
Ditch the bypass router: using clash as a transparent gateway

Any solution that doesn't make (me) configure iptables is a good solution


It's well known that setting clash up as a transparent gateway is quite involved. After a lot of frantic searching I finally found a tool that makes it simple:

https://github.com/mritd/tpclash

Using it is also very straightforward.

  1. Download it (from the repository's releases; remember you are about to run this binary as root and route all your traffic through it) and rename it to /usr/local/bin/clash

  2. Create a working directory for clash. It can be anywhere; I used /etc/clash

  3. Add the configuration file config.yaml

     interface-name: ens18 # use your actual outbound interface name (from `ip a`)

     port: 7890
     socks-port: 7891
     redir-port: 7892
     tproxy-port: 7893
     allow-lan: true
     bind-address: "*"      # binds the ports above on every interface; on a multi-homed box use the LAN address instead
     mode: Rule
     log-level: info
     external-controller: 0.0.0.0:9090  # REST API and dashboard reachable from the whole LAN
     secret: ""             # empty = unauthenticated API: anyone who reaches :9090 can switch proxies and rewrite rules; set a long random string
     external-ui: /opt/clash-dashboard

     dns:
       enable: true
       ipv6: false
       listen: 0.0.0.0:1053
       enhanced-mode: fake-ip
       fake-ip-range: 198.18.0.1/16
       default-nameserver:     # plain-IP resolvers, used only to resolve the nameservers below
         - 114.114.114.114
         - 1.1.1.1
       nameserver:
         - 114.114.114.114
         - 223.6.6.6

     tun:
       enable: true
       stack: system
       auto-route: true
       auto-detect-interface: true
       dns-hijack:
         - any:53          # capture every client's port-53 query so fake-ip works even with hard-coded DNS servers
     proxies:
       # the node's type, server, port and credentials were left out by the author; fill in your own
       - {
           name: hk,
           udp: true,
         }
    
     rule-providers:
       reject:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
         path: ./ruleset/reject.yaml
         interval: 86400
    
       icloud:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
         path: ./ruleset/icloud.yaml
         interval: 86400
    
       apple:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
         path: ./ruleset/apple.yaml
         interval: 86400
    
       google:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
         path: ./ruleset/google.yaml
         interval: 86400
    
       proxy:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
         path: ./ruleset/proxy.yaml
         interval: 86400
    
       direct:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
         path: ./ruleset/direct.yaml
         interval: 86400
    
       private:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
         path: ./ruleset/private.yaml
         interval: 86400
    
       gfw:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
         path: ./ruleset/gfw.yaml
         interval: 86400
    
       greatfire:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt"
         path: ./ruleset/greatfire.yaml
         interval: 86400
    
       tld-not-cn:
         type: http
         behavior: domain
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
         path: ./ruleset/tld-not-cn.yaml
         interval: 86400
    
       telegramcidr:
         type: http
         behavior: ipcidr
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
         path: ./ruleset/telegramcidr.yaml
         interval: 86400
    
       cncidr:
         type: http
         behavior: ipcidr
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
         path: ./ruleset/cncidr.yaml
         interval: 86400
    
       lancidr:
         type: http
         behavior: ipcidr
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
         path: ./ruleset/lancidr.yaml
         interval: 86400
    
       applications:
         type: http
         behavior: classical
         url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
         path: ./ruleset/applications.yaml
         interval: 86400
    
     rules:
       - RULE-SET,applications,DIRECT
       - DOMAIN-SUFFIX,hashnode.com,hk
       - DOMAIN-KEYWORD,taobao,DIRECT
       - DOMAIN-KEYWORD,github,hk
       - DOMAIN,clash.razord.top,DIRECT
       - DOMAIN,yacd.haishan.me,DIRECT
       - RULE-SET,private,DIRECT
       - RULE-SET,reject,REJECT
       - RULE-SET,icloud,DIRECT
       - RULE-SET,apple,DIRECT
       - RULE-SET,google,DIRECT
       - RULE-SET,proxy,hk
       - RULE-SET,direct,DIRECT
       - RULE-SET,lancidr,DIRECT
       - RULE-SET,cncidr,DIRECT
       - RULE-SET,telegramcidr,hk
       - GEOIP,LAN,DIRECT
       - GEOIP,CN,DIRECT
       - MATCH,DIRECT # default for anything the rules above miss; set it to hk to proxy by default, or leave DIRECT as I do
    
  4. Do a test run to check the config for errors

     clash --test
    
  5. Register it as a service so it can be managed with systemctl

     # /etc/systemd/system/clash.service
     [Unit]
     Description=Clash TProxy
     # network-online (not network.target) so the interface clash binds to is already configured
     After=network-online.target
     Wants=network-online.target

     [Service]
     # root is needed: tpclash creates the TUN device and writes the routing/iptables rules itself
     User=root
     # this group must exist (groupadd clash), otherwise the unit fails to start
     Group=clash
     Restart=on-failure
     ExecStart=/usr/local/bin/clash -d /etc/clash

     [Install]
     WantedBy=multi-user.target
    
  6. Start the service and enable it at boot

     systemctl start clash
     systemctl enable clash
    
  7. Set the gateway of your devices to the IP of the machine running the service. Done. (Clients that resolve over DoH/DoT bypass the port-53 hijack, so they get real IPs instead of fake-ip answers and are matched only by the IP-based rules.)
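Before step 4 it is worth checking what this config exposes, because `clash --test` validates the file, not who can reach the service. The script below is an added example, not part of the original post and not tpclash's own code. It lints a clash config.yaml for three things a gateway on a shared network should not ship with (an unauthenticated REST API bound to every interface, proxy ports on `*` while allow-lan is on, and rule lists fetched over plaintext HTTP), then writes two constructed samples, one mirroring the weak lines of the config above and one hardened, and lints both. The LAN address 192.168.1.2 and the hardened values are assumptions; adapt them to your network.

```shell
#!/bin/sh
# Added example, not code from the original post or from tpclash: a pre-flight
# lint for the config.yaml assembled above. It flags the settings that let
# anyone on the LAN (or the internet, if the box is multi-homed) drive the
# gateway or feed it rules. The two sample configs are constructed for the
# demo; 192.168.1.2 as the gateway's LAN address is an assumption.
set -eu

# Print one line per weak setting found in a clash config file.
config_findings() {
    cfg="$1"
    # 1. REST API bound to every interface (0.0.0.0, [::], * or no host) while
    #    `secret` is empty or missing: whoever reaches :9090 can read the
    #    config, switch nodes and rewrite rules through the dashboard.
    secret_set_re="^[[:space:]]*secret:[[:space:]]*[\"']?[^\"'[:space:]#]+"
    if grep -Eq '^[[:space:]]*external-controller:[[:space:]]*"?(0\.0\.0\.0|\[::\]|\*)?:[0-9]+' "$cfg" \
       && ! grep -Eq "$secret_set_re" "$cfg"; then
        echo "FINDING: external-controller on all interfaces with an empty secret"
    fi
    # 2. HTTP/SOCKS/redir/tproxy ports bound to every interface. Harmless on a
    #    single-homed gateway; with a WAN or VPN leg it is an open proxy.
    if grep -Eq '^[[:space:]]*allow-lan:[[:space:]]*true' "$cfg" \
       && grep -Eq '^[[:space:]]*bind-address:[[:space:]]*"?\*"?' "$cfg"; then
        echo "FINDING: allow-lan with bind-address \"*\" exposes the proxy ports on every interface"
    fi
    # 3. Rule lists decide which traffic goes where. Fetched over plaintext
    #    HTTP they can be rewritten in transit; one line per offending URL.
    grep -En '^[[:space:]]*url:[[:space:]]*"?http://' "$cfg" \
        | sed 's/^\([0-9]*\):.*/FINDING: rule-provider fetched over plaintext HTTP (config line \1)/'
}

# Number of findings, as a plain integer.
findings_count() {
    config_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample: the relevant lines of the post's config, with one
# rule-provider deliberately switched to http:// to exercise check 3.
write_weak_config() {
    cat > "$1" <<'EOF'
allow-lan: true
bind-address: "*"
external-controller: 0.0.0.0:9090
secret: ""
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "http://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400
EOF
}

# Constructed sample: the same settings with the three issues corrected.
# The secret is generated at write time so it is never a well-known default.
write_hardened_config() {
    secret=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
    cat > "$1" <<EOF
allow-lan: true
bind-address: 192.168.1.2            # assumed LAN address of the gateway
external-controller: 192.168.1.2:9090
secret: "$secret"
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400
EOF
}

# Demo run: lint the weak sample, then the hardened one.
demo_dir=$(mktemp -d)
write_weak_config "$demo_dir/weak.yaml"
write_hardened_config "$demo_dir/hardened.yaml"
for f in "$demo_dir/weak.yaml" "$demo_dir/hardened.yaml"; do
    echo "== $f: $(findings_count "$f") finding(s)"
    config_findings "$f"
done
rm -rf "$demo_dir"
```

To check the real file, source the script and call `config_findings /etc/clash/config.yaml`; the weak sample reports three findings and the hardened one none. Binding the API to the LAN address with a secret keeps the dashboard usable from your own machines while denying it to anything that merely routes through the gateway.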


PS. The tpclash author also provides a Docker-based setup.

Al's blog