sing-box搭建ShadowTLS v3节点
1、开启BBR加速
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p2、更新软件源及安装依赖
apt update && apt -y install wget git libc6-dev build-essential zlib1g-dev libssl-dev libevent-dev mingw-w643、安装go
wget -c https://go.dev/dl/go1.20.3.linux-amd64.tar.gz -O - | tar -xz -C /usr/localecho 'export PATH=$PATH:/usr/local/go/bin' > /etc/profilesource /etc/profile4、编译安装sing-box
go install -v -tags \
with_quic,\
with_grpc,\
with_dhcp,\
with_wireguard,\
with_shadowsocksr,\
with_ech,\
with_utls,\
with_reality_server,\
with_acme,\
with_clash_api,\
with_v2ray_api,\
with_gvisor,\
with_embedded_tor,\
with_lwip \
github.com/sagernet/sing-box/cmd/sing-box@latest5、复制编译好的sing-box到/usr/local/bin/目录
cp ~/go/bin/sing-box /usr/local/bin/6、为sing-box配置开机自启服务
cat > /etc/systemd/system/sing-box.service <<EOF[Unit]
Description=sing-box service
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
Restart=on-failure
RestartSec=1800s
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target
EOF7、创建sing-box文件夹
mkdir /usr/local/etc/sing-box && cd $_8、创建sing-box配置文件
touch config.json9、服务端配置信息
{
"log": {
"disabled": false,
"level": "info",
"timestamp": true
},
"dns": {
"servers": [
{
"tag": "local",
"address": "https://1.1.1.1/dns-query",
"detour": "direct"
},
{
"tag": "block",
"address": "rcode://success"
}
],
"rules": [
{
"geosite": "cn",
"server": "local"
},
{
"geosite": "category-ads-all",
"server": "block",
"disable_cache": true
}
]
},
"inbounds": [
{
"type": "shadowtls",
"tag": "st-in",
"listen": "::",
"listen_port": 443, //监听端口
"version": 3, //协议版本为ShadowTLS v3
"users": [
{
"name": "xiao0123", //用户名
"password": "XTVsAyFnREiRn5hgrjUAu8a9dSsicFKYIJM+K8+Iv8g=" //ShadowTLS 密码,执行sing-box generate rand --base64 32生成
}
],
"handshake": {
"server": "www.apple.com", //握手服务器地址
"server_port": 443
},
"strict_mode": true, //开启ShadowTLS 严格模式
"detour": "ss-in" //连接转发到shadowsocks节点
},
{
"type": "shadowsocks", //shadowsocks节点配置
"tag": "ss-in",
"listen": "127.0.0.1",
"network": "tcp",
"method": "2022-blake3-chacha20-poly1305", //Shadowsocks加密方式
"password": "NZew3ZrmZjxullszmAKtfu+pZh0F1dxnIPcwlaStjyI=" //Shadowsocks密码,执行sing-box generate rand --base64 32生成
}
],
"outbounds": [
{
"type": "direct",
"tag": "direct"
},
{
"type": "block",
"tag": "block"
}
],
"route": {
"geoip": {
"download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
"download_detour": "direct"
},
"geosite": {
"download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
"download_detour": "direct"
},
"rules": [
{
"geosite": "cn",
"geoip": "cn",
"outbound": "direct"
},
{
"geosite": "category-ads-all",
"outbound": "block"
}
]
}
}10、测试配置文件是否有效
/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json11、启动并设置sing-box为开机自启
systemctl enable --now sing-box12、查看sing-box启动状态
systemctl status sing-boxClash配置信息
# port: 7890 # HTTP(S) 代理服务器端口
# socks-port: 7891 # SOCKS5 代理端口
mixed-port: 10801 # HTTP(S) 和 SOCKS 代理混合端口
# redir-port: 7892 # 透明代理端口,用于 Linux 和 MacOS
# Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
# tproxy-port: 7893
allow-lan: true # 允许局域网连接
bind-address: "*" # 绑定 IP 地址,仅作用于 allow-lan 为 true,'*'表示所有地址
# find-process-mode has 3 values:always, strict, off
# - always, 开启,强制匹配所有进程
# - strict, 默认,由 clash 判断是否开启
# - off, 不匹配进程,推荐在路由器上使用此模式
find-process-mode: strict
mode: rule
#自定义 geodata url
geox-url:
geoip: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat"
geosite: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat"
mmdb: "https://cdn.jsdelivr.net/gh/Loyalsoldier/geoip@release/Country.mmdb"
log-level: debug # 日志等级 silent/error/warning/info/debug
ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录
external-controller: 0.0.0.0:9093 # RESTful API 监听地址
secret: "123456" # RESTful API的密码 (可选)
# tcp-concurrent: true # TCP 并发连接所有 IP, 将使用最快握手的 TCP
#external-ui: /path/to/ui/folder # 配置 WEB UI 目录,使用 http://{{external-controller}}/ui 访问
# interface-name: en0 # 设置出口网卡
# 全局 TLS 指纹,优先低于 proxy 内的 client-fingerprint
# 可选: "chrome","firefox","safari","ios","random","none" options.
# Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
global-client-fingerprint: chrome
# routing-mark:6666 # 配置 fwmark 仅用于 Linux
# 实验性选择
# experimental:
# 类似于 /etc/hosts, 仅支持配置单个 IP
# hosts:
# '*.clash.dev': 127.0.0.1
# '.dev': 127.0.0.1
# 'alpha.clash.dev': '::1'
# test.com: [1.1.1.1, 2.2.2.2]
# clash.lan: clash # clash 为特别字段,将加入本地所有网卡的地址
# baidu.com: google.com # 只允许配置一个别名
profile: # 存储 select 选择记录
store-selected: true
# 持久化 fake-ip
store-fake-ip: true
# 嗅探域名
sniffer:
enable: true
sniffing:
- tls
- http
# 强制对此域名进行嗅探
dns:
enable: true #开启Clash内置DNS服务器,默认为false
prefer-h3: true # 开启 DoH 支持 HTTP/3,将并发尝试
listen: 0.0.0.0:53 # 开启 DNS 服务器监听
ipv6: true # false 将返回 AAAA 的空结果
# ipv6-timeout: 300 # 单位:ms,内部双栈并发时,向上游查询 AAAA 时,等待 AAAA 的时间,默认 100ms
# 解析nameserver和fallback的DNS服务器
# 填入纯IP的DNS服务器
default-nameserver:
- 114.114.114.114
- 223.5.5.5
enhanced-mode: fake-ip # 模式fake-ip
fake-ip-range: 198.18.0.1/16 # fake-ip 池设置
# use-hosts: true # 查询 hosts
# 配置不使用fake-ip的域名
fake-ip-filter:
- "*.lan"
- "*.localdomain"
- "*.example"
- "*.invalid"
- "*.localhost"
- "*.test"
- "*.local"
- "*.home.arpa"
- time.*.com
- time.*.gov
- time.*.edu.cn
- time.*.apple.com
- time1.*.com
- time2.*.com
- time3.*.com
- time4.*.com
- time5.*.com
- time6.*.com
- time7.*.com
- ntp.*.com
- ntp1.*.com
- ntp2.*.com
- ntp3.*.com
- ntp4.*.com
- ntp5.*.com
- ntp6.*.com
- ntp7.*.com
- "*.time.edu.cn"
- "*.ntp.org.cn"
- "+.pool.ntp.org"
- music.163.com
- "*.music.163.com"
- "*.126.net"
- musicapi.taihe.com
- music.taihe.com
- songsearch.kugou.com
- trackercdn.kugou.com
- "*.kuwo.cn"
- api-jooxtt.sanook.com
- api.joox.com
- joox.com
- y.qq.com
- "*.y.qq.com"
- streamoc.music.tc.qq.com
- mobileoc.music.tc.qq.com
- isure.stream.qqmusic.qq.com
- dl.stream.qqmusic.qq.com
- aqqmusic.tc.qq.com
- amobile.music.tc.qq.com
- "*.xiami.com"
- "*.music.migu.cn"
- music.migu.cn
- "*.msftconnecttest.com"
- "*.msftncsi.com"
- msftconnecttest.com
- msftncsi.com
- localhost.ptlogin2.qq.com
- localhost.sec.qq.com
- "+.srv.nintendo.net"
- "+.stun.playstation.net"
- xbox.*.microsoft.com
- xnotify.xboxlive.com
- "+.battlenet.com.cn"
- "+.wotgame.cn"
- "+.wggames.cn"
- "+.wowsgame.cn"
- "+.jd.com"
- "+.wargaming.net"
- proxy.golang.org
- stun.*.*
- stun.*.*.*
- "+.stun.*.*"
- "+.stun.*.*.*"
- "+.stun.*.*.*.*"
- heartbeat.belkin.com
- "*.linksys.com"
- "*.linksyssmartwifi.com"
- "*.router.asus.com"
- mesu.apple.com
- swscan.apple.com
- swquery.apple.com
- swdownload.apple.com
- swcdn.apple.com
- swdist.apple.com
- lens.l.google.com
- stun.l.google.com
- "+.nflxvideo.net"
- "*.square-enix.com"
- "*.finalfantasyxiv.com"
- "*.ffxiv.com"
- '*.mcdn.bilivideo.cn'
# DNS主要域名配置
# 支持 UDP,TCP,DoT,DoH,DoQ
# 这部分为主要 DNS 配置,影响所有直连,确保使用对大陆解析精准的 DNS
nameserver:
- 114.114.114.114 # default value
- 223.5.5.5
- 119.29.29.29
- https://doh.360.cn/dns-query
- https://doh.pub/dns-query # DNS over HTTPS
- https://dns.alidns.com/dns-query # 强制 HTTP/3,与 perfer-h3 无关,强制开启 DoH 的 HTTP/3 支持,若不支持将无法使用
# 当配置 fallback 时,会查询 nameserver 中返回的 IP 是否为 CN,非必要配置
# 当不是 CN,则使用 fallback 中的 DNS 查询结果
# 确保配置 fallback 时能够正常查询
fallback:
- 219.141.136.10
- 8.8.8.8
- 1.1.1.1
- https://cloudflare-dns.com/dns-query
- https://dns.google/dns-query
# 配置 fallback 使用条件
fallback-filter:
geoip: false # 配置是否使用 geoip
geoip-code: CN # 当 nameserver 域名的 IP 查询 geoip 库为 CN 时,不使用 fallback 中的 DNS 查询结果
# 如果不匹配 ipcidr 则使用 nameservers 中的结果
ipcidr:
- 240.0.0.0/4
domain:
- "+.google.com"
- "+.facebook.com"
- "+.youtube.com"
- "+.githubusercontent.com"
- "+.googlevideo.com"
proxies:
- name: ShadowTLS v3
type: ss
server: 149.28.117.226 #VPS IP地址
port: 443 #监听端口
cipher: 2022-blake3-chacha20-poly1305 #shadowsocks节点的加密方式
password: "376pMmdNdbluhQ7DT2C4a9XvmM1d5b83tlMZurjjzs0=" #shadowsocks节点的密码
plugin: shadow-tls
client-fingerprint: chrome
plugin-opts:
host: "www.apple.com" #握手服务器地址
password: "MBE/ow0JW0kwErMxdGhrHkddA8l2bCDJ3d1bZKu7bLA=" #ShadowTLS密码
version: 3 # support 1/2/3
proxy-groups:
- name: PROXY
type: select
proxies:
- ShadowTLS v3
rule-providers:
reject:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
path: ./ruleset/reject.yaml
interval: 86400
icloud:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
path: ./ruleset/icloud.yaml
interval: 86400
apple:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
path: ./ruleset/apple.yaml
interval: 86400
proxy:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
path: ./ruleset/proxy.yaml
interval: 86400
direct:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
path: ./ruleset/direct.yaml
interval: 86400
private:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
path: ./ruleset/private.yaml
interval: 86400
gfw:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
path: ./ruleset/gfw.yaml
interval: 86400
greatfire:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt"
path: ./ruleset/greatfire.yaml
interval: 86400
tld-not-cn:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
path: ./ruleset/tld-not-cn.yaml
interval: 86400
telegramcidr:
type: http
behavior: ipcidr
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
path: ./ruleset/telegramcidr.yaml
interval: 86400
cncidr:
type: http
behavior: ipcidr
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
path: ./ruleset/cncidr.yaml
interval: 86400
lancidr:
type: http
behavior: ipcidr
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
path: ./ruleset/lancidr.yaml
interval: 86400
applications:
type: http
behavior: classical
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
path: ./ruleset/applications.yaml
interval: 86400
rules:
- RULE-SET,applications,DIRECT
- DOMAIN,clash.razord.top,DIRECT
- DOMAIN,yacd.haishan.me,DIRECT
- DOMAIN-SUFFIX,services.googleapis.cn,DIRECT
- DOMAIN-SUFFIX,xn--ngstr-lra8j.com,DIRECT
- RULE-SET,private,DIRECT
- RULE-SET,reject,REJECT
- RULE-SET,icloud,DIRECT
- RULE-SET,apple,DIRECT
- RULE-SET,proxy,PROXY
- RULE-SET,direct,DIRECT
- RULE-SET,lancidr,DIRECT
- RULE-SET,cncidr,DIRECT
- RULE-SET,telegramcidr,PROXY
- GEOIP,LAN,DIRECT
- GEOIP,CN,DIRECT
- MATCH,PROXY
本文链接:
/archives/1682040770162
版权声明:
本站所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自
Ray!
喜欢就支持一下吧
