Choosing a bypass gateway for clash

Background

My network already uses RouterOS policy routing to forward selected traffic to a machine running clash, which gives me a "transparent proxy". Given where things stand now, here is a comparison of the different ways of running clash and how they differ.

Options

  1. A Linux VM on PVE running shellclash
  2. An OpenWrt VM on PVE running the nikki plugin
  3. An LXC on PVE running the clash-meta (mihomo) kernel under systemd

Comparison

Based on my own experience, here are the drawbacks of each. I have already switched to the third option.

shellclash

  • It depends heavily on a subscription-conversion service, and it has to be a stable and fast one; once the converter goes down, this thing keeps throwing errors and cannot update the subscription.
  • If you prepare your own config file and use proxy-provider, it is inconvenient: you have to upload the file to /tmp, which means opening another tool or installing something like lrzsz, and then restarting shellclash.
  • Its built-in download URLs for the geoip databases and the kernel, although they appear to use a CDN, are still very slow; downloading the kernel often takes several minutes, which is quite annoying and unfriendly for initial setup.

nikki

  • Just one problem: it runs on OpenWrt with hardly any plugins installed, apparently only docker with no services running in it, yet the whole VM eats 300M+ of memory. You can allocate more memory, but compared with the third option it is far behind. I later uninstalled docker and it was still the same. Because the VM was only given 512M, this caused constant connection drops; after a while it would just stop working, which at one point made me suspect my DNS was broken or the airport (subscription provider) was flaky. Even zashboard often stalled for a moment when opening.

systemd

  • Very good: with the same config file (proxy-provider), 150k+ rules and 200+ connections, it uses roughly 120M of memory.

Installing option 3

Remember to add these lines to the container's config on the PVE host (/etc/pve/lxc/<CTID>.conf), otherwise tun cannot be used inside the LXC. On Proxmox 7 and later, which run cgroup v2, the devices key is `lxc.cgroup2.devices.allow`; the `lxc.cgroup.devices.allow` form below is the cgroup v1 spelling.

```
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
```

Download the package for your platform from the releases page; since this is a Debian LXC, the deb package is the least effort.

https://github.com/MetaCubeX/mihomo/releases/download/v1.19.9/mihomo-linux-amd64-v1.19.9.deb

After downloading, `apt install ./mihomo-linux-amd64-v1.19.9.deb` is all it takes.

By default the binary is installed to /usr/bin.

Create the service file. The only thing to adjust from the upstream template is the ExecStart executable path: the template uses /usr/local/bin/mihomo, while the deb put the binary in /usr/bin, so the unit below already points there.

```sh
vim /etc/systemd/system/mihomo.service
```

```ini
[Unit]
Description=mihomo Daemon, Another Clash Kernel.
After=network.target NetworkManager.service systemd-networkd.service iwd.service

[Service]
Type=simple
LimitNPROC=500
LimitNOFILE=1000000
# There is no User= line, so the daemon runs as root; the bounding set only trims
# which capabilities root keeps. CAP_NET_ADMIN is what tun/auto-route actually need.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
Restart=always
ExecStartPre=/usr/bin/sleep 1s
# Path where the deb installed the binary (upstream template: /usr/local/bin/mihomo)
ExecStart=/usr/bin/mihomo -d /etc/mihomo
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
```

```sh
systemctl daemon-reload
systemctl enable mihomo
```

Then rename your config file to config.yaml, put it in /etc/mihomo, and start the service:

```sh
systemctl start mihomo
```

Key points in the config file

Since nikki's config-override feature is gone, basically every setting has to be done in the config file itself.

UI config

```yaml
external-controller: 0.0.0.0:9999
external-ui-name: zashboard
external-ui: /etc/mihomo/ui
external-ui-url: https://github.com/Zephyruso/zashboard/archive/refs/heads/gh-pages.zip
secret: ""
```

The dashboard is then reachable at http://x.x.x.x:9999/ui/zashboard/. Note that with `external-controller` bound to 0.0.0.0 and an empty `secret`, the REST API behind the dashboard accepts unauthenticated requests from anything that can reach port 9999: reading current connections, switching proxy groups, reloading the config. If the LAN is not fully trusted, set `secret` to a random token (the dashboard prompts for it and sends it as a Bearer token) or filter the port on the router.

DNS hijack config

I do not use fake-ip.

```yaml
dns:
  enable: true
  listen: 0.0.0.0:1053
  enhanced-mode: redir-host
  fake-ip-range: 198.18.0.1/16
  respect-rules: false
  prefer-h3: false
  ipv6: false
  use-system-hosts: false
  use-hosts: true
  default-nameserver:
    - adguardhome-dns        # placeholder: your AdGuard Home resolver
  proxy-server-nameserver:
    - adguardhome-doh        # placeholder: your own DoH service
  nameserver:
    - adguardhome-dns
  fallback:
    - adguardhome-dns
```

```yaml
tun:
  enable: true
  stack: mixed
  device: nikki
  dns-hijack: ["any:53","tcp://any:53"]
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true
  # mtu: 9000
  # gso: true
  # gso-max-size: 65536
  endpoint-independent-nat: false
```

Sniffing

In one sentence: don't enable it. The success rate is underwhelming. Besides, in my setup DNS queries for foreign addresses also go to clash's DNS service, so redir-host builds the domain-to-IP mapping on its own and traffic is split correctly without sniffing. In my early version every host resolved names on its own, domestic or foreign, so after RouterOS routed foreign traffic to clash, clash had no domain information for those IPs and could not split the foreign traffic.

```yaml
sniffer:
  enable: false
```
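To make the mechanism in that paragraph concrete, here is an added toy model (not mihomo code and not from the post) of what redir-host mode actually records and why a client that resolves names elsewhere defeats the domain rules. The host names, TEST-NET addresses and the three rules are constructed for the example.

```python
"""Toy model of redir-host routing behind a transparent gateway.

Added illustration for this post; it is not mihomo code. It models only the
one mechanism the text relies on: when the gateway itself answers a client's
DNS query (dns-hijack), it remembers answer-IP -> name, so a later flow to
that IP can be matched against domain rules. Hosts, IPs (TEST-NET ranges)
and rules below are constructed.
"""
import ipaddress

# Constructed "upstream" answers the gateway's resolver would hand back.
UPSTREAM = {
    "www.youtube.com": "203.0.113.10",
    "api.github.com": "203.0.113.20",
    "www.baidu.com": "192.0.2.5",
}


class RedirHostGateway:
    def __init__(self, domain_rules, ip_rules, final):
        self.domain_rules = domain_rules   # [(suffix, policy)], like DOMAIN-SUFFIX / geosite
        self.ip_rules = ip_rules           # [(cidr, policy)], like IP-CIDR / geoip
        self.final = final                 # the MATCH policy
        self.ip_to_domain = {}             # what redir-host learns from hijacked DNS

    def resolve(self, name):
        """A client's DNS query arrives via dns-hijack; remember ip -> name."""
        ip = UPSTREAM[name]
        self.ip_to_domain[ip] = name       # keyed by IP: a shared CDN IP keeps the last name
        return ip

    def route(self, dst_ip):
        """Pick a policy for a redirected flow to dst_ip (no sniffing)."""
        name = self.ip_to_domain.get(dst_ip)
        if name is not None:
            for suffix, policy in self.domain_rules:
                if name == suffix or name.endswith("." + suffix):
                    return policy, name
        addr = ipaddress.ip_address(dst_ip)
        for cidr, policy in self.ip_rules:
            if addr in ipaddress.ip_network(cidr):
                return policy, name
        return self.final, name


def build_gateway():
    return RedirHostGateway(
        domain_rules=[("youtube.com", "YouTube"), ("github.com", "GitHub"), ("cn", "DIRECT")],
        ip_rules=[("192.0.2.0/24", "DIRECT")],   # stands in for the cn_ip set
        final="CATCH-ALL",
    )


def scenario_hijacked_dns():
    """Client resolves through the gateway, as with dns-hijack: domain rules fire."""
    gw = build_gateway()
    ip = gw.resolve("www.youtube.com")
    return gw.route(ip)


def scenario_client_resolved_elsewhere():
    """Client used its own resolver (the post's early setup): the gateway only sees an IP."""
    gw = build_gateway()
    return gw.route(UPSTREAM["www.youtube.com"]), gw.route(UPSTREAM["www.baidu.com"])


if __name__ == "__main__":
    print("hijacked DNS:      ", scenario_hijacked_dns())
    print("resolved elsewhere:", scenario_client_resolved_elsewhere())
```

The second scenario is the early setup described above: RouterOS hands the gateway a flow to 203.0.113.10, but because the client asked some other resolver the gateway has no name for it and falls through to the IP rules and MATCH, while domestic traffic still matches on IP. The model also shows the known limit of redir-host: the map is keyed by IP, so when several names share one CDN address the last answer wins, which is the situation fake-ip was designed to avoid.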

LAN proxy and other settings

```yaml
mixed-port: 7890
allow-lan: true
bind-address: "*"
unified-delay: true
tcp-concurrent: true
find-process-mode: 'off'
global-client-fingerprint: chrome
```
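A small lint over the settings in this and the UI section (the full config below carries the same keys), added here as an illustration rather than code from the post or from mihomo. It flags the REST API exposed on 0.0.0.0 with an empty secret, the unauthenticated LAN proxy listeners, and `skip-cert-verify` on providers and proxies, then re-runs on a hardened copy. The `POSTED` and `HARDENED` dicts are constructed stand-ins for config.yaml with placeholder hosts (`example.invalid`); in real use load the file with PyYAML's `yaml.safe_load` and pass the result to `lint`.

```python
"""Lint the security-relevant knobs of a mihomo config.yaml.

Added example for this post; not mihomo code and not the author's. In
production: cfg = yaml.safe_load(open("/etc/mihomo/config.yaml")). Here the
relevant keys from the post's config are embedded as a constructed dict so
the checks run offline.
"""

WILDCARD_HOSTS = {"0.0.0.0", "::", "*", ""}


def listen_host(listen):
    """'0.0.0.0:9999' -> '0.0.0.0', '[::]:9999' -> '::', ':9999' -> ''."""
    if listen.startswith("["):
        return listen[1:listen.index("]")]
    host, _, _ = listen.rpartition(":")
    return host


def lint(cfg):
    """Return (severity, key, message) findings; severity is high/medium/info."""
    findings = []
    ec = cfg.get("external-controller")
    if ec and listen_host(ec) in WILDCARD_HOSTS:
        if not cfg.get("secret"):
            findings.append(("high", "external-controller",
                f"REST API listens on {ec} with an empty secret; anyone who can "
                "reach the port can read connections and switch proxy groups"))
        else:
            findings.append(("info", "external-controller",
                "API reachable on every interface; keep the secret long and random"))
    if (cfg.get("allow-lan") and cfg.get("bind-address", "*") in WILDCARD_HOSTS
            and not cfg.get("authentication")):
        ports = [k for k in ("mixed-port", "port", "socks-port") if cfg.get(k)]
        findings.append(("medium", ",".join(ports),
            "HTTP/SOCKS listeners are open to the whole LAN without credentials; "
            "add authentication: [\"user:pass\"] or filter the ports on the router"))
    for name, prov in (cfg.get("proxy-providers") or {}).items():
        if (prov.get("override") or {}).get("skip-cert-verify"):
            findings.append(("high", f"proxy-providers.{name}",
                "override.skip-cert-verify: true disables TLS verification for "
                "every node in the subscription (a MITM can impersonate the server)"))
    for proxy in cfg.get("proxies") or []:
        if proxy.get("skip-cert-verify"):
            findings.append(("high", f"proxies.{proxy.get('name')}",
                "skip-cert-verify: true; fix the server certificate instead"))
    dns = cfg.get("dns") or {}
    if dns.get("enable") and listen_host(dns.get("listen", "")) in WILDCARD_HOSTS:
        findings.append(("info", "dns.listen",
            "resolver answers on every interface; restrict it to the LAN on the router"))
    return findings


def highs(findings):
    return [f for f in findings if f[0] == "high"]


# Constructed sample mirroring the post's config.yaml (hosts are placeholders).
POSTED = {
    "mixed-port": 7890, "socks-port": 7891, "port": 7893,
    "allow-lan": True, "bind-address": "*",
    "external-controller": "0.0.0.0:9999", "secret": "",
    "proxy-providers": {"airport": {"type": "http", "url": "https://example.invalid/sub",
                                    "override": {"udp": True, "skip-cert-verify": True}}},
    "proxies": [{"name": "self-hosted", "type": "trojan", "server": "example.invalid",
                 "port": 443, "skip-cert-verify": True}],
    "dns": {"enable": True, "listen": "0.0.0.0:1053"},
}

# Same gateway, hardened: API token set, LAN proxy needs credentials, cert checks back on.
HARDENED = {
    **POSTED,
    "secret": "replace-with-output-of-openssl-rand-hex-32",
    "authentication": ["lan:replace-me"],
    "proxy-providers": {"airport": {"type": "http", "url": "https://example.invalid/sub",
                                    "override": {"udp": True}}},
    "proxies": [{"name": "self-hosted", "type": "trojan", "server": "example.invalid",
                 "port": 443}],
}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"== {label}")
        for sev, key, msg in lint(cfg):
            print(f"[{sev}] {key}: {msg}")
```

The medium finding stays in a hardened copy only if you keep `allow-lan` without `authentication`; on a gateway that is usually intended, so restrict the ports on RouterOS instead. The DNS and API "info" lines remain on purpose: a bypass gateway has to answer the LAN, but the router is where reachability should be limited.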

Full config

```yaml
# airport (subscription provider)
proxy-providers:
  airport-name:
    url: "subscription-url"
    type: http
    interval: 86400
    health-check:
      enable: true
      url: https://www.google.com/generate_204
      interval: 300
    proxy: 直连
    header:
      User-Agent:
      - "Clash"
      - "mihomo"
      - "Clash.meta"
    override:
      udp: true
      # disables TLS certificate verification for every node in this subscription
      skip-cert-verify: true
    
proxies:
  - name: self-hosted
    type: trojan
    server: xxxxx
    port: xxxxx
    client-fingerprint: chrome
    password: xxxx
    skip-cert-verify: true
    network: ws
    udp: true
    ws-opts:
      path: xxxxx
  # required: "直连" (direct) is referenced by the groups and rules below
  - name: 直连
    type: direct
    udp: true

port: 7893
socks-port: 7891
redir-port: 7892
tproxy-port: 7894
mixed-port: 7890
allow-lan: true
bind-address: "*"
ipv6: false
unified-delay: true
tcp-concurrent: true
log-level: warning
mode: rule
find-process-mode: 'off'
global-client-fingerprint: chrome
keep-alive-idle: 600
keep-alive-interval: 15
disable-keep-alive: false
profile:
  store-selected: true
  store-fake-ip: true

# geo data
geo-auto-update: true
geo-update-interval: 24
geodata-mode: true
geodata-loader: memconservative
geox-url:
  geoip: "https://ghfast.top/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat"
  geosite: "https://ghfast.top/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat"
  mmdb: "https://ghfast.top/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.metadb"
  asn: "https://ghfast.top/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/GeoLite2-ASN.mmdb"

# UI
external-controller: 0.0.0.0:9999
external-ui: /etc/mihomo/ui
external-ui-url: https://github.com/Zephyruso/zashboard/archive/refs/heads/gh-pages.zip
secret: ""


dns:
  enable: true
  listen: 0.0.0.0:1053
  enhanced-mode: redir-host
  fake-ip-range: 198.18.0.1/16
  respect-rules: false
  prefer-h3: false
  ipv6: false
  use-system-hosts: false
  use-hosts: true
  default-nameserver:
    - adguardhome-dns        # placeholder: AdGuard Home ad-blocking resolver
  proxy-server-nameserver:
    - adguardhome-doh        # placeholder: self-hosted AdGuard Home DoH
  nameserver:
    - adguardhome-dns
  fallback:
    - adguardhome-dns



sniffer:
  enable: false

tun:
  enable: true
  # can be changed to system if UDP is not proxied
  stack: mixed
  # any name works
  device: nikki
  dns-hijack: ["any:53","tcp://any:53"]
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true
  # mtu: 9000
  # gso: true
  # gso-max-size: 65536
  endpoint-independent-nat: false
  

# outbound policy
# anchors must be defined above where they are referenced; you can put them all at the top of the yaml
# group names are kept as-is: 默认代理 = default proxy, 低倍率/高倍率 = low/high multiplier,
# 直连 = direct, 漏网之鱼 = catch-all, 全部节点 = all nodes, 自动选择 = auto select
pr: &pr {type: select, proxies: [🚀 默认代理, 🕊️ 低倍率,🚄 高倍率,🇭🇰 香港,🇺🇸 美国, 🇯🇵 日本, 🇸🇬 新加坡, 🇹🇼 台湾, 🇰🇷 韩国,BPB,🇲🇾 马来西亚,直连]}
# everyday proxy group
prn: &prn {type: select, proxies: [🚀 默认代理, 🕊️ 低倍率,🚄 高倍率,🇭🇰 香港, 🇯🇵 日本, 🇸🇬 新加坡, 🇹🇼 台湾,BPB,🇲🇾 马来西亚,直连]}
# residential-IP group for AI services
prai: &prai {type: select, proxies: [🚀 默认代理, 🇺🇸 美国,🏡 OPENAI,直连]}
proxy-groups:
  - {name: 🚀 默认代理, type: select, proxies: [🕊️ 低倍率,🚄 高倍率,🇭🇰 香港,🇺🇸 美国, 🇯🇵 日本, 🇸🇬 新加坡, 🇹🇼 台湾,🇰🇷 韩国,BPB,🇲🇾 马来西亚,直连]}
  - {name: 📹 YouTube, <<: *prn}
  - {name: 🍀 Google, <<: *prn}
  - {name: 🤖 ChatGPT, <<: *prai}
  - {name: 🎮 Steam, <<: *prn}
  - {name: 👨🏿‍💻 GitHub, <<: *prn}
  - {name: 🐬 OneDrive, type: select, proxies: [直连, 🚀 默认代理]}
  - {name: 🪟 Microsoft, type: select, proxies: [直连, 🚀 默认代理]}
  - {name: 🎵 TikTok, <<: *pr}
  - {name: 📲 Telegram, <<: *prn}
  - {name: 🎥 NETFLIX, <<: *pr}
  - {name: ✈️ Speedtest, <<: *prn}
  - {name: 📲 TVDB, <<: *pr}
  - {name: 💶 PayPal, <<: *pr}
  - {name: 🍎 Apple, type: select, proxies: [直连, 🚀 默认代理]}
  - {name: 🎯 直连, type: select, proxies: [直连, 🚀 默认代理]}
  - {name: 🐟 漏网之鱼, <<: *pr}
  - {name: BPB, type: url-test, include-all: true,filter: "(?=.*(VLESS|Domain|Clean|IPv4|IPv6|Trojan))"}
  - {name: 🕊️ 低倍率, type: url-test, include-all: true, filter: "(?=.*(0.5|0.5倍|0.5x|0.9|x1|x1.2|x1.5|转发))"}
  - {name: 🚄 高倍率, type: url-test, include-all: true, filter: "(?=.*(x2|ˣ²|x8|x4|x3|专线))"}
  - {name: 🏡 OPENAI, type: select, include-all: true, filter: "(?=.*(家宽|家庭|住宅|Home))^((?!(港|HK|hk|Hong Kong|HongKong|hongkong|深港|新加坡|坡|狮城|韩|阿|越|哈|尼|瑞典|奥|克|埃及|新西兰|多哥|秘鲁|菲律宾|波兰|澳大|阿根廷|马来|SG|Singapore|台|新北|彰化|TW|Taiwan)).)*$"}
  - {name: 🏡 原生, type: url-test, include-all: true, filter: "(原生)"}
  - {name: 🏡 家宽, type: select, include-all: true, filter: "(家宽|家庭|住宅|Home)"}
  - {name: 🇭🇰 香港, type: select, include-all: true, filter: "(港|HK|hk|Hong Kong|HongKong|hongkong|深港)"}
  - {name: 🇯🇵 日本, type: select, include-all: true, filter: "(日本|川日|东京|大阪|泉日|埼玉|沪日|深日|JP|Japan)"}
  - {name: 🇸🇬 新加坡, type: select, include-all: true, filter: "(新加坡|坡|狮城|SG|Singapore)"}
  - {name: 🇹🇼 台湾, type: select, include-all: true, filter: "(台|新北|彰化|TW|Taiwan)"}
  - {name: 🇰🇷 韩国, type: select, include-all: true, filter: "(KR|Korea|KOR|首尔|韩|韓)"}
  - {name: 🇺🇸 美国, type: select, include-all: true, filter: "(美|波特兰|达拉斯|俄勒冈|凤凰城|费利蒙|硅谷|拉斯维加斯|洛杉矶|圣何塞|圣克拉拉|西雅图|芝加哥|US|United States|UnitedStates)"}
#  - {name: 🇨🇦 加拿大, type: url-test, include-all: true, filter: "(加拿大|CA|Canada)"}
#  - {name: 🇬🇧 英国, type: url-test, include-all: true, filter: "(英|伦敦|UK|United Kingdom)"}
#  - {name: 🇫🇷 法国, type: url-test, include-all: true, filter: "(法|巴黎|FR|France)"}
#  - {name: 🇩🇪 德国, type: url-test, include-all: true, filter: "(德|柏林|DE|Germany)"}
  # - {name: 🇳🇱 荷兰, type: url-test, include-all: true, filter: "(荷|阿姆斯特丹|NL|Netherlands)"}
#  - {name: 🇹🇷 土耳其, type: url-test, include-all: true, filter: "(土|伊斯坦布尔|TR|Turkey)"}
#  - {name: 🇻🇳 越南, type: url-test, include-all: true, filter: "(越|VN|Vietnam)"}
#  - {name: 🇳🇬 尼日利亚, type: url-test, include-all: true, filter: "(尼日利亚|NG|Nigeria)"}
#  - {name: 🇷🇺 俄罗斯, type: url-test, include-all: true, filter: "(俄|莫斯科|RU|Russia)"}
  - {name: 🇲🇾 马来西亚, type: select,include-all: true, filter: "(马来|MY)"}
  - {name: ♻️ 自动选择, type: url-test, include-all: true, tolerance: 20, interval: 300, filter: "^((?!(直连|官网)).)*$"}
  - {name: 🌐 全部节点, type: select, include-all: true}



# rules
rules:
  - DOMAIN-SUFFIX,qichiyu.com,🚀 默认代理
  - RULE-SET,private_domain,直连
  - RULE-SET,steam_cn,直连
  - RULE-SET,steam,🎮 Steam
  - RULE-SET,steam_cdn,🎮 Steam
  - RULE-SET,apple_domain,🍎 Apple
  - RULE-SET,tmdb_domain,📲 TVDB
  - RULE-SET,tvdb_domain,📲 TVDB
  - RULE-SET,proxylite,🚀 默认代理
  - RULE-SET,ai,🤖 ChatGPT
  - RULE-SET,github_domain,👨🏿‍💻 GitHub
  - RULE-SET,youtube_domain,📹 YouTube
  - RULE-SET,google_domain,🍀 Google
  - RULE-SET,onedrive_domain,🐬 OneDrive
  - RULE-SET,microsoft_domain,🪟 Microsoft
  - RULE-SET,tiktok_domain,🎵 TikTok
  - RULE-SET,speedtest_domain,✈️ Speedtest
  - RULE-SET,telegram_domain,📲 Telegram
  - RULE-SET,netflix_domain,🎥 NETFLIX
  - RULE-SET,paypal_domain,💶 PayPal
  
  - RULE-SET,gfw_domain,🚀 默认代理
  - RULE-SET,geolocation-!cn,🚀 默认代理
  - RULE-SET,cn_domain,🎯 直连
  - RULE-SET,google_ip,🍀 Google,no-resolve
  - RULE-SET,netflix_ip,🎥 NETFLIX,no-resolve
  - RULE-SET,telegram_ip,📲 Telegram,no-resolve
  
  - RULE-SET,cn_ip,🎯 直连
  - MATCH,🐟 漏网之鱼

rule-anchor:
  ip: &ip {type: http, interval: 86400, behavior: ipcidr, format: mrs}
  domain: &domain {type: http, interval: 86400, behavior: domain, format: mrs}
  class: &class {type: http, interval: 86400, behavior: classical, format: text}
rule-providers: 
  private_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/private.mrs"}
  proxylite: { <<: *class, url: "https://ghfast.top/https://raw.githubusercontent.com/qichiyuhub/rule/refs/heads/main/proxy.list"}
  ai: {  <<: *domain, url: "https://ghfast.top/https://github.com/MetaCubeX/meta-rules-dat/raw/refs/heads/meta/geo/geosite/category-ai-!cn.mrs" }
  youtube_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/youtube.mrs"}
  google_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/google.mrs"}
  github_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/github.mrs"}
  telegram_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/telegram.mrs"}
  netflix_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/netflix.mrs"}
  paypal_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/paypal.mrs"}
  onedrive_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/onedrive.mrs"}
  microsoft_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/microsoft.mrs"}
  apple_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/apple-cn.mrs"}
  speedtest_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/ookla-speedtest.mrs"}
  tiktok_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/tiktok.mrs"}
  gfw_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/gfw.mrs"}
  geolocation-!cn: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/geolocation-!cn.mrs"}
  cn_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/cn.mrs"}
  steam_cn: { <<: *class, url: "https://ghfast.top/https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Clash/SteamCN/SteamCN.list"}
  steam: { <<: *class, url: "https://ghfast.top/https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Clash/Steam/Steam.list"}
  steam_cdn: { <<: *class, url: "https://ghfast.top/https://raw.githubusercontent.com/Aethersailor/Custom_OpenClash_Rules/main/rule/Steam_CDN.list"}
  tmdb_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/tmdb.mrs"}
  tvdb_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/tvdb.mrs"}
  # not referenced by any rule above; kept as defined
  slack_domain: { <<: *domain, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/slack.mrs"}
  cn_ip: { <<: *ip, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/cn.mrs"}
  google_ip: { <<: *ip, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/google.mrs"}
  telegram_ip: { <<: *ip, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/telegram.mrs"}
  netflix_ip: { <<: *ip, url: "https://ghfast.top/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/netflix.mrs"}
```

Licensed under CC BY-NC-SA 4.0