Raspberry Pi Running Distribution Agent

I seem to have been having trouble with various agents recently, so I took the time to read the Sing-box documentation, plus various video tutorials, and fumbled around a lot on my own.

sing-box is a universal proxy platform that is very powerful. It supports many inbound and outbound protocols and is very convenient to use.

This article records my personal usage, which may be useful to some readers. Some descriptions may not be professional enough, but they are definitely practical. Readers are welcome to follow the official account and leave messages for communication.

Because I have a Raspberry Pi 2 Model B that has been idle for many years, I checked that the rated power is 3.0 watts (5V/600mA), which is very suitable for use as a small gateway + dnsmasq domain name cache. The gateway can act as a proxy and can also block some advertisements.

First draw a network architecture diagram to facilitate readers' understanding.

architecture diagram

Just like a common home network. Just connect an extra Raspberry Pi to the home router. The gateways and dns servers of other devices are set to the IP address of the Raspberry Pi.

The following are the steps:

1. Install the official system on Raspberry Pi

Originally, there was nothing to write about this step. There are many tutorials on the Internet to teach you how to flash the official system for the Raspberry Pi. I haven’t flashed the system of Raspberry Pi for many years. I found out that the official tool is called Raspberry Pi Imager, which is very easy to use (I remember that I used the dd command to flash the system) and can save a lot of trouble.

pi imager

First select your Raspberry Pi model, then select the operating system image you want to install (if you have a network card in this step, you can select a custom image, just select the image downloaded from your computer), then select the SD card and click After Next, you can set the hostname, user password, enable ssh, automatically import keys, etc.

I chose the simplest image, which is more than 400 MB. After all, it does not require a desktop or too many functions.

This gadget can really be said to be a considerate little housekeeper. You will know how to use it just by reading the text description. After installing it, just remove the SD card and insert it into the Raspberry Pi card slot.

If you think about it carefully, this indeed lowers the operating threshold and is convenient and easy to use. When selecting storage, remember to confirm that the SD card is selected, otherwise it will kill the system, which will be a big trouble.

2. Configure dnsmasq on Raspberry Pi

Log in to the Raspberry Pi via ssh. As an aside, if you don’t know the IP assigned to the Raspberry Pi (for example, in an environment where the router is not controlled), you can use the packet capture software wireshark to capture the arp broadcast packets, or ping them one by one with the same IP address as your computer. IP😂, luckily I can find it quickly.

Generally, if there are not many devices mounted on the router, the IP will not change much. Of course, you can also set a fixed IP.

Check the basic information, debian system, armv7l CPU, and have switched to the source of Jiaotong University (choose a source close to you, it is fast).

 1mephisto@raspberrypi:~ $ cat /etc/os-release
 2PRETTY_NAME="Raspbian GNU/Linux 12 (bookworm)"
 3NAME="Raspbian GNU/Linux"
 5VERSION="12 (bookworm)"
12mephisto@raspberrypi:~ $ uname -a
13Linux raspberrypi 6.6.28+rpt-rpi-v7 #1 SMP Raspbian 1:6.6.28-1+rpt1 (2024-04-22) armv7l GNU/Linux
14mephisto@raspberrypi:~ $ cat /etc/apt/sources.list
16#deb [ arch=armhf ] http://raspbian.raspberrypi.com/raspbian/ bookworm main contrib non-free rpi
17# Uncomment line below then 'apt-get update' to enable 'apt-get source'
18#deb-src http://raspbian.raspberrypi.com/raspbian/ bookworm main contrib non-free rpi
21# deb http://mirrors.ustc.edu.cn/raspberrypi/debian/ bookworm main
22#deb-src http://mirrors.ustc.edu.cn/raspberrypi/debian/ bookworm main
25deb http://mirrors.sjtug.sjtu.edu.cn/raspbian/raspbian/ bookworm main contrib non-free rpi
26mephisto@raspberrypi:~ $

Install dnsmasq, which is suitable for use in small network scenarios. It is mainly used to cache domain names, add custom domain names, and is used in combination with NetworkManager.

1sudo apt install dnsmasq

To configure dnsmasq, please refer to this arch document: https://wiki.archlinux.org/title/NetworkManager#dnsmasq

 1mephisto@raspberrypi:~ $ cd /etc/NetworkManager/
 2mephisto@raspberrypi:/etc/NetworkManager $ ls
 3NetworkManager.conf conf.d dispatcher.d dnsmasq-shared.d dnsmasq.d system-connections
 4mephisto@raspberrypi:/etc/NetworkManager $ cat conf.d/dns.conf
 7mephisto@raspberrypi:/etc/NetworkManager $ cat dnsmasq.d/
 8cache.conf listen.conf
 9mephisto@raspberrypi:/etc/NetworkManager $ cat dnsmasq.d/cache.conf
10server= # Domain name server Alibaba’s
11cache-size=1000 # Cache 1000 dns records, or dns records with a certain memory size. If you are interested, check the dnsmasq source code to confirm.
12strict-order # Not important, see dnsmasq documentation
13address=/www.example.com/ # Define the domain name yourself, because I ran lighttpd to host the pac on the Raspberry Pi silly girl, and also used it to verify whether dnsmasq is configured correctly.
14mephisto@raspberrypi:/etc/NetworkManager $ cat dnsmasq.d/listen.conf
15listen-address=::1,, # The network card that the dns service listens to, port 53
16mephisto@raspberrypi:/etc/NetworkManager $

The specific settings are as shown above, dns=dnsmasq means that the dns part of the enabled NetworkManager is taken over by dnsmasq.

Notice! In this way, you don’t need to start dnsmasq on the computer, NetworkManager will do it for you.

1mephisto@raspberrypi:/etc/NetworkManager $ systemctl is-enabled dnsmasq
3mephisto@raspberrypi:/etc/NetworkManager $ ps -ef | grep NetworkManager
4root 508 1 0 Apr27 ? 00:00:10 /usr/sbin/NetworkManager --no-daemon
5nobody 1524 508 0 Apr27 ? 00:00:46 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/NetworkManager/ dnsmasq.pid --listen-address= --cache-size=400 --clear-on-reload --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.freedesktop .NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
6mephisto 17990 17355 50 14:29 pts/0 00:00:00 grep --color=auto NetworkManager
7mephisto@raspberrypi:/etc/NetworkManager $

3. Configure sing-box client on Raspberry Pi

Open ip_forward first

1mephisto@raspberrypi:~ $ cat /etc/sysctl.conf |grep ip_forward
3mephisto@raspberrypi:~ $ sysctl -p
4sysctl: permission denied on key "net.ipv4.ip_forward"
5mephisto@raspberrypi:~ $ sysctl net.ipv4.ip_forward
6net.ipv4.ip_forward = 1

Install sing-box

1sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc
2sudo chmod a+r /etc/apt/keyrings/sagernet.asc
3echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/sagernet.asc] https://deb.sagernet.org/ * *" | \
4   sudo tee /etc/apt/sources.list.d/sagernet.list > /dev/null
5sudo apt-get update
6sudo apt-get install sing-box

In order to facilitate the understanding of the sing-box client, I suggest readers who are not afraid of trouble to read the official documentation first. After all, the software is constantly being updated and the configuration will also change. After understanding the configuration items, you can write your own rules.

Or go to major video websites to watch videos. Some of the videos are unclear or outdated, leading to misunderstandings.

Client configuration:

 2mephisto@raspberrypi:/etc/sing-box $ cat config.json
 4   "dns": {
 5     "servers": [
 6       {
 7         "tag": "cf",
 8         "address": ""
 9       },
10       {
11         "tag": "local",
12         "address": "",
13         "detour": "direct"
14       },
15       {
16         "tag": "block",
17         "address": "rcode://success"
18       }
19     ],
20     "rules": [
21       {
22         "outbound": "any",
23         "server": "local"
24       },
25       {
26         "geosite": "cn",
27         "server": "local"
28       }
29     ],
30     "strategy": "ipv4_only"
31   },
32   "inbounds": [
33     {
34       "type": "tun", # In tun mode, there will eventually be an additional tun virtual network card on the Raspberry Pi.
35       "stack": "system",
36       "inet4_address": "",
37       "auto_route": true,
38       "strict_route": true,
39       "sniff": true
40     }
41   ],
42   "outbounds": [
43     {
44       "type": "hysteria2",
45       "tag": "proxy",
46       "server": "stock.mephisto.cc", # Fill in your domain name
47       "server_port": 443,
48       "up_mbps": 20,
49       "down_mbps": 100,
50       "password": "your_password", # Password
51       "tls": {
52         "enabled": true,
53         "server_name": "stock.mephisto.cc", # Certificate domain name
54         "insecure": true # If the frame number verification fails, enable it. In my case, my certificate has expired. It is estimated that the server certificate has not been refreshed and the browser access is normal.
55       }
56     },
57     {
58       "type": "direct",
59       "tag": "direct"
60     },
61     {
62       "type": "block",
63       "tag": "block"
64     },
65     {
66       "type": "dns",
67       "tag": "dns-out"
68     }
69   ],
70   "route": {
71     "rules": [
72       {
73         "protocol": "dns",
74         "outbound": "dns-out"
75       },
76       {
77         "geosite": "cn",
78         "geoip": [
79           "private",
80           "cn"
81         ],
82         "outbound": "direct"
83       }
84     ],
85     "auto_detect_interface": true
86   }

Originally, the configuration I was referring to also had an ad blocking function, but I removed it myself. After all, I own a small website and am not very averse to ads. Interested readers can search for relevant configurations online.

4. Configure gateway and dns on the computer

There are thousands of online tutorials for this step, so I’ll just take a screenshot 😂

For the gateway, I automatically dhcp the Wi-Fi connection first and then change it, otherwise the link cannot be established. If it is wired, there is no such problem if I set it directly.


Set the Raspberry Pi IP in dns first, and then set the router IP. Double insurance, the Raspberry Pi IP should be used first.


5. Test verification

Choose to test on Mac, other devices are similar.

Test the domain name cache. I have not confirmed whether this is cached by sing-box or dnsmasq.

1mephisto@RMBP ~> dig omg.com | grep "Query time"
2;; Query time: 716 msec
3mephisto@RMBP ~> dig omg.com | grep "Query time"
4;; Query time: 49 msec

Anyway, the effect is achieved, I am too lazy to distinguish. 716ms --> 49ms, dropped by an order of magnitude. If it is your computer's local dnsmasq cache, it is usually 0ms.

To test the custom domain name, directly access the default domain name www.example.com of lighttpd, and the default test page will return normally.


Dig confirmed, it is also ok.

 1mephisto@RMBP ~> dig www.example.com
 3; <<>> DiG 9.10.6 <<>> www.example.com
 4;; global options: +cmd
 5;; Got answer:
 6;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10055
 7;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
10; EDNS: version: 0, flags:; udp: 4096
12;www.example.com. IN A
15www.example.com. 0 IN A
17;; Query time: 108 msec
18;; SERVER:
19;; WHEN: Sun Apr 28 15:24:03 CST 2024
20;; MSG SIZE rcvd: 60

The above can confirm that dnsmasq on the Raspberry Pi is working properly.

Next, confirm the diversion proxy function and test the IP

china ip

japan ip

Visit the domain name test again:

 1mephisto@RMBP ~> curl baidu.com
 3<meta http-equiv="refresh" content="0;url=http://www.baidu.com/">
 5mephisto@RMBP ~> curl google.com
 6<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
 7<TITLE>301 Moved</TITLE></HEAD><BODY>
 8<H1>301 Moved</H1>
 9The document has moved
10<A HREF="http://www.google.com/">here</A>.
12mephisto@RMBP ~>

It can be seen that the sing-box function is normal and I personally think it is quite easy to use. The Raspberry Pi has better performance than ordinary routers and can also be used as a Linux server. There is no need to install additional software on mobile phones and other devices.

Lastmod: Sunday, April 28, 2024

See Also: