• v2ray-core to redirect traffic to proxy.

  • ip rule and route to route traffic marked as 1 to the system.

    # Policy routing for TPROXY: packets carrying fwmark 1 are looked up in table 100,
    # whose only route declares every destination "local" via lo, so they are delivered
    # to the local stack instead of being forwarded.
    # NOTE(review): both commands are IPv4-only as written (no `ip -6` counterparts), so
    # IPv6 packets marked 1 get no special routing. Confirm whether IPv6 is meant to be proxied.
    ip rule add fwmark 1 table 100 priority 0
    ip route add local default dev lo table 100
    
  • OpenWrt network configuration to route traffic marked as 1 to the system.

    # Policy-routing rule: packets with firewall mark 1 are looked up in table 100.
    # Mirrors `ip rule add fwmark 1 table 100 priority 0`.
    # NOTE(review): a `config rule` section is IPv4-only; IPv6 would need a `rule6` section.
    config rule
    	option priority '0'
    	option lookup '100'
    	option mark '1'
    
    # Table 100 holds a single "local" route for 0.0.0.0/0 on the loopback interface, so
    # marked packets are handed to the local stack rather than forwarded.
    # Mirrors `ip route add local default dev lo table 100`.
    config route
    	option interface 'loopback'
    	option type 'local'
    	option target '0.0.0.0/0'
    	option table '100'
    
  • /etc/nftables.d/proxy.nft for OpenWrt's firewall4.

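    • Mark the socket that connects to the proxy server as 2 to prevent it from being proxied; otherwise the proxy's own outbound connection is marked as 1 by the output chain and loops back into the proxy.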
    • Remove the proxy_output_mangle chain if you don't want to proxy the local processes on the system.
    # Make packets from clients destined to an IPv4 address that is local to the
    # system bypass the proxy. This includes unicast DHCP Request packets whose
    # IPv4 daddr is not a private IPv4 address, for which we had to add a 'udp
    # dport 67' rule to make them bypass the proxy. This rule ensures that all
    # traffic from clients that is destined to the router bypasses the proxy. It
    # also covers the case where the LAN IP address of the router is not a private
    # IPv4 address, which otherwise would not bypass the proxy.
    #
    # As a result, all packets that are supposed to be routed will be tproxied,
    # except packets with a private IPv4 address as daddr.
    #
    # Author: Chester A. Unal <[email protected]>
    
    # IPv4 destinations that must never be sent through the proxy. Both chains below
    # `return` early when `ip daddr` matches this set.
    # Contents: "this network" (0/8), RFC 1918 private ranges, CGNAT shared space
    # (100.64/10), loopback, link-local, IETF protocol assignments (192.0.0.0/24),
    # the three TEST-NET documentation ranges, deprecated 6to4 relay anycast
    # (192.88.99.0/24), benchmarking (198.18/15), multicast (224/4) and reserved
    # space (240/4, which includes the limited broadcast address).
    # The proxy server's own address is not listed here; the proxy's connection is
    # exempted by mark 0x2 in proxy_output_mangle instead.
    set proxy_byp4 {
    	typeof ip daddr
    	# 'interval' is required because the elements are prefixes, not single addresses
    	flags interval
    	elements = { 0.0.0.0/8, 10.0.0.0/8,
    		     100.64.0.0/10, 127.0.0.0/8,
    		     169.254.0.0/16, 172.16.0.0/12,
    		     192.0.0.0/24, 192.0.2.0/24,
    		     192.88.99.0/24, 192.168.0.0/16,
    		     198.18.0.0/15, 198.51.100.0/24,
    		     203.0.113.0/24, 224.0.0.0/4,
    		     240.0.0.0/4 }
    }
    
    # IPv6 destinations that both chains below `return` on (`ip6 daddr @proxy_byp6`).
    # Contents: unspecified (::), loopback (::1), IPv4-translated (::ffff:0:0:0/96),
    # NAT64 well-known prefix (64:ff9b::/96), discard-only (100::/64), Teredo
    # (2001::/32), ORCHIDv2 (2001:20::/28), documentation (2001:db8::/32), 6to4
    # (2002::/16), unique local (fc00::/7), link-local (fe80::/10), multicast (ff00::/8).
    # NOTE(review): the IPv4-mapped prefix ::ffff:0:0/96 is not in the set, only the
    # IPv4-translated one. Confirm that is intended.
    set proxy_byp6 {
    	typeof ip6 daddr
    	# 'interval' is required because the elements include prefixes
    	flags interval
    	elements = { ::,
    		     ::1,
    		     ::ffff:0:0:0/96,
    		     64:ff9b::/96,
    		     100::/64,
    		     2001::/32,
    		     2001:20::/28,
    		     2001:db8::/32,
    		     2002::/16,
    		     fc00::/7,
    		     fe80::/10,
    		     ff00::/8 }
    }
    
    # Intercepts packets arriving at the router and hands TCP/UDP traffic bound for
    # non-local, non-bypassed destinations to the transparent proxy listener.
    chain proxy_prerouting_mangle {
    	# Prerouting hook, one step after the standard mangle priority; unmatched packets are accepted
    	type filter hook prerouting priority mangle + 1; policy accept;
    	# Destinations in the bypass sets leave this chain untouched
    	ip daddr @proxy_byp4 return
    	ip6 daddr @proxy_byp6 return
    	# 'fib daddr type != local' skips packets addressed to the router itself (any of its
    	# addresses, private or not). Everything else that is TCP or UDP is redirected to the
    	# listener on 127.0.0.1:12345 and marked 1 so the fwmark rule (table 100) delivers it locally.
    	# Presumably 127.0.0.1:12345 is the v2ray-core transparent inbound; confirm against its config.
    	# NOTE(review): 'tproxy ip to' targets an IPv4 address, and the routing rule/route shown
    	# with this file are IPv4-only, so IPv6 traffic is not expected to be redirected here and
    	# would leave the router unproxied. Verify, and block or separately proxy IPv6 if
    	# all client traffic must go through the proxy.
    	# NOTE(review): there is no input-interface match, so this applies to packets from every
    	# interface, not only LAN. Whether WAN-side packets are stopped depends on the firewall's
    	# input rules; consider restricting the rule to the LAN interface(s).
    	fib daddr type != local meta l4proto { tcp, udp } tproxy ip to 127.0.0.1:12345 meta mark set 0x00000001
    }
    
    # Marks traffic generated by processes on the router itself so that it is re-routed
    # through table 100 and then picked up by the prerouting chain. Remove this chain to
    # leave local processes unproxied.
    chain proxy_output_mangle {
    	# 'type route' on the output hook: changing the mark here triggers a new route lookup
    	type route hook output priority mangle + 1; policy accept;
    	# Sockets marked 2 are skipped. This is the proxy's own connection to the proxy server;
    	# without this exemption that connection would be fed back into the proxy.
    	meta mark 0x00000002 return
    	# Destinations in the bypass sets are sent out directly
    	ip daddr @proxy_byp4 return
    	ip6 daddr @proxy_byp6 return
    	# All remaining TCP/UDP not already leaving via loopback gets mark 1
    	# NOTE(review): this also marks IPv6 packets, but no IPv6 fwmark rule or tproxy target is
    	# shown, so the mark presumably has no effect for IPv6 and that traffic goes out directly.
    	# Confirm.
    	oifname != "lo" meta l4proto { tcp, udp } meta mark set 0x00000001
    }