Installing clash
- Download the clash release for your platform
- Extract clash
- Rename the extracted file to clash
- Move clash into the /usr/bin/ directory
Give clash execute permission:
sudo chmod +x /usr/bin/clash
Check that clash was installed successfully:
clash -v
If it prints the following, the installation succeeded:
Clash v1.2.0 linux amd64 Thu Oct 8 16:08:30 UTC 2020
Modifying the configuration
The default configuration directory is $HOME/.config/clash
The configuration file is named config.yml
To use a different directory, pass -d to set the configuration directory:
clash -d /path/to/config
If you use a subscription provider (an "airport"), it will usually supply the config.yml file for you.
config.yml configuration example
# port of HTTP
port: 7890

# port of SOCKS5
socks-port: 7891

# redir port for Linux and macOS
# redir-port: 7892

allow-lan: false

# Rule / Global / Direct (default is Rule)
mode: Rule

# set log level to stdout (default is info)
# info / warning / error / debug / silent
log-level: info

# A RESTful API for clash
external-controller: 127.0.0.1:9090

# you can put the static web resource (such as clash-dashboard) to a directory, and clash would serve in `${API}/ui`
# input is a relative path to the configuration directory or an absolute path
# external-ui: folder

# Secret for RESTful API (Optional)
# secret: ""

# dns:
#   enable: true # set true to enable dns (default is false)
#   ipv6: false # default is false
#   listen: 0.0.0.0:53
#   enhanced-mode: redir-host
#   nameserver:
#     - 114.114.114.114
#     - tls://dns.rubyfish.cn:853 # dns over tls
#   fallback: # concurrent request with nameserver, fallback used when GEOIP country isn't CN
#     - tcp://1.1.1.1

Proxy:
  # shadowsocks
  # The types of cipher are consistent with go-shadowsocks2
  # support AEAD_AES_128_GCM AEAD_AES_192_GCM AEAD_AES_256_GCM AEAD_CHACHA20_POLY1305 AES-128-CTR AES-192-CTR AES-256-CTR AES-128-CFB AES-192-CFB AES-256-CFB CHACHA20-IETF XCHACHA20
  # In addition to what go-shadowsocks2 supports, it also supports chacha20 rc4-md5 xchacha20-ietf-poly1305
  - { name: "ss1", type: ss, server: server, port: 443, cipher: AEAD_CHACHA20_POLY1305, password: "password" }

  # old obfs configuration remove after prerelease
  - name: "ss2"
    type: ss
    server: server
    port: 443
    cipher: AEAD_CHACHA20_POLY1305
    password: "password"
    plugin: obfs
    plugin-opts:
      mode: tls # or http
      # host: bing.com

  - name: "ss3"
    type: ss
    server: server
    port: 443
    cipher: AEAD_CHACHA20_POLY1305
    password: "password"
    plugin: v2ray-plugin
    plugin-opts:
      mode: websocket # no QUIC now
      # tls: true # wss
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
      # headers:
      #   custom: value

  # vmess
  # cipher support auto/aes-128-gcm/chacha20-poly1305/none
  - { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto }
  # with tls
  - { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, tls: true }
  # with tls and skip-cert-verify
  - { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, tls: true, skip-cert-verify: true }
  # with ws-path and ws-headers
  - { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, network: ws, ws-path: /path, ws-headers: { Host: v2ray.com } }
  # with ws + tls
  - { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, network: ws, ws-path: /path, tls: true }

  # socks5
  - { name: "socks", type: socks5, server: server, port: 443 }
  # socks5 with authentication
  - { name: "socks", type: socks5, server: server, port: 443, username: "username", password: "password" }
  # with tls
  - { name: "socks", type: socks5, server: server, port: 443, tls: true }
  # with tls and skip-cert-verify
  - { name: "socks", type: socks5, server: server, port: 443, tls: true, skip-cert-verify: true }

  # http
  - { name: "http", type: http, server: server, port: 443 }
  # http with authentication
  - { name: "http", type: http, server: server, port: 443, username: "username", password: "password" }
  # with tls (https)
  - { name: "http", type: http, server: server, port: 443, tls: true }
  # with tls (https) and skip-cert-verify
  - { name: "http", type: http, server: server, port: 443, tls: true, skip-cert-verify: true }

Proxy Group:
  # url-test select which proxy will be used by benchmarking speed to a URL.
  - { name: "auto", type: url-test, proxies: ["ss1", "ss2", "vmess1"], url: "http://www.gstatic.com/generate_204", interval: 300 }

  # fallback select an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.
  - { name: "fallback-auto", type: fallback, proxies: ["ss1", "ss2", "vmess1"], url: "http://www.gstatic.com/generate_204", interval: 300 }

  # load-balance: The request of the same eTLD will be dial on the same proxy.
  - { name: "load-balance", type: load-balance, proxies: ["ss1", "ss2", "vmess1"], url: "http://www.gstatic.com/generate_204", interval: 300 }

  # select is used for selecting proxy or proxy group
  # you can use RESTful API to switch proxy, is recommended for use in GUI.
  - { name: "Proxy", type: select, proxies: ["ss1", "ss2", "vmess1", "auto"] }

Rule:
  - DOMAIN-SUFFIX,google.com,auto
  - DOMAIN-KEYWORD,google,auto
  - DOMAIN,google.com,auto
  - DOMAIN-SUFFIX,ad.com,REJECT
  - IP-CIDR,127.0.0.0/8,DIRECT
  - SOURCE-IP-CIDR,192.168.1.201/32,DIRECT
  - GEOIP,CN,DIRECT
  # FINAL would remove after prerelease
  # you also can use `FINAL,Proxy` or `FINAL,,Proxy` now
  - MATCH,auto
systemd service script
Create a clash@.service file in the /lib/systemd/system/ directory:
sudo vim /lib/systemd/system/clash@.service
Write the following content and save it:
[Unit]
Description=A rule based proxy in Go for %i.
After=network.target

[Service]
Type=simple
User=%i
Restart=on-abort
# important: these two lines let the unprivileged user %i bind ports below 1024
# (for example DNS on port 53). A unit file only accepts comments on their own
# line, so do not append the note after the directive.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/clash

[Install]
WantedBy=multi-user.target
Reload the systemd units:
systemctl daemon-reload
Start the clash service:
systemctl start clash@user
Here user is the name of the current user, for example: systemctl start clash@richard
Enable it at boot:
systemctl enable clash@user
Configuring the dashboard
First download the dashboard files:
The dashboard used here is yacd: https://github.com/haishanh/yacd
cd ~/.config/clash
wget https://github.com/haishanh/yacd/archive/gh-pages.zip
unzip gh-pages.zip
mv yacd-gh-pages/ dashboard/
Then edit config.yaml and add the following:
# API port
external-controller: 0.0.0.0:9090
# secret (left empty here; with the API bound to 0.0.0.0, anyone who can reach port 9090 can control clash unless a secret is set)
secret: ""
external-ui: dashboard
Then restart clash; you can now open http://serverip:9090/ui/ in a browser to configure clash.
Transparent proxy
Here is a simple configuration, tested and working:
# fake dns
sudo iptables -t nat -N clash_fakedns
sudo iptables -t nat -A clash_fakedns -p udp --dport 53 -j DNAT --to-destination 192.168.50.3:5353
sudo iptables -t nat -A clash_fakedns -p tcp --dport 53 -j DNAT --to-destination 192.168.50.3:5353
sudo iptables -t nat -A PREROUTING -p udp -d 192.168.50.0/24 -j clash_fakedns
sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.50.0/24 -j clash_fakedns
sudo iptables -t nat -N Clash
sudo iptables -t nat -A Clash -d 192.168.50.0/16 -j RETURN
sudo iptables -t nat -A Clash -p tcp -j REDIRECT --to-ports 7892
sudo iptables -t nat -A PREROUTING -p tcp -j Clash
Here 192.168.50.0 must be changed to your own subnet; the port in the third rule of the Clash chain (--to-ports 7892) must match the redir-port configured in clash; if fake-ip is enabled in the clash configuration and the fake DNS listens on the default port 53, the fake dns part above is not needed.
This uses iptables for the transparent proxy; below is a configuration taken from here:
Add the marked route
ip rule add fwmark 0x1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
UDP rerouting
iptables -t mangle -N P_MARK  # create the chain
iptables -t mangle -A P_MARK -d 127.0.0.1 -j RETURN
iptables -t mangle -A P_MARK -d 192.168.0.0/16 -j RETURN  # let LAN traffic through
iptables -t mangle -A P_MARK -d 255.255.255.255 -j RETURN  # let broadcast packets through
iptables -t mangle -A P_MARK -m owner --uid-owner clash -j RETURN  # let traffic sent by clash through
iptables -t mangle -A P_MARK -p udp -j MARK --set-mark 0x1  # mark and reroute
TCP forwarding
iptables -t nat -N TCP_REDIR
iptables -t nat -A TCP_REDIR -d 127.0.0.1/8 -j RETURN
iptables -t nat -A TCP_REDIR -d 192.168.0.0/16 -j RETURN
iptables -t nat -A TCP_REDIR -p tcp -j REDIRECT --to-ports 7892  # redirect TCP to the given port
UDP forwarding
iptables -t mangle -N UDP_REDIR
iptables -t mangle -A UDP_REDIR -d 127.0.0.1 -j RETURN
iptables -t mangle -A UDP_REDIR -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A UDP_REDIR -d 255.255.255.255 -j RETURN
iptables -t mangle -A UDP_REDIR -p udp -j TPROXY --on-port 7892 --tproxy-mark 0x1/0x1  # forward marked UDP to the given port
Apply the rules
iptables -t mangle -A PREROUTING -j UDP_REDIR  # forward UDP packets from other devices
iptables -t mangle -A OUTPUT -j P_MARK  # reroute UDP packets sent by this host
iptables -t nat -A PREROUTING -j TCP_REDIR  # forward TCP packets from other devices
iptables -t nat -A OUTPUT -m owner ! --uid-owner clash -j TCP_REDIR  # forward local traffic not sent by clash
If you do not want these rules to disappear after a reboot, you can persist them with a helper tool:
Note: make sure your firewall rules are correct before persisting them, otherwise resetting them will be painful.
sudo apt install iptables-persistent netfilter-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload
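As an added example (not part of the original post or of clash itself), this POSIX sh script ties the dashboard section and the transparent-proxy rules above together: it reads redir-port, external-controller and secret from config.yaml, refuses to emit rules when redir-port is missing, flags a RESTful API that listens on a non-loopback address with an empty secret (as in the 0.0.0.0:9090 dashboard setup), and prints the TCP/UDP rule set with the LAN subnet, port and clash user filled in from parameters. It assumes the keys are uncommented top-level entries, and it prints rules instead of applying them so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the original post: derive the transparent-proxy
# rules from config.yaml and sanity-check it first. Assumes the keys are
# uncommented top-level "key: value" lines, as in the sample config.

# cfg_get FILE KEY: value of a top-level key, trailing comment and quotes stripped.
cfg_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# api_exposed FILE: succeeds when external-controller is reachable from the
# network (not loopback) while secret is empty, i.e. anyone on the LAN can
# switch proxies or read the config through the RESTful API.
api_exposed() {
    ctl=$(cfg_get "$1" external-controller); sec=$(cfg_get "$1" secret)
    case "$ctl" in ""|127.*|localhost:*) return 1 ;; esac
    [ -z "$sec" ]
}

# tproxy_rules FILE LAN_CIDR CLASH_USER: print (do not apply) the rule set,
# taking the port from redir-port so it cannot drift from the config.
tproxy_rules() {
    port=$(cfg_get "$1" redir-port)
    case "$port" in ''|*[!0-9]*) echo "redir-port not set in $1" >&2; return 1 ;; esac
    cat <<EOF
ip rule add fwmark 0x1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N P_MARK
iptables -t mangle -A P_MARK -d 127.0.0.1 -j RETURN
iptables -t mangle -A P_MARK -d $2 -j RETURN
iptables -t mangle -A P_MARK -d 255.255.255.255 -j RETURN
iptables -t mangle -A P_MARK -m owner --uid-owner $3 -j RETURN
iptables -t mangle -A P_MARK -p udp -j MARK --set-mark 0x1
iptables -t nat -N TCP_REDIR
iptables -t nat -A TCP_REDIR -d 127.0.0.0/8 -j RETURN
iptables -t nat -A TCP_REDIR -d $2 -j RETURN
iptables -t nat -A TCP_REDIR -p tcp -j REDIRECT --to-ports $port
iptables -t mangle -N UDP_REDIR
iptables -t mangle -A UDP_REDIR -d 127.0.0.1 -j RETURN
iptables -t mangle -A UDP_REDIR -d $2 -j RETURN
iptables -t mangle -A UDP_REDIR -d 255.255.255.255 -j RETURN
iptables -t mangle -A UDP_REDIR -p udp -j TPROXY --on-port $port --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -j UDP_REDIR
iptables -t mangle -A OUTPUT -j P_MARK
iptables -t nat -A PREROUTING -j TCP_REDIR
iptables -t nat -A OUTPUT -m owner ! --uid-owner $3 -j TCP_REDIR
EOF
}
```

Typical use: `api_exposed ~/.config/clash/config.yaml && echo "set a secret"` before exposing the dashboard, then `tproxy_rules ~/.config/clash/config.yaml 192.168.50.0/24 clash | sudo sh` once the printed rules look right.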
References
https://blog.newhanly.com/2020/04/28/clash/
https://breakertt.moe/2019/08/20/clash_gateway/
https://github.com/Dreamacro/clash/issues/555
https://bleepcoder.com/cn/clash/443041625/fake-ip-mo-shi-zuo-wei-wang-guan-dai-li-de-ji-ge-wen-ti