So recently I switched to an x86 router which runs Proxmox VE. On PVE there are OpenWrt and iKuai (I'm gonna replace this sneaky thing). I'm not covering those in this blog post; instead I'm writing down how I deployed a ShadowSocks client implementation that routes traffic intelligently on my OpenWrt.
We are gonna use Clash; you must have been aware of it because it's in the title. Clash is a new piece of software that is nearly the same as Surge. They both support a "rules" mode which routes internet traffic according to your rules. It's so convenient that you don't have to use GFWList anymore, and rules are more precise and customizable: you can route Google to a Hong Kong proxy, YouTube to the United States and Netflix to Japan, etc. Clash also has a redir mode which can transparently proxy the traffic sent to its redir-port, and this is what we are gonna make use of.
These are what we are going to do:
- Download Clash to OpenWrt
- Write some configurations
- Configure OpenWrt
- Route the traffic to Clash
- Run Clash
- Control Clash
It’s quite simple.
$ mkdir /etc/clash
It’s the most complicated step in this process. It depends on whether your ShadowSocks service provider provides a managed clash configuration. If they don’t, check these out:
You'll still have to manually write the Proxy section. Ultimately, your Clash config must at least have these lines:
Let's tear it down. 8887 is the redir port, and external-controller is for the API that we're gonna use later to control Clash. We will use the dns provided by Clash to resolve all the domains. Notice that the DNS port is 53; we're going to talk about this in the next section.
We're going to change the port of the OpenWrt DNS server to something other than 53, or it'll conflict with Clash's. Open https://luci.openwrt/cgi-bin/luci/admin/network/dhcp, go to Advanced Settings, find DNS server port and change it to something else. Save & Apply and done.
Clash is now taking over all DNS packets, so you get clean DNS results instead of polluted ones.
Open up https://luci.openwrt/cgi-bin/luci/admin/network/firewall/custom and add the following two lines to the end of the rules. Be aware that you need to change YOUR_SSH_PORT to your actual SSH port; 8887 is the redir port we previously configured in Clash's configuration.
iptables -t nat -A PREROUTING -p tcp --dport YOUR_SSH_PORT -j ACCEPT
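As an added example (not from the original post), here is a small script that emits the nat PREROUTING rules for this redir setup: the SSH exception from above, plus RETURN rules for private and local destination ranges so that LuCI, LAN hosts and the router's own services are not looped into Clash. The port numbers are parameters and the range list is an assumption, not something the post specifies.

```shell
#!/bin/sh
# Added example: emit (and optionally apply) the nat PREROUTING rules for a
# Clash redir setup on OpenWrt. Ports and ranges are assumptions/parameters.

# Destinations that must never be sent to the redir port: the router itself,
# LAN hosts, link-local and multicast. Without these exceptions, LuCI, local
# DNS and LAN services would be redirected into Clash as well.
LOCAL_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# clash_redir_rules REDIR_PORT SSH_PORT
# Prints one iptables command per line, in the order they must be applied.
clash_redir_rules() {
    redir_port=$1
    ssh_port=$2
    # Keep the router's SSH reachable, exactly as the post does.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $ssh_port -j ACCEPT"
    # Skip local/private destinations before the catch-all redirect.
    for net in $LOCAL_NETS; do
        echo "iptables -t nat -A PREROUTING -p tcp -d $net -j RETURN"
    done
    # Everything else: hand over to Clash's redir port.
    echo "iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports $redir_port"
}

# apply_clash_redir REDIR_PORT SSH_PORT
# Runs the generated rules (needs root and iptables on the router).
apply_clash_redir() {
    clash_redir_rules "$1" "$2" | while IFS= read -r cmd; do
        $cmd || return 1
    done
}
```

Run `clash_redir_rules 8887 YOUR_SSH_PORT` first to review the rule list, then `apply_clash_redir` with the same arguments on the router.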
Congratulations, you've reached the last step. Run the following to launch Clash.
$ cd /etc/clash
You can open your browser (make sure to disable proxies on your computer), go to https://www.google.com and see if it works! If it does, press Ctrl+C to terminate Clash, and run the following to keep Clash running in the background.
$ ./clash -d . &
Remember external-controller? We're gonna make use of it… right now.
There's a fantastic web interface that does exactly this job: http://clash.razord.top/. Use your OpenWrt IP address and the external-controller port to authenticate. Be aware that it's in Chinese.
We can make Clash into a system service. Create /etc/init.d/clash with the following shell script:
After saving the file, run chmod +x /etc/init.d/clash to make it executable. Now you can control Clash using:
$ service clash start