跳到主要内容

clash

# golang build from source
go install github.com/Dreamacro/clash@latest
# macOS
brew install clash

# Docker
# https://hub.docker.com/r/dreamacro/clash
# https://github.com/Dreamacro/clash/blob/master/Dockerfile
docker run --rm -it --name clash dreamacro/clash

# Linux
# ==========
curl -LO https://github.com/Dreamacro/clash/releases/download/v1.14.0/clash-linux-amd64-v3-v1.14.0.gz
gzip -d clash-linux-amd64-v3-v1.14.0.gz
chmod +x clash-linux-amd64-v3-v1.14.0
mv clash-linux-amd64-v3-v1.14.0 clash
cp clash /usr/local/bin/clash
mkdir -p /var/lib/clash/ /etc/clash/

# https://ghproxy.com/github.com/Dreamacro/maxmind-geoip/releases/download/20230312/Country.mmdb
curl -o /var/lib/clash/Country.mmdb https://cdn.jsdelivr.net/gh/Dreamacro/maxmind-geoip@release/Country.mmdb

clash -t -d /var/lib/clash/ -f /etc/clash/config.yaml

# 同步本地到服务器
scp ~/.config/clash/config.yaml admin@server:/etc/clash/config.yaml
rsync -avP --exclude config.yaml ~/.config/clash/ admin@server:/var/lib/clash/

Awesome

# Dreamacro/clash-dashboard
curl -LO https://github.com/Dreamacro/clash-dashboard/archive/gh-pages.zip
unzip gh-pages.zip
mv clash-dashboard-gh-pages/ ~/.config/clash/

# haishanh/yacd
curl -LO https://github.com/haishanh/yacd/archive/gh-pages.zip
unzip gh-pages.zip
mv yacd-gh-pages/ ~/.config/clash/
external-controller: 0.0.0.0:9090
secret: external-controller-secret
# 默认目录 ~/.config/clash
# http://{{external-controller}}/ui
# yacd-gh-pages
external-ui: clash-dashboard-gh-pages

API

# reload 重载配置
curl -X PUT 127.0.0.1:9090/configs --json "{}"
# 配置 Secret 后
curl -X PUT -H "Authorization: Bearer secret" 127.0.0.1:9090/configs --json "{}"

TProxy

sysctl -w net.ipv4.ip_forward=1

# 新的路由表
ip rule add fwmark 666 lookup 666
ip route add local 0.0.0.0/0 dev lo table 666

# clash
# ==================
# clash 链负责处理转发流量
iptables -t mangle -N clash

# DIRECT Private
iptables -t mangle -A clash -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A clash -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A clash -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A clash -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN

# Proxy
iptables -t mangle -A clash -p tcp -j TPROXY --on-port 7893 --tproxy-mark 666
iptables -t mangle -A clash -p udp -j TPROXY --on-port 7893 --tproxy-mark 666

# 转发所有 DNS 查询到 1053 端口
# 此操作会导致所有 DNS 请求全部返回虚假 IP(fake ip 198.18.0.1/16)
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to 1053

# 如果想要 dig 等命令可用, 可以只处理 DNS SERVER 设置为当前内网的 DNS 请求
#iptables -t nat -I PREROUTING -p udp --dport 53 -d 192.168.0.0/16 -j REDIRECT --to 1053

# 最后让所有流量通过 clash 链进行处理
iptables -t mangle -A PREROUTING -j clash

# clash_local
# ==================
# clash_local 链负责处理网关本身发出的流量
iptables -t mangle -N clash_local
# nerdctl 容器流量重新路由
#iptables -t mangle -A clash_local -i nerdctl2 -p udp -j MARK --set-mark 666
#iptables -t mangle -A clash_local -i nerdctl2 -p tcp -j MARK --set-mark 666

# 跳过内网流量
iptables -t mangle -A clash_local -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A clash_local -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A clash_local -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A clash_local -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A clash_local -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A clash_local -d 169.254.0.0/16 -j RETURN

iptables -t mangle -A clash_local -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A clash_local -d 240.0.0.0/4 -j RETURN

# 为本机发出的流量打 mark
iptables -t mangle -A clash_local -p tcp -j MARK --set-mark 666
iptables -t mangle -A clash_local -p udp -j MARK --set-mark 666

# 跳过 clash 程序本身发出的流量, 防止死循环(clash 程序需要使用 "clash" 用户启动)
iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner clash -j RETURN
iptables -t mangle -A OUTPUT -p udp -m owner --uid-owner clash -j RETURN

# 让本机发出的流量跳转到 clash_local
# clash_local 链会为本机流量打 mark, 打过 mark 的流量会重新回到 PREROUTING 上
iptables -t mangle -A OUTPUT -j clash_local

# 修复 ICMP(ping)
# 这并不能保证 ping 结果有效(clash 等不支持转发 ICMP), 只是让它有返回结果而已
# --to-destination 设置为一个可达的地址即可
sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -t nat -A PREROUTING -p icmp -d 198.18.0.0/16 -j DNAT --to-destination 127.0.0.1

openrc

nano /etc/init.d/clash
chmod +x /etc/init.d/clash
service clash checkconfig
#!/sbin/openrc-run
supervisor=supervise-daemon

name="Clash"
description="A rule-based tunnel in Go."
description_reload="Reload configuration without exiting"

clash_config="${clash_config:-/etc/clash/config.yaml}"
command=/usr/local/bin/clash
command_args="-d /var/lib/clash/ -f ${clash_config}"
extra_commands="checkconfig"
extra_started_commands="reload"

clash_log="${clash_log:-/var/log/${RC_SVCNAME}.log}"
output_log="${clash_log}"
error_log="${clash_log}"

depend() {
  use logger dns
  need net
}

checkconfig() {
  ebegin "Checking ${clash_config}"
  if [ ! -f "${clash_config}" ]; then
    eerror "No clash config.yaml"
    return 1
  fi
  ${command} -d /var/lib/clash/ -f ${clash_config} -t
  return 0
}

reload() {
  ebegin "Reloading configuration"
  curl -X PUT -H "Authorization: Bearer $(yq .secret $clash_config)" -sf $(yq .external-controller $clash_config)/configs --json "{}"
  eend $?
}

Premium

curl -OL https://release.dreamacro.workers.dev/latest/clash-linux-amd64-latest.gz
gzip -d clash-linux-amd64-latest.gz
mv clash-linux-amd64-latest clash
chmod +x clash
# 出口
interface-name: eth0

tun:
  enable: true
  stack: system # gvisor
  # dns-hijack:
  #   - 8.8.8.8:53
  #   - tcp://8.8.8.8:53
  #   - any:53
  #   - tcp://any:53
  auto-route: true # 设置全局代理
  # auto-detect-interface: true # 自动检测 interface-name

FAQ

Start TProxy server error: operation not permitted

sudo setcap cap_net_bind_service,cap_net_admin+ep $(which clash)