openwrt-xray
Great work! Is there a tutorial for OpenWRT? A reply in Chinese is fine too.
I'd love to install this on an OpenWRT xiaomi/redmi router (mipsel 24kc).
I wish there was a tutorial, even an incomplete one would be helpful.
I would like to set up an Xray SERVER on a mipsel 24kc router. I already have certificates and config files on my linux machine. I don't care if performance is lower on the router. I'm interested in the reliability.
Thanks!
Amazing! I have to try this! Thank you so much.
Try https://github.com/yichya/luci-app-xray. It comes with the ability to act as a server.
What openwrt packages do I need for just running the HTTP Server? I wouldn't want to install all the proxy stuff and what else?
It can't be just luci-app-xray and openwrt-xray, can it?
I'm starting off a fresh official OpenWRT install.
I spent 3 hours and finally got it to work. The server works beautifully and I'm amazed at the throughput. I was able to saturate my 100Mbit connection with this Xiaomi R3G mips router. This openwrt-xray package seems to be extremely efficient. While downloading at 100Mbit over xray, the load on the router got to 3.0-4.0 thereabout. I thought mips architecture was supposed to be very slow. This thing is FLYING! The ram usage doesn't even change during max throughput. I still have like 140/256MB free ram.
I do have one problem. When running the CLIENT config on the router, I'm having DNS issues. It seems that domestic addresses are super slow to resolve. I tried changing the default 114.114.114.114 dns server to my ISP's dns server but it still takes like 5-10 seconds to resolve a chinese domain like baidu.com, 138ip.com, youku.com etc. I don't know why. I downloaded geoip and geosite and enabled them in DNS Settings and Transparent Proxy Rules.
Getting a "polluted domain" to resolve is very fast compared. Shouldn't it be the other way around? Any ideas?
Thank you! If writing in English is a hassle, feel free to use Chinese, either way.
> I do have one problem. When running the CLIENT config on the router, I'm having DNS issues. It seems that domestic addresses are super slow to resolve. I tried changing the default 114.114.114.114 dns server to my ISP's dns server but it still takes like 5-10 seconds to resolve a chinese domain like baidu.com, 138ip.com, youku.com etc. I don't know why. I downloaded geoip and geosite and enabled them in DNS Settings and Transparent Proxy Rules.

Is it only slow when resolving domestic domains, or are both DNS and actual HTTP / HTTPS requests slow?
I remember that refreshing a domain was instant, but first opening it was slow. So I'm guessing that it's a DNS issue. But I'm not sure if it's perhaps a proxy issue. Like perhaps even if the local dns ip is excluded from going over the proxy, the requests still go through the proxy, perhaps? I remember it being slow with the 114.114.114.114 as well as the ISP dns set, and with the IP set as excluded from going over the proxy.
My server is in Europe so I can really feel the difference when local dns queries go over the server. Maybe you guys with Hong Kong servers don't feel the difference.
I installed everything again on an even smaller router. The Xiaomi Mini R1C. It works and I still have like 30-40MB free RAM out of 128MB.
It works fast now but I had to turn off sniffing and I set it to IfIPNonMatch, and "GeoIP Direct Code List" set to "cn".
If I ping 8.8.8.8 I get a low delay like 60ms, and my server has a 200ms latency. Doesn't that mean it's not running dns requests over the proxy? That's susceptible to poisoning, no?
So I love the plugins but I don't understand the proxy settings. That's where I'm at right now.
> If I ping 8.8.8.8 I get a low delay like 60ms, and my server has a 200ms latency. Doesn't that mean it's not running dns requests over the proxy? That's susceptible to poisoning, no?

ICMP requests won't be forwarded.
> I remember that refreshing a domain was instant, but first opening it was slow. So I'm guessing that it's a DNS issue. But I'm not sure if it's perhaps a proxy issue. Like perhaps even if the local dns ip is excluded from going over the proxy, the requests still go through the proxy, perhaps? I remember it being slow with the 114.114.114.114 as well as the ISP dns set, and with the IP set as excluded from going over the proxy.

Try some utilities like `dig` to check whether it is slow on DNS only.
> It works fast now but I had to turn off sniffing and I set it to IfIPNonMatch, and "GeoIP Direct Code List" set to "cn".

It is also recommended to disable sniffing on your other MIPS router.
Ok, thanks!
- If I want to keep using the two DNS servers provided by my ISP, can I leave the DNS field blank? Or do I just add one of the two DNS servers?
- Geosite.dat isn't downloaded when installing xray-geodata. Only geoip.dat. Is that enough? I uploaded the file manually, but it won't update hmm.
- When not using sniffing, what's the downside? It seems to work fine without. Hmm....
Cheers! I have to say running xray on small routers is amazing. You've done such a fantastic job. I learned a lot working with openwrt.
- I tested dig on different (previously unresolved domains) and I get query times between 20-90ms regardless if they're chinese sites or blocked. That's strange isn't it? My server has a 200ms delay and I can dig to like gmail/facebook/instagram .com and get 50ms. Baidu, 138ip, right.com.cn, taobao.com, tencent.com are 10-50ms.
> - If I want to keep using the two DNS servers provided by my ISP, can I leave the DNS field blank? Or do I just add one of the two DNS servers?

Pick one and fill it in there.
> - Geosite.dat isn't downloaded when installing xray-geodata. Only geoip.dat. Is that enough? I uploaded the file manually, but it won't update hmm.

Although luci-app-xray works without them, both files are needed to work in the best condition.
> - When not using sniffing, what's the downside? It seems to work fine without. Hmm....

Sniffing mainly enables routing by domain names. However it does impact performance a lot on low-end devices like old MIPS routers. If you are running without problems, just leave it on.
> - I tested dig on different (previously unresolved domains) and I get query times between 20-90ms regardless if they're chinese sites or blocked. That's strange isn't it? My server has a 200ms delay and I can dig to like gmail/facebook/instagram .com and get 50ms. Baidu, 138ip, right.com.cn, taobao.com, tencent.com are 10-50ms.

Make sure that response is not coming from local cache (dnsmasq or Xray).
I spent another couple of hours on this. I managed to get the HTTPS Server working once on the R3G but now I can't for the life of me get it to work on the R1C.
I've done a clean install twice and no go. I set it up the same way I remembered but no go.
Just to be clear. To run a server, we don't need to enable any proxies right?
I'm getting odd things in the log. Mentioning of 8.8.8.8 and 1.1.1.1 when I'm just running a local server. I did accept input on 443, the log shows the requests coming in, but then it just stops. I tried setting my local ISP dns in all the fields of the config. I tried adding geoip and deleting it. Servers shouldn't use that.
In general settings I just leave TCP + UDP at disabled. Proxies all disabled.
I've been trying to skip luci altogether and try to edit the config.json file myself, but whenever I restart xray I get the weird config back.
```
Wed Feb 1 17:32:55 2023 daemon.info xray[4117]: 2023/02/01 09:32:55 [Info] [897566363] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > context canceled
```
It seems that the router can't like access the sites.
> Just to be clear. To run a server, we don't need to enable any proxies right?

HTTPS server acts as an inbound like those mentioned in "Proxy Settings", so you should make sure you can reach the sites you're trying to access without any proxy if you disable all proxies.
> Mentioning of 8.8.8.8 and 1.1.1.1 when I'm just running a local server.

DNS settings have nothing to do with other settings. These settings always show in the generated config file.
> I've been trying to skip luci altogether and try to edit the config.json file myself, but whenever I restart xray I get the weird config back.

`/var/etc/xray/config.json` is generated by luci-app-xray every time it starts.
Yeah. They're just sites like www.baidu.com etc.
I get 8.8.8.8 and 1.1.1.1 in the log even if I replace those fields with my ISP dns ip in luci. So xray is querying 8.8.8.8 and 1.1.1.1 but with only the HTTPS Server enabled. So weird.
```
Wed Feb 1 19:24:13 2023 daemon.info xray[5051]: Xray 1.7.2 (Xray, Penetrates Everything.) Custom (go1.19.4 linux/mipsle)
Wed Feb 1 19:24:13 2023 daemon.info xray[5051]: A unified platform for anti-censorship.
Wed Feb 1 19:24:13 2023 daemon.err xray[5051]: 2023/02/01 11:24:13 Using confdir from arg: /var/etc/xray
Wed Feb 1 19:24:13 2023 daemon.info xray[5051]: 2023/02/01 11:24:13 [Info] infra/conf/serial: Reading config: /var/etc/xray/config.json
Wed Feb 1 19:24:15 2023 daemon.info xray[5051]: 2023/02/01 11:24:15 [Warning] core: Xray 1.7.2 started
Wed Feb 1 19:24:57 2023 daemon.info xray[5051]: 2023/02/01 11:24:57 [Warning] [913656892] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: [dial tcp 127.0.0.1:0: connect: connection refused] > common/retry: all retry attempts failed
Wed Feb 1 19:24:57 2023 daemon.info xray[5051]: 2023/02/01 11:24:57 [Warning] [3799396831] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: [dial tcp 127.0.0.1:0: connect: connection refused] > common/retry: all retry attempts failed
Wed Feb 1 19:24:57 2023 daemon.info xray[5051]: 2023/02/01 11:24:57 [Warning] [2010889506] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: [dial tcp 127.0.0.1:0: connect: connection refused] > common/retry: all retry attempts failed
Wed Feb 1 19:25:06 2023 daemon.info xray[5051]: 2023/02/01 11:25:06 [Warning] [1503599886] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: [dial tcp 127.0.0.1:0: connect: connection refused] > common/retry: all retry attempts failed
Wed Feb 1 19:25:11 2023 daemon.info xray[5051]: 2023/02/01 11:25:11 [Warning] [843515631] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: [dial tcp 127.0.0.1:0: connect: connection refused] > common/retry: all retry attempts failed
Wed Feb 1 19:25:13 2023 daemon.info xray[5051]: 2023/02/01 11:25:13 [Warning] [3352166071] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: [dial tcp 127.0.0.1:0: connect: connection refused] > common/retry: all retry attempts failed
Wed Feb 1 19:25:15 2023 daemon.info xray[5051]: 2023/02/01 11:25:15 [Warning] [2420201163] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: [dial tcp 127.0.0.1:0: connect: connection refused] > common/retry: all retry attempts failed
```
Fresh install 22.03.03. Port 443 accept input. Disabled uhttpd listen on 443. Following config.
I'm confused. There are two configs. One in /etc/config/xray and one in /var/etc/xray/config.json
xray
```
config general
	option xray_bin '/usr/bin/xray'
	option mark '255'
	option tproxy_port_tcp '1080'
	option tproxy_port_udp '1081'
	option socks_port '1082'
	option http_port '1083'
	option dns_port '5300'
	option dns_count '3'
	option fast_dns '114.114.114.114'
	option secure_dns '8.8.8.8'
	option default_dns '1.1.1.1'
	list bypassed_domain_rules 'geosite:cn'
	list forwarded_domain_rules 'geosite:geolocation-!cn'
	list blocked_domain_rules 'geosite:category-ads'
	option wan_bp_list '/dev/null'
	option lan_target 'TP_SPEC_WAN_AC'
	option lan_ifaces 'br-lan'
	list wan_bp_ips '114.114.114.114'
	option xray_api '1'
	option routing_domain_strategy 'AsIs'
	option conn_idle '300'
	option loglevel 'warning'
	option handshake '4'
	option uplink_only '2'
	option downlink_only '5'
	option buffer_size '512'
	option main_server 'disabled'
	option tproxy_udp_server 'disabled'
	option web_server_enable '1'
	option web_server_port '443'
	option web_server_cert_file '/etc/luci-uploads/xray/cert.crt'
	option web_server_key_file '/etc/luci-uploads/xray/private.key'
	option web_server_protocol 'vless'
	option vless_tls 'xtls'
	option vless_flow 'xtls-rprx-direct'
	option web_server_password '902a9161-fec6-464f-ae99-7dff097cxxxx'

config servers
	option security 'auto'
	option transport 'tcp'
	option tcp_guise 'none'
	option tls '0'
	option tests_enabled 'none'
	option protocol 'vless'
	option server_port '443'
	option password '00000000-0000-0000-0000-000000000000'
	option vless_security 'none'
	option vless_encryption 'none'
	option server 'example.org'
	option alias 'VLESS XTLS Splice Example'
	option vless_flow 'xtls-rprx-splice'
	option vless_tls 'xtls'
	option vless_xtls_host 'example.org'
	option vless_xtls_insecure '0'

config servers
	option password 'supersecret'
	option transport 'tcp'
	option tcp_guise 'none'
	option server 'example.org'
	option server_port '443'
	option protocol 'trojan'
	option alias 'Trojan Example'
	option trojan_flow 'none'
	option trojan_tls 'tls'
	option trojan_tls_host 'example.org'
	option trojan_tls_insecure '0'
```
config.json
```json
{
  "inbounds": [
    { "port": "1083", "protocol": "http", "tag": "http_inbound",
      "settings": { "allowTransparent": false } },
    { "port": "1080", "protocol": "dokodemo-door", "tag": "tproxy_tcp_inbound", "sniffing": null,
      "settings": { "network": "tcp", "followRedirect": true },
      "streamSettings": { "sockopt": { "tproxy": "tproxy", "mark": 255 } } },
    { "port": "1081", "protocol": "dokodemo-door", "tag": "tproxy_udp_inbound",
      "settings": { "network": "udp", "followRedirect": true },
      "streamSettings": { "sockopt": { "tproxy": "tproxy", "mark": 255 } } },
    { "port": "1082", "protocol": "socks", "tag": "socks_inbound",
      "settings": { "udp": true } },
    { "port": 5300, "protocol": "dokodemo-door", "tag": "dns_server_inbound_5300",
      "settings": { "address": "1.1.1.1", "port": 53, "network": "tcp,udp" } },
    { "port": 5301, "protocol": "dokodemo-door", "tag": "dns_server_inbound_5301",
      "settings": { "address": "1.1.1.1", "port": 53, "network": "tcp,udp" } },
    { "port": 5302, "protocol": "dokodemo-door", "tag": "dns_server_inbound_5302",
      "settings": { "address": "1.1.1.1", "port": 53, "network": "tcp,udp" } },
    { "port": 5303, "protocol": "dokodemo-door", "tag": "dns_server_inbound_5303",
      "settings": { "address": "1.1.1.1", "port": 53, "network": "tcp,udp" } },
    { "port": "443", "protocol": "vless", "tag": "https_inbound",
      "settings": {
        "clients": [ { "id": "902a9161-fec6-464f-ae99-7dff097cxxxx", "flow": "xtls-rprx-direct" } ],
        "decryption": "none",
        "fallbacks": [ { "dest": null } ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "xtls",
        "tlsSettings": null,
        "xtlsSettings": {
          "alpn": [ "http/1.1" ],
          "certificates": [
            { "certificateFile": "/etc/luci-uploads/xray/cert.crt",
              "keyFile": "/etc/luci-uploads/xray/private.key" }
          ]
        }
      } },
    { "listen": "127.0.0.1", "port": 8080, "protocol": "dokodemo-door",
      "settings": { "address": "127.0.0.1" }, "tag": "api" }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct",
      "settings": { "domainStrategy": "UseIPv4" },
      "streamSettings": { "sockopt": { "mark": 255 } } },
    { "protocol": "dns",
      "streamSettings": { "sockopt": { "mark": 255 } },
      "tag": "dns_server_outbound" },
    { "tag": "blackhole_outbound", "protocol": "blackhole" },
    { "protocol": "freedom", "tag": "tcp_outbound",
      "settings": { "domainStrategy": "UseIPv4" },
      "streamSettings": { "sockopt": { "mark": 255 } } },
    { "protocol": "freedom", "tag": "udp_outbound",
      "settings": { "domainStrategy": "UseIPv4" },
      "streamSettings": { "sockopt": { "mark": 255 } } }
  ],
  "dns": {
    "hosts": { },
    "servers": [
      { "address": "114.114.114.114", "port": 53, "domains": [ ] },
      { "address": "8.8.8.8", "port": 53, "domains": [ ] },
      { "address": "114.114.114.114", "port": 53, "domains": [ ] },
      { "address": "1.1.1.1", "port": 53 }
    ],
    "tag": "dns_conf_inbound",
    "queryStrategy": "UseIPv4"
  },
  "api": {
    "tag": "api",
    "services": [ "HandlerService", "LoggerService", "StatsService" ]
  },
  "metrics": null,
  "policy": {
    "levels": {
      "0": { "handshake": 4, "connIdle": 300, "uplinkOnly": 2, "downlinkOnly": 5, "bufferSize": 512,
             "statsUserUplink": false, "statsUserDownlink": false }
    },
    "system": { "statsInboundUplink": false, "statsInboundDownlink": false,
                "statsOutboundUplink": false, "statsOutboundDownlink": false }
  },
  "log": { "access": "none", "loglevel": "warning", "dnsLog": false },
  "stats": null,
  "observatory": null,
  "reverse": { "bridges": [ ] },
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      { "type": "field",
        "inboundTag": [ "tproxy_tcp_inbound", "dns_conf_inbound", "socks_inbound", "https_inbound", "http_inbound" ],
        "outboundTag": "tcp_outbound" },
      { "type": "field",
        "inboundTag": [ "tproxy_udp_inbound" ],
        "outboundTag": "udp_outbound" },
      { "type": "field",
        "inboundTag": [ "dns_server_inbound_5300", "dns_server_inbound_5301", "dns_server_inbound_5302", "dns_server_inbound_5303" ],
        "outboundTag": "dns_server_outbound" },
      { "type": "field",
        "inboundTag": [ "api" ],
        "outboundTag": "api" }
    ]
  }
}
```
I figured out why I saw 1.1.1.1 dns requests after changing those settings. It was set in my damn v2rayNG app.
When I figure this out Yichya, I'm going to celebrate. I have big plans you know.
I'm on shitty 长城宽带 and I want to try and put an xray "Portal" (reverseproxy) at someone's home with 联通 and then use that if the internet connection is weak. Also to reach servers behind NAT, or help my Chinese friends abroad appear to be in China. What a great use for your amazing contribution, and put these reliable mips routers to good use. Thumbs up!
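
The log in this thread shows repeated dials to `127.0.0.1:0`, and the generated `config.json` has a fallback entry with `"dest": null` on the `https_inbound`. The following is an added example, not part of the original thread or of luci-app-xray: a small Python triage script that puts both observations side by side. The function names are hypothetical, the log lines follow the format posted above, and the config is a trimmed, constructed sample.

```python
import json
import re
from collections import Counter

# Log lines in the format posted in the thread (OpenWrt syslog wrapping Xray's log).
SAMPLE_LOG = """\
Wed Feb 1 19:24:15 2023 daemon.info xray[5051]: 2023/02/01 11:24:15 [Warning] core: Xray 1.7.2 started
Wed Feb 1 19:24:57 2023 daemon.info xray[5051]: 2023/02/01 11:24:57 [Warning] [913656892] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: all retry attempts failed
Wed Feb 1 19:25:06 2023 daemon.info xray[5051]: 2023/02/01 11:25:06 [Warning] [1503599886] app/proxyman/inbound: connection ends > proxy/vless/inbound: failed to dial to 127.0.0.1:0 > common/retry: all retry attempts failed
"""

# Constructed, trimmed config with the same shape as the generated config.json.
SAMPLE_CONFIG = """
{"inbounds": [
  {"port": "1082", "protocol": "socks", "tag": "socks_inbound", "settings": {"udp": true}},
  {"port": "443", "protocol": "vless", "tag": "https_inbound",
   "settings": {"decryption": "none", "fallbacks": [{"dest": null}]}}
]}
"""

# syslog prefix, Xray timestamp, [Level], optional [session id], then the error chain
LOG_RE = re.compile(r"xray\[\d+\]: \S+ \S+ \[(\w+)\] (?:\[(\d+)\] )?(.*)$")
DIAL_RE = re.compile(r"failed to dial to (\S+)")

def summarize_dial_failures(log_text):
    """Count 'failed to dial to <addr>' occurrences per target address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # banner lines and non-Xray lines
        for part in m.group(3).split(" > "):  # each hop of the error chain
            d = DIAL_RE.search(part)
            if d:
                counts[d.group(1)] += 1
    return dict(counts)

def null_fallbacks(config):
    """Return tags of inbounds that carry a fallback whose dest is null."""
    tags = []
    for inbound in config.get("inbounds", []):
        fallbacks = (inbound.get("settings") or {}).get("fallbacks") or []
        if any(fb.get("dest") is None for fb in fallbacks):
            tags.append(inbound.get("tag"))
    return tags

def triage(log_text, config_text):
    """Combine both views: dial targets with port 0, and inbounds with null fallbacks."""
    failures = summarize_dial_failures(log_text)
    return {
        "dial_failures": failures,
        "port_zero_targets": sorted(t for t in failures if t.endswith(":0")),
        "null_fallback_inbounds": null_fallbacks(json.loads(config_text)),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, SAMPLE_CONFIG), indent=2))
```

On the router, the same functions can be fed the output of `logread` and the contents of `/var/etc/xray/config.json`.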