Just a memo for me, but a reference for you.

Prerequisites

  • Arch Linux Box
  • At least 2 NICs, which I’ll refer to as the WAN and LAN interfaces
    • WAN interface connects to the local ISP
    • LAN interface connects to the switches and APs that provide service to clients

Target

  • Full access to Internet (both domestic and international)
  • Full speed TCP
  • Support UDP, ICMP with best effort
  • Support Full Cone NAT (for UDP)
  • Switch international route in a command

Hierarchy

Built with several LXC containers without any ip rule or ipset

  • Container A (only 1)
    • the only container that connects to both WAN and LAN
    • Connects to WAN as default gateway
    • Provides NAT to clients in LAN (with FULLCONENAT)
    • Provides port forwarding on LAN so that each Container C can reach its corresponding remote endpoint
  • Container B (only 1)
    • Connects to LAN only
    • It’s the default gateway of all clients in LAN
    • Runs a DHCP & RADVD server to assign IPs to clients in LAN
    • Diverts traffic to the corresponding exit container (Container A or one of the Container C’s)
      • Based on ip route only, with chnroute or something
    • Runs a DNS server
  • Container C (many)
    • Connects to LAN only
    • Acts as a gateway to the Internet via the specified exit
    • Connects to Wireguard/OpenVPN forwarded by Container A
      • Used as the default gateway, providing Internet access for non-TCP traffic
      • Provides NAT to clients in LAN (with FULLCONENAT)
      • iptables -t nat -A POSTROUTING -s *LAN*/24 -o *TUNIF* -j FULLCONENAT
    • Connects to Shadowsocks/VMess forwarded by Container A
      • Runs in TPROXY (REDIRECT) mode, which ensures TCP performance
      • iptables -t nat -A PREROUTING -s *LAN*/24 ! -d *LAN*/24 -p tcp -m ttl --ttl-gt 40 -j REDIRECT --to-ports *TPROXYPORT*
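As an added illustration of Container B’s job (the “ip route only, with chnroute” split) and of the “switch international route in a command” target, here is a small POSIX sh script that is not part of the memo above. It assumes, purely for the example, that the LAN device is eth0, Container A sits at 10.0.0.2, the Container C exits sit at 10.0.0.11 and 10.0.0.12, and the chnroute list is a file with one CIDR per line; every domestic prefix gets a route via Container A, and only the default route is replaced when switching exits, so domestic traffic never moves.

```shell
#!/bin/sh
# Added example, not from the memo: Container B route split and exit switch.
# Assumed values (not from the memo): LAN device, Container A hop, Container C hops.
LAN_DEV=${LAN_DEV:-eth0}
HOP_A=${HOP_A:-10.0.0.2}
HOP_C1=${HOP_C1:-10.0.0.11}
HOP_C2=${HOP_C2:-10.0.0.12}

# run CMD...: execute the command, or only print it when DRY_RUN=1 so the
# resulting route table can be reviewed before it is applied.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# install_domestic_routes FILE: one route per chnroute prefix via Container A.
# Blank lines and '#' comments in the list are skipped; 'replace' makes the
# function idempotent when the list is refreshed.
install_domestic_routes() {
  while IFS= read -r cidr; do
    case "$cidr" in ''|'#'*) continue ;; esac
    run ip route replace "$cidr" via "$HOP_A" dev "$LAN_DEV"
  done < "$1"
}

# switch_exit HOP: move international traffic to the given Container C by
# changing only the default route; domestic routes stay untouched.
switch_exit() {
  run ip route replace default via "$1" dev "$LAN_DEV"
}

# Stand-alone usage:  ./split.sh routes /etc/chnroute.txt
#                     ./split.sh exit 10.0.0.12
if [ $# -gt 0 ]; then
  case "$1" in
    routes) install_domestic_routes "$2" ;;
    exit)   switch_exit "$2" ;;
    *)      echo "usage: $0 routes FILE | exit HOP" >&2; exit 2 ;;
  esac
fi
```

Run it with DRY_RUN=1 first to see the exact ip route commands it would issue; a destination not covered by any chnroute prefix simply falls through to the default route, i.e. to whichever Container C was last selected.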