salmonstill/server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

第一次初始化

Browse Source
This commit is contained in:
salmonstill
2026-04-24 00:42:59 +08:00
commit 6ef19d5be9
11 changed files with 1249 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
VPS流量转发架构说明.md
+86
View File
@@ -0,0 +1,86 @@
# VPS流量转发架构说明
## 总览
这套架构基于Xray+Nginx SNI分流实现,完全基于443端口HTTPS流量伪装,实现三个核心功能:
1. 反向代理内网服务到公网(无需公网IPv6/端口映射)
2. 异地多VPS链路中转代理(mihomo客户端接入)
3. 统一公网入口流量管理(所有流量走443端口,无额外端口暴露)
---
## 设备清单说明
| 设备 | IP/域名 | 说明 |
|---|---|---|
| 北京VPS | `salmonstill.cn` | 公网入口节点,Nginx+Xray服务部署在这里 |
| 东京VPS | `tokyo.salmonstill.cn` | 代理出口节点,Xray服务部署在这里 |
| 旁路由 | `192.168.1.199` | 内网反向代理节点,Xray桥接服务部署在这里 |
| NAS | `192.168.1.188` | 内网存储服务,部署了思源笔记、绿联云管理界面 |
| Windows台式机 | `192.168.1.177` | 内网办公设备,提供WSL SSH服务 |
---
## 核心组件说明
### 1. 北京VPS(公网入口节点)
#### Nginx Stream SNI分流层
配置文件:`beijing-vps-stream.conf`
根据SSL握手阶段的ServerName字段,将不同域名的流量转发到不同后端服务:
| 域名 | 后端服务 | 作用 |
|---|---|---|
| `www.apple.com` | Xray 9443端口 | 旁路由反向代理隧道 |
| `www.microsoft.com` | Xray 9444端口 | Mihomo客户端代理入口 |
| `drive.salmonstill.cn` | 38653端口 | 绿联云NAS服务直接转发 |
| 其他域名 | Nginx Proxy Manager 8443端口 | 常规Web服务管理 |
#### Xray服务层
配置文件:`beijing-vps-config.json`
包含两个核心入站和一个出站:
- **interconn入站(9443端口)**VLESS+Reality协议,接收旁路由的反向代理桥接连接
- **mihomo_in入站(9444端口)**VLESS+Reality协议,接收外部Mihomo客户端的代理连接
- **to_tokyo出站**VLESS+Reality协议,将代理流量转发到东京VPS出口
---
### 2. 旁路由(内网反向代理节点)
配置文件:`旁路由-config.json`
基于Xray反向代理桥接模式实现内网服务穿透:
- **bridge桥接组件**:和北京VPS的portal组件建立永久隧道,将公网过来的反向代理流量转发到内网
- 路由规则根据端口自动转发到对应内网服务:
| 端口 | 内网目标 | 服务 |
|---|---|---|
| 38653 | 192.168.1.188:9443 | NAS管理界面 |
| 38654 | 192.168.1.188:5005 | 思源笔记 |
| 38655 | 192.168.1.177:22 | WSL SSH服务 |
| 39132 | 127.0.0.1:39132 | Minecraft游戏服务 |
---
### 3. 东京VPS(代理出口节点)
配置文件:`tokyo-vps-config.json`
极简配置的Xray出口节点:
- 入站:VLESS+Reality协议,接收北京VPS转发的代理请求
- 出站:直接freedom出口访问国际网络
---
## 流量路径说明
### 1. 内网服务反向代理访问路径(比如访问drive.salmonstill.cn
```
用户 → 北京VPS 443端口 → Nginx匹配SNI `drive.salmonstill.cn` → 转发到38653端口 dokodemo-door入站
→ Xray路由转发到portal反向代理组件 → 走已经建立的隧道到旁路由bridge组件
→ 旁路由路由匹配端口38653 → 转发到内网NAS 192.168.1.188:9443 → 响应原路返回
```
### 2. Mihomo代理访问路径
```
Mihomo客户端 → 北京VPS 443端口 → Nginx匹配SNI `www.microsoft.com` → 转发到9444端口 mihomo_in入站
→ Xray路由转发到to_tokyo出站 → 加密传输到东京VPS 443端口 → 东京Xray入站接收请求
→ 直接访问国际网络 → 响应原路返回
```
---
## 架构优势
1. **极致伪装**:所有流量都走443端口HTTPS,不同流量通过SNI区分,完全和正常网站访问一致,无特征被封
2. **零额外端口暴露**:除了443端口没有任何公网开放端口,安全性拉满
3. **高可用性**:反向代理隧道永久在线,内网服务无需公网IP/端口映射即可访问
4. **性能损耗低**Xray Reality协议性能优异,中转延迟增加<10ms
5. **易扩展**:新增内网服务只需要在旁路由添加对应的路由规则即可,无需修改公网配置
---
## 配置要点
1. Reality公私钥配对:客户端的publicKey必须和对应服务端的privateKey严格匹配
2. SNI一致性:客户端请求的ServerName必须和Nginx分流规则以及Xray Reality配置的serverNames完全一致
3. 端口映射:Nginx分流的后端端口必须和Xray入站监听端口严格对应
beijing-vps-stream.conf
+27
View File
@@ -0,0 +1,27 @@
stream {
map $ssl_preread_server_name $backend {
www.apple.com xray; # 旁路由反向代理隧道
www.microsoft.com mihomo; # 新增:mihomo出站流量
drive.salmonstill.cn nas; # 绿联云服务
default npm; # Nginx Proxy Manager
}
upstream xray {
server 127.0.0.1:9443;
}
# 新增mihomo upstream
upstream mihomo {
server 127.0.0.1:9444;
}
upstream nas {
server 127.0.0.1:38653;
}
upstream npm {
server 127.0.0.1:8443;
}
server {
listen 443 reuseport;
listen [::]:443 reuseport;
ssl_preread on;
proxy_pass $backend;
}
}
subscribe-7891-only.yaml
+49
View File
@@ -0,0 +1,49 @@
mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
external-controller: '127.0.0.1:9090'
find-process-mode: off
dns:
enable: true
ipv6: false
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
default-nameserver:
- tls://223.5.5.5
- tls://223.6.6.6
nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
respect-rules: false
proxies:
- name: Xray-Real
type: vless
server: salmonstill.cn
port: 443
uuid: "113e167a-a2be-4b46-9010-60020108626c"
udp: true
flow: xtls-rprx-vision
packet-encoding: xudp
tls: true
servername: www.microsoft.com
client-fingerprint: chrome
reality-opts:
public-key: "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs"
short-id: "7c947a71b94f369e"
network: tcp
listeners:
- name: global-mixed
type: mixed
port: 7891
listen: 0.0.0.0
udp: true
proxy: Xray-Real
rules:
- MATCH,DIRECT
subscribe.yaml
+307
View File
@@ -0,0 +1,307 @@
# ========================
# Clash-ALL 思路(单上游 Xray Reality 精简版) + 额外端口:7891 全局代理 + 7892 强制直连
# ========================
mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
external-controller: '127.0.0.1:9090'
find-process-mode: off
dns:
enable: true
ipv6: false
prefer-h3: false
use-hosts: false
use-system-hosts: true
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
fake-ip-filter:
- geosite:private
- geosite:tracker
- geosite:cn
- geosite:apple@cn
- geosite:microsoft@cn
- geosite:microsoft
- '+.lan'
- '+.local'
default-nameserver:
- tls://223.5.5.5
- tls://223.6.6.6
nameserver:
- https://9.9.9.9/dns-query
- https://149.112.112.112/dns-query
- https://94.140.14.14/dns-query
- https://94.140.15.15/dns-query
proxy-server-nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
direct-nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
respect-rules: true
# ========================
# 代理定义
# ========================
proxies:
- name: 直连
type: direct
- name: 拒绝
type: reject
- name: Xray-Real
type: vless
server: salmonstill.cn
port: 443
uuid: "113e167a-a2be-4b46-9010-60020108626c"
udp: true
flow: xtls-rprx-vision
packet-encoding: xudp
tls: true
servername: www.microsoft.com
client-fingerprint: chrome
reality-opts:
public-key: "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs"
short-id: "7c947a71b94f369e"
network: tcp
# ========================
# 策略组
# ========================
proxy-groups:
- name: 国内
type: select
proxies: [直连]
- name: 国外
type: select
proxies: [Xray-Real, 直连]
- name: Steam-rule
type: select
proxies: [国内, 国外, 直连]
- name: Microsoft-rule
type: select
proxies: [国内, 国外, 直连]
- name: AI
type: select
proxies: [国外, 国内, 直连]
- name: Stream Media
type: select
proxies: [国外, 国内, 直连]
- name: GitHub
type: select
proxies: [国外, 国内, 直连]
- name: Crypto
type: select
proxies: [国外, 国内, 直连]
- name: Block
type: select
proxies: [拒绝, 直连]
- name: 其他
type: select
proxies: [国内, 国外, 直连, 拒绝]
# ========================
# rule-providers
# ========================
rule-providers:
Ads:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/category-ads-all.mrs
path: ./rule-providers/ads.mrs
proxy: 国外
Private_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/private.mrs
path: ./rule-providers/private_domain.mrs
proxy: 国外
Private_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/private.mrs
path: ./rule-providers/private_ip.mrs
proxy: 国外
China_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/cn.mrs
path: ./rule-providers/cn_domain.mrs
proxy: 国外
China_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/cn.mrs
path: ./rule-providers/cn_ip.mrs
proxy: 国外
Oracle:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/oracle.mrs
path: ./rule-providers/oracle.mrs
proxy: 国外
OpenAI:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/openai.mrs
path: ./rule-providers/openai.mrs
proxy: 国外
GitHub_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/github.mrs
path: ./rule-providers/github.mrs
proxy: 国外
Netflix_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/netflix.mrs
path: ./rule-providers/netflix_domain.mrs
proxy: 国外
Netflix_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/netflix.mrs
path: ./rule-providers/netflix_ip.mrs
proxy: 国外
Steam_CN:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/steam@cn.mrs
path: ./rule-providers/steam_cn.mrs
proxy: 国外
Steam:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/steam.mrs
path: ./rule-providers/steam.mrs
proxy: 国外
GFW:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/gfw.mrs
path: ./rule-providers/gfw.mrs
proxy: 国外
Geo_NoCN:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/geolocation-!cn.mrs
path: ./rule-providers/geo_nocn.mrs
proxy: 国外
Microsoft:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/microsoft.mrs
path: ./rule-providers/microsoft.mrs
proxy: 国外
Crypto:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/category-cryptocurrency.mrs
path: ./rule-providers/crypto.mrs
proxy: 国外
# ========================
# 多监听器部分
# ========================
listeners:
- name: global-mixed
type: mixed
port: 7891
listen: 127.0.0.1
udp: true
proxy: Xray-Real
- name: direct-mixed
type: mixed
port: 7892
listen: 127.0.0.1
udp: true
proxy: 直连
# ========================
# rules
# ========================
rules:
- DOMAIN,vs18.bj2cu.u3.ucweb.com,拒绝
- DOMAIN-SUFFIX,salmonstill.cn,直连
- DOMAIN-KEYWORD,raylink,直连
- IP-CIDR,49.232.242.90/32,直连
- IP-CIDR,43.165.178.10/32,直连
- RULE-SET,Ads,Block
- RULE-SET,Private_Domain,国内
- RULE-SET,Private_IP,国内,no-resolve
- RULE-SET,China_Domain,国内
- RULE-SET,Oracle,国内
- RULE-SET,China_IP,国内,no-resolve
- RULE-SET,OpenAI,AI
- RULE-SET,GitHub_Domain,GitHub
- RULE-SET,Netflix_Domain,Stream Media
- RULE-SET,Netflix_IP,Stream Media,no-resolve
- RULE-SET,Steam_CN,国内
- RULE-SET,Steam,Steam-rule
- RULE-SET,Microsoft,Microsoft-rule
- RULE-SET,Crypto,Crypto
- RULE-SET,GFW,国外
- RULE-SET,Geo_NoCN,国外
- MATCH,其他
tokyo-vps-config.json
+44
View File
@@ -0,0 +1,44 @@
{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 9443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "4d222c16-53bb-4402-814e-c8188cebcea6",
"level": 0,
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"dest": "www.microsoft.com:443",
"xver": 0,
"serverNames": [
"www.microsoft.com"
],
"privateKey": "iBlu3eH1VLf1S5Qw87m_1w0TGYUktDwHAzgpQ2aKuGI",
"shortIds": [
"a1b2c3d4"
]
}
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
}
]
}
xray-北京vps-config.json
+290
View File
@@ -0,0 +1,290 @@
{
"log": {
"loglevel": "warning"
},
"reverse": {
"portals": [
{
"tag": "portal",
"domain": "reverse-proxy.xray.internal"
}
]
},
"inbounds": [
{
"tag": "external",
"listen": "0.0.0.0",
"port": 38653,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 38653,
"network": "tcp"
}
},
{
"tag": "external_siyuan",
"listen": "0.0.0.0",
"port": 38654,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 38654,
"network": "tcp"
}
},
{
"tag": "external_minecraft",
"listen": "0.0.0.0",
"port": 39132,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 39132,
"network": "tcp"
}
},
{
"tag": "external_wsl",
"listen": "0.0.0.0",
"port": 38655,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 38655,
"network": "tcp"
}
},
{
"tag": "external_nas_ssh",
"listen": "0.0.0.0",
"port": 38656,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 38656,
"network": "tcp"
}
},
{
"tag": "external_router_ssh",
"listen": "0.0.0.0",
"port": 38657,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 38657,
"network": "tcp"
}
},
{
"tag": "proxy_in",
"listen": "127.0.0.1",
"port": 10809,
"protocol": "mixed",
"settings": {
"udp": true
}
},
{
"tag": "external_router_web",
"listen": "0.0.0.0",
"port": 39766,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 39766,
"network": "tcp"
}
},
{
"tag": "external_tmp",
"listen": "0.0.0.0",
"port": 8501,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 8501,
"network": "tcp"
}
},
{
"tag": "interconn",
"listen": "127.0.0.1",
"port": 9443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"target": "www.apple.com:443",
"serverNames": [
"www.apple.com"
],
"privateKey": "GGT9LfN_2JdQG68cwrULgUK-adfT6wIokLzWjaB0fXs",
"shortIds": [
"7c947a71b94f369e"
]
}
}
},
{
"tag": "mihomo_in",
"listen": "127.0.0.1",
"port": 9444,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"target": "www.microsoft.com:443",
"serverNames": [
"www.microsoft.com"
],
"privateKey": "GGT9LfN_2JdQG68cwrULgUK-adfT6wIokLzWjaB0fXs",
"shortIds": [
"7c947a71b94f369e"
]
}
}
}
],
"outbounds": [
{
"tag": "direct",
"protocol": "freedom"
},
{
"tag": "to_tokyo",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "tokyo.salmonstill.cn",
"port": 443,
"users": [
{
"id": "4d222c16-53bb-4402-814e-c8188cebcea6",
"encryption": "none",
"flow": "xtls-rprx-vision"
}
]
}
]
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"fingerprint": "chrome",
"serverName": "www.microsoft.com",
"password": "jr_zQjC4mvlQITuG5Ap5Mxqe5EBbGyyvwbVLDEi8OCA",
"shortId": "a1b2c3d4",
"spiderX": "/"
}
}
}
],
"routing": {
"rules": [
{
"type": "field",
"inboundTag": [
"external"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_siyuan"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_minecraft"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_wsl"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_nas_ssh"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_router_ssh"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_tmp"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_router_web"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"proxy_in"
],
"outboundTag": "to_tokyo"
},
{
"type": "field",
"inboundTag": [
"interconn"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"mihomo_in"
],
"outboundTag": "to_tokyo"
}
]
}
}
xray-旁路由-config.json
+183
View File
@@ -0,0 +1,183 @@
{
"log": {
"loglevel": "info"
},
"reverse": {
"bridges": [
{
"tag": "bridge",
"domain": "reverse-proxy.xray.internal"
}
]
},
"outbounds": [
{
"tag": "to_nas",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.188:9443"
}
},
{
"tag": "to_siyuan",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.188:5005"
}
},
{
"tag": "to_wsl",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.177:22"
}
},
{
"tag": "to_nas_ssh",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.188:22"
}
},
{
"tag": "to_router_ssh",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.199:22"
}
},
{
"tag": "to_router_web",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.199:80"
}
},
{
"tag": "to_minecraft",
"protocol": "freedom",
"settings": {
"redirect": "127.0.0.1:39132"
}
},
{
"tag": "to_tmp",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.177:8501"
}
},
{
"tag": "interconn",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "salmonstill.cn",
"port": 443,
"users": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"encryption": "none",
"flow": "xtls-rprx-vision"
}
]
}
]
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"fingerprint": "chrome",
"serverName": "www.apple.com",
"password": "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs",
"shortId": "7c947a71b94f369e",
"spiderX": "/search?q=xray"
}
}
},
{
"tag": "direct",
"protocol": "freedom"
}
],
"routing": {
"rules": [
{
"type": "field",
"inboundTag": [
"bridge"
],
"domain": [
"full:reverse-proxy.xray.internal"
],
"outboundTag": "interconn"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38654",
"outboundTag": "to_siyuan"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38655",
"outboundTag": "to_wsl"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38656",
"outboundTag": "to_nas_ssh"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38657",
"outboundTag": "to_router_ssh"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "8501",
"outboundTag": "to_tmp"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "39766",
"outboundTag": "to_router_web"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "39132",
"outboundTag": "to_minecraft"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"outboundTag": "to_nas"
}
]
}
}
东京-vps-stream.conf
+18
View File
@@ -0,0 +1,18 @@
stream {
map $ssl_preread_server_name $backend {
www.microsoft.com xray;
default npm;
}
upstream xray {
server 127.0.0.1:9443;
}
upstream npm {
server 127.0.0.1:8443;
}
server {
listen 443 reuseport;
listen [::]:443 reuseport;
ssl_preread on;
proxy_pass $backend;
}
}
我的世界udp转发.md
+245
View File
@@ -0,0 +1,245 @@
# Minecraft 基岩版 UDP 转发配置文档
## 架构
```
公网玩家 (UDP 19132)
北京VPS (salmonstill.cn)
socat 监听 19132 → 转发到 10.0.0.2:19132
↓ WireGuard 隧道
旁路由 ImmortalWrt (192.168.1.199 / 10.0.0.2)
nftables 端口转发 + SNAT
NAS (192.168.1.188:19132)
Minecraft 基岩版 Docker 容器
```
---
## 设备信息
| 设备 | IP | 系统 |
|---|---|---|
| 北京VPS | `salmonstill.cn` / `49.232.242.90` | Ubuntu 22.04 |
| 旁路由 | `192.168.1.199` / WG隧道: `10.0.0.2` | ImmortalWrt 24.10 (GL-MT2500) |
| NAS | `192.168.1.188` | 绿联云 UGOS |
---
## 第一部分:北京VPS 配置
### WireGuard 配置 `/etc/wireguard/wg0.conf`
```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <北京VPS私钥>
MTU = 1420
# 回包源地址转换(必须,否则公网玩家收不到回包)
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
[Peer]
# 旁路由
PublicKey = 9jPlaUhx2Dc+C5ZqJx6Iu8GtNMig3cFIoqfHg8PZbCA=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
```
> ⚠️ 不使用 iptables DNAT 转发,改用 socat 处理 UDP 转发,避免 conntrack 连接跟踪问题导致回包丢失。
### 开启内核转发
```bash
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
```
### 开放防火墙端口
```bash
ufw allow 51820/udp # WireGuard
ufw allow 19132/udp # Minecraft 基岩版
```
### 启动 WireGuard
```bash
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
```
### socat UDP 转发
socat 监听公网 19132 端口,收到包后转发给旁路由隧道 IP,并维护连接状态确保回包正确返回。
创建 systemd service
```bash
nano /etc/systemd/system/mc-forward.service
```
```ini
[Unit]
Description=Minecraft UDP Forward
After=network.target
[Service]
ExecStart=/usr/bin/socat UDP4-LISTEN:19132,fork,reuseaddr UDP4:10.0.0.2:19132
Restart=always
[Install]
WantedBy=multi-user.target
```
启动并设置开机自启:
```bash
systemctl daemon-reload
systemctl enable mc-forward
systemctl start mc-forward
```
---
## 第二部分:旁路由 ImmortalWrt 配置
### WireGuard 接口配置
路径:**网络 → 接口 → 添加新接口**
**常规设置:**
| 字段 | 值 |
|---|---|
| 接口名称 | `WireGuard` |
| 协议 | `WireGuard VPN` |
| 私钥 | `<旁路由私钥>` |
| IP 地址 | `10.0.0.2/24` |
| 监听端口 | 不填 |
**防火墙设置:** 加入 `wan` 区域
**Peers → 添加对端:**
| 字段 | 值 |
|---|---|
| 公钥 | `n159R7bNB+tW3Br0cok2zA27Pzg2WSPTI9uQ9odOFyU=` |
| 端点主机 | `salmonstill.cn` |
| 端点端口 | `51820` |
| 允许的 IP | `0.0.0.0/0` |
| 路由允许的 IP | ✅ 勾选 |
| 持续 Keep-Alive | `25` |
> ⚠️ 允许的 IP 必须设为 `0.0.0.0/0`,否则 WireGuard 会丢弃来自公网玩家 IP 的包。
### 端口转发配置
路径:**网络 → 防火墙 → 端口转发 → 添加**
| 字段 | 值 |
|---|---|
| 名称 | `Minecraft-udp` |
| 协议 | `UDP` |
| 源区域 | `wan` |
| 外部端口 | `19132` |
| 目标区域 | `lan` |
| 内部 IP 地址 | `192.168.1.188` |
| 内部端口 | `19132` |
### SNAT 配置
路径:**网络 → 防火墙 → NAT 规则 → 添加**
| 字段 | 值 |
|---|---|
| 名称 | `minecraft-snat` |
| 地址族限制 | `仅 IPv4` |
| 协议 | `UDP` |
| 出站区域 | `lan` |
| 目标地址 | `192.168.1.188` |
| 目标端口 | `19132` |
| 操作 | `SNAT - 重写为特定的源 IP 或端口` |
| 重写 IP 地址 | `192.168.1.199` |
> SNAT 的作用:将转发给 NAS 的包源 IP 改为旁路由 IP,确保 NAS 的回包发回给旁路由而不是直接走主路由,避免回包路径不对称。
---
## 第三部分:NAS Docker 配置
使用 `network_mode: host` 避免 Docker NAT 导致的 IP 映射问题。
```yaml
services:
bedrock:
image: itzg/minecraft-bedrock-server:2026.2.1
container_name: mc-bedrock
network_mode: host
stdin_open: true
tty: true
environment:
EULA: "TRUE"
VERSION: "1.26.14.1"
TZ: "Asia/Shanghai"
OPS: "2535472561115036"
volumes:
- /volume2/ProgramsV2/minecraft:/data
restart: unless-stopped
```
---
## 第四部分:验证
### 检查 WireGuard 隧道
```bash
# 旁路由
wg show
# 正常应有 latest handshake 和双向 transfer
```
### 检查 socat 运行状态
```bash
systemctl status mc-forward
```
### 抓包验证完整链路
```bash
# VPS 上抓 wg0,确认双向流量
tcpdump -i wg0 udp port 19132 -n
# 旁路由抓 br-lan,确认转发到 NAS
tcpdump -i br-lan udp port 19132 -n
# NAS 上抓包,确认收到并回包
sudo tcpdump -i bridge0 udp port 19132 -n
```
---
## 故障排查
| 现象 | 排查方法 |
|---|---|
| WireGuard 无握手 | 检查 VPS 防火墙 51820/udp 是否开放 |
| socat 收不到包 | 检查 ufw 19132/udp 是否开放 |
| 旁路由收不到包 | 检查 WireGuard AllowedIPs 是否为 `0.0.0.0/0` |
| NAS 收不到包 | 检查端口转发内部端口是否填写正确 |
| NAS 有回包但玩家连不上 | 检查 SNAT 规则是否生效,确认 NAS 用 host 网络模式 |
| 游戏内延迟不显示 | 检查 socat 是否正常运行,DNAT 规则是否已删除 |
---
## 扩展:新增其他 UDP 服务
1. VPS 新建一个 socat service,修改端口号
2. 旁路由 LuCI 端口转发新增一条规则
3. `ufw allow <新端口>/udp`
旁路由备份/backup-ImmortalWrt-2026-04-17.tar.gz
BIN
View File
Binary file not shown.
旁路由备份/backup-ImmortalWrt-2026-04-18.tar.gz
BIN
View File
Binary file not shown.