## Installing clash

1. Download the `clash` build for your platform

   > Download page: [https://github.com/Dreamacro/clash/releases](https://github.com/Dreamacro/clash/releases)

2. Extract the archive
3. Rename the extracted file to `clash`
4. Move `clash` into `/usr/bin/`
5. Make `clash` executable

   ```bash
   sudo chmod +x /usr/bin/clash
   ```

6. Check that `clash` was installed correctly

   ```bash
   clash -v
   ```

   > Output like the following means the installation succeeded:

   ```text
   Clash v1.2.0 linux amd64 Thu Oct 8 16:08:30 UTC 2020
   ```

## Changing the configuration

The default configuration directory is `$HOME/.config/clash`, and the configuration file is named `config.yml`.

To use a different directory, pass `-d` to select the configuration directory:

```bash
clash -d /path/to/config
```

> If you use a subscription provider (an "airport"), it usually supplies the config.yml file.

#### `config.yml` example

```yaml
# port of HTTP
port: 7890

# port of SOCKS5
socks-port: 7891

# redir port for Linux and macOS
# redir-port: 7892

allow-lan: false

# Rule / Global / Direct (default is Rule)
mode: Rule

# set log level to stdout (default is info)
# info / warning / error / debug / silent
log-level: info

# A RESTful API for clash
external-controller: 127.0.0.1:9090

# you can put the static web resource (such as clash-dashboard) to a directory, and clash would serve in `${API}/ui`
# input is a relative path to the configuration directory or an absolute path
# external-ui: folder

# Secret for RESTful API (Optional)
# secret: ""

# dns:
#   enable: true # set true to enable dns (default is false)
#   ipv6: false # default is false
#   listen: 0.0.0.0:53
#   enhanced-mode: redir-host
#   nameserver:
#     - 114.114.114.114
#     - tls://dns.rubyfish.cn:853 # dns over tls
#   fallback: # concurrent request with nameserver, fallback used when GEOIP country isn't CN
#     - tcp://1.1.1.1

Proxy:

# shadowsocks
# The types of cipher are consistent with go-shadowsocks2
# support AEAD_AES_128_GCM AEAD_AES_192_GCM AEAD_AES_256_GCM AEAD_CHACHA20_POLY1305 AES-128-CTR AES-192-CTR AES-256-CTR AES-128-CFB AES-192-CFB AES-256-CFB CHACHA20-IETF XCHACHA20
# In addition to what go-shadowsocks2 supports, it also supports chacha20 rc4-md5 xchacha20-ietf-poly1305
- { name: "ss1", type: ss, server: server, port: 443, cipher: AEAD_CHACHA20_POLY1305, password: "password" }

# old obfs configuration remove after prerelease
- name: "ss2"
  type: ss
  server: server
  port: 443
  cipher: AEAD_CHACHA20_POLY1305
  password: "password"
  plugin: obfs
  plugin-opts:
    mode: tls # or http
    # host: bing.com

- name: "ss3"
  type: ss
  server: server
  port: 443
  cipher: AEAD_CHACHA20_POLY1305
  password: "password"
  plugin: v2ray-plugin
  plugin-opts:
    mode: websocket # no QUIC now
    # tls: true # wss
    # skip-cert-verify: true
    # host: bing.com
    # path: "/"
    # headers:
    #   custom: value

# vmess
# cipher support auto/aes-128-gcm/chacha20-poly1305/none
- { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto }
# with tls
- { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, tls: true }
# with tls and skip-cert-verify
- { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, tls: true, skip-cert-verify: true }
# with ws-path and ws-headers
- { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, network: ws, ws-path: /path, ws-headers: { Host: v2ray.com } }
# with ws + tls
- { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, network: ws, ws-path: /path, tls: true }

# socks5
- { name: "socks", type: socks5, server: server, port: 443 }
# socks5 with authentication
- { name: "socks", type: socks5, server: server, port: 443, username: "username", password: "password" }
# with tls
- { name: "socks", type: socks5, server: server, port: 443, tls: true }
# with tls and skip-cert-verify
- { name: "socks", type: socks5, server: server, port: 443, tls: true, skip-cert-verify: true }

# http
- { name: "http", type: http, server: server, port: 443 }
# http with authentication
- { name: "http", type: http, server: server, port: 443, username: "username", password: "password" }
# with tls (https)
- { name: "http", type: http, server: server, port: 443, tls: true }
# with tls (https) and skip-cert-verify
- { name: "http", type: http, server: server, port: 443, tls: true, skip-cert-verify: true }

Proxy Group:
# url-test select which proxy will be used by benchmarking speed to a URL.
- { name: "auto", type: url-test, proxies: ["ss1", "ss2", "vmess1"], url: "http://www.gstatic.com/generate_204", interval: 300 }
# fallback select an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.
- { name: "fallback-auto", type: fallback, proxies: ["ss1", "ss2", "vmess1"], url: "http://www.gstatic.com/generate_204", interval: 300 }
# load-balance: The request of the same eTLD will be dial on the same proxy.
- { name: "load-balance", type: load-balance, proxies: ["ss1", "ss2", "vmess1"], url: "http://www.gstatic.com/generate_204", interval: 300 }
# select is used for selecting proxy or proxy group
# you can use RESTful API to switch proxy, is recommended for use in GUI.
- { name: "Proxy", type: select, proxies: ["ss1", "ss2", "vmess1", "auto"] }

Rule:
- DOMAIN-SUFFIX,google.com,auto
- DOMAIN-KEYWORD,google,auto
- DOMAIN,google.com,auto
- DOMAIN-SUFFIX,ad.com,REJECT
- IP-CIDR,127.0.0.0/8,DIRECT
- SOURCE-IP-CIDR,192.168.1.201/32,DIRECT
- GEOIP,CN,DIRECT
# FINAL would remove after prerelease
# you also can use `FINAL,Proxy` or `FINAL,,Proxy` now
- MATCH,auto
```

## systemd service unit

Create the file `clash@.service` in `/lib/systemd/system/`:

```bash
sudo vim /lib/systemd/system/clash@.service
```

Write the following content and save it (systemd does not support trailing comments on a directive line, so the "important" notes sit on their own lines):

```ini
[Unit]
Description=A rule based proxy in Go for %i.
After=network.target

[Service]
Type=simple
User=%i
Restart=on-abort
# important: the two capability lines let clash bind privileged ports (e.g. 53) without running as root
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/clash

[Install]
WantedBy=multi-user.target
```

**Reload the `systemd` units**

```bash
systemctl daemon-reload
```

**Start the `clash` service**

```bash
systemctl start clash@user
```

> `user` is the name of the user the service runs as, for example:
>
> ```bash
> systemctl start clash@richard
> ```

**Enable it at boot**

```bash
systemctl enable clash@user
```

## Configuring the dashboard

First download the dashboard files:

> The dashboard used here is yacd: https://github.com/haishanh/yacd

```bash
cd ~/.config/clash
wget https://github.com/haishanh/yacd/archive/gh-pages.zip
unzip gh-pages.zip
mv yacd-gh-pages/ dashboard/
```

Then add the following to `config.yaml`:

```yaml
# API port
external-controller: 0.0.0.0:9090
# secret
secret: ""
external-ui: dashboard
```

Then restart clash; you can now open `http://serverip:9090/ui/` in a browser to configure clash.

## Transparent proxy

Here is a simple configuration that I have tested and that works:

```bash
# fake dns
sudo iptables -t nat -N clash_fakedns
sudo iptables -t nat -A clash_fakedns -p udp --dport 53 -j DNAT --to-destination 192.168.50.3:5353
sudo iptables -t nat -A clash_fakedns -p tcp --dport 53 -j DNAT --to-destination 192.168.50.3:5353
sudo iptables -t nat -A PREROUTING -p udp -d 192.168.50.0/24 -j clash_fakedns
sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.50.0/24 -j clash_fakedns
sudo iptables -t nat -N Clash
sudo iptables -t nat -A Clash -d 192.168.50.0/16 -j RETURN
sudo iptables -t nat -A Clash -p tcp -j REDIRECT --to-ports 7892
sudo iptables -t nat -A PREROUTING -p tcp -j Clash
```

> `192.168.50.0` must be replaced with your own subnet;
>
> the port in the third `Clash` rule (the `REDIRECT` one) must match the `redir-port` configured in `clash`;
>
> if `fake-ip` is enabled in the `clash` configuration and the `fake-dns` address uses the default port 53, the `fake dns` part above is not needed.

The transparent proxy here is built with iptables. Below is a configuration taken from [here](https://blog.newhanly.com/2020/04/28/clash/):

Add the mark-based routing:

```bash
ip rule add fwmark 0x1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
```

UDP re-routing:

```bash
iptables -t mangle -N P_MARK                                        # create the chain
iptables -t mangle -A P_MARK -d 127.0.0.1 -j RETURN
iptables -t mangle -A P_MARK -d 192.168.0.0/16 -j RETURN            # pass LAN traffic
iptables -t mangle -A P_MARK -d 255.255.255.255 -j RETURN           # pass broadcast packets
iptables -t mangle -A P_MARK -m owner --uid-owner clash -j RETURN   # pass traffic sent by clash itself
iptables -t mangle -A P_MARK -p udp -j MARK --set-mark 0x1          # mark and re-route
```

TCP forwarding:

```bash
iptables -t nat -N TCP_REDIR
iptables -t nat -A TCP_REDIR -d 127.0.0.0/8 -j RETURN
iptables -t nat -A TCP_REDIR -d 192.168.0.0/16 -j RETURN
iptables -t nat -A TCP_REDIR -p tcp -j REDIRECT --to-ports 7892   # forward TCP to the redir port
```

UDP forwarding:

```bash
iptables -t mangle -N UDP_REDIR
iptables -t mangle -A UDP_REDIR -d 127.0.0.1 -j RETURN
iptables -t mangle -A UDP_REDIR -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A UDP_REDIR -d 255.255.255.255 -j RETURN
iptables -t mangle -A UDP_REDIR -p udp -j TPROXY --on-port 7892 --tproxy-mark 0x1/0x1   # forward marked UDP to the redir port
```

Apply the rules:

```bash
iptables -t mangle -A PREROUTING -j UDP_REDIR                        # UDP packets from other devices
iptables -t mangle -A OUTPUT -j P_MARK                               # re-route UDP packets sent by this host
iptables -t nat -A PREROUTING -j TCP_REDIR                           # TCP packets from other devices
iptables -t nat -A OUTPUT -m owner ! --uid-owner clash -j TCP_REDIR  # this host's traffic, except clash's own
```

If you do not want these rules to vanish after a reboot, persist them with a helper package:

> Note: make sure your firewall rules are correct before persisting them, otherwise resetting them is a hassle.

```bash
sudo apt install iptables-persistent netfilter-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload
```

## Reference

- https://blog.newhanly.com/2020/04/28/clash/
- https://breakertt.moe/2019/08/20/clash_gateway/
- https://matters.news/@outloudvi/systemd-slice-iptables-redir-%E5%A6%82%E4%BD%95%E5%9C%A8-arch-linux-%E4%B8%8A%E9%85%8D%E7%BD%AE%E9%80%8F%E6%98%8E%E4%BB%A3%E7%90%86-bafyreia56osrovpylifeiuzdcrxr52gmbo5rkn5zmlvlho5tr7mjejqshy
- https://0x01.io/2020/02/16/x86-%E8%BD%AF%E8%B7%AF%E7%94%B1%E9%80%8F%E6%98%8E%E4%BB%A3%E7%90%86%E6%9E%84%E5%BB%BA%E6%96%B9%E6%A1%88v2020-02/
- https://github.com/Dreamacro/clash/issues/555
- https://lala.im/5727.html
- https://bleepcoder.com/cn/clash/443041625/fake-ip-mo-shi-zuo-wei-wang-guan-dai-li-de-ji-ge-wen-ti

Last modified: 29 January 2024

© Reproduction permitted with attribution
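The dashboard settings in this post bind the RESTful API to every interface (`external-controller: 0.0.0.0:9090`) with an empty `secret`, so anyone who can reach port 9090 can read and rewrite the proxy configuration, not just the browser you open the dashboard from. The following script is an added example, not part of the original post or of the clash project: it audits a config file for that combination, for `allow-lan: true`, and for proxies that set `skip-cert-verify: true`, using only POSIX sh, grep and sed. The function names (`cfg_get`, `audit_clash_config`, `write_sample_config`) are this example's own, and the embedded sample config is constructed to mirror the dashboard snippet above plus one vmess entry with certificate checks disabled.

```shell
#!/bin/sh
# Added example, not from the original post or the clash project.
# Audits a clash config file for settings that expose the controller API
# or weaken upstream TLS checks. Only POSIX sh, grep and sed are used.

# Print the value of a top-level "key: value" line (column 0), with any
# trailing "# comment" removed.  $1 = config file, $2 = key
cfg_get() {
  grep -E "^$2:" "$1" | head -n 1 |
    sed -E "s/^$2:[[:space:]]*//; s/[[:space:]]*(#.*)?$//"
}

# Report risky settings, one finding per line.  $1 = config file
# Returns 0 when nothing was found, 1 when at least one finding was printed.
audit_clash_config() {
  cfg=$1
  found=0
  ctl=$(cfg_get "$cfg" external-controller)
  secret=$(cfg_get "$cfg" secret)
  case "$secret" in '""'|"''") secret='' ;; esac   # an explicitly empty secret
  case "$ctl" in
    0.0.0.0:*|'[::]:'*|:*)
      if [ -z "$secret" ]; then
        echo "HIGH: external-controller $ctl is reachable from the network with no secret; anyone who can reach the port can read and change proxy settings (bind to 127.0.0.1 and set a secret, or reach the dashboard through an SSH tunnel)"
        found=1
      else
        echo "INFO: external-controller $ctl is reachable from the network; a secret is set, but still restrict the port with a firewall rule"
      fi
      ;;
  esac
  if [ "$(cfg_get "$cfg" allow-lan)" = "true" ]; then
    echo "MEDIUM: allow-lan is true, so other hosts can use this machine's HTTP/SOCKS ports as an open proxy"
    found=1
  fi
  # A proxy entry that disables certificate verification accepts any server
  # certificate, so an interception on the path to the server goes unnoticed.
  if grep -Eq '^[^#]*skip-cert-verify:[[:space:]]*true' "$cfg"; then
    echo "MEDIUM: at least one proxy sets skip-cert-verify: true; the TLS layer of that proxy no longer authenticates the server"
    found=1
  fi
  return $found
}

# Write a constructed sample config to $1. It mirrors the dashboard settings
# from the post plus one vmess entry with certificate checks disabled.
write_sample_config() {
  cat >"$1" <<'EOF'
port: 7890
socks-port: 7891
allow-lan: false
mode: Rule
log-level: info
# api port
external-controller: 0.0.0.0:9090
# secret
secret: ""
external-ui: dashboard
Proxy:
- { name: "vmess", type: vmess, server: server, port: 443, uuid: uuid, alterId: 32, cipher: auto, tls: true, skip-cert-verify: true }
EOF
}

# Usage: sh audit.sh ~/.config/clash/config.yml
#        sh audit.sh sample      (audits the constructed sample above)
if [ "${1:-}" = "sample" ]; then
  tmp=$(mktemp)
  write_sample_config "$tmp"
  audit_clash_config "$tmp"
  rm -f "$tmp"
elif [ -n "${1:-}" ]; then
  audit_clash_config "$1"
fi
```

On the sample config the script prints one HIGH finding for the unauthenticated, network-reachable controller and one MEDIUM finding for the `skip-cert-verify` proxy; `allow-lan: false` produces nothing. The line-based parser is deliberately limited to top-level scalar keys, which is enough for the flat settings this post touches.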
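The transparent-proxy rules above repeat the LAN subnet, the redir port and the clash user across several chains, and the post notes that the port must equal the `redir-port` in the clash config. As an added example (not the post's own script and not from the clash project), the following POSIX shell script builds the same chains from three parameters, validates them, and can read the uncommented `redir-port` out of a config file so the two can be compared before anything is applied. It only prints commands; review the output and pipe it into `sudo sh` to apply. The function names (`clash_tproxy_rules`, `config_redir_port`) are this example's own; the `clash` user name comes from the rules in the post.

```shell
#!/bin/sh
# Added example, not from the original post or the clash project: generate the
# post's iptables/TPROXY rules from three parameters so the LAN subnet, the
# redir port and the clash uid stay consistent in every rule. The script only
# prints commands; review them and pipe into "sudo sh" to apply.

# Print the uncommented redir-port from a clash config file (prints nothing
# when the line is commented out, as it is in the sample config).  $1 = file
config_redir_port() {
  sed -nE 's/^redir-port:[[:space:]]*([0-9]+).*/\1/p' "$1" | head -n 1
}

# Print the rule set.  $1 = LAN CIDR  $2 = redir-port  $3 = user clash runs as
clash_tproxy_rules() {
  lan=$1 port=$2 user=$3
  case "$lan" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]|[0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9][0-9]) ;;
    *) echo "LAN must be an IPv4 CIDR such as 192.168.50.0/24, got: $lan" >&2; return 1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "redir port must be numeric, got: $port" >&2; return 1 ;;
  esac
  [ -n "$user" ] || { echo "clash user must not be empty" >&2; return 1; }
  cat <<EOF
# policy routing: packets marked 0x1 are delivered locally (needed by TPROXY)
ip rule add fwmark 0x1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

# TCP: REDIRECT to clash's redir-port, except loopback and LAN destinations
iptables -t nat -N TCP_REDIR
iptables -t nat -A TCP_REDIR -d 127.0.0.0/8 -j RETURN
iptables -t nat -A TCP_REDIR -d $lan -j RETURN
iptables -t nat -A TCP_REDIR -p tcp -j REDIRECT --to-ports $port

# UDP from this host: mark it so it is re-routed through table 100
iptables -t mangle -N P_MARK
iptables -t mangle -A P_MARK -d 127.0.0.1 -j RETURN
iptables -t mangle -A P_MARK -d $lan -j RETURN
iptables -t mangle -A P_MARK -d 255.255.255.255 -j RETURN
iptables -t mangle -A P_MARK -m owner --uid-owner $user -j RETURN
iptables -t mangle -A P_MARK -p udp -j MARK --set-mark 0x1

# UDP from other devices: TPROXY to clash's redir-port
iptables -t mangle -N UDP_REDIR
iptables -t mangle -A UDP_REDIR -d 127.0.0.1 -j RETURN
iptables -t mangle -A UDP_REDIR -d $lan -j RETURN
iptables -t mangle -A UDP_REDIR -d 255.255.255.255 -j RETURN
iptables -t mangle -A UDP_REDIR -p udp -j TPROXY --on-port $port --tproxy-mark 0x1/0x1

# hook the chains in; clash's own outbound TCP is excluded by uid so its
# upstream connections are not looped back into the redir port
iptables -t mangle -A PREROUTING -j UDP_REDIR
iptables -t mangle -A OUTPUT -j P_MARK
iptables -t nat -A PREROUTING -j TCP_REDIR
iptables -t nat -A OUTPUT -m owner ! --uid-owner $user -j TCP_REDIR
EOF
}

# Usage: sh tproxy-rules.sh 192.168.50.0/24 "$(config_redir_port ~/.config/clash/config.yml)" clash | sudo sh
if [ $# -eq 3 ]; then
  clash_tproxy_rules "$1" "$2" "$3"
fi
```

Feeding the port read by `config_redir_port` into `clash_tproxy_rules` removes the mismatch the post warns about; if the config still has `redir-port` commented out, the function prints nothing and the port argument is rejected as non-numeric instead of silently producing rules for a port clash is not listening on.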