fcshark-org/openwrt-fchomo

FullCombo Shark!

Features

  • Gateway Transparent proxy
  • Gateway FullCone NAT
  • Access control Whitelist/Blacklist
  • Routing control based on Port/IP/Domain
  • Complete DNS hijacking: prevents any port 53 query from bypassing the gateway
  • Intelligent routing of DNS requests based on EDNS-Client-Subnet/Policy
  • Fully visual configuration GUI based on the mihomo documentation

Requirements

  • OpenWrt >= 24.10
  • firewall4

Known issues

Screenshots

global

Simplified architecture diagram

flowchart TD
  subgraph Firewall
    direction TB
    subgraph fw_inpot[Input]; rawin[Raw traffic]; end
    subgraph fw_outpot[Output]; lo; tun; direct[Direct]; mihomoin[Mihomo in]; end
    rawin --firewall--> flow{Subnet/Local traffic ?}
    flow --Subnet--> acl_listen
    flow --Local--> proxy_router{Proxy router itself ?}
      proxy_router --Yes--> acl_dst
      proxy_router --No --> direct
    subgraph acl[Access Control]
      direction TB
      acl_listen{Src-interface filter} --> acl_src
      acl_listen --> direct
      acl_src{Src-address filter} --> dns_hijack
      acl_src --> direct
      dns_hijack{dport is 53 ?} --Redirect to dnsmasq--> lo
      dns_hijack --Via TUN--> tun
      dns_hijack --No --> acl_dst
      acl_dst{Dst-address filter} --> acl_dport
      acl_dst --> direct
      acl_dport{Dst-port filter<br/>Always redirect port 53} --> mihomoin
      acl_dport --> direct
    end
  end
  subgraph DNS
    direction TB
    subgraph dns_inpot[Input]; dnsreq[Any DNS request to **local:53**]; end
    subgraph dns_outpot[Output]; mihomodns[Mihomo DNS]; otherdns[Other DNS]; end
    dnsreq <--> dnsmasq[DNSmasq]
    dnsmasq <--Upstream--> mihomodns
    dnsmasq <--Upstream--> otherdns
    dnsmasq-full --Set ipset--> e[NFTables direct/proxy/cn/gfw ipset]
  end
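
The decision order of the Firewall subgraph above, modelled as a small Python function so the outcome for a given packet can be checked (an added example, not fchomo's code). It assumes each unlabelled pair of edges means "filter matched, continue" versus "no match, direct"; the `Policy` field names, interface names and addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    """Constructed sample settings; field names are hypothetical, not fchomo options."""
    listen_ifaces: set = field(default_factory=lambda: {"br-lan"})
    src_nets: list = field(default_factory=lambda: [ip_network("192.168.1.0/24")])
    direct_dst: list = field(default_factory=lambda: [ip_network("10.0.0.0/8")])
    routing_ports: set = field(default_factory=lambda: {80, 443})
    proxy_router: bool = True   # "Local" branch: proxy the router's own traffic
    dns_via_tun: bool = False   # False: redirect DNS to dnsmasq on lo

def _in(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def classify(p, iface, src, dst, dport, local=False):
    """Return the diagram's output node: 'lo', 'tun', 'direct' or 'mihomoin'."""
    if local:                                    # traffic from the router
        if not p.proxy_router:
            return "direct"
    else:                                        # subnet traffic
        if iface not in p.listen_ifaces:         # Src-interface filter
            return "direct"
        if not _in(src, p.src_nets):             # Src-address filter
            return "direct"
        if dport == 53:                          # DNS hijack
            return "tun" if p.dns_via_tun else "lo"
    if _in(dst, p.direct_dst):                   # Dst-address filter
        return "direct"
    if dport == 53 or dport in p.routing_ports:  # Dst-port filter, 53 always
        return "mihomoin"
    return "direct"

if __name__ == "__main__":
    pol = Policy()
    samples = [  # constructed packets: (iface, src, dst, dport, local)
        ("br-lan", "192.168.1.10", "8.8.8.8", 53, False),
        ("br-guest", "192.168.9.5", "8.8.8.8", 53, False),
        ("br-lan", "192.168.1.10", "203.0.113.7", 443, False),
        ("br-lan", "192.168.1.10", "203.0.113.7", 22, False),
        ("-", "127.0.0.1", "8.8.8.8", 53, True),
    ]
    for s in samples:
        print(s, "->", classify(pol, *s))
```

Under this reading of the diagram, the second sample goes direct before the port 53 check is reached, so DNS from a source outside the Src-interface or Src-address filters is not hijacked.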

Releases

You can find the prebuilt-ipks here

Installation

If you have trouble downloading resource files after initial installation, you can upload the initial resource pack.

Example config

Used to override /etc/config/fchomo

bypasscn
gfwlist

Fullcone Configuration

Direct
  1. Add the Dst-address to Global > Access Control > Custom Direct list (domains require dnsmasq-full)
  2. (Optional) Remove the Dst-port from Global > Access Control > Routing Control > Routing port (UDP)
  3. Accept the input Dst-port in Network > Firewall > Traffic Rules; requires that the upstream link is Fullcone
Proxy
  1. (Optional) Add the Dst-address to Global > Access Control > Custom Proxy list (domains require dnsmasq-full)
  2. Add the Dst-port to Global > Access Control > Routing Control > Routing port (UDP)
  3. Add a rule to Client > Routing rule; requires that the destination Proxy group is a Fullcone link

Build

# Take the x86_64 platform as an example
tar xJf openwrt-sdk-23.05.3-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz
# Go to the SDK root dir
cd openwrt-sdk-*-x86-64_*
# First run to generate a .config file
make menuconfig
./scripts/feeds update -a
./scripts/feeds install -a
# Get Makefile
git clone --depth 1 --branch master --single-branch --no-checkout https://github.com/fcshark-org/openwrt-fchomo.git package/openwrt-fchomo
pushd package/openwrt-fchomo
umask 022
git checkout
popd
# Select the package LuCI -> Applications -> luci-app-fchomo
make menuconfig
# Start compiling
make package/luci-app-fchomo/compile V=s BUILD_LOG=y -j$(nproc)
