Three months ago I happened to come across this:
How could I not go for it? VPS registration link[1]. Unfortunately the "top up 100" promotion is over.
Yesterday's star, Ubuntu 16.04, lagged until it smoked; today's star, OpenWrt, is a real treat.
Preview
Requirements
- A VPS with a VNC console (one that shows the screen and accepts keyboard input)
- The ability to look up documentation on Google
- Some Linux basics
- The ability to reinstall the system with one click
- Debian or RedHat family both work
Installation
Gather information
- Determine whether the current system boots in legacy or UEFI mode, because the two need different firmware images. Check with lsblk: on a UEFI system there is a /boot/efi directory, or a partition with a large partition number such as /dev/vda128; if that directory is absent, the system is (usually, though not always) booting in legacy mode.
root@temp-sh:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 254:0 0 40G 0 disk
├─vda1 254:1 0 1M 0 part
├─vda2 254:2 0 191M 0 part /boot/efi
└─vda3 254:3 0 39.8G 0 part /
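As an added example (not from the original post), here is a small shell script that automates the boot-mode check. It combines the post's lsblk heuristic with the /sys/firmware/efi test, a directory the kernel exposes only when it was started by UEFI firmware; the sample lsblk output is constructed to mirror the listing above, and the sysfs path is a parameter so the function can be exercised without a live UEFI machine.

```shell
#!/bin/sh
# Added example (not from the original post): decide between UEFI and legacy boot
# before choosing a firmware image. Two signals are combined:
#   1. /sys/firmware/efi exists only when the kernel was started by UEFI firmware
#      (authoritative), and
#   2. lsblk shows a partition mounted at /boot/efi (the post's heuristic).
# The sysfs path is a parameter so the check can be exercised without a UEFI host.

# Prints "uefi" or "legacy". $1 overrides the sysfs directory (default /sys/firmware/efi).
boot_mode_from_sysfs() {
  if [ -d "${1:-/sys/firmware/efi}" ]; then echo uefi; else echo legacy; fi
}

# Reads lsblk output on stdin and prints the device mounted at /boot/efi, if any.
# The tree characters lsblk draws before child devices are stripped from the name.
efi_partition_from_lsblk() {
  awk '$NF == "/boot/efi" { sub(/^[^A-Za-z0-9]+/, "", $1); print $1 }'
}

# sysfs decides; a disagreement with lsblk is reported so the operator can look closer.
detect_boot_mode() {
  mode=$(boot_mode_from_sysfs "${1:-}")
  efi_part=$(efi_partition_from_lsblk)
  if [ "$mode" = legacy ] && [ -n "$efi_part" ]; then
    echo "warning: sysfs says legacy, yet $efi_part is mounted at /boot/efi" >&2
  fi
  echo "$mode"
}

# Constructed sample that mirrors the lsblk listing in the post
SAMPLE_LSBLK='NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    254:0    0   40G  0 disk
├─vda1 254:1    0    1M  0 part
├─vda2 254:2    0  191M  0 part /boot/efi
└─vda3 254:3    0 39.8G  0 part /'

# Stand-alone run: use the live lsblk when present, otherwise the sample
if command -v lsblk >/dev/null 2>&1; then
  lsblk | detect_boot_mode
else
  printf '%s\n' "$SAMPLE_LSBLK" | detect_boot_mode
fi
```

Run it on the old system before downloading anything; "uefi" means the image must carry an EFI partition (the combined image used later in the post does), while a warning means the two signals disagree and the hosting provider's documentation should settle it.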
- Record the current system's network configuration. There are two kinds of network setup:
auto eth0
iface eth0 inet static
address 123.123.60.154/24
gateway 123.123.60.1
dns-nameservers 8.8.8.8 1.1.1.1
# If the IP was obtained via DHCP, netstat -rn shows the gateway
- The VPS sits on a private network with a private IP, obtained by DHCP or configured statically
- The VPS is assigned a public IP directly
Download the image
openwrt.ai is recommended
# Create a RAM-backed temporary directory
mount -t tmpfs tmpfs /tmp/
cd /tmp
# Download the image
wget https://dl.openwrt.ai/releases/targets/armsr/armv8/openwrt-03.30.2024-armsr-armv8-generic-ext4-combined.img.gz -O ext4.img.gz
# Decompress
gzip -d ext4.img.gz
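Before the dd in the next step destroys the running system, it is worth confirming that what was downloaded is really a gzip-compressed disk image and that the target is the whole disk. The following pre-flight script is an added example, not part of the original post; the paths default to the post's /tmp/ext4.img.gz, /tmp/ext4.img and /dev/vda, and the SHA-256 check takes its expected value from the caller because the post does not publish one.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before dd
# overwrites the only disk. A truncated download or an HTML error page saved as
# ext4.img.gz would otherwise be noticed only after the old system is gone.
# Defaults match the post (/tmp/ext4.img.gz, /tmp/ext4.img, /dev/vda).

# 1. gzip integrity: gzip -t reads the whole archive and verifies its CRC.
gzip_is_intact() { gzip -t "$1" 2>/dev/null; }

# 2. A disk image starts with a boot sector whose bytes 510-511 are 0x55 0xAA;
#    GPT images keep a protective MBR, so the signature is present either way.
has_boot_signature() {
  sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$sig" = "55aa" ]
}

# 3. The target must be the whole disk, not a partition, or the bootloader
#    ends up in the wrong place. lsblk prints "disk" for a whole device.
target_is_whole_disk() { [ "$(lsblk -dno TYPE "$1" 2>/dev/null)" = "disk" ]; }

# 4. Optional: compare with a SHA-256 published by the image provider.
#    $2 is a caller-supplied value (placeholder here; the post does not give one).
sha256_matches() { [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]; }

preflight() {
  gz="${1:-/tmp/ext4.img.gz}"; img="${2:-/tmp/ext4.img}"; dev="${3:-/dev/vda}"
  if [ -f "$gz" ]; then
    gzip_is_intact "$gz" || { echo "FAIL: $gz is not a valid gzip file (truncated download or error page?)" >&2; return 1; }
    [ -f "$img" ] || gzip -dc "$gz" > "$img"
  fi
  [ -f "$img" ] || { echo "FAIL: neither $gz nor $img exists" >&2; return 1; }
  has_boot_signature "$img" || { echo "FAIL: $img has no 55AA boot signature; not a disk image" >&2; return 1; }
  target_is_whole_disk "$dev" || { echo "FAIL: $dev is not a whole disk" >&2; return 1; }
  echo "OK: $img looks like a disk image and $dev is a whole disk"
}

# Run only when asked, so the file can be sourced for its functions:
#   sh preflight.sh check [image.gz] [image] [device]
if [ "${1:-}" = "check" ]; then preflight "${2:-}" "${3:-}" "${4:-}"; fi
```

The boot-signature test is deliberately weak (it only proves the first sector looks like a boot sector), but it is enough to catch the common failure where the "image" is a few hundred bytes of HTML; the gzip test catches the truncated-download case.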
Flashing
Switch to the browser-based terminal (VNC), because SSH has an 80% chance of dropping mid-write.
dd if=/tmp/ext4.img of=/dev/vda bs=4M status=progress oflag=sync
# When you see text like this, the image has been written
# 36147341 records in
# 36147341 records out
# After flashing, a normal reboot may not work; force one with:
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
Wait
About 3 minutes. Check the VNC console; if it appears stuck with no output, press Enter and see whether it responds. Once you see something like this, the installation is done.
Configuration
Modify the network configuration
Still in the VNC terminal, paste the following; adapt the values to your server.
uci set network.lan.proto='static'
uci set network.lan.ipaddr='192.168.10.100'
uci set network.lan.netmask='255.255.255.0'
uci set network.lan.gateway='192.168.10.1'
uci set network.lan.dns='8.8.8.8 114.114.114.114'
uci commit network
# Reload the network
/etc/init.d/network reload
# Stop the firewall
/etc/init.d/firewall stop
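The uci values above have to be typed by hand from the interfaces stanza recorded earlier, and the usual slip is converting the /24 prefix into a dotted netmask. As an added example (not from the post), the script below parses a Debian-style stanza, converts the prefix, and prints the exact uci command sequence shown above; the sample stanza is the post's own, with its placeholder addresses.

```shell
#!/bin/sh
# Added example (not from the original post): turn the interfaces stanza recorded
# from the old system into the uci commands that the post pastes into the VNC console.
# Addresses are the post's placeholders (123.123.60.x), not real hosts.

# CIDR prefix length -> dotted netmask (24 -> 255.255.255.0, 22 -> 255.255.252.0).
prefix_to_netmask() {
  prefix="$1"
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || { echo "bad prefix: $prefix" >&2; return 1; }
  mask=""; remaining="$prefix"
  for _ in 1 2 3 4; do
    if [ "$remaining" -ge 8 ]; then
      octet=255; remaining=$((remaining - 8))
    else
      # only the top 'remaining' bits of this octet are set
      octet=$((256 - (1 << (8 - remaining)))); remaining=0
    fi
    mask="${mask}${mask:+.}${octet}"
  done
  echo "$mask"
}

# Print the uci command sequence for a static address on the lan interface.
# $1 address, $2 prefix length, $3 gateway, $4 space-separated DNS list as uci expects it.
gen_uci_network() {
  netmask=$(prefix_to_netmask "$2") || return 1
  cat <<EOF
uci set network.lan.proto='static'
uci set network.lan.ipaddr='$1'
uci set network.lan.netmask='$netmask'
uci set network.lan.gateway='$3'
uci set network.lan.dns='$4'
uci commit network
/etc/init.d/network reload
EOF
}

# Read a Debian /etc/network/interfaces stanza on stdin (address a.b.c.d/NN,
# gateway, dns-nameservers) and hand the values to gen_uci_network.
interfaces_to_uci() {
  addr=""; gw=""; dns=""
  while read -r key value rest; do
    case "$key" in
      address)         addr="$value" ;;
      gateway)         gw="$value" ;;
      dns-nameservers) dns="$value${rest:+ $rest}" ;;
    esac
  done
  ip="${addr%/*}"; prefix="${addr#*/}"
  if [ -z "$ip" ] || [ "$prefix" = "$addr" ]; then
    echo "address must be written as a.b.c.d/NN" >&2; return 1
  fi
  gen_uci_network "$ip" "$prefix" "$gw" "$dns"
}

# Constructed sample: the stanza shown earlier in the post
SAMPLE_INTERFACES='auto eth0
iface eth0 inet static
address 123.123.60.154/24
gateway 123.123.60.1
dns-nameservers 8.8.8.8 1.1.1.1'

printf '%s\n' "$SAMPLE_INTERFACES" | interfaces_to_uci
```

Feed it the stanza copied from the old /etc/network/interfaces and paste its output into the VNC console; if the old system used DHCP, fill in the address and the gateway shown by netstat -rn by hand.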
Login
Default passwords: root, paswd, password, admin, 123456
Expanding the root partition
opkg update && opkg install lsblk parted losetup resize2fs
curl "https://openwrt.org/_export/code/docs/guide-user/advanced/expand_root?codeblock=0" | sh
reboot
Custom configuration
NGINX
I replaced the default uhttpd with NGINX (openwrt.ai ships NGINX by default)
/etc/init.d/uhttpd stop
/etc/init.d/uhttpd disable
/etc/init.d/nginx enable
/etc/init.d/nginx start
uci set nginx.global.uci_enable=false
# commit the staged uci change; the sed below edits the config file directly as well
uci commit nginx
sed -i "s/option uci_enable 'true'/option uci_enable 'false'/g" /etc/config/nginx
/etc/init.d/nginx enable
/etc/init.d/nginx restart
# I've heard you need to mv /etc/nginx/uci.conf /etc/nginx/uci.conf.bak, otherwise restart fails
/etc/nginx/nginx.conf
# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx
# UCI_CONF_VERSION=1.2
worker_processes auto;
user root;
include module.d/*.module;
events {}
http {
    access_log off;
    log_format openwrt
        '$request_method $scheme://$host$request_uri => $status'
        ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    client_max_body_size 128M;
    large_client_header_buffers 4 8k;
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    # Show a decoy page to anyone hitting the server by bare IP. The NGINX shipped with
    # OpenWrt does not include /usr/share/nginx/html; download the Linux NGINX source
    # tarball and extract the html directory from it: https://nginx.org/download/nginx-1.20.1.tar.gz
    server {
        listen 80;
        # listen [::]:80;
        server_name _lan;
        root /usr/share/nginx/html;
        access_log /var/log/nginx/_lan.log;
    }
    # SNI defence: the default HTTPS server drops TLS handshakes instead of answering with a certificate
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
        access_log /var/log/nginx/_lan_ssl.log;
    }
    # OpenWrt (LuCI) configuration
    server {
        listen 80;
        # listen [::]:80;
        server_name xxx.com;
        root /www;
        include conf.d/*.locations;
        access_log /var/log/nginx/op.log;
        # Deny requests whose User-Agent does not contain "Mozilla/"
        if ($http_user_agent !~* "Mozilla/") {
            return 403;
        }
        # Deny request methods other than GET, HEAD, POST and PUT
        if ($request_method !~ ^(GET|HEAD|POST|PUT)$) {
            return 403;
        }
        # Block scrapers such as Scrapy, curl and HttpClient by User-Agent
        if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
            return 403;
        }
    }
    include conf.d/*.conf;
}
Router on a stick
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
Cloudflare
# https://www.cloudflare.com/ips replace the ips-v4 with ips-v6 if needed
# https://blog.cloudflare.com/cloudflare-now-supporting-more-ports/
for ip in $(curl -kfsSL https://www.cloudflare.com/ips-v4); do
    iptables -I INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -s $ip -j ACCEPT
done
for ip in $(curl -kfsSL https://www.cloudflare.com/ips-v6); do
    ip6tables -I INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -s $ip -j ACCEPT
done
iptables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j DROP
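The loop above fetches the allowlist with curl -k, which disables certificate verification, and appends the DROP rules even when the download returned nothing. The following is an added hardened variant, not code from the post or from Cloudflare: same ports and same ACCEPT-then-DROP layout, but the list is fetched over verified TLS, each line is shape-checked before it becomes a rule, and DROP is only installed once ACCEPT rules exist. IPT and IP6T are environment overrides introduced here for dry runs.

```shell
#!/bin/sh
# Added example (not from the original post): a hardened variant of the
# allowlist loop above. It keeps the same ports and ACCEPT-then-DROP layout and
# changes three things:
#   - curl runs without -k, so the list can only come from a server presenting a
#     valid certificate for www.cloudflare.com (the list decides who may reach
#     the web ports, so it deserves an authenticated download);
#   - every line must look like a CIDR before it is handed to iptables;
#   - the DROP rules are installed only if at least one ACCEPT rule was added,
#     so a failed or empty download does not lock every visitor out.
# IPT/IP6T default to the real tools; set IPT=echo IP6T=echo for a dry run.
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"
PORTS="80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880"

# Lightweight shape checks (octet ranges are not validated; iptables rejects the rest)
is_ipv4_cidr() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; }
is_ipv6_cidr() { printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F:]+/[0-9]{1,3}$'; }

# Keep only stdin lines accepted by validator $1; malformed lines are reported on stderr.
valid_cidrs() {
  while IFS= read -r cidr; do
    [ -z "$cidr" ] && continue
    if "$1" "$cidr"; then printf '%s\n' "$cidr"; else echo "skipping malformed entry: $cidr" >&2; fi
  done
}

# Add one ACCEPT rule per stdin line using tool $1; prints the number of rules added.
add_accept_rules() {
  n=0
  while IFS= read -r cidr; do
    "$1" -I INPUT -p tcp -m multiport --dports "$PORTS" -s "$cidr" -j ACCEPT >/dev/null || continue
    n=$((n + 1))
  done
  echo "$n"
}

apply_cloudflare_allowlist() {
  n4=$(curl -fsSL https://www.cloudflare.com/ips-v4 | valid_cidrs is_ipv4_cidr | add_accept_rules "$IPT")
  n6=$(curl -fsSL https://www.cloudflare.com/ips-v6 | valid_cidrs is_ipv6_cidr | add_accept_rules "$IP6T")
  if [ "$n4" -eq 0 ] || [ "$n6" -eq 0 ]; then
    echo "allowlist download failed or was empty (v4=$n4 v6=$n6); DROP rules not installed" >&2
    return 1
  fi
  "$IPT" -A INPUT -p tcp -m multiport --dports "$PORTS" -j DROP
  "$IP6T" -A INPUT -p tcp -m multiport --dports "$PORTS" -j DROP
  echo "installed $n4 IPv4 and $n6 IPv6 ACCEPT rules, then DROP for the same ports"
}

# Only touch the firewall when explicitly asked, so the file can be sourced for its functions
if [ "${1:-}" = "apply" ]; then apply_cloudflare_allowlist; fi
```

Run `IPT=echo IP6T=echo sh cf-allowlist.sh apply` first to see the rules that would be installed; re-running the real thing inserts a second copy of every ACCEPT rule, so flush the chain (or check with `iptables -S INPUT`) before applying it again.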
Firewall persistence
Alist[2]
Installation
sh -c "$(curl -ksS https://raw.githubusercontent.com/sbwml/luci-app-alist/master/install.sh)"
Change the listen address
# /etc/init.d/alist
# preview: print only the lines the substitution would change
sed -n 's/listen_addr=$lan_addr/listen_addr="127.0.0.1"/p' /etc/init.d/alist
# apply the change in place
sed -i 's/listen_addr=$lan_addr/listen_addr="127.0.0.1"/g' /etc/init.d/alist
# NGINX
server {
    listen 80;
    server_name alist.xxx.com;
    index index.html;
    # Deny requests whose User-Agent does not contain "Mozilla/"
    if ($http_user_agent !~* "Mozilla/") {
        return 403;
    }
    # Deny request methods other than GET, HEAD, POST and PUT
    if ($request_method !~ ^(GET|HEAD|POST|PUT)$) {
        return 403;
    }
    # Block scrapers such as Scrapy, curl and HttpClient by User-Agent
    if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
        return 403;
    }
    access_log /var/log/nginx/alist.log;
    location / {
        proxy_pass http://127.0.0.1:5244;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
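Binding Alist to 127.0.0.1 only helps if nothing is still listening on port 5244 on a public address; otherwise the User-Agent and method filters in the NGINX block can be bypassed by talking to Alist directly. The script below is an added example (not from the post or from the luci-app-alist project) that reads netstat -ltn or ss -ltn output and reports any listener on the port that is not bound to loopback; the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): after changing listen_addr to
# 127.0.0.1 the only route to Alist should be through NGINX. This check reads
# `netstat -ltn` or `ss -ltn` output and flags any listener on the port that is
# bound to something other than loopback. Sample listings below are constructed.

# $1 = port; listener lines on stdin. Prints exposed sockets, returns 1 if any.
check_loopback_only() {
  port="$1"; exposed=0
  while IFS= read -r line; do
    case "$line" in *LISTEN*) ;; *) continue ;; esac        # both tools mark listeners LISTEN
    local_addr=$(printf '%s\n' "$line" | awk '{ print $4 }')  # Local Address column in both tools
    case "$local_addr" in *:"$port") ;; *) continue ;; esac   # only the port we care about
    case "$local_addr" in
      127.*:"$port" | ::1:"$port" | "[::1]:$port") ;;           # loopback: fine
      *) echo "exposed: $local_addr"; exposed=1 ;;             # 0.0.0.0, :::, [::] or a real address
    esac
  done
  return "$exposed"
}

# Constructed sample: the intended state after the sed edit above
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5244          0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN'

# Constructed counter-example: the state before the edit, Alist bound to every interface
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:5244            0.0.0.0:*               LISTEN'

# Stand-alone run: inspect the live host when netstat exists, otherwise the sample
if command -v netstat >/dev/null 2>&1; then
  if netstat -ltn 2>/dev/null | check_loopback_only "${1:-5244}"; then
    echo "port ${1:-5244} is loopback-only"
  fi
else
  if printf '%s\n' "$SAMPLE_NETSTAT" | check_loopback_only 5244; then
    echo "sample: port 5244 is loopback-only"
  fi
fi
```

Run it on the router after restarting Alist; an "exposed:" line means the init script edit did not take effect (for example after a package upgrade rewrote /etc/init.d/alist) and the backend is reachable without passing through NGINX.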
Acknowledgements:
[1] VPS registration link: https://billing.raksmart.com/
[2] Alist: https://github.com/sbwml/luci-app-alist
[3] Expanding the root partition after installing OpenWrt 23.05.0: https://linux.xiazhengxin.name/index.php?entry=entry231017-043715
[4] Expanding the OpenWrt root partition and system files: https://www.youguess.site/index.php/2024/01/23/20/28/38/98/
[5] Installing OpenWrt onto a VPS with dd: https://www.xiaocaicai.com/2023/11/openwrt%E9%80%9A%E8%BF%87dd%E5%AE%89%E8%A3%85%E5%88%B0vps/
Originally published on the WeChat official account (XRSec): 小鸡的春天(vps)