Using OpenWrt to counter campus-network multi-device detection

Using the Xiaomi Mi Router WR30U (stock layout), with the immortalwrt 21.02 branch as the example. Includes: ua3f + TTL unification modules + DPI evasion / clock-skew module + IPID sequentialization.

1. Prepare the build environment

sudo apt update
sudo apt install build-essential clang flex bison g++ gawk \
gcc-multilib g++-multilib gettext git libncurses5-dev libssl-dev \
python3-setuptools rsync swig unzip zlib1g-dev file wget

2. Configure a proxy

export http_proxy=http://192.168.0.6:20122
export https_proxy=http://192.168.0.6:20122
git config --global http.proxy http://192.168.0.6:20122
git config --global https.proxy http://192.168.0.6:20122

3. Fetch the source

git clone https://github.com/hanwckf/immortalwrt-mt798x.git
cd immortalwrt-mt798x
# For mt7981, use mt7981-ax3000.config
cp -f defconfig/mt7981-ax3000.config .config

4. Add third-party feeds (IPID & argon)

git clone --depth=1 https://github.com/CHN-beta/rkp-ipid.git package/rkp-ipid
git clone https://github.com/jerrykuku/luci-theme-argon.git package/luci-theme-argon

5. Update & install feeds

./scripts/feeds update -a
./scripts/feeds install -a
./scripts/feeds install kmod-rkp-ipid

6. Configure the target & packages

make menuconfig

▸ TTL unification modules
Location:
Kernel modules → Netfilter Extensions → kmod-ipt-ipopt
Network → Firewall → iptables-mod-ipopt
▸ DPI evasion / clock-skew module
Location: Kernel modules → Netfilter Extensions → kmod-nf-conntrack-netlink
▸ IPID sequentialization module
Location: Kernel modules → Other modules → kmod-rkp-ipid
▸ Enable the LuCI web interface and the argon theme
Path: LuCI → Collections → luci
LuCI → Themes → luci-theme-argon
▸ Enable the Chinese language pack
Path: LuCI → Modules → Translations → Chinese (zh-cn)
▸ Enable WireGuard support
Kernel modules → Network Support → kmod-wireguard
Network → VPN → wireguard-tools
LuCI → Protocols → luci-proto-wireguard

make download -j$(nproc) V=cs
make V=s -j$(nproc)

7. Post-flash configuration and verification

7.1 Install ShellClash

# Install ShellClash from a URL (choose one of the three links below)
# curl -k skips TLS certificate verification for the downloaded installer
# GitHub source (may require a proxy)
export url='https://raw.githubusercontent.com/juewuy/ShellCrash/master' && sh -c "$(curl -kfsSl $url/install.sh)" && source /etc/profile &> /dev/null
# jsDelivr CDN source
export url='https://fastly.jsdelivr.net/gh/juewuy/ShellCrash@master' && sh -c "$(curl -kfsSl $url/install.sh)" && source /etc/profile &> /dev/null
# Author's private source
export url='https://gh.jwsc.eu.org/master' && sh -c "$(curl -kfsSl $url/install.sh)" && source /etc/profile &> /dev/null

# Clash configuration for UA3F (no external proxy)
https://cdn.jsdelivr.net/gh/SunBK201/UA3F@master/clash/ua3f-cn.yaml

For a detailed walkthrough of this stage, see the video at 27:38.

7.2 Install UA3F from a URL

opkg update
opkg install curl libcurl luci-compat
export url='https://blog.sunbk201.site/cdn' && sh -c "$(curl -kfsSl $url/install.sh)"
service ua3f reload

# Start UA3F
uci set ua3f.enabled.enabled=1
uci commit ua3f
service ua3f start
service ua3f enable

7.3 Configure the TTL unification module and others

# Firewall:
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
# Counter IPID detection
iptables -t mangle -N IPID_MOD
iptables -t mangle -A FORWARD -j IPID_MOD
iptables -t mangle -A OUTPUT -j IPID_MOD
iptables -t mangle -A IPID_MOD -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A IPID_MOD -d 127.0.0.0/8 -j RETURN
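# My campus LAN is a Class A network, so I commented this rule out; whether to comment it out depends on your campus network's internal address range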
# iptables -t mangle -A IPID_MOD -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A IPID_MOD -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A IPID_MOD -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A IPID_MOD -d 255.0.0.0/8 -j RETURN
iptables -t mangle -A IPID_MOD -j MARK --set-xmark 0x10/0x10
# Counter clock-skew detection
iptables -t nat -N ntp_force_local
iptables -t nat -I PREROUTING -p udp --dport 123 -j ntp_force_local
iptables -t nat -A ntp_force_local -d 0.0.0.0/8 -j RETURN
iptables -t nat -A ntp_force_local -d 127.0.0.0/8 -j RETURN
iptables -t nat -A ntp_force_local -d 192.168.0.0/16 -j RETURN
iptables -t nat -A ntp_force_local -s 192.168.0.0/16 -j DNAT --to-destination 192.168.1.1
# Set the TTL value via iptables
iptables -t mangle -A POSTROUTING -j TTL --ttl-set 128
# Use iptables to block the AC's Flash-based detection
iptables -I FORWARD -p tcp --sport 80 --tcp-flags ACK ACK -m string --algo bm --string 'src="http://1.1.1.' -j DROP
#ShellClash
sleep 9s && pgrep -f ShellCrash >/dev/null || /etc/ShellCrash/start.sh start
# Observe with the following capture command:
tcpdump -i wan -nn -vvv ip
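
The TTL and IP ID fields that the rules above rewrite appear in the header line of each packet in the verbose tcpdump output. The following is an added example, not part of the original page: it summarizes those two fields for one source address from tcpdump text output. The address 192.0.2.10, the sample capture lines and the function names are constructed for illustration.

```shell
# Added example, not from the original page. The address 192.0.2.10 and the
# capture lines below are constructed sample data.

# Read `tcpdump -nn -v ip` text on stdin; report, for packets sent by $1,
# how many distinct TTLs appear and how often the IP ID steps backwards.
summarize_capture() {
    awk -v src="$1" '
    # Header line: "... IP (tos 0x0, ttl 128, id 4660, offset 0, ...)"
    / IP \(tos / {
        ttl = ""; id = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "ttl") { ttl = $(i + 1); sub(/,/, "", ttl) }
            if ($i == "id")  { id  = $(i + 1); sub(/,/, "", id) }
        }
        next
    }
    # Address line: "    192.0.2.10.51234 > 198.51.100.7.443: ..."
    ttl != "" && $2 == ">" {
        if ($1 == src || index($1, src ".") == 1) {
            n++
            if (!(ttl in seen)) { seen[ttl] = 1; kinds++ }
            # A backward step (mod 65536) means the IDs are not one ordered stream.
            if (n > 1 && (id - prev + 65536) % 65536 > 32767) back++
            prev = id
        }
        ttl = ""
    }
    END { printf "packets=%d ttl_values=%d ipid_backsteps=%d\n", n, kinds, back }
    '
}

# Constructed capture: four outbound packets and one inbound reply.
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP (tos 0x0, ttl 128, id 1000, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.51000 > 198.51.100.7.443: Flags [S], length 0
12:00:00.000002 IP (tos 0x0, ttl 128, id 1001, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.51000 > 198.51.100.7.443: Flags [.], length 0
12:00:00.000003 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.443 > 192.0.2.10.51000: Flags [S.], length 0
12:00:00.000004 IP (tos 0x0, ttl 63, id 500, offset 0, flags [DF], proto UDP (17), length 60)
    192.0.2.10.40000 > 198.51.100.9.53: UDP, length 32
12:00:00.000005 IP (tos 0x0, ttl 128, id 1002, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.51000 > 198.51.100.7.443: Flags [.], length 0
EOF
}

sample_capture | summarize_capture 192.0.2.10
```

A capture in which every outbound packet carries the same TTL and an ordered IP ID stream reports ttl_values=1 and ipid_backsteps=0; the constructed sample mixes two TTLs and one out-of-order ID.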