I was previously running ImmortalWrt on this box. After an unexpected ESXi power loss, ImmortalWrt would no longer boot and reported: "Object type requires hosted I/O". From what I found, the likely causes are a firmware problem or the disk format conversion done with StarWind V2V. So I switched to the official OpenWrt image.
(1) Downloading the official image
Official download: OpenWrt Downloads
(2) Expanding the image
After installation the official OpenWrt image is only about 124 MB in size, so it needs to be expanded to make room for plugins.
qemu-img download: qemu-img for Windows – Cloudbase Solutions
Procedure:
1. Preparation before expanding the image
- Get the original image
  Download the 24.10 x86_64-generic-efi-combined.img image from the OpenWrt site. Choose the ext4 variant of the partition image, since it supports resizing.
- Basic tools
  Set up a Linux system (Ubuntu or CentOS, for example) to work on the image and install the following tools:
```sh
sudo apt install qemu-utils cloud-utils e2fsprogs squashfs-tools
```
2. Expanding the root partition to 2G
- Resize the image
  Use qemu-img to grow the original image file:
```sh
# Grow the image file (already done)
qemu-img resize openwrt-24.10.1-x86-64-generic-squashfs-combined-efi.img +2G
# Attach the image to a loop device and adjust the partition table
sudo losetup -fP openwrt-24.10.1-x86-64-generic-squashfs-combined-efi.img
sudo cfdisk /dev/loop0   # extend the root partition (the second partition) into the new space
```
- Mount the image and adjust the partition
  With the image attached through losetup and the partition resized in the interactive tool, rebuild the squashfs filesystem in the enlarged partition:
```sh
# Unpack the squashfs partition into a temporary directory
mkdir squashfs-root
sudo unsquashfs -d squashfs-root /dev/loop0p2
# Grow the unpacked filesystem (e.g. by adding an empty placeholder file)
sudo dd if=/dev/zero of=squashfs-root/dummy_file bs=1M count=2048
sudo rm squashfs-root/dummy_file
# Repack the squashfs filesystem
sudo mksquashfs squashfs-root/ /dev/loop0p2 -comp xz -noappend
```
- Verify and convert to VMDK
```sh
# Detach the image
sudo losetup -d /dev/loop0
# Convert to an ESXi-compatible VMDK
qemu-img convert -f raw -O vmdk openwrt-24.10.1-x86-64-generic-squashfs-combined-efi.img openwrt-24.10.1.vmdk
# Produce a thin-provisioned disk
qemu-img convert -f vmdk -O vmdk -o subformat=monolithicSparse openwrt-24.10.1.vmdk openwrt-24.vmdk
```
Or, on Windows with VirtualBox installed, run from the command line:
```powershell
.\VBoxManage.exe clonemedium disk D:\openwrt-24.10.1.vmdk openwrt-24.vmdk --variant Standard
```
or
```powershell
.\VBoxManage.exe clonemedium disk D:\openwrt-24.10.1.vmdk openwrt-24.vmdk --variant Split2G
```
(3) Replacing the package feeds
Detailed steps for changing the OpenWrt package feeds through the LuCI web interface:
- Log in to the OpenWrt LuCI interface
  Open a browser on your PC or phone.
  Enter the router address: type the router's IP address, usually 192.168.1.1, in the address bar and press Enter.
  Enter the username and password: log in to LuCI with your administrator credentials. If you have not changed the default password yet, set a strong one as soon as possible to keep the router secure.
- Back up the current configuration
  Before making any changes, back up the existing configuration so you can restore it if something goes wrong.
  Navigate to the system backup:
  In the top menu click "System".
  In the drop-down menu choose "Backup / Restore".
  Create the backup:
  In the "Backup configuration" section click "Generate archive".
  Download the generated backup file and keep it somewhere safe.
The current feed list:
```
src/gz openwrt_core https://downloads.openwrt.org/releases/24.10.1/targets/x86/64/packages
src/gz openwrt_base https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/base
src/gz openwrt_kmods https://downloads.openwrt.org/releases/24.10.1/targets/x86/64/kmods/6.6.86-1-af351158cfb5febf5155a3aa53785982
src/gz openwrt_luci https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/luci
src/gz openwrt_packages https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/packages
src/gz openwrt_routing https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/routing
src/gz openwrt_telephony https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/telephony
```
Replace with:
```
src/gz openwrt_core https://downloads.openwrt.org/releases/24.10.1/targets/x86/64/packages
src/gz openwrt_base https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/base
src/gz openwrt_kmods https://downloads.openwrt.org/releases/24.10.1/targets/x86/64/kmods/6.6.86-1-af351158cfb5febf5155a3aa53785982
src/gz openwrt_luci https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/luci
src/gz openwrt_packages https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/packages
src/gz openwrt_routing https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/routing
src/gz openwrt_telephony https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/telephony
```
[!tip] Note the version number 24.10.1 here: replace it with your own version. The best approach is to replace the original "https://downloads.openwrt.org/" with "https://mirrors.tuna.tsinghua.edu.cn/openwrt" and change nothing else, keeping the original version.
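As an added example (not part of the original post), a small shell helper that performs the mirror switch described in the tip with a single sed substitution instead of editing every feed line in LuCI. It assumes the feeds live in /etc/opkg/distfeeds.conf, the stock OpenWrt location, and that the mirror keeps the upstream path layout under /openwrt/. Both base URLs carry a trailing slash on purpose, so that "releases/..." still follows a slash after the substitution; the demo input is a constructed two-line feeds file.

```shell
#!/bin/sh
# Added example, not from the original post: switch every opkg feed line from the
# upstream host to a mirror with one sed substitution, leaving the release version
# and package paths untouched. Assumes the stock feeds file /etc/opkg/distfeeds.conf
# and a mirror that keeps the upstream path layout under /openwrt/.

FEEDS_FILE="${FEEDS_FILE:-/etc/opkg/distfeeds.conf}"
ORIG_BASE='https://downloads.openwrt.org/'
MIRROR_BASE='https://mirrors.tuna.tsinghua.edu.cn/openwrt/'   # trailing slash matters

# Rewrite the feeds file in place, keeping a .bak copy, and print the result.
switch_feeds() {
    file="$1"
    cp "$file" "$file.bak"
    # '#' is used as the sed delimiter so the slashes in the URLs need no escaping
    sed -i "s#${ORIG_BASE}#${MIRROR_BASE}#g" "$file"
    cat "$file"
}

# Print how many feed lines still point at the upstream host (0 after a full switch).
upstream_feeds_left() {
    grep -c "^src/gz .*${ORIG_BASE}" "$1" || true
}

# Print how many feed lines point at the mirror.
mirror_feeds() {
    grep -c "^src/gz .*${MIRROR_BASE}" "$1" || true
}

# Demo on a constructed two-line feeds file (sample input, not a real router file).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
src/gz openwrt_core https://downloads.openwrt.org/releases/24.10.1/targets/x86/64/packages
src/gz openwrt_base https://downloads.openwrt.org/releases/24.10.1/packages/x86_64/base
EOF
    switch_feeds "$f"
    echo "upstream lines left: $(upstream_feeds_left "$f"), mirror lines: $(mirror_feeds "$f")"
    rm -f "$f" "$f.bak"
}

# `sh switch_feeds.sh demo` shows the sample; `sh switch_feeds.sh apply` rewrites
# $FEEDS_FILE on the router, after which `opkg update` fetches lists from the mirror.
case "${1:-}" in
    demo)  demo ;;
    apply) switch_feeds "$FEEDS_FILE" ;;
esac
```

The .bak copy is what you restore from if the mirror turns out to be stale; `upstream_feeds_left` returning a non-zero count after `apply` means a feed line used a different host spelling and needs a manual edit.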
(4) Installing plugins
1. OpenClash
IPK download: Releases vernesong/OpenClash
```sh
# iptables
opkg update
opkg install bash iptables dnsmasq-full curl ca-bundle ipset ip-full iptables-mod-tproxy iptables-mod-extra ruby ruby-yaml kmod-tun kmod-inet-diag unzip luci-compat luci luci-base
opkg install /tmp/openclash.ipk
# nftables
opkg update
opkg install bash dnsmasq-full curl ca-bundle ip-full ruby ruby-yaml kmod-tun kmod-inet-diag unzip kmod-nft-tproxy luci-compat luci luci-base
opkg install /tmp/openclash.ipk
```
If dnsmasq-full will not install:
```sh
opkg update
opkg remove dnsmasq && opkg install dnsmasq-full
```
If the core update fails:
Download the core manually, upload it with WinSCP to /etc/openclash/core, rename it to clash_meta, and set its permissions to 777 or 755.
Or run the following over SSH on OpenWrt:
```sh
# Enter the core installation directory
cd /etc/openclash/core/
# Download the core package (pick the one for your architecture)
# ARM core:
wget https://github.com/vernesong/OpenClash/releases/download/Clash/clash-linux-armv8.tar.gz
# x86 core:
wget https://raw.githubusercontent.com/vernesong/OpenClash/core/master/meta/clash-linux-amd64.tar.gz
# Extract the core package
tar -zxvf clash-linux-armv8.tar.gz
# Grant full permissions
chmod 777 clash
```
The Mihomo core can also be used:
Log in to OpenWrt over SSH and go to the folder holding the OpenClash core:
```sh
cd /etc/openclash/core
cp clash-meta clash-meta.backup
```
Download the Mihomo core: at https://github.com/MetaCubeX/mihomo/releases choose the version and the package for your router's architecture, copy its link and substitute it into the command below. x86-64 users pick the package with the mihomo-linux-amd64-compatible-go120 suffix.
```sh
wget -c https://github.com/MetaCubeX/mihomo/releases/download/v1.19.5/mihomo-linux-amd64-compatible-go120-v1.19.5.gz
# Extract; the file name after -d must match the archive you downloaded
gzip -d mihomo-linux-amd64-compatible-go120-v1.19.5.gz
# Rename; the file name must match the core you downloaded
mv mihomo-linux-amd64-compatible-go120-v1.19.5 clash-meta
```
In the OpenWrt web UI open OpenClash, go to Plugin Settings – Version Update, and check that the [Meta] current core version shows v1.19.5, as shown in the screenshot.
If it shows the version you just downloaded, the replacement succeeded. Restart OpenClash for it to take effect, and do not click "Check and update" again.
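The step above hinges on picking the package for the router's CPU; the wrong one is only noticed when OpenClash refuses to start. As an added example (not from the original post or the OpenClash project), this helper reads the e_machine field from the ELF header with od, which is available on a stock OpenWrt image where the `file` utility is not, and compares it with the host architecture before the core is moved into place. The sample "binaries" it tests against are constructed 20-byte ELF headers, not real cores; the core path /etc/openclash/core is the one the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a downloaded OpenClash /
# Mihomo core was built for this router's CPU before installing it. Reads the ELF
# e_machine field with od instead of relying on the `file` utility.
# The fake ELF headers written by write_fake_elf are demo data only.

# Print the CPU architecture an ELF file was built for (x86_64, aarch64 or
# "unknown:<hex>"); prints "not-elf" and returns 1 if the magic bytes are wrong.
elf_arch() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo not-elf; return 1; }
    # e_machine is the 16-bit little-endian field at offset 18 of the ELF header
    machine=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
    case "$machine" in
        3e00) echo x86_64 ;;
        b700) echo aarch64 ;;
        *)    echo "unknown:$machine" ;;
    esac
}

# Map `uname -m` output to the names elf_arch prints.
host_arch() {
    case "$(uname -m)" in
        x86_64|amd64)  echo x86_64 ;;
        aarch64|arm64) echo aarch64 ;;
        *)             uname -m ;;
    esac
}

# Return 0 if the core at $1 matches the architecture named in $2 (default: this host).
core_matches_host() {
    want="${2:-$(host_arch)}"
    got=$(elf_arch "$1")
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "core is $got, router is $want: wrong package" >&2
    return 1
}

# Write a minimal 20-byte ELF header with the given machine type (constructed demo data).
write_fake_elf() {
    # 16-byte e_ident (magic, ELFCLASS64, little-endian, version 1, padding), then e_type=2
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000' > "$1"
    case "$2" in
        x86_64)  printf '\076\000' >> "$1" ;;   # e_machine 0x003e
        aarch64) printf '\267\000' >> "$1" ;;   # e_machine 0x00b7
    esac
}

# Usage on the router: sh check_core.sh /etc/openclash/core/clash_meta
if [ -n "${1:-}" ]; then
    core_matches_host "$1" && echo "$1 matches $(host_arch)"
fi
```

Run it against the freshly extracted file before the `mv` to clash-meta; if it reports a mismatch, the backup copy made above is still in place and nothing has been changed.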
2. mosdns
Official site: mosdns v5 | mosdns-wiki-zh
```sh
opkg update
opkg install curl
sh -c "$(curl -ksS https://raw.githubusercontent.com/sbwml/luci-app-mosdns/v5/install.sh)"
```
3. AdGuardHome
IPK download: Releases kongfl888/luci-app-adguardhome
AdGuardHome core: Releases AdguardTeam/AdGuardHome
AdGuardHome rules: GitHub – AdguardTeam/AdGuardSDNSFilter: AdGuard DNS filter; oisd | Set up
Or run the following over SSH:
```sh
cd /usr/bin/AdGuardHome
wget https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.107.61/AdGuardHome_linux_amd64.tar.gz
tar -zxvf AdGuardHome_linux_amd64.tar.gz
# the archive unpacks to AdGuardHome/AdGuardHome; move the binary into place
mv AdGuardHome/AdGuardHome /usr/bin/AdGuardHome/AdGuardHome
chmod 777 /usr/bin/AdGuardHome/AdGuardHome
```
Start on boot:
```sh
chmod 755 /etc/init.d/AdGuardHome
service AdGuardHome restart
/etc/init.d/adguardhome start
```
If it still does not start, run:
```sh
/etc/init.d/AdGuardHome enable
```
Detailed settings: [[Adguardhome 配置、优化教程]]
4. Lucky
Download: url21.ctfile.com/d/44547821-55537427-a5525e?p=16601 GitHub – gdy666/luci-app-lucky
Upload lucky, luci-app-lucky and luci-i18n-lucky-zh-cn to /tmp on the router, then run:
```sh
cd /tmp   # the packages were uploaded here
opkg install lucky*
opkg install luci-app-lucky*
opkg install luci-i18*
```
Detailed settings: [[Openwrt Lucky 详细设置]]
5. WireGuard
SSH into the bypass router first, then run:
```sh
opkg update
opkg install kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools
```
Detailed settings: [[Openwrt Wireguard 安装与配置]]
6. Argon theme
```sh
down_name='luci-theme-argon_2.3.2-r20250207_all.ipk'
# Must be the package whose name ends in _all
cd /tmp
# --no-check-certificate disables TLS verification of the download; drop it once ca-bundle is installed
wget --no-check-certificate -O "/tmp/$down_name" "https://github.com/jerrykuku/luci-theme-argon/releases/download/v2.3.1/luci-theme-argon_2.3.1_all.ipk"
# wget --no-check-certificate -O "/tmp/$down_name" "http://d.imoke.local/ISO/01.软路由/OpenWrt/luci-theme/$down_name"
opkg update
opkg install luci-compat
opkg install luci-lib-ipkg
opkg install "/tmp/$down_name"
# clean up
rm -rf "/tmp/$down_name"
```
(5) Plugin settings
1. OpenClash
OpenClash has a great many options; for the initial configuration refer to the OpenClash wiki. Only the settings needed for the setup in this post are covered below.
- Plugin Settings – Mode Settings – Running Mode: switch to Fake-IP (Enhanced) mode. I use Fake-IP (TUN-Mixed) mode [UDP-TUN, TCP-Redirect].
- Plugin Settings – DNS Settings – Local DNS Hijacking: select Disable.
- Plugin Settings – Traffic Control – Bypass mainland China IPs: untick.
- Plugin Settings – Traffic Control – Allow LAN only: enable.
- Plugin Settings – IPv6 Settings: turn off every option on this page.
- Overwrite Settings – General Settings: nothing needs changing here; just note the DNS listen port, it is needed later when configuring mosdns.
- Overwrite Settings – DNS Settings – Custom upstream DNS servers: tick.
- Overwrite Settings – DNS Settings – Append upstream DNS: tick.
- Overwrite Settings – DNS Settings – Append default DNS: tick.
- Overwrite Settings – DNS Settings – Fake-IP persistence: tick.
- Overwrite Settings – DNS Settings: at the bottom of the page, untick every DNS server under NameServer, FallBack and Default-NameServer. We only use the DNS servers provided by the ISP; they are usually the fastest and the best optimised for CDNs.
- Plugin Settings – GEO Database Subscription: enable auto-update for both the GeoIP Dat and GeoSite databases, choosing the Loyalsoldier versions; these are used by mosdns.
- Plugin Settings – Developer Options: customise the firewall rules by adding the following lines.
```sh
#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh
# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules
LOG_OUT "Tip: Start Add Custom Firewall Rules..."
if [ "$en_mode" == "fake-ip" ]; then
    LOG_OUT "limit route to only fake ips with proxy port $proxy_port"
    # Build the "telegram" ipset / nft set from the GeoIP database
    /etc/mosdns/rule/geoip2ipset.sh /etc/openclash/GeoIP.dat telegram
    if [ -n "$FW4" ]; then
        # Replace the catch-all TCP redirect with one limited to the telegram set
        handle=$(nft -a list chain inet fw4 openclash | grep 'ip protocol tcp counter' | awk '{print $NF}')
        LOG_OUT "deleting nft rule handle $handle"
        nft delete rule inet fw4 openclash handle $handle
        nft add rule inet fw4 openclash ip protocol tcp ip daddr @telegram counter redirect to $proxy_port
    else
        iptables -t nat -D openclash -p tcp -j REDIRECT --to-ports $proxy_port
        iptables -t nat -A openclash -m set --match-set telegram dst -p tcp -j REDIRECT --to-ports $proxy_port
    fi
fi
# Stop AdGuardHome
LOG_OUT "stop adguardhome"
/etc/init.d/AdGuardHome stop
sleep 1
# Start AdGuardHome
LOG_OUT "start adguardhome"
/etc/init.d/AdGuardHome start
sleep 1
# Stop MosDNS
LOG_OUT "stop mosdns"
/etc/init.d/mosdns stop
sleep 1
# Start MosDNS
LOG_OUT "start mosdns"
/etc/init.d/mosdns start
sleep 1
# Reload MosDNS
LOG_OUT "reload mosdns"
/etc/init.d/mosdns reload
sleep 1
exit 0
```
Here /etc/mosdns/rule/geoip2ipset.sh is a script that generates the matching ipset from the GeoIP database. Its content follows; after placing the file on the router, remember to run chmod a+x /etc/mosdns/rule/geoip2ipset.sh to make it executable.
```bash
#!/bin/bash
# Usage: geoip2ipset.sh <GeoIP.dat> <tag>
# Builds the ipset (and, on firewall4, the nft set) named <tag> from the GeoIP database.
geoipfile="$1"
tag="$2"
tmpdir="/tmp/v2dat"
FW4=$(command -v fw4)
cd $(cd $(dirname $BASH_SOURCE) && pwd)
mkdir -p "$tmpdir"
# v2dat writes <database basename>_<tag>.txt into the output directory
filename=$(basename -- "$geoipfile")
filename="${filename%.*}"
filename="$tmpdir/${filename}_$tag.txt"
if [ "$tag" == "telegram" ]; then
    # The telegram list comes from a maintained CIDR list; fall back to the GeoIP database on failure
    wget -4 --timeout 5 -O "$filename" 'https://raw.githubusercontent.com/fernvenue/telegram-cidr-list/master/CIDR.txt'
    if [ "$?" != "0" ]; then
        /usr/bin/v2dat unpack geoip -o "$tmpdir" -f "$tag" "$geoipfile"
    fi
else
    /usr/bin/v2dat unpack geoip -o "$tmpdir" -f "$tag" "$geoipfile"
fi
if test -f "$filename"; then
    if [ -n "$FW4" ]; then
        nft add set inet fw4 "$tag" { type ipv4_addr\; flags interval\; auto-merge\; }
        nft add set inet fw4 "${tag}6" { type ipv6_addr\; flags interval\; auto-merge\; }
        nft flush set inet fw4 "$tag"
        nft flush set inet fw4 "${tag}6"
    fi
    ipset create "$tag" hash:net -!
    ipset create "${tag}6" hash:net family inet6 -!
    ipset flush "$tag"
    ipset flush "${tag}6"
    # IPv4 entries go into <tag>; IPv6 entries (they contain ':') go into <tag>6
    while read p; do
        if ! grep -q ":" <<< "$p"; then
            if [ -n "$FW4" ]; then
                nft add element inet fw4 "$tag" { "$p" }
            fi
            ipset add "$tag" "$p"
        else
            if [ -n "$FW4" ]; then
                nft add element inet fw4 "${tag}6" { "$p" }
            fi
            ipset add "${tag}6" "$p"
        fi
    done <"$filename"
else
    echo "$filename missing."
fi
rm -rf "$tmpdir"
```
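The script above feeds every line of the downloaded list straight into `nft add element` and `ipset add`, so a blank line, a comment or a malformed prefix in the list produces a failed call for that line. As an added example (not part of the original post), the POSIX sh filter below validates each entry, splits the list by address family and emits one batched `nft add element` command per family, which is both faster and easier to audit than one call per prefix. It assumes the same fw4 table and set naming as the script above; the sample list it runs on is constructed from RFC 5737 / RFC 3849 documentation ranges, not real data.

```shell
#!/bin/sh
# Added example, not from the original post: validate a CIDR list before loading it
# into an nft set / ipset, instead of passing every raw line to nft and ipset.
# Sample data below is constructed (documentation prefixes), not a real feed.

# Return 0 if $1 is an IPv4 address or CIDR (four octets 0-255, prefix length 0-32).
is_ipv4_cidr() {
    case "$1" in
        *[!0-9./]*|''|*/*/*) return 1 ;;
    esac
    addr="${1%%/*}"
    plen="${1#*/}"
    [ "$plen" = "$1" ] && plen=32          # no slash: a host address
    [ -n "$plen" ] && [ "$plen" -le 32 ] 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Return 0 if $1 is an IPv6 address or prefix (hex groups and colons, prefix 0-128).
# This is a syntax screen only; the kernel performs the real parse on insertion.
is_ipv6_cidr() {
    case "$1" in
        *[!0-9a-fA-F:/]*|''|*/*/*) return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    plen="${1#*/}"
    [ "$plen" = "$1" ] && plen=128
    [ -n "$plen" ] && [ "$plen" -le 128 ] 2>/dev/null || return 1
    return 0
}

# Print the valid entries of family $2 ("4" or "6") from list file $1, one per line.
# Comments and blank lines are skipped; anything else invalid is reported on stderr.
filter_cidrs() {
    list="$1"; fam="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                   # strip comments
        line="$(printf '%s' "$line" | tr -d ' \t\r')"        # strip whitespace / CR
        if [ -z "$line" ]; then continue; fi
        if is_ipv4_cidr "$line"; then
            if [ "$fam" = 4 ]; then printf '%s\n' "$line"; fi
        elif is_ipv6_cidr "$line"; then
            if [ "$fam" = 6 ]; then printf '%s\n' "$line"; fi
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done < "$list"
    return 0
}

# Print one nft command loading every valid entry of family $2 from list $3 into set $1
# of table inet fw4 (the table the page's script uses); returns 1 if nothing is valid.
nft_batch_cmd() {
    set_name="$1"; fam="$2"; list="$3"
    elems=$(filter_cidrs "$list" "$fam" 2>/dev/null | paste -s -d ',' -)
    [ -n "$elems" ] || return 1
    printf 'nft add element inet fw4 %s { %s }\n' "$set_name" "$elems"
}

# Write a constructed sample list (documentation prefixes plus deliberate junk); prints its path.
write_sample_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample list, not real data
192.0.2.0/24
198.51.100.0/24   # trailing comment
2001:db8::/32

not-an-ip
300.1.1.1/8
10.0.0.0/33
EOF
    printf '%s\n' "$f"
}

# Demo: `sh validate_cidrs.sh demo` prints the two batched commands for the sample list.
if [ "${1:-}" = "demo" ]; then
    f=$(write_sample_list)
    nft_batch_cmd telegram 4 "$f"
    nft_batch_cmd telegram6 6 "$f"
    rm -f "$f"
fi
```

In the script above, the two `nft add element` calls in the loop can be replaced by `eval "$(nft_batch_cmd "$tag" 4 "$filename")"` and the IPv6 counterpart; the rejected entries printed on stderr are the ones that would otherwise have made `nft` or `ipset` fail.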
2. MosDNS
MosDNS can handle split resolution only, with AdGuardHome doing the ad blocking, or the ad blocking can be done inside MosDNS itself. The configuration files for both approaches are given below.
[!info] Note
Since mosdns v5.3.4, apple-cn can no longer be fetched and may need to be removed.
Workarounds:
1. Comment out lines 19 and 20 of the custom configuration (- "/var/mosdns/geosite_apple-cn.txt" and - "/var/mosdns/geosite_category-games@cn.txt") so MosDNS starts normally, although this feels a bit hacky.
2. Enable MosDNS's database auto-update and edit /usr/share/mosdns/mosdns.sh, changing
https://github.com/Loyalsoldier/geoip/releases/latest/download/geoip-only-cn-private.dat
https://github.com/Loyalsoldier/geoip/releases/latest/download/geoip-only-cn-private.dat.sha256sum
to
https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat.sha256sum
Then run /usr/share/mosdns/mosdns.sh geodata over SSH to update the databases.
Remove domain:bing.com from the custom rules list and add it to the grey list, so that the new Bing works normally.
Choose "Custom configuration file" and untick DNS forwarding; then I simply paste the configuration below. Note that the Clash DNS port must be changed to the one you configured in OpenClash, and the LAN IP-CIDR to your own LAN range; here mosdns listens on port 5335. In "GeoData export", configure the tags we use: GeoSite: cn, apple-cn, category-games@cn, geolocation-!cn; GeoIP: cn. AdGuardHome then needs to be configured to match.
```yaml
log:
  level: error
  file: "/tmp/mosdns.log"

# API endpoint
api:
  http: "0.0.0.0:9091"

plugins:
  # cache plugin
  - tag: cache
    type: cache
    args:
      size: 409600
      lazy_cache_ttl: 604800
      dump_file: /etc/mosdns/cache.dump
      dump_interval: 60

  # domestic (CN) domains
  - tag: geosite_cn
    type: domain_set
    args:
      exps:
        - "lan"
        - "local"
        - "arpa"
      files:
        - "/etc/mosdns/rule/whitelist.txt"
        - "/var/mosdns/geosite_cn.txt"
        - "/var/mosdns/geosite_apple-cn.txt"
        - "/var/mosdns/geosite_category-games@cn.txt"

  # domestic (CN) IPs
  - tag: geoip_cn
    type: ip_set
    args:
      files:
        - "/var/mosdns/geoip_cn.txt"

  # foreign domains
  - tag: geosite_no_cn
    type: domain_set
    args:
      files:
        - "/etc/mosdns/rule/greylist.txt"
        - "/var/mosdns/geosite_geolocation-!cn.txt"

  # # ad domains
  # - tag: adlist
  #   type: domain_set
  #   args:
  #     files:
  #       - "/etc/mosdns/rule/adlist.txt"

  # hosts file
  - tag: hosts
    type: hosts
    args:
      files:
        - "/etc/mosdns/rule/hosts.txt"

  # domestic DNS
  - tag: forward_local
    type: forward
    args:
      concurrent: 3
      upstreams:
        # - addr: 59.51.78.210   # Hunan ISP DNS
        #   enable_pipeline: false
        # - addr: 114.114.114.114
        #   enable_pipeline: false
        # - addr: 222.246.129.80
        #   enable_pipeline: false
        - addr: 127.0.0.1
          enable_pipeline: false

  # foreign DNS
  - tag: forward_remote
    type: forward
    args:
      concurrent: 3
      upstreams:
        # Google DNS
        - addr: "127.0.0.1:7874"
          enable_pipeline: false
          insecure_skip_verify: true
          idle_timeout: 60
          # timeout: 5   # with this enabled mosdns would not start; the field may not exist, unverified

  # private split-resolution DNS
  - tag: forward_private
    type: forward
    args:
      concurrent: 3
      upstreams:
        - addr: "https://127.0.0.1:7874/dns-query"
          enable_pipeline: false
          insecure_skip_verify: true

  # always resolve through the remote DNS
  - tag: force_remote_sites
    type: domain_set
    args:
      exps:
        - "download.windowsupdate.com"
        - "*.microsoft.com"
        - "*.msedge.net"
        - "huggingface.co"
        - "hf.co"
        - "civitai.com"

  # # ad domains
  # - tag: ad_sequence
  #   type: sequence
  #   args:
  #     - matches:            # if
  #         - qname $adlist   # the queried name is in the ad list
  #       exec: reject 3      # return NXDOMAIN (3) directly to block it

  # domestic resolution
  - tag: local_sequence
    type: sequence
    args:
      - exec: prefer_ipv4
      - exec: $forward_local

  # foreign resolution
  - tag: remote_sequence
    type: sequence
    args:
      - exec: prefer_ipv4
      - exec: $forward_remote

  # split resolution
  - tag: private_sequence
    type: sequence
    args:
      - exec: prefer_ipv4
      - exec: $forward_private

  # clash resolution
  - tag: clash_sequence
    type: sequence
    args:
      - exec: prefer_ipv4
      - exec: forward 127.0.0.1:7874
      - exec: ttl 0

  # stop and return as soon as there is a response
  - tag: has_resp_sequence
    type: sequence
    args:
      - matches: has_resp
        exec: accept

  # fallback uses the split-resolution sequence;
  # if the answer is a foreign IP, re-resolve through clash to get a fake IP
  - tag: fallback_sequence
    type: sequence
    args:
      - exec: $private_sequence
      - matches: "!resp_ip $geoip_cn"
        exec: goto clash_sequence
      - exec: accept

  # foreign sequence
  - tag: fallback2_sequence
    type: sequence
    args:
      - exec: $remote_sequence
      - matches: "resp_ip $geoip_cn"
        exec: goto local_sequence
      - exec: goto clash_sequence

  # fallback: try the split DNS first, and on timeout resolve with the foreign DNS
  - tag: fallback
    type: fallback
    args:
      primary: fallback_sequence
      secondary: fallback2_sequence
      threshold: 2000
      always_standby: true

  # main runtime logic plugin
  # plugin tags referenced inside a sequence must be defined before the sequence,
  # otherwise the sequence cannot find them
  - tag: main_sequence
    type: sequence
    args:
      - exec: $hosts
      - exec: jump has_resp_sequence
      # block ads first so the rest of the logic is skipped
      # - exec: $ad_sequence
      # reject HTTPS (type 65) queries (keep or drop as needed)
      - matches:
          - qtype 65
        exec: reject 3
      # block IPv6
      # - matches: qtype 28   # filter AAAA records
      #   exec: reject 0
      # PTR resolution
      - matches:
          - qtype 12
        exec: $local_sequence
      - exec: jump has_resp_sequence
      # domestic domains
      - matches:
          - qname $geosite_cn
        exec: $local_sequence
      - exec: jump has_resp_sequence
      # foreign domains
      - matches:
          - qname $geosite_no_cn
        exec: $remote_sequence
      - exec: jump has_resp_sequence
      - matches:
          - qname $force_remote_sites
        exec: $remote_sequence
      - exec: jump has_resp_sequence
      # cache lookup
      - exec: $cache
      - exec: jump has_resp_sequence
      # fallback
      - exec: $fallback

  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: ":5335"   # mosdns listen port

  - tag: server_tcp
    type: tcp_server
    args:
      entry: main_sequence
      listen: ":5335"
```
3. AdGuardHome
On the LuCI page, enable port redirection and choose to redirect port 53 to AdGuardHome. Note that AdGuardHome itself must not listen on port 53: leave port 53 to dnsmasq and give AdGuardHome some other port.
In the web admin page, under Settings – DNS settings, enter only the mosdns address in "Upstream DNS servers": 127.0.0.1:5335 #mosdns. In "Private reverse DNS servers" enter 127.0.0.1 #dnsmasq. In the DNS cache configuration, set the cache size according to your RAM and tick "Optimistic caching".
For devices that should not go through the proxy, add them under Settings – Client settings and set their upstream DNS server to 127.0.0.1.
Fixing the Google Play Store not updating:
ADG – Filters – DNS rewrites, add services.googleapis.cn
198.18.1.50
If a game accelerator does not work: OpenClash – Plugin Settings – Mode Settings, untick "UDP traffic forwarding".
Reference tutorials: https://blog.openwrtcn.eu.org/dnsling-wu-ran/ https://github.com/IrineSistiana/mosdns/discussions/796
For other settings, see [[Adguardhome 配置、优化教程]]
The configuration is as follows:
```yaml
http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:3000
  session_ttl: 720h
users:
  - name: yanghaixiong
    password: $2y$10$t4WZhKFulyEy245kV4zitOAmyHGGBASFezaASPefwXRGDuPZB6z72
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 6060
  anonymize_client_ip: false
  ratelimit: 0
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: false
  upstream_dns:
    - 127.0.0.1:5335
  upstream_dns_file: ""
  bootstrap_dns:
    - 8.8.8.8
  fallback_dns: []
  upstream_mode: fastest_addr
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 0
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: true
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: false
  local_ptr_upstreams:
    - 127.0.0.1
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 6h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 6h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard Simplified Domain Names filter
    id: 1
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway
    id: 2
  - enabled: true
    url: https://raw.githubusercontent.com/vokins/yhosts/master/data/tvbox.txt
    name: tvbox
    id: 1575018007
  - enabled: true
    url: http://sbc.io/hosts/hosts
    name: StevenBlack host basic
    id: 1575618242
  - enabled: true
    url: http://sbc.io/hosts/alternates/fakenews-gambling-porn-social/hosts
    name: StevenBlack host+fakenews + gambling + porn + social
    id: 1575618243
  - enabled: true
    url: https://cdn.jsdelivr.net/gh/privacy-protection-tools/anti-AD/anti-ad-easylist.txt
    name: anti-AD(Adblock+neohosts+yhosts+cjxlist+adhlist)
    id: 1577113202
  - enabled: true
    url: https://raw.githubusercontent.com/o0HalfLife0o/list/master/ad.txt
    name: halflife
    id: 1734811795
  - enabled: true
    url: https://anti-ad.net/easylist.txt
    name: anti-AD
    id: 1734811796
  - enabled: true
    url: https://cdn.jsdelivr.net/gh/neoFelhz/neohosts@gh-pages/full/hosts.txt
    name: neoHosts
    id: 1734811797
  - enabled: true
    url: https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts
    name: 大圣净化
    id: 1734811798
  - enabled: true
    url: https://raw.githubusercontent.com/banbendalao/ADgk/master/ADgk.txt
    name: adgk手机去广告规则
    id: 1734811799
  - enabled: true
    url: http://sub.adtchrome.com/adt-chinalist-easylist.txt
    name: 广告终结者
    id: 1734811800
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/easylistchina+easylist.txt
    name: EasyList China+EasyList
    id: 1734811801
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/easyprivacy.txt
    name: EasyPrivacy
    id: 1734811802
  - enabled: true
    url: https://raw.githubusercontent.com/cjx82630/cjxlist/master/cjx-annoyance.txt
    name: EasyList China
    id: 1734811803
  - enabled: true
    url: https://raw.githubusercontent.com/o0HalfLife0o/list/master/ad-pc.txt
    name: ad-pc
    id: 1734811804
  - enabled: true
    url: https://raw.githubusercontent.com/o0HalfLife0o/list/master/ad-mo.txt
    name: ad-mo
    id: 1734811805
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_21.txt
    name: 'CHN: anti-AD'
    id: 1734811811
  - enabled: true
    url: https://adrules.top/dns.txt
    name: Adlist
    id: 1734811812
whitelist_filters:
  - enabled: true
    url: https://raw.githubusercontent.com/privacy-protection-tools/dead-horse/master/anti-ad-white-list.txt
    name: anti-ad白名单
    id: 1734811806
  - enabled: true
    url: https://raw.githubusercontent.com/hl2guide/Filterlist-for-AdGuard/master/filter_whitelist.txt
    name: filter_whitelist
    id: 1734811807
  - enabled: true
    url: https://raw.githubusercontent.com/liwenjie119/adg-rules/master/white.txt
    name: LWJ's white list
    id: 1734811808
  - enabled: true
    url: https://raw.githubusercontent.com/ChengJi-e/AFDNS/master/QD.txt
    name: DNS允许白名单
    id: 1734811809
  - enabled: true
    url: https://gist.githubusercontent.com/YiDaCP/8f51ee10c770e5726ca4b8aff890de92/raw/dns.txt
    name: 自用
    id: 1734811810
user_rules:
  - '@@||xhamster.com^'
  - '@@||xhamsterlive.com^'
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    ecosia: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: nxdomain
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites:
    - domain: services.googleapis.cn
      answer: services.googleapis.com
    - domain: developers.google.cn
      answer: developers.google.com
  safe_fs_patterns:
    - /usr/bin/AdGuardHome/data/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: false
    dhcp: true
    hosts: true
  persistent: []
log:
  enabled: true
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 29
```
4. Firewall
Add the following rules and restart the firewall:
```sh
# 6060 is AdGuardHome's DNS listen port; the two ports must match
iptables -t nat -A PREROUTING -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 6060
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 6060
ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 6060
ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 6060
```
Supplementary note for firewall4 / nftables:
Add the following rules to /etc/nftables.d/10-custom-filter-chains.nft (note that every line inside the chain must be indented with leading spaces):
```
chain adg_redirect {
    type nat hook prerouting priority -10; policy accept;
    # UDP DNS redirect
    meta nfproto { ipv4, ipv6 } udp dport 53 counter redirect to 6060 comment "ADG_UDP"
    # TCP DNS redirect (optional)
    meta nfproto { ipv4, ipv6 } tcp dport 53 counter redirect to 6060 comment "ADG_TCP"
}
```
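The comment above says the redirect target and AdGuardHome's dns.port must agree; when they drift apart (for instance after changing the port in the AdGuardHome web UI), every client's DNS query is silently sent to a closed port. As an added example (not from the original post), this shell check extracts `port:` from the top-level `dns:` block of AdGuardHome.yaml, ignoring the `http.pprof.port` that happens to be 6060 as well in the config above, collects the target ports of all port-53 redirect rules from nft and iptables rule files, and fails if any of them differs. The config and rule files it is demonstrated on are constructed excerpts of the ones on this page; the real AdGuardHome.yaml path depends on the LuCI package and is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the original post: check that AdGuardHome's dns.port matches
# the port the firewall redirects port-53 traffic to. Sample files are constructed
# from the excerpts on the page; pass the real paths on the router as arguments.

# Print the value of `port:` inside the top-level `dns:` block of an AdGuardHome config.
# Only the first `port:` after `dns:` counts; http.pprof.port is deeper and ignored.
adg_dns_port() {
    awk '
        /^[^ ]/                 { in_dns = ($1 == "dns:") }
        in_dns && /^[ ]+port:/  { print $2; exit }
    ' "$1"
}

# Print the de-duplicated target ports of every rule that matches dport 53 in the given
# nft or iptables rule files (198.18.0.0/16 fake-IP rules have no dport and are skipped).
redirect_ports() {
    grep -hE 'dport 53([^0-9]|$)' "$@" \
        | grep -oE '(redirect to|--to-ports) [0-9]+' \
        | awk '{ print $NF }' | sort -u
}

# Return 0 if every port-53 redirect in the rule files targets AdGuardHome's dns.port.
check_dns_redirect() {
    cfg="$1"; shift
    want=$(adg_dns_port "$cfg")
    if [ -z "$want" ]; then echo "no dns.port found in $cfg" >&2; return 1; fi
    status=0
    for p in $(redirect_ports "$@"); do
        if [ "$p" != "$want" ]; then
            echo "redirect targets port $p but AdGuardHome listens on $want" >&2
            status=1
        fi
    done
    return $status
}

# Write constructed sample files into a temp dir and print its path (demo data only).
write_samples() {
    d=$(mktemp -d)
    cat > "$d/AdGuardHome.yaml" <<'EOF'
http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:3000
dns:
  bind_hosts:
    - 0.0.0.0
  port: 6060
  upstream_dns:
    - 127.0.0.1:5335
EOF
    # same config with the DNS port changed, to show the mismatch case
    sed 's/^  port: 6060/  port: 5353/' "$d/AdGuardHome.yaml" > "$d/mismatch.yaml"
    cat > "$d/rules.nft" <<'EOF'
chain adg_redirect {
    type nat hook prerouting priority -10; policy accept;
    meta nfproto { ipv4, ipv6 } udp dport 53 counter redirect to 6060 comment "ADG_UDP"
    meta nfproto { ipv4, ipv6 } tcp dport 53 counter redirect to 6060 comment "ADG_TCP"
}
EOF
    cat > "$d/rules.ipt" <<'EOF'
iptables -t nat -A PREROUTING -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 6060
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 6060
EOF
    printf '%s\n' "$d"
}

# Usage on the router: sh check_dns_port.sh <AdGuardHome.yaml> <rule files...>
if [ $# -ge 2 ]; then
    check_dns_redirect "$@" && echo "port-53 redirects match AdGuardHome dns.port $(adg_dns_port "$1")"
fi
```

Running it after every AdGuardHome or firewall change (for example from the custom firewall script above, before the AdGuardHome restart) turns a silent DNS outage into a one-line error message.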
(6) Periodic cache cleanup
1. Create the cleanup script
Create a cleanup script on the OpenWrt router; assume it is saved as /root/clear_cache.sh.
```sh
#!/bin/sh
# Clear the AdGuardHome cache
echo "Clearing AdGuardHome cache..."
/etc/init.d/adguardhome stop
rm -rf /etc/adguardhome/cache/*
/etc/init.d/adguardhome start
# Clear the OpenClash cache
echo "Clearing OpenClash cache..."
/etc/init.d/openclash stop
# removes the .yaml files directly under /etc/openclash; subdirectories such as config/ are untouched
rm -rf /etc/openclash/*.yaml
/etc/init.d/openclash start
# Clear the MosDNS cache
echo "Clearing MosDNS cache..."
/etc/init.d/mosdns stop
rm -rf /var/cache/mosdns/*
# the mosdns config above persists its cache to dump_file; remove that too or it is reloaded on start
rm -f /etc/mosdns/cache.dump
/etc/init.d/mosdns start
# Drop the system caches
echo "Clearing system caches..."
sync; echo 3 > /proc/sys/vm/drop_caches
# Report completion
echo "Cache cleanup complete"
```
2. Make the script executable
Run the following command to add execute permission to the script:
```sh
chmod +x /root/clear_cache.sh
```
3. Set up the scheduled task
Next, we use cron to run this script periodically. Suppose you want the cleanup to run every day at 2 AM; configure a cron job on OpenWrt as follows.
First, edit the cron configuration:
```sh
crontab -e
```
Then add this line to the file:
```
0 2 * * * /root/clear_cache.sh
```
This entry runs the cleanup script /root/clear_cache.sh every day at 2 AM.
4. Reload the cron configuration
After saving and exiting, reload the cron configuration:
```sh
/etc/init.d/cron reload
```
5. Verify the scheduled task
You can check that the job is in place by running:
```sh
crontab -l
```
If everything is in order, the job runs at the scheduled time and clears the AdGuardHome, OpenClash, MosDNS and system caches.
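`crontab -e` is interactive, and scripting the same step by appending to the crontab adds a duplicate line on every run. As an added example (not part of the original post), the helper below installs the cleanup entry idempotently: it checks the five schedule fields are well formed, appends the line only if it is not already present, and reloads cron only when the file actually changed. It assumes OpenWrt's root crontab at /etc/crontabs/root (the file `crontab -e` edits there); the path is overridable through the CRONTAB variable, which the demo uses with a temporary file.

```shell
#!/bin/sh
# Added example, not from the original post: add the cleanup job to the root crontab
# only once, and reload cron only when something changed. Assumes OpenWrt's crontab
# location /etc/crontabs/root; CRONTAB can be overridden for testing.

CRONTAB="${CRONTAB:-/etc/crontabs/root}"

# Return 0 if $1 is a five-field numeric cron schedule followed by a command.
# (Day/month names such as "mon" are not accepted by this simple check.)
valid_cron_line() {
    set -f                      # disable globbing so the '*' fields are not expanded
    set -- $1
    set +f
    [ $# -ge 6 ] || return 1
    i=0
    while [ $i -lt 5 ]; do
        case "$1" in
            *[!0-9*,/-]*|'') return 1 ;;
        esac
        shift; i=$((i + 1))
    done
    return 0
}

# Append $1 to the crontab unless an identical line exists; prints "added" or "unchanged".
add_cron_entry() {
    entry="$1"
    valid_cron_line "$entry" || { echo "invalid cron line: $entry" >&2; return 1; }
    touch "$CRONTAB"
    if grep -qxF -- "$entry" "$CRONTAB"; then
        echo unchanged
    else
        printf '%s\n' "$entry" >> "$CRONTAB"
        echo added
    fi
}

# Print how many times the exact line $1 appears in the crontab (0 when absent).
cron_entry_count() {
    grep -cxF -- "$1" "$CRONTAB" || true
}

# `sh install_cron.sh install` adds the page's 2 AM job; `list` shows the crontab.
case "${1:-}" in
    install)
        if [ "$(add_cron_entry '0 2 * * * /root/clear_cache.sh')" = "added" ]; then
            /etc/init.d/cron reload   # only reload when the file actually changed
        fi ;;
    list) cat "$CRONTAB" ;;
esac
```

Because the match is an exact full-line comparison, changing the schedule later (say to 3 AM) adds a second entry rather than replacing the first; remove the old line with `crontab -e` in that case.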