Building a proxy gateway with a Raspberry Pi and Clash Premium
April 23, 2022 Default category
To apply a system-wide proxy, the common approaches are forwarding to a specific port, using a tun virtual device, and using TPROXY. The previous post covered building a transparent proxy gateway with v2ray's tproxy mode; this post covers the tun approach, which needs no hand-written routing policies or firewall forwarding rules.
Since the 2022.04.17 release of Clash Premium supports eBPF, performance has improved somewhat. The hardware used here is a Raspberry Pi 4 running Ubuntu 21.10 Server 64-bit.
Static IP address
Ubuntu has managed the network with netplan since 18.04, and its configuration files are YAML, which is friendly enough. Edit /etc/netplan/50-cloud-init.yaml, substituting your own IP address and gateway:
```bash
cat > /etc/netplan/50-cloud-init.yaml <<EOF
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: false
      optional: true
      addresses:
        - 192.168.8.254/24
      routes:
        - to: default
          via: 192.168.8.1
      nameservers:
        addresses: [223.5.5.5,223.6.6.6,8.8.8.8,8.8.4.4]
EOF
```
Tuning
There are too many parameters to go through one by one; if you are interested, look them up once the transparent gateway is working.
```bash
# raise the open-file limits
cat >> /etc/security/limits.conf <<EOF
* soft nofile 262144
root soft nofile 262144
* hard nofile 393216
root hard nofile 393216
EOF
```
```bash
# kernel parameters
cat > /etc/sysctl.conf <<EOF
kernel.sysrq = 0
kernel.panic = 1
net.core.default_qdisc = cake
net.core.netdev_max_backlog = 4096
net.core.rmem_max = 4000000
net.core.rmem_default = 4000000
net.core.wmem_max = 4000000
net.core.wmem_default = 4000000
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 100
net.ipv4.tcp_keepalive_probes = 6
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_sack = 1
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_base_mss = 1024
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_ecn_fallback = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_fastopen = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 3
net.ipv4.tcp_fin_timeout = 3
net.ipv4.tcp_max_tw_buckets = 65535
net.ipv4.ip_default_ttl = 255
net.ipv4.tcp_window_scaling = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.tcp_low_latency = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_early_demux = 0
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_orphan_retries = 2
net.ipv4.tcp_min_tso_segs = 2
net.ipv4.tcp_tso_win_divisor = 2
net.ipv4.ip_local_port_range=1024 65000
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_comp_sack_delay_ns = 1000000
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_early_demux = 0
net.ipv4.udp_early_demux = 0
net.ipv4.tcp_recovery = 1
net.ipv4.tcp_frto = 2
net.ipv4.tcp_min_rtt_wlen = 50
net.ipv4.tcp_reordering = 6
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.all.proxy_ndp = 1
net.ipv6.conf.all.hop_limit = 128
net.ipv6.conf.default.hop_limit = 128
net.ipv6.route.min_adv_mss = 1024
net.ipv6.route.mtu_expires = 600
vm.swappiness = 100
vm.vfs_cache_pressure = 200
vm.dirty_writeback_centisecs = 500
vm.dirty_expire_centisecs = 1000
vm.dirty_ratio = 5
vm.dirty_background_ratio = 2
vm.min_free_kbytes = 102400
vm.max_map_count = 262144
fs.aio-max-nr = 1048576
fs.lease-break-time = 30
EOF
```
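Writing /etc/sysctl.conf changes nothing by itself: the values take effect after `sysctl --system` or a reboot, and a key the running kernel does not expose is skipped without the gateway noticing. The check below is an added example, not code from the original post. It parses sysctl.conf syntax (both `key = value` and the `key=value` form used for the port range above), reads each live value from /proc/sys, and reports mismatches, keys the kernel lacks, and whether the two forwarding settings the gateway cannot work without are actually on. The names `check_applied`, `SAMPLE_CONF` and `FAKE_LIVE` are mine; the sample file and the fake /proc/sys contents are constructed so the script runs offline (with the fake, forwarding was never applied and one knob, chosen arbitrarily, is absent), while the real check reads /etc/sysctl.conf when it exists.

```python
"""Verify that the sysctl settings in /etc/sysctl.conf are live on the kernel."""
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Settings without which the Pi cannot forward client traffic at all.
REQUIRED = {
    "net.ipv4.ip_forward": "1",
    "net.ipv6.conf.all.forwarding": "1",
}

# Constructed sample in sysctl.conf syntax (a subset of the post's file), used by demo().
SAMPLE_CONF = """\
# kernel parameters
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.ip_local_port_range=1024 65000
net.ipv4.tcp_low_latency = 1
"""

# Constructed fake /proc/sys contents: the file was written but never applied,
# and the kernel does not expose tcp_low_latency (arbitrary choice for the fake).
FAKE_LIVE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv6.conf.all.forwarding": "1",
    "net.ipv4.conf.all.rp_filter": "2",
    "net.ipv4.ip_local_port_range": "1024\t65000",
}

Reader = Callable[[str], Optional[str]]
Finding = Tuple[str, str, str]  # (key, value wanted, value live)


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf: skip blank lines and #/; comments; split on the first '='."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def normalise(value: str) -> str:
    """Collapse whitespace: /proc/sys prints the port range as '1024\\t65000'."""
    return " ".join(value.split())


def read_proc_sys(key: str) -> Optional[str]:
    """Live value of a dotted sysctl key, or None if the kernel has no such knob."""
    path = Path("/proc/sys") / key.replace(".", "/")
    try:
        return path.read_text().strip()
    except OSError:
        return None


def check_applied(conf_text: str, read_live: Reader = read_proc_sys) -> Dict[str, List[Finding]]:
    """Compare every setting in conf_text with the live kernel value."""
    report: Dict[str, List[Finding]] = {"mismatch": [], "missing": [], "required_off": []}
    for key, wanted in parse_sysctl_conf(conf_text).items():
        live = read_live(key)
        if live is None:
            report["missing"].append((key, wanted, ""))
        elif normalise(live) != normalise(wanted):
            report["mismatch"].append((key, wanted, live))
    # Forwarding is checked against the kernel regardless of what the file says.
    for key, wanted in REQUIRED.items():
        live = read_live(key)
        if live is None or normalise(live) != wanted:
            report["required_off"].append((key, wanted, live or ""))
    return report


def demo() -> Dict[str, List[Finding]]:
    """Run the check on the constructed sample against the fake kernel."""
    return check_applied(SAMPLE_CONF, FAKE_LIVE.get)


if __name__ == "__main__":
    conf_path = Path("/etc/sysctl.conf")
    result = check_applied(conf_path.read_text()) if conf_path.exists() else demo()
    for kind, items in result.items():
        for key, wanted, live in items:
            print(f"{kind}: {key} wanted={wanted!r} live={live!r}")
    raise SystemExit(1 if any(result.values()) else 0)
```

Run it as root after `sysctl --system`; a non-zero exit means at least one setting is not what the file says, and the `required_off` entries are the ones that stop the Pi from acting as a gateway at all.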
Installation
Download the latest stable build from Clash Premium; it must be version 2022.04.17 or newer.
```bash
wget https://github.com/Dreamacro/clash/releases/download/premium/clash-linux-armv8-2022.04.17.gz
gunzip clash-linux-armv8-2022.04.17.gz
chmod +x clash-linux-armv8-2022.04.17
mv clash-linux-armv8-2022.04.17 /usr/local/bin/clash
# change the config directory to taste; this post keeps it in /data/clash
mkdir -p /data/clash
cat > /etc/systemd/system/clash.service <<EOF
[Unit]
Description=Clash daemon, A rule-based proxy in Go.
After=network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/clash -d /data/clash
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable clash.service
```
Configuration
See the official documentation (premium-core-features), which explains everything clearly.
Note: `auto-route` conflicts with eBPF.
The configuration I use follows the blacklist-style Rules approach; add your own proxy servers.
- Blacklist mode means "only traffic that matches a rule goes through the proxy". It suits users whose server link is unstable, not fast enough, or short on traffic quota, and it is also the usual mode for soft-router and home-gateway users.
- In the configuration below, apart from DIRECT and REJECT, which are policies (routing / traffic-handling policies) built into Clash, every policy is custom and corresponds to a name under proxies or proxy-groups in the config file. If you use the rules below as they are, you must define a policy named PROXY under proxies or proxy-groups yourself.
```yaml
log-level: info
bind-address: '*' # only applies when `allow-lan` is `true`
allow-lan: true # allow LAN access
mode: rule # mode
ipv6: false # when false, the resolver will not resolve hostnames to IPv6 addresses
external-controller: 192.168.8.254:80 # API control
external-ui: dashboard # UI, download from https://github.com/Dreamacro/clash-dashboard/tree/gh-pages
#secret: K2YTnzEtlRcj1mzHxKUSi60ijqLBQxwG # API secret
interface-name: eth0 # outbound interface
routing-mark: 7777 # routing mark
ebpf: # use eBPF
  redirect-to-tun:
    - eth0 # interface whose traffic eBPF redirects into the tun
profile:
  tracing: true # enable tracing
  store-selected: true
  store-fake-ip: true
tun: # enable tun mode
  enable: true
  stack: system
  auto-detect-interface: true
dns:
  enable: true
  ipv6: true # when false, AAAA queries get an empty answer
  listen: 0.0.0.0:53
  enhanced-mode: fake-ip # hijack (fake-ip) mode
  nameserver:
    - 119.29.29.29
    - 223.5.5.5
  fake-ip-range: 10.0.0.1/8 # default is 198.18.0.1/16; changed because a VPN I use at work conflicts with the default range
  fake-ip-filter: # these domains are answered with their real IP addresses
    - '*.lan'
  fallback:
    - tls://8.8.8.8:853
    - tls://8.8.4.4:853
    - https://1.1.1.1/dns-query
    - https://dns.google/dns-query
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
      - 240.0.0.0/4
proxies:
  - name: xxx1
    # xxxxxxx
  - name: xxx2
    # xxxxx
  - name: xxx3
    # xxxxxxx
  - name: xxx4
    # xxxxx
  - name: xxx5
    # xxxxxxx
  - name: xxx6
    # xxxxx
  - name: UnblockMusic # a NetEase Cloud Music unblocker
    type: http
    server: 127.0.0.1
    port: 2333
proxy-groups:
  - name: PROXY
    type: load-balance # plenty of servers, so spread the outbound load across all of them
    url: 'http://www.gstatic.com/generate_204'
    interval: 30
    strategy: round-robin # balancing strategy
    proxies:
      - xxx1
      - xxx2
      - xxx3
      - xxx4
      - xxx5
      - xxx6
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400
  icloud:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
    path: ./ruleset/icloud.yaml
    interval: 86400
  apple:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
    path: ./ruleset/apple.yaml
    interval: 86400
  google:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400
  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400
  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400
  private:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400
  gfw:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400
  greatfire:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt"
    path: ./ruleset/greatfire.yaml
    interval: 86400
  tld-not-cn:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400
  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400
  cncidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400
  lancidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400
  applications:
    type: http
    behavior: classical
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
    path: ./ruleset/applications.yaml
    interval: 86400
  neteasemusic:
    type: http
    behavior: classical
    path: ./ruleset/neteasemusic.yaml
    url: https://cdn.staticaly.com/gh/DesperadoJ/Rules-for-UnblockNeteaseMusic/master/Clash/RuleSet/NeteaseMusic.yaml
    interval: 86400
rules:
  # default rules
  - PROCESS-NAME,node,DIRECT
  - RULE-SET,neteasemusic,UnblockMusic
  # rule sets
  - RULE-SET,applications,DIRECT
  - RULE-SET,private,DIRECT
  - RULE-SET,reject,REJECT
  - RULE-SET,tld-not-cn,PROXY
  - RULE-SET,gfw,PROXY
  - RULE-SET,greatfire,PROXY
  - RULE-SET,telegramcidr,PROXY
  - MATCH,DIRECT
```
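Two things in the config above are worth checking by script before the service is started: the `auto-route`/eBPF conflict the note warns about, and the fact that `external-controller` is bound to the LAN address 192.168.8.254:80 with `allow-lan: true` while `secret` is commented out, which leaves the control API answering to every client on the LAN without authentication. The linter below is an added example, not code from the original post or from the Clash project. It works on the config already parsed into a dict (with PyYAML, `yaml.safe_load(open("/data/clash/config.yaml"))`); `SAMPLE_CONFIG` is a constructed, cut-down version of the post's config and `lint_clash_config` is my name. Beyond those two checks it also verifies the point made in the bullet list: every rule target must be DIRECT, REJECT or a name defined under proxies or proxy-groups, and every RULE-SET must name a defined rule provider. The rule syntax it assumes is `TYPE,ARGUMENT,POLICY`, with `MATCH,POLICY` and an optional trailing `no-resolve`.

```python
"""Lint a Clash Premium gateway config before `systemctl start clash`."""
from typing import Any, Dict, List, Set

BUILTIN_POLICIES = {"DIRECT", "REJECT"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed cut-down version of the post's config: controller on the LAN
# address with no secret, eBPF on, tun without auto-route, and two dangling
# references (proxy xxx2 and rule provider gfw) to show the name checks.
SAMPLE_CONFIG: Dict[str, Any] = {
    "allow-lan": True,
    "external-controller": "192.168.8.254:80",
    "interface-name": "eth0",
    "ebpf": {"redirect-to-tun": ["eth0"]},
    "tun": {"enable": True, "stack": "system", "auto-detect-interface": True},
    "proxies": [
        {"name": "xxx1", "type": "http", "server": "127.0.0.1", "port": 2333},
    ],
    "proxy-groups": [
        {"name": "PROXY", "type": "load-balance", "proxies": ["xxx1", "xxx2"]},
    ],
    "rule-providers": {"private": {"type": "http", "behavior": "domain"}},
    "rules": ["RULE-SET,private,DIRECT", "RULE-SET,gfw,PROXY", "MATCH,DIRECT"],
}


def defined_policies(cfg: Dict[str, Any]) -> Set[str]:
    """Names usable as a rule target: the built-ins plus every proxy and group name."""
    names = set(BUILTIN_POLICIES)
    for section in ("proxies", "proxy-groups"):
        for entry in cfg.get(section) or []:
            if isinstance(entry, dict) and entry.get("name") is not None:
                names.add(str(entry["name"]))
    return names


def lint_clash_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing to fix."""
    findings: List[str] = []

    # 1. auto-route and eBPF redirection conflict; keep only one of them.
    tun = cfg.get("tun") or {}
    if tun.get("enable") and tun.get("auto-route") and cfg.get("ebpf"):
        findings.append("tun.auto-route is enabled together with ebpf; the two conflict, use one")

    # 2. The RESTful API is unauthenticated unless `secret` is set, so a
    #    controller bound anywhere but loopback needs one ('' means all interfaces).
    controller = str(cfg.get("external-controller") or "")
    if controller:
        host = controller.rsplit(":", 1)[0]
        if host not in LOOPBACK_HOSTS and not cfg.get("secret"):
            findings.append(f"external-controller {controller} is reachable beyond loopback with no secret set")

    # 3. Every group member and rule target must resolve to a defined policy.
    policies = defined_policies(cfg)
    for group in cfg.get("proxy-groups") or []:
        for member in group.get("proxies") or []:
            if str(member) not in policies:
                findings.append(f"proxy-group {group.get('name')!r} references undefined proxy {member!r}")

    providers = set((cfg.get("rule-providers") or {}).keys())
    for rule in cfg.get("rules") or []:
        parts = [p.strip() for p in str(rule).split(",")]
        if parts and parts[-1] == "no-resolve":  # optional suffix on IP rules
            parts = parts[:-1]
        if len(parts) < 2 or (parts[0] != "MATCH" and len(parts) < 3):
            findings.append(f"malformed rule {rule!r}")
            continue
        kind, policy = parts[0], parts[-1]
        if policy not in policies:
            findings.append(f"rule {rule!r} targets undefined policy {policy!r}")
        if kind == "RULE-SET" and parts[1] not in providers:
            findings.append(f"rule {rule!r} uses undefined rule provider {parts[1]!r}")
    return findings


if __name__ == "__main__":
    for line in lint_clash_config(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

On the constructed sample this reports the open controller, the dangling `xxx2` member and the undefined `gfw` provider; the cure for the first is to uncomment `secret` or bind `external-controller` to 127.0.0.1 and reach the dashboard over SSH port forwarding.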
Take off
```bash
systemctl start clash.service
```