This document follows the V2Ray transparent-proxy guide at https://toutyrater.github.io/app/tproxy.html. It records the setup here and covers only the TPROXY approach.
Client-side dependencies:

- [x] v2ray: download the latest version from the Release page and install it
- [x] wget
- [x] bind9-dnsutils: provides nslookup
- [x] jp
- [x] iptables
- [x] procps: provides sysctl
- [ ] net-tools: optional, provides netstat
- [ ] clash: download from the Release page and install to /usr/local/bin
- [ ] clash country db: download from the Release page and install to /usr/local/etc/clash
Install the files:

```sh
# Copy the configuration file
sudo mkdir -p /etc/transparent-v2ray
sudo cp ./simple/etc-transparent-v2ray/config.json /etc/transparent-v2ray/
# Copy the v2ray configuration file
sudo mkdir -p /etc/v2ray
sudo cp ./simple/etc-2ray.client/v2ray.json /etc/v2ray/
# Copy the service files
sudo cp ./simple/systemd-service/v2ray@.service /lib/systemd/system/
sudo cp ./simple/systemd-service/transparent_v2ray.service /lib/systemd/system/
sudo systemctl daemon-reload
# Copy the main script
sudo cp ./transparent_v2ray.sh /usr/local/bin/transparent_v2ray
sudo chmod +x /usr/local/bin/transparent_v2ray
```

After the files are installed, edit /etc/v2ray/v2ray.json and /etc/transparent-v2ray/config.json to match your setup.
Then run `sudo systemctl start transparent_v2ray.service` to test. If everything works, run `sudo systemctl enable transparent_v2ray.service` to start it at boot. If it misbehaves, check the configuration.

Commands:

- `sudo transparent_v2ray start`: start the service
- `sudo transparent_v2ray stop`: stop the service
- `sudo transparent_v2ray restart`: restart the service
- `sudo transparent_v2ray update-v2ray-geoip`: update v2ray's geoip.dat and geosite.dat
The transparent proxy configuration file is simple:

- server: domain name or address of the proxy server
- proxy_start: command that starts the transparent proxy
- proxy_stop: command that stops the transparent proxy
- local_port: local port the transparent proxy listens on
In inbounds, the main addition is an entry with protocol dokodemo-door; it sets the transparent proxy's port, interception mode and network protocols.
Note in particular that followRedirect must be true and sockopt.tproxy must be "tproxy". Enabling sniffing is also recommended: without it the inbound only sees destination IPs, so routing rules cannot match by domain.
Example configuration:

```json
{
  "port": 1083,
  "tag": "transparent",
  "protocol": "dokodemo-door",
  "settings": {
    "network": "tcp,udp",
    "followRedirect": true
  },
  "sniffing": {
    "enabled": true,
    "destOverride": ["http", "tls"]
  },
  "streamSettings": {
    "sockopt": {
      "tproxy": "tproxy"
    }
  }
}
```

outbounds configure how traffic leaves; four are configured here:

- vmess: the proxy server's settings; v2ray.json carries a WebSocket (ws) example
- freedom: direct connection, selected by IP in the routing rules
- blackhole: used to block ads; returns an HTTP response for http-type traffic
- dns: the DNS outbound
dns configures the DNS query rules: domestic lookups use 223.5.5.5 and 114.114.114.114, foreign lookups use 8.8.8.8 and 1.1.1.1.
223.5.5.5 is also given a special entry: geosite:cn domains and ntp.org are resolved through it first.
routing holds the routing rules, mainly the split between domestic and foreign traffic:

domainStrategy, the domain strategy, takes one of these values:

- AsIs: route using the domain name only (default). Fast, but less accurate.
- IPIfNonMatch: when a domain matches no rule, resolve it to an IP and match again. When a domain has several A records, all of them are tried until one matches a rule; the resolved IP is used only for routing, forwarded packets still carry the original domain. Trades some speed for more accurate splitting; recommended.
- IPOnDemand: resolve the domain to an IP as soon as any IP-based rule is encountered. Most accurate but slowest, and the gain over IPIfNonMatch is small; not recommended.
The rules are:

- port 53: DNS, forwarded to the dns-out outbound
- port 123: NTP, sent direct without proxying. This keeps NTP working; a large clock skew makes the server reject connections.
- ip (two entries): how the DNS resolver addresses are reached; domestic resolvers direct, foreign ones through the proxy
- category-ads-all: ad domains, forwarded to block
- bittorrent: BT traffic goes direct
- geoip private and cn: private and Chinese IP ranges go direct
- geosite cn: domestic domains go direct
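The pieces described above (the dokodemo-door inbound, the four outbounds, the dns servers and the routing rules), assembled into one v2ray.json. This is an added example, not the repository's ./simple/etc-2ray.client/v2ray.json. The outbound tags proxy and direct, the server address, the WebSocket path and the sockopt mark 255 (which lets the iptables rules exempt the proxy's own sockets) are assumptions; the tags transparent, dns-out and block come from the text above. Rules are evaluated top to bottom, and traffic that matches nothing goes to the first outbound, so the vmess outbound is listed first.

```json
{
  "inbounds": [
    {
      "port": 1083,
      "tag": "transparent",
      "protocol": "dokodemo-door",
      "settings": { "network": "tcp,udp", "followRedirect": true },
      "sniffing": { "enabled": true, "destOverride": ["http", "tls"] },
      "streamSettings": { "sockopt": { "tproxy": "tproxy" } }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "example.com",
            "port": 443,
            "users": [ { "id": "00000000-0000-0000-0000-000000000000", "alterId": 0 } ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "wsSettings": { "path": "/ws" },
        "sockopt": { "mark": 255 }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "streamSettings": { "sockopt": { "mark": 255 } }
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": { "response": { "type": "http" } }
    },
    { "tag": "dns-out", "protocol": "dns" }
  ],
  "dns": {
    "servers": [
      { "address": "223.5.5.5", "port": 53, "domains": ["geosite:cn", "ntp.org"] },
      "114.114.114.114",
      "8.8.8.8",
      "1.1.1.1"
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      { "type": "field", "inboundTag": ["transparent"], "port": 53, "outboundTag": "dns-out" },
      { "type": "field", "inboundTag": ["transparent"], "port": 123, "outboundTag": "direct" },
      { "type": "field", "ip": ["223.5.5.5", "114.114.114.114"], "outboundTag": "direct" },
      { "type": "field", "ip": ["8.8.8.8", "1.1.1.1"], "outboundTag": "proxy" },
      { "type": "field", "domain": ["geosite:category-ads-all"], "outboundTag": "block" },
      { "type": "field", "protocol": ["bittorrent"], "outboundTag": "direct" },
      { "type": "field", "ip": ["geoip:private", "geoip:cn"], "outboundTag": "direct" },
      { "type": "field", "domain": ["geosite:cn"], "outboundTag": "direct" }
    ]
  }
}
```

The two ip rules for the resolvers matter because the dns outbound's own queries are dispatched through routing: without them, queries to 8.8.8.8 would match geoip rules or fall through to the default outbound unpredictably. The bittorrent and category-ads-all rules only fire when sniffing is enabled on the inbound.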
Refer to Clash Configuration. Two examples are given: one with statically defined proxies, one that loads proxies from a provider subscription. Keep `skip-cert-verify` unset in both; enabling it lets anyone on the path impersonate the server.

```yaml
tproxy-port: 7893
# Set to true to allow connections to the local-end server from
# other LAN IP addresses
allow-lan: false
# This is only applicable when `allow-lan` is `true`
# '*': bind all IP addresses
# 192.168.122.11: bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
bind-address: '*'
# Clash router working mode
# rule: rule-based packet routing
# global: all packets will be forwarded to a single endpoint
# direct: directly forward the packets to the Internet
mode: rule
# Clash by default prints logs to STDOUT
# info / warning / error / debug / silent
log-level: error
# When set to false, resolver won't translate hostnames to IPv6 addresses
ipv6: false
# fwmark on Linux only
routing-mark: 255
profile:
  # Store the `select` results in $HOME/.config/clash/.cache
  # set false If you don't want this behavior
  # when two different configurations have groups with the same name, the selected values are shared
  store-selected: false
  # persistence fakeip
  store-fake-ip: true
# DNS server settings
# This section is optional. When not present, the DNS server will be disabled.
dns:
  enable: false
  listen: 0.0.0.0:53
  # ipv6: false # when the false, response to AAAA questions will be empty
  # These nameservers are used to resolve the DNS nameserver hostnames below.
  # Specify IP addresses only
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
  enhanced-mode: fake-ip # or redir-host (not recommended)
  fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR
  # use-hosts: true # lookup hosts and return IP record
  # Hostnames in this list will not be resolved with fake IPs
  # i.e. questions to these domain names will always be answered with their
  # real IP addresses
  # fake-ip-filter:
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com
  # Supports UDP, TCP, DoT, DoH. You can specify the port to connect to.
  # All DNS questions are sent directly to the nameserver, without proxies
  # involved. Clash answers the DNS question with the first result gathered.
  nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://dns.rubyfish.cn:853 # DNS over TLS
    - https://1.1.1.1/dns-query # DNS over HTTPS
    - dhcp://en0 # dns from dhcp
    # - '8.8.8.8#en0'
proxies:
  - name: "ss"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: v2ray-plugin
    plugin-opts:
      mode: websocket # no QUIC now
      # tls: true # wss
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
      # mux: true
      # headers:
      #   custom: value
  # vmess
  # cipher support auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    tls: true
    # skip-cert-verify: true
    # servername: example.com # priority over wss host
    network: ws
    ws-opts:
      path: /path
      # headers:
      #   Host: v2ray.com
      # max-early-data: 2048
      # early-data-header-name: Sec-WebSocket-Protocol
proxy-groups:
  # url-test select which proxy will be used by benchmarking speed to a URL.
  - name: "auto"
    type: fallback
    proxies:
      - ss
      - vmess
    # tolerance: 150
    # lazy: true
    url: 'http://www.gstatic.com/generate_204'
    interval: 300
rules:
  - DOMAIN-SUFFIX,google.com,auto
  - DOMAIN-KEYWORD,google,auto
  - DOMAIN,google.com,auto
  - DOMAIN-SUFFIX,github.io,auto
  - DOMAIN-SUFFIX,github.com,auto
  - DOMAIN-KEYWORD,github,auto
  - DOMAIN,github.com,auto
  - DOMAIN-SUFFIX,ad.com,REJECT
  - SRC-IP-CIDR,192.168.1.201/32,DIRECT
  # optional param "no-resolve" for IP rules (GEOIP, IP-CIDR, IP-CIDR6)
  - IP-CIDR,127.0.0.0/8,DIRECT
  - GEOIP,CN,DIRECT
  - DST-PORT,80,DIRECT
  - SRC-PORT,7777,DIRECT
  - MATCH,auto
```

```yaml
tproxy-port: 7893
# Set to true to allow connections to the local-end server from
# other LAN IP addresses
allow-lan: false
# This is only applicable when `allow-lan` is `true`
# '*': bind all IP addresses
# 192.168.122.11: bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
bind-address: '*'
# Clash router working mode
# rule: rule-based packet routing
# global: all packets will be forwarded to a single endpoint
# direct: directly forward the packets to the Internet
mode: rule
# Clash by default prints logs to STDOUT
# info / warning / error / debug / silent
log-level: info
# When set to false, resolver won't translate hostnames to IPv6 addresses
ipv6: false
# fwmark on Linux only
routing-mark: 255
profile:
  # Store the `select` results in $HOME/.config/clash/.cache
  # set false If you don't want this behavior
  # when two different configurations have groups with the same name, the selected values are shared
  store-selected: false
  # persistence fakeip
  store-fake-ip: true
# DNS server settings
# This section is optional. When not present, the DNS server will be disabled.
dns:
  enable: false
  listen: 0.0.0.0:53
  # ipv6: false # when the false, response to AAAA questions will be empty
  # These nameservers are used to resolve the DNS nameserver hostnames below.
  # Specify IP addresses only
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
  enhanced-mode: fake-ip # or redir-host (not recommended)
  fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR
  # use-hosts: true # lookup hosts and return IP record
  # Hostnames in this list will not be resolved with fake IPs
  # i.e. questions to these domain names will always be answered with their
  # real IP addresses
  # fake-ip-filter:
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com
  # Supports UDP, TCP, DoT, DoH. You can specify the port to connect to.
  # All DNS questions are sent directly to the nameserver, without proxies
  # involved. Clash answers the DNS question with the first result gathered.
  nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://dns.rubyfish.cn:853 # DNS over TLS
    - https://1.1.1.1/dns-query # DNS over HTTPS
    - dhcp://en0 # dns from dhcp
    # - '8.8.8.8#en0'
proxy-providers:
  provider1:
    type: http
    # Convert a subscription link with Proxy Provider Converter,
    # e.g. https://proxy-provider-converter-iota-cyan.vercel.app
    url: "url"
    interval: 3600
    path: ./provider1.yaml
    health-check:
      enable: true
      interval: 600
      # lazy: true
      url: http://www.gstatic.com/generate_204
proxy-groups:
  - name: PROXY
    type: select
    use:
      - provider1
    proxies:
      - DIRECT
rules:
  - DOMAIN-SUFFIX,google.com,PROXY
  - DOMAIN-KEYWORD,google,PROXY
  - DOMAIN,google.com,PROXY
  - DOMAIN-SUFFIX,github.io,PROXY
  - DOMAIN-SUFFIX,github.com,PROXY
  - DOMAIN-KEYWORD,github,PROXY
  - DOMAIN,github.com,PROXY
  - DOMAIN-SUFFIX,ad.com,REJECT
  - SRC-IP-CIDR,192.168.1.201/32,DIRECT
  # optional param "no-resolve" for IP rules (GEOIP, IP-CIDR, IP-CIDR6)
  - IP-CIDR,127.0.0.0/8,DIRECT
  - GEOIP,CN,DIRECT
  - DST-PORT,80,DIRECT
  - SRC-PORT,7777,DIRECT
  - MATCH,PROXY
```

The system's traffic rules are set up with iptables; by default tcp and udp are proxied together.
The start_transparent_proxy function enables the proxy, stop_transparent_proxy disables it, and check_environment verifies that the runtime requirements are met.
For the remaining details, read ./transparent_v2ray.sh directly.
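An added example of the iptables and policy-routing rules a TPROXY setup of this shape needs; it is not transparent_v2ray.sh and does not reproduce that script's internals. It prints the rules by default (DRY_RUN=1) so they can be audited, and applies them as root with DRY_RUN=0. Assumed values: inbound port 1083 (the dokodemo-door example above), fwmark 1, routing table 100, and mark 255 on the proxy's own outbound sockets (clash's routing-mark, or sockopt.mark in v2ray), which is what the OUTPUT chain uses to avoid re-intercepting the proxy's upstream connections. PROXY_SERVER_IP is an optional extra bypass for the upstream server; whether config.json's server field serves the same purpose is an assumption, not stated on the page.

```sh
#!/bin/sh
# Added example: generate or apply TPROXY interception rules.
TPROXY_PORT="${TPROXY_PORT:-1083}"        # dokodemo-door inbound port (from the page)
TPROXY_MARK="${TPROXY_MARK:-1}"           # fwmark that selects the TPROXY routing table (assumed)
TPROXY_TABLE="${TPROXY_TABLE:-100}"       # policy routing table id (assumed)
PROXY_SELF_MARK="${PROXY_SELF_MARK:-255}" # mark carried by the proxy's own sockets (assumed)
PROXY_SERVER_IP="${PROXY_SERVER_IP:-}"    # optional: upstream server, never intercepted
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print rules, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Destinations that must never be sent to the proxy: loopback, RFC 1918,
# link-local, multicast and reserved space. Intercepting these breaks LAN
# access and, for 127.0.0.0/8, loops traffic back into the proxy.
bypass_ranges() {
    printf '%s\n' 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
    [ -n "$PROXY_SERVER_IP" ] && printf '%s\n' "$PROXY_SERVER_IP/32"
    return 0
}

# Verify the tools the rules need; returns the number of missing tools.
check_environment() {
    missing=0
    for tool in iptables ip sysctl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; missing=$((missing + 1)); }
    done
    return "$missing"
}

# Packets carrying TPROXY_MARK are delivered to the local stack (dev lo),
# where the TPROXY socket on TPROXY_PORT picks them up. ip_forward is needed
# for LAN clients whose packets arrive in PREROUTING.
setup_policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip rule add fwmark "$TPROXY_MARK" table "$TPROXY_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"
}

# PREROUTING: forwarded LAN traffic. TPROXY redirects tcp and udp alike.
setup_prerouting() {
    run iptables -t mangle -N V2RAY
    for r in $(bypass_ranges); do
        run iptables -t mangle -A V2RAY -d "$r" -j RETURN
    done
    run iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port "$TPROXY_PORT" --tproxy-mark "$TPROXY_MARK"
    run iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port "$TPROXY_PORT" --tproxy-mark "$TPROXY_MARK"
    run iptables -t mangle -A PREROUTING -j V2RAY
}

# OUTPUT: the gateway's own traffic. The TPROXY target is not valid here, so
# packets are only marked; the policy route then loops them back through
# PREROUTING, where the V2RAY chain applies. The proxy's upstream sockets
# carry PROXY_SELF_MARK and are RETURNed first, which is what prevents an
# infinite loop, so that rule must precede the MARK rules.
setup_output() {
    run iptables -t mangle -N V2RAY_MASK
    for r in $(bypass_ranges); do
        run iptables -t mangle -A V2RAY_MASK -d "$r" -j RETURN
    done
    run iptables -t mangle -A V2RAY_MASK -m mark --mark "$PROXY_SELF_MARK" -j RETURN
    run iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark "$TPROXY_MARK"
    run iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark "$TPROXY_MARK"
    run iptables -t mangle -A OUTPUT -j V2RAY_MASK
}

tproxy_rules() {
    setup_policy_routing
    setup_prerouting
    setup_output
}

# Tear-down in reverse order of creation.
tproxy_clear() {
    run iptables -t mangle -D OUTPUT -j V2RAY_MASK
    run iptables -t mangle -D PREROUTING -j V2RAY
    run iptables -t mangle -F V2RAY_MASK
    run iptables -t mangle -X V2RAY_MASK
    run iptables -t mangle -F V2RAY
    run iptables -t mangle -X V2RAY
    run ip route del local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"
    run ip rule del fwmark "$TPROXY_MARK" table "$TPROXY_TABLE"
}

if [ "$DRY_RUN" = 1 ]; then
    tproxy_rules                          # audit: print the rules
else
    check_environment && tproxy_rules     # apply for real (run as root)
fi
```

Review the printed output before applying: the RETURN for mark 255 must appear before the MARK rules in V2RAY_MASK, and every private range must be RETURNed before the TPROXY rules in V2RAY. DNS and NTP are not special-cased here on purpose; the v2ray routing rules above decide where port 53 and 123 traffic goes once it has been intercepted.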
Server-side dependencies:

- haveged: entropy daemon
- v2ray: see above
- caddy: reverse proxy; download a build from https://caddyserver.com/download that matches your domain's DNS provider, e.g. for aliyun pick the github.com/caddy-dns/lego-deprecated module

Server-side configuration:

- v2ray: see ./simple/v2ray_server.json, a ws configuration
- caddy: see ./simple/Caddyfile