From 46e06b70cdb613d92823a4d2b8b6edcc2f115471 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=83=81=E3=82=BB?= <123655015+chise0713@users.noreply.github.com> Date: Wed, 20 Dec 2023 18:10:35 +0800 Subject: [PATCH] Merge `fwmark`/`sendThrough`/`sockopt.interface` together --- docs/document/level-2/README.md | 2 +- docs/document/level-2/redirect.md | 214 ++++++++---------------------- 2 files changed, 54 insertions(+), 162 deletions(-) diff --git a/docs/document/level-2/README.md b/docs/document/level-2/README.md index 8e875fddb..967a3dd5e 100644 --- a/docs/document/level-2/README.md +++ b/docs/document/level-2/README.md @@ -24,7 +24,7 @@ [通过 Xray 将特定的流量指向特定出口,实现全局路由“分流”](./redirect.md) by a [@Zzz3m](https://github.com/Zzz3m) -将 Xray 玩出花:基于 fwmark 或 sendThrough 方式实现“分流”。 +将 Xray 玩出花:基于 fwmark 、 sendThrough 或 sockopt.interface 方式实现“分流”。 [通过 Cloudflare Warp 增强代理安全性](./warp.md) by a [@yuhan6665](https://github.com/yuhan6665) diff --git a/docs/document/level-2/redirect.md b/docs/document/level-2/redirect.md index d53f7ad84..16b0d4514 100644 --- a/docs/document/level-2/redirect.md +++ b/docs/document/level-2/redirect.md @@ -11,7 +11,7 @@ title: 出站流量重定向 之前在网络上看到许多代理或者 VPN 会接管全局路由,如果与 Xray 同时安装,会导致 Xray 失效。参考了网络上许多教程,及时分流,也是通过维护一张或者多张 CIDR 路由表来实现的。这种情况下并不优雅,如果我想可以任意替换,实现按需分流,那有没有更好的办法呢?有! -通过 fwmark 或 Xray 的 sendThrough,再简单配合路由表功能即可实现: +通过 fwmark 或 Xray 的 sendThrough/sockopt.interface,再简单配合路由表功能即可实现: 1. Xray 可设置指定的 Tag、域名等走指定接口。如果您的接口是双栈的,可以指定 IPV4 或者 IPV6 2. 其余用户则走原 IPV4 或者 IPV6 @@ -26,98 +26,55 @@ title: 出站流量重定向 原始文件: - - - - ```ini [Interface] -PrivateKey = xxxxxxxxxxxxxxxxxxxx -Address = "your wg0 v4 address" -Address = "your wg0 v6 address" +PrivateKey = +Address = +Address = DNS = 8.8.8.8 MTU = 1280 [Peer] -PublicKey = xxxxxxxxxxxxxxxxxxxxx +PublicKey = AllowedIPs = ::/0 AllowedIPs = 0.0.0.0/0 -Endpoint = "ip:port" +Endpoint = : ``` 在 `[Interface]` 下添加如下命令: - ```ini -Table = off -PostUP = ip -4 rule add fwmark lookup -PostUP = ip -4 route add default dev <接口名称> table
-PostUP = ip -4 rule add table main suppress_prefixlength 0
+Table =
+### fwmark
+PostUP = ip rule add fwmark lookup
+PostDown = ip rule del fwmark lookup
PostUP = ip -6 rule add fwmark lookup
-PostUP = ip -6 rule add not fwmark
table
-PostUP = ip -6 route add ::/0 dev <接口名称> table
-PostUP = ip -6 rule add table main suppress_prefixlength 0
-PostDown = ip -4 rule delete fwmark lookup
-PostDown = ip -4 rule delete table main suppress_prefixlength 0
-PostDown = ip -6 rule delete fwmark lookup
-PostDown = ip -6 rule delete not fwmark
table
-PostDown = ip -6 rule delete table main suppress_prefixlength 0
-```
-
-::: tip
-
-- 此命令表示 IPv4 中 fwmark 为 ``,IPv6 中 fwmark 为``,::/0 全局 v6 走 WireGuard
-- 可根据自己需求增删命令,mark 值要与 Xray-core 中设置为相同,table 值自定
-- 如果不支持配置文件,可以在系统中修改路由表
- :::
-
-
-
-
-
-```ini
-[Interface]
-PrivateKey = xxxxxxxxxxxxxxxxxxxx
-Address = "your wg0 v4 address"
-Address = "your wg0 v6 address"
-DNS = 8.8.8.8
-MTU = 1280
-[Peer]
-PublicKey = xxxxxxxxxxxxxxxxxxxxx
-AllowedIPs = ::/0
-AllowedIPs = 0.0.0.0/0
-Endpoint = "ip:port"
-```
-
-在 `[Interface]` 下添加如下命令:
-
-```ini
-Table = off
-PostUP = ip -4 rule add from "your wg0 v4 address" lookup
-PostUP = ip -4 route add default dev wg0 table
-PostUP = ip -4 rule add table main suppress_prefixlength 0
-PostUP = ip -6 rule add not fwmark
table
-PostUP = ip -6 route add ::/0 dev wg0 table
-PostUP = ip -6 rule add table main suppress_prefixlength 0
-PostDown = ip -4 rule delete from "your wg0 v4 address" lookup
-PostDown = ip -4 rule delete table main suppress_prefixlength 0
-PostDown = ip -6 rule delete not fwmark
table
-PostDown = ip -6 rule delete table main suppress_prefixlength 0
+PostDown = ip -6 rule del fwmark lookup
+## sendThrough
+PreUp = ip rule add from lookup
+PostDown = ip rule del from lookup
+PreUp = ip -6 rule add from lookup
+PostDown = ip -6 rule del from lookup
+## sockopt.interface
+PreUp = ip rule add oif %i lookup
+PostDown = ip rule del oif %i lookup
+PreUp = ip -6 rule add oif %i lookup
+PostDown = ip -6 rule del oif %i lookup
``` - ::: tip +- 此配置文件融合了 `fwmark` / `sendThrough` / `sockopt.interface`,表示 +- 送入此设备 `%i` 的连接 / 送入此 `` 的连接 / `fwmark` 被标记为 `` 的连接 +- 将会使用 wireguard 进行转发 +- `%i` 是 wireguard 配置文件中的占位符,表示在启动时替换为这个设备的名称 +::: -- 此命令表示 IPV4 中来自 `your wg0 v4 address` 地址的走 WireGuard,IPv6 中::/0 全局 v6 走 WireGuard) -- 可根据自己需求增删命令,实现 v6 分流,也可以与 fwmark 融合 -- 如果不支持配置文件,可以在系统中修改路由表 - ::: - - - - 保存 可顺手安装 +::: warning +如果使用了 `[Interface]` 中的 `DNS` 字段,这个程序将会是必须的 +::: + ```bash apt install openresolv ``` @@ -138,11 +95,7 @@ lsmod | grep wireguard ## 4、Xray-core 配置文件修改 - - - - -```json +```jsonc { "api": { "services": [ 
@@ -167,108 +120,48 @@ lsmod | grep wireguard { "protocol": "freedom", "settings": { - "domainStrategy": "UseIPv6" - //设置默认用户走指定方式”UseIPv6”或者”UseIPv4” + "domainStrategy": "UseIPv4" } + //修改此处,可v4或者v6 }, + // <--请在不同的方案中选择--> 方案1:fwmark { "protocol": "freedom", "tag": "wg0", "streamSettings": { "sockopt": { - "mark": + "mark": // } }, "settings": { "domainStrategy": "UseIPv6" } - //设置fwmark为的用户走指定方式”UseIPv6””UseIPv4” - }, - { - "protocol": "blackhole", - "settings": {}, - "tag": "blocked" - } - ], - "policy": { - "system": { - "statsInboundDownlink": true, - "statsInboundUplink": true - } - }, - "routing": { - "rules": [ - { - "inboundTag": [ - "api" - ], - "outboundTag": "api", - "type": "field" - }, - { - "type": "field", - "outboundTag": "wg0", - "inboundTag": [ - "" - //需要之前在inbound中指定好Tag,我这里是api生成的,还可以添加域名等等 - ] - }, - { - "outboundTag": "blocked", - "protocol": [ - "bittorrent" - ], - "type": "field" - } - ] - }, - "stats": {} -} -``` - - - - - -```json -{ - "api": { - "services": [ - "HandlerService", - "LoggerService", - "StatsService" - ], - "tag": "api" - }, - "inbounds": [ - { - "listen": "127.0.0.1", - "port": , - "protocol": "dokodemo-door", - "settings": { - "address": "127.0.0.1" - }, - "tag": "api" - } - ], - "outbounds": [ + } //设置fwmark为的用户走指定方式”UseIPv6””UseIPv4” + // <--请在不同的方案中选择--> 方案2:sendThrough { + "tag": "wg0", "protocol": "freedom", + "sendThrough": "your wg0 v4 address", + //修改此处,可v4或者v6 "settings": { "domainStrategy": "UseIPv4" } //修改此处,可v4或者v6 }, + // <--请在不同的方案中选择--> 方案3:sockopt.interface { "tag": "wg0", "protocol": "freedom", - "sendThrough": "your wg0 v4 address", - //修改此处,可v4或者v6 "settings": { "domainStrategy": "UseIPv4" + }, + "streamSettings": { + "sockopt": { + "interface": "wg0" + } } - //修改此处,可v4或者v6 }, + // <--请在不同的方案中选择--> 结束 { "protocol": "blackhole", "settings": {}, 
@@ -295,7 +188,7 @@ lsmod | grep wireguard "outboundTag": "wg0", "inboundTag": [ "" - //需要之前在 inbound 中指定好 Tag,我这里是 api 生成的,还可以添加域名等等 + //需要之前在 inbound 中指定好 Tag,这里是 api 生成的,还可以添加域名等等 ] }, { @@ -311,10 +204,6 @@ lsmod | grep wireguard } ``` - - - - ::: tip 可以通过修改 "domainStrategy": "UseIPv6"来控制对应用户的访问方式 实测优先级要高于系统本身的 gai.config ::: @@ -323,6 +212,8 @@ lsmod | grep wireguard ::: tip 需要打开系统的 ip_forward +`sysctl -w net.ipv4.ip_forward=1` +`sysctl -w net.ipv6.conf.all.forwarding=1` ::: ## 6、完成 WireGuard 相关设置 @@ -342,7 +233,7 @@ systemctl start wg-quick@wg0 验证 IPv4/IPv6 -> 自行验证 Google 搜索 myip +> 在代理上 运行 `curl ip-api.com -4/-6` / 浏览器访问ip-api.com ## 后记 @@ -350,4 +241,5 @@ systemctl start wg-quick@wg0 ## 感谢 -@Xray-core @V2ray-core @WireGuard @p3terx @w @Hiram @Luminous @Ln @JackChou +[XTLS/Xray-core](https://github.com/XTLS/Xray-core); [v2fly/v2ray-core](https://github.com/v2fly/v2ray-core); [WireGuard](https://www.wireguard.com/); [@p3terx](https://p3terx.com/); @w; @Hiram; @Luminous; @Ln; @JackChou; + \ No newline at end of file