
Notes of Xray — the censorship buster

4 min read · Aug 22, 2023


There are myriad ways of bypassing censorship restrictions, but the most proficient people in the world are, by and large, Chinese internet users. The Great Firewall of China gave birth to a plethora of sneaky technologies to fight it. Now that fascism (as in telling us what we can and cannot see) is on the rise in the so-called First World, Chinese tech comes to the rescue.

Let me start with this: my use is by no means typical, and I’m not using it out of necessity. I just love to tinker with all kinds of tech.

My old setup

At home, I used to have a Google/Nest Wifi system that was connected to my ISP’s router. I used it for some years and might have kept living with it were it not for one of my neighbors, who installed an extra-extra strong wifi system of his own, and other neighbors who upgraded their systems, so that suddenly the 5GHz wifi space became crowded to an uncomfortable extent. The problem with Google/Nest wifi is that it does not allow you to set a specific wifi band. Their explanation — “we know better”. Real-life result: I was fucked.

And so I started to research alternatives. I basically had one major requirement for a mesh-wifi system: it needed to be operational in the so-called “bridge” mode (Google/Nest Wifi couldn’t; you can turn a single endpoint into a bridge but immediately lose the mesh), and one minor requirement: it should allow mapping multiple wifi SSIDs to VLANs.

So I asked around, and a friend of mine gave me his old Linksys mesh set. The first thing I tried was flashing it with OpenWRT. That didn’t go well: the model I got wasn’t supported, so I reverted to the original firmware. Linksys satisfied my major requirement (bridge mode + mesh), but not the minor one (no SSID=>VLAN mapping; it doesn’t understand VLANs at all; oh well).

The router

I also realized I could turn my ISP’s router into a dumb bridge and do all the intelligent work myself. My first attempt was with an old Ubiquiti EdgeRouter Lite router, hacked to run OpenWRT. It was good, but having 1-gigabit home internet required a different level of hardware - the speeds were abysmal. So the next thing I tried was running OpenWRT in a virtual machine on my NAS. That was much better, but the load on the NAS was considerable.

Feeling sufficiently competent, I ordered a dedicated router called FriendlyElec R5s. It’s got an okay CPU/GPU, two 2.5Gbit ports, and a single 1Gbit port. I added an SSD so I could stop caring about disk space and ordered it. In hindsight, I should’ve gone for a more powerful machine called NanoPC-T6 from the same company. It’s got a much more powerful CPU and better expandability (e.g., you can add a Google Coral Dual TPU, among other stuff, which would be handy for high-speed Wireguard transfers). Yes, my 4-core CPU only allows ~45 MB/sec Wireguard transfers. Oh well, first-world problems, I guess. Otherwise, I’m extremely happy with my little router box.

The routing

I have a couple of strategic directions for which I need specific VPN channels. And thanks to the fucking GDPR, I need to visit US sites as a US customer. Also, I prefer to visit even European sites as an ‘American’ — less hassle. So I used to have several Wireguard connections and local HTTP proxies, each dedicated to its own WG connection. Then in Chrome, I used the ProxySwitchyOmega extension to direct traffic accordingly. In a word, a mess :)

Then I heard about Project X, designed by the Chinese to bypass their firewall. It evolved into a flexible routing system. It is, first and foremost, a router, in addition to all the protocols for evading detection and whatnot. So that’s primarily how I use it: not so much as a hidden VPN endpoint, but as a really powerful and lightweight routing system. And the very nature of Xray — a hacked TLS 1.3 proxy — allows me to do that.

Xray in action

Here’s the logic behind my Xray setup. It listens on several ports for input. Depending on the port used, it acts accordingly. For example, if I connect to SOCKS5 on port 10801, it sends all traffic via a VPN in country X. If I connect to 10802 — country Y, etc; 1090 — sends it directly, bypassing all rules. But the real marvels are ports 1080 (SOCKS5) and 10901 (Transparent Proxy), which perform smart routing.

Smart Routing

First, I check if the destination port is 53. If so, I have my own DNS server inside Xray (I used to use AdguardHome — yet another local service got eliminated).

The DNS module checks the name against the list of my local domains (like .local, .lan, and a couple of others) and sends those requests to OpenWRT locally. For domains in specific countries, it uses DNS servers in those countries.

Then there’s a whitelist of domains never to be blocked, followed by imported extensive blocklists, then country-specific domain/IP ranges to be sent via a specific VPN, and so on.

Wireguard — inside or out?

Xray recently implemented the Wireguard protocol. But in my testing, it’s no match for the native OpenWRT implementation. So I just ‘mark’ traffic inside Xray, and NFTables uses that mark to route it over the right Wireguard tunnel.
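A minimal Xray JSON config wired the way the preceding sections describe, as an added example (not the author’s actual config): per-port SOCKS inbounds pinned to a country outbound, a SOCKS inbound on 1080 and a transparent-proxy inbound on 10901 that fall through to the ordered routing rules, port-53 traffic handed to Xray’s built-in DNS, and SO_MARK values on the country outbounds for NFTables policy routing to pick up. The resolver addresses, the fwmark values 101/102 and the geosite:us / geoip:us tags are assumptions (the tags stand in for entries in the custom Geo files mentioned below).

```json
{
  "log": { "loglevel": "warning" },
  "dns": {
    "servers": [
      // constructed addresses: the home router answers only for the LAN zones
      { "address": "192.168.1.1", "domains": ["domain:local", "domain:lan"] },
      // assumed resolver inside the target country for that country's sites
      { "address": "8.8.8.8", "domains": ["geosite:us"] },
      "1.1.1.1"
    ]
  },
  "inbounds": [
    { "tag": "in-country-x", "port": 10801, "protocol": "socks", "settings": { "udp": true } },
    { "tag": "in-country-y", "port": 10802, "protocol": "socks", "settings": { "udp": true } },
    { "tag": "in-direct", "port": 1090, "protocol": "socks", "settings": { "udp": true } },
    { "tag": "in-smart", "port": 1080, "protocol": "socks", "settings": { "udp": true },
      "sniffing": { "enabled": true, "destOverride": ["http", "tls"] } },
    { "tag": "in-tproxy", "port": 10901, "protocol": "dokodemo-door",
      "settings": { "network": "tcp,udp", "followRedirect": true },
      "streamSettings": { "sockopt": { "tproxy": "tproxy" } },
      "sniffing": { "enabled": true, "destOverride": ["http", "tls"] } }
  ],
  "outbounds": [
    { "tag": "direct", "protocol": "freedom" },
    { "tag": "dns-out", "protocol": "dns" },
    { "tag": "block", "protocol": "blackhole" },
    // assumed marks: the SO_MARK set here is what the nftables/ip-rule policy routing keys on
    { "tag": "via-x", "protocol": "freedom", "streamSettings": { "sockopt": { "mark": 101 } } },
    { "tag": "via-y", "protocol": "freedom", "streamSettings": { "sockopt": { "mark": 102 } } }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      // 1. DNS queries go to the built-in resolver regardless of inbound
      { "type": "field", "port": 53, "outboundTag": "dns-out" },
      // 2. dedicated ports are pinned to one outbound, no further rules apply
      { "type": "field", "inboundTag": ["in-country-x"], "outboundTag": "via-x" },
      { "type": "field", "inboundTag": ["in-country-y"], "outboundTag": "via-y" },
      { "type": "field", "inboundTag": ["in-direct"], "outboundTag": "direct" },
      // 3. smart routing for 1080 / 10901: whitelist before blocklist, then geo rules
      { "type": "field", "domain": ["domain:local", "domain:lan"], "outboundTag": "direct" },
      { "type": "field", "domain": ["geosite:category-ads-all"], "outboundTag": "block" },
      { "type": "field", "domain": ["geosite:us"], "outboundTag": "via-x" },
      { "type": "field", "ip": ["geoip:us"], "outboundTag": "via-x" },
      { "type": "field", "ip": ["geoip:private"], "outboundTag": "direct" }
    ]
  }
}
```

Rules are matched top to bottom and the first match wins, so the whitelist must sit above the blocklist as it does here; anything unmatched falls to the first outbound (direct).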

Maybe eliminate Wireguard instead of upgrading the router?

Maybe. When my commercial VPN subscription runs out next June, I might go for a VLESS-protocol subscription. Since it uses regular TLS, the efficiency should be much higher. We’ll see.

Source of data

I find the default v2ray-provided data to be way too China-specific. So I make my own GeoSites and Geo-IP files.

For Geo-IP, I use V2fly => GeoIP with additions from BGPview. For GeoSites — V2fly => Domain List Community with additions from IOSD (small list, regexp).
