• v2ray-core to redirect traffic to proxy.

  • ip rule and route to route traffic marked as 100 to the system.

    ip rule add fwmark 1 table 100 pref 0
ip route add local default dev lo table 100

  • OpenWrt network configuration to route traffic marked as 100 to the system.

    config rule
	option priority '0'
	option lookup '100'
	option mark '1'

config route
	option interface 'loopback'
	option type 'local'
	option target '0.0.0.0/0'
	option table '100'

  • /etc/nftables.d/proxy.nft for OpenWrt's firewall4.

    • Mark the socket that connects to the proxy server as 2 to prevent it from being proxied.
    • Remove the proxy_output chain if you don't want to proxy the local processes on the system.
    set proxy_byp4 {
	typeof ip daddr
	flags interval
	elements = { 0.0.0.0/8, 10.0.0.0/8,
		     100.64.0.0/10, 127.0.0.0/8,
		     169.254.0.0/16, 172.16.0.0/12,
		     192.0.0.0/24, 192.0.2.0/24,
		     192.88.99.0/24, 192.168.0.0/16,
		     198.18.0.0/15, 198.51.100.0/24,
		     203.0.113.0/24, 224.0.0.0/4,
		     240.0.0.0/4 }
}

set proxy_byp6 {
	typeof ip6 daddr
	flags interval
	elements = { ::,
		     ::1,
		     ::ffff:0:0:0/96,
		     64:ff9b::/96,
		     100::/64,
		     2001::/32,
		     2001:20::/28,
		     2001:db8::/32,
		     2002::/16,
		     fc00::/7,
		     fe80::/10,
		     ff00::/8 }
}

chain proxy_prerouting {
	type filter hook prerouting priority mangle + 1; policy accept;
	ip daddr @proxy_byp4 return
	ip6 daddr @proxy_byp6 return
	meta l4proto { tcp, udp } tproxy ip to 127.0.0.1:12345 meta mark set 0x00000001 accept
}

chain proxy_output {
	type route hook output priority mangle + 1; policy accept;
	meta mark 0x00000002 return
	ip daddr @proxy_byp4 return
	ip6 daddr @proxy_byp6 return
	meta l4proto { tcp, udp } meta mark set 0x00000001
}