Notes: configuring an ss back-connection in clash-meta to access LAN devices

1 day ago
 evemoo

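Two things to note:

  1. In clash-meta, uncheck "Network -> Bypass private addresses"; otherwise, even with dns and tun configured, the traffic is filtered out directly, and even the debug log does not show traffic to 192.168.0.0/16;
  2. dns -> proxy-server-nameserver must be added; otherwise the ddns domain used for the back-connection cannot be resolved

The configuration is as follows: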

mixed-port: 7890

# redir proxy port for Linux and macOS
redir-port: 7892

# Allow connections from the LAN
allow-lan: true

# Rule mode: Rule / Global (global proxy) / Direct (global direct connection)
mode: rule

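# Set the log output level (default level: silent, i.e. no output at all, to avoid the program running out of memory because of oversized logs).
# 5 levels: silent / warning / error / info / debug. The higher the level, the more log output and the more it is geared toward debugging; enable it yourself if needed.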
log-level: info

# Clash's RESTful API
external-controller: '127.0.0.1:9091'

# Secret for the RESTful API
secret: ''

tun:
  enable: true
  stack: mixed
  dns-hijack:
    - "any:53"
    - "tcp://any:53"
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true

dns:
  enable: true
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:
    - "*"
    - "+.lan"
    - "+.local"
    - "+.market.xiaomi.com"
  nameserver:
    - https://1.1.1.1/dns-query
    - https://8.8.8.8/dns-query
  proxy-server-nameserver: # resolves proxy nodes
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query
  nameserver-policy:
    "geosite:cn,private":
    - 223.5.5.5
    - 119.29.29.29

# proxy provider start here
proxies:
  - name: ss-in
    type: ss
    server: 
    port: 
    cipher: 2022-blake3-aes-128-gcm
    password: <openssl rand -base64 16>
    udp: true

proxy-providers:
  sub-1:
    type: http
    url: 
    interval: 3600

  sub-2:
    type: http
    url: 
    interval: 3600
# proxy provider end

proxy-groups:
  - name: 自动选择
    type: url-test
    url: 'http://www.gstatic.com/generate_204'
    interval: 300
    use:
      - sub-1
      - sub-2

  - name: alias-sub-1
    type: select
    use:
      - sub-1


rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400

  icloud:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/icloud.txt"
    path: ./ruleset/icloud.yaml
    interval: 86400

  apple:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/apple.txt"
    path: ./ruleset/apple.yaml
    interval: 86400

  google:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400

  proxy:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400

  direct:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400

  private:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400

  gfw:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400

  tld-not-cn:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400

  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400

  cncidr:
    type: http
    behavior: ipcidr
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400

  lancidr:
    type: http
    behavior: ipcidr
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400

  applications:
    type: http
    behavior: classical
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/applications.txt"
    path: ./ruleset/applications.yaml
    interval: 86400

rules:
  # ss-in
  - IP-CIDR,192.168.31.0/24,ss-in,no-resolve
  # custom rules
  - DOMAIN-SUFFIX,freenom.com,DIRECT
  # from rule-provider
  - RULE-SET,applications,DIRECT
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,yacd.haishan.me,DIRECT
  - RULE-SET,private,DIRECT
  - RULE-SET,reject,REJECT
  - RULE-SET,icloud,DIRECT
  - RULE-SET,apple,DIRECT
  - RULE-SET,google,自动选择
  - RULE-SET,proxy,自动选择
  - RULE-SET,direct,DIRECT
  - RULE-SET,lancidr,DIRECT
  - RULE-SET,cncidr,DIRECT
  - RULE-SET,telegramcidr,自动选择
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,自动选择



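Finally, does the DNS leak problem actually matter? I went through a lot of articles on configurations and the resolution flow, and each has its own view.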
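
The two config details this post depends on, as an added example that is not part of the original post: rules are matched top to bottom, so the ss-in IP-CIDR rule has to sit above the LAN DIRECT rules, and a 2022-blake3-aes-128-gcm password must be base64 of exactly 16 bytes. LANCIDR is a constructed stand-in for the remote lancidr rule set, and SAMPLE_PSK is a constructed all-zero key used only for the check.

```python
import base64
import ipaddress

# Key sizes in bytes required by the Shadowsocks 2022 ciphers.
SS2022_KEY_BYTES = {
    "2022-blake3-aes-128-gcm": 16,
    "2022-blake3-aes-256-gcm": 32,
    "2022-blake3-chacha20-poly1305": 32,
}

# Constructed stand-in for the remote "lancidr" rule set (RFC 1918 ranges only).
LANCIDR = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample key (16 zero bytes); never use it as a real password.
SAMPLE_PSK = base64.b64encode(bytes(16)).decode()

# Rule order as posted (IP rules only), and the same rules with the first two swapped.
POSTED = ["IP-CIDR,192.168.31.0/24,ss-in,no-resolve",
          "RULE-SET,lancidr,DIRECT",
          "MATCH,自动选择"]
REORDERED = [POSTED[1], POSTED[0], POSTED[2]]

def psk_ok(cipher, password):
    """True if password is base64 that decodes to the key size the cipher needs."""
    try:
        key = base64.b64decode(password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(key) == SS2022_KEY_BYTES.get(cipher)

def first_match(rules, dest_ip):
    """Return (rule, target) for the first IP rule matching dest_ip, top to bottom."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in rules:
        kind, *args = rule.split(",")
        if kind == "IP-CIDR":
            nets, target = [args[0]], args[1]
        elif kind == "RULE-SET" and args[0] == "lancidr":
            nets, target = LANCIDR, args[1]
        elif kind == "MATCH":
            return rule, args[0]
        else:
            continue  # domain and GEOIP rules are outside this sketch
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return rule, target
    return None, None

if __name__ == "__main__":
    print(first_match(POSTED, "192.168.31.10"))     # routed to ss-in
    print(first_match(REORDERED, "192.168.31.10"))  # shadowed by lancidr
```

With the rules reordered, the remote 192.168.31.0/24 range falls into the LAN DIRECT rule and never reaches ss-in.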

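2 replies
evemoo
1 day ago
Just found out overwall ran off; I bought it last week and have barely used it, damn!
MYDB
1 day ago
Whether DNS leaks matter depends on how fastidious you are; heavily fastidious people not only use global tun, but also change the device's language and time zone to match the node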
