github
/
Xray-docs-next
mirror of https://github.com/XTLS/Xray-docs-next
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '74da9a3b65'
${ noResults }
Xray-docs-next/docs/document/level-2/warp.md

225 lines
6.6 KiB
Raw Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

---
title: 通过 Cloudflare Warp 增强代理安全性
---
# 通过 Cloudflare Warp 增强代理安全性
Xray1.6.5+)新加入了 WireGuard 出站,虽然增加的代码和依赖会增大 core 体积,但是我们认为这是一个很有必要的新功能,原因有三:
1. 通过近期的一些讨论和[实验](https://github.com/net4people/bbs/issues/129#issuecomment-1308102504),我们知道代理回国流量是不安全的。一种应对方式是将回国流量路由至黑洞,它的缺点是由于 geosite 和 geoip 更新的不及时或者新手不知道如何在客户端适当分流,结果流量进入黑洞,影响使用体验。
这时我们只需要将回国流量导入 Cloudflare Warp可以在不影响使用体验的情况下达到同样的安全性。
2. 众所周知,大部分机场会记录用户访问域名的日志,某些机场还会审计和阻断一些用户流量。保护用户私密性的一个方法,就是在客户端使用链式代理。
Warp 使用的 WireGuard 轻量级 VPN 协议会在代理层内增加一层加密。对于机场而言,用户所有流量的目标都是 Warp从而最大程度保护自己的隐私。
3. 方便使用,只需要一个 core 即可完成分流Wireguard Tun链式代理的设置。
## 申请 Warp 账户
### 感谢 Cloudflare 推动自由的互联网,现在你可以免费使用 Warp 服务,连接的时候会根据出口自动选择最近的服务器
#### 方法 1
1. 使用一台 vps下载 [wgcf](https://github.com/ViRb3/wgcf/releases)
2. 运行 `wgcf register` 生成 `wgcf-account.toml`
3. 运行 `wgcf generate` 生成 `wgcf-profile.conf` 拷贝内容如下:
```ini
[Interface]
PrivateKey = 我的私钥
Address = 172.16.0.2/32
Address = 2606:4700:110:8949:fed8:2642:a640:c8e1/128
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = Warp公钥
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
```
#### 方法 2
1. 使用 [warp-reg.sh](https://github.com/chise0713/warp-reg.sh),运行:
```
bash -c "$(curl -L warp-reg.vercel.app)"
```
- 输出
```json
{
"endpoint":{
"v4": "162.159.192.7",
"v6": "[2606:4700:d0::a29f:c007]",
},
"reserved_dec": [35, 74, 190],
"reserved_hex": "0x234abe",
"reserved_str": "I0q+",
"private_key": "yL0kApRiZW4VFfNkKAQ/nYxnMFT3AH0dfVkj1GAlr1k=",
"public_key": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=",
"v4": "172.16.0.2",
"v6": "2606:4700:110:81f3:2a5b:3cad:9d4:9ea6"
}
```
2. 拷贝输出的内容
#### 方法 3
1. 使用[wgcf-cli](https://github.com/ArchiveNetwork/wgcf-cli),运行以下内容进行安装:
```
bash -c "$(curl -L wgcf-cli.vercel.app)"
```
2. 运行 `wgcf-cli -r` 进行注册,输出:
```json
wgcf-cli -r
{
"endpoint": {
"v4": "162.159.192.7:0",
"v6": "[2606:4700:d0::a29f:c007]:0"
},
"reserved_str": "6nT5",
"reserved_hex": "0xea74f9",
"reserved_dec": [
234,
116,
249
],
"private_key": "WIAKvgUlq5fBazhttCvjhEGpu8MmGHcb1H0iHSGlU0Q=",
"public_key": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=",
"addresses": {
"v4": "172.16.0.2",
"v6": "2606:4700:110:8d9c:3c4e:2190:59d1:2d3c"
}
}
```
- 完整文件将会保存到工作目录的 `wgcf.json` 内。
3. 如果你还拥有一个 warp-plus 的密钥,你还可以运行 `wgcf-cli -l [密钥]` 进行绑定
- (密钥可以在[我们群](https://t.me/projectXray/)里发送 `/keyget@getwarpplusbot` 获取)输出:
```json
wgcf-cli -l 9zs5I61a-l9j8m7T5-4pC6k20X
{
"id": "cd7f4695-e9ef-4bb0-b412-5f4d84919db7",
"created": "0001-01-01T00:00:00Z",
"updated": "2023-12-14T12:32:18.689777921Z",
"premium_data": 0,
"quota": 0,
"warp_plus": true,
"referral_count": 0,
"referral_renewal_countdown": 0,
"role": "child"
}
```
4. 运行 `wgcf-cli -g xray` 来生成一个WireGurad出站他会将内容保存到 `wgcf.json.xray.json`
- 示例文件:
```json
{
"protocol": "wireguard",
"settings": {
"secretKey": "6CRVRLgFwGajnikoVOPTDNZnDhx3EydhPsMgpxHfBCY=",
"address": [
"172.16.0.2/32",
"2606:4700:110:857a:6a95:fe27:1870:2a9d/128"
],
"peers": [
{
"publicKey": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=",
"allowedIPs": [
"0.0.0.0/0",
"::/0"
],
"endpoint": "162.159.192.1:2408"
}
],
"reserved": [
240,
25,
146
],
"mtu": 1280
},
"tag": "wireguard"
}
```
## 在服务端分流回国流量至 warp
在现有出站中新增一个 WireGurad 出站
```json
{
"protocol": "wireguard",
"settings": {
"secretKey": "我的私钥",
"address": ["172.16.0.2/32", "2606:4700:110:8949:fed8:2642:a640:c8e1/128"],
"peers": [
{
"publicKey": "Warp公钥",
"endpoint": "engage.cloudflareclient.com:2408"
}
],
"reserved":[0, 0, 0] // 如果你有的话粘贴reserved到这里
},
"tag": "wireguard-1"
}
```
路由策略推荐`IPIfNonMatch`
在现有路由中新增以下
```json
{
"type": "field",
"domain": [
"geosite:cn"
],
"outboundTag": "wireguard-1"
},
{
"type": "field",
"ip": [
"geoip:cn"
],
"outboundTag": "wireguard-1"
},
```
## 客户端使用 warp 链式代理
```json
{
"outbounds":[
{
"protocol":"wireguard",
"settings":{
"secretKey":"我的私钥",
"peers":[
{
"publicKey":"Warp公钥",
"endpoint":"engage.cloudflareclient.com:2408"
}
],
"reserved":[0, 0, 0] // 如果你有的话粘贴reserved到这里
},
"streamSettings":{
"sockopt":{
"dialerProxy":"proxy"
}
},
"tag":"wireguard-1"
},
{
"tag":"proxy",
"protocol":"vmess",
"settings":{
"vnext":[
{
"address":"我的IP",
"port":我的端口,
"users":[
{
"id":"我的UUID",
"security":"auto"
}
]
}
]
},
"streamSettings":{
"network":"tcp"
}
}
]
}
```
Reference in new issue View Git Blame Copy Permalink