Since this post is sensitive in China, I will roll it with English instead.

ChinaDNS and WiFi(AP)

From DNS Server for home server, we have set up with ChinaDNS and can resolv the external websites correctly. You can see a file including China IP in /etc/chnroute.txt. This file is very important for ss-rules. In Access Points for home server, we have built a AP and can assign the clients with DHCP and Unbound DNS Server backend.

ss-redir

Now we can make full use of ss-redir and ss-rules to route all the traffic outside China to our VPS. First, make sure you have a high speed and reliable ss service. ss-redir is included in shadowsocks-libev port, install shadowsocks-libev in Arch is easy.

packer -S shadowsocks-libev

ss-redir configuration is the same with ss-local,

{
    "server": "your_ss_server",
    "server_port": your_ss_port,
    "local_address": "0.0.0.0",
    "local_port": 8484,
    "password": "your_ss_password",
    "timeout": 60,
    "method": "your_ss_encrypt_method"
}

Save it and move it to /etc/shadowsocks/redir.json, start ss-redir service.

sudo systemctl start shadowsocks-libev-redir@redir.service
sudo systemctl enable shadowsocks-libev-redir@redir.service

ss-rules

Thanks to @aa65535, he wrote the ss-rules scripts and works well with ss-redir. You can refer Instruction of ss rules for detailed info.

Download the ss-rules scripts from openwrt-shadowsocks/shadowsocks.rule.

sudo wget -O /usr/local/bin/ss-rules https://raw.githubusercontent.com/shadowsocks/openwrt-shadowsocks/master/files/shadowsocks.rule
sudo chmod +x /usr/local/bin/ss-rules

In case of TCP networking error, we should exclude our ss server. If you have only one ss server, save the following systemd service and move it to /etc/systemd/system/ss-rules.service.

[Unit]
Description=ss-rules Service
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ss-rules -s your_ss_server_ip -l 8484 -i /etc/chnroute.txt
ExecStop=/usr/local/bin/ss-rules -f

[Install]
WantedBy=multi-user.target

Start it and enable.

sudo systemctl start ss-rules
sudo systemctl enable ss-rules

Enjoy Google, YouTube and other blocked sites when connected to your home server AP~