From 46e06b70cdb613d92823a4d2b8b6edcc2f115471 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=83=81=E3=82=BB?=
 <123655015+chise0713@users.noreply.github.com>
Date: Wed, 20 Dec 2023 18:10:35 +0800
Subject: [PATCH] Merge `fwmark`/`sendThrough`/`sockopt.interface` together

---
 docs/document/level-2/README.md   |   2 +-
 docs/document/level-2/redirect.md | 238 ++++++++----------------------
 2 files changed, 66 insertions(+), 174 deletions(-)

diff --git a/docs/document/level-2/README.md b/docs/document/level-2/README.md
index 8e875fddb..967a3dd5e 100644
--- a/docs/document/level-2/README.md
+++ b/docs/document/level-2/README.md
@@ -24,7 +24,7 @@
 
 [通过 Xray 将特定的流量指向特定出口,实现全局路由“分流”](./redirect.md) by <img src="https://avatars.githubusercontent.com/u/28607089?s=32" width="32" height="32" alt="a"/> [@Zzz3m](https://github.com/Zzz3m)
 
-将 Xray 玩出花:基于 fwmark 或 sendThrough 方式实现“分流”。
+将 Xray 玩出花:基于 fwmark 、 sendThrough 或 sockopt.interface 方式实现“分流”。
 
 [通过 Cloudflare Warp 增强代理安全性](./warp.md) by <img src="https://avatars.githubusercontent.com/u/1588741?s=32" width="32" height="32" alt="a"/> [@yuhan6665](https://github.com/yuhan6665)
 
diff --git a/docs/document/level-2/redirect.md b/docs/document/level-2/redirect.md
index d53f7ad84..16b0d4514 100644
--- a/docs/document/level-2/redirect.md
+++ b/docs/document/level-2/redirect.md
@@ -11,7 +11,7 @@ title: 出站流量重定向
 之前在网络上看到许多代理或者 VPN 会接管全局路由,如果与 Xray 同时安装,会导致 Xray 失效。参考了网络上许多教程,及时分流,也是通过维护一张或者多张 CIDR
 路由表来实现的。这种情况下并不优雅,如果我想可以任意替换,实现按需分流,那有没有更好的办法呢?有!
 
-通过 fwmark 或 Xray 的 sendThrough,再简单配合路由表功能即可实现:
+通过 fwmark 或 Xray 的 sendThrough/sockopt.interface,再简单配合路由表功能即可实现:
 
 1. Xray 可设置指定的 Tag、域名等走指定接口。如果您的接口是双栈的,可以指定 IPV4 或者 IPV6
 2. 其余用户则走原 IPV4 或者 IPV6
@@ -26,98 +26,55 @@ title: 出站流量重定向
 
 原始文件:
 
-<Tabs title="if-config">
-
-<Tab title="fwmark1">
-
 ```ini
 [Interface]
-PrivateKey = xxxxxxxxxxxxxxxxxxxx
-Address = "your wg0 v4 address"
-Address = "your wg0 v6 address"
+PrivateKey = <PriKey>
+Address = <IPv4>
+Address = <IPv6>
 DNS = 8.8.8.8
 MTU = 1280
 [Peer]
-PublicKey = xxxxxxxxxxxxxxxxxxxxx
+PublicKey = <Pubkey>
 AllowedIPs = ::/0
 AllowedIPs = 0.0.0.0/0
-Endpoint = "ip:port"
+Endpoint = <EndpointIP>:<Port>
 ```
 
 在 `[Interface]` 下添加如下命令:
-
 ```ini
-Table = off
-PostUP = ip -4 rule add fwmark <mark> lookup <table>
-PostUP = ip -4 route add default dev <接口名称> table <table>
-PostUP = ip -4 rule add table main suppress_prefixlength 0
+Table = <table>
+### fwmark
+PostUP = ip rule add fwmark <mark> lookup <table>
+PostDown = ip rule del fwmark <mark> lookup <table>
 PostUP = ip -6 rule add fwmark <mark> lookup <table>
-PostUP = ip -6 rule add not fwmark <table> table <table>
-PostUP = ip -6 route add ::/0 dev <接口名称> table <table>
-PostUP = ip -6 rule add table main suppress_prefixlength 0
-PostDown = ip -4 rule delete fwmark <mark> lookup <table>
-PostDown = ip -4 rule delete table main suppress_prefixlength 0
-PostDown = ip -6 rule delete fwmark <mark> lookup <table>
-PostDown = ip -6 rule delete not fwmark <table> table <table>
-PostDown = ip -6 rule delete table main suppress_prefixlength 0
+PostDown = ip -6 rule del fwmark <mark> lookup <table>
+## sendThrough
+PreUp = ip rule add from <IPv4> lookup <table>
+PostDown = ip rule del from <IPv4> lookup <table>
+PreUp = ip -6 rule add from <IPv6> lookup <table>
+PostDown = ip -6 rule del from <IPv6> lookup <table>
+## sockopt.interface
+PreUp = ip rule add oif %i lookup <table>
+PostDown = ip rule del oif %i lookup <table>
+PreUp = ip -6 rule add oif %i lookup <table>
+PostDown = ip -6 rule del oif %i lookup <table>
 ```
-
 ::: tip
+- 此配置文件融合了 `fwmark` / `sendThrough` / `sockopt.interface`,表示
+- 送入此设备 `%i` 的连接 / 送入此 `<IPv4/6>` 的连接 / `fwmark` 被标记为 `<mark>` 的连接  
+- 将会使用 wireguard 进行转发
+- `%i` 是 wireguard 配置文件中的占位符,表示在启动时替换为这个设备的名称
+:::
 
-- 此命令表示 IPv4 中 fwmark 为 `<mark>`,IPv6 中 fwmark 为`<mark>`,::/0 全局 v6 走 WireGuard
-- 可根据自己需求增删命令,mark 值要与 Xray-core 中设置为相同,table 值自定
-- 如果不支持配置文件,可以在系统中修改路由表
-  :::
-
-</Tab>
-
-<Tab title="sendThrough1">
-
-```ini
-[Interface]
-PrivateKey = xxxxxxxxxxxxxxxxxxxx
-Address = "your wg0 v4 address"
-Address = "your wg0 v6 address"
-DNS = 8.8.8.8
-MTU = 1280
-[Peer]
-PublicKey = xxxxxxxxxxxxxxxxxxxxx
-AllowedIPs = ::/0
-AllowedIPs = 0.0.0.0/0
-Endpoint = "ip:port"
-```
-
-在 `[Interface]` 下添加如下命令:
-
-```ini
-Table = off
-PostUP = ip -4 rule add from "your wg0 v4 address" lookup <table>
-PostUP = ip -4 route add default dev wg0 table <table>
-PostUP = ip -4 rule add table main suppress_prefixlength 0
-PostUP = ip -6 rule add not fwmark <table> table <table>
-PostUP = ip -6 route add ::/0 dev wg0 table <table>
-PostUP = ip -6 rule add table main suppress_prefixlength 0
-PostDown = ip -4 rule delete from "your wg0 v4 address" lookup <table>
-PostDown = ip -4 rule delete table main suppress_prefixlength 0
-PostDown = ip -6 rule delete not fwmark <table> table <table>
-PostDown = ip -6 rule delete table main suppress_prefixlength 0
-```
-
-::: tip
-
-- 此命令表示 IPV4 中来自 `your wg0 v4 address` 地址的走 WireGuard,IPv6 中::/0 全局 v6 走 WireGuard)
-- 可根据自己需求增删命令,实现 v6 分流,也可以与 fwmark 融合
-- 如果不支持配置文件,可以在系统中修改路由表
-  :::
-
-</Tab>
-
-</Tabs>
 
 保存
 
 可顺手安装
 
+::: warning
+如果使用了 `[Interface]` 中的 `DNS` 字段,这个程序将会是必须的
+:::
+
 ```bash
 apt install openresolv
 ```
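Review bot: The fwmark variant in the merged `[Interface]` block fails open, and the tip added below it does not say so: once `PostDown = ip rule del fwmark <mark> lookup <table>` has run, or whenever `<table>` holds no default route, packets carrying `<mark>` are resolved by the main table and leave through the host's normal uplink rather than WireGuard. The sendThrough and sockopt.interface variants presumably fail at bind time while the interface is absent, so the gap is specific to fwmark. I would add a tip bullet stating this and, for readers who need fail-closed behaviour, a rule kept outside wg-quick so it survives the interface going down, for example `ip rule add fwmark <mark> unreachable priority <prio>` with `<prio>` numerically higher than the lookup rule (plus the `-6` twin).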
@@ -138,99 +95,7 @@ lsmod | grep wireguard
 
 ## 4、Xray-core 配置文件修改
 
-<Tabs title="xray-config">
-
-<Tab title="fwmark2">
-
-```json
-{
-  "api": {
-    "services": [
-      "HandlerService",
-      "LoggerService",
-      "StatsService"
-    ],
-    "tag": "api"
-  },
-  "inbounds": [
-    {
-      "listen": "127.0.0.1",
-      "port": <port>,
-      "protocol": "dokodemo-door",
-      "settings": {
-        "address": "127.0.0.1"
-      },
-      "tag": "api"
-    }
-  ],
-  "outbounds": [
-    {
-      "protocol": "freedom",
-      "settings": {
-        "domainStrategy": "UseIPv6"
-        //设置默认用户走指定方式”UseIPv6”或者”UseIPv4”
-      }
-    },
-    {
-      "protocol": "freedom",
-      "tag": "wg0",
-      "streamSettings": {
-        "sockopt": {
-          "mark": <mark>
-        }
-      },
-      "settings": {
-        "domainStrategy": "UseIPv6"
-      }
-      //设置fwmark为<mark>的用户走指定方式”UseIPv6””UseIPv4”
-    },
-    {
-      "protocol": "blackhole",
-      "settings": {},
-      "tag": "blocked"
-    }
-  ],
-  "policy": {
-    "system": {
-      "statsInboundDownlink": true,
-      "statsInboundUplink": true
-    }
-  },
-  "routing": {
-    "rules": [
-      {
-        "inboundTag": [
-          "api"
-        ],
-        "outboundTag": "api",
-        "type": "field"
-      },
-      {
-        "type": "field",
-        "outboundTag": "wg0",
-        "inboundTag": [
-          "<inboundTag>"
-          //需要之前在inbound中指定好Tag,我这里是api生成的,还可以添加域名等等
-        ]
-      },
-      {
-        "outboundTag": "blocked",
-        "protocol": [
-          "bittorrent"
-        ],
-        "type": "field"
-      }
-    ]
-  },
-  "stats": {}
-}
-```
-
-</Tab>
-
-<Tab title="sendThrough2">
-
-```json
+```jsonc
 {
   "api": {
     "services": [
@@ -259,6 +124,20 @@ lsmod | grep wireguard
       }
       //修改此处,可v4或者v6
     },
+    //            <--请在不同的方案中选择-->   方案1:fwmark
+    {
+      "protocol": "freedom",
+      "tag": "wg0",
+      "streamSettings": {
+        "sockopt": {
+          "mark": // <mark>
+        }
+      },
+      "settings": {
+        "domainStrategy": "UseIPv6"
+      }
+    }  //设置fwmark为<mark>的用户走指定方式”UseIPv6””UseIPv4”
+    //            <--请在不同的方案中选择-->   方案2:sendThrough
     {
       "tag": "wg0",
       "protocol": "freedom",
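Review bot: The fwmark outbound added here cannot be pasted as written: `"mark": // <mark>` leaves the key without a value, and the closing `}  //设置fwmark为…` has no trailing comma before the sendThrough object that follows. I would write `"mark": <mark>` (the placeholder form the WireGuard snippet already uses) and `},  //设置fwmark为<mark>的用户走指定方式`. All three alternatives, including the sockopt.interface block in the next hunk, carry `"tag": "wg0"`, so the marker comments should state explicitly that exactly one block is kept; how Xray treats duplicate outbound tags is not shown on this page. The enclosing `outbounds` array begins and ends outside this hunk.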
@@ -269,6 +148,20 @@ lsmod | grep wireguard
       }
       //修改此处,可v4或者v6
     },
+    //            <--请在不同的方案中选择-->   方案3:sockopt.interface
+    {
+      "tag": "wg0",
+      "protocol": "freedom",
+      "settings": {
+        "domainStrategy": "UseIPv4"
+      },
+      "streamSettings": {
+        "sockopt": {
+          "interface": "wg0"
+        }
+      }
+    },
+    //            <--请在不同的方案中选择-->   结束
     {
       "protocol": "blackhole",
       "settings": {},
@@ -295,7 +188,7 @@ lsmod | grep wireguard
         "outboundTag": "wg0",
         "inboundTag": [
           "<inboundTag>"
-          //需要之前在 inbound 中指定好 Tag,我这里是 api 生成的,还可以添加域名等等
+          //需要之前在 inbound 中指定好 Tag,这里是 api 生成的,还可以添加域名等等
         ]
       },
       {
@@ -311,10 +204,6 @@ lsmod | grep wireguard
 }
 ```
 
-</Tab>
-
-</Tabs>
-
 ::: tip
 可以通过修改 "domainStrategy": "UseIPv6"来控制对应用户的访问方式 实测优先级要高于系统本身的 gai.config
 :::
@@ -323,6 +212,8 @@ lsmod | grep wireguard
 
 ::: tip
 需要打开系统的 ip_forward
+`sysctl -w net.ipv4.ip_forward=1`
+`sysctl -w net.ipv6.conf.all.forwarding=1`
 :::
 
 ## 6、完成 WireGuard 相关设置
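Review bot: The two `sysctl -w` lines added to this tip turn the host into a router for every interface, and the tip gives no caveat about that. With `net.ipv6.conf.all.forwarding=1` the kernel stops accepting Router Advertisements unless the uplink has `accept_ra=2`, so a SLAAC-configured VPS can lose its IPv6 default route; forwarding should also be paired with a default-drop FORWARD policy so the box does not relay third-party packets. `sysctl -w` does not survive a reboot, so the tip should point to `/etc/sysctl.d/` if the setting is meant to persist. Since Xray's outbound sockets are locally originated, forwarding may not be needed for this setup at all — worth confirming before recommending it.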
@@ -342,7 +233,7 @@ systemctl start wg-quick@wg0
 
 验证 IPv4/IPv6
 
-> 自行验证 Google 搜索 myip
+> 在代理上 运行 `curl ip-api.com -4/-6` / 浏览器访问ip-api.com
 
 ## 后记
 
@@ -350,4 +241,5 @@ systemctl start wg-quick@wg0
 
 ## 感谢
 
-@Xray-core @V2ray-core @WireGuard @p3terx @w @Hiram @Luminous @Ln @JackChou
+[XTLS/Xray-core](https://github.com/XTLS/Xray-core); [v2fly/v2ray-core](https://github.com/v2fly/v2ray-core); [WireGuard](https://www.wireguard.com/); [@p3terx](https://p3terx.com/); @w; @Hiram; @Luminous; @Ln; @JackChou;
+<!--剩下几位大佬我实在找不到他们的地址或Github空间,请大家帮忙找吧-->
\ No newline at end of file