnscrypt-proxy-cloaking.txt
wget -N https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

View File

@ -1,15 +1,23 @@
#!/system/bin/sh
host_ip=""
inet_uid="3003"
proxy_port="65534"
conf_file="/data/v2ray/config.json"
dns_ip=`sed -n '30p' ${conf_file} | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}"`
iptables_wait="iptables"
proxy_for_app=false
bin_name="dnscrypt-proxy"
bin_file="/system/bin/${bin_name}"
run_path="/data/v2ray/run"
pid_file="${run_path}/dnscrypt-proxy.pid"
conf_path="/data/v2ray/dnscrypt-proxy"
conf_file="${conf_path}/dnscrypt-proxy.toml"
bin_opts="-config ${conf_file}"
appid_file="/data/v2ray/appid.list"
work_path="`dirname $0`"
find_outbound="${work_path}/v2ray-dns.keeper -o"
appid_list=()
softap_file="/data/v2ray/softap.list"
softap_list=()
iptables_wait="iptables"
v2ray_share=false
proxy_for_app=false
inet_uid="3003"
host_ip="127.0.0.1"
dns_port="65534"
proxy_port="65535"
suit_iptables_version() {
iptables_version=`iptables -V | grep -o "v1\.[0-9]"`
@ -40,14 +48,19 @@ iptables_chain_exist() {
return 1
}
probe_dnscrypt-proxy_alive() {
[ -f ${pid_file} ] && cmd_file="/proc/`cat ${pid_file}`/cmdline" || return 1
[ -f ${cmd_file} ] && grep -q "dnscrypt-proxy" ${cmd_file} && return 0 || return 1
}
probe_v2ray_listen() {
find_netstat_path || return
v2ray_listen=`netstat -unlp | grep v2ray`
if eval "echo \"${v2ray_listen}\" | grep -q :::${proxy_port}" || eval "echo \"${v2ray_listen}\" | grep -q 0.0.0.0:${proxy_port}" ; then
return
v2ray_share=true
return 0
else
echo "[Error]: V2Ray service is not listening on port ${proxy_port} ."
exit 1
return 1
fi
}
@ -76,13 +89,15 @@ probe_v2ray_target() {
done
done < ${appid_file}
fi
## probe proxy wifi interface
${v2ray_share} && [ -f ${softap_file} ] && softap_list=(`cat ${softap_file}`) || unset softap_list
## check proxy app or not
if ( [ "${app_proxy_mode}" = "skip" ] || ( [ "${app_proxy_mode}" = "pick" ] && [ ${#appid_list[@]} -gt 0 ] ) ) ; then
proxy_for_app=true
fi
## check enable proxy iptables or not
if ! ${proxy_for_app} ; then
echo "[Error]: V2Ray service is not proxy for APP."
if ! ( ${proxy_for_app} ) ; then
echo "[Error]: DNS is not proxy for APP."
exit 1
fi
}
@ -113,51 +128,50 @@ proxy_app_dns_iptables() {
## proxy all apps network
if [ "${appid_list[*]}" = "0" ] ; then
echo "[Info]: Proxy all APP's DNS request."
${iptables_wait} -t nat -A APP_DNS_PROXY -d ${dns_ip}/32 -m owner ! --uid-owner ${inet_uid} -j V2RAY_APP_DNS
${iptables_wait} -t nat -A APP_DNS_PROXY -m owner ! --uid-owner ${inet_uid} -j V2RAY_APP_DNS
## proxy assign app
else
for appid in ${appid_list[@]}; do
probe_uid_app_name ${appid} "Proxy" && \
${iptables_wait} -t nat -A APP_DNS_PROXY -d ${dns_ip}/32 -m owner --uid-owner ${appid} -j V2RAY_APP_DNS
${iptables_wait} -t nat -A APP_DNS_PROXY -m owner --uid-owner ${appid} -j V2RAY_APP_DNS
done
fi
## black-list mode
elif [ "${app_proxy_mode}" = "skip" ] ; then
for appid in ${appid_list[@]}; do
probe_uid_app_name ${appid} "Ignore" && \
${iptables_wait} -t nat -A APP_DNS_PROXY -d ${dns_ip}/32 -m owner --uid-owner ${appid} -j RETURN
${iptables_wait} -t nat -A APP_DNS_PROXY -m owner --uid-owner ${appid} -j RETURN
done
echo "[Info]: Proxy all remaining APP's DNS request."
${iptables_wait} -t nat -A APP_DNS_PROXY -d ${dns_ip}/32 -m owner ! --uid-owner ${inet_uid} -j V2RAY_APP_DNS
${iptables_wait} -t nat -A APP_DNS_PROXY -m owner ! --uid-owner ${inet_uid} -j V2RAY_APP_DNS
fi
## apply proxy rules to iptables
${iptables_wait} -t nat -A APP_DNS_PROXY -m owner --uid-owner 0 -j V2RAY_APP_DNS
${iptables_wait} -t nat -A OUTPUT -p udp --dport 53 -j APP_DNS_PROXY
}
create_proxy_iptables() {
while [ "${host_ip}" == "" ] || [ "${host_ip}" == "0.0.0.0" ] || [ "${host_ip}" == "127.0.0.1" ] ; do
host_ip=`${find_outbound}`
sleep 2
done
local iptables_chains=`iptables-save -t nat | cut -d ' ' -f 1 | tr "\n" " " | grep -o ":[0-9A-Z_]* "`
if ! iptables_chain_exist "${iptables_chains}" "V2RAY_APP_DNS" ; then
## create basic iptables proxy chains
echo "[Info]: Create DNS proxy chains to ${host_ip}:${proxy_port}"
${iptables_wait} -t nat -N V2RAY_APP_DNS
else
## flush basic iptables proxy chains
echo "[Info]: Rebuild DNS proxy chains to ${host_ip}:${proxy_port}"
${iptables_wait} -t nat -F V2RAY_APP_DNS
fi
echo "[Info]: Create DNS proxy chains."
## create iptables proxy chains for dns
${iptables_wait} -t nat -N V2RAY_APP_DNS
## build basic iptables proxy chains
${iptables_wait} -t nat -A V2RAY_APP_DNS -p udp -j DNAT --to-destination ${host_ip}:${proxy_port}
${iptables_wait} -t nat -A V2RAY_APP_DNS -p udp -j DNAT --to-destination ${host_ip}:${dns_port}
if ! iptables_chain_exist "${iptables_chains}" "APP_DNS_PROXY" && ${proxy_for_app} ; then
## proxy app network
proxy_app_dns_iptables
fi
}
display_dnscrypt-proxy_pid() {
if probe_dnscrypt-proxy_alive ; then
echo "[Info]: ${bin_name} service is running. ( PID: `cat ${pid_file}` )"
return 0
else
echo "[Info]: ${bin_name} service is stopped."
return 1
fi
}
flush_endpoint_iptables() {
${iptables_wait} -t nat -F V2RAY_APP_DNS 2>/dev/null
}
@ -177,22 +191,61 @@ flush_nat_iptables() {
unset iptables_chains
}
disable_proxy() {
flush_nat_iptables
start_dnscrypt-proxy() {
if probe_dnscrypt-proxy_alive ; then
echo "[Info]: ${bin_name} service is running. ( PID: `cat ${pid_file}` )"
return 0
elif probe_v2ray_listen ; then
echo "[Info]: Starting ${bin_name} service."
mkdir -p ${run_path}
chmod 6755 ${bin_file}
nohup ${bin_file} ${bin_opts} &
sleep 1
echo -n $! > ${pid_file}
if probe_dnscrypt-proxy_alive ; then
echo "[Info]: ${bin_name} service is running. ( PID: `cat ${pid_file}` )"
return 0
else
echo "[Error]: Start ${bin_name} service Failed."
rm -f ${pid_file}
return 1
fi
else
echo "[Error]: V2Ray service is not listening on port ${proxy_port} for DNS proxy."
exit 1
return 2
fi
}
stop_dnscrypt-proxy() {
if display_dnscrypt-proxy_pid ; then
echo "[Info]: Stopping ${bin_name} service."
kill `cat ${pid_file}`
sleep 1
display_dnscrypt-proxy_pid
fi
rm -f ${pid_file}
}
suit_iptables_version
case "$1" in
enable)
flush_endpoint_iptables
probe_v2ray_listen
probe_v2ray_target
sleep 2
create_proxy_iptables
if start_dnscrypt-proxy ; then
flush_endpoint_iptables
probe_v2ray_target
sleep 2
create_proxy_iptables
fi
;;
disable)
disable_proxy
flush_nat_iptables
stop_dnscrypt-proxy
;;
status)
display_dnscrypt-proxy_pid
;;
*)
echo "usage: $0 {enable|disable}"
echo "$0: usage: $0 {enable|disable|status}"
;;
esac

View File

@ -6,7 +6,9 @@ start_proxy () {
${MODDIR}/v2ray.service start &> /data/v2ray/run/service.log && \
if [ -f /data/v2ray/appid.list ] || [ -f /data/v2ray/softap.list ] ; then
${MODDIR}/v2ray.tproxy enable &>> /data/v2ray/run/service.log && \
${MODDIR}/v2ray-dns.service start &>> /data/v2ray/run/service.log &
if [ -f /data/v2ray/dnscrypt-proxy/dnscrypt-proxy.toml ] ; then
${MODDIR}/dnscrypt-proxy.service enable &>> /data/v2ray/run/service.log &
fi
fi
}
if [ ! -f /data/v2ray/manual ] ; then

View File

@ -1,91 +0,0 @@
#!/system/bin/sh
proxy_port="65534"
work_path="`dirname $0`"
bin_name="v2ray-dns.keeper"
bin_file="${work_path}/${bin_name}"
run_path="/data/v2ray/run"
pid_file="${run_path}/dns-keeper.pid"
log_file="${run_path}/dns-keeper.log"
handle_script="${work_path}/v2ray-dns.handle"
find_netstat_path() {
[ -f /system/bin/netstat ] && alias netstat="/system/bin/netstat" && return 0
[ -f /system/xbin/netstat ] && alias netstat="/system/xbin/netstat" && return 0
return 1
}
probe_keeper_alive() {
[ -f ${pid_file} ] && cmd_file="/proc/`cat ${pid_file}`/cmdline" || return 1
[ -f ${cmd_file} ] && grep -q "v2ray-dns.keeper" ${cmd_file} && return 0 || return 1
}
probe_v2ray_listen() {
find_netstat_path || return
v2ray_listen=`netstat -unlp | grep v2ray`
if eval "echo \"${v2ray_listen}\" | grep -q :::${proxy_port}" || eval "echo \"${v2ray_listen}\" | grep -q 0.0.0.0:${proxy_port}" ; then
return 0
else
return 1
fi
}
display_keeper_pid() {
if probe_keeper_alive ; then
echo "[Info]: ${bin_name} service is running. ( PID: `cat ${pid_file}` )"
return 0
else
echo "[Info]: ${bin_name} service is stopped."
return 1
fi
}
start_service() {
if probe_keeper_alive ; then
echo "[Info]: ${bin_name} service is running. ( PID: `cat ${pid_file}` )"
return 0
elif probe_v2ray_listen ; then
echo "[Info]: Starting ${bin_name} service."
mkdir -p ${run_path}
nohup ${bin_file} -d "${handle_script} enable" &>${log_file} &
echo -n $! > ${pid_file}
if probe_keeper_alive ; then
echo "[Info]: ${bin_name} service is running. ( PID: `cat ${pid_file}` )"
return 0
else
echo "[Error]: Start ${bin_name} service Failed."
rm -f ${pid_file}
return 1
fi
else
echo "[Error]: V2Ray service is not listening on port ${proxy_port} for DNS proxy."
exit 1
return 2
fi
}
stop_service() {
if display_keeper_pid ; then
echo "[Info]: Stopping ${bin_name} service."
kill `cat ${pid_file}`
sleep 1
display_keeper_pid
fi
${handle_script} disable
rm -f ${pid_file}
}
case "$1" in
start)
start_service
;;
stop)
stop_service
;;
status)
display_keeper_pid
;;
*)
echo "$0: usage: $0 {start|stop|status}"
;;
esac

View File

@ -4,8 +4,9 @@ inotify=`realpath $0`
scripts_dir=`dirname ${inotify}`
service="${scripts_dir}/v2ray.service"
tproxy="${scripts_dir}/v2ray.tproxy"
dns_proxy_keeper="${scripts_dir}/v2ray-dns.keeper"
dns_proxy_service="${scripts_dir}/v2ray-dns.service"
dns_proxy_binary="/system/bin/dnscrypt-proxy"
dns_proxy_service="${scripts_dir}/dnscrypt-proxy.service"
dnscrypt_conf="/data/v2ray/dnscrypt-proxy/dnscrypt-proxy.toml"
events=$1
monitor_dir=$2
@ -15,13 +16,13 @@ start_v2ray() {
${service} start && \
if [ -f /data/v2ray/appid.list ] || [ -f /data/v2ray/softap.list ] ; then
${tproxy} enable
[ -f "${dns_proxy_keeper}" ] && ${dns_proxy_service} start
[ -f "${dnscrypt_conf}" ] && ${dns_proxy_service} enable
fi
}
stop_v2ray() {
${tproxy} disable
[ -f "${dns_proxy_keeper}" ] && ${dns_proxy_service} stop
[ -f "${dnscrypt_conf}" ] && ${dns_proxy_service} disable
${service} stop
}

View File

@ -174,6 +174,7 @@ proxy_app_tcp_iptables() {
${iptables_wait} -t nat -A APP_TCP_PROXY -m owner ! --uid-owner ${inet_uid} -j V2RAY
fi
## apply proxy rules to iptables
${iptables_wait} -t nat -A APP_TCP_PROXY -m owner --uid-owner 0 -j V2RAY
${iptables_wait} -t nat -A OUTPUT -p tcp -j APP_TCP_PROXY
}
@ -210,7 +211,7 @@ create_proxy_iptables() {
filter_proxy_iptables() {
if ${v2ray_share} ; then
echo "[Info]: Block illegal visit."
echo "[Info]: Block illegal v2ray visit."
## create iptables firewall chains
${iptables_wait} -t filter -N PROTECT_V2RAY
## permit localhost