Menu Close

Xray透明代理(TProxy)配置教程

XTrojan黑科技 Xray教程 2条评论
机场加速器梯子推荐:优质SS/SSR/Trojan/Xray/V2Ray机场推荐 | IPLC/IEPL专线加速器梯子推荐 | 解锁奈飞Netflix/HBO/Hulu等国外流媒体

本配置基于TProxy 透明代理的新 V2Ray 白话文教程,加入了 Xray 的新特性,使用 VLESS + XTLS Splice 方案,并将旧教程中默认出站代理的分流方式改为默认出站直连,使用者请按照实际情况进行修改。

本文中所有配置已在 Raspberry Pi 2B、Ubuntu 20.04 环境下测试成功,如在其它环境中使用请自行调整配置。

1、开始之前

请检查您的设备是否有可用的网络连接,且服务端已经配置成功,客户端已经安装完毕。

需注意的是,目前很多透明代理教程都会将 Linux 系统的 IP 转发打开,但这样会导致 Splice 性能下降。详情请参考大案牍术破案纪实第三篇–我们是如何破解 Splice 性能下降甚至低于 Direct 之谜的

这里我想要补充的是,很多透明代理教程会使用 Netfilter 进行分流,使直连流量直接发出而不经过 Xray,这时必须开启 IP 转发;也有的教程,如本文,会将所有流量导入 Xray 之中,由 Xray 的路由模块进行分流,这时无需开启 IP 转发。

2、Xray 配置

{
"log": {
"loglevel": "warning",
"error": "/var/log/xray/error.log",
"access": "/var/log/xray/access.log"
},
"inbounds": [
{
"tag": "all-in",
"port": 12345,
"protocol": "dokodemo-door",
"settings": {
"network": "tcp,udp",
"followRedirect": true
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
},
"streamSettings": {
"sockopt": {
"tproxy": "tproxy"
}
}
}
],
"outbounds": [
{
"tag": "direct",
"protocol": "freedom",
"settings": {
"domainStrategy": "UseIPv4"
},
"streamSettings": {
"sockopt": {
"mark": 2
}
}
},
{
"tag": "proxy",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "服务端域名",
"port": 443,
"users": [
{
"id": "UUID",
"flow": "xtls-rprx-splice",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "xtls",
"sockopt": {
"mark": 2
}
}
},
{
"tag": "block",
"protocol": "blackhole",
"settings": {
"response": {
"type": "http"
}
}
},
{
"tag": "dns-out",
"protocol": "dns",
"settings": {
"address": "8.8.8.8"
},
"proxySettings": {
"tag": "proxy"
},
"streamSettings": {
"sockopt": {
"mark": 2
}
}
}
],
"dns": {
"hosts": {
"服务端域名": "服务端 IP"
},
"servers": [
{
"address": "119.29.29.29",
"port": 53,
"domains": [
"geosite:cn"
],
"expectIPs": [
"geoip:cn"
]
},
{
"address": "223.5.5.5",
"port": 53,
"domains": [
"geosite:cn"
],
"expectIPs": [
"geoip:cn"
]
},
"8.8.8.8",
"1.1.1.1",
"https+local://doh.dns.sb/dns-query"
]
},
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"inboundTag": [
"all-in"
],
"port": 53,
"outboundTag": "dns-out"
},
{
"type": "field",
"ip": [
"119.29.29.29",
"223.5.5.5"
],
"outboundTag": "direct"
},
{
"type": "field",
"ip": [
"8.8.8.8",
"1.1.1.1"
],
"outboundTag": "proxy"
},
{
"type": "field",
"domain": [
"geosite:category-ads-all"
],
"outboundTag": "block"
},
{
"type": "field",
"domain": [
"geosite:geolocation-!cn"
],
"outboundTag": "proxy"
},
{
"type": "field",
"ip": [
"geoip:jp",
"geoip:us",
"geoip:sg",
"geoip:hk",
"geoip:tw",
"109.239.140.0/24",
"14.102.250.18",
"14.102.250.19",
"149.154.164.0/22",
"149.154.168.0/22",
"149.154.172.0/22",
"174.142.105.153",
"50.7.31.230",
"67.220.91.15",
"67.220.91.18",
"67.220.91.23",
"69.65.19.160",
"72.52.81.22",
"85.17.73.31",
"91.108.4.0/22",
"91.108.56.0/22",
"91.108.56.0/23",
"108.177.120.94",
"108.177.120.0/24",
"172.217.0.0/16",
"74.125.0.0/16",
"23.246.0.0/18",
"37.77.184.0/21",
"45.57.0.0/17",
"64.120.128.0/17",
"66.197.128.0/17",
"108.175.32.0/20",
"192.173.64.0/18",
"198.38.96.0/19",
"198.45.48.0/20",
"173.245.48.0/20",
"103.21.244.0/22",
"103.22.200.0/22",
"103.31.4.0/22",
"141.101.64.0/18",
"108.162.192.0/18",
"190.93.240.0/20",
"188.114.96.0/20",
"197.234.240.0/22",
"198.41.128.0/17",
"162.158.0.0/15",
"104.16.0.0/12",
"172.64.0.0/13",
"131.0.72.0/22",
"144.220.0.0/16",
"52.124.128.0/17",
"54.230.0.0/16",
"54.239.128.0/18",
"52.82.128.0/19",
"99.84.0.0/16",
"204.246.172.0/24",
"54.239.192.0/19",
"70.132.0.0/18",
"13.32.0.0/15",
"205.251.208.0/20",
"13.224.0.0/14",
"13.35.0.0/16",
"204.246.164.0/22",
"204.246.168.0/22",
"71.152.0.0/17",
"216.137.32.0/19",
"205.251.249.0/24",
"99.86.0.0/16",
"52.46.0.0/18",
"52.84.0.0/15",
"204.246.173.0/24",
"130.176.0.0/16",
"205.251.200.0/21",
"204.246.174.0/23",
"64.252.128.0/18",
"205.251.254.0/24",
"143.204.0.0/16",
"205.251.252.0/23",
"204.246.176.0/20",
"13.249.0.0/16",
"54.240.128.0/18",
"205.251.250.0/23",
"52.222.128.0/17",
"54.182.0.0/16",
"54.192.0.0/16",
"103.2.30.0/23",
"125.209.208.0/20",
"147.92.128.0/17",
"203.104.144.0/21",
"91.108.8.0/22",
"91.108.12.0/22",
"91.108.16.0/22",
"149.154.160.0/20",
"3.123.36.126/32",
"35.157.215.84/32",
"35.157.217.255/32",
"52.58.209.134/32",
"54.93.124.31/32",
"54.162.243.80/32",
"54.173.34.141/32",
"54.235.23.242/32",
"169.45.248.118/32"
],
"outboundTag": "proxy"
}
]
}
}

TIP

本配置会劫持所有发往 53 端口的流量以解决 DNS 污染问题,所以客户端和本机的 DNS 服务器的地址可以随意配置。

此外,由于内置的 geoip.dat 文件无法完美实现路由分流,故在配置文件中格外添加了一些 IP。

3、策略路由配置

# ip route add local default dev lo table 100 # 添加路由表 100
# ip rule add fwmark 1 table 100 # 为路由表 100 设定规则

4、Netfilter 配置

注意

nftables 配置与 iptables 配置二选一,不可同时使用。

#!/usr/sbin/nft -f

flush ruleset

define RESERVED_IP = { 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

table ip xray {
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr $RESERVED_IP return
ip daddr 192.168.0.0/16 tcp dport != 53 return
ip daddr 192.168.0.0/16 udp dport != 53 return
ip protocol tcp tproxy to 127.0.0.1:12345 meta mark set 1
ip protocol udp tproxy to 127.0.0.1:12345 meta mark set 1
}
chain output {
type route hook output priority mangle; policy accept;
ip daddr $RESERVED_IP return
ip daddr 192.168.0.0/16 tcp dport != 53 return
ip daddr 192.168.0.0/16 udp dport != 53 return
meta mark 2 return
ip protocol tcp meta mark set 1
ip protocol udp meta mark set 1
}
}

使用方法

 

将上述配置写入一个文件(如 nft.conf),之后将该文件赋予可执行权限,最后使用 root 权限执行该文件即可(# ./nft.conf)。

配置完成后,将局域网内其它设备的默认网关改为该设备 IP,就可以直接翻墙了。在其它主机和本机皆测试成功后,可进行下一步配置。

5、配置永久化与开机自启

首先将已经编辑好的 nftables 配置文件移动到 /etc 目录下,并重命名为 nftables.conf。然后编辑 /lib/systemd/system/nftables.service

[Unit]
Description=nftables
Documentation=man:nft(8) http://wiki.nftables.org
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no

[Service] Type=oneshot RemainAfterExit=yes StandardInput=null ProtectSystem=full ProtectHome=true ExecStart=/usr/sbin/nft -f /etc/nftables.conf ; /usr/sbin/ip route add local default dev lo table 100 ; /usr/sbin/ip rule add fwmark 1 table 100 ExecReload=/usr/sbin/nft -f /etc/nftables.conf ExecStop=/usr/sbin/nft flush ruleset ; /usr/sbin/ip route del local default dev lo table 100 ; /usr/sbin/ip rule del table 100

[Install]
WantedBy=sysinit.target

最后 enable 即可。

相关文章:

  1. Xray透明代理transparent_proxy
  2. Cloudflare CDN自定义IP+Xray+WS+TLS,拯救垃圾线路小鸡,亲测10$/年PR小鸡满血复活
  3. 一键搭建Xray服务器,并使 WordPress 和宝塔面板共存
  4. Nginx SNI分流(端口复用)使用 Xray+VLESS+XTLS
标签:Xray, Xray透明代理, Xray配置教程

2条评论

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注