TurnToJPG -->


2核2G, 虚拟机, 其磁盘文件为openwrt-21.02.0-rc3-x86-64-generic-ext4-combined.img.







# opkg install redsocks








Enable dhcp server:








redsocks items


base {
        // debug: connection progress & client list on SIGUSR1
        log_debug = off;

        // info: start and end of client session
        log_info = on;

        /* possible `log' values are:
         *   stderr
         *   "file:/path/to/file"
         *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
        // log = stderr;
        // log = "file:/path/to/file";
        log = "syslog:local7";

        // detach from console
        daemon = on;

        /* Change uid, gid and root directory, these options require root
         * privilegies on startup.
         * Note, your chroot may requre /etc/localtime if you write log to syslog.
         * Log is opened before chroot & uid changing.
        // user = nobody;
        // group = nobody;
        // chroot = "/var/chroot";

        /* possible `redirector' values are:
         *   iptables   - for Linux
         *   ipf        - for FreeBSD
         *   pf         - for OpenBSD
         *   generic    - some generic redirector that MAY work
        redirector = iptables;

redsocks {
        /* `local_ip' defaults to for security reasons,
         * use if you want to listen on every interface.
         * `local_*' are used as port to redirect to.
        local_ip =;
        local_port = 12345;

        // listen() queue length. Default value is SOMAXCONN and it should be
        // good enough for most of us.
        // listenq = 128; // SOMAXCONN equals 128 on my Linux box.

        // `max_accept_backoff` is a delay to retry `accept()` after accept
        // failure (e.g. due to lack of file descriptors). It's measured in
        // milliseconds and maximal value is 65535. `min_accept_backoff` is
        // used as initial backoff value and as a damper for `accept() after
        // close()` logic.
        // min_accept_backoff = 100;
        // max_accept_backoff = 60000;

        // `ip' and `port' are IP and tcp-port of proxy-server
        // You can also use hostname instead of IP, only one (random)
        // address of multihomed host will be used.
        ip =;
        port = 8118;

        // known types: socks4, socks5, http-connect, http-relay
        type = socks5;

        // login = "foobar";
        // password = "baz";

redudp {
        // `local_ip' should not be as it's also used for outgoing
        // packets that are sent as replies - and it should be fixed
        // if we want NAT to work properly.
        local_ip =;
        local_port = 10053;
        // `ip' and `port' of socks5 proxy server.
        ip =;
       port = 1080;
        login = username;
        password = pazzw0rd;

        // redsocks knows about two options while redirecting UDP packets at
        // linux: TPROXY and REDIRECT.  TPROXY requires more complex routing
        // configuration and fresh kernel (>= 2.6.37 according to squid
        // developers[1]) but has hack-free way to get original destination
        // address, REDIRECT is easier to configure, but requires `dest_ip` and
        // `dest_port` to be set, limiting packet redirection to single
        // destination.
        // [1]
        dest_ip =;
        dest_port = 53;

        udp_timeout = 30;
        udp_timeout_stream = 180;

dnstc {
        // fake and really dumb DNS server that returns "truncated answer" to
        // every query via UDP, RFC-compliant resolver should repeat same query
        // via TCP in this case.
        local_ip =;
        local_port = 5300;

// you can add more `redsocks' and `redudp' sections if you need.

/etc/init.d/redsocks content:

##### /etc/init.d/redsocks######
#!/bin/sh /etc/rc.common
# Copyright (C) 2007


# check if configuration exists
[ -e "/etc/redsocks.conf" ] || exit 0

start() {
        if [ -e "/var/run/" ]; then
                echo "redsocks is already running"
                exit 0

        /bin/echo -n "running redsocks ..."

        # startup the safety-wrapper for the daemon
        /usr/sbin/redsocks -p /var/run/

        /bin/echo " done"

stop() {
        if [ ! -e "/var/run/" ]; then
                echo "redsocks is not running"
                exit 0

        /bin/echo -n "stopping redsocks ..."

        # kill the process
        /bin/kill $(cat /var/run/
        rm /var/run/

        echo " done"

Iptables rules:

iptables -t nat -N REDSOCKS
# Ignore LANs IP address
iptables -t nat -A REDSOCKS -d -j RETURN
iptables -t nat -A REDSOCKS -d -j RETURN
iptables -t nat -A REDSOCKS -d -j RETURN
iptables -t nat -A REDSOCKS -d -j RETURN
iptables -t nat -A REDSOCKS -d -j RETURN
iptables -t nat -A REDSOCKS -d -j RETURN
iptables -t nat -A REDSOCKS -d -j RETURN
iptables -t nat -A REDSOCKS -d -j RETURN
# Anything else should be redirected to redsocks's local port
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -I zone_lan_prerouting -j REDSOCKS

Then with a reverse proxy you could cross gfw.
Reverse connect:

Internet machine(with 53 as its dns server):

ssh -o GatewayPorts=true -f -N -T -R *:18888:localhost:18888 docker@10.xxxxx
ssh -o GatewayPorts=true -f -N -T -R *:8118: docker@10.xxxxxx
sudo socat tcp-listen:18888,reuseaddr,fork udp:

Intranet machine:

socat -T15 udp4-recvfrom:53,,fork tcp:localhost:18888