
clash-premium-installer's People

Contributors: a1mersnow, betaxab, kr328

clash-premium-installer's Issues

How to modify the script to support a custom clash core name and path

I have been using the premium core all along, but d大 never explained how to use TUN mode. I came across this install script, but I don't want it to conflict with the location and name of the clash I am currently using. How should the script be modified so that it installs clash at a custom path? Thanks.

clash stops working after the service is restarted

Ubuntu 20.04: after `service clash restart`, clash starts normally with no errors, but there are no connection logs at all, as if it is not receiving any requests. After restarting the service manually a few more times, it works again.
Also, I don't know cgroups very well: clash.service runs setup-cgroup, so doesn't the cgroup need to be removed with a command after the service is stopped?

TUN setup problem on Ubuntu

Hello, the system is Ubuntu 18.04 and clash was installed with clash-premium-installer.
I want to use the computer running clash as a gateway, but after configuring the phone it has no network at all. The phone's router is set to the computer's IP and its DNS to 8.8.8.8, the dns-hijack address.
Where is the problem that leaves the phone without network?

Here is the head of the configuration file:

config.yaml

redir-port: 7892
tproxy-port: 7893
mixed-port: 7890

allow-lan: true
bind-address: '*'
mode: rule
log-level: info
ipv6: false
external-controller: 127.0.0.1:9111

hosts:
  'mtalk.google.com': 108.177.125.188
  't.cn': 203.107.55.116

dns:
  enable: false
  listen: 0.0.0.0:53
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
  enhanced-mode: redir-host # or fake-ip
  fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR

  fake-ip-filter:
    - '*.lan'
    - localhost.ptlogin2.qq.com
    - '+.srv.nintendo.net'
    - '+.stun.playstation.net'
    - '+.msftconnecttest.com'
    - '+.msftncsi.com'
    - '+.xboxlive.com'
    - 'msftconnecttest.com'
    - 'xbox.*.microsoft.com'

  nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://dns.rubyfish.cn:853 # DNS over TLS
    - https://1.1.1.1/dns-query # DNS over HTTPS

  fallback-filter:
    geoip: true
    ipcidr:

tun:
  enable: true
  stack: system # or gvisor
  dns-listen: 0.0.0.0:53
  dns-hijack:
    - 8.8.8.8:53
    - tcp://8.8.8.8:53

Insufficient permissions. DNS Redir: operation not permitted

After reading a few documents, I found this repo to be the best compilation of the official docs and everything they reference. Thanks.
There are a few problems, though.

Some errata?

I don't understand why the directory /srv/clash/ is 644

installer.sh:
44:-  assert install -d -m 0644 /srv/clash/
44:+  assert install -d -m 0755 /srv/clash/
88:-  rm -rf /usr/bin/bypass-proxy-uid
88:+  rm -rf /usr/bin/bypass-proxy-pid
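Review bot: the 0644 → 0755 change is correct and worth keeping: `install -d -m 0644 /srv/clash/` creates the directory without the execute (search) bit, so an unprivileged process cannot enter it or open config.yaml inside it, and 0755 (or 0750 owned by the service group) is the right mode for a directory. The second pair renames the file removed on uninstall from `bypass-proxy-uid` to `bypass-proxy-pid`; nothing on this page shows which name installer.sh actually installs, so check the install step and make the rm line match it rather than guessing, otherwise uninstall silently leaves the helper behind.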

Environment

raspbian buster
$ uname -a
Linux raspberrypi 5.10.17-v8+ #1403 SMP PREEMPT Mon Feb 22 11:37:54 GMT 2021 aarch64 GNU/Linux
$ ./clash -v
Clash 2021.03.10 linux arm64 Wed Mar 10 13:32:16 UTC 2021

Problem

  • With the default user pi, UDP redirect cannot be started
  • Using sudo solves it
  • See the log below; the DNS port has already been changed to > 1024 and it still needs privileges
  • The TProxy server has the same problem, but that is not the point of this issue
config.yaml
# Port of HTTP(S) proxy server on the local end
# port: 7890

# Port of SOCKS5 proxy server on the local end
socks-port: 7891

# Transparent proxy server port for Linux and macOS (Redirect TCP and TProxy UDP)
redir-port: 7892

# Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
tproxy-port: 7893

# HTTP(S) and SOCKS5 server on the same port
mixed-port: 7890

# authentication of local SOCKS5/HTTP(S) server
# authentication:
#  - "user1:pass1"
#  - "user2:pass2"

# Set to true to allow connections to the local-end server from
# other LAN IP addresses
allow-lan: true

# This is only applicable when `allow-lan` is `true`
# '*': bind all IP addresses
# 192.168.122.11: bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
bind-address: '*'

# Clash router working mode
# rule: rule-based packet routing
# global: all packets will be forwarded to a single endpoint
# direct: directly forward the packets to the Internet
mode: rule

# Clash by default prints logs to STDOUT
# info / warning / error / debug / silent
log-level: info

# When set to false, resolver won't translate hostnames to IPv6 addresses
ipv6: true

# RESTful web API listening address
external-controller: 0.0.0.0:9090

# A relative path to the configuration directory or an absolute path to a
# directory in which you put some static web resource. Clash core will then
# serve it at `http://{{external-controller}}/ui`.
external-ui: yacd-gh-pages

# Secret for the RESTful API (optional)
# Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}`
# ALWAYS set a secret if RESTful API is listening on 0.0.0.0
secret: ""

# Outbound interface name
interface-name: eth0

# Static hosts for DNS server and connection establishment (like /etc/hosts)
#
# Wildcard hostnames are supported (e.g. *.clash.dev, *.foo.*.example.com)
# Non-wildcard domain names have a higher priority than wildcard domain names
# e.g. foo.example.com > *.example.com > .example.com
# P.S. +.foo.com equals to .foo.com and foo.com
hosts:
  # '*.clash.dev': 127.0.0.1
  # '.dev': 127.0.0.1
  # 'alpha.clash.dev': '::1'

# DNS server settings
# This section is optional. When not present, the DNS server will be disabled.
dns:
  enable: true
  listen: 0.0.0.0:50053
  ipv6: true # when the false, response to AAAA questions will be empty

  # These nameservers are used to resolve the DNS nameserver hostnames below.
  # Specify IP addresses only
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
  enhanced-mode: redir-host # or fake-ip
  # fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR
  # use-hosts: true # lookup hosts and return IP record
  
  # Hostnames in this list will not be resolved with fake IPs
  # i.e. questions to these domain names will always be answered with their
  # real IP addresses
  # fake-ip-filter:
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com
  
  # Supports UDP, TCP, DoT, DoH. You can specify the port to connect to.
  # All DNS questions are sent directly to the nameserver, without proxies
  # involved. Clash answers the DNS question with the first result gathered.
  nameserver:
    - 114.114.114.114
    - 223.5.5.5
    - 119.29.29.29
    - tls://dns.rubyfish.cn:853 # DNS over TLS
    - https://1.1.1.1/dns-query # DNS over HTTPS

  # When `fallback` is present, the DNS server will send concurrent requests
  # to the servers in this section along with servers in `nameservers`.
  # The answers from fallback servers are used when the GEOIP country
  # is not `CN`.
  fallback:
    - tcp://1.1.1.1
    
  # If IP addresses resolved with servers in `nameservers` are in the specified
  # subnets below, they are considered invalid and results from `fallback`
  # servers are used instead.
  #
  # IP address resolved with servers in `nameserver` is used when
  # `fallback-filter.geoip` is true and when GEOIP of the IP address is `CN`.
  #
  # If `fallback-filter.geoip` is false, results from `nameserver` nameservers
  # are always used if not match `fallback-filter.ipcidr`.
  #
  # This is a countermeasure against DNS pollution attacks.
  fallback-filter:
    geoip: true
    # ips in these subnets will be considered polluted
    ipcidr:
      - 240.0.0.0/4
    # domain:
    #   - '+.google.com'
    #   - '+.facebook.com'
    #   - '+.youtube.com'
tun:
  enable: true
  stack: gvisor # or system
  macOS-auto-route: true
  macOS-auto-detect-interface: true
  dns-hijack:
    - tcp://8.8.8.8:53
    - 8.8.8.8:1053
...
...
Changed the DNS port in clash-default according to the config
diff --git a/scripts/clash-default b/scripts/clash-default
@@ -9,7 +9,7 @@ NETFILTER_MARK=114514
 # iproute2 rule table id
 IPROUTE2_TABLE_ID=114
 
-# dns redirect
-FORWARD_DNS_REDIRECT=1.0.0.1:53
+# dns redirect, match dns listen in clash config
+FORWARD_DNS_REDIRECT=0.0.0.1:50053
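Review bot: `FORWARD_DNS_REDIRECT=0.0.0.1:50053` cannot work as a redirect target. This variable is the destination the installer rewrites forwarded DNS queries to (its `forward-dns-redirect` chain, shown in another issue on this page, DNATs udp and tcp port 53 to it), so it has to be an address the TUN will intercept, that is, one listed under `tun.dns-hijack`. 0.0.0.1 lies in the unroutable 0.0.0.0/8 block, and `dns.listen: 0.0.0.0:50053` is a bind wildcard, not somewhere packets can be sent. With the config above, `8.8.8.8:53` is the value that matches the `tcp://8.8.8.8:53` entry; the udp entry is on port 1053, though, so either add `8.8.8.8:53` next to it or use one port for both, because the script sends both protocols to the same target.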
Changed the daemon to run as the default user and group. Not important; the problem is the same without the daemon
diff --git a/scripts/clash.service b/scripts/clash.service
@@ -4,8 +4,14 @@ After=network-online.target nftables.service iptabels.service
 
 [Service]
 Type=simple
-ExecStartPre=+/usr/lib/clash/setup-cgroup.sh
-ExecStart=/usr/bin/bypass-proxy /usr/bin/clash -d /srv/clash
+StandardError=journal
+User=pi
+Group=pi
+ExecStartPre=+/home/pi/lib/clash/setup-cgroup.sh
+ExecStart=/home/pi/bin/bypass-proxy /home/pi/bin/clash -f /home/pi/.config/clash/config.yaml
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target
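Review bot: `User=pi`/`Group=pi` is what produces the `operation not permitted` lines in the output below. The Redir UDP listener and the TProxy server set IP_TRANSPARENT on their sockets, and creating the tun interface needs the same privilege; both require CAP_NET_ADMIN, which does not depend on the port number (that is why moving DNS above 1024 did not help). Keep the unprivileged user but grant the capabilities in the unit, e.g. `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` together with a matching `CapabilityBoundingSet=`, and make sure pi can open /dev/net/tun. The `+` prefix on ExecStartPre already runs setup-cgroup.sh as root, so that line is fine. Two smaller points: the hard-coded /home/pi paths tie the unit to one account, and the context line `iptabels.service` is a typo in the upstream unit (`iptables.service`) that deserves a separate fix.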

Output:

...
INFO[0000] Start initial compatible provider 🎞StreamingSE 
INFO[0000] RESTful API listening at: 0.0.0.0:9090       
INFO[0000] SOCKS proxy listening at: :7891              
WARN[0000] Failed to start Redir UDP Listener: operation not permitted 
ERRO[0000] Start TProxy server error: operation not permitted 
INFO[0000] Redir proxy listening at: :7892              
INFO[0000] Mixed(http+socks5) proxy listening at: :7890 
INFO[0000] DNS server listening at: 0.0.0.0:50053
...

Suggestions?

  1. Since this is raspbian, the default user directory is /Home/pi/, so checking whether a package is installed by path name errors out, e.g. `if [ ! -d "/usr/lib/udev/rules.d" ];then`. How about the following:
  2. On uninstall, restore ipv4 forwarding to 0
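The mismatches in the diffs above (a DNS redirect target that neither routes nor matches `tun.dns-hijack`, and an API bound to 0.0.0.0 with an empty secret, which the config's own comment warns against) are the kind of thing a small consistency check catches before the service is started. The following is an added example, not part of clash-premium-installer or of the reporter's setup: it takes the values shown in this issue as a constructed Python dict and string, and its check logic and messages are this example's own assumptions, not anything the installer provides.

```python
# Added example, not code from clash-premium-installer: a linter for the
# settings that must agree between config.yaml and scripts/clash-default.
# CONFIG and CLASH_DEFAULT are constructed extracts of the values shown in
# the issue; the check functions and their messages are this example's own.
from urllib.parse import urlsplit

CLASH_DEFAULT = """\
# constructed extract of scripts/clash-default after the change in the issue
NETFILTER_MARK=114514
IPROUTE2_TABLE_ID=114
FORWARD_DNS_REDIRECT=0.0.0.1:50053
"""

CONFIG = {  # constructed extract of the issue's config.yaml
    "external-controller": "0.0.0.0:9090",
    "secret": "",
    "dns": {"enable": True, "listen": "0.0.0.0:50053"},
    "tun": {"enable": True, "dns-hijack": ["tcp://8.8.8.8:53", "8.8.8.8:1053"]},
}


def parse_shell_vars(text):
    """Read KEY=VALUE lines from clash-default (comments and blank lines skipped)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip("'\"")
    return out


def parse_hijack(entry):
    """'tcp://8.8.8.8:53' -> ('tcp', '8.8.8.8', 53); a bare 'host:port' entry is udp."""
    if "://" in entry:
        url = urlsplit(entry)
        return url.scheme, url.hostname, url.port
    host, port = entry.rsplit(":", 1)
    return "udp", host, int(port)


def lint(config, clash_default_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    variables = parse_shell_vars(clash_default_text)
    redirect = variables.get("FORWARD_DNS_REDIRECT", "")
    r_host, _, r_port = redirect.rpartition(":")
    r_port = int(r_port) if r_port.isdigit() else None
    hijack = [parse_hijack(e) for e in config.get("tun", {}).get("dns-hijack", [])]

    # Forwarded DNS is DNATed to FORWARD_DNS_REDIRECT, so it has to be a real
    # destination: 0.0.0.0/8 is the unroutable "this network" block, and the
    # 0.0.0.0 in dns.listen is a bind wildcard, not an address packets can reach.
    if r_host.startswith("0.0.0."):
        findings.append(f"FORWARD_DNS_REDIRECT={redirect}: 0.0.0.x is not a routable destination")
    # The redirected queries only reach clash if tun.dns-hijack intercepts that target.
    if not any(h == r_host and p == r_port for _, h, p in hijack):
        findings.append(f"FORWARD_DNS_REDIRECT={redirect} is not covered by tun.dns-hijack")
    # clash-default rewrites udp and tcp DNS to the same target, so the hijack
    # list should name that target for both protocols.
    udp = {(h, p) for proto, h, p in hijack if proto == "udp"}
    tcp = {(h, p) for proto, h, p in hijack if proto == "tcp"}
    if udp != tcp:
        findings.append("tun.dns-hijack udp and tcp targets differ")
    # The config's own comment: always set a secret when the API binds 0.0.0.0.
    controller = config.get("external-controller", "")
    if controller.startswith("0.0.0.0") and not config.get("secret"):
        findings.append("external-controller listens on 0.0.0.0 with an empty secret")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG, CLASH_DEFAULT) or ["no findings"]:
        print(finding)
```

Run against the values from this issue it reports four findings; with the redirect set to an address that appears in `dns-hijack` for both protocols and a secret set, it reports none.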

Installation reports "cgroup not support net_cls" and how I handled it

sudo ./installer.sh install
reported cgroup not support net_cls
so after mkdir -p /sys/fs/cgroup/net_cls the installation completed

Errors after starting:
/sys/fs/cgroup/net_cls/bypass_proxy/net_cls.classid permission denied
/sys/fs/cgroup/net_cls/bypass_proxy/tasks no such file or directory

So, following the net_cls documentation, I edited setup-cgroup.sh as follows

#!/bin/sh
# Expects PROXY_BYPASS_CGROUP (the net_cls classid) to be set by the caller, e.g. sourced from clash-default.
if [ ! -d /sys/fs/cgroup/net_cls ]; then
	mkdir -p /sys/fs/cgroup/net_cls
fi
# Mount the net_cls controller only once; mounting on an already mounted point fails.
if ! mountpoint -q /sys/fs/cgroup/net_cls; then
	mount -t cgroup -o net_cls net_cls /sys/fs/cgroup/net_cls
fi
mkdir -p /sys/fs/cgroup/net_cls/bypass_proxy
echo "$PROXY_BYPASS_CGROUP" > /sys/fs/cgroup/net_cls/bypass_proxy/net_cls.classid
# Mode 666 lets any local user move tasks into the bypass cgroup and thereby skip the proxy rules.
chmod 666 /sys/fs/cgroup/net_cls/bypass_proxy/tasks

It now runs on this machine without errors and TUN comes up fine.
Note: this machine runs Debian bullseye; I am an ordinary user with little knowledge of editing code, so please bear with any mistakes.
Finally, thanks to the author for providing this script so that ordinary users can enable TUN mode with one command; I wonder whether a one-command TProxy mode will be written later.

Traffic to IP-literal destinations does not seem to be routed into utun

I just raised a similar question over at https://github.com/Dreamacro/clash: https://github.com/Dreamacro/clash/discussions/1251

clash premium running in TUN mode takes over port 53, and domain-name requests are handled correctly by clash, but some apps such as Telegram and Netflix on Android TV request resources by IP address directly, and those requests do not seem to be routed into utun.

I turned off the firewall and tried the iptables rules below, which solved the problem, but clash-premium-installer seems to use nftables.

#!/bin/bash
# https://comzyh.gitbook.io/clash/real-ip-tun-example

# Create the clash chain
iptables -t mangle -N clash

# Let traffic to LAN and reserved ranges through untouched
iptables -t mangle -A clash -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A clash -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A clash -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A clash -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN

# Mark everything else
iptables -t mangle -A clash -j MARK --set-xmark 100

# Apply the fwmark to forwarded traffic
iptables -t mangle -A PREROUTING -j clash

# Let the root user's own traffic through to avoid a loop
# iptables -t mangle -A OUTPUT -m owner --uid-owner 0 -j RETURN

# Add a policy routing table that sends everything to utun
ip route add default dev utun table 100
# Packets marked 100 are routed by policy routing table 100
ip rule add fwmark 100 lookup 100

exec "$@"

So how should inbound traffic to IP-literal destinations be handled with the firewall enabled? And should the "let root's own traffic through to avoid a loop" rule be added?

Thanks
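To see what the rules above actually do to a packet, and why the commented-out `--uid-owner 0 -j RETURN` rule matters (the installer's nftables table uses `cgroup 114514 accept` for the same purpose), here is an added example that is neither the comzyh guide's code nor the installer's: a small Python model of the marking decision. The subnet list, mark 100, table 100 and the 114514 classid are the page's own; the Packet type, the 198.51.100.7 and 203.0.113.10 addresses, and treating uid 0 / classid 114514 as the bypass identity are constructed for the example.

```python
# Added example, not from the comzyh guide or clash-premium-installer: a
# simulator of the marking policy that the iptables script above and the
# installer's nftables `clash` table implement, so you can trace which
# packets are steered into utun and why a sender-bypass rule avoids a loop.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Destinations the mangle chain RETURNs on before marking (from the script above).
BYPASS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
FWMARK = 100            # mark set by the script; `ip rule fwmark 100 lookup 100` -> utun
TUN_IF = "utun"
BYPASS_UID = 0          # the commented-out `--uid-owner 0 -j RETURN` rule
BYPASS_CGROUP = 114514  # the installer's `cgroup 114514 accept` (net_cls classid), assumed here


@dataclass
class Packet:
    dst: str
    proto: str = "tcp"
    hook: str = "prerouting"      # "prerouting": forwarded from the LAN; "output": generated locally
    iif: Optional[str] = None     # ingress interface of a forwarded packet
    uid: Optional[int] = None     # socket owner of a local packet
    cgroup: Optional[int] = None  # net_cls classid of the local sender


def mark_packet(pkt: Packet, bypass_local_sender: bool = True) -> int:
    """Return the fwmark the packet leaves the chain with (0 = not marked)."""
    if pkt.proto not in ("tcp", "udp"):
        return 0  # installer: `ip protocol != { tcp, udp } accept`
    if pkt.hook == "prerouting" and pkt.iif == TUN_IF:
        return 0  # installer: `iif "utun" accept`; never re-mark what clash itself emits
    if any(ipaddress.ip_address(pkt.dst) in net for net in BYPASS_NETS):
        return 0  # script: `-d <net> -j RETURN`
    if pkt.hook == "output" and bypass_local_sender and (
            pkt.uid == BYPASS_UID or pkt.cgroup == BYPASS_CGROUP):
        return 0  # the sender-bypass rule the question above asks about
    return FWMARK


def route_for(pkt: Packet, bypass_local_sender: bool = True) -> str:
    """'utun' if policy routing sends the packet into the tun device, else 'main'."""
    return TUN_IF if mark_packet(pkt, bypass_local_sender) == FWMARK else "main"


def would_loop(proxy_server_ip: str, bypass_local_sender: bool) -> bool:
    """Clash's own connection to its upstream proxy is a locally generated tcp
    packet to a public address. Without a sender bypass it gets the mark too,
    is routed back into utun, and clash receives its own traffic: a loop."""
    own = Packet(dst=proxy_server_ip, hook="output", uid=BYPASS_UID, cgroup=BYPASS_CGROUP)
    return route_for(own, bypass_local_sender) == TUN_IF


if __name__ == "__main__":
    samples = (Packet("192.168.1.20"), Packet("198.51.100.7"),
               Packet("198.51.100.7", iif=TUN_IF), Packet("198.51.100.7", hook="output", uid=1000))
    for p in samples:
        print(p, "->", route_for(p))
    print("loop without bypass:", would_loop("203.0.113.10", False))
    print("loop with bypass:", would_loop("203.0.113.10", True))
```

Run directly it prints the routing decision for a LAN destination, a public IP-literal destination, the same packet arriving back from utun, and a local unprivileged sender, followed by the loop check: a public IP-literal destination from the LAN does get the mark and enters utun, while clash's own upstream connection enters utun only when no sender bypass (uid owner, or the installer's cgroup match) is in place.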

nft does not take effect

ubuntu18, the setup-tun.sh script reports this error:
internal:0:0-0: Error: Could not open file "-": No such file or directory

Speed problem under TUN

1. clash was installed with this script.
2. The clash host is a Xiaomi Notebook Air 12.5 running deepin 20.4.
3. The notebook can access the internet through TUN normally.
4. My home China Mobile broadband is 300M.
Problem description:
1. Android phone with wifi set to the host's IP and DNS: the speed test gives 9MB/s
2. Same Android phone on DHCP, with the wifi proxy set to the host's IP and port 7890: the speed test gives 47-48MB/s
3. A Windows 11 desktop set up in the two ways above gets the same speeds as described.

Installation succeeded but cannot get online through TUN

Installation succeeded with no errors. Proxying through socks5 works normally, but through TUN, that is, with the client's gateway and DNS both set to clash's IP, it cannot get online.
Moreover, even when a domain resolves to the same IP address, it cannot be pinged with the gateway set to clash, but can be pinged with the gateway set to the main router, so this has nothing to do with DNS. With the gateway set to clash, the socks5 proxy still works, so the clash proxy is running fine; it just cannot forward through redir. The clash config is as follows:

mixed-port: 7890
redir-port: 7892
#tproxy-port: 7893
allow-lan: true
mode: rule
log-level: warning # info / warning / error / debug / silent
ipv6: false
external-controller: 0.0.0.0:9090
# external-ui: /ui
#interface-name: ens18
tun:
  enable: true
  stack: system # or gvisor
#  dns-listen: 0.0.0.0:53
  dns-hijack:
    - 1.0.0.1:53
#  auto-route: true
dns: # DNS server settings
  enable: true
#  listen: 0.0.0.0:53
  ipv6: false
  default-nameserver:
    - 119.29.29.29
  enhanced-mode: redir-host # or fake-ip redir-host
  fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR
  # use-hosts: true # lookup hosts and return IP record
  fake-ip-filter:
    - '*.lan'
    - localhost.ptlogin2.qq.com
    - '+.srv.nintendo.net'
    - '+.stun.playstation.net'
    - '+.msftconnecttest.com'
    - '+.msftncsi.com'
    - '+.xboxlive.com'
    - 'msftconnecttest.com'
    - 'xbox.*.microsoft.com'
    - '*.battlenet.com.cn'
    - '*.battlenet.com'
    - '*.blzstatic.cn'
    - '*.battle.net'
  nameserver: # domestic domains are resolved through nameserver
    - https://doh.pub/dns-query # Tencent DNS
    - https://dns.alidns.com/dns-query # Alibaba DNS
    # - 119.29.29.29
  fallback: # foreign domains are resolved through fallback (unpolluted DNS)
    - https://cloudflare-dns.com/dns-query # Cloudflare DNS
    - https://doh.dns.sb/dns-query # DNS.SB
  fallback-filter: # filter applied to fallback requests
    geoip: true
    ipcidr:
      - 240.0.0.0/4
    domain:
      - '+.google.com'
      - '+.youtube.com'

ifconfig shows that the tun device was created successfully

utun: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 9000
        inet 198.18.0.1  netmask 255.255.0.0  destination 198.18.0.1
        inet6 fe80::5a70:e37f:3785:97e8  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 1040  bytes 115856 (113.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1042  bytes 115952 (113.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

nft list table clash -s shows that the clash firewall rules are present as well

table ip clash {
        chain local {
                type route hook output priority 0; policy accept;
                ip protocol != { tcp, udp } accept
                cgroup 114514 accept
                ip daddr { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 } accept
                ct state new ct mark set 0x0001bf52
                ct mark 0x0001bf52 mark set 0x0001bf52
        }

        chain forward {
                type filter hook prerouting priority 0; policy accept;
                ip protocol != { tcp, udp } accept
                iif "utun" accept
                ip daddr { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 } accept
                mark set 0x0001bf52
        }

        chain local-dns-redirect {
                type nat hook output priority 0; policy accept;
                ip protocol != { tcp, udp } accept
                cgroup 114514 accept
                ip daddr 127.0.0.0/8 accept
                udp dport domain dnat to 1.0.0.1:domain
                tcp dport domain dnat to 1.0.0.1:domain
        }

        chain forward-dns-redirect {
                type nat hook prerouting priority 0; policy accept;
                ip protocol != { tcp, udp } accept
                udp dport domain dnat to 1.0.0.1:domain
                tcp dport domain dnat to 1.0.0.1:domain
        }
}

Any reason to put home dir to srv/clash?

I am just curious about why the home dir is set to srv/clash? Are there any additional benefits to doing this?
The clash wiki recommends /etc/clash. For myself, I prefer putting configs in ~/.config/clash.
