Compare commits

...

9 Commits

12 changed files with 2210 additions and 151 deletions
+904
@@ -0,0 +1,904 @@
# VPS 流量转发配置
基于 **Xray + Nginx SNI 分流 + Mihomo TUN 透明代理 + WireGuard**,实现:
内网服务反向代理、多 VPS 链路中转、BT 透明代理、Minecraft UDP 转发。
---
## 设备
| 设备 | IP / 域名 | 角色 |
|---|---|---|
| **北京 VPS** | `salmonstill.cn` / `49.232.242.90` | 公网入口,Nginx + Xray + socat + WireGuard |
| **搬瓦工 VPS** | `173.242.118.60` | 代理出口,Xray Reality 入站(客户端直连) |
| **旁路由** | `192.168.1.199` / WG `10.0.0.2` | 内网核心,Xray bridge + Mihomo 代理 |
| **NAS** | `192.168.1.188` | 绿联云 UGOS,思源笔记等服务 |
| **qBittorrent** | `192.168.1.200` (macvlan) | PT 下载,独立 IP |
| **Windows** | `192.168.1.177` | 内网办公,SSH |
| **Spark** | `192.168.1.166` | Ubuntu 主机,本地 TUN 代理 |
---
## Nginx SNI 分流 (`beijing-vps-stream.conf`)
监听 `:443`,按 SNI 将流量分发到不同后端:
| SNI | 后端 | 端口 | 用途 |
|---|---|---|---|
| `www.apple.com` | Xray interconn | :9443 | 反向代理隧道 |
| `www.microsoft.com` | Xray mihomo_in | :9444 | Mihomo 客户端 → 搬瓦工出口 |
| `news.apple.com` | Xray proxy_from_lan | :9445 | 北京直连代理 |
| `drive.salmonstill.cn` | NAS | :38653 | 绿联云直接转发 |
| 默认 | NPM | :8443 | Nginx Proxy Manager |
搬瓦工 VPS(部署 `东京-vps-stream.conf` + `tokyo-vps-config.json`):`www.microsoft.com` → Xray :9443,默认 → NPM。
---
## Xray 核心
### 北京 VPS (`xray-北京vps-config.json`)
**Reality 入站** — 共享 privateKey `GGT9LfN_...`,由 Nginx SNI 转发:
| Tag | 端口 | SNI | Reality target |
|---|---|---|---|
| `interconn` | :9443 | `www.apple.com` | `www.apple.com:443` |
| `mihomo_in` | :9444 | `www.microsoft.com` | `www.microsoft.com:443` |
| `proxy_from_lan` | :9445 | `news.apple.com` | `www.apple.com:443` |
**dokodemo-door 入站** — 端口转发到旁路由反向隧道,共 11 个:
| Tag | 公网端口 | 路由目标 |
|---|---|---|
| `external` | 38653 | → portal → NAS :9443 |
| `external_siyuan` | 38654 | → portal → NAS :5005 |
| `external_minecraft` | 39132 | → portal → 旁路由 :39132 |
| `external_wsl` | 38655 | → portal → Windows :22 |
| `external_nas_ssh` | 38656 | → portal → NAS :22 |
| `external_router_ssh` | 38657 | → portal → 旁路由 :22 |
| `external_spark_ssh` | 38659 | → portal → Spark (166) :22 |
| `external_spark_rdp` | 38660 | → portal → Spark (166) :3389 |
| `external_spark_38662` | 38662 | → portal → Spark (166) :38662 |
| `external_router_web` | 39766 | → portal → 旁路由 :80 |
| `external_tmp` | 8501 | → portal → Windows :8501 |
| `external_gitea` | 38661 | → portal → NAS :3000 |
| `external_222` | 222 | → portal → NAS :222 |
| `external_qbit` | 51413 | → portal → qBittorrent :51413 |
**其他入站**
| Tag | 端口 | 类型 | 用途 |
|---|---|---|---|
| `proxy_in` | 10809 | mixed | SOCKS5/HTTP 代理 → 搬瓦工出口 |
| `socks-dynamic` | 38658 | SOCKS5 (password) | 动态 LAN 端口访问 |
**出站**`direct`freedom 直连)、`to_tokyo`VLESS+Reality → `173.242.118.60:443`
**路由**:所有 `external_*` + `interconn` + `socks-dynamic``portal`(反向隧道);`mihomo_in` + `proxy_in``to_tokyo``proxy_from_lan``direct`
### 旁路由 (`xray-旁路由-config.json`)
**Bridge 入站**:与北京 VPS 的 Portal 建立永久反向隧道。
**出站**14 个):
| Tag | 目标 | 用途 |
|---|---|---|
| `to_nas` | `192.168.1.188:9443` | NAS 管理 |
| `to_siyuan` | `192.168.1.188:5005` | 思源笔记 |
| `to_wsl` | `192.168.1.177:22` | WSL SSH |
| `to_nas_ssh` | `192.168.1.188:22` | NAS SSH |
| `to_router_ssh` | `192.168.1.199:22` | 旁路由 SSH |
| `to_router_web` | `192.168.1.199:80` | 旁路由 Web |
| `to_minecraft` | `127.0.0.1:39132` | Minecraft 服务 |
| `to_tmp` | `192.168.1.177:8501` | 临时服务 |
| `to_3000` | `192.168.1.188:3000` | Web 服务 |
| `to_222` | `192.168.1.188:222` | 备用服务 |
| `to_qbit` | `192.168.1.200:51413` | qBittorrent 入站 |
| `to_spark_ssh` | `192.168.1.166:22` | Spark SSH 远程 |
| `to_spark_rdp` | `192.168.1.166:3389` | Spark xRDP 桌面远程 |
| `to_spark_38662` | `192.168.1.166:38662` | Spark 自定义服务 |
| `interconn` | VLESS+Reality → `salmonstill.cn:443` (SNI=www.apple.com) | 隧道链接 |
| `to_beijing_direct` | VLESS+Reality → `salmonstill.cn:443` (SNI=news.apple.com) | 北京直连 |
| `direct` | freedom | 直连 |
**路由规则**bridge 入站按端口匹配):
- 38653 → `to_nas`NAS 管理)
- 38654 → `to_siyuan`
- 38655 → `to_wsl`
- 38656 → `to_nas_ssh`
- 38657 → `to_router_ssh`
- 8501 → `to_tmp`
- 39766 → `to_router_web`
- 38661 → `to_3000`
- 222 → `to_222`
- 39132 → `to_minecraft`
- 51413 → `to_qbit`
- 38658 → `direct`(SOCKS5 动态回家,直接连接目标地址)
- 38659 → `to_spark_ssh`Spark SSH 远程)
- 38660 → `to_spark_rdp`Spark xRDP 桌面远程)
- 38662 → `to_spark_38662`
- 默认(catch-all)→ **`direct`**(不匹配端口规则的动态请求直连目标)
- `socks-lan` 入站 → `to_beijing_direct`
> 所有显式端口规则优先于 catch-all,现有端口转发不受影响。
### 搬瓦工 VPS / 洛杉矶 (`tokyo-vps-config.json`)
极简:VLESS+Reality 入站 `:9443`SNI=www.microsoft.com),freedom 出站。
所有客户端(Spark、旁路由、macOS)直连此服务器,不再经北京 VPS 中转。
---
## Mihomo
### 旁路由 (`旁路由的mihomo config.yaml`)
**纯代理模式** — 无内核级劫持,提供多端口代理服务供客户端手动指定:
| 端口 | 类型 | 路由 | 用途 |
|---|---|---|---|
| `7890` | mixed | 按规则分流 | 本地服务默认代理 |
| `7891` | mixed | 全部走 US-Direct | 全局国外代理 |
| `7892` | mixed | 全部直连 | 全局国内直连 |
配合 **fake-ip DNS**`enhanced-mode: fake-ip`),DNS 请求返回 `198.18.x.x` 假 IP,强制流量进入代理路由。
**代理节点**
- `US-Direct` — VLESS+Reality → `173.242.118.60:443`(默认国外出口,客户端直连搬瓦工)
**关键策略组**
- 国外 → `[US-Direct, 直连]`
**防死循环 IP**`49.232.242.90`(北京 VPS)、`173.242.118.60`(搬瓦工 VPS)强制直连。
**额外监听器**`:7891`(全局→US-Direct)、`:7892`(强制直连)
### macOS (`非tun模式的主机mihomo config.yaml`)
结构与旁路由一致,无 TUN,监听器 `:7890` + `:7891` + `:7892`
**重启**launchctl 管理):
```bash
launchctl unload ~/Library/LaunchAgents/com.mihomo.proxy.plist
launchctl load ~/Library/LaunchAgents/com.mihomo.proxy.plist
```
### Ubuntu / Spark (`tun模式的主机mihomo config.yaml`)
本地 TUN 模式(`stack: system`),不依赖旁路由网关。设备重启后 `auto-route` 自建路由表,稳定可靠。监听器 `:7890` + `:7891` + `:7892`,节点直连 US-Direct。
## qBittorrent 透明代理
### 架构总览
```
出站(SOCKS5 代理)
qBittorrent(192.168.1.200) 互联网
↓ SOCKS5 旁路由:1080 (socks-lan) ↑
↓ Xray routing → to_beijing_direct │
↓ Reality(VLESS, SNI=news.apple.com) │
↓ 北京VPS:443 → Nginx分流 │
↓ proxy_from_lan:9445 → direct(freedom) ─────────────────┘
入站(端口转发)
Peer → 北京VPS:51413 → external_qbit → portal
→ bridge隧道 → 旁路由 → to_qbit → 192.168.1.200:51413
```
---
### 设备清单
| 设备 | IP | 角色 |
|---|---|---|
| 北京VPS | `salmonstill.cn` / `49.232.242.90` | 公网出口 + 入站入口 |
| 旁路由 | `192.168.1.199` | Xray 桥接 + SOCKS5 代理 |
| NAS | `192.168.1.188` | Docker 宿主机 |
| qBittorrent 容器 | `192.168.1.200` | macvlan 独立 IPPT 专用 |
---
### 第一部分:北京 VPS 配置
#### 1.1 Nginx Stream SNI 分流 `beijing-vps-stream.conf`
新增 `news.apple.com` SNI 映射(用于旁路由 Mihomo 直连代理):
```nginx
stream {
map $ssl_preread_server_name $backend {
www.apple.com xray; # 旁路由反向代理隧道
www.microsoft.com mihomo; # 外部客户端代理 → 东京出口
news.apple.com xray_lan; # 旁路由 Mihomo 北京直连代理
drive.salmonstill.cn nas; # 绿联云服务
default npm; # Nginx Proxy Manager
}
upstream xray { server 127.0.0.1:9443; }
upstream mihomo { server 127.0.0.1:9444; }
upstream xray_lan { server 127.0.0.1:9445; } # 新增
upstream nas { server 127.0.0.1:38653; }
upstream npm { server 127.0.0.1:8443; }
server {
listen 443 reuseport;
listen [::]:443 reuseport;
ssl_preread on;
proxy_pass $backend;
}
}
```
#### 1.2 Xray 配置 `xray-北京vps-config.json`
##### 新增入站 `proxy_from_lan`(北京直连出口)
```json
{
"tag": "proxy_from_lan",
"listen": "127.0.0.1",
"port": 9445,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"target": "www.apple.com:443",
"serverNames": ["news.apple.com"],
"privateKey": "GGT9LfN_2JdQG68cwrULgUK-adfT6wIokLzWjaB0fXs",
"shortIds": ["7c947a71b94f369e"]
}
}
}
```
> Reality 公私钥复用已有的 `interconn` 入站 keypair`serverNames` 用新的 `news.apple.com` 与 Nginx 对应。
> `target` 设为 `www.apple.com:443`Reality 从此地址偷取真实 TLS 证书用于伪装。
##### 新增入站 `external_qbit`BT 入站端口)
```json
{
"tag": "external_qbit",
"listen": "0.0.0.0",
"port": 51413,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 51413,
"network": "tcp"
}
}
```
> 仅 TCP——Xray portal 反向代理对 UDP 支持不完善,BT 的 μTP(UDP) 走不了,需要在 qBittorrent 里关闭。
##### 新增路由规则
```json
{ "type": "field", "inboundTag": ["proxy_from_lan"], "outboundTag": "direct" },
{ "type": "field", "inboundTag": ["external_qbit"], "outboundTag": "portal" }
```
#### 1.3 腾讯云防火墙
新开端口:
| 端口 | 协议 | 用途 |
|---|---|---|
| 51413 | TCP | BT 入站 |
---
### 第二部分:旁路由 Xray SOCKS5 出站代理
#### 2.1 配置 `xray-旁路由-config.json`
qBittorrent 出站不走 Mihomo 透明代理,而是通过旁路由上 Xray 的 `socks-lan` 入站(`:1080`),直接转发到北京 VPS 直连出口。
##### SOCKS5 入站
```json
{
"tag": "socks-lan",
"port": 1080,
"listen": "0.0.0.0",
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": true
}
}
```
##### 出站 `to_beijing_direct`
```json
{
"tag": "to_beijing_direct",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "salmonstill.cn",
"port": 443,
"users": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"flow": "xtls-rprx-vision",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"fingerprint": "chrome",
"serverName": "news.apple.com",
"publicKey": "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs",
"shortId": "7c947a71b94f369e"
}
}
}
```
##### 路由规则
```json
{ "type": "field", "inboundTag": ["socks-lan"], "outboundTag": "to_beijing_direct" }
```
> 路径:`qBittorrent → SOCKS5 旁路由:1080 → to_beijing_direct → 北京VPS:443(SNI=news.apple.com) → proxy_from_lan:9445 → direct → 互联网`
---
### 第三部分:旁路由 Xray 51413 转发
#### 3.1 配置 `xray-旁路由-config.json`
##### 新增加出站 `to_qbit`
```json
{
"tag": "to_qbit",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.200:51413"
}
}
```
##### 新增路由规则
```json
{
"type": "field",
"inboundTag": ["bridge"],
"port": "51413",
"outboundTag": "to_qbit"
}
```
> 放在 bridge 下——从北京 VPS 的 portal 通过反向隧道过来的 BT 入站流量,由 bridge 接收后按端口 51413 匹配到此规则,转发到 qBittorrent 容器。
---
### 第四部分:NAS qBittorrent Docker
#### 4.1 创建 macvlan 网络
```bash
docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.199 \
--ip-range=192.168.1.200/32 \
-o parent=eth0 \
qbit_macvlan
```
> `--gateway=192.168.1.199`qBittorrent 的默认网关设为旁路由,确保出站流量经过旁路由。
> `--ip-range=192.168.1.200/32`:固定 IP。
#### 4.2 启动容器
```bash
docker run -d \
--name qbittorrent \
--network qbit_macvlan \
--ip 192.168.1.200 \
-e WEBUI_PORT=8090 \
-p 8090:8090 \
-v /path/to/downloads:/downloads \
lscr.io/linuxserver/qbittorrent:latest
```
#### 4.3 qBittorrent 设置
| 设置项 | 值 |
|---|---|
| 监听端口 | `51413` |
| UPnP/NAT-PMP | **禁用** |
| SOCKS5 代理 | `192.168.1.199` / 端口 `1080` |
| 连接协议 | **仅 TCP**(关闭 μTP |
| DHT | 可选(建议开) |
| PEX | 可选(建议开) |
> 关闭 μTP(UDP)Xray portal 反向代理不支持 UDPBT 的 μTP 走 UDP 会导致入站失败。
#### 4.4 定时做种调度(crontab
让 qBittorrent 只在夜间(01:00-07:00)做种,白天暂停以节省带宽:
```bash
crontab -e
```
添加以下两行(在 NAS 或任意可访问 192.168.1.200 的设备上):
```
0 1 * * * curl -s -X POST "http://192.168.1.200:8888/api/v2/torrents/start" --data "hashes=all"
0 7 * * * curl -s -X POST "http://192.168.1.200:8888/api/v2/torrents/stop" --data "hashes=all"
```
| 时间 | 操作 | 含义 |
|---|---|---|
| 凌晨 01:00 | `/torrents/start` `hashes=all` | 启动全部种子开始做种 |
| 早上 07:00 | `/torrents/stop` `hashes=all` | 停止全部种子 |
---
### 第五部分:部署顺序
```
1. 腾讯云防火墙 → 开放 51413/tcp
2. scp beijing-vps-stream.conf → 北京VPS /etc/nginx/stream.conf.d/
3. scp xray-北京vps-config.json → 北京VPS /usr/local/etc/xray/config.json
4. 北京VPS: nginx -t && systemctl reload nginx
5. 北京VPS: systemctl restart xray
6. scp 旁路由的mihomo config.yaml → 旁路由 /opt/mihomo/config.yaml
7. scp xray-旁路由-config.json → 旁路由 /etc/xray/config.json
8. 旁路由: /etc/init.d/mihomo restart
9. 旁路由: /etc/init.d/xray restart
10. NAS: 创建 macvlan 网络 + 启动 qBittorrent 容器
11. NAS: 配置 qBittorrent 监听端口 51413,关闭 μTP
```
---
### 第六部分:验证
#### 6.1 SOCKS5 代理出站验证
```bash
# 在 NAS 上执行,应返回北京 VPS 的公网 IP
docker exec qbittorrent curl --socks5 192.168.1.199:1080 https://ip.sb
```
#### 6.2 Xray 日志确认
```bash
# 旁路由上查看 Xray 日志,确认 socks-lan 流量转发正常
tail -f /var/log/xray.log | grep socks-lan
```
#### 6.3 BT 入站验证
```bash
# 北京 VPS 上确认端口监听
ss -tlnp | grep 51413
# 从外部测试端口可达
nc -zv salmonstill.cn 51413
```
#### 6.4 端到端 BT 测试
下载一个热门 Ubuntu torrent 种子,观察:
- qBittorrent WebUI → 连接 → 应显示 DHT 节点数增长
- 跟踪器页面 → 应显示 "Working"
- 下载速度应有上传来确认入站工作
---
### 第七部分:故障排查
| 现象 | 排查 |
|---|---|
| qBittorrent curl ip.sb 返回真实 IP | SOCKS5 代理未生效,检查 qBittorrent 设置中代理配置 |
| 代理连不上 | 确认 旁路由 Xray 正在运行且 `socks-lan` 入站监听 :1080 |
| 入站无上传 | 检查北京 VPS ufw/腾讯云安全组已放行 51413/tcp |
| xray 报错 `reverse-proxy.xray.internal` | portal/bridge 域名不匹配,两边必须一致 |
| 下载有速度、无上传 | μTP 没关或 portal UDP 不支持,qBittorrent 设置仅 TCP |
---
### 第八部分:文件清单
| 文件 | 位置 | 作用 |
|---|---|---|
| `beijing-vps-stream.conf` | 北京VPS `/etc/nginx/stream.conf.d/` | Nginx SNI分流(含 news.apple.com → 9445 |
| `xray-北京vps-config.json` | 北京VPS `/usr/local/etc/xray/config.json` | Xray 入站+路由(含 proxy_from_lan + external_qbit |
| `xray-旁路由-config.json` | 旁路由 `/etc/xray/config.json` | Xray bridge + to_qbit(51413) + socks-lan(1080) → to_beijing_direct |
## Minecraft UDP 转发
### 架构
```
公网玩家 (UDP 19132)
北京VPS (salmonstill.cn)
socat 监听 19132 → 转发到 10.0.0.2:19132
↓ WireGuard 隧道
旁路由 ImmortalWrt (192.168.1.199 / 10.0.0.2)
nftables 端口转发 + SNAT
NAS (192.168.1.188:19132)
Minecraft 基岩版 Docker 容器
```
---
### 设备信息
| 设备 | IP | 系统 |
|---|---|---|
| 北京VPS | `salmonstill.cn` / `49.232.242.90` | Ubuntu 22.04 |
| 旁路由 | `192.168.1.199` / WG隧道: `10.0.0.2` | ImmortalWrt 24.10 (GL-MT2500) |
| NAS | `192.168.1.188` | 绿联云 UGOS |
---
### 第一部分:北京VPS 配置
#### WireGuard 配置 `/etc/wireguard/wg0.conf`
```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <北京VPS私钥>
MTU = 1420
# 回包源地址转换(必须,否则公网玩家收不到回包)
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
[Peer]
# 旁路由
PublicKey = 9jPlaUhx2Dc+C5ZqJx6Iu8GtNMig3cFIoqfHg8PZbCA=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
```
> ⚠️ 不使用 iptables DNAT 转发,改用 socat 处理 UDP 转发,避免 conntrack 连接跟踪问题导致回包丢失。
#### 开启内核转发
```bash
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
```
#### 开放防火墙端口
```bash
ufw allow 51820/udp # WireGuard
ufw allow 19132/udp # Minecraft 基岩版
```
#### 启动 WireGuard
```bash
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
```
#### socat UDP 转发
socat 监听公网 19132 端口,收到包后转发给旁路由隧道 IP,并维护连接状态确保回包正确返回。
创建 systemd service
```bash
nano /etc/systemd/system/mc-forward.service
```
```ini
[Unit]
Description=Minecraft UDP Forward
After=network.target
[Service]
ExecStart=/usr/bin/socat UDP4-LISTEN:19132,fork,reuseaddr UDP4:10.0.0.2:19132
Restart=always
[Install]
WantedBy=multi-user.target
```
启动并设置开机自启:
```bash
systemctl daemon-reload
systemctl enable mc-forward
systemctl start mc-forward
```
---
### 第二部分:旁路由 ImmortalWrt 配置
#### WireGuard 接口配置
路径:**网络 → 接口 → 添加新接口**
**常规设置:**
| 字段 | 值 |
|---|---|
| 接口名称 | `WireGuard` |
| 协议 | `WireGuard VPN` |
| 私钥 | `<旁路由私钥>` |
| IP 地址 | `10.0.0.2/24` |
| 监听端口 | 不填 |
**防火墙设置:** 加入 `wan` 区域
**Peers → 添加对端:**
| 字段 | 值 |
|---|---|
| 公钥 | `n159R7bNB+tW3Br0cok2zA27Pzg2WSPTI9uQ9odOFyU=` |
| 端点主机 | `salmonstill.cn` |
| 端点端口 | `51820` |
| 允许的 IP | `0.0.0.0/0` |
| 路由允许的 IP | ✅ 勾选 |
| 持续 Keep-Alive | `25` |
> ⚠️ 允许的 IP 必须设为 `0.0.0.0/0`,否则 WireGuard 会丢弃来自公网玩家 IP 的包。
#### 端口转发配置
路径:**网络 → 防火墙 → 端口转发 → 添加**
| 字段 | 值 |
|---|---|
| 名称 | `Minecraft-udp` |
| 协议 | `UDP` |
| 源区域 | `wan` |
| 外部端口 | `19132` |
| 目标区域 | `lan` |
| 内部 IP 地址 | `192.168.1.188` |
| 内部端口 | `19132` |
#### SNAT 配置
路径:**网络 → 防火墙 → NAT 规则 → 添加**
| 字段 | 值 |
|---|---|
| 名称 | `minecraft-snat` |
| 地址族限制 | `仅 IPv4` |
| 协议 | `UDP` |
| 出站区域 | `lan` |
| 目标地址 | `192.168.1.188` |
| 目标端口 | `19132` |
| 操作 | `SNAT - 重写为特定的源 IP 或端口` |
| 重写 IP 地址 | `192.168.1.199` |
> SNAT 的作用:将转发给 NAS 的包源 IP 改为旁路由 IP,确保 NAS 的回包发回给旁路由而不是直接走主路由,避免回包路径不对称。
---
### 第三部分:NAS Docker 配置
使用 `network_mode: host` 避免 Docker NAT 导致的 IP 映射问题。
```yaml
services:
bedrock:
image: itzg/minecraft-bedrock-server:2026.2.1
container_name: mc-bedrock
network_mode: host
stdin_open: true
tty: true
environment:
EULA: "TRUE"
VERSION: "1.26.14.1"
TZ: "Asia/Shanghai"
OPS: "2535472561115036"
volumes:
- /volume2/ProgramsV2/minecraft:/data
restart: unless-stopped
```
---
### 第四部分:验证
#### 检查 WireGuard 隧道
```bash
# 旁路由
wg show
# 正常应有 latest handshake 和双向 transfer
```
#### 检查 socat 运行状态
```bash
systemctl status mc-forward
```
#### 抓包验证完整链路
```bash
# VPS 上抓 wg0,确认双向流量
tcpdump -i wg0 udp port 19132 -n
# 旁路由抓 br-lan,确认转发到 NAS
tcpdump -i br-lan udp port 19132 -n
# NAS 上抓包,确认收到并回包
sudo tcpdump -i bridge0 udp port 19132 -n
```
---
### 故障排查
| 现象 | 排查方法 |
|---|---|
| WireGuard 无握手 | 检查 VPS 防火墙 51820/udp 是否开放 |
| socat 收不到包 | 检查 ufw 19132/udp 是否开放 |
| 旁路由收不到包 | 检查 WireGuard AllowedIPs 是否为 `0.0.0.0/0` |
| NAS 收不到包 | 检查端口转发内部端口是否填写正确 |
| NAS 有回包但玩家连不上 | 检查 SNAT 规则是否生效,确认 NAS 用 host 网络模式 |
| 游戏内延迟不显示 | 检查 socat 是否正常运行,DNAT 规则是否已删除 |
---
### 扩展:新增其他 UDP 服务
1. VPS 新建一个 socat service,修改端口号
2. 旁路由 LuCI 端口转发新增一条规则
3. `ufw allow <新端口>/udp`
---
## SOCKS5 动态 LAN 端口访问
通过新增的 `socks-dynamic` 入站(`:38658`,密码认证),可从外部访问任意内网 IP:PORT,无需事先配置端口规则。
```
浏览器 SOCKS5 → salmonstill.cn:38658
→ 北京VPS socks-dynamic → portal → 反向隧道
→ 旁路由 bridge → catch-all direct → 任意 LAN IP:PORT
```
---
## Reality 密钥
| 位置 | Private Key | Public Key (客户端用) |
|---|---|---|
| **北京 VPS**3 个入站共用) | `GGT9LfN_2JdQG68cwrULgUK-adfT6wIokLzWjaB0fXs` | `62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs` |
| **搬瓦工 VPS**(客户端直连) | `iBlu3eH1VLf1S5Qw87m_1w0TGYUktDwHAzgpQ2aKuGI` | `jr_zQjC4mvlQITuG5Ap5Mxqe5EBbGyyvwbVLDEi8OCA` |
`Beijing-Direct` 节点必须 `skip-cert-verify: true`,因 Reality 返回 target`www.apple.com`)的证书,而 SNI 是 `news.apple.com`TLS SAN 校验会失败。
---
## 流量路径
### 路径 1:内网服务反向代理
```
用户 → salmonstill.cn:端口 → dokodemo-door → portal → 隧道 → bridge
→ 端口匹配出站 → 内网目标 → 原路返回
```
### 路径 2:代理翻墙(直连搬瓦工)
```
Mihomo 客户端 → 173.242.118.60:443 (SNI=www.microsoft.com)
→ Nginx 分流 → Xray :9443 → freedom → 互联网
```
### 路径 3qBittorrent 代理出站
```
qBittorrent → SOCKS5 旁路由:1080 → Xray to_beijing_direct
→ salmonstill.cn:443 (SNI=news.apple.com) → proxy_from_lan → direct → 互联网
```
### 路径 4BT 入站
```
BT Peer → salmonstill.cn:51413 → portal → 隧道 → bridge → to_qbit → 1.200:51413
```
### 路径 5Minecraft UDP
```
公网玩家 → salmonstill.cn:19132 → socat → WireGuard → 旁路由 → NAS :19132
```
### 路径 6SOCKS5 动态回家
```
浏览器 SOCKS5 → salmonstill.cn:38658 → socks-dynamic → portal → 隧道
→ bridge → catch-all direct → 任意 LAN IP:PORT
```
| 文件 | 目标设备 | 部署路径 |
|---|---|---|
| `beijing-vps-stream.conf` | 北京 VPS | `/etc/nginx/stream.conf.d/` |
| `xray-北京vps-config.json` | 北京 VPS | `/usr/local/etc/xray/config.json` |
| `东京-vps-stream.conf` | 搬瓦工 VPS | `/etc/nginx/stream.conf.d/` |
| `tokyo-vps-config.json` | 搬瓦工 VPS | `/usr/local/etc/xray/config.json` |
| `xray-旁路由-config.json` | 旁路由 | `/etc/xray/config.json` |
| `旁路由的mihomo config.yaml` | 旁路由 | `/opt/mihomo/config.yaml` |
| `非tun模式的主机mihomo config.yaml` | macOS | `~/Library/LaunchAgents/` (launchctl 管理) |
| `tun模式的主机mihomo config.yaml` | Spark (Ubuntu) | `/opt/mihomo/config.yaml` (systemd) |
| `subscribe-7891-only.yaml` | 通用 | 精简版模板(单独 7891 端口) |
| `qbittorrent流量转发.md` | — | 方案文档(已合并到 README,可删除) |
| `我的世界udp转发.md` | — | 方案文档(已合并到 README,可删除) |
---
## 部署流程
```
1. 腾讯云防火墙开放端口(443, 51413/tcp, 51820/udp, 19132/udp
2. 北京 VPS: 部署 Nginx stream → nginx -t && systemctl reload nginx
3. 北京 VPS: 部署 Xray → systemctl restart xray
4. 北京 VPS: 部署 WireGuard → wg-quick@wg0
5. 北京 VPS: 部署 socat → systemctl start mc-forward
6. 搬瓦工 VPS: 部署 Nginx + Xray
7. 旁路由: 部署 Xray → /etc/init.d/xray restart
8. 旁路由: 部署 Mihomo → /etc/init.d/mihomo restart
9. 旁路由: 配置 WireGuard + 端口转发 + SNATLuCI
10. NAS: 创建 macvlan 网络 → 启动 qBittorrent 容器
11. NAS: 启动 Minecraft 容器
```
---
## 验证命令
```bash
# 北京 VPS
ss -tlnp | grep -E '944[345]|3865[3-8]|51413|10809'
systemctl status nginx xray wg-quick@wg0 mc-forward
# 搬瓦工 VPS
ss -tlnp | grep -E '443|9443'
systemctl status nginx xray
# 旁路由
ss -tlnp | grep -E '789[0-2]|1080' # Mihomo 端口 + Xray socks-lan
mihomo -d /opt/mihomo -t # 配置文件校验
tail /opt/mihomo/logs/mihomo.log | grep INFO # 确认代理无报错
wg show
# qBittorrent 连通性
docker exec qbittorrent curl -s https://ip.sb # 应返回北京 VPS IP
# Minecraft
systemctl status mc-forward
tcpdump -i wg0 udp port 19132 -n
```
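Review bot: the README publishes live secrets. The "Reality 密钥" table lists both servers' `privateKey` values (`GGT9LfN_...`, `iBlu3eH1...`) beside the public keys, and the embedded config fragments carry the client `id` `113e167a-...` and the `shortId`; anyone who can read this repo can impersonate the Beijing and 搬瓦工 Reality inbounds or authenticate as a client. Strip the private keys and UUIDs from the document (clients only need the public key), regenerate with `xray x25519` and fresh UUIDs, and treat the committed values as burned. Second, `socks-dynamic` (`:38658`, password-only SOCKS5, the one public inbound not behind Nginx/Reality) is routed to `portal`, and on the bridge side `38658 → direct` plus the `catch-all → direct` rule turn one guessed password into a pivot to any LAN `IP:PORT`; state the password policy or move it behind the Reality inbound like the other paths. Third, the WireGuard section's claim that `允许的 IP` must be `0.0.0.0/0` "otherwise WireGuard drops packets from public player IPs" belongs to the DNAT design that the ⚠️ note on `wg0.conf` says was abandoned: `socat UDP4-LISTEN:19132,fork,reuseaddr UDP4:10.0.0.2:19132` re-sources every datagram from the VPS, so packets on wg0 arrive from `10.0.0.1`, `10.0.0.0/24` is enough, and `0.0.0.0/0` with `路由允许的 IP` checked installs a default route through the tunnel on the 旁路由 (the `MASQUERADE` PostUp is a leftover of the same design). Smaller doc fixes: the dokodemo-door table says `共 11 个` but lists 14 rows, the 旁路由 outbound list says `14 个` but lists 17, the Mihomo section describes the 旁路由 as `纯代理模式 — 无内核级劫持` while the opening line advertises `Mihomo TUN 透明代理`, and the crontab calls port `8888` while the container is started with `WEBUI_PORT=8090`.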
-86
@@ -1,86 +0,0 @@
# VPS流量转发架构说明
## 总览
这套架构基于Xray+Nginx SNI分流实现,完全基于443端口HTTPS流量伪装,实现三个核心功能:
1. 反向代理内网服务到公网(无需公网IPv6/端口映射)
2. 异地多VPS链路中转代理(mihomo客户端接入)
3. 统一公网入口流量管理(所有流量走443端口,无额外端口暴露)
---
## 设备清单说明
| 设备 | IP/域名 | 说明 |
|---|---|---|
| 北京VPS | `salmonstill.cn` | 公网入口节点,Nginx+Xray服务部署在这里 |
| 东京VPS | `tokyo.salmonstill.cn` | 代理出口节点,Xray服务部署在这里 |
| 旁路由 | `192.168.1.199` | 内网反向代理节点,Xray桥接服务部署在这里 |
| NAS | `192.168.1.188` | 内网存储服务,部署了思源笔记、绿联云管理界面 |
| Windows台式机 | `192.168.1.177` | 内网办公设备,提供WSL SSH服务 |
---
## 核心组件说明
### 1. 北京VPS(公网入口节点)
#### Nginx Stream SNI分流层
配置文件:`beijing-vps-stream.conf`
根据SSL握手阶段的ServerName字段,将不同域名的流量转发到不同后端服务:
| 域名 | 后端服务 | 作用 |
|---|---|---|
| `www.apple.com` | Xray 9443端口 | 旁路由反向代理隧道 |
| `www.microsoft.com` | Xray 9444端口 | Mihomo客户端代理入口 |
| `drive.salmonstill.cn` | 38653端口 | 绿联云NAS服务直接转发 |
| 其他域名 | Nginx Proxy Manager 8443端口 | 常规Web服务管理 |
#### Xray服务层
配置文件:`beijing-vps-config.json`
包含两个核心入站和一个出站:
- **interconn入站(9443端口)**VLESS+Reality协议,接收旁路由的反向代理桥接连接
- **mihomo_in入站(9444端口)**VLESS+Reality协议,接收外部Mihomo客户端的代理连接
- **to_tokyo出站**VLESS+Reality协议,将代理流量转发到东京VPS出口
---
### 2. 旁路由(内网反向代理节点)
配置文件:`旁路由-config.json`
基于Xray反向代理桥接模式实现内网服务穿透:
- **bridge桥接组件**:和北京VPS的portal组件建立永久隧道,将公网过来的反向代理流量转发到内网
- 路由规则根据端口自动转发到对应内网服务:
| 端口 | 内网目标 | 服务 |
|---|---|---|
| 38653 | 192.168.1.188:9443 | NAS管理界面 |
| 38654 | 192.168.1.188:5005 | 思源笔记 |
| 38655 | 192.168.1.177:22 | WSL SSH服务 |
| 39132 | 127.0.0.1:39132 | Minecraft游戏服务 |
---
### 3. 东京VPS(代理出口节点)
配置文件:`tokyo-vps-config.json`
极简配置的Xray出口节点:
- 入站:VLESS+Reality协议,接收北京VPS转发的代理请求
- 出站:直接freedom出口访问国际网络
---
## 流量路径说明
### 1. 内网服务反向代理访问路径(比如访问drive.salmonstill.cn
```
用户 → 北京VPS 443端口 → Nginx匹配SNI `drive.salmonstill.cn` → 转发到38653端口 dokodemo-door入站
→ Xray路由转发到portal反向代理组件 → 走已经建立的隧道到旁路由bridge组件
→ 旁路由路由匹配端口38653 → 转发到内网NAS 192.168.1.188:9443 → 响应原路返回
```
### 2. Mihomo代理访问路径
```
Mihomo客户端 → 北京VPS 443端口 → Nginx匹配SNI `www.microsoft.com` → 转发到9444端口 mihomo_in入站
→ Xray路由转发到to_tokyo出站 → 加密传输到东京VPS 443端口 → 东京Xray入站接收请求
→ 直接访问国际网络 → 响应原路返回
```
---
## 架构优势
1. **极致伪装**:所有流量都走443端口HTTPS,不同流量通过SNI区分,完全和正常网站访问一致,无特征被封
2. **零额外端口暴露**:除了443端口没有任何公网开放端口,安全性拉满
3. **高可用性**:反向代理隧道永久在线,内网服务无需公网IP/端口映射即可访问
4. **性能损耗低**Xray Reality协议性能优异,中转延迟增加<10ms
5. **易扩展**:新增内网服务只需要在旁路由添加对应的路由规则即可,无需修改公网配置
---
## 配置要点
1. Reality公私钥配对:客户端的publicKey必须和对应服务端的privateKey严格匹配
2. SNI一致性:客户端请求的ServerName必须和Nginx分流规则以及Xray Reality配置的serverNames完全一致
3. 端口映射:Nginx分流的后端端口必须和Xray入站监听端口严格对应
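Review bot: deleting this file drops the `配置要点` checklist (client `publicKey` must pair with the server `privateKey`; the client ServerName must match both the Nginx map and the Xray `serverNames`; each Nginx upstream port must match an Xray inbound port), and those three checks are exactly what the replacement README's `故障排查` tables do not cover, so port them before removing. The rest is stale and fine to drop: `零额外端口暴露 ... 除了443端口没有任何公网开放端口` already contradicted the 38653-port dokodemo-door inbound described in the same file, and `tokyo.salmonstill.cn`, `beijing-vps-config.json` and `旁路由-config.json` are no longer the names used elsewhere in this change.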
+364
@@ -0,0 +1,364 @@
# qBittorrent SOCKS5 代理 + BT 入站转发配置文档
## 架构总览
```
出站(SOCKS5 代理)
qBittorrent(192.168.1.200) 互联网
↓ SOCKS5 旁路由:1080 (socks-lan) ↑
↓ Xray routing → to_beijing_direct │
↓ Reality(VLESS, SNI=news.apple.com) │
↓ 北京VPS:443 → Nginx分流 │
↓ proxy_from_lan:9445 → direct(freedom) ─────────────────┘
入站(端口转发)
Peer → 北京VPS:51413 → external_qbit → portal
→ bridge隧道 → 旁路由 → to_qbit → 192.168.1.200:51413
```
---
## 设备清单
| 设备 | IP | 角色 |
|---|---|---|
| 北京VPS | `salmonstill.cn` / `49.232.242.90` | 公网出口 + 入站入口 |
| 旁路由 | `192.168.1.199` | Xray 桥接 + SOCKS5 代理 |
| NAS | `192.168.1.188` | Docker 宿主机 |
| qBittorrent 容器 | `192.168.1.200` | macvlan 独立 IPPT 专用 |
---
## 第一部分:北京 VPS 配置
### 1.1 Nginx Stream SNI 分流 `beijing-vps-stream.conf`
新增 `news.apple.com` SNI 映射(用于旁路由 Mihomo 直连代理):
```nginx
stream {
map $ssl_preread_server_name $backend {
www.apple.com xray; # 旁路由反向代理隧道
www.microsoft.com mihomo; # 外部客户端代理 → 东京出口
news.apple.com xray_lan; # 旁路由 Mihomo 北京直连代理
drive.salmonstill.cn nas; # 绿联云服务
default npm; # Nginx Proxy Manager
}
upstream xray { server 127.0.0.1:9443; }
upstream mihomo { server 127.0.0.1:9444; }
upstream xray_lan { server 127.0.0.1:9445; } # 新增
upstream nas { server 127.0.0.1:38653; }
upstream npm { server 127.0.0.1:8443; }
server {
listen 443 reuseport;
listen [::]:443 reuseport;
ssl_preread on;
proxy_pass $backend;
}
}
```
### 1.2 Xray 配置 `xray-北京vps-config.json`
#### 新增入站 `proxy_from_lan`(北京直连出口)
```json
{
"tag": "proxy_from_lan",
"listen": "127.0.0.1",
"port": 9445,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"target": "www.apple.com:443",
"serverNames": ["news.apple.com"],
"privateKey": "GGT9LfN_2JdQG68cwrULgUK-adfT6wIokLzWjaB0fXs",
"shortIds": ["7c947a71b94f369e"]
}
}
}
```
> Reality 公私钥复用已有的 `interconn` 入站 keypair`serverNames` 用新的 `news.apple.com` 与 Nginx 对应。
> `target` 设为 `www.apple.com:443`Reality 从此地址偷取真实 TLS 证书用于伪装。
#### 新增入站 `external_qbit`BT 入站端口)
```json
{
"tag": "external_qbit",
"listen": "0.0.0.0",
"port": 51413,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 51413,
"network": "tcp"
}
}
```
> 仅 TCP——Xray portal 反向代理对 UDP 支持不完善,BT 的 μTP(UDP) 走不了,需要在 qBittorrent 里关闭。
#### 新增路由规则
```json
{ "type": "field", "inboundTag": ["proxy_from_lan"], "outboundTag": "direct" },
{ "type": "field", "inboundTag": ["external_qbit"], "outboundTag": "portal" }
```
### 1.3 腾讯云防火墙
新开端口:
| 端口 | 协议 | 用途 |
|---|---|---|
| 51413 | TCP | BT 入站 |
---
## 第二部分:旁路由 Xray SOCKS5 出站代理
### 2.1 配置 `xray-旁路由-config.json`
qBittorrent 出站不走 Mihomo 透明代理,而是通过旁路由上 Xray 的 `socks-lan` 入站(`:1080`),直接转发到北京 VPS 直连出口。
#### SOCKS5 入站
```json
{
"tag": "socks-lan",
"port": 1080,
"listen": "0.0.0.0",
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": true
}
}
```
#### 出站 `to_beijing_direct`
```json
{
"tag": "to_beijing_direct",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "salmonstill.cn",
"port": 443,
"users": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"flow": "xtls-rprx-vision",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"fingerprint": "chrome",
"serverName": "news.apple.com",
"publicKey": "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs",
"shortId": "7c947a71b94f369e"
}
}
}
```
#### 路由规则
```json
{ "type": "field", "inboundTag": ["socks-lan"], "outboundTag": "to_beijing_direct" }
```
> 路径:`qBittorrent → SOCKS5 旁路由:1080 → to_beijing_direct → 北京VPS:443(SNI=news.apple.com) → proxy_from_lan:9445 → direct → 互联网`
---
## 第三部分:旁路由 Xray 51413 转发
### 3.1 配置 `xray-旁路由-config.json`
#### 新增加出站 `to_qbit`
```json
{
"tag": "to_qbit",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.200:51413"
}
}
```
#### 新增路由规则
```json
{
"type": "field",
"inboundTag": ["bridge"],
"port": "51413",
"outboundTag": "to_qbit"
}
```
> 放在 bridge 下——从北京 VPS 的 portal 通过反向隧道过来的 BT 入站流量,由 bridge 接收后按端口 51413 匹配到此规则,转发到 qBittorrent 容器。
---
## 第四部分:NAS qBittorrent Docker
### 4.1 创建 macvlan 网络
```bash
docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.199 \
--ip-range=192.168.1.200/32 \
-o parent=eth0 \
qbit_macvlan
```
> `--gateway=192.168.1.199`qBittorrent 的默认网关设为旁路由,确保出站流量经过旁路由。
> `--ip-range=192.168.1.200/32`:固定 IP。
### 4.2 启动容器
```bash
docker run -d \
--name qbittorrent \
--network qbit_macvlan \
--ip 192.168.1.200 \
-e WEBUI_PORT=8090 \
-p 8090:8090 \
-v /path/to/downloads:/downloads \
lscr.io/linuxserver/qbittorrent:latest
```
### 4.3 qBittorrent 设置
| 设置项 | 值 |
|---|---|
| 监听端口 | `51413` |
| UPnP/NAT-PMP | **禁用** |
| SOCKS5 代理 | `192.168.1.199` / 端口 `1080` |
| 连接协议 | **仅 TCP**(关闭 μTP |
| DHT | 可选(建议开) |
| PEX | 可选(建议开) |
> 关闭 μTP(UDP)Xray portal 反向代理不支持 UDPBT 的 μTP 走 UDP 会导致入站失败。
### 4.4 定时做种调度(crontab
让 qBittorrent 只在夜间(01:00-07:00)做种,白天暂停以节省带宽:
```bash
crontab -e
```
添加以下两行(在 NAS 或任意可访问 192.168.1.200 的设备上):
```
0 1 * * * curl -s -X POST "http://192.168.1.200:8888/api/v2/torrents/start" --data "hashes=all"
0 7 * * * curl -s -X POST "http://192.168.1.200:8888/api/v2/torrents/stop" --data "hashes=all"
```
| 时间 | 操作 | 含义 |
|---|---|---|
| 凌晨 01:00 | `/torrents/start` `hashes=all` | 启动全部种子开始做种 |
| 早上 07:00 | `/torrents/stop` `hashes=all` | 停止全部种子 |
---
## 第五部分:部署顺序
```
1. 腾讯云防火墙 → 开放 51413/tcp
2. scp beijing-vps-stream.conf → 北京VPS /etc/nginx/stream.conf.d/
3. scp xray-北京vps-config.json → 北京VPS /usr/local/etc/xray/config.json
4. 北京VPS: nginx -t && systemctl reload nginx
5. 北京VPS: systemctl restart xray
6. scp 旁路由的mihomo config.yaml → 旁路由 /opt/mihomo/config.yaml
7. scp xray-旁路由-config.json → 旁路由 /etc/xray/config.json
8. 旁路由: /etc/init.d/mihomo restart
9. 旁路由: /etc/init.d/xray restart
10. NAS: 创建 macvlan 网络 + 启动 qBittorrent 容器
11. NAS: 配置 qBittorrent 监听端口 51413,关闭 μTP
```
---
## 第六部分:验证
### 6.1 SOCKS5 代理出站验证
```bash
# 在 NAS 上执行,应返回北京 VPS 的公网 IP
docker exec qbittorrent curl --socks5 192.168.1.199:1080 https://ip.sb
```
### 6.2 Xray 日志确认
```bash
# 旁路由上查看 Xray 日志,确认 socks-lan 流量转发正常
tail -f /var/log/xray.log | grep socks-lan
```
### 6.3 BT 入站验证
```bash
# 北京 VPS 上确认端口监听
ss -tlnp | grep 51413
# 从外部测试端口可达
nc -zv salmonstill.cn 51413
```
### 6.4 端到端 BT 测试
下载一个热门 Ubuntu torrent 种子,观察:
- qBittorrent WebUI → 连接 → 应显示 DHT 节点数增长
- 跟踪器页面 → 应显示 "Working"
- 下载速度应有上传来确认入站工作
---
## 第七部分:故障排查
| 现象 | 排查 |
|---|---|
| qBittorrent curl ip.sb 返回真实 IP | SOCKS5 代理未生效,检查 qBittorrent 设置中代理配置 |
| 代理连不上 | 确认 旁路由 Xray 正在运行且 `socks-lan` 入站监听 :1080 |
| 入站无上传 | 检查北京 VPS ufw/腾讯云安全组已放行 51413/tcp |
| xray 报错 `reverse-proxy.xray.internal` | portal/bridge 域名不匹配,两边必须一致 |
| 下载有速度、无上传 | μTP 没关或 portal UDP 不支持,qBittorrent 设置仅 TCP |
---
## 第八部分:文件清单
| 文件 | 位置 | 作用 |
|---|---|---|
| `beijing-vps-stream.conf` | 北京VPS `/etc/nginx/stream.conf.d/` | Nginx SNI分流(含 news.apple.com → 9445 |
| `xray-北京vps-config.json` | 北京VPS `/usr/local/etc/xray/config.json` | Xray 入站+路由(含 proxy_from_lan + external_qbit |
| `xray-旁路由-config.json` | 旁路由 `/etc/xray/config.json` | Xray bridge + to_qbit(51413) + socks-lan(1080) → to_beijing_direct |
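Review bot: this file is added in the same change whose README already lists it as `方案文档(已合并到 README,可删除)`, and its body is a verbatim copy of the README's qBittorrent section; keep one source and drop the other. Points that apply to both copies: the crontab targets `http://192.168.1.200:8888/api/v2/torrents/...` while the container is started with `WEBUI_PORT=8090`; the `curl` calls send no login cookie, and qBittorrent's WebUI rejects unauthenticated API calls unless subnet auth bypass is enabled, which the settings table does not mention; `/torrents/start` and `/torrents/stop` are the qBittorrent 5.x endpoint names (4.x uses `resume`/`pause`), which matters when the image is pulled as `:latest`; and running the cron `在 NAS 上` collides with macvlan, since a Docker host cannot reach its own macvlan containers through the parent interface without a shim (the `docker exec ... curl` check in 6.1 only works because it runs inside the container). `-p 8090:8090` is a no-op on a macvlan network; the port is already reachable on 192.168.1.200. The `socks-lan` inbound is `auth: noauth` on `0.0.0.0:1080` with `udp: true`, so every LAN host, not only the qBittorrent container, gets an anonymous exit through the Beijing VPS; bind it more narrowly or add a user. The fragments also re-embed the Beijing `privateKey`, the client `id` and the `shortId`; same rotation note as for the README.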
-49
@@ -1,49 +0,0 @@
mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
external-controller: '127.0.0.1:9090'
find-process-mode: off
dns:
enable: true
ipv6: false
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
default-nameserver:
- tls://223.5.5.5
- tls://223.6.6.6
nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
respect-rules: false
proxies:
- name: Xray-Real
type: vless
server: salmonstill.cn
port: 443
uuid: "113e167a-a2be-4b46-9010-60020108626c"
udp: true
flow: xtls-rprx-vision
packet-encoding: xudp
tls: true
servername: www.microsoft.com
client-fingerprint: chrome
reality-opts:
public-key: "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs"
short-id: "7c947a71b94f369e"
network: tcp
listeners:
- name: global-mixed
type: mixed
port: 7891
listen: 0.0.0.0
udp: true
proxy: Xray-Real
rules:
- MATCH,DIRECT
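Review bot: deleting this config removes the plaintext `uuid` `113e167a-...` from HEAD but not from history, and the same UUID is still used by `proxy_from_lan` / `to_beijing_direct` in the new README, so treat it as exposed and rotate rather than rely on the delete. For the record of what is retired here: `allow-lan: true` with `bind-address: '*'` and an unauthenticated `mixed` listener on `0.0.0.0:7891` that sent everything to `Xray-Real` exposed an anonymous exit to the whole LAN; the replacement TUN config in this change sets `allow-lan: false`, which is the right direction.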
+321
@@ -0,0 +1,321 @@
# ========================
# Spark (Ubuntu) Mihomo 配置
# 本地 TUN 模式,国外走 US-Direct 直连
# ========================
mixed-port: 7890
allow-lan: false
bind-address: '0.0.0.0'
mode: rule
log-level: info
external-controller: '127.0.0.1:9090'
find-process-mode: off
# TUN 模式 — 本机所有流量自动劫持
tun:
enable: true
stack: system
dns-hijack:
- any:53
auto-route: true
auto-detect-interface: true
dns:
enable: true
ipv6: false
prefer-h3: false
use-hosts: false
use-system-hosts: true
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
fake-ip-filter:
- geosite:private
- geosite:tracker
- geosite:cn
- geosite:apple@cn
- geosite:microsoft@cn
- geosite:microsoft
- '+.lan'
- '+.local'
- '+.hf-mirror.com'
default-nameserver:
- 223.5.5.5
- 223.6.6.6
nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
proxy-server-nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
direct-nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
respect-rules: true
# ========================
# 代理定义
# ========================
proxies:
- name: 直连
type: direct
- name: 拒绝
type: reject
- name: US-Direct
type: vless
server: 173.242.118.60
port: 443
uuid: "4d222c16-53bb-4402-814e-c8188cebcea6"
udp: true
flow: xtls-rprx-vision
packet-encoding: xudp
tls: true
servername: www.microsoft.com
client-fingerprint: chrome
reality-opts:
public-key: "jr_zQjC4mvlQITuG5Ap5Mxqe5EBbGyyvwbVLDEi8OCA"
short-id: "a1b2c3d4"
network: tcp
# ========================
# 策略组
# ========================
proxy-groups:
- name: 国内
type: select
proxies: [直连]
- name: 国外
type: select
proxies: [US-Direct, 直连]
- name: Steam-rule
type: select
proxies: [国内, 国外, 直连]
- name: Microsoft-rule
type: select
proxies: [国内, 国外, 直连]
- name: AI
type: select
proxies: [国外, 国内, 直连]
- name: Stream Media
type: select
proxies: [国外, 国内, 直连]
- name: GitHub
type: select
proxies: [国外, 国内, 直连]
- name: Crypto
type: select
proxies: [国外, 国内, 直连]
- name: Block
type: select
proxies: [拒绝, 直连]
- name: 其他
type: select
proxies: [国外, 国内, 直连, 拒绝]
# ========================
# rule-providers
# ========================
rule-providers:
Ads:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/category-ads-all.mrs
path: ./rule-providers/ads.mrs
proxy: 国外
Private_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/private.mrs
path: ./rule-providers/private_domain.mrs
proxy: 国外
Private_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/private.mrs
path: ./rule-providers/private_ip.mrs
proxy: 国外
China_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/cn.mrs
path: ./rule-providers/cn_domain.mrs
proxy: 国外
China_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/cn.mrs
path: ./rule-providers/cn_ip.mrs
proxy: 国外
Oracle:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/oracle.mrs
path: ./rule-providers/oracle.mrs
proxy: 国外
OpenAI:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/openai.mrs
path: ./rule-providers/openai.mrs
proxy: 国外
GitHub_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/github.mrs
path: ./rule-providers/github.mrs
proxy: 国外
Netflix_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/netflix.mrs
path: ./rule-providers/netflix_domain.mrs
proxy: 国外
Netflix_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/netflix.mrs
path: ./rule-providers/netflix_ip.mrs
proxy: 国外
Steam_CN:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/steam@cn.mrs
path: ./rule-providers/steam_cn.mrs
proxy: 国外
Steam:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/steam.mrs
path: ./rule-providers/steam.mrs
proxy: 国外
GFW:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/gfw.mrs
path: ./rule-providers/gfw.mrs
proxy: 国外
Geo_NoCN:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/geolocation-!cn.mrs
path: ./rule-providers/geo_nocn.mrs
proxy: 国外
Microsoft:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/microsoft.mrs
path: ./rule-providers/microsoft.mrs
proxy: 国外
Crypto:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/category-cryptocurrency.mrs
path: ./rule-providers/crypto.mrs
proxy: 国外
# ========================
# 多监听器
# ========================
listeners:
- name: global-mixed
type: mixed
port: 7891
listen: 127.0.0.1
udp: true
proxy: US-Direct
- name: direct-mixed
type: mixed
port: 7892
listen: 127.0.0.1
udp: true
proxy: 直连
# ========================
# rules
# ========================
rules:
- DOMAIN,vs18.bj2cu.u3.ucweb.com,拒绝
- DOMAIN-SUFFIX,salmonstill.cn,直连
- DOMAIN-SUFFIX,hf-mirror.com,国内
- DOMAIN-KEYWORD,raylink,直连
- IP-CIDR,49.232.242.90/32,直连
- IP-CIDR,173.242.118.60/32,直连
- DOMAIN-SUFFIX,ubuntu.com,国外
- DOMAIN-SUFFIX,canonical.com,国外
- DOMAIN-SUFFIX,okx.com,国外
- DOMAIN-SUFFIX,okxc.com,国外
- RULE-SET,Ads,Block
- RULE-SET,Private_Domain,国内
- RULE-SET,Private_IP,国内,no-resolve
- RULE-SET,China_Domain,国内
- RULE-SET,Oracle,国内
- RULE-SET,China_IP,国内,no-resolve
- RULE-SET,OpenAI,AI
- RULE-SET,GitHub_Domain,GitHub
- RULE-SET,Netflix_Domain,Stream Media
- RULE-SET,Netflix_IP,Stream Media,no-resolve
- RULE-SET,Steam_CN,国内
- RULE-SET,Steam,Steam-rule
- RULE-SET,Microsoft,Microsoft-rule
- RULE-SET,Crypto,Crypto
- RULE-SET,GFW,国外
- RULE-SET,Geo_NoCN,国外
- MATCH,其他
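Review bot: `external-controller: '127.0.0.1:9090'` is set without a `secret`, so any local process (or a browser page that can reach localhost) can read and change the running configuration through the REST API; add `secret:` and keep its value out of the committed file. The `uuid` of `US-Direct` is the credential for that VPS and is committed in cleartext here and duplicated in the other two Mihomo files of this change, so rotate it once this history is pushed anywhere shared, or move the proxy into an un-tracked `proxy-providers` file.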
+131 -5
@@ -109,13 +109,24 @@
}
},
{
"tag": "external_3000",
"tag": "external_gitea",
"listen": "0.0.0.0",
"port": 3000,
"port": 38661,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 3000,
"port": 38661,
"network": "tcp"
}
},
{
"tag": "external_spark_38662",
"listen": "0.0.0.0",
"port": 38662,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 38662,
"network": "tcp"
}
},
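Review bot: `external_spark_38662` is named after its port while its sibling in the same hunk was just renamed from `external_3000` to `external_gitea`; name it after the service that listens on port 38662 of the Spark host and add a comment, otherwise the next reader cannot tell what this public-facing forward exposes. Both inbounds listen on `0.0.0.0` and are reachable from the whole internet, so each should be documented alongside the other public ports with its destination service.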
@@ -189,6 +200,85 @@
]
}
}
},
{
"tag": "proxy_from_lan",
"listen": "127.0.0.1",
"port": 9445,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"target": "www.apple.com:443",
"serverNames": [
"news.apple.com"
],
"privateKey": "GGT9LfN_2JdQG68cwrULgUK-adfT6wIokLzWjaB0fXs",
"shortIds": [
"7c947a71b94f369e"
]
}
}
},
{
"tag": "external_qbit",
"listen": "0.0.0.0",
"port": 51413,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 51413,
"network": "tcp"
}
},
{
"tag": "socks-dynamic",
"listen": "0.0.0.0",
"port": 38658,
"protocol": "socks",
"settings": {
"auth": "password",
"accounts": [
{
"user": "dynamic",
"pass": "ab981c1d2b6d031631ee75986ea4e7c7"
}
],
"udp": true
}
},
{
"tag": "external_spark_ssh",
"listen": "0.0.0.0",
"port": 38659,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 38659,
"network": "tcp"
}
},
{
"tag": "external_spark_rdp",
"listen": "0.0.0.0",
"port": 38660,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 38660,
"network": "tcp"
}
}
],
"outbounds": [
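Review bot: the Reality `privateKey` of `proxy_from_lan` and the `socks-dynamic` account password are long-lived secrets and this hunk commits both in cleartext; rotate them and load them from a file outside the repository (or a templated config) before this history is shared. Two further points: `socks-dynamic` listens on `0.0.0.0:38658` with `"udp": true`, so one password is all that protects a general-purpose proxy reachable from the internet, which deserves at least a source-IP allow list at the firewall and monitoring of failed authentications in the access log; and `external_qbit` sets `"network": "tcp"` only, so peers that use UDP on 51413 (uTP, DHT) will not reach the client through this forward, which should be `"tcp,udp"` if that is intended and the reverse tunnel carries UDP.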
@@ -202,7 +292,7 @@
"settings": {
"vnext": [
{
"address": "tokyo.salmonstill.cn",
"address": "173.242.118.60",
"port": 443,
"users": [
{
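Review bot: replacing `tokyo.salmonstill.cn` with the literal `173.242.118.60` removes the DNS dependency but hard-codes an address that now appears in four places in this change set (this outbound and the three Mihomo `US-Direct` entries); state the reason in the commit message, and confirm that the `serverName` in this outbound's `realitySettings` (outside the hunk) was left as the hostname the server's `serverNames` expects, since Reality authenticates on the SNI rather than on the dial address.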
@@ -282,7 +372,14 @@
{
"type": "field",
"inboundTag": [
"external_3000"
"external_gitea"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_spark_38662"
],
"outboundTag": "portal"
},
@@ -300,6 +397,28 @@
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_qbit"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"socks-dynamic"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
"external_spark_ssh",
"external_spark_rdp"
],
"outboundTag": "portal"
},
{
"type": "field",
"inboundTag": [
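Review bot: routing `socks-dynamic` to `portal` sends whatever destination an authenticated SOCKS client asks for down the reverse tunnel into the home network, where the bridge side of this same change hands it to `direct`; unless LAN access from that proxy is intended, add a rule ahead of this one that drops private destinations for that inbound, for example `"inboundTag": ["socks-dynamic"], "ip": ["geoip:private"], "outboundTag": "block"` with a blackhole outbound (tag name assumed, not in this diff).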
@@ -320,6 +439,13 @@
"mihomo_in"
],
"outboundTag": "to_tokyo"
},
{
"type": "field",
"inboundTag": [
"proxy_from_lan"
],
"outboundTag": "direct"
}
]
}
+127 -1
@@ -10,6 +10,18 @@
}
]
},
"inbounds": [
{
"tag": "socks-lan",
"port": 1080,
"listen": "0.0.0.0",
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": true
}
}
],
"outbounds": [
{
"tag": "to_nas",
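Review bot: `socks-lan` listens on `0.0.0.0:1080` with `"auth": "noauth"` and UDP enabled, and the routing rule later in this file sends it to `to_beijing_direct`, so every device on the LAN (including guest devices) gets an unauthenticated exit through the Beijing VPS's public address; bind it to the router's LAN address, switch to `"auth": "password"`, or restrict the source range with a firewall rule, and record the port in the documentation so it is not forgotten.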
@@ -81,6 +93,34 @@
"redirect": "192.168.1.188:222"
}
},
{
"tag": "to_qbit",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.200:51413"
}
},
{
"tag": "to_spark_ssh",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.166:22"
}
},
{
"tag": "to_spark_rdp",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.166:3389"
}
},
{
"tag": "to_spark_38662",
"protocol": "freedom",
"settings": {
"redirect": "192.168.1.166:38662"
}
},
{
"tag": "interconn",
"protocol": "vless",
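Review bot: `to_spark_rdp` publishes the remote desktop on `192.168.1.166:3389` through the tunnel to a public port, with only the host's login credentials in front of it; prefer reaching RDP over a VPN link and drop this outbound, or at minimum restrict the VPS-side port by source IP and enable lockout on the host. Also `to_spark_38662` is named by port rather than by service, unlike the other `to_*` outbounds in this hunk.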
@@ -112,6 +152,37 @@
}
}
},
{
"tag": "to_beijing_direct",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "salmonstill.cn",
"port": 443,
"users": [
{
"id": "113e167a-a2be-4b46-9010-60020108626c",
"encryption": "none",
"flow": "xtls-rprx-vision"
}
]
}
]
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"fingerprint": "chrome",
"serverName": "news.apple.com",
"password": "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs",
"shortId": "7c947a71b94f369e",
"spiderX": "/"
}
}
},
{
"tag": "direct",
"protocol": "freedom"
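Review bot: this outbound uses `"network": "raw"` and puts the Reality public key under `password`, both of which are the newer Xray-core spellings (older releases expect `tcp` and `publicKey`), so record the minimum Xray version in the docs or the config will fail to load if the router and the VPS are upgraded separately. The `id` here necessarily duplicates the one in the `proxy_from_lan` inbound on the Beijing VPS, which is one more place to update when that UUID is rotated.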
@@ -119,6 +190,13 @@
],
"routing": {
"rules": [
{
"type": "field",
"inboundTag": [
"socks-lan"
],
"outboundTag": "to_beijing_direct"
},
{
"type": "field",
"inboundTag": [
@@ -182,7 +260,7 @@
"inboundTag": [
"bridge"
],
"port": "3000",
"port": "38661",
"outboundTag": "to_3000"
},
{
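Review bot: the port moves from `3000` to `38661` but the outbound is still `to_3000`, while the matching VPS inbound was renamed `external_gitea` in this same change; rename the outbound `to_gitea` and check that its `redirect` target (not in this diff) still points at the Gitea listener, since only the tunnel port changed here.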
@@ -206,7 +284,55 @@
"inboundTag": [
"bridge"
],
"port": "51413",
"outboundTag": "to_qbit"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38658",
"outboundTag": "direct"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38659",
"outboundTag": "to_spark_ssh"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38660",
"outboundTag": "to_spark_rdp"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38662",
"outboundTag": "to_spark_38662"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"port": "38653",
"outboundTag": "to_nas"
},
{
"type": "field",
"inboundTag": [
"bridge"
],
"outboundTag": "direct"
}
]
}
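Review bot: the `"port": "38658"` → `direct` rule is most likely dead: for connections arriving from the `socks-dynamic` inbound the bridge sees the SOCKS client's requested destination, not 38658, so they fall through to the final `bridge` → `direct` catch-all anyway. Either way the catch-all lets tunnelled SOCKS traffic reach any LAN address; if that is not intended, place a rule before it that sends private destinations (`"ip": ["geoip:private"]`) to a blackhole outbound, and verify with the bridge's access log which rule the traffic actually hits.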
@@ -2,6 +2,7 @@ stream {
map $ssl_preread_server_name $backend {
www.apple.com xray; # 旁路由反向代理隧道
www.microsoft.com mihomo; # 新增:mihomo出站流量
news.apple.com xray_lan; # 新增:旁路由代理直连流量
drive.salmonstill.cn nas; # 绿联云服务
default npm; # Nginx Proxy Manager
}
@@ -12,6 +13,10 @@ stream {
upstream mihomo {
server 127.0.0.1:9444;
}
# 旁路由代理直连
upstream xray_lan {
server 127.0.0.1:9445;
}
upstream nas {
server 127.0.0.1:38653;
}
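Review bot: all three upstreams are plain `127.0.0.1` forwards, so the Xray inbounds behind them (for example `proxy_from_lan` on 9445) log every client as 127.0.0.1 and fail2ban-style monitoring on the VPS sees nothing useful; if source addresses matter, add `proxy_protocol on;` to the stream server block and `"acceptProxyProtocol": true` in the corresponding Xray inbound's stream settings, changing both sides together.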
+329
@@ -0,0 +1,329 @@
# ========================
# Clash-ALL 思路(单上游 Xray Reality 精简版) + 额外端口:7891 全局代理 + 7892 强制直连
# ========================
mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
external-controller: '127.0.0.1:9090'
find-process-mode: off
dns:
enable: true
ipv6: false
prefer-h3: false
use-hosts: false
use-system-hosts: true
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
fake-ip-filter:
- geosite:private
- geosite:tracker
- geosite:cn
- geosite:apple@cn
- geosite:microsoft@cn
- geosite:microsoft
- '+.lan'
- '+.local'
- '+.volces.com'
- '+.salmonstill.cn'
- '+.raylink' # keyword 的话用这个兜底
default-nameserver:
- 223.5.5.5
- 114.114.114.114
nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
proxy-server-nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
direct-nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
respect-rules: false
# ========================
# 代理定义
# ========================
proxies:
- name: 直连
type: direct
- name: 拒绝
type: reject
- name: Xray-Real
type: vless
server: 49.232.242.90
port: 443
uuid: "113e167a-a2be-4b46-9010-60020108626c"
udp: true
flow: xtls-rprx-vision
packet-encoding: xudp
tls: true
servername: www.microsoft.com
client-fingerprint: chrome
reality-opts:
public-key: "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs"
short-id: "7c947a71b94f369e"
network: tcp
- name: US-Direct
type: vless
server: 173.242.118.60
port: 443
uuid: "4d222c16-53bb-4402-814e-c8188cebcea6"
udp: true
flow: xtls-rprx-vision
packet-encoding: xudp
tls: true
servername: www.microsoft.com
client-fingerprint: chrome
reality-opts:
public-key: "jr_zQjC4mvlQITuG5Ap5Mxqe5EBbGyyvwbVLDEi8OCA"
short-id: "a1b2c3d4"
network: tcp
# ========================
# 策略组
# ========================
proxy-groups:
- name: 国内
type: select
proxies: [直连]
- name: 国外
type: select
proxies: [US-Direct, 直连]
- name: Steam-rule
type: select
proxies: [国内, 国外, 直连]
- name: Microsoft-rule
type: select
proxies: [国内, 国外, 直连]
- name: AI
type: select
proxies: [国外, 国内, 直连]
- name: Stream Media
type: select
proxies: [国外, 国内, 直连]
- name: GitHub
type: select
proxies: [国外, 国内, 直连]
- name: Crypto
type: select
proxies: [国外, 国内, 直连]
- name: Block
type: select
proxies: [直连, 拒绝]
- name: 其他
type: select
proxies: [国外, 国内, 直连, 拒绝]
# ========================
# rule-providers
# ========================
rule-providers:
Ads:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/category-ads-all.mrs
path: ./rule-providers/ads.mrs
proxy: 国外
Private_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/private.mrs
path: ./rule-providers/private_domain.mrs
proxy: 国外
Private_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/private.mrs
path: ./rule-providers/private_ip.mrs
proxy: 国外
China_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/cn.mrs
path: ./rule-providers/cn_domain.mrs
proxy: 国外
China_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/cn.mrs
path: ./rule-providers/cn_ip.mrs
proxy: 国外
Oracle:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/oracle.mrs
path: ./rule-providers/oracle.mrs
proxy: 国外
OpenAI:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/openai.mrs
path: ./rule-providers/openai.mrs
proxy: 国外
GitHub_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/github.mrs
path: ./rule-providers/github.mrs
proxy: 国外
Netflix_Domain:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/netflix.mrs
path: ./rule-providers/netflix_domain.mrs
proxy: 国外
Netflix_IP:
type: http
behavior: ipcidr
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/netflix.mrs
path: ./rule-providers/netflix_ip.mrs
proxy: 国外
Steam_CN:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/steam@cn.mrs
path: ./rule-providers/steam_cn.mrs
proxy: 国外
Steam:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/steam.mrs
path: ./rule-providers/steam.mrs
proxy: 国外
GFW:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/gfw.mrs
path: ./rule-providers/gfw.mrs
proxy: 国外
Geo_NoCN:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/geolocation-!cn.mrs
path: ./rule-providers/geo_nocn.mrs
proxy: 国外
Microsoft:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/microsoft.mrs
path: ./rule-providers/microsoft.mrs
proxy: 国外
Crypto:
type: http
behavior: domain
format: mrs
interval: 86400
url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/category-cryptocurrency.mrs
path: ./rule-providers/crypto.mrs
proxy: 国外
# ========================
# 多监听器部分
# ========================
listeners:
- name: global-mixed
type: mixed
port: 7891
listen: 0.0.0.0
udp: true
proxy: US-Direct
- name: direct-mixed
type: mixed
port: 7892
listen: 0.0.0.0
udp: true
proxy: 直连
# ========================
# rules
# ========================
rules:
- DOMAIN,vs18.bj2cu.u3.ucweb.com,拒绝
- DOMAIN-SUFFIX,salmonstill.cn,直连
- DOMAIN-SUFFIX,volces.com,直连
- DOMAIN-KEYWORD,raylink,直连
- IP-CIDR,49.232.242.90/32,直连
- IP-CIDR,173.242.118.60/32,直连
- DOMAIN-SUFFIX,ubuntu.com,国外
- DOMAIN-SUFFIX,canonical.com,国外
- DOMAIN-SUFFIX,okx.com,国外
- DOMAIN-SUFFIX,okxc.com,国外
- RULE-SET,Ads,Block
- RULE-SET,Private_Domain,国内
- RULE-SET,Private_IP,国内,no-resolve
- RULE-SET,China_Domain,国内
- RULE-SET,Oracle,国内
- RULE-SET,China_IP,国内,no-resolve
- RULE-SET,OpenAI,AI
- RULE-SET,GitHub_Domain,GitHub
- RULE-SET,Netflix_Domain,Stream Media
- RULE-SET,Netflix_IP,Stream Media,no-resolve
- RULE-SET,Steam_CN,国内
- RULE-SET,Steam,Steam-rule
- RULE-SET,Microsoft,Microsoft-rule
- RULE-SET,Crypto,Crypto
- RULE-SET,GFW,国外
- RULE-SET,Geo_NoCN,国外
- MATCH,其他
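Review bot: the `Block` group lists `[直连, 拒绝]`, so its default selection is 直连 and `RULE-SET,Ads,Block` passes ad domains straight through until someone flips it in the UI; put 拒绝 first, as the Spark config in this same change does. Also, `allow-lan: true` with `bind-address: '*'` plus the 7890/7891/7892 listeners on `0.0.0.0` exposes three unauthenticated proxies to the LAN and `external-controller` has no `secret`; add an `authentication` list or firewall the ports, and set a secret.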
@@ -29,13 +29,11 @@ dns:
- '+.lan'
- '+.local'
default-nameserver:
- tls://223.5.5.5
- tls://223.6.6.6
- 223.5.5.5
- 223.6.6.6
nameserver:
- https://9.9.9.9/dns-query
- https://149.112.112.112/dns-query
- https://94.140.14.14/dns-query
- https://94.140.15.15/dns-query
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
proxy-server-nameserver:
- https://dns.alidns.com/dns-query
- https://doh.pub/dns-query
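Review bot: dropping the `tls://` prefix on `default-nameserver` moves bootstrap lookups to plaintext UDP 53, where they can be read or altered on path; Alidns serves DoT on the same addresses, so keep `tls://223.5.5.5` and `tls://223.6.6.6` unless the change fixes a connectivity problem, in which case say so in the commit message.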
@@ -69,6 +67,22 @@ proxies:
short-id: "7c947a71b94f369e"
network: tcp
- name: US-Direct
type: vless
server: 173.242.118.60
port: 443
uuid: "4d222c16-53bb-4402-814e-c8188cebcea6"
udp: true
flow: xtls-rprx-vision
packet-encoding: xudp
tls: true
servername: www.microsoft.com
client-fingerprint: chrome
reality-opts:
public-key: "jr_zQjC4mvlQITuG5Ap5Mxqe5EBbGyyvwbVLDEi8OCA"
short-id: "a1b2c3d4"
network: tcp
# ========================
# 策略组
# ========================
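Review bot: this is the third copy of the `US-Direct` definition in the change set, each carrying the same `uuid`, `public-key` and `short-id`; a `proxy-providers` entry pointing at one shared, un-tracked file would keep them in sync and make rotating the credential a one-place edit.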
@@ -79,7 +93,7 @@ proxy-groups:
- name: 国外
type: select
proxies: [Xray-Real, 直连]
proxies: [US-Direct, 直连]
- name: Steam-rule
type: select
@@ -111,7 +125,7 @@ proxy-groups:
- name: 其他
type: select
proxies: [, 国, 直连, 拒绝]
proxies: [, 国, 直连, 拒绝]
# ========================
# rule-providers
@@ -270,7 +284,7 @@ listeners:
port: 7891
listen: 127.0.0.1
udp: true
proxy: Xray-Real
proxy: US-Direct
- name: direct-mixed
type: mixed
@@ -285,9 +299,14 @@ listeners:
rules:
- DOMAIN,vs18.bj2cu.u3.ucweb.com,拒绝
- DOMAIN-SUFFIX,salmonstill.cn,直连
- DOMAIN-SUFFIX,hf-mirror.com,国内
- DOMAIN-KEYWORD,raylink,直连
- IP-CIDR,49.232.242.90/32,直连
- IP-CIDR,43.165.178.10/32,直连
- IP-CIDR,173.242.118.60/32,直连
- DOMAIN-SUFFIX,ubuntu.com,国外
- DOMAIN-SUFFIX,canonical.com,国外
- DOMAIN-SUFFIX,okx.com,国外
- DOMAIN-SUFFIX,okxc.com,国外
- RULE-SET,Ads,Block
- RULE-SET,Private_Domain,国内
- RULE-SET,Private_IP,国内,no-resolve
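Review bot: `43.165.178.10/32` appears nowhere else in this change set and has no comment, unlike the other two direct-connect addresses, which match the `Xray-Real` and `US-Direct` servers; add a comment naming the host so the direct-bypass list stays auditable.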