Raspberry Pi 4B as a transparent proxy forwarding LAN traffic with Clash in TUN mode
References
Reference tutorials:
https://www.arloor.com/posts/clash-tun-gateway/#%E4%B8%8B%E8%BD%BDclash-premium%E5%86%85%E6%A0%B8
https://cherysunzhang.com/2020/05/deploy-clash-as-transparent-proxy-on-raspberry-pi/
Miscellaneous
System package source mirror (Aliyun)
nano /etc/apt/sources.list
#deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
#deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
#deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
# Uncomment deb-src lines below then 'apt-get update' to enable 'apt-get source'
#deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
#deb-src http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
#deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
#deb http://mirrors.tuna.tsinghua.edu.cn/raspbian/raspbian/ buster main non-free contrib rpi
#deb-src http://mirrors.tuna.tsinghua.edu.cn/raspbian/raspbian/ buster main non-free contrib rpi
# Source mirrors are commented out by default to speed up apt update; uncomment them if needed
# deb-src https://mirrors.tuna.tsinghua.edu.cn/debian/ bookworm main contrib non-free non-free-firmware
#deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bookworm-updates main contrib non-free non-free-firmware
# deb-src https://mirrors.tuna.tsinghua.edu.cn/debian/ bookworm-updates main contrib non-free non-free-firmware
#deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bookworm-backports main contrib non-free non-free-firmware
# deb-src https://mirrors.tuna.tsinghua.edu.cn/debian/ bookworm-backports main contrib non-free non-free-firmware
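# The security update sources below include both the official source and the mirror configuration; change the comments to switch if needed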
#deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
# deb-src https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb https://mirrors.aliyun.com/debian/ bullseye main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ bullseye main non-free contrib
deb https://mirrors.aliyun.com/debian-security/ bullseye-security main
deb-src https://mirrors.aliyun.com/debian-security/ bullseye-security main
deb https://mirrors.aliyun.com/debian/ bullseye-updates main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ bullseye-updates main non-free contrib
deb https://mirrors.aliyun.com/debian/ bullseye-backports main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ bullseye-backports main non-free contrib
/etc/apt/sources.list.d/raspi.list
#deb http://archive.raspberrypi.com/debian/ bookworm main
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspberrypi.com/debian/ bookworm main
#deb http://mirrors.tuna.tsinghua.edu.cn/raspberrypi/ buster main ui
deb http://mirrors.aliyun.com/raspberrypi/ buster main ui
apt-get update
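Downloading and configuring Clash
Download Clash from the download address given in the references and decompress it, then move the binary to the system bin path: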
mv clash /usr/local/bin
Now run Clash once with the clash command; it generates a configuration file under /root/.config/clash/. Edit the configuration file:
port: 8888
socks-port: 8889
redir-port: 8890
allow-lan: true
mode: Rule
log-level: info
external-controller: 0.0.0.0:9090
#external-ui: public
# secret: "your-secret-passphrase"
external-ui: /data/clash/ui
experimental:
  ignore-resolve-fail: false
dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:53
  enhanced-mode: fake-ip
  nameserver:
    - https://dns.alidns.com/dns-query # DNS-over-HTTPS
tun:
  enable: true
  stack: system
  dns-hijack:
    - 8.8.8.8:53
    - tcp://8.8.8.8:53
    - any:53
    - tcp://any:53
  auto-route: true
  auto-detect-interface: true
hosts:
  "dns.alidns.com": 223.5.5.5
proxies:
  [your proxies]...
proxy-groups:
  [your proxies]...
rules:
  - 'DOMAIN,subm.bixiny.in,DIRECT'
  - 'DOMAIN-SUFFIX,services.googleapis.cn,BiXin Network'
  - 'DOMAIN-SUFFIX,xn--ngstr-lra8j.com,BiXin Network'
  - 'DOMAIN,safebrowsing.urlsec.qq.com,DIRECT'
  ...
Here, external-controller: 0.0.0.0:9090 enables the web UI management interface, reachable at ip:9090/ui; external-ui is the path of the downloaded dashboard project, which I placed in the /data/clash/ui directory.
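With external-controller bound to 0.0.0.0:9090 and secret left commented out, the control API on port 9090 answers without authentication to any host that can reach the Pi. The check below is an added example, not part of the original post; the function names audit_clash_config, page_config and hardened_config and the sample secret are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag wildcard listeners in a Clash config.
# Reads the file named in $1, or stdin. Exit status 1 means a HIGH finding was printed.
audit_clash_config() {
    awk -v q="'" '
    function val(s) {                        # value after "key:", minus comment and quotes
        sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+#.*$/, "", s)
        gsub("[\"" q "]", "", s);    sub(/[ \t]+$/, "", s)
        return s
    }
    function wildcard(a) { return a ~ /^(0\.0\.0\.0|\[::\])?:[0-9]+$/ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments, so "# secret:" does not count
    /^[^ \t]/ { top = $0; sub(/:.*/, "", top) }   # remember the current top-level key
    /^external-controller:/ { ctl = val($0) }
    /^secret:/              { secret = val($0) }
    /^allow-lan:/           { lan = val($0) }
    top == "dns" && /^[ \t]+listen:/ { dns = val($0) }
    END {
        if (wildcard(ctl) && secret == "") {
            print "HIGH external-controller " ctl " binds every interface and secret is unset"
            high = 1
        }
        if (wildcard(dns)) print "INFO dns.listen " dns " binds every interface"
        if (lan == "true") print "INFO allow-lan is true: proxy ports accept other hosts"
        exit high + 0
    }' "${1:--}"
}

# The listener-related lines of the config shown in the post.
page_config() {
    cat <<'EOF'
allow-lan: true
external-controller: 0.0.0.0:9090
# secret: "your-secret-passphrase"
dns:
  enable: true
  listen: 0.0.0.0:53
EOF
}

# Constructed variant: secret set, DNS bound to the Pi's LAN address from the post.
hardened_config() {
    page_config | sed -e 's/^# secret: .*/secret: "constructed-example-secret"/' \
                      -e 's/listen: 0\.0\.0\.0:53/listen: 192.168.3.21:53/'
}

page_config | audit_clash_config || echo "-> set a secret before exposing port 9090"
```

Against the real file, run `audit_clash_config /data/clash/config.yaml`. Once secret is set, the dashboard has to be given the same value to connect.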
Download the dashboard:
mkdir -p /data/clash
git clone -b gh-pages https://github.com/haishanh/yacd.git /data/clash/ui
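Now run Clash again and open http://ip:9090/ui in a browser to reach the management interface:
Clash uses the Country.mmdb file to identify which country an IP address belongs to; GEOIP rules rely on this file. If the file is missing from the working directory when Clash starts, Clash downloads it automatically. Because of network conditions in mainland China this usually takes a long time, so download it yourself from the maxmind-geoip releases and copy it via ftp/scp to the /data/clash directory on the soft router.
Download Country.mmdb to the /root/.config/clash path.
Of course, this step is only part of the work; next, Clash needs to be wrapped as a system service: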
nano /lib/systemd/system/clash.service
[Unit]
Description=Clash
After=network-online.target
Wants=network-online.target
[Service]
WorkingDirectory=/data/clash
ExecStartPre=/bin/sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
ExecStart=/usr/local/bin/clash -d /data/clash -f /data/clash/config.yaml
LimitNOFILE=100000
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
When done, start the service:
systemctl start clash
Enable the service to start at boot:
systemctl enable clash
Next, configure iptables traffic forwarding:
With my configuration these rules can be used as-is without changes; they forward traffic to Clash's port 8890.
# Create CLASH chain
iptables -t nat -N CLASH
# Bypass private IP address ranges
iptables -t nat -A CLASH -d 10.0.0.0/8 -j RETURN
iptables -t nat -A CLASH -d 127.0.0.0/8 -j RETURN
iptables -t nat -A CLASH -d 169.254.0.0/16 -j RETURN
iptables -t nat -A CLASH -d 172.16.0.0/12 -j RETURN
iptables -t nat -A CLASH -d 192.168.0.0/16 -j RETURN
iptables -t nat -A CLASH -d 224.0.0.0/4 -j RETURN
iptables -t nat -A CLASH -d 240.0.0.0/4 -j RETURN
# Redirect all TCP traffic to 8890 port, where Clash listens
iptables -t nat -A CLASH -p tcp -j REDIRECT --to-ports 8890
iptables -t nat -A PREROUTING -p tcp -j CLASH
Persist the iptables rules.
apt install iptables-persistent netfilter-persistent
netfilter-persistent save
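The rules above are appended with -A, so running them a second time duplicates the REDIRECT and a wrong order would send LAN-local traffic into Clash. The following check is an added example, not part of the original post; check_clash_chain and page_rules are constructed names, and the sample rule listing is rebuilt from the commands above in `iptables -S` form.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify the CLASH nat chain.
# stdin = output of `iptables -t nat -S`, or the saved /etc/iptables/rules.v4.
# $1    = expected redir-port (8890 in the post). Prints problems; exit 1 if any.
CLASH_BYPASS="10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

check_clash_chain() {
    awk -v port="$1" -v nets="$CLASH_BYPASS" '
    BEGIN { n = split(nets, want, " ") }
    $1 == "-A" && $2 == "PREROUTING" && /-j CLASH/ { hooked = 1 }
    # Only RETURN rules that come before the first REDIRECT protect a range.
    $1 == "-A" && $2 == "CLASH" && /-j RETURN/ && !redir {
        for (i = 3; i < NF; i++) if ($i == "-d") seen[$(i + 1)] = 1
    }
    $1 == "-A" && $2 == "CLASH" && /-j REDIRECT/ {
        redir++
        if ($NF != port) bad = bad "REDIRECT goes to port " $NF ", expected " port "\n"
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) bad = bad "no RETURN for " want[i] " ahead of REDIRECT\n"
        if (redir != 1) bad = bad sprintf("%d REDIRECT rules in CLASH, expected 1\n", redir)
        if (!hooked) bad = bad "PREROUTING does not jump to CLASH\n"
        printf "%s", bad
        exit (bad != "")
    }'
}

# Constructed sample: the rules from the post as `iptables -t nat -S` prints them.
page_rules() {
    printf '%s\n' '-N CLASH'
    for net in $CLASH_BYPASS; do printf -- '-A CLASH -d %s -j RETURN\n' "$net"; done
    printf '%s\n' '-A CLASH -p tcp -j REDIRECT --to-ports 8890' \
                  '-A PREROUTING -p tcp -j CLASH'
}

page_rules | check_clash_chain 8890 && echo "CLASH chain matches the post"
```

On the Pi, run `iptables -t nat -S | check_clash_chain 8890` for the live rules and `check_clash_chain 8890 < /etc/iptables/rules.v4` for what will be restored at boot.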
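It is now ready to use!
Usage
My Raspberry Pi's static IP is 192.168.3.21.
Computer configuration:
Just change the IPv4 gateway to the Raspberry Pi's IP address.
Phone configuration: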