吉喜 💻 How to use sing-box for simple, efficient and transparent network-wide access across the GFW

Method 1: Web Proxy Auto-Discovery Protocol

The Web Proxy Auto-Discovery Protocol (WPAD) is a method by which a client uses DHCP and/or DNS discovery to locate the URL of a proxy configuration file. After detecting and downloading the file, the client executes it to determine which proxy should be used for a given URL.

Drawbacks:

  • Many systems do not enable this feature by default, and some do not support it at all
  • Even after the system-wide automatic proxy is enabled, many apps still ignore it
  • ip_cidr rules are not supported

Method 2: Soft-router mode

Add a software router to the existing network, either replacing the users' gateway, chained in series with the gateway, or in side-router (bypass) mode, so that the soft router proxies all user traffic and then forwards and splits it.

Drawbacks:

  • High hardware requirements and frequent software upgrades
  • Poor compatibility and stability; redundancy and disaster recovery are hard to implement
  • Weak support for multiple VLANs / cross-subnet routing and for IPv4/IPv6 dual stack

Method 3: the fakeip side-router scheme this article focuses on

1) Create a Linux host (a minimal Debian install is recommended)

a. Get the ISO installation image from https://www.debian.org

b. Installation options

c. After installation, ssh is enabled by default; the username and password are both user, and the USTC mirror is used. Change that password before the host starts serving the network.

2) Set up the sing-box client on Debian

Install with the deb-install script:

bash <(curl -fsSL https://sing-box.app/deb-install.sh)

This site uses amd64 Debian 12.5 and sing-box 1.8.14; to install that exact package instead:

curl -fsSL http://lotro.cc/other/sing-box_1.8.14_linux_amd64.deb -o sing-box.deb

sudo dpkg -i sing-box.deb

Write the sing-box host's configuration file (this requires a sing-box server outside the GFW, i.e. a proxy server; the Trojan protocol is recommended; it carries the GFW-bound traffic):

sudo nano /etc/sing-box/config.json

Full configuration (the sing-box outbound section still has to be completed with your own server details):
{
  "log": {
    "level": "warn",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "local",
        "address": "tls://223.5.5.5",
        "detour": "direct"
      },
      {
        "tag": "google",
        "address": "tls://8.8.8.8",
        "detour": "trojan"
      },
      {
        "tag": "dns_refused",
        "address": "rcode://success"
      },
      {
        "tag": "remote",
        "address": "fakeip"
      }
    ],
    "rules": [
      {
        "rule_set": [
          "adrules_domainset",
          "reject"
        ],
        "server": "dns_refused"
      },
      {
        "outbound": "any",
        "server": "local"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [
          {
            "query_type": "HTTPS"
          },
          {
            "rule_set": [
              "OpenAI",
              "gfw"
            ]
          }
        ],
        "server": "dns_refused"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [
          {
            "query_type": [
              "A",
              "AAAA"
            ]
          },
          {
            "rule_set": [
              "OpenAI",
              "gfw"
            ]
          }
        ],
        "server": "remote"
      }
    ],
    "fakeip": {
      "enabled": true,
      "inet4_range": "198.18.0.0/15",
      "inet6_range": "fc00::/18"
    },
    "independent_cache": true
  },
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "::",
      "listen_port": 1080,
      "sniff": true
    },
    {
      "type": "direct",
      "tag": "dns-in",
      "listen": "::",
      "listen_port": 53,
      "sniff": true
    },
    {
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "inet6_address": "fefe:dcba:9876::1/126",
      "auto_route": true,
      "inet4_route_address": [
        "198.18.0.0/15",
        "91.105.192.0/23",
        "91.108.4.0/22",
        "91.108.8.0/21",
        "91.108.16.0/21",
        "91.108.56.0/22",
        "95.161.64.0/20",
        "149.154.160.0/20",
        "185.76.151.0/24"
      ],
      "inet6_route_address": [
        "fc00::/18",
        "2001:67c:4e8::/48",
        "2001:b28:f23c::/47",
        "2001:b28:f23f::/48",
        "2a0a:f280::/32"
      ],
      "inet4_route_exclude_address": "224.0.0.0/4",
      "inet6_route_exclude_address": "ff00::/8",
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    },
    {
      "type": "trojan",
      "tag": "trojan",
      "server": "IP地址",
      "server_port": 8080,
      "password": "password",
      "tls": {
        "enabled": true,
        "server_name": "example.org",
        "utls": {
          "enabled": true,
          "fingerprint": "firefox"
        }
      },
      "multiplex": {
        "enabled": true
      }
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "rule_set": [
          "adrules_domainset",
          "reject"
        ],
        "outbound": "block"
      },
      {
        "ip_is_private": true,
        "rule_set": [
          "private",
          "geosite-geolocation-cn",
          "direct",
          "cncidr"
        ],
        "outbound": "direct"
      },
      {
        "rule_set": [
          "OpenAI",
          "gfw"
        ],
        "outbound": "trojan"
      }
    ],
    "rule_set": [
      {
        "type": "remote",
        "tag": "private",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/chg1f/sing-geosite-mixed/rule-set/private.srs",
        "download_detour": "trojan"
      },
      {
        "type": "remote",
        "tag": "adrules_domainset",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/Toperlock/sing-box-geosite/main/rule/adrules_domainset.srs",
        "download_detour": "trojan"
      },
      {
        "type": "remote",
        "tag": "reject",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/chg1f/sing-geosite-mixed/rule-set/reject.srs",
        "download_detour": "trojan"
      },
      {
        "type": "remote",
        "tag": "geosite-geolocation-cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs",
        "download_detour": "trojan"
      },
      {
        "type": "remote",
        "tag": "direct",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/chg1f/sing-geosite-mixed/rule-set/direct.srs",
        "download_detour": "trojan"
      },
      {
        "type": "remote",
        "tag": "cncidr",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/chg1f/sing-geosite-mixed/rule-set/cncidr.srs",
        "download_detour": "trojan"
      },
      {
        "type": "remote",
        "tag": "OpenAI",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/Toperlock/sing-box-geosite/main/rule/OpenAI.srs",
        "download_detour": "trojan"
      },
      {
        "type": "remote",
        "tag": "gfw",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/Toperlock/sing-box-geosite/main/rule/gfw.srs",
        "download_detour": "trojan"
      }
    ],
    "auto_detect_interface": true
  },
  "experimental": {
    "cache_file": {
      "enabled": true,
      "store_fakeip": true
    },
    "clash_api": {
      "external_controller": "0.0.0.0:9090",
      "external_ui": "ui"
    }
  }
}

Enable and start sing-box:

sudo systemctl enable --now sing-box
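Before enabling the service it is worth checking that the parts of the configuration agree with each other. The script below is an added example, not part of the post or of the sing-box project. It embeds a constructed, trimmed copy of the configuration above (same tags, rule sets and address ranges; the trojan server value is the same placeholder) and verifies that every rule_set tag, outbound, detour and DNS server that is referenced actually exists, and that the fakeip pool lies inside the tun inbound's route addresses, which is what lets the side router receive the fakeip-bound packets at all. The function names are my own; on a real host, replace SAMPLE_CONFIG with json.load(open("/etc/sing-box/config.json")).

```python
"""Consistency check for a sing-box fakeip side-router config (added example)."""
import ipaddress
import json

# Constructed, trimmed copy of the article's config.json (same tags/ranges).
SAMPLE_CONFIG = json.loads(r'''{
  "dns": {
    "servers": [
      {"tag": "local", "address": "tls://223.5.5.5", "detour": "direct"},
      {"tag": "google", "address": "tls://8.8.8.8", "detour": "trojan"},
      {"tag": "dns_refused", "address": "rcode://success"},
      {"tag": "remote", "address": "fakeip"}],
    "rules": [
      {"rule_set": ["adrules_domainset", "reject"], "server": "dns_refused"},
      {"outbound": "any", "server": "local"},
      {"type": "logical", "mode": "and", "server": "remote",
       "rules": [{"query_type": ["A", "AAAA"]}, {"rule_set": ["OpenAI", "gfw"]}]}],
    "fakeip": {"enabled": true, "inet4_range": "198.18.0.0/15", "inet6_range": "fc00::/18"}},
  "inbounds": [
    {"type": "direct", "tag": "dns-in", "listen": "::", "listen_port": 53},
    {"type": "tun", "auto_route": true,
     "inet4_route_address": ["198.18.0.0/15", "149.154.160.0/20"],
     "inet6_route_address": ["fc00::/18"]}],
  "outbounds": [
    {"type": "direct", "tag": "direct"}, {"type": "dns", "tag": "dns-out"},
    {"type": "trojan", "tag": "trojan", "server": "IP地址", "server_port": 8080},
    {"type": "block", "tag": "block"}],
  "route": {
    "rules": [
      {"protocol": "dns", "outbound": "dns-out"},
      {"rule_set": ["adrules_domainset", "reject"], "outbound": "block"},
      {"rule_set": ["private", "geosite-geolocation-cn"], "outbound": "direct"},
      {"rule_set": ["OpenAI", "gfw"], "outbound": "trojan"}],
    "rule_set": [
      {"tag": "private", "type": "remote", "download_detour": "trojan"},
      {"tag": "adrules_domainset", "type": "remote", "download_detour": "trojan"},
      {"tag": "reject", "type": "remote", "download_detour": "trojan"},
      {"tag": "geosite-geolocation-cn", "type": "remote", "download_detour": "trojan"},
      {"tag": "OpenAI", "type": "remote", "download_detour": "trojan"},
      {"tag": "gfw", "type": "remote", "download_detour": "trojan"}]}}''')


def _as_list(value):
    """sing-box accepts either a string or a list for most array fields."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _iter_rules(rules):
    """Yield every rule, descending into the nested "rules" of logical rules."""
    for rule in rules:
        yield rule
        yield from _iter_rules(rule.get("rules", []))


def check_config(cfg):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    defined_sets = {rs["tag"] for rs in cfg["route"].get("rule_set", [])}
    outbounds = {ob["tag"] for ob in cfg["outbounds"]}
    dns_servers = {s["tag"] for s in cfg["dns"]["servers"]}

    # 1. Every rule_set tag used by a DNS or route rule must be defined.
    for rule in _iter_rules(cfg["dns"]["rules"] + cfg["route"]["rules"]):
        for tag in _as_list(rule.get("rule_set")):
            if tag not in defined_sets:
                problems.append(f"undefined rule_set {tag!r}")

    # 2. Every outbound / detour / server reference must name an existing tag.
    for rule in cfg["route"]["rules"]:
        if rule.get("outbound") not in outbounds:
            problems.append(f"route rule uses unknown outbound {rule.get('outbound')!r}")
    for rule in _iter_rules(cfg["dns"]["rules"]):
        if "server" in rule and rule["server"] not in dns_servers:
            problems.append(f"dns rule uses unknown server {rule['server']!r}")
    detours = [s.get("detour") for s in cfg["dns"]["servers"]]
    detours += [rs.get("download_detour") for rs in cfg["route"].get("rule_set", [])]
    for ref in detours:
        if ref is not None and ref not in outbounds:
            problems.append(f"detour to unknown outbound {ref!r}")

    # 3. The fakeip pool must sit inside the tun inbound's route addresses,
    #    otherwise the side router never receives the fakeip-bound packets.
    fake = cfg["dns"].get("fakeip", {})
    tun = next(ib for ib in cfg["inbounds"] if ib["type"] == "tun")
    for key, route_key in (("inet4_range", "inet4_route_address"),
                           ("inet6_range", "inet6_route_address")):
        if key in fake:
            pool = ipaddress.ip_network(fake[key])
            routed = [ipaddress.ip_network(r) for r in _as_list(tun.get(route_key))]
            if not any(pool.subnet_of(r) for r in routed):
                problems.append(f"fakeip {key} {pool} not covered by tun {route_key}")
    return problems


def dns_in_port(cfg):
    """listen_port of dns-in: the port AdGuard Home must forward to, and the one
    to move off 53 when AdGuard Home runs on the same host."""
    return next(ib["listen_port"] for ib in cfg["inbounds"] if ib.get("tag") == "dns-in")


def without_tun_route(cfg, prefix):
    """Copy of cfg whose tun inbound no longer routes `prefix` (negative test)."""
    clone = json.loads(json.dumps(cfg))
    for ib in clone["inbounds"]:
        if ib["type"] == "tun":
            for key in ("inet4_route_address", "inet6_route_address"):
                ib[key] = [r for r in _as_list(ib.get(key)) if r != prefix]
    return clone


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) or "config consistent")
    print("dns-in listens on port", dns_in_port(SAMPLE_CONFIG))
```

The third check is the one that bites most often in this design: if 198.18.0.0/15 is dropped from inet4_route_address, the gateway still forwards fakeip packets to the host, but the tun interface never claims them and the connection simply times out.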

3) Configure a DNS caching server (skip this step if you cannot set one up)

For redundancy and disaster recovery, this article uses AdGuard Home as a redundant DNS cache server.

a. Install AdGuard Home

curl -fsSL https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

The screen output is as follows:

2024/06/20 19:31:37 [info] AdGuard Home, version v0.107.51
2024/06/20 19:31:37 [info] service: control action: install
2024/06/20 19:31:38 [info] service: started
2024/06/20 19:31:38 [info] Almost ready!
AdGuard Home is successfully installed and will automatically start on boot.
There are a few more things that must be configured before you can use it.
Click on the link below and follow the Installation Wizard steps to finish setup.
AdGuard Home is now available at the following addresses:
2024/06/20 19:31:38 [info] go to http://127.0.0.1:3000
2024/06/20 19:31:38 [info] go to http://[::1]:3000
2024/06/20 19:31:38 [info] go to http://10.8.0.19:3000
2024/06/20 19:31:38 [info] go to http://[feee:8000::20c:29ff:fe45:863]:3000
2024/06/20 19:31:38 [info] go to http://[fe80::20c:29ff:fe45:863%ens192]:3000
2024/06/20 19:31:38 [info] service: action install has been done successfully on linux-systemd
AdGuard Home is now installed and running
you can control the service status with the following commands:
sudo /opt/AdGuardHome/AdGuardHome -s start|stop|restart|status|install|uninstall

Open http://IP:3000 to reach the AdGuard Home dashboard and finish the setup (make sure AdGuard Home listens on all interfaces and binds port 53). Note: if AdGuard Home is deployed on the same machine as sing-box, the two will conflict on port 53; in that case change the listen_port of the dns-in inbound in the sing-box config file and update the sing-box port in the AdGuard Home split-DNS script to match.

b. Create the AdGuard Home split-DNS (upstream) rules file

Replace 192.168.50.5:53 in the commands below with the sing-box host IP and the listen_port of dns-in from the config file:

echo 'quic://dns.alidns.com' > /tmp/default.upstream
curl -s https://gitlab.com/fernvenue/chn-domains-list/-/raw/master/CHN.ALL.agh | sed "/#/d" > "/tmp/chinalist.upstream"
curl -sSL https://lotro.cc/other/gfwlist2adguardhome.sh | sh -s -- -s 192.168.50.5:53
cat "/tmp/default.upstream" "/tmp/chinalist.upstream" "adguardhome_gfwlist.txt" > /opt/AdGuardHome/adguardhome.upstream
sed -i "s|114.114.114.114|https://dns.alidns.com/dns-query|g" /opt/AdGuardHome/adguardhome.upstream
rm /tmp/*.upstream
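The same pipeline, written out as an added example rather than the gfwlist2adguardhome.sh script the commands above download: it builds the upstream file in AdGuard Home's `[/domain/]upstream` per-domain syntax from a constructed two-entry GFW domain list and a constructed China-list fragment, applies the same 114.114.114.114 to DoH replacement, and includes a small lookup that shows which upstream a given name would be sent to. The domain names, function names and the 192.168.50.5:53 target are assumed values, not data from the post.

```python
"""Build an AdGuard Home upstream_dns_file that sends GFW-listed names to the
sing-box dns-in inbound and everything else to public resolvers (added example)."""

# Constructed stand-ins for the two downloaded lists; the real ones are far longer.
GFW_DOMAINS = ["openai.com", "example.org"]          # hypothetical GFW-list entries
CHINALIST_RAW = """# comment line as found in the downloaded China list
[/qq.com/]114.114.114.114
[/taobao.com/]114.114.114.114
"""
DEFAULT_UPSTREAM = "quic://dns.alidns.com"           # the post's default upstream
SINGBOX_DNS = "192.168.50.5:53"                      # sing-box host IP + dns-in port
CHINA_DOH = "https://dns.alidns.com/dns-query"       # what the post's sed swaps in


def gfw_to_agh(domains, upstream):
    """One `[/domain/]upstream` line per name, AdGuard Home's per-domain syntax."""
    return [f"[/{d}/]{upstream}" for d in domains]


def build_upstream_file(default, chinalist_raw, gfw_domains, singbox_dns,
                        china_dns=CHINA_DOH):
    """Mirror the post's pipeline: default line, comment-stripped China list with
    114.114.114.114 replaced by the DoH resolver, then the GFW rules."""
    china = [ln.replace("114.114.114.114", china_dns)
             for ln in chinalist_raw.splitlines() if ln and not ln.startswith("#")]
    return "\n".join([default, *china, *gfw_to_agh(gfw_domains, singbox_dns)]) + "\n"


def upstream_for(content, name):
    """Which upstream a query for `name` goes to: the longest matching domain
    suffix wins, and a bare line is the default (simplified model of AGH matching)."""
    best, default = None, None
    for ln in content.splitlines():
        if ln.startswith("[/"):
            domains, up = ln[2:].split("/]", 1)
            for d in domains.split("/"):
                if d and (name == d or name.endswith("." + d)):
                    if best is None or len(d) > len(best[0]):
                        best = (d, up)
        elif ln and not ln.startswith("#"):
            default = ln
    return best[1] if best else default


if __name__ == "__main__":
    # On the real host this would be written to /opt/AdGuardHome/adguardhome.upstream
    print(build_upstream_file(DEFAULT_UPSTREAM, CHINALIST_RAW, GFW_DOMAINS, SINGBOX_DNS))
```

Because the sing-box dns-in address is only used for the listed names, a sing-box outage still leaves Chinese and unlisted domains resolving through the public upstreams, which is the redundancy the post is after; only the GFW-listed names depend on the side router.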

c. Load the AdGuard Home upstream rules file

sudo sed -i "s|upstream_dns_file.*|upstream_dns_file: adguardhome.upstream|g" /opt/AdGuardHome/AdGuardHome.yaml

Restart AdGuard Home:

sudo systemctl restart AdGuardHome

4) Configure static routes

The static routes are the key part of this article: on the users' gateway (router), route the fakeip address ranges from the sing-box config to the sing-box host, i.e. set the next hop for 198.18.0.0/15 and fc00::/18 to the sing-box host IP.

In this article's example, static routes for Telegram's IP ranges were added as well. Assuming the sing-box host's addresses are 192.168.50.5 and feee:5000::5, the configuration is as shown in the screenshot. Enterprise users must make sure the path from every user to the sing-box host is routable end to end.
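To make the routing step concrete, here is an added example (not from the post) that models the gateway's forwarding decision in Python: a constructed route table with the article's fakeip pools and a subset of its Telegram prefixes pointing at the assumed sing-box addresses 192.168.50.5 / feee:5000::5, a longest-prefix-match lookup, a check for whether a DNS answer is a fakeip that will be steered to the side router, and the `ip route` commands a Linux gateway would need (the syntax on a commercial router differs). Function names and the "isp-uplink" label are assumptions.

```python
"""Gateway forwarding model for the fakeip side-router design (added example)."""
import ipaddress

SINGBOX_V4 = "192.168.50.5"       # sing-box host, the post's example address
SINGBOX_V6 = "feee:5000::5"
FAKEIP_RANGES = ["198.18.0.0/15", "fc00::/18"]          # from the dns.fakeip block
TELEGRAM_RANGES = ["91.108.4.0/22", "149.154.160.0/20",  # subset of the post's list
                   "2001:b28:f23f::/48"]


def build_route_table(singbox_v4, singbox_v6, extra_prefixes=()):
    """Static routes the gateway needs: fakeip pools (plus any real ranges you
    want proxied) point at the sing-box host; everything else keeps the default."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "isp-uplink"),
             (ipaddress.ip_network("::/0"), "isp-uplink")]
    for prefix in [*FAKEIP_RANGES, *extra_prefixes]:
        net = ipaddress.ip_network(prefix)
        table.append((net, singbox_v4 if net.version == 4 else singbox_v6))
    return table


def next_hop(table, addr):
    """Longest-prefix match over the table, the way a router forwards."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, hop) for net, hop in table
               if net.version == ip.version and ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_fakeip(addr):
    """True when a DNS answer lies in the fakeip pool, i.e. the name matched the
    gfw/OpenAI rule sets and the connection will be carried by the side router."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in FAKEIP_RANGES
               if ipaddress.ip_network(r).version == ip.version)


def route_commands(table):
    """Render the non-default entries as iproute2 commands for a Linux gateway."""
    return [f"ip {'-6 ' if net.version == 6 else ''}route add {net} via {hop}"
            for net, hop in table if net.prefixlen > 0]


if __name__ == "__main__":
    table = build_route_table(SINGBOX_V4, SINGBOX_V6, TELEGRAM_RANGES)
    for cmd in route_commands(table):
        print(cmd)
    for answer in ("198.18.0.7", "223.5.5.5", "fc00::1"):
        print(answer, "fakeip" if is_fakeip(answer) else "real", "->", next_hop(table, answer))
```

One caveat the model makes visible: fc00::/18 lies inside the fc00::/7 unique-local block, so a LAN that assigns ULA addresses from that part of the range would have those hosts captured by the same route; pick the fakeip inet6_range so it does not overlap any prefix actually used on the network.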

5) Usage

Hand out the AdGuard Home address as the users' DNS server; if there is no AdGuard Home cache server, give users the sing-box host address as their DNS directly.

sing-box is also configured with a proxy inbound (HTTP/SOCKS on port 1080) for special use cases where a per-application proxy is more convenient.
