├── LICENSE └── README.md /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Mario 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # sing-box 旁路由 透明代理 配置 2 | 3 | ## 此教程适用于直接在 linux 上部署了 sing-box,想要让 sing-box 代理局域网内的所有设备的场景。也即是 linux 机器作为旁路由。 4 | 5 | 下面假设主路由的 ip 为 192.168.31.1,旁路由的 ip 为 192.168.31.6,你应该根据你的情况,在下面的的配置中将它们替换成你自己的。 6 | 7 | - 首先你要确保旁路由本身已经可以科学上网,sing-box 的配置可以参考我的,重点在 inbounds: 8 | 9 | ```json 10 | { 11 | "log": { 12 | "disabled": false, 13 | "level": "info", 14 | "timestamp": true 15 | }, 16 | "dns": { 17 | "strategy": "ipv4_only", 18 | "servers": [ 19 | { 20 | "tag": "remote", 21 | "address": "https://1.1.1.1/dns-query", 22 | "detour": "select" 23 | }, 24 | { 25 | "tag": "direct", 26 | "address": "https://1.12.12.12/dns-query", 27 | "detour": "direct" 28 | }, 29 | { 30 | "tag": "block", 31 | "address": "rcode://success" 32 | } 33 | ], 34 | "rules": [ 35 | { 36 | "outbound": "any", 37 | "server": "direct" 38 | }, 39 | { 40 | "clash_mode": "Global", 41 | "server": "remote" 42 | }, 43 | { 44 | "clash_mode": "Direct", 45 | "server": "direct" 46 | }, 47 | { 48 | "rule_set": "geosite-category-ads-all", 49 | "server": "block" 50 | }, 51 | { 52 | "rule_set": [ 53 | "geosite-apple" 54 | ], 55 | "server": "direct" 56 | }, 57 | { 58 | "rule_set": [ 59 | "geosite-geolocation-!cn", 60 | "geosite-anthropic" 61 | ], 62 | "domain_keyword": [], 63 | "server": "remote" 64 | } 65 | ], 66 | "final": "direct", 67 | "independent_cache": true 68 | }, 69 | "inbounds": [ 70 | { 71 | "type": "tun", 72 | "inet4_address": "172.19.0.1/30", 73 | "auto_route": true, 74 | "strict_route": false, 75 | "sniff": true, 76 | "sniff_override_destination": true 77 | } 78 | ], 79 | "outbounds": [ 80 | { 81 | "tag": "direct", 82 | "type": "direct" 83 | }, 84 | { 85 | "tag": "block", 86 | "type": "block" 87 | }, 88 | { 89 | "tag": "dns-out", 90 | "type": "dns" 91 | } 92 | // 添加你自己的节点 93 | ], 94 | "route": { 95 | "rules": [ 96 | { 97 | 
"protocol": "dns", 98 | "outbound": "dns-out" 99 | }, 100 | { 101 | "clash_mode": "Direct", 102 | "outbound": "direct" 103 | }, 104 | { 105 | "clash_mode": "Global", 106 | "outbound": "select" 107 | }, 108 | { 109 | "rule_set": ["geosite-apple"], 110 | "outbound": "direct" 111 | }, 112 | { 113 | "rule_set": [ 114 | "geosite-geolocation-!cn", 115 | "geosite-anthropic", 116 | "geoip-cloudflare", 117 | "geoip-cloudfront", 118 | "geoip-facebook", 119 | "geoip-fastly", 120 | "geoip-google", 121 | "geoip-netflix", 122 | "geoip-telegram", 123 | "geoip-twitter" 124 | ], 125 | "outbound": "select" 126 | } 127 | ], 128 | "rule_set": [ 129 | { 130 | "tag": "geosite-category-ads-all", 131 | "type": "remote", 132 | "format": "binary", 133 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geosite/geosite-category-ads-all.srs", 134 | "update_interval": "1d" 135 | }, 136 | { 137 | "tag": "geosite-geolocation-!cn", 138 | "type": "remote", 139 | "format": "binary", 140 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geosite/geosite-geolocation-!cn.srs", 141 | "update_interval": "1d" 142 | }, 143 | { 144 | "tag": "geosite-apple", 145 | "type": "remote", 146 | "format": "binary", 147 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geosite/geosite-apple.srs", 148 | "update_interval": "1d" 149 | }, 150 | { 151 | "tag": "geosite-anthropic", 152 | "type": "remote", 153 | "format": "binary", 154 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geosite/geosite-anthropic.srs", 155 | "update_interval": "1d" 156 | }, 157 | { 158 | "tag": "geoip-cloudflare", 159 | "type": "remote", 160 | "format": "binary", 161 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geoip/geoip-cloudflare.srs", 162 | "update_interval": "1d" 163 | }, 164 | { 165 | "tag": "geoip-cloudfront", 166 | "type": "remote", 167 | "format": "binary", 168 | "url": 
"https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geoip/geoip-cloudfront.srs", 169 | "update_interval": "1d" 170 | }, 171 | { 172 | "tag": "geoip-facebook", 173 | "type": "remote", 174 | "format": "binary", 175 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geoip/geoip-facebook.srs", 176 | "update_interval": "1d" 177 | }, 178 | { 179 | "tag": "geoip-fastly", 180 | "type": "remote", 181 | "format": "binary", 182 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geoip/geoip-fastly.srs", 183 | "update_interval": "1d" 184 | }, 185 | { 186 | "tag": "geoip-google", 187 | "type": "remote", 188 | "format": "binary", 189 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geoip/geoip-google.srs", 190 | "update_interval": "1d" 191 | }, 192 | { 193 | "tag": "geoip-netflix", 194 | "type": "remote", 195 | "format": "binary", 196 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geoip/geoip-netflix.srs", 197 | "update_interval": "1d" 198 | }, 199 | { 200 | "tag": "geoip-telegram", 201 | "type": "remote", 202 | "format": "binary", 203 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geoip/geoip-telegram.srs", 204 | "update_interval": "1d" 205 | }, 206 | { 207 | "tag": "geoip-twitter", 208 | "type": "remote", 209 | "format": "binary", 210 | "url": "https://raw.githubusercontent.com/lyc8503/sing-box-rules/rule-set-geoip/geoip-twitter.srs", 211 | "update_interval": "1d" 212 | } 213 | ], 214 | "auto_detect_interface": true, 215 | "final": "direct" 216 | } 217 | } 218 | ``` 219 | 220 | - 修改旁路由的 ip 获取方式为手动。 221 | 222 | 地址:192.168.31.6 223 | 224 | 子网掩码:255.255.255.0 225 | 226 | 网关:192.168.31.1 227 | 228 | DNS:192.168.31.1 229 | 230 | - 修改主路由的 DHCP。 231 | 232 | 网关:192.168.31.6 233 | 234 | DNS:192.168.31.6 235 | 236 | 以上是大多数旁路由或者透明代理教程会说到的。 237 | 238 | 相信很多人这些都做完了,但是局域网设备完全不能上网,下面是重点。 239 | 240 | - 开启IPv4转发。 241 | 242 | 使用以下命令检查IPv4转发是否已启用 
243 | ```bash 244 | sysctl net.ipv4.ip_forward 245 | ``` 246 | 如果输出为 net.ipv4.ip_forward = 1,则表示IPv4转发已启用。 247 | 248 | 否则开启它: 249 | 在/etc/sysctl.conf文件里添加一行`net.ipv4.ip_forward = 1`,保存之后运行: 250 | ```bash 251 | sudo sysctl -p 252 | ``` 253 | 注意:开启转发后,内核会在这台机器的所有网络接口之间转发报文,而下面添加的 nftables 规则只有 nat 表,没有 filter 表的 forward 链去限制哪些来源可以被转发。如果这台机器还接有其他网络(或有外部可达的地址),请自行在 forward 链里只放行 192.168.31.0/24。 254 | - 在旁路由上修改转发规则。 255 | 256 | 修改/etc/nftables.conf,添加以下规则 257 | 258 | ``` 259 | # 定义表 260 | table ip nat { 261 | chain postrouting { 262 | type nat hook postrouting priority 100; policy accept; 263 | 264 | # 对192.168.31.0/24网段(除了192.168.31.1)的流量进行NAT 265 | ip saddr 192.168.31.0/24 ip saddr != 192.168.31.1 oif "tun0" masquerade 266 | } 267 | } 268 | ``` 269 | 规则里的 "tun0" 是 sing-box 创建的 tun 接口名,上面的 inbounds 没有指定 interface_name,请先用 `ip link` 确认实际名字,名字不一致时 masquerade 不会生效。另外 `oif` 是按接口索引匹配的,要求加载规则时 tun0 已经存在,而且 sing-box 重启重建 tun 之后接口索引一般会变,旧规则就不再匹配;改用 `oifname "tun0"` 按名字匹配可以避免这两个问题。 270 | 让它生效 271 | 272 | ``` 273 | sudo nft -f /etc/nftables.conf 274 | ``` 275 | 276 | - 在旁路由上修改 DNS 监听规则。 277 | 278 | 修改/etc/systemd/resolved.conf,添加以下规则 279 | 280 | ``` 281 | DNSStubListenerExtra=0.0.0.0 282 | DNSStubListenerExtra=:: 283 | ``` 284 | 这两行会让 systemd-resolved 的 stub 解析器监听本机的全部地址(包括 tun 接口的地址),只适合这台机器只接在局域网里的情况;如果它还有能从外部访问到的地址,请只写局域网地址,例如 `DNSStubListenerExtra=192.168.31.6`,避免变成开放解析器。 285 | 让它生效 286 | 287 | ``` 288 | sudo systemctl restart systemd-resolved 289 | ``` 290 | 291 | 好了,恭喜你 🎉🎉🎉,现在你局域网的设备都可以科学上网了。 292 | 293 | 帮到你的话,请点点右上角的 ⭐Star⭐。 294 | 295 | ## 进阶 296 | 297 | - 设置开机生效 298 | 299 | 新建`/etc/systemd/system/nftables-post-tun0.service`文件,添加以下内容: 300 | ```ini 301 | [Unit] 302 | Description=Apply nftables rules after tun0 is up 303 | After=network-online.target 304 | Wants=network-online.target 305 | 306 | [Service] 307 | Type=oneshot 308 | ExecStart=/bin/bash -c 'until ip link show tun0 &>/dev/null; do sleep 1; done; nft -f /etc/nftables.conf' 309 | RemainAfterExit=true 310 | 311 | [Install] 312 | WantedBy=multi-user.target 313 | ``` 314 | 单元里的 `until ... sleep 1; done` 在 tun0 一直没有出现时会永远循环,而 Type=oneshot 默认没有启动超时,单元会一直停在 activating 状态;建议在 [Service] 里加一行 `TimeoutStartSec=120` 给它封顶,并用 `After=` 把它排在启动 sing-box 的 service 之后。 315 | 运行 316 | ```bash 317 | sudo systemctl daemon-reload 318 | sudo systemctl enable nftables-post-tun0.service 319 | ``` 320 | 321 | --------------------------------------------------------------------------------