Community discussions

MikroTik App
 
DeHb86
just joined
Topic Author
Posts: 14
Joined: Tue Dec 19, 2023 8:11 pm

VLess proxy tunnel on mikrotik via containers.

Mon Jan 15, 2024 12:29 pm

Hello everyone!
Pleez help me with containers and routing traffic on the router.
Have Mikrotik hAP ax3 with a USB flash drive for storage, AdguardHome, Xray-core and Tun2Socks containers are installed on the router.
Configuration:
/interface bridge
add name=Dockers port-cost-mode=short
/interface veth
add address=10.6.0.2/24 gateway=10.6.0.1 gateway6="" name=VETH1-adguard
add address=10.6.0.3/24 gateway=10.6.0.1 gateway6="" name=VETH2-xray
add address=10.6.0.4/24 gateway=10.6.0.1 gateway6="" name=VETH3-tun

/interface list
add name=LANs
add name=WANs

/container
add interface=VETH1-adguard root-dir=usb1-part1/Containers/adguard start-on-boot=yes workdir=/opt/adguardhome/work
add dns=10.6.0.2 interface=VETH2-xray root-dir=usb1-part1/Containers/xray-core start-on-boot=yes workdir=/root
add dns=10.6.0.2 interface=VETH3-tun root-dir=usb1-part1/Containers/tun2socks start-on-boot=yes

/container config
set ram-high=250.0MiB registry-url=https://ghcr.io tmpdir=usb1-part1/TMP

/interface bridge port
add bridge=Dockers interface=VETH1-adguard
add bridge=Dockers interface=VETH2-xray
add bridge=Dockers interface=VETH3-tun

/interface list member
add interface=Bridge list=LANs
add interface=WAN list=WANs

/ip address
add address=10.10.12.1/24 interface=Bridge network=10.10.12.0
add address=10.6.0.1/24 interface=Dockers network=10.6.0.0

/ip dhcp-server network
add address=10.10.12.0/24 dns-server=10.6.0.2 gateway=10.10.12.1 netmask=24

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w3d doh-timeout=6s query-server-timeout=2s500ms query-total-timeout=12s servers=1.1.1.1 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip firewall filter
add action=fasttrack-connection chain=forward comment="Rule 1.0 Fasttrack" connection-state=established,related hw-offload=yes in-interface=Bridge out-interface=WAN
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes in-interface=WAN out-interface=Bridge
add action=accept chain=forward comment="Rule 1.0.1 Forward input established/related acept" connection-state=established,related,untracked log-prefix="Forward accept"
add action=accept chain=input connection-state=established,related,untracked log-prefix="Input accept"
add action=drop chain=forward comment="Rule 1.0.2 Forward input invalid drop" connection-state=invalid in-interface=WAN log-prefix="Forward drop invalid"
add action=drop chain=input connection-state=invalid in-interface=WAN log-prefix="Input drop invalid"
add action=drop chain=input comment="Rule 1.2.1 Input drop from WAN" in-interface-list=WANs log-prefix="Input all drop from WAN"

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=10.6.0.2 new-routing-mark=proxy_mark passthrough=yes src-address=10.10.12.52

/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT 1.01 - TCP 53 Redirect DNS requests to AdguardHome" dst-port=53 in-interface=Bridge protocol=tcp to-addresses=10.6.0.2
add action=dst-nat chain=dstnat comment="NAT 1.02 - UDP 53 Redirect DNS requests to AdguardHome" dst-port=53 in-interface=Bridge protocol=udp to-addresses=10.6.0.2
add action=masquerade chain=srcnat comment="Containers through NAT" out-interface=WAN src-address=10.6.0.0/24
add action=masquerade chain=srcnat comment="WWW through VPN" dst-address-list=rkn_wg out-interface=WG1-VPS
add action=masquerade chain=srcnat comment="LAN through NAT" out-interface=WAN src-address=10.10.12.2-10.10.12.254

/routing table
add disabled=no fib name=wg_mark
add disabled=no fib name=proxy_mark

/ip route
add comment="Acceess to WWW through Proxy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.6.0.4 pref-src="" routing-table=proxy_mark scope=30 suppress-hw-offload=yes target-scope=10
add comment="Acceess to WWW through WG1-VPS" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=WG1-VPS pref-src="" routing-table=wg_mark scope=30 suppress-hw-offload=yes target-scope=10
The AdguardHome container works without question, all devices on the network receive it as a DNS-server via DHCP.
The Xray-core container (acts as a client to the VPS server with 3X-UI is installed) - after launching the container is stopped and the file edited config.json (connection settings are specified). It also works without questions, it connects to the VPS server via XLTS+Reality, from a local computer (Windows) and virtual (Ubunta) when specifying http://socks=IP:port I can easily access the Internet through Socks.
The whole question is about the following Tun2Socks container.
To launch the container, an image was mounted from the github, then the container was started, i'm stopped it. And edited entrypoint.sh.
#!/bin/sh
ip tuntap add mode tun dev tun0
ip addr add 198.18.0.1/15 dev tun0
ip link set dev tun0 up
ip route del default
ip route add default via 198.18.0.1 dev tun0 metric 1
ip route add default via 10.6.0.1 dev eth0 metric 10
tun2socks -device tun0 -proxy socks5://10.6.0.3:30804 -interface eth0
run || exit 1
There is Internet access from inside the containers (I checked both in Xray-core and Tun2Socks). But when I want to send all traffic to the tunnel from a local device from the local network (using the mangle rule - proxy_mark marking), the Internet is completely inaccessible, ping and tracer do not pass through the tunnel to any site. Although using the same rule for WireGuard, everything works out, and the Internet is available on all devices).
I myself am not an expert in Unix systems at all, it was difficult to figure out the microtics.
So I can't understand the problem in the tunnel, or is it in the routing settings on the router?
Or maybe someone knows an easier way?
 
koalabambu
just joined
Posts: 7
Joined: Tue Dec 05, 2023 11:32 pm

Re: VLess proxy tunnel on mikrotik via containers.

Tue Jan 16, 2024 2:22 am

I am 110% not familar with you project ;)
But i wanted to know what you want to do , so i looked the tool websites up....
see attachment - maybe it help ...

its from https://github.com/xjasonlyu/tun2socks/wiki/Examples
You do not have the required permissions to view the files attached to this post.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3892
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VLess proxy tunnel on mikrotik via containers.

Tue Jan 16, 2024 3:15 am

rp-filter is set in /ip/settings, but I'm not sure that's the issue.

Did you see this thread? viewtopic.php?p=1044220&hilit=xray#p984907
 
DeHb86
just joined
Topic Author
Posts: 14
Joined: Tue Dec 19, 2023 8:11 pm

Re: VLess proxy tunnel on mikrotik via containers.

Wed Jan 17, 2024 8:57 pm

I am 110% not familar with you project ;)
But i wanted to know what you want to do , so i looked the tool websites up....
see attachment - maybe it help ...
its from https://github.com/xjasonlyu/tun2socks/wiki/Examples
Thanks a lot for the answers.
I'll try to dig into this issue more, but I still can't find time for experiments.
rp-filter is set in /ip/settings, but I'm not sure that's the issue.

Did you see this thread? viewtopic.php?p=1044220&hilit=xray#p984907
Yes, I saw this theme by the user vanes32 just helped me with the setup, but what works for him - I couldn't get it to work in any way.
 
Oleg554555
just joined
Posts: 5
Joined: Sun May 21, 2023 4:03 am

Re: VLess proxy tunnel on mikrotik via containers.

Fri Feb 16, 2024 1:52 am

I am 110% not familar with you project ;)
But i wanted to know what you want to do , so i looked the tool websites up....
see attachment - maybe it help ...
its from https://github.com/xjasonlyu/tun2socks/wiki/Examples
Thanks a lot for the answers.
I'll try to dig into this issue more, but I still can't find time for experiments.
rp-filter is set in /ip/settings, but I'm not sure that's the issue.

Did you see this thread? viewtopic.php?p=1044220&hilit=xray#p984907
Yes, I saw this theme by the user vanes32 just helped me with the setup, but what works for him - I couldn't get it to work in any way.
Hey. Did you manage to wrap traffic from local devices to a container? I managed to deploy a proxy combine harvester container sing-box. The connection to the proxy server is established, as a test I chose the shadowsocks 2022. This container contains the default tun2socks,from inside the container, a request via curl ifconfig.me returns the ip address of the proxy server. There was a problem with routing, the traffic inside the container comes as can be seen from the output of the iftop, but the host packages are not returned because of what and there is no Internet access.
 
Madeus
just joined
Posts: 1
Joined: Fri Mar 01, 2024 11:58 am

Re: VLess proxy tunnel on mikrotik via containers.

Fri Mar 01, 2024 12:01 pm

Hi.
Were you able to set up this configuration?
 
DeHb86
just joined
Topic Author
Posts: 14
Joined: Tue Dec 19, 2023 8:11 pm

Re: VLess proxy tunnel on mikrotik via containers.  Topic is solved

Sat Jun 15, 2024 5:19 pm

Good afternoon It's been quite some time and I've been looking at this topic.
And to answer the last question - yes! I managed to get this scheme to work with three containers.
But over time, something changed inside the containers, and right now I can’t guarantee that everything will work the first time without trial.
On the cheaper aX2, I even managed to launch the installation of containers through a script, but after I did not have access to this device for 1.5 months, it turned out that the scheme stopped working, and there is no way yet to find out what the reason is. Perhaps the container assemblies themselves have been updated, and these settings are no longer suitable.

On a home aX3 with containers installed on USB-Flash, the scheme is currently working.
The settings are:
/interface bridge add name=Dockers port-cost-mode=short
/ip address add address=10.6.0.1/24 interface=Dockers network=10.6.0.0
/interface veth add address=10.6.0.2/24 gateway=10.6.0.1 gateway6="" name=VETH1-adguard
/interface veth add address=10.6.0.3/24 gateway=10.6.0.1 gateway6="" name=VETH2-xray
/interface veth add address=10.6.0.4/24 gateway=10.6.0.1 gateway6="" name=VETH3-tun
/interface bridge port add bridge=Dockers interface=VETH1-adguard
/interface bridge port add bridge=Dockers interface=VETH2-xray
/interface bridge port add bridge=Dockers interface=VETH3-tun

/container mounts add dst=/opt/adguardhome/work name=adguard_workdir src=/usb1-part1/Conf/adguardwork
/container mounts add dst=/opt/adguardhome/conf name=adguard_confdir src=/usb1-part1/Conf/adguardconf
/container envs add key=TZ name=adguard_envs value=Europe/Moscow
/container add envlist=adguard_envs interface=VETH1-adguard mounts=adguard_workdir,adguard_confdir root-dir=usb1-part1/Containers/adguard start-on-boot=yes workdir=/opt/adguardhome/work
/container add dns=10.6.0.2 interface=VETH2-xray root-dir=usb1-part1/Containers/xray-core start-on-boot=yes workdir=/root
/container add dns=10.6.0.2 interface=VETH3-tun root-dir=usb1-part1/Containers/tun2socks start-on-boot=yes

/ip dhcp-server network add address=10.10.12.0/24 dns-server=10.6.0.2 gateway=10.10.12.1 netmask=24
/routing table add disabled=no fib name=proxy_mark
/ip route add comment="Acceess to WWW through Proxy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.6.0.4 pref-src="" routing-table=proxy_mark scope=30 suppress-hw-offload=yes target-scope=10

/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=route_proxy log-prefix=markrou_ new-routing-mark=proxy_mark passthrough=yes
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=Dockers passthrough=yes protocol=tcp tcp-flags=syn

/ip firewall nat add action=dst-nat chain=dstnat comment="TCP 53 Redirect DNS requests to AdguardHome" dst-port=53 in-interface=Bridge protocol=tcp to-addresses=10.6.0.2
/ip firewall nat add action=dst-nat chain=dstnat comment="UDP 53 Redirect DNS requests to AdguardHome" dst-port=53 in-interface=Bridge protocol=udp to-addresses=10.6.0.2
/ip firewall nat add action=masquerade chain=srcnat comment="WWW through VPN Proxy" dst-address-list=route_proxy out-interface=Dockers
/ip firewall nat add action=masquerade chain=srcnat comment="Containers through NAT" out-interface-list=WANs src-address=10.6.0.0/24
In the containers themselves, as I wrote earlier, it is necessary to make changes to the files:
Xray-core (acts as a client to a VPS server with 3X-UI installed) - after launching the container, the config file is installed and edited.json (connection settings are set).
Tun2Socks, after installation and activation. We stop the container and replace it Entryppoint.sh
#!/bin/sh
ip tuntap add mode tun dev tun0
ip addr add 198.18.0.1/15 dev tun0
ip link set dev tun0 up
ip route del default
ip route add default via 198.18.0.1 dev tun0 metric 1
ip route add default via 10.6.0.1 dev eth0 metric 10
tun2socks -device tun0 -proxy socks5://10.6.0.3:30804 -interface eth0
After launching the container, all addresses included in the proxy_mark list go through the VLess proxy tunnel.
_____________
In Russian
Добрый день! Прошло довольно много времени и как просматривал эту тему.
И отвечая на последний вопрос - да! Мне удалось заставить работать эту схему с тремя контейнерами.
Но вот по прошествии времени что-то внутри контейнеров поменялось, и прямо сейчас не могу гарантировать, что все заработает с первого раза без разбирательств.
На более дешёвом aX2 даже получилось запускать установку контейнеров через скрипт, но после того как я 1,5 месяца не имел доступа к этому устройству, выяснилось что схема перестала работать, и пока нет возможности выяснить в чем причина. Возможно обновились сами сборки контейнеров, и данные настройки уже не подходят.

На домашнем aX3 с установкой контейнеров на USB-Flash, в данный момент схема работает.
Настройки такие:

В самих контейнерах как и ранее писал, необходимо внести изменения в файлы:
Xray-core (выполняет роль клиента к VPS-серверу с установленным 3X-UI) - после запуска контейнер останавливается и редактируется файл config.json (задаются настройки подключения).
Tun2Socks, после установки и включения. Останавливаем контейнер и подменяем Entryppoint.sh.

После запуска контейнера все адреса включённые в список proxy_mark ходят через Vless прокси туннель.
Last edited by DeHb86 on Fri Jun 28, 2024 8:26 am, edited 1 time in total.
 
universe5ht
just joined
Posts: 2
Joined: Thu Jul 06, 2023 4:16 pm

Re: VLess proxy tunnel on mikrotik via containers.

Sun Jun 16, 2024 8:57 am

@DeHb86
Hi! Could you write a more detailed article on how to make containers yourself? By the way, is it possible to run XRAY-core client in TUN Mode?

Привет! Ты не мог бы написать более подробную статью как сделать сами контейнеры? Кстати можно ли запустить XRAY-core client в TUN Mode?
 
DeHb86
just joined
Topic Author
Posts: 14
Joined: Tue Dec 19, 2023 8:11 pm

Re: VLess proxy tunnel on mikrotik via containers.

Sun Jun 16, 2024 10:22 am

@DeHb86
Hi! Could you write a more detailed article on how to make containers yourself? By the way, is it possible to run XRAY-core client in TUN Mode?

Привет! Ты не мог бы написать более подробную статью как сделать сами контейнеры? Кстати можно ли запустить XRAY-core client в TUN Mode?
And which step exactly do you need to go into more detail?
The container installation process itself? I did not rebuild the containers to suit my needs, I just installed them from the repository, and replaced the config file.json in xray-core (specifying the IP/key, etc. to connect to the server via the Vless protocol), and in the second container I also replaced the file entrypoint.sh

А какой именно шаг нужно подробней?
Сам процесс установки контейнера? Я не пере собирал под свои нужды контейнеры, я просто установил с репозитория, и подменил файл конфига config.json в xray-core (с указанием IP/ключа и т.д. для подключения к серверу через Vless протокол), и во втором контейнере так же подменил файл entrypoint.sh.
Если надо что-то подробней напиши на почту dehbсобакаlist.ru.
 
DeHb86
just joined
Topic Author
Posts: 14
Joined: Tue Dec 19, 2023 8:11 pm

Re: VLess proxy tunnel on mikrotik via containers.

Mon Jul 22, 2024 11:37 am

There is a small addition to all of the above.
I don't know why, but the tun2socks container has stopped working recently - it couldn't ping either local machines or remote hosts.
Colleagues who are not indifferent to our common problem figured out what the problem was with the container and advised us to make changes.
The solution was a change in spelling Entrypoint.sh , adding commands to turn interfaces off and on.
At the moment, I have restored work on all devices, so I will post an updated version:
#!/bin/sh
sleep 2
ifconfig eth0 down
sleep 2
ifconfig eth0 up
ip tuntap add mode tun dev tun0
ip addr add 198.18.0.1/15 dev tun0
ip link set dev tun0 up
sleep 2
ifconfig tun0 down
sleep 2
ifconfig tun0 up
ip route del default
ip route add default via 198.18.0.1 dev tun0 metric 1
ip route add default via 10.6.2.1 dev eth0 metric 10
tun2socks -device tun0 -proxy socks5://10.6.2.3:30804 -interface eth0
_____________
In Russian
Ко всему вышенаписанному небольшое дополнение.
Не знаю почему но все же контейнер tun2socks в последнее время переставал работать - не мог пинговать ни локальные машины, ни удаленные хосты.
Коллеги не равнодушные к нашей общей проблеме, разобрались в чем была проблема с контейнером и посоветовали внести изменения.
Решением стало изменение в написании Entrypoint.sh, добавление команд на выключение и включение интерфейсов.
В данный момент, у меня восстановилась работа на всех устройствах, так что выложу обновлённый вариант:
Last edited by DeHb86 on Sat Jul 27, 2024 7:22 pm, edited 1 time in total.
 
mike7
just joined
Posts: 15
Joined: Sun Oct 28, 2018 12:20 am

Re: VLess proxy tunnel on mikrotik via containers.

Sat Jul 27, 2024 6:14 pm

Just want to share entrypoints for both implementations, so you can build your own images for mikrotik.

Docker file something like this one:
# syntax=docker/dockerfile:1

FROM ghcr.io/<image>:latest

COPY --chown=0:0 --chmod=755 entrypoint.sh /entrypoint.sh

For https://github.com/xjasonlyu/tun2socks

#!/bin/sh

TUN="${TUN:-tun0}"
ADDR="${ADDR:-198.18.0.1/15}"
LOGLEVEL="${LOGLEVEL:-info}"

create_tun() {
  # create tun device
  ip tuntap add mode tun dev "$TUN"
  ip addr add "$ADDR" dev "$TUN"
  ip link set dev "$TUN" up
}

config_route() {
# https://forum.mikrotik.com/viewtopic.php?p=1044220&hilit=xray#p1044980
  ip route del default
  ip route add default via ${IPV4} dev ${TUN} metric 1
  ip route add default via $(ip -o -f inet address show eth0 | awk '/scope global/ {print $4}' | cut -d/ -f1) dev eth0 metric 10
}

run() {
  create_tun
  create_table
  config_route

  # execute extra commands
  if [ -n "$EXTRA_COMMANDS" ]; then
    sh -c "$EXTRA_COMMANDS"
  fi

  if [ -n "$MTU" ]; then
    ARGS="--mtu $MTU"
  fi

  if [ -n "$RESTAPI" ]; then
    ARGS="$ARGS --restapi $RESTAPI"
  fi

  if [ -n "$UDP_TIMEOUT" ]; then
    ARGS="$ARGS --udp-timeout $UDP_TIMEOUT"
  fi

  if [ -n "$TCP_SNDBUF" ]; then
    ARGS="$ARGS --tcp-sndbuf $TCP_SNDBUF"
  fi

  if [ -n "$TCP_RCVBUF" ]; then
    ARGS="$ARGS --tcp-rcvbuf $TCP_RCVBUF"
  fi

  if [ "$TCP_AUTO_TUNING" = 1 ]; then
    ARGS="$ARGS --tcp-auto-tuning"
  fi

  if [ -n "$MULTICAST_GROUPS" ]; then
    ARGS="$ARGS --multicast-groups $MULTICAST_GROUPS"
  fi

  exec tun2socks \
    --loglevel "$LOGLEVEL" \
    --interface eth0 \
    --device "$TUN" \
    --proxy "$PROXY" \
    $ARGS
}

run || exit 1

For https://github.com/heiher/hev-socks5-tunnel

#!/bin/sh

TUN="${TUN:-tun0}"
MTU="${MTU:-9000}"
IPV4="${IPV4:-198.18.0.1}"
IPV6="${IPV6:-}"

MARK="${MARK:-438}"

SOCKS5_ADDR="${SOCKS5_ADDR:-172.17.0.1}"
SOCKS5_PORT="${SOCKS5_PORT:-1080}"
SOCKS5_USERNAME="${SOCKS5_USERNAME:-}"
SOCKS5_PASSWORD="${SOCKS5_PASSWORD:-}"
SOCKS5_UDP_MODE="${SOCKS5_UDP_MODE:-udp}"

LOG_LEVEL="${LOG_LEVEL:-warn}"

config_file() {
  cat > /hs5t.yml << EOF
misc:
  log-level: '${LOG_LEVEL}'
tunnel:
  name: '${TUN}'
  mtu: ${MTU}
  ipv4: '${IPV4}'
  ipv6: '${IPV6}'
  post-up-script: '/route.sh'
socks5:
  address: '${SOCKS5_ADDR}'
  port: ${SOCKS5_PORT}
  udp: '${SOCKS5_UDP_MODE}'
  mark: ${MARK}
EOF

  if [ -n "${SOCKS5_USERNAME}" ]; then
      echo "  username: '${SOCKS5_USERNAME}'" >> /hs5t.yml
  fi

  if [ -n "${SOCKS5_PASSWORD}" ]; then
      echo "  password: '${SOCKS5_PASSWORD}'" >> /hs5t.yml
  fi
}

config_route() {
  echo "#!/bin/sh" > /route.sh
  chmod +x /route.sh

  echo "ip route del default" >> /route.sh
  echo "ip route add default via ${IPV4} dev ${TUN} metric 1" >> /route.sh
  echo "ip route add default via $(ip -o -f inet address show eth0 | awk '/scope global/ {print $4}' | cut -d/ -f1) dev eth0 metric 10" >> /route.sh
}

run() {
  config_file
  config_route
  echo "echo 1 > /success" >> /route.sh
  hev-socks5-tunnel /hs5t.yml
}

run || exit 1

Don't forget to set environments for containers.
 
mike7
just joined
Posts: 15
Joined: Sun Oct 28, 2018 12:20 am

Re: VLess proxy tunnel on mikrotik via containers.

Tue Aug 06, 2024 8:35 am

I successfully deployed tun2socks and hev-socks5-tunnels on hAP ac^3 (arm).
But the same configuration doesn't work on RB5009UG+S+ (arm64).

On RB5009 forwarding inside container simply do nothing. Using torch I can't catch outgoing packets from tun to socks but routing from local is working.
Connection in tun container from tun device can be checked with:
wget -S -O - http://one.one.one.one > /dev/null
I have more complicated firewall on RB5009 and will try to check with simple firewall on weekend.

@DeHb86
Looks like you also have arm64 platform. For the moment there is only difference in platform on my tests.

Routing inside container can be simplified a bit:
ip route del default

ip route add 10.0.0.0/8 via 172.21.0.17 dev eth0
ip route add 172.16.0.0/12 via 172.21.0.17 dev eth0
ip route add 192.168.0.0/16 via 172.21.0.17 dev eth0

ip route add default via 198.18.0.1 dev tun0
All private networks route thru router but external traffic will go to socks.
 
User avatar
snegowiki
just joined
Posts: 1
Joined: Wed Aug 28, 2024 3:05 pm

Re: VLess proxy tunnel on mikrotik via containers.

Wed Aug 28, 2024 3:14 pm

Here is an equivalent of the tun2socks Docker image for arm64 (e.g., AX2, AX3) - hev-socks5-tunnel-mikrotik
and shadowsocks-client, if you need. Also i have vless reality client container

PS. For arm you can try
snegowiki/hev-socks5-tunnel-mikrotik:test
, but i have not tested it.
Last edited by snegowiki on Mon Sep 02, 2024 3:56 pm, edited 2 times in total.
 
DeHb86
just joined
Topic Author
Posts: 14
Joined: Tue Dec 19, 2023 8:11 pm

Re: VLess proxy tunnel on mikrotik via containers.

Fri Aug 30, 2024 8:15 pm

Here is an equivalent of the tun2socks Docker image for arm64 (e.g., AX2, AX3) - hev-socks5-tunnel-mikrotik
and shadowsocks-client, if you need. Also i have vless reality client container
Hello!
On the first attempt, I failed to get a container, or rather, the container was installed and works, but does not act as a tunnel.

At startup, the container returns an error:
"Error: invalid prefix for the specified prefix length".
My local network is 10.10.12.0/24, the container network is 10.6.0.0/24, DNS server 10.6.0.2 (Adguardhome) (Router - aX3)
/container
add dns=10.6.0.2 envlist=HEV-tun interface=VETH4-tun2 logging=yes root-dir=usb1/Containers/Tun2 start-on-boot=yes
/container envs
add key=SOCKS5_ADDR name=HEV-tun value=10.6.0.3
add key=SOCKS5_PORT name=HEV-tun value=30804
add key=SOCKS5_UDP_MODE name=HEV-tun value=udp
add key=LOCAL_ROUTE name=HEV-tun value="ip r a 10.10.12.1/24 via 10.6.0.1"
According to the settings, everything seems to be correct, what could go wrong?
____________
my stupid mistake...
pointed out the network."...12.1/24" and not "...12.0/24" as it should be, everything started up and works.

snegowiki, Thank you very much!
 
rozhkovets
just joined
Posts: 4
Joined: Sat Aug 31, 2024 11:34 am

Re: VLess proxy tunnel on mikrotik via containers.

Sat Aug 31, 2024 12:12 pm

I confirm, it works well on hap ac3. The speed is a bit low, about 20 megabits with a 100 megabit channel. But I think it is not related to Mikrotik, the CPU load is no more than 30% at peak.
_____________
подтверждаю, работает хорошо на hap ac3. Скорость низковата, около 20 мегабит при 100 мегабитном канале. Но я думаю это не связано с микротиком, нагрузка на цпу не более 30% в пике.

мой путь установки.
не забудьте изменить IP-адреса и подсети на свои значения, а также путь до usb диска.

Установите дополнительный пакет container.npk
необходим usb диск отформатированный в ext4
/system/device-mode/update container=yes
/system reboot

/container config set ram-high=250.0MiB registry-url=https://registry-1.docker.io tmpdir=usb1/pull

/interface bridge add name=Dockers port-cost-mode=short

/interface veth add address=11.0.0.2/24 gateway=11.0.0.1 gateway6="" name=veth1-tun2sock
/interface veth add address=11.0.0.3/24 gateway=11.0.0.1 gateway6="" name=veth2-xray-core

/interface bridge port add bridge=Dockers interface=veth1-tun2sock
/interface bridge port add bridge=Dockers interface=veth2-xray-core

/ip address add address=11.0.0.1/24 interface=Dockers network=11.0.0.0

/ip firewall nat add action=masquerade chain=srcnat comment="Containers through NAT" out-interface=WAN src-address=11.0.0.0/24

/container add remote-image=xjasonlyu/tun2socks:latest interface=veth1-tun2sock root-dir=usb1/containers/tun2sock logging=yes
/container add remote-image=teddysun/xray:latest interface=veth2-xray-core root-dir=usb1/containers/ xray-core logging=yes

/routing table add disabled=no fib name=proxy
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=proxy_list new-routing-mark=proxy passthrough=yes src-address=<ip адреса клиентов(подсеть)>

/ip route add comment="Acceess to through Proxy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=11.0.0.2 pref-src="" routing-table=proxy scope=30 suppress-hw-offload=yes target-scope=10
при помощи встроенного SMB можно получить доступ к файлам контейнеров

Необходимо отредактировать файл ../containers/tun2sock/entrypoint.sh
Содержимое файла заменить на это:
#!/bin/sh
sleep 2
ifconfig eth0 down
sleep 2
ifconfig eth0 up
ip tuntap add mode tun dev tun0
ip addr add 198.18.0.1/15 dev tun0
ip link set dev tun0 up
sleep 2
ifconfig tun0 down
sleep 2
ifconfig tun0 up
ip route del default
ip route add default via 198.18.0.1 dev tun0 metric 1
ip route add default via 11.0.0.1 dev eth0 metric 10
tun2socks -device tun0 -proxy socks5://11.0.0.3:1080 -interface eth0
Для настройки подключения xray-core к VPS с установленным 3x-ui необходимо отредактировать файл \containers\xray-core\etc\xray\config.json
примеры конфигурации ищем здесь https://github.com/XTLS/Xray-examples
Last edited by rozhkovets on Thu Sep 12, 2024 1:04 pm, edited 1 time in total.
 
user7780
just joined
Posts: 1
Joined: Wed Sep 04, 2024 4:29 pm

Re: VLess proxy tunnel on mikrotik via containers.

Wed Sep 04, 2024 7:44 pm

I confirm, it works well on hap ac3. The speed is a bit low, about 20 megabits with a 100 megabit channel. But I think it is not related to Mikrotik, the CPU load is no more than 30% at peak.
Здравствуйте! А не могли бы поделится своим конфигом для xray (конечно удалив свои адреса) ? tun2 контейнер стартует, но вот внутри что-то не поднимает туннель к xraу.
Думаю загвоздка в конфиге xray.

Translated using Google Translate:
Hello! Could you share your config for xray (of course, deleting your addresses)? Tun2 container starts, but something inside does not raise the tunnel to XRAU.
I think the catch is in the xray config.
Last edited by user7780 on Wed Sep 04, 2024 8:00 pm, edited 2 times in total.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6050
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: VLess proxy tunnel on mikrotik via containers.

Wed Sep 04, 2024 9:29 pm

@user7780
Please use English as most will otherwise not be able to understand what you post.
Also for searching it's a nightmare when other languages are used.
 
rozhkovets
just joined
Posts: 4
Joined: Sat Aug 31, 2024 11:34 am

Re: VLess proxy tunnel on mikrotik via containers.

Thu Sep 05, 2024 10:43 am

I confirm, it works well on hap ac3. The speed is a bit low, about 20 megabits with a 100 megabit channel. But I think it is not related to Mikrotik, the CPU load is no more than 30% at peak.
Здравствуйте! А не могли бы поделится своим конфигом для xray (конечно удалив свои адреса) ? tun2 контейнер стартует, но вот внутри что-то не поднимает туннель к xraу.
Думаю загвоздка в конфиге xray.

Translated using Google Translate:
Hello! Could you share your config for xray (of course, deleting your addresses)? Tun2 container starts, but something inside does not raise the tunnel to XRAU.
I think the catch is in the xray config.
вместо #### вставь свои данные, их можно найти в панели 3x-ui или расшифровав url vless://
instead of #### insert your data, you can find it in the 3x-ui panel or by decoding the url vless://

/etc/xray/config.json VLESS-TCP-XTLS-Vision-REALITY
{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "listen": "11.0.0.3",
            "port": "1080",
            "protocol": "socks",
            "settings": {
                "auth": "noauth",
                "udp": true,
                "ip": "11.0.0.3"
            }
        },
        {
            "listen": "11.0.0.3",
            "port": "1081",
            "protocol": "http"
        }
    ],
	"outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "####", 
                        "port": 443, 
                        "users": [
                            {
                                "id": "####", // Needs to match server side
                                "encryption": "none",
                                "flow": "xtls-rprx-vision"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "fingerprint": "firefox", 
                    "serverName": "####", // A website that support TLS1.3 and h2. If your dest is `1.1.1.1:443`, then leave it empty
                    "publicKey": "####", // run `xray x25519` to generate. Public and private keys need to be corresponding.
                    "spiderX": "", // If your dest is `1.1.1.1:443`, then you can fill it with `/dns-query/` or just leave it empty
                    "shortId": "####" // Required
                }
            },
            "tag": "proxy"
        }
    ],
    "routing": {
        "domainStrategy": "AsIs",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "direct"
            }
        ]
    }
}
 
floks
just joined
Posts: 1
Joined: Thu Sep 05, 2024 12:32 pm

Re: VLess proxy tunnel on mikrotik via containers.

Thu Sep 05, 2024 12:37 pm

Hi guys! I read this topic, but I can't understand the specific algorithm for running the client part of Vless for my VPS server. Maybe someone can systematize the recommendations and write a FAQ on this issue? So far I've understood one thing: I need Mikrotik on the ARM architecture with RouteOS 7.0, with the ability to install packages, then install the Xray-core and Tun2Socks package (I don't need ADGUARD), and the next steps are unclear...
 
DeHb86
just joined
Topic Author
Posts: 14
Joined: Tue Dec 19, 2023 8:11 pm

Re: VLess proxy tunnel on mikrotik via containers.

Thu Sep 05, 2024 3:54 pm

Hi guys! I read this topic, but I can't understand the specific algorithm for running the client part of Vless for my VPS server. Maybe someone can systematize the recommendations and write a FAQ on this issue? So far I've understood one thing: I need Mikrotik on the ARM architecture with RouteOS 7.0, with the ability to install packages, then install the Xray-core and Tun2Socks package (I don't need ADGUARD), and the next steps are unclear...
Good day!
At the moment, thanks to the rebuilt Xray-core and hev-socks5-tunnel containers (Thanks a lot for this Snegowiki! https://hub.docker.com/r/snegowiki/vless-mikrotik and https://hub.docker.com/r/snegowiki/hev- ... l-mikrotik) - it has become much easier to launch containers.
In addition to preparing the router for the installation of containers, it is also necessary to prescribe routing for marked traffic.

In short, these are the settings you need:
1. Create 2 virtual interfaces for each container, select an IP for them from a range of private addresses
/interface veth add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1-xray
/interface veth add address=172.17.0.3/24 gateway=172.17.0.1 gateway6="" name=veth2-tun

2. Create a bridge for veth and containers, аssign him an IP and network:
/interface/bridge/add name=containers
/ip/address/add address=172.17.0.1/24 network=172.17.0.0 interface=containers 

3. Add veth interfaces to the bridge:
/interface/bridge/port add bridge=containers interface=veth1-xray
/interface/bridge/port add bridge=containers interface=veth2-tun

4. Add a bridge to the LAN list
/interface list member add interface=containers list=LAN

5. Add a routing table for tagged traffic
/routing table add disabled=no fib name=proxy_mark

6. Setup NAT for outgoing traffic:
/ip firewall nat add action=masquerade chain=srcnat comment="Containers through NAT" out-interface-list=WAN src-address=172.17.0.0/24

7. Setup firewall for mark-routing traffic:
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=route_proxy new-routing-mark=proxy_mark passthrough=yes
#Optional /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=containers passthrough=yes protocol=tcp tcp-flags=syn

8. Add resources to the address-list:
/ip firewall address-list add address=microsoft.com list=route_proxy
/ip firewall address-list add address=www.microsoft.com list=route_proxy

9. Add traffic routing for tagged traffic
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.17.0.3 routing-table=proxy_mark

10. Set the Environment for the Xray vless container
/container envs add key=SOCKS_PORT name=vless value=@port@
/container envs add key=REMOTE_ADDRESS name=vless value=@your_adress/ip_vps@
/container envs add key=REMOTE_PORT name=vless value=443
/container envs add key=ID name=vless value=@ID from panel 3x-ui@
/container envs add key=ENCRYPTION name=vless value=none
/container envs add key=FLOW name=vless value=xtls-rprx-vision
/container envs add key=FINGER_PRINT name=vless value=chrome
/container envs add key=SERVER_NAME name=vless value=@the domain you're masquerading as@
/container envs add key=PUBLIC_KEY name=vless value=@PUBLIC_KEY@
/container envs add key=SHORT_ID name=vless value=@SHORT_ID@

11. Set the Environment for the Tun containr
/container envs add key=SOCKS5_ADDR name=tun value=172.17.0.2
/container envs add key=SOCKS5_PORT name=tun value=@port@
/container envs add key=SOCKS5_UDP_MODE name=tun value=udp
/container envs add key=LOCAL_ROUTE name=tun value="ip r a @your network@ via 172.17.0.1"

12. Add container (in this case, the settings are not complete, the path from where to install from the hub directly, or from a file from the router is not specified)
/container add dns=@your network@ envlist=vless interface=veth1-xray root-dir=@your directory sample - usb1/Containers/vless-mikrotik@ start-on-boot=yes workdir=/root
/container add envlist=tun interface=veth2-tun root-dir=@your directory sample - usb1/Containers/Hev-Tun@ start-on-boot=yes
Last edited by DeHb86 on Mon Sep 09, 2024 9:09 pm, edited 1 time in total.
 
krokodaktil
just joined
Posts: 1
Joined: Sun Sep 08, 2024 9:56 pm

Re: VLess proxy tunnel on mikrotik via containers.

Sun Sep 08, 2024 11:01 pm

Great job! Thank you!

After adding my sites
/ip firewall address-list add address=@my_site@
tracert @my_site@ shows that at step 2 the node is 172.17.0.3 and traffic goes to the VLESS tunnel, but the site works very very slowly. I use RB5009 with
installation on a clean system after reset.
At the same time, the solution on OpenWRT, configured to connect to the same VPS server, shows good speed.
 
Cloudisparu
just joined
Posts: 7
Joined: Thu Jun 21, 2018 8:05 pm

Re: VLess proxy tunnel on mikrotik via containers.

Fri Sep 13, 2024 1:50 pm

Use a sing-box container would be more easiler for it contains a built-in tunnel of inbound.
I have built up a sing-box single container setup for one of my customer successfully.

sing-box configuration snippet
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": [
        "172.16.255.1/24"
      ],
      "inet4_route_exclude_address": [
        "192.168.0.0/16",
        "172.16.0.0/12"
      ],
      "mtu": 1500,
      "auto_route": true,
      "strict_route": true,
      "stack": "system",
      "sniff": false
    }
  ],
 
rozhkovets
just joined
Posts: 4
Joined: Sat Aug 31, 2024 11:34 am

Re: VLess proxy tunnel on mikrotik via containers.

Tue Sep 17, 2024 10:37 am

but the site works very very slowly.
First I tried xjasonlyu/tun2socks, speed was about 25 Mbps
Now I switched to snegowiki/hev-socks5-tunnel-mikrotik, speed increased to 65 Mbps.
Maybe you should try other containers
 
rozhkovets
just joined
Posts: 4
Joined: Sat Aug 31, 2024 11:34 am

Re: VLess proxy tunnel on mikrotik via containers.

Tue Sep 17, 2024 10:44 am

Does anyone know an easy way to get connection data to add to the environment for the Xray vless container from the vless:// link

Who is online

Users browsing this forum: No registered users and 3 guests