• v2ray-core to redirect traffic to proxy.

  • ip rule and route to route traffic marked as 1 to the system.

    ip rule add fwmark 1 table 100 pref 0
ip route add local default dev lo table 100

  • OpenWrt network configuration to route traffic marked as 1 to the system.

    config rule
	option priority '0'
	option lookup '100'
	option mark '1'

config route
	option interface 'loopback'
	option type 'local'
	option target '0.0.0.0/0'
	option table '100'

  • /etc/nftables.d/proxy.nft for OpenWrt's firewall4.

    • Mark the socket that connects to the proxy server as 2 to prevent it from being proxied.
    • Remove the proxy_output chain if you don't want to proxy the local processes on the system.
    set proxy_byp4 {
	typeof ip daddr
	flags interval
	elements = { 0.0.0.0/8, 10.0.0.0/8,
		     100.64.0.0/10, 127.0.0.0/8,
		     169.254.0.0/16, 172.16.0.0/12,
		     192.0.0.0/24, 192.0.2.0/24,
		     192.88.99.0/24, 192.168.0.0/16,
		     198.18.0.0/15, 198.51.100.0/24,
		     203.0.113.0/24, 224.0.0.0/4,
		     240.0.0.0/4 }
}

set proxy_byp6 {
	typeof ip6 daddr
	flags interval
	elements = { ::,
		     ::1,
		     ::ffff:0:0:0/96,
		     64:ff9b::/96,
		     100::/64,
		     2001::/32,
		     2001:20::/28,
		     2001:db8::/32,
		     2002::/16,
		     fc00::/7,
		     fe80::/10,
		     ff00::/8 }
}

chain proxy_prerouting {
	type filter hook prerouting priority mangle + 1; policy accept;
	ip daddr @proxy_byp4 return
	ip6 daddr @proxy_byp6 return
	meta l4proto { tcp, udp } tproxy ip to 127.0.0.1:12345 meta mark set 0x00000001 accept
}

chain proxy_output {
	type route hook output priority mangle + 1; policy accept;
	meta mark 0x00000002 return
	ip daddr @proxy_byp4 return
	ip6 daddr @proxy_byp6 return
	meta l4proto { tcp, udp } meta mark set 0x00000001
}