
Clash transparent gateway proxy

Device: arm64 architecture

OS: armbian

Based on a more experienced user's configuration; since my machine is different, I modified it a bit.

The detailed tutorial is here: GitHub - UntaggedRui/clashindocker: Using docker to run clash as a bypass route

I went back through the documentation and found it is not actually that hard; the tutorial is here

I am not using clash anymore; I use sing-box now. All the iptables business is moot: it works out of the box and gives high-quality access. For details see this post

You can skip everything below entirely; just read the official documentation 👍

The iptables part can be ignored too; the reason I did not want to deal with it is that iptables is too hard.

1. After pulling the code, replace clash with the build that fits your machine

Builds for other architectures can be found on this page: Releases · MetaCubeX/mihomo · GitHub

Bash
cd clash
wget https://github.com/MetaCubeX/mihomo/releases/download/v1.18.1/mihomo-linux-arm64-v1.18.1.gz
gzip -d mihomo-linux-arm64-v1.18.1.gz
# gzip -d strips the .gz suffix, so the decompressed file has no extension
mv mihomo-linux-arm64-v1.18.1 clash
chmod +x clash
# Check the version number
./clash -v

2. Register the system service; the systemd path differs between systems

for example /etc/systemd/system/

3. Modify the configuration file for DNS split routing and fake-ip blacklist mode

Only traffic that hits a rule goes through the proxy. This suits users whose server line is unstable or slow, or whose server traffic quota is tight; it is also the mode soft-router and home-gateway users commonly run.

config.yml
proxy-providers:
  🛫 我的机场 1:
    type: http
    # Replace with your own Clash subscription URL
    url: "https://xxxx/api/v1/client/subscribe?token=1fad3e8&flag=clash"
    path: ./proxy_providers/airport1.yaml
    interval: 43200
    # filter: ""
    health-check:
      enable: true
      url: "https://www.gstatic.com/generate_204"
      interval: 3600

  🛫 我的机场 2:
    type: http
    # Replace with your own Clash subscription URL
    url: "https://githubusercontent.com/h"
    path: ./proxy_providers/airport2.yaml
    interval: 43200
    # filter: "香港|台湾|日本|韩国|新加坡|美国"
    health-check:
      enable: true
      url: "https://www.gstatic.com/generate_204"
      interval: 3600

mode: rule
ipv6: true
log-level: silent
allow-lan: true
mixed-port: 7890
unified-delay: false
tcp-concurrent: true
external-controller: 0.0.0.0:9090
external-ui: ui
secret: "youpassword"
find-process-mode: strict
global-client-fingerprint: chrome
profile: {store-selected: true, store-fake-ip: true}

sniffer:
  enable: true
  parse-pure-ip: true
  sniff: {HTTP: {ports: [80, 8080-8880], override-destination: true}, TLS: {ports: [443, 8443]}, QUIC: {ports: [443, 8443]}}
  skip-domain: ['Mijia Cloud']

tun:
  enable: true
  stack: mixed
  dns-hijack:
      - 'any:53'
  auto-route: true
  auto-detect-interface: true
  strict-route: true

dns:
  enable: true
  prefer-h3: true
  listen: :1053
  fake-ip-range: 198.18.0.1/16
  ipv6: true
  enhanced-mode: fake-ip
  fake-ip-filter:
    - '*.lan'
    - '*.localdomain'
    - '*.example'
    - '*.invalid'
    - '*.localhost'
    - '*.test'
    - '*.local'
    - '*.home.arpa'
    - 'time.*.com'
    - 'time.*.gov'
    - 'time.*.edu.cn'
    - 'time.*.apple.com'
    - 'time-ios.apple.com'
    - 'time1.*.com'
    - 'time2.*.com'
    - 'time3.*.com'
    - 'time4.*.com'
    - 'time5.*.com'
    - 'time6.*.com'
    - 'time7.*.com'
    - 'ntp.*.com'
    - 'ntp1.*.com'
    - 'ntp2.*.com'
    - 'ntp3.*.com'
    - 'ntp4.*.com'
    - 'ntp5.*.com'
    - 'ntp6.*.com'
    - 'ntp7.*.com'
    - '*.time.edu.cn'
    - '*.ntp.org.cn'
    - '+.pool.ntp.org'
    - 'time1.cloud.tencent.com'
    - 'music.163.com'
    - '*.music.163.com'
    - '*.126.net'
    - 'musicapi.taihe.com'
    - 'music.taihe.com'
    - 'songsearch.kugou.com'
    - 'trackercdn.kugou.com'
    - '*.kuwo.cn'
    - 'api-jooxtt.sanook.com'
    - 'api.joox.com'
    - 'joox.com'
    - 'y.qq.com'
    - '*.y.qq.com'
    - 'streamoc.music.tc.qq.com'
    - 'mobileoc.music.tc.qq.com'
    - 'isure.stream.qqmusic.qq.com'
    - 'dl.stream.qqmusic.qq.com'
    - 'aqqmusic.tc.qq.com'
    - 'amobile.music.tc.qq.com'
    - '*.xiami.com'
    - '*.music.migu.cn'
    - 'music.migu.cn'
    - '+.msftconnecttest.com'
    - '+.msftncsi.com'
    - 'localhost.ptlogin2.qq.com'
    - 'localhost.sec.qq.com'
    - '+.qq.com'
    - '+.tencent.com'
    - '+.srv.nintendo.net'
    - '*.n.n.srv.nintendo.net'
    - '+.stun.playstation.net'
    - 'xbox.*.*.microsoft.com'
    - '*.*.xboxlive.com'
    - 'xbox.*.microsoft.com'
    - 'xnotify.xboxlive.com'
    - '+.battlenet.com.cn'
    - '+.wotgame.cn'
    - '+.wggames.cn'
    - '+.wowsgame.cn'
    - '+.wargaming.net'
    - 'proxy.golang.org'
    - 'stun.*.*'
    - 'stun.*.*.*'
    - '+.stun.*.*'
    - '+.stun.*.*.*'
    - '+.stun.*.*.*.*'
    - '+.stun.*.*.*.*.*'
    - 'heartbeat.belkin.com'
    - '*.linksys.com'
    - '*.linksyssmartwifi.com'
    - '*.router.asus.com'
    - 'mesu.apple.com'
    - 'swscan.apple.com'
    - 'swquery.apple.com'
    - 'swdownload.apple.com'
    - 'swcdn.apple.com'
    - 'swdist.apple.com'
    - 'lens.l.google.com'
    - 'stun.l.google.com'
    - 'na.b.g-tun.com'
    - '+.nflxvideo.net'
    - '*.square-enix.com'
    - '*.finalfantasyxiv.com'
    - '*.ffxiv.com'
    - '*.ff14.sdo.com'
    - 'ff.dorado.sdo.com'
    - '*.mcdn.bilivideo.cn'
    - '+.media.dssott.com'
    - 'shark007.net'
    - 'Mijia Cloud'
    - '+.cmbchina.com'
    - '+.cmbimg.com'
    - 'adguardteam.github.io'
    - 'adrules.top'
    - 'anti-ad.net'
    - 'local.adguard.org'
    - 'static.adtidy.org'
    - '+.sandai.net'
    - '+.n0808.com'
    - '+.3gppnetwork.org'
  default-nameserver:
      - https://223.5.5.5/dns-query
      - https://1.12.12.12/dns-query
  nameserver:
    - https://dns.alidns.com/dns-query#h3=true
    - https://doh.pub/dns-query
  # proxy-server-nameserver:
  #   - https://dns.alidns.com/dns-query#h3=true
    # - https://doh.pub/dns-query
  nameserver-policy:
    'rule-set:microsoft-cn,apple-cn,google-cn,games-cn':
        - https://dns.alidns.com/dns-query#h3=true
        - https://doh.pub/dns-query
    'rule-set:cn,private':
      - 'https://dns.alidns.com/dns-query#h3=true'
      - 'https://doh.pub/dns-query'
    'rule-set:proxy':
      - 'https://cloudflare-dns.com/dns-query#🪜 代理域名&h3=true'
      - 'https://dns.google/dns-query#🪜 代理域名'

# A single outbound proxy node (vless shown as an example)
# proxies:
#   - name: 🆓 免费节点
#     type: vless
#     server: example.com
#     port: 443
#     uuid: {uuid}
#     network: ws
#     tls: true
#     udp: false
#     sni: example.com
#     client-fingerprint: chrome
#     ws-opts:
#       path: "/?ed=2048"
#       headers:
#         host: example.com

proxy-groups:
  - {name: 🚀 节点选择, type: select, proxies: [🇭🇰 香港节点, 🇨🇳 台湾节点, 🇯🇵 日本节点, 🇰🇷 韩国节点, 🇸🇬 新加坡节点, 🇺🇸 美国节点, 🇦🇺 澳大利亚节点, 🇩🇪 德国节点, 🇳🇱 荷兰节点, 🆓 备用机场]}

  - {name: 📈 网络测试, type: select, proxies: [🎯 全球直连, 🇭🇰 香港节点, 🇨🇳 台湾节点, 🇯🇵 日本节点, 🇰🇷 韩国节点, 🇸🇬 新加坡节点, 🇺🇸 美国节点, 🇦🇺 澳大利亚节点, 🇩🇪 德国节点, 🇳🇱 荷兰节点]}

  # If the provider's UDP quality is poor and a game cannot log in or join a room, adding the `disable-udp: true` option fixes it
  - {name: 🐟 漏网之鱼, type: select, proxies: [🎯 全球直连, 🚀 节点选择]}

  - {name: 🔗 直连域名, type: select, proxies: [🎯 全球直连, 🚀 节点选择]}

  - {name: 🪜 代理域名, type: select, proxies: [🚀 节点选择, 🎯 全球直连]}

  - {name: 🎮 游戏平台, type: select, proxies: [🎯 全球直连, 🚀 节点选择]}

  - {name: Ⓜ️ 微软服务, type: select, proxies: [🎯 全球直连, 🚀 节点选择]}

  - {name: 📢 谷歌服务, type: select, proxies: [🎯 全球直连, 🚀 节点选择]}

  - {name: 🍎 苹果服务, type: select, proxies: [🎯 全球直连, 🚀 节点选择]}

  - {name: 🇨🇳 国内 IP, type: select, proxies: [🎯 全球直连, 🚀 节点选择]}

  - {name: 📲 电报消息, type: select, proxies: [🚀 节点选择]}

  - {name: 🖥️ 直连软件, type: select, proxies: [🎯 全球直连]}

  - {name: 🔒 私有网络, type: select, proxies: [🎯 全球直连]}

  - {name: 🛑 广告拦截, type: select, proxies: [REJECT]}

  - {name: 🎯 全球直连, type: select, proxies: [DIRECT]}

  # Uses node load balancing: more stable and possibly faster; recommended when many nodes are reused
  - {name: 🇭🇰 香港节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1,], filter: "(?i)港|hk|hongkong|hong kong"}

  - {name: 🇨🇳 台湾节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1,], filter: "(?i)台|tw|taiwan"}

  - {name: 🇯🇵 日本节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1,], filter: "(?i)日本|jp|japan"}

  - {name: 🇰🇷 韩国节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1,], filter: "(?i)韩国|kr|korea"}

  - {name: 🇸🇬 新加坡节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1,], filter: "(?i)新|sg|singapore"}

  - {name: 🇺🇸 美国节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1,], filter: "(?i)美|us|unitedstates|united states"}

  - {name: 🇦🇺 澳大利亚节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1], filter: "(?i)澳大|au|aus|australia"}

  - {name: 🇩🇪 德国节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1], filter: "(?i)德国|de|germany"}

  - {name: 🇳🇱 荷兰节点, type: load-balance, strategy: consistent-hashing, lazy: true, use: [🛫 我的机场 1], filter: "(?i)荷兰|nl|netherlands"}

  - {name: 🆓 备用机场, type: select, lazy: true, use: [🛫 我的机场 2]}

rule-providers:
  ads:
    type: http
    behavior: domain
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/ads.yaml"
    path: ./ruleset/ads.yaml
    interval: 86400

  private:
    type: http
    behavior: domain
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/private.yaml"
    path: ./ruleset/private.yaml
    interval: 86400

  microsoft-cn:
    type: http
    behavior: domain
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/microsoft-cn.yaml"
    path: ./ruleset/microsoft-cn.yaml
    interval: 86400

  apple-cn:
    type: http
    behavior: domain
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/apple-cn.yaml"
    path: ./ruleset/apple-cn.yaml
    interval: 86400

  google-cn:
    type: http
    behavior: domain
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/google-cn.yaml"
    path: ./ruleset/google-cn.yaml
    interval: 86400

  games-cn:
    type: http
    behavior: domain
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/games-cn.yaml"
    path: ./ruleset/games-cn.yaml
    interval: 86400

  networktest:
    type: http
    behavior: classical
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/networktest.yaml"
    path: ./ruleset/networktest.yaml
    interval: 86400

  applications:
    type: http
    behavior: classical
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/applications.yaml"
    path: ./ruleset/applications.yaml
    interval: 86400

  proxy:
    type: http
    behavior: domain
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/proxy.yaml"
    path: ./ruleset/proxy.yaml
    interval: 86400

  cn:
    type: http
    behavior: domain
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/cn.yaml"
    path: ./ruleset/cn.yaml
    interval: 86400

  telegramip:
    type: http
    behavior: ipcidr
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/telegramip.yaml"
    path: ./ruleset/telegramip.yaml
    interval: 86400

  privateip:
    type: http
    behavior: ipcidr
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/privateip.yaml"
    path: ./ruleset/privateip.yaml
    interval: 86400

  cnip:
    type: http
    behavior: ipcidr
    url: "https://fastly.jsdelivr.net/gh/DustinWin/ruleset_geodata@clash/cnip.yaml"
    path: ./ruleset/cnip.yaml
    interval: 86400

rules:
  - RULE-SET,ads,🛑 广告拦截
  - RULE-SET,private,🔒 私有网络
  - RULE-SET,microsoft-cn,Ⓜ️ 微软服务
  - RULE-SET,apple-cn,🍎 苹果服务
  - RULE-SET,google-cn,📢 谷歌服务
  - RULE-SET,games-cn,🎮 游戏平台
  - RULE-SET,networktest,📈 网络测试
  - RULE-SET,applications,🖥️ 直连软件
  - RULE-SET,proxy,🪜 代理域名
  - RULE-SET,cn,🔗 直连域名
  - RULE-SET,telegramip,📲 电报消息
  - RULE-SET,privateip,🔒 私有网络,no-resolve
  - RULE-SET,cnip,🇨🇳 国内 IP
  - MATCH,🐟 漏网之鱼
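Two things the config above relies on are easy to get wrong when editing it by hand: the `*`/`+` wildcard syntax in `fake-ip-filter` (and in `behavior: domain` rule-sets), and the fact that `rules` is walked top to bottom with the first hit winning, where `no-resolve` on an IP rule-set makes that rule skip any request for which only a domain is known. The following Python model is an added example, not code from this post or from mihomo itself. The rule-set contents, IP ranges and the resolver table are constructed for the demo (TEST-NET-3 stands in for Chinese address space); the policy-group names and the rule order are the ones from the config.

```python
"""Model of two mihomo behaviours the gateway config depends on.

Added example, not code from the original post or from mihomo itself:
  * domain_matches(): the wildcard syntax used in fake-ip-filter and domain
    rule-sets ('*' = exactly one label, '+' = zero or more leading labels,
    so '+.qq.com' also matches 'qq.com' itself);
  * first_match(): the top-to-bottom walk through `rules`, including how
    `no-resolve` on an IP rule-set skips the rule when only a domain is known.
"""
import ipaddress


def domain_matches(pattern: str, domain: str) -> bool:
    """Right-anchored, label-by-label wildcard match."""
    p = pattern.lower().strip(".").split(".")
    d = domain.lower().strip(".").split(".")
    if p[0] == "+":
        p = p[1:]
        if len(d) < len(p):
            return False
        d = d[len(d) - len(p):]          # compare only the right-most labels
    elif len(p) != len(d):
        return False                     # '*' stands for exactly one label
    return all(pl == "*" or pl == dl for pl, dl in zip(p, d))


# Constructed rule-set contents standing in for the downloaded ruleset files.
RULE_SETS = {
    "ads":       ("domain", ["+.ads.example"]),
    "private":   ("domain", ["+.lan", "+.local", "+.home.arpa"]),
    "proxy":     ("domain", ["+.proxy.example"]),
    "cn":        ("domain", ["+.cn.example"]),
    "privateip": ("ipcidr", ["192.168.0.0/16", "10.0.0.0/8"]),
    "cnip":      ("ipcidr", ["203.0.113.0/24"]),   # TEST-NET-3 stands in for CN space
}

# Same order and syntax as the `rules` section, trimmed to the sets modelled here.
RULES = [
    "RULE-SET,ads,🛑 广告拦截",
    "RULE-SET,private,🔒 私有网络",
    "RULE-SET,proxy,🪜 代理域名",
    "RULE-SET,cn,🔗 直连域名",
    "RULE-SET,privateip,🔒 私有网络,no-resolve",
    "RULE-SET,cnip,🇨🇳 国内 IP",
    "MATCH,🐟 漏网之鱼",
]

# Constructed stand-in for a real DNS lookup.
RESOLVER = {
    "www.cn.example": "203.0.113.10",
    "nas.corp.example": "192.168.0.100",
    "mirror.example": "203.0.113.7",
}


def first_match(rules, rule_sets, domain=None, ip=None, resolver=None):
    """Return the policy group of the first matching rule, or None."""
    resolver = resolver or {}
    for rule in rules:
        parts = [x.strip() for x in rule.split(",")]
        kind = parts[0]
        if kind == "MATCH":
            return parts[1]
        if kind != "RULE-SET":
            raise ValueError(f"unsupported rule type: {kind}")
        name, group, flags = parts[1], parts[2], parts[3:]
        behavior, entries = rule_sets[name]
        if behavior == "domain":
            if domain and any(domain_matches(e, domain) for e in entries):
                return group
        elif behavior == "ipcidr":
            # Without no-resolve, an IP rule forces DNS resolution of the domain
            # and the answer is kept for the rules that follow.
            if ip is None and domain and "no-resolve" not in flags:
                ip = resolver.get(domain)
            if ip and any(ipaddress.ip_address(ip) in ipaddress.ip_network(c)
                          for c in entries):
                return group
        else:
            raise ValueError(f"unsupported behavior: {behavior}")
    return None


def classify(domain=None, ip=None):
    """Classify one destination against the constructed rule chain."""
    return first_match(RULES, RULE_SETS, domain, ip, RESOLVER)


if __name__ == "__main__":
    for target in ({"domain": "tracker.ads.example"}, {"domain": "www.cn.example"},
                   {"domain": "nas.corp.example"}, {"domain": "mirror.example"},
                   {"ip": "192.168.0.5"}):
        print(target, "->", classify(**target))
```

Two results are worth noticing. `+.stun.*.*` matches `stun.example.com` but not `stun.example.co.uk`, which is why the filter list carries the same pattern with three, four and five trailing `*` labels. And `nas.corp.example`, which resolves to a private address, ends up in `🐟 漏网之鱼` rather than `🔒 私有网络`: the `privateip` line carries `no-resolve`, so it is skipped while only the domain is known, and by the time the `cnip` line has triggered resolution the private-IP rule is already behind us.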

4. iptables setup

sudo iptables -P FORWARD ACCEPT

For everything else, follow the original tutorial. If it starts up and the local machine can proxy through it, it works.

5. Other settings on the gateway machine

If this machine acts as a transparent gateway (bypass router), its IP address must be made static so that an expiring DHCP lease does not change it; set the DNS address statically too.

sudo nano /etc/network/interfaces

interfaces
# Wired adapter #1
allow-hotplug eth0
no-auto-down eth0
iface eth0 inet static
    # Fixed IP address
    address 192.168.0.100
    netmask 255.255.255.0
    # Address of the main router
    gateway 192.168.0.1
    dns-nameservers 1.1.1.1 119.29.29.29

nano /etc/systemd/resolved.conf

resolved.conf
[Resolve]
DNS=119.29.29.29 223.5.5.5 1.1.1.1

Restart the network service; if that does not help, reboot the machine.

sudo systemctl restart networking

sudo systemctl restart systemd-resolved

6. Settings on the other machines

Apart from the transparent gateway itself, the other machines at home need their gateway pointed at this machine.

The simplest way is to change the gateway in the main router's DHCP settings to the transparent gateway's IP, and the DNS to 119.29.29.29.

Finally, reboot the main router so the other devices refresh their addresses.

FAQ

1. Resolving the conflict with Docker

Docker also sets the policy for the FORWARD chain to DROP. If your Docker host also acts as a router, this will result in that router not forwarding any traffic anymore. If you want your system to continue functioning as a router, you can add explicit ACCEPT rules to the DOCKER-USER chain to allow it:

Docker on a router


ACCEPT has to be set again after the machine reboots.

This is done by modifying the systemd docker service:

Run sudo nano /etc/systemd/system/docker.service, find the ExecStart line and add an ExecStartPost line beneath it that runs your script file

docker.service
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStartPost=/usr/local/bin/iptables-forward-accept.sh

sudo nano /usr/local/bin/iptables-forward-accept.sh (the path the ExecStartPost line points at), then make it executable with sudo chmod +x /usr/local/bin/iptables-forward-accept.sh

Bash
#!/bin/bash
# Runs as root from ExecStartPost, so sudo is not needed here
iptables -P FORWARD ACCEPT

exit 0

Reboot the machine and check whether it took effect

iptables -L
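Reading the policy out of `iptables -L` by eye is easy to get wrong on a host where Docker has added several chains. The script below is an added example, not the post's own iptables-forward-accept.sh: it only changes the FORWARD policy when it is not already ACCEPT, logs what it changed via `logger` (the tag name is my choice), and exposes the small parser for `iptables -S FORWARD` output as its own function so the check can be scripted after reboot. The sample chain output is constructed to look like a Docker host before the fix.

```shell
#!/bin/bash
# Added example, not the script from the original post: idempotent version of
# iptables-forward-accept.sh plus a parser for `iptables -S FORWARD` output.

# Print the FORWARD chain policy from `iptables -S FORWARD` text on stdin.
# `iptables -S` emits the policy as its first line: "-P FORWARD <POLICY>".
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Set the policy only when it is not already ACCEPT. Returns 0 when it changed
# something, 1 when nothing needed doing. Needs root when run for real.
ensure_forward_accept() {
    local current
    current=$(iptables -S FORWARD | forward_policy)
    if [ "$current" = "ACCEPT" ]; then
        logger -t forward-accept "FORWARD policy already ACCEPT"
        return 1
    fi
    iptables -P FORWARD ACCEPT
    logger -t forward-accept "FORWARD policy changed from ${current:-unknown} to ACCEPT"
}

# Constructed sample of what a Docker host prints before the fix is applied.
SAMPLE_AFTER_DOCKER='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER'

# Parse the constructed sample so the parser can be exercised without root.
policy_of_sample() {
    printf '%s\n' "$SAMPLE_AFTER_DOCKER" | forward_policy
}

# Only touch the live firewall when explicitly asked to (as ExecStartPost would).
if [ "${1:-}" = "--apply" ]; then
    ensure_forward_accept
fi
```

Point the `ExecStartPost=` line at this script with `--apply` as its argument; without the flag it only defines the functions, so the same file can be sourced from a post-reboot check that compares `iptables -S FORWARD | forward_policy` against `ACCEPT`.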