RaspGateway

(相关帖子：https://briteming.hatenablog.com/entry/2022/02/11/163643）

使用 Raspberry Pi 和 Clash 打造即插即用的透明网关/代理。

使用 Raspberry Pi (Rapbian 10) 和 Clash (v0.15.0) 打造即插即用的透明网关/代理。

• 编译和准备 Clash
  • 准备配置文件
  • 交叉编译 Clash
  • 准备 Clash
• 网络配置
• 使用 Supervisor 监护 Clash 进程
• 使用 yacd 作为控制前端
• 使用 Cron 自动更新和重启 Clash
• 使用方法
• Extra
  • 使用清华镜像
  • 关闭蓝牙和 Wi-Fi
• 感谢

编译和准备 Clash

准备配置文件

Clash 配置文件的前半部分修改如下：

port: HTTP代理端口
socks-port: SOCKS代理端口
redir-port: 转发端口
allow-lan: true
mode: Rule
log-level: error
external-controller: 0.0.0.0:配置端口
secret: ""
dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:53
  enhanced-mode: fake-ip
  nameserver:
  - 223.5.5.5
  - tls://dns.rubyfish.cn:853
  - tls://1.1.1.1:853
  - tls://dns.google
  - tcp://1.1.1.1:53
  - tcp://208.67.222.222:443

交叉编译 Clash

Mac 或 Linux 上可以：

go get -u -v github.com/Dreamacro/clash
cd ~/go/src/github.com/Dreamacro/clash
GOARCH=arm GOOS=linux GOARM=7 CGO_ENABLED=0 go build -ldflags '-w -s'

编译的时候有个小陷阱，编译到 go-shadowsocks2 时会报 undefined ... chacha20poly1305.NewX。
找到那个源文件把 X 删掉就好了。

准备 Clash

上传 Clash 和你的配置文件到 Raspberry Pi：

scp clash pi@raspberrypi.local:
scp config.yaml pi@raspberrypi.local:

登录 Raspberry Pi，把 Clash 和配置文件放到 /opt/clash 目录

sudo -i
cd /home/pi
chown root:root clash
mkdir -p /opt/clash
mv clash config.yaml /opt/clash/

网络配置

编辑 /etc/dhcpcd.conf，固定 Raspberry Pi 的 IP：

interface eth0
static ip_address=固定IP/24
static routers=路由器IP

打开转发：

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf && sysctl -p

设置并保存转发规则：

iptables -t nat -N Clash
iptables -t nat -A Clash -d 192.168.0.0/16 -j RETURN
iptables -t nat -A Clash -p tcp -j REDIRECT --to-ports 转发端口
iptables -t nat -A PREROUTING -p tcp -j Clash
netfilter-persistent save

使用 Supervisor 监护 Clash 进程

创建 /etc/supervisor/conf.d/clash.conf：

[supervisord]
nodaemon=false

[program:clash]
priority=1
directory=/opt/clash
command=/opt/clash/clash -d .
autorestart=true

启动 Supervisor：

systemctl restart supervisor
systemctl enable supervisor

使用 yacd 作为控制前端

安装 git 和 build 工具：

apt install git build-essential

安装 nodejs：

curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash - 
apt install nodejs 

安装 yarn：

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
apt update && sudo apt install yarn

安装 nginx：

apt -y install nginx unzip
mv /etc/nginx/sites-enabled/default /etc/nginx/sites-enabled/default.bak

下载 yacd：

git clone https://github.com/haishanh/yacd.git
cd yacd

可以编辑 src/ducks/app.js，把登录页面上缺省的服务器和端口改为你习惯的：

const defaultState = {
  clashAPIConfig: {
    hostname: '固定IP’,
    port: ‘配置端口’,
    secret: ''
  },

使用 yarn 编译安装：

yarn
yarn build
cp -r public/. /usr/share/nginx/html/yacd

创建 /etc/nginx/conf.d/yacd.conf：

server {
    listen       80;
    server_name  固定IP;
    root /usr/share/nginx/html/yacd;
    index index.html;
}

启动 nginx：

systemctl start nginx
systemctl enable nginx

使用 Cron 自动更新和重启 Clash

执行 crontab -e，加入以下两行（每天 3:45 更新配置，3:50 重启 Clash）：

45 3 * * 1 /usr/bin/wget 你的配置链接 -O /opt/clash/config.yaml
50 3 * * * /usr/bin/supervisorctl -c /etc/supervisor/supervisord.conf restart clash 

使用方法

• 作为网关

将设备的 IP 设置改为手动，设置如下：

IP：随便，不冲突就行
网关：固定IP
DNS：固定IP

• 作为代理
  
  • 作为 HTTP 代理
    

     固定IP:HTTP端口
    

  • 作为 SOCKS 代理
    

    固定IP:SOCKS端口
    

• 访问配置界面 在任何浏览器中打开：
  http://固定IP
  

Extra

使用清华镜像

在 /etc/apt/sources.list 中注释掉原有的 repo，加入：

deb http://mirrors.tuna.tsinghua.edu.cn/raspbian/raspbian/ buster main contrib non-free rpi
# deb http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi

在/etc/apt/sources.list.d/raspi.list 中注释掉原有的 repo，加入：

deb https://mirrors.tuna.tsinghua.edu.cn/raspberrypi/ buster main ui
# deb http://archive.raspberrypi.org/debian/ buster main ui

关闭蓝牙和 Wi-Fi

如果只作为一个网关运行，可以关闭蓝牙和 Wi-Fi，省电的同时纯净无线空间。
编辑 /boot/config.txt 中加入以下两行：

dtoverlay=pi3-disable-wifi
dtoverlay=pi3-disable-bt

感谢

• Clash
• yacd
• go-shadowsocks2
• V2Ray
• 使用Debian9自己打造一个旁路由
• 在树莓派上使用kone和clash

from https://github.com/cykor/RaspGateway
----------

Running Clash on OpenWrt as a transparent proxy

I will revamp this post soon as Clash is going to have major changes.

As you would have been aware of that I live in China where internet is under strict censorship. I’ve been discovering ways to access the blocked internet resources.

So recently I switched to a x86 mini computer that runs Proxmox VE, which has an OpenWRT VM running as a router. In this blog post, I'm using Clash, a new software that is quite the same to Surge. They both support "rules" mode that routes internet traffic on your will. It’s so convenient that you don’t have to use gfwlist anymore, and they are more precise and customizable, like you can route Google to a Hong Kong proxy, YouTube to United States, Netflix to Japan and so forth. Clash also has a redir mode which can be used with iptables to redirect the TCP packets. We're also gonna utilize Unbound and DNSCrypt-proxy to solve the DNS pollution issue.

Download the tools

$ mkdir /etc/clash
$ cd /etc/clash
$ wget https://github.com/Dreamacro/clash/releases/download/v0.13.0/clash-linux-amd64.tar.gz
$ tar -xzvf clash-linux-amd64.tar.gz
$ mv clash-linux-amd64 clash

$ mkdir /etc/unbound
$ opkg update && opkg install unbound luci-app-unbound

Follow this guide to install DNSCrypt-proxy: https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-on-OpenWRT

Make them into services

Put the following script to /etc/init.d/clash:

#!/bin/sh /etc/rc.common

START=90

USE_PROCD=1

start_service() {
        procd_open_instance
        procd_set_param command /etc/clash/clash -d /etc/clash
        procd_set_param respawn 300 0 5 # threshold, timeout, retry
        procd_set_param file /etc/clash/config.yml
        procd_set_param stdout 1
        procd_set_param stderr 1
        procd_set_param pidfile /var/run/clash.pid
        procd_close_instance
}

Then run the following to make it executable:

$ chmod +x /etc/init.d/clash

This init.d script also immediately restarts clash when it exits for whatever reason. If it crashes 5 times in 5 minutes, it won’t be restarted anymore.

The logs are in /var/log/messages.

Write Clash Configuration

I'm not covering how to write Clash configuration in this blog post, but these options must be set as follows:

redir-port: 9090
allow-lan: true
external-controller: 0.0.0.0:6170
dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:53
  enhanced-mode: redir-host
  nameserver:
    - 127.0.0.1:5353

Let’s tear it down. 9090 is the redir port, allow-lan allows other devices in LAN to access the proxy and external-controller is the API that we’re gonna use later to control Clash.

Clash will now forward DNS requests from :53 to unbound (:5353), which forwards DNS requests to DNSCrypt-proxy (:5678). DNSCrypt-proxy will then securely get the correct DNS responses using DoH.

Configure dnsmasq

# Disable dnsmasq DNS server
$ uci set 'dhcp.@dnsmasq[0].port=0'

# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
$ lan_address=$(uci get network.lan.ipaddr)
$ uci add_list "dhcp.lan.dhcp_option=option:dns-server,$lan_address"

$ uci commit
$ service dnsmasq restart

Configure DNSCrypt-proxy

Use the example config with these options changed:

server_names = ['cloudflare', 'google']
listen_addresses = ['0.0.0.0:5678']
fallback_resolver = '119.29.29.29:53'
ignore_system_dns = true
forwarding_rules = 'forwarding-rules.txt'

Configure Unbound

First download named.cache from InterNIC:

$ wget ftp://FTP.INTERNIC.NET/domain/named.cache -O/etc/unbound/root.hints

Then enable manual config so we can configure Unbound directly using it’s config file:

$ uci set 'unbound.@unbound[0].manual_conf=1'

To make China domains solve through 119.29.29.29 instead of foreign DNSCrypt-proxy, we’re using https://github.com/felixonmars/dnsmasq-china-list.

$ cd
$ git clone https://github.com/felixonmars/dnsmasq-china-list.git
$ cd dnsmasq-china-list
$ make SERVER=119.29.29.29 unbound
$ mkdir /etc/unbound/unbound.conf.d
$ cp accelerated-domains.china.unbound.conf /etc/unbound/unbound.conf.d

Finally, this is the config I’m currently using:

include: "/etc/unbound/unbound.conf.d/accelerated-domains.china.unbound.conf"

server:
 verbosity: 1
 directory: "/etc/unbound"
 num-threads: 2
 msg-cache-slabs: 1
 rrset-cache-slabs: 1
 infra-cache-slabs: 1
 key-cache-slabs: 1
 interface: 127.0.0.1
 access-control: 127.0.0.0/8 allow
 outgoing-num-tcp: 256
 incoming-num-tcp: 1024
 outgoing-port-permit: "10240-65335"
 outgoing-range: 60
 num-queries-per-thread: 30
 msg-buffer-size: 8192
 infra-cache-numhosts: 200
 key-cache-size: 100k
 neg-cache-size: 10k
 target-fetch-policy: "2 1 0 0 0 0"
 harden-large-queries: yes
 harden-short-bufsize: yes
 port: 5353
 so-rcvbuf: 4m
 so-sndbuf: 4m
 so-reuseport: yes
 msg-cache-size: 64m
 rrset-cache-size: 128m
 cache-max-ttl: 3600
 do-ip4: yes
 do-ip6: yes
 do-udp: yes
 do-tcp: yes
 tcp-upstream: no
 use-syslog: yes
 log-queries: no
 root-hints: "/etc/unbound/root.hints"
 hide-identity: yes
 hide-version: yes
 identity: ""
 version: ""
 harden-glue: yes
 private-address: 10.0.0.0/8
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
 private-address: fd00::/8
 private-address: fe80::/10
 private-address: ::ffff:0:0/96
 unwanted-reply-threshold: 10000000
 do-not-query-localhost: no
 prefetch: yes
 minimal-responses: no
 module-config: "iterator"
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5678

Launch the services

Run the following to make Clash, DNScrypt-proxy and Unbound launch at system startup:

$ service clash enable
$ service dnscrypt-proxy enable
$ service unbound enable

Apply the changes:

$ service dnscrypt-proxy restart
$ service unbound restart
$ service clash restart

Redirect the traffic to Clash

Go to https://ROUTER_IP/cgi-bin/luci/admin/network/firewall/custom, append the following to the end of rules. Be aware that you need to change YOUR_SSH_PORT.

iptables -t nat -N clash_lan
iptables -t nat -A clash_lan -d 0.0.0.0/8 -j RETURN
iptables -t nat -A clash_lan -d 10.0.0.0/8 -j RETURN
iptables -t nat -A clash_lan -d 127.0.0.0/8 -j RETURN
iptables -t nat -A clash_lan -d 169.254.0.0/16 -j RETURN
iptables -t nat -A clash_lan -d 172.16.0.0/12 -j RETURN
iptables -t nat -A clash_lan -d 192.168.0.0/16 -j RETURN
iptables -t nat -A clash_lan -d 224.0.0.0/4 -j RETURN
iptables -t nat -A clash_lan -d 240.0.0.0/4 -j RETURN

# Disable the proxy for 10.0.0.123
# iptables -t nat -A clash_lan -s 10.0.0.123 -j RETURN

iptables -t nat -A clash_lan -p tcp --dport YOUR_SSH_PORT -j ACCEPT
iptables -t nat -A clash_lan -p tcp --dport 80 -j REDIRECT --to-ports 9090
iptables -t nat -A clash_lan -p tcp --dport 443 -j REDIRECT --to-ports 9090
iptables -t nat -A clash_lan -p tcp --dport 53 -j REDIRECT --to-ports 53

iptables -t nat -A PREROUTING -p tcp -j clash_lan

# Chromecast
iptables -t nat -A PREROUTING -s IP_CIDR_OF_CHROMECAST_IF_YOU_HAVE_ANY -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -s IP_CIDR_OF_CHROMECAST_IF_YOU_HAVE_ANY -p tcp --dport 53 -j REDIRECT --to-ports 53

You can now open your browser now and go to https://ipinfo.io to see if it works!

Control Clash

Remember external-controller? We’re gonna make use of it… right now.

There’s a fantastic web interface that does exactly the work: http://clash.razord.top/. Use your OpenWrt IP address, and port 6170.

Be ware that Clash does not remember your choices of servers between restarts.

Check the logs

$ logread -e clash -f

-------------------------------------------------------

Luci interface for Clash Openwrt.

Luci For Clash

A rule based custom proxy for Openwrt based on Clash.

Install

• Upload ipk file to tmp folder
• cd /tmp
• opkg update
• opkg install luci-app-clash_1.6.8_all.ipk
• opkg install luci-app-clash_1.6.8_all.ipk --force-depends

Features

• Support Manually config upload
• GeoIP Database Update
• Iptables udp redirect
• IP Query / Website Access Check
• DNS Forwarding
• Support Trojan
• Support SSR
• Ping Custom proxy servers
• Create v2ray & ssr clash config from subscription url
• Create Custom Clash Config
• Tun Support
• Support Proxy Provider,Game rules & Restore Config Thanks to @vernesong

Dependency

• bash
• coreutils
• coreutils-nohup
• coreutils-base64
• ipset
• iptables
• luci
• luci-base
• wget
• libustream-openssl
• libopenssl
• openssl-util
• curl
• jsonfilter
• ca-certificates

Clash on Other Platforms

• Clash for Windows : A Windows GUI based on Clash
• clashX : A rule based custom proxy with GUI for Mac base on clash
• ClashA : An Android GUI for Clash
• ClashForAndroid : Another Android GUI for Clash
• KoolClash OpenWrt/LEDE : A rule based custom proxy for Koolshare OpenWrt/LEDE based on Clash

from https://github.com/frainzy1477/luci-app-clash

---------------------------------------

A Clash Client For OpenWrt.

OpenClash

  

本插件是一个可运行在 OpenWrt 上的 Clash 客户端

兼容 Shadowsocks、Vmess、Trojan、Snell 等协议，根据灵活的规则配置实现策略代理

- 感谢 frainzy1477 ，本插件基于 Luci For Clash 进行二次开发 -

使用手册

• Wiki

下载地址

• IPK 前往下载

依赖

• luci
• luci-base
• iptables
• dnsmasq-full
• coreutils
• coreutils-nohup
• bash
• curl
• jsonfilter
• ca-certificates
• ipset
• ip-full
• iptables-mod-tproxy
• kmod-tun(TUN模式)
• luci-compat(Luci-19.07)

编译

从 OpenWrt 的 SDK 编译

# 解压下载好的 SDK
tar xjf OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2.tar.bz2
cd OpenWrt-SDK-ar71xx-*

# Clone 项目
mkdir package/luci-app-openclash
cd package/luci-app-openclash
git init
git remote add -f origin https://github.com/vernesong/OpenClash.git
git config core.sparsecheckout true
echo "luci-app-openclash" >> .git/info/sparse-checkout
git pull origin master
git branch --set-upstream-to=origin/master master

# 编译 po2lmo (如果有po2lmo可跳过)
pushd package/luci-app-openclash/luci-app-openclash/tools/po2lmo
make && sudo make install
popd

# 选择要编译的包 LuCI -> Applications -> luci-app-openclash
make menuconfig

# 开始编译
make package/luci-app-openclash/luci-app-openclash/compile V=99

# 您也可以直接拷贝 `luci-app-openclash` 文件夹至其他 `OpenWrt` 项目的 `Package` 目录下随固件编译

许可

• MIT License
• 内核 clash by Dreamacro
• 本项目代码基于 Luci For Clash by frainzy1477
• GEOIP数据库 GeoLite2 by MaxMind
• IP检查 MyIP by SukkaW
• 控制面板 clash-dashboard by Dreamacro
• 控制面板 yacd by haishanh
• lhie1规则 lhie1-Rules by lhie1
• ConnersHua规则 ConnersHua-Rules by ConnersHua
• 游戏规则 SSTap-Rule by FQrabbit
• 订阅转换API Api_Constructor by Fndroid

from https://github.com/vernesong/OpenClash/tree/master

-----

仅针对 Linux

setup-clash-tun.sh

简单配置 Clash 的 tun 代理

clean-clash-tun.sh

清理 clash 的 tun 代理

setup-clash-cgroup.sh

配置 绕过 Clash 的 应用的 cgroup

clash.service

Clash 的 systemd 服务单元

bypass-proxy

利用 cgroup 使部分进程绕过 Clash

用法 bypass-proxy 命令...

bypass-proxy-pid

同上

用法 bypass-proxy-pid <PID>




from  https://github.com/Kr328/kr328-clash-setup-scripts

------




Clash Premiun Installer

Simple clash premiun core installer with full tun support for Linux.

Usage

1. Install dependencies git, nftables, iproute2

2. Clone repository

   git clone https://github.com/Kr328/clash-premium-installer
   cd clash-premium-installer

3. Download clash core link

4. Extract core and rename it to ./clash

5. Run Installer

   ./installer.sh install

from https://github.com/Kr328/clash-premium-installer

-----

Clash Tun Scripts for Linux

Usage

1. Clone Repo

   git clone https://github.com/Kr328/clash-tun-for-linux
   cd clash-tun-for-linux

2. Build Clash Binary
   Build by install.sh (upstream comzyh/clash)

   ./install.sh build

   or just copy one

   cp /path/to/clash ./clash

3. Install

   sudo ./install.sh install

from https://github.com/Kr328/clash-tun-for-linux

-------

 

windows上的Clash启用Tun模式 

 

Clash的功能强大，除了最基本的分流，屏蔽广告功能，可以通过加载TUN驱动，实现全局代理，有点类似与Netch的功能。

本文参考

TUN 模式 | Clash for Windows编写，主要针对Windows平台，其他平台请自行研究

操作步骤

首先至

Wintun网站下载Wintun的软件包，解压，将文件路径为wintun\bin\amd64\wintun.dll(应该没人是32位系统了吧）复制到Clash的Home Directory目录中。

 

 

接下来打开启动服务模式，这一步需要管理员权限:

 

最后点击左侧的Settings:

找到Mixin处，点击YAML的编辑:

dns:
    enable: true
    enhanced-mode: redir-host
    nameserver:
      - 8.8.8.8 # 真实请求DNS，可多设置几个
      - 114.114.114.114
# interface-name: WLAN # 出口网卡名称，或者使用下方的自动检测
  tun:
    enable: true
    stack: gvisor # 使用 system 需要 Clash Premium 2021.05.08 及更高版本
    dns-hijack:
      - 198.18.0.2:53 # 请勿更改
    auto-route: true
    auto-detect-interface: true # 自动检测出口网卡

复制以上内容填入。

使用

回到主界面点击Mixin，即可启动Tun模式。